yubikey-val/ykval-common.php

<?php

# Copyright (c) 2009-2013 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
#   * Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#
#   * Redistributions in binary form must reproduce the above
#     copyright notice, this list of conditions and the following
#     disclaimer in the documentation and/or other materials provided
#     with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

define('S_OK', 'OK');
define('S_BAD_OTP', 'BAD_OTP');
define('S_REPLAYED_OTP', 'REPLAYED_OTP');
define('S_DELAYED_OTP', 'DELAYED_OTP');
define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');
define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');
define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');
define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');
define('S_BACKEND_ERROR', 'BACKEND_ERROR');
define('S_NOT_ENOUGH_ANSWERS', 'NOT_ENOUGH_ANSWERS');
define('S_REPLAYED_REQUEST', 'REPLAYED_REQUEST');


define('TS_SEC', 1/8);
define('TS_REL_TOLERANCE', 0.3);
define('TS_ABS_TOLERANCE', 20);

define('TOKEN_LEN', 32);
define('OTP_MAX_LEN', 48); // TOKEN_LEN plus public identity of 0..16

function logdie ($logger, $str)
{
  $logger->log(LOG_INFO, $str);
  die($str . "\n");
}

function getHttpVal($key, $defaultVal) {
	$val = $defaultVal;
	if (array_key_exists($key, $_GET)) {
		$val = $_GET[$key];
  	} else if (array_key_exists($key, $_POST)) {
  		$val = $_POST[$key];
  	}
  	$v = trim($val);
  	$v = str_replace('\\', "", $v);
  	return $v;
}

function log_format() {
  $str = "";
  foreach (func_get_args() as $msg)
    {
      if (is_array($msg)) {
	foreach($msg as $key => $value){
	  $str .= "$key=$value ";
	}
      } else {
	$str .= $msg . " ";
      }
    }
  return $str;
}

// Sign a http query string in the array of key-value pairs
// return b64 encoded hmac hash
function sign($a, $apiKey, $logger) {
	ksort($a);
	$qs = urldecode(http_build_query($a));

	// the TRUE at the end states we want the raw value, not hexadecimal form
	$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);
	$hmac = base64_encode($hmac);

	$logger->log(LOG_DEBUG, 'SIGN: ' . $qs . ' H=' . $hmac);

	return $hmac;

} // sign an array of query string

function curl_settings($logger, $ident, $handle, $url, $timeout, $curlopts)
{
	$logger->log(LOG_DEBUG, $ident . ' adding URL : ' . $url);

	curl_setopt($handle, CURLOPT_URL, $url);
	curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);
	curl_setopt($handle, CURLOPT_USERAGENT, 'YK-VAL');
	curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);
	curl_setopt($handle, CURLOPT_FAILONERROR, TRUE);

	if (is_array($curlopts) === FALSE)
	{
		$logger->log(LOG_WARN, $ident . 'curl options must be an array');
		return;
	}

	foreach ($curlopts as $key => $val)
	{
		if (curl_setopt($handle, $key, $val) === FALSE)
		{
			$logger->log(LOG_WARN, $ident . ' failed to set ' . curl_opt_name($key));
			continue;
		}
	}
}

// returns the string name of a curl constant,
//	or "curl option" if constant not found.
// e.g.
//  curl_opt_name(CURLOPT_URL) returns "CURLOPT_URL"
//  curl_opt_name(CURLOPT_BLABLA) returns "curl option"
function curl_opt_name($opt)
{
	$consts = get_defined_constants(true);
	$consts = $consts['curl'];

	$name = array_search($opt, $consts, TRUE);

	// array_search may return either on failure...
	if ($name === FALSE || $name === NULL)
		return 'curl option';

	return $name;
}

// This function takes a list of URLs.  It will return the content of
// the first successfully retrieved URL, whose content matches ^OK.
// The request are sent asynchronously.  Some of the URLs can fail
// with unknown host, connection errors, or network timeout, but as
// long as one of the URLs given work, data will be returned.  If all
// URLs fail, data from some URL that did not match parameter $match
// (defaults to ^OK) is returned, or if all URLs failed, false.
function retrieveURLasync($ident, $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10, $curlopts)
{
	$mh = curl_multi_init();
	$ch = array();

	foreach ($urls as $url)
	{
		$handle = curl_init();
		curl_settings($logger, $ident, $handle, $url, $timeout, $curlopts);
		curl_multi_add_handle($mh, $handle);
		$ch[$handle] = $handle;
	}

