yubikey-val/common.php

<?php

define('S_OK', 'OK');
define('S_BAD_OTP', 'BAD_OTP');
define('S_REPLAYED_OTP', 'REPLAYED_OTP');
define('S_DELAYED_OTP', 'DELAYED_OTP');
define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');
define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');
define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');
define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');
define('S_BACKEND_ERROR', 'BACKEND_ERROR');

define('TS_SEC', 1/8);
define('TS_REL_TOLERANCE', 0.3);
define('TS_ABS_TOLERANCE', 20);

define('TOKEN_LEN', 32);

function unescape($s) {
	return str_replace('\\', "", $s);
}

function getHttpVal($key, $defaultVal) {
	$val = $defaultVal;
	if (array_key_exists($key, $_GET)) {
		$val = $_GET[$key];
  	} else if (array_key_exists($key, $_POST)) {
  		$val = $_POST[$key];
  	}
  	$v = unescape(trim($val));
  	return $v;
}

function query($conn, $q) {
  debug('Query: '.$q);
  $result = mysql_query($q, $conn);
  if (!$result) {
    die("Query error: " . mysql_error());
  }
  return $result;
}

function mysql_quote($value) {
	return "'" . mysql_real_escape_string($value) . "'";	
}

function debug($msg) {
  if (is_array($msg)) {
    $str = "";
    foreach($msg as $key => $value){
      $str .= "$key=$value ";
    }
  } else {
    $str = $msg;
  }
  error_log($str);
}

// Return eg. 2008-11-21T06:11:55Z0711
//            
function getUTCTimeStamp() {
	date_default_timezone_set('UTC');
	$tiny = substr(microtime(false), 2, 3);
	return date('Y-m-d\TH:i:s\Z0', time()) . $tiny;
}

// Sign a http query string in the array of key-value pairs
// return b64 encoded hmac hash
function sign($a, $apiKey) {
	ksort($a);
	$qs = '';
	$n = count($a);
	$i = 0;
	foreach (array_keys($a) as $key) {
		$qs .= trim($key).'='.trim($a[$key]);
		if (++$i < $n) {
			$qs .= '&';
		}
	}
	
	// the TRUE at the end states we want the raw value, not hexadecimal form
	$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);
	$hmac = base64_encode($hmac);

	debug('SIGN: ' . $qs . ' H=' . $hmac);

	return $hmac;
		
} // sign an array of query string

function hex2b64 ($hex_str) {
  $bin = pack("H*", $hex_str);
  return base64_encode($bin);
}

function modhex2b64 ($modhex_str) {
  $hex_str = strtr ($modhex_str, "cbdefghijklnrtuv", "0123456789abcdef");
  return hex2b64($hex_str);
}

// $otp: A yubikey OTP
function decryptOTP($otp, $base_url) {
  $url = $base_url . $otp;
  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_USERAGENT, "YK-VAL");
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_FAILONERROR, true);
  curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  $response = curl_exec($ch);
  $error = curl_error ($ch);
  $errno = curl_errno ($ch);
  debug("YK-KSM response: $response errno: " . $errno . " error: " . $error);
  $info = curl_getinfo ($ch);
  debug($info);
  curl_close($ch);

  if (sscanf ($response,
	      "OK counter=%04x low=%04x high=%02x use=%02x",
	      $ret["session_counter"], $ret["low"], $ret["high"],
	      $ret["session_use"]) != 4) {
    return false;
  }
  return $ret;
} // End decryptOTP

// $devId: The first 12 chars from the OTP
function getAuthData($conn, $devId) {
	$tokenId = modhex2b64($devId);
	$stmt =
	  'SELECT id, active, client_id, counter, sessionUse, low, high, accessed '.
	  'FROM yubikeys '.
	  'WHERE tokenId='.mysql_quote($tokenId);
	$r = query($conn, $stmt);
	if (mysql_num_rows($r) > 0) {
		$row = mysql_fetch_assoc($r);
		mysql_free_result($r);
		return $row;
	}
	return null;
} // End getAuthData

function addNewKey($conn, $devId) {
	$tokenId = modhex2b64($devId);
	$stmt = 'INSERT INTO yubikeys (client_id, active, created, tokenId, counter) '.
	  'VALUES (1, true, NOW(), ' . mysql_quote($tokenId) . ', 0)';
	$r = query($conn, $stmt);
}

