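<?php
/*
 * ykval-sync.php
 *
 * Endpoint that receives a counter-synchronisation request from another
 * validation server in the sync pool, applies it to the local counters and
 * answers with the local state for the same YubiKey.
 *
 * Flow: check the DB connection -> authorise the peer by its socket address
 * -> require every protocol parameter -> load the local row for the key ->
 * update counters and log replay/out-of-sync warnings -> reply with S_OK and
 * the local counters.
 */

require_once 'ykval-common.php';
require_once 'ykval-config.php';
require_once 'ykval-synclib.php';

/* Server-to-server sync carries no client API key, so every response is
   sent with an empty key. */
$apiKey = '';

header("content-type: text/plain");

/* NOTE(review): the raw query string includes the OTP being synchronised,
   so this line writes it to the log wherever debug() output is enabled. */
debug("Request: " . $_SERVER['QUERY_STRING']);

$sync = new SyncLib('ykval-sync');
if (! $sync->isConnected()) {
  sendResp(S_BACKEND_ERROR, $apiKey);
  exit;
}

#
# Verify that request comes from valid server
#
/* REMOTE_ADDR is the TCP peer address seen by this process, not a header the
   requester controls; behind a reverse proxy it is the proxy's address, so
   the pool list must then name the proxy rather than the peer. */
$sync->log('notice', 'remote request ip is ' . $_SERVER['REMOTE_ADDR']);

$allowed = false;
foreach ($baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] as $server) {
  $sync->log('notice', 'checking against ip ' . $server);
  /* Strict comparison: both sides are plain address strings, and loose
     comparison of strings applies numeric-string rules. */
  if ($_SERVER['REMOTE_ADDR'] === $server) {
    $sync->log('notice', 'server ' . $server . ' is allower');
    $allowed = true;
    break;
  }
}
if (!$allowed) {
  sendResp(S_OPERATION_NOT_ALLOWED, $apiKey);
  exit;
}

#
# Define requirements on protocoll
#
/* Every key below must be present in the request; the values are filled in
   from the HTTP parameters further down. */
$syncParams = array(
  'modified'      => null,
  'otp'           => null,
  'nonce'         => null,
  'yk_publicname' => null,
  'yk_counter'    => null,
  'yk_use'        => null,
  'yk_high'       => null,
  'yk_low'        => null,
);

#
# Extract values from HTTP request
#
$tmp_log = "ykval-sync received ";
foreach (array_keys($syncParams) as $param) {
  $value = getHttpVal($param, null);
  /* A missing or empty parameter is a protocol violation. "0" is a valid
     counter value and is deliberately accepted (it was also accepted by the
     former loose `== null` test, which this spells out explicitly). */
  if ($value === null || $value === '') {
    debug("ykval-sync recevied request with parameter[s] missing");
    sendResp(S_MISSING_PARAMETER, '');
    exit;
  }
  $syncParams[$param] = $value;
  /* Fix: this previously appended to an undefined $local_log, so the
     received parameters never reached the debug line after the loop. */
  $tmp_log .= "$param=$value ";
}
debug($tmp_log);

#
# Get local counter data
#
$yk_publicname = $syncParams['yk_publicname'];
/* Snapshot of the local row taken BEFORE updateDbCounters() below; the
   replay/out-of-sync comparisons are made against this pre-update state. */
$localParams = $sync->getLocalParams($yk_publicname);
if (!$localParams) {
  debug('Invalid Yubikey ' . $yk_publicname);
  sendResp(S_BACKEND_ERROR, $apiKey);
  exit;
}

/* Loose comparison on purpose: the DB layer may hand back "1" or 1. */
if ($localParams['active'] != 1) {
  debug('De-activated Yubikey ' . $yk_publicname);
  sendResp(S_BAD_OTP, $apiKey);
  exit;
}

#
# Compare sync and local counters and generate warnings according to
#
# http://code.google.com/p/yubikey-val-server-php/wiki/ServerReplicationProtocol
#

/* Conditional update local database */
$sync->updateDbCounters($syncParams);

if ($sync->countersHigherThan($localParams, $syncParams)) {
  /* sync counters are lower than local counters */
  $sync->log('warning', 'Remote server out of sync. Local params ' , $localParams);
  $sync->log('warning', 'Remote server out of sync. Sync params ' , $syncParams);
}

if ($sync->countersEqual($localParams, $syncParams)) {
  /* sync counters are equal to local counters. */

  /* Both values are compared as strings: the HTTP side is always a string
     and the DB side may be an int, and a loose `==` would treat numerically
     equivalent but different strings (e.g. "0100" vs "100") as equal, hiding
     a replay. */
  if ((string) $syncParams['modified'] === (string) $localParams['modified']) {
    /* sync modified is equal to local modified.
       Sync request is unnessecarily sent, we log a "light" warning */
    $sync->log('warning', 'Sync request unnessecarily sent');
  } else {
    /* sync modified is not equal to local modified.
       We have an OTP replay attempt somewhere in the system */
    $sync->log('warning', 'Replayed OTP attempt. Modified differs. Local ', $localParams);
    $sync->log('warning', 'Replayed OTP attempt. Modified differs. Sync ', $syncParams);
  }

  if ((string) $syncParams['nonce'] !== (string) $localParams['nonce']) {
    $sync->log('warning', 'Replayed OTP attempt. Nonce differs. Local ', $localParams);
    $sync->log('warning', 'Replayed OTP attempt. Nonce differs. Sync ', $syncParams);
  }
}

/* Reply with the local state (pre-update snapshot) so the peer can run the
   same comparison on its side. */
$extra = array(
  'modified'      => $localParams['modified'],
  'nonce'         => $localParams['nonce'],
  'yk_publicname' => $yk_publicname,
  'yk_counter'    => $localParams['yk_counter'],
  'yk_use'        => $localParams['yk_use'],
  'yk_high'       => $localParams['yk_high'],
  'yk_low'        => $localParams['yk_low'],
);

sendResp(S_OK, '', $extra);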