	$str = false;
	$ans_count = 0;
	$ans_arr = array();

	do
	{
		while (curl_multi_exec($mh, $active) == CURLM_CALL_MULTI_PERFORM);

		while ($info = curl_multi_info_read($mh))
		{
			$logger->log(LOG_DEBUG, $ident . " curl multi info : ", $info);

			if ($info['result'] == CURLE_OK)
			{
				$str = curl_multi_getcontent($info['handle']);
				$logger->log(LOG_DEBUG, "$ident curl multi content : $str");

				if (preg_match("/$match/", $str))
				{
					$logger->log(LOG_DEBUG, "$ident response matches $match");
					$error = curl_error($info['handle']);
					$errno = curl_errno($info['handle']);
					$cinfo = curl_getinfo($info['handle']);
					$logger->log(LOG_INFO, "$ident errno/error: $errno/$error", $cinfo);
					$ans_count++;

					if ($returl)
						$ans_arr[] = "url=" . $cinfo['url'] . "\n" . $str;
					else
						$ans_arr[] = $str;
				}

				if ($ans_count >= $ans_req)
				{
					foreach ($ch as $h)
					{
						curl_multi_remove_handle($mh, $h);
						curl_close($h);
					}
					curl_multi_close($mh);

					return $ans_arr;
				}

				curl_multi_remove_handle($mh, $info['handle']);
				curl_close($info['handle']);
				unset($ch[$info['handle']]);
			}

			curl_multi_select($mh);
		}
	}
	while($active);

	foreach ($ch as $h)
	{
		curl_multi_remove_handle($mh, $h);
		curl_close($h);
	}
	curl_multi_close($mh);

	if ($ans_count > 0)
		return $ans_arr;

	return $str;
}

function KSMdecryptOTP($urls, $logger, $curlopts)
{
	$ret = array();

	if (!is_array($urls))
	{
		$urls = array($urls);
	}

	$response = retrieveURLasync('YK-KSM', $urls, $logger, $ans_req=1, $match='^OK', $returl=False, $timeout=10, $curlopts);

	if (is_array($response))
	{
		$response = $response[0];
	}

	if ($response)
	{
		$logger->log(LOG_DEBUG, log_format('YK-KSM response: ', $response));
	}

	if (sscanf($response,
		'OK counter=%04x low=%04x high=%02x use=%02x',
		$ret['session_counter'],
		$ret['low'],
		$ret['high'],
		$ret['session_use'] !== 4)
	{
		return false;
	}

	return $ret;
}

function sendResp($status, $logger, $apiKey = '', $extra = null) {
  $a['status'] = $status;

  // 2008-11-21T06:11:55Z0711
  $t = substr(microtime(false), 2, 3);
  $t = gmdate('Y-m-d\TH:i:s\Z0') . $t;

  $a['t'] = $t;

  if ($extra)
    foreach ($extra as $param => $value)
      $a[$param] = $value;

  $h = sign($a, $apiKey, $logger);

  $str = "";
  $str .= "h=" . $h . "\r\n";
  $str .= "t=" . $a['t'] . "\r\n";

  if ($extra)
    foreach ($extra as $param => $value)
      $str .= $param . "=" . $value . "\r\n";

  $str .= "status=" . $a['status'] . "\r\n";
  $str .= "\r\n";

  $logger->log(LOG_INFO, "Response: " . $str . " (at " . gmdate("c") . " " . microtime() . ")");

  echo $str;
  exit;
}

// backport from PHP 5.6
if (function_exists('hash_equals') === FALSE)
{
	function hash_equals($a, $b)
	{
		// hashes are a (known) fixed length,
		//	so this doesn't leak anything.
		if (strlen($a) != strlen($b))
			return false;

		$result = 0;

		for ($i = 0; $i < strlen($a); $i++)
			$result |= ord($a[$i]) ^ ord($b[$i]);

		return (0 === $result);
	}
}
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`<?php`

			`# Copyright (c) 2009-2013 Yubico AB`
			`# All rights reserved.`
			`#`
			`# Redistribution and use in source and binary forms, with or without`
			`# modification, are permitted provided that the following conditions are`
			`# met:`
			`#`
			`# * Redistributions of source code must retain the above copyright`
			`# notice, this list of conditions and the following disclaimer.`
			`#`
			`# * Redistributions in binary form must reproduce the above`
			`# copyright notice, this list of conditions and the following`
			`# disclaimer in the documentation and/or other materials provided`
			`# with the distribution.`
			`#`
			`# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS`
			`# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT`
			`# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR`
			`# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT`
			`# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,`
			`# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT`
			`# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,`
			`# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY`
			`# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT`
			`# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE`
			`# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`