// $clientId: The decimal client identity
function getClientData($conn, $clientId) {
	$stmt =
	  'SELECT id, secret, chk_time '.
	  'FROM clients '.
	  'WHERE active AND id='.mysql_quote($clientId);
	$r = query($conn, $stmt);
	if (mysql_num_rows($r) > 0) {
		$row = mysql_fetch_assoc($r);
		mysql_free_result($r);
		return $row;
	}
	return null;
} // End getClientData
?>
add key 2008-09-26 05:21:11 +02:00			`<?php`
Cleanup. 2009-03-11 02:42:23 +01:00
add key 2008-09-26 05:21:11 +02:00			`define('S_OK', 'OK');`
			`define('S_BAD_OTP', 'BAD_OTP');`
			`define('S_REPLAYED_OTP', 'REPLAYED_OTP');`
Improve checking of OTPs. 2009-03-11 01:19:59 +01:00			`define('S_DELAYED_OTP', 'DELAYED_OTP');`
add key 2008-09-26 05:21:11 +02:00			`define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');`
			`define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');`
Make it work. 2009-03-10 23:01:46 +01:00			`define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');`
add key 2008-09-26 05:21:11 +02:00			`define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');`
			`define('S_BACKEND_ERROR', 'BACKEND_ERROR');`
Cleanup. 2009-03-11 02:42:23 +01:00
			`define('TS_SEC', 1/8);`
Use absolute timestamp tolerance as well. 2009-03-11 01:26:57 +01:00			`define('TS_REL_TOLERANCE', 0.3);`
			`define('TS_ABS_TOLERANCE', 20);`
add key 2008-09-26 05:21:11 +02:00
Don't hard code prefix length. 2009-03-18 12:00:48 +01:00			`define('TOKEN_LEN', 32);`
Make standalone. 2009-03-10 23:50:35 +01:00
			`function unescape($s) {`
			`return str_replace('\\', "", $s);`
			`}`

			`function getHttpVal($key, $defaultVal) {`
			`$val = $defaultVal;`
			`if (array_key_exists($key, $_GET)) {`
			`$val = $_GET[$key];`
			`} else if (array_key_exists($key, $_POST)) {`
			`$val = $_POST[$key];`
			`}`
			`$v = unescape(trim($val));`
			`return $v;`
			`}`

More cleanups. 2009-03-11 03:06:02 +01:00			`function query($conn, $q) {`
			`debug('Query: '.$q);`
			`$result = mysql_query($q, $conn);`
			`if (!$result) {`
			`die("Query error: " . mysql_error());`
			`}`
			`return $result;`
Make standalone. 2009-03-10 23:50:35 +01:00			`}`

			`function mysql_quote($value) {`
			`return "'" . mysql_real_escape_string($value) . "'";`
			`}`

Code cleanups. 2009-03-11 01:54:19 +01:00			`function debug($msg) {`
			`if (is_array($msg)) {`
			`$str = "";`
			`foreach($msg as $key => $value){`
			`$str .= "$key=$value ";`
			`}`
			`} else {`
			`$str = $msg;`
			`}`
			`error_log($str);`
add key 2008-09-26 05:21:11 +02:00			`}`

Make getUTCTimeStamp return milliseconds too, similar to Java server. 2009-03-10 20:01:07 +01:00			`// Return eg. 2008-11-21T06:11:55Z0711`
No time zone, UTC default 2008-11-21 07:41:13 +01:00			`//`
2008-09-27 11:04:49 +02:00			`function getUTCTimeStamp() {`
			`date_default_timezone_set('UTC');`
Make getUTCTimeStamp return milliseconds too, similar to Java server. 2009-03-10 20:01:07 +01:00			`$tiny = substr(microtime(false), 2, 3);`
			`return date('Y-m-d\TH:i:s\Z0', time()) . $tiny;`
2008-09-27 11:04:49 +02:00			`}`

			`// Sign a http query string in the array of key-value pairs`
			`// return b64 encoded hmac hash`
More cleanups. 2009-03-11 03:06:02 +01:00			`function sign($a, $apiKey) {`
2008-09-27 11:04:49 +02:00			`ksort($a);`
			`$qs = '';`
			`$n = count($a);`
			`$i = 0;`
			`foreach (array_keys($a) as $key) {`
2008-11-21 22:41:26 +01:00			`$qs .= trim($key).'='.trim($a[$key]);`
2008-09-27 11:04:49 +02:00			`if (++$i < $n) {`
			`$qs .= '&';`
			`}`
			`}`

			`// the TRUE at the end states we want the raw value, not hexadecimal form`
			`$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);`
			`$hmac = base64_encode($hmac);`
Improve debugging. 2009-03-11 02:53:38 +01:00
			`debug('SIGN: ' . $qs . ' H=' . $hmac);`

2008-09-27 11:04:49 +02:00			`return $hmac;`

sign example 2008-10-08 08:29:19 +02:00			`} // sign an array of query string`
2008-09-27 11:04:49 +02:00
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`function hex2b64 ($hex_str) {`
			`$bin = pack("H*", $hex_str);`
			`return base64_encode($bin);`
Make standalone. 2009-03-10 23:50:35 +01:00			`}`

Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`function modhex2b64 ($modhex_str) {`
			`$hex_str = strtr ($modhex_str, "cbdefghijklnrtuv", "0123456789abcdef");`
			`return hex2b64($hex_str);`
Make standalone. 2009-03-10 23:50:35 +01:00			`}`

Cleanup. 2009-03-11 02:42:23 +01:00			`// $otp: A yubikey OTP`
			`function decryptOTP($otp, $base_url) {`
			`$url = $base_url . $otp;`
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`$ch = curl_init($url);`
			`curl_setopt($ch, CURLOPT_USERAGENT, "YK-VAL");`
			`curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);`
More curl debugging. 2009-03-11 12:14:50 +01:00			`curl_setopt($ch, CURLOPT_FAILONERROR, true);`
Add timeout for ykksm queries. 2009-03-11 03:12:36 +01:00			`curl_setopt($ch, CURLOPT_TIMEOUT, 5);`
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`$response = curl_exec($ch);`
More curl debugging. 2009-03-11 12:14:50 +01:00			`$error = curl_error ($ch);`
Curl errno/error is order dependent?! 2009-03-11 12:18:56 +01:00			`$errno = curl_errno ($ch);`
			`debug("YK-KSM response: $response errno: " . $errno . " error: " . $error);`
More curl debugging. 2009-03-11 12:14:50 +01:00			`$info = curl_getinfo ($ch);`
			`debug($info);`
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`curl_close($ch);`

			`if (sscanf ($response,`
Reorder high/low to match internal order. 2009-03-18 16:16:18 +01:00			`"OK counter=%04x low=%04x high=%02x use=%02x",`
Reorder high/low to match internal order. 2009-03-18 16:21:50 +01:00			`$ret["session_counter"], $ret["low"], $ret["high"],`
			`$ret["session_use"]) != 4) {`
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`return false;`
			`}`
			`return $ret;`
			`} // End decryptOTP`
Make standalone. 2009-03-10 23:50:35 +01:00
			`// $devId: The first 12 chars from the OTP`
More cleanups. 2009-03-11 03:06:02 +01:00			`function getAuthData($conn, $devId) {`
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`$tokenId = modhex2b64($devId);`
Don't fetch always true active field. 2009-03-18 21:44:14 +01:00			`$stmt =`
Auto-discover yubikeys known by the ykksm. 2009-04-01 18:09:29 +02:00			`'SELECT id, active, client_id, counter, sessionUse, low, high, accessed '.`
Don't fetch always true active field. 2009-03-18 21:44:14 +01:00			`'FROM yubikeys '.`
Auto-discover yubikeys known by the ykksm. 2009-04-01 18:09:29 +02:00			`'WHERE tokenId='.mysql_quote($tokenId);`
More cleanups. 2009-03-11 03:06:02 +01:00			`$r = query($conn, $stmt);`
Make standalone. 2009-03-10 23:50:35 +01:00			`if (mysql_num_rows($r) > 0) {`
			`$row = mysql_fetch_assoc($r);`
			`mysql_free_result($r);`
			`return $row;`
			`}`
			`return null;`
			`} // End getAuthData`

Auto-discover yubikeys known by the ykksm. 2009-04-01 18:09:29 +02:00			`function addNewKey($conn, $devId) {`
			`$tokenId = modhex2b64($devId);`
			`$stmt = 'INSERT INTO yubikeys (client_id, active, created, tokenId, counter) '.`
			`'VALUES (1, true, NOW(), ' . mysql_quote($tokenId) . ', 0)';`
			`$r = query($conn, $stmt);`
			`}`

Make standalone. 2009-03-10 23:50:35 +01:00			`// $clientId: The decimal client identity`
More cleanups. 2009-03-11 03:06:02 +01:00			`function getClientData($conn, $clientId) {`
Don't fetch always true active field. 2009-03-18 21:44:14 +01:00			`$stmt =`
			`'SELECT id, secret, chk_time '.`
			`'FROM clients '.`
			`'WHERE active AND id='.mysql_quote($clientId);`
More cleanups. 2009-03-11 03:06:02 +01:00			`$r = query($conn, $stmt);`
Make standalone. 2009-03-10 23:50:35 +01:00			`if (mysql_num_rows($r) > 0) {`
			`$row = mysql_fetch_assoc($r);`
			`mysql_free_result($r);`
			`return $row;`
			`}`
			`return null;`
			`} // End getClientData`
add key 2008-09-26 05:21:11 +02:00			`?>`