			`define('S_OK', 'OK');`
			`define('S_BAD_OTP', 'BAD_OTP');`
			`define('S_REPLAYED_OTP', 'REPLAYED_OTP');`
			`define('S_DELAYED_OTP', 'DELAYED_OTP');`
			`define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');`
			`define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');`
			`define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');`
			`define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');`
			`define('S_BACKEND_ERROR', 'BACKEND_ERROR');`
			`define('S_NOT_ENOUGH_ANSWERS', 'NOT_ENOUGH_ANSWERS');`
			`define('S_REPLAYED_REQUEST', 'REPLAYED_REQUEST');`


			`define('TS_SEC', 1/8);`
			`define('TS_REL_TOLERANCE', 0.3);`
			`define('TS_ABS_TOLERANCE', 20);`

			`define('TOKEN_LEN', 32);`
			`define('OTP_MAX_LEN', 48); // TOKEN_LEN plus public identity of 0..16`

			`function logdie ($logger, $str)`
			`{`
			`$logger->log(LOG_INFO, $str);`
			`die($str . "\n");`
			`}`

			`function getHttpVal($key, $defaultVal) {`
			`$val = $defaultVal;`
			`if (array_key_exists($key, $_GET)) {`
			`$val = $_GET[$key];`
			`} else if (array_key_exists($key, $_POST)) {`
			`$val = $_POST[$key];`
			`}`
Unwrap, only used here. 2015-07-16 22:14:36 +02:00			`$v = trim($val);`
Fix. - introduced bug in 0d03c2be29d394a7a8a9c9617481f4b6a5ff0556. 2015-07-17 10:11:43 +02:00			`$v = str_replace('\\', "", $v);`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`return $v;`
			`}`

			`function log_format() {`
			`$str = "";`
			`foreach (func_get_args() as $msg)`
			`{`
			`if (is_array($msg)) {`
			`foreach($msg as $key => $value){`
			`$str .= "$key=$value ";`
			`}`
			`} else {`
			`$str .= $msg . " ";`
			`}`
			`}`
			`return $str;`
			`}`

			`// Sign a http query string in the array of key-value pairs`
			`// return b64 encoded hmac hash`
			`function sign($a, $apiKey, $logger) {`
			`ksort($a);`
			`$qs = urldecode(http_build_query($a));`

			`// the TRUE at the end states we want the raw value, not hexadecimal form`
			`$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);`
			`$hmac = base64_encode($hmac);`

			`$logger->log(LOG_DEBUG, 'SIGN: ' . $qs . ' H=' . $hmac);`

			`return $hmac;`

			`} // sign an array of query string`

Prettify. 2015-07-16 22:26:10 +02:00			`function curl_settings($logger, $ident, $handle, $url, $timeout, $curlopts)`
			`{`
			`$logger->log(LOG_DEBUG, $ident . ' adding URL : ' . $url);`

			`curl_setopt($handle, CURLOPT_URL, $url);`
			`curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);`
			`curl_setopt($handle, CURLOPT_USERAGENT, 'YK-VAL');`
			`curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);`
			`curl_setopt($handle, CURLOPT_FAILONERROR, TRUE);`

			`if (is_array($curlopts) === FALSE)`
			`{`
			`$logger->log(LOG_WARN, $ident . 'curl options must be an array');`
			`return;`
			`}`
Allowed certain cURL options to be configurable. - When calling either URLs in the sync pool or the KSMs, the following curl options are configurable; CURLOPT_PROTOCOLS CURLOPT_IPRESOLVE CURLOPT_SSLVERSION CURLOPT_SSL_VERIFYPEER CURLOPT_SSL_VERIFYHOST CURLOPT_CAINFO CURLOPT_CAPATH 2015-04-13 17:35:02 +02:00
Prettify. 2015-07-16 22:26:10 +02:00			`foreach ($curlopts as $key => $val)`
			`{`
			`if (curl_setopt($handle, $key, $val) === FALSE)`
			`{`
			`$logger->log(LOG_WARN, $ident . ' failed to set ' . curl_opt_name($key));`
			`continue;`
			`}`
			`}`
Allowed certain cURL options to be configurable. - When calling either URLs in the sync pool or the KSMs, the following curl options are configurable; CURLOPT_PROTOCOLS CURLOPT_IPRESOLVE CURLOPT_SSLVERSION CURLOPT_SSL_VERIFYPEER CURLOPT_SSL_VERIFYHOST CURLOPT_CAINFO CURLOPT_CAPATH 2015-04-13 17:35:02 +02:00			`}`

Prettify. 2015-07-16 22:26:10 +02:00			`// returns the string name of a curl constant,`
Allowed certain cURL options to be configurable. - When calling either URLs in the sync pool or the KSMs, the following curl options are configurable; CURLOPT_PROTOCOLS CURLOPT_IPRESOLVE CURLOPT_SSLVERSION CURLOPT_SSL_VERIFYPEER CURLOPT_SSL_VERIFYHOST CURLOPT_CAINFO CURLOPT_CAPATH 2015-04-13 17:35:02 +02:00			`// or "curl option" if constant not found.`
			`// e.g.`
			`// curl_opt_name(CURLOPT_URL) returns "CURLOPT_URL"`
			`// curl_opt_name(CURLOPT_BLABLA) returns "curl option"`
Prettify. 2015-07-16 22:26:10 +02:00			`function curl_opt_name($opt)`
			`{`
			`$consts = get_defined_constants(true);`
			`$consts = $consts['curl'];`
Allowed certain cURL options to be configurable. - When calling either URLs in the sync pool or the KSMs, the following curl options are configurable; CURLOPT_PROTOCOLS CURLOPT_IPRESOLVE CURLOPT_SSLVERSION CURLOPT_SSL_VERIFYPEER CURLOPT_SSL_VERIFYHOST CURLOPT_CAINFO CURLOPT_CAPATH 2015-04-13 17:35:02 +02:00
Prettify. 2015-07-16 22:26:10 +02:00			`$name = array_search($opt, $consts, TRUE);`
Allowed certain cURL options to be configurable. - When calling either URLs in the sync pool or the KSMs, the following curl options are configurable; CURLOPT_PROTOCOLS CURLOPT_IPRESOLVE CURLOPT_SSLVERSION CURLOPT_SSL_VERIFYPEER CURLOPT_SSL_VERIFYHOST CURLOPT_CAINFO CURLOPT_CAPATH 2015-04-13 17:35:02 +02:00
Prettify. 2015-07-16 22:26:10 +02:00			`// array_search may return either on failure...`
			`if ($name === FALSE \|\| $name === NULL)`
			`return 'curl option';`
Allowed certain cURL options to be configurable. - When calling either URLs in the sync pool or the KSMs, the following curl options are configurable; CURLOPT_PROTOCOLS CURLOPT_IPRESOLVE CURLOPT_SSLVERSION CURLOPT_SSL_VERIFYPEER CURLOPT_SSL_VERIFYHOST CURLOPT_CAINFO CURLOPT_CAPATH 2015-04-13 17:35:02 +02:00
Prettify. 2015-07-16 22:26:10 +02:00			`return $name;`
Allowed certain cURL options to be configurable. - When calling either URLs in the sync pool or the KSMs, the following curl options are configurable; CURLOPT_PROTOCOLS CURLOPT_IPRESOLVE CURLOPT_SSLVERSION CURLOPT_SSL_VERIFYPEER CURLOPT_SSL_VERIFYHOST CURLOPT_CAINFO CURLOPT_CAPATH 2015-04-13 17:35:02 +02:00			`}`

Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`// This function takes a list of URLs. It will return the content of`
			`// the first successfully retrieved URL, whose content matches ^OK.`
			`// The request are sent asynchronously. Some of the URLs can fail`
			`// with unknown host, connection errors, or network timeout, but as`
			`// long as one of the URLs given work, data will be returned. If all`
			`// URLs fail, data from some URL that did not match parameter $match`
			`// (defaults to ^OK) is returned, or if all URLs failed, false.`
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`function retrieveURLasync($ident, $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10, $curlopts)`
			`{`
			`$mh = curl_multi_init();`
			`$ch = array();`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00
Refactor. - $id never used. 2015-07-17 22:03:49 +02:00			`foreach ($urls as $url)`
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`{`
			`$handle = curl_init();`
			`curl_settings($logger, $ident, $handle, $url, $timeout, $curlopts);`
			`curl_multi_add_handle($mh, $handle);`
			`$ch[$handle] = $handle;`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`}`

Cosmetic changes. 2015-07-17 21:54:51 +02:00			`$str = false;`
			`$ans_count = 0;`
			`$ans_arr = array();`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`do`
			`{`
Refactor. - $mrc never used. 2015-07-17 21:55:46 +02:00			`while (curl_multi_exec($mh, $active) == CURLM_CALL_MULTI_PERFORM);`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`while ($info = curl_multi_info_read($mh))`
			`{`
			`$logger->log(LOG_DEBUG, $ident . " curl multi info : ", $info);`

			`if ($info['result'] == CURLE_OK)`
			`{`
			`$str = curl_multi_getcontent($info['handle']);`
Refactor. - use string substitution rather than concatenation. 2015-07-17 22:00:11 +02:00			`$logger->log(LOG_DEBUG, "$ident curl multi content : $str");`
Cosmetic changes. 2015-07-17 21:57:16 +02:00
Refactor. - use string substitution rather than concatenation. 2015-07-17 22:00:11 +02:00			`if (preg_match("/$match/", $str))`
Cosmetic changes. 2015-07-17 21:57:16 +02:00			`{`
Refactor. - use string substitution rather than concatenation. 2015-07-17 22:00:11 +02:00			`$logger->log(LOG_DEBUG, "$ident response matches $match");`
Cosmetic changes. 2015-07-17 21:57:16 +02:00			`$error = curl_error($info['handle']);`
			`$errno = curl_errno($info['handle']);`
			`$cinfo = curl_getinfo($info['handle']);`
Refactor. - use string substitution rather than concatenation. 2015-07-17 22:00:11 +02:00			`$logger->log(LOG_INFO, "$ident errno/error: $errno/$error", $cinfo);`
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`$ans_count++;`
Cosmetic changes. 2015-07-17 22:04:09 +02:00
			`if ($returl)`
			`$ans_arr[] = "url=" . $cinfo['url'] . "\n" . $str;`
			`else`
			`$ans_arr[] = $str;`
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`}`

Cosmetic changes. 2015-07-17 21:57:16 +02:00			`if ($ans_count >= $ans_req)`
			`{`
			`foreach ($ch as $h)`
			`{`
			`curl_multi_remove_handle($mh, $h);`
			`curl_close($h);`
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`}`
Cosmetic changes. 2015-07-17 21:57:16 +02:00			`curl_multi_close($mh);`
Cosmetic changes. 2015-07-17 21:54:51 +02:00
			`return $ans_arr;`
			`}`

Cosmetic changes. 2015-07-17 21:57:16 +02:00			`curl_multi_remove_handle($mh, $info['handle']);`
			`curl_close($info['handle']);`
			`unset($ch[$info['handle']]);`
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`}`

Cosmetic changes. 2015-07-17 21:57:16 +02:00			`curl_multi_select($mh);`
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`}`
			`}`
			`while($active);`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`foreach ($ch as $h)`
			`{`
Cosmetic changes. 2015-07-17 21:57:16 +02:00			`curl_multi_remove_handle($mh, $h);`
			`curl_close($h);`
Cosmetic changes. 2015-07-17 21:54:51 +02:00			`}`
Cosmetic changes. 2015-07-17 21:57:16 +02:00			`curl_multi_close($mh);`
Cosmetic changes. 2015-07-17 21:54:51 +02:00
Cosmetic changes. 2015-07-17 22:04:09 +02:00			`if ($ans_count > 0)`
			`return $ans_arr;`

Cosmetic changes. 2015-07-17 21:54:51 +02:00			`return $str;`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`}`

Cosmetic changes. 2015-07-17 21:38:00 +02:00			`function KSMdecryptOTP($urls, $logger, $curlopts)`
			`{`
			`$ret = array();`
let the ksm decrypt function always call retrieveUrlAsync() fixes #12 2013-10-16 13:56:34 +02:00
Cosmetic changes. 2015-07-17 21:38:00 +02:00			`if (!is_array($urls))`
			`{`
			`$urls = array($urls);`
			`}`

Refactor. - enable strict comparison for sscanf result. - use single quotes where possible. - styling. 2015-07-17 21:50:28 +02:00			`$response = retrieveURLasync('YK-KSM', $urls, $logger, $ans_req=1, $match='^OK', $returl=False, $timeout=10, $curlopts);`
Cosmetic changes. 2015-07-17 21:38:00 +02:00
			`if (is_array($response))`
			`{`
			`$response = $response[0];`
			`}`

			`if ($response)`
			`{`
Refactor. - enable strict comparison for sscanf result. - use single quotes where possible. - styling. 2015-07-17 21:50:28 +02:00			`$logger->log(LOG_DEBUG, log_format('YK-KSM response: ', $response));`
Cosmetic changes. 2015-07-17 21:38:00 +02:00			`}`

Refactor. - enable strict comparison for sscanf result. - use single quotes where possible. - styling. 2015-07-17 21:50:28 +02:00			`if (sscanf($response,`
			`'OK counter=%04x low=%04x high=%02x use=%02x',`
			`$ret['session_counter'],`
			`$ret['low'],`
			`$ret['high'],`
			`$ret['session_use'] !== 4)`
Cosmetic changes. 2015-07-17 21:38:00 +02:00			`{`
			`return false;`
			`}`

			`return $ret;`
Prettify. 2015-07-16 22:26:10 +02:00			`}`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00
			`function sendResp($status, $logger, $apiKey = '', $extra = null) {`
			`$a['status'] = $status;`
Refactor. - unwrap getUTCTimeStamp() - use gmdate() instead of date_default_timezone_set('UTC') + date() 2015-07-17 00:42:42 +02:00
			`// 2008-11-21T06:11:55Z0711`
			`$t = substr(microtime(false), 2, 3);`
Refactor. - gmdate(, $x) already defaults to time() 2015-07-17 00:43:11 +02:00			`$t = gmdate('Y-m-d\TH:i:s\Z0') . $t;`
Refactor. - unwrap getUTCTimeStamp() - use gmdate() instead of date_default_timezone_set('UTC') + date() 2015-07-17 00:42:42 +02:00
			`$a['t'] = $t;`
Refactor. - improve readability. 2015-07-17 00:29:22 +02:00
			`if ($extra)`
			`foreach ($extra as $param => $value)`
			`$a[$param] = $value;`

Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`$h = sign($a, $apiKey, $logger);`

Cosmetic changes. - readability. 2015-07-17 00:33:53 +02:00			`$str = "";`
			`$str .= "h=" . $h . "\r\n";`
Refactor. - improve readability. 2015-07-17 00:29:22 +02:00			`$str .= "t=" . $a['t'] . "\r\n";`
Cosmetic changes. - readability. 2015-07-17 00:33:53 +02:00
			`if ($extra)`
			`foreach ($extra as $param => $value)`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`$str .= $param . "=" . $value . "\r\n";`
Cosmetic changes. - readability. 2015-07-17 00:33:53 +02:00
Refactor. - improve readability. 2015-07-17 00:29:22 +02:00			`$str .= "status=" . $a['status'] . "\r\n";`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`$str .= "\r\n";`

Refactor. - unwrap getUTCTimeStamp() - use gmdate() instead of date_default_timezone_set('UTC') + date() 2015-07-17 00:42:42 +02:00			`$logger->log(LOG_INFO, "Response: " . $str . " (at " . gmdate("c") . " " . microtime() . ")");`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00
			`echo $str;`
Refactor. - after each sendResp() we had an exit; - move exit; inside sendResp() function instead. 2015-07-16 22:47:16 +02:00			`exit;`
Use LF as EOL consistently. 2013-04-17 17:24:50 +02:00			`}`
Use constant time string comparisson for validating HMAC signature (fixes #26). 2014-09-27 15:40:53 +02:00
Prettify hash_equals. 2015-07-16 22:19:47 +02:00			`// backport from PHP 5.6`
			`if (function_exists('hash_equals') === FALSE)`
			`{`
			`function hash_equals($a, $b)`
			`{`
			`// hashes are a (known) fixed length,`
			`// so this doesn't leak anything.`
			`if (strlen($a) != strlen($b))`
			`return false;`
Use constant time string comparisson for validating HMAC signature (fixes #26). 2014-09-27 15:40:53 +02:00
Prettify hash_equals. 2015-07-16 22:19:47 +02:00			`$result = 0;`

			`for ($i = 0; $i < strlen($a); $i++)`
			`$result \|= ord($a[$i]) ^ ord($b[$i]);`

			`return (0 === $result);`
			`}`
Use constant time string comparisson for validating HMAC signature (fixes #26). 2014-09-27 15:40:53 +02:00			`}`