yubikey-val/ykval-common.php

<?php

require_once('ykval-log.php');

define('S_OK', 'OK');
define('S_BAD_OTP', 'BAD_OTP');
define('S_REPLAYED_OTP', 'REPLAYED_OTP');
define('S_DELAYED_OTP', 'DELAYED_OTP');
define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');
define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');
define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');
define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');
define('S_BACKEND_ERROR', 'BACKEND_ERROR');
define('S_NOT_ENOUGH_ANSWERS', 'NOT_ENOUGH_ANSWERS');
define('S_REPLAYED_REQUEST', 'REPLAYED_REQUEST');


define('TS_SEC', 1/8);
define('TS_REL_TOLERANCE', 0.3);
define('TS_ABS_TOLERANCE', 20);

define('TOKEN_LEN', 32);

global $ykval_common_log;
$ykval_common_log = new Log('ykval-common');

function logdie ($str)
{
  global $ykval_common_log;
  $ykval_common_log->log(LOG_INFO, $str);
  die($str . "\n");
}

function unescape($s) {
	return str_replace('\\', "", $s);
}

function getHttpVal($key, $defaultVal) {
	$val = $defaultVal;
	if (array_key_exists($key, $_GET)) {
		$val = $_GET[$key];
  	} else if (array_key_exists($key, $_POST)) {
  		$val = $_POST[$key];
  	}
  	$v = unescape(trim($val));
  	return $v;
}

function debug() {
  $str = "";
  foreach (func_get_args() as $msg)
    {
      if (is_array($msg)) {
	foreach($msg as $key => $value){
	  $str .= "$key=$value ";
	}
      } else {
	$str .= $msg . " ";
      }
    }
  global $ykval_common_log;
  $ykval_common_log->log(LOG_DEBUG, $str);
}

// Return eg. 2008-11-21T06:11:55Z0711
//            
function getUTCTimeStamp() {
	date_default_timezone_set('UTC');
	$tiny = substr(microtime(false), 2, 3);
	return date('Y-m-d\TH:i:s\Z0', time()) . $tiny;
}

# NOTE: When we evolve to using general DB-interface, this functinality
# should be moved there. 
function DbTimeToUnix($db_time)
{
  $unix=strptime($db_time, '%F %H:%M:%S');
  return mktime($unix[tm_hour], $unix[tm_min], $unix[tm_sec], $unix[tm_mon]+1, $unix[tm_mday], $unix[tm_year]+1900);
}

function UnixToDbTime($unix)
{
  return date('Y-m-d H:i:s', $unix);
}  

// Sign a http query string in the array of key-value pairs
// return b64 encoded hmac hash
function sign($a, $apiKey) {
	ksort($a);
	$qs = '';
	$n = count($a);
	$i = 0;
	foreach (array_keys($a) as $key) {
		$qs .= trim($key).'='.trim($a[$key]);
		if (++$i < $n) {
			$qs .= '&';
		}
	}
	
	// the TRUE at the end states we want the raw value, not hexadecimal form
	$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);
	$hmac = base64_encode($hmac);

	debug('SIGN: ' . $qs . ' H=' . $hmac);

	return $hmac;
		
} // sign an array of query string

function hex2b64 ($hex_str) {
  $bin = pack("H*", $hex_str);
  return base64_encode($bin);
}

function modhex2b64 ($modhex_str) {
  $hex_str = strtr ($modhex_str, "cbdefghijklnrtuv", "0123456789abcdef");
  return hex2b64($hex_str);
}

// This function takes a list of URLs.  It will return the content of
// the first successfully retrieved URL, whose content matches ^OK.
// The request are sent asynchronously.  Some of the URLs can fail
// with unknown host, connection errors, or network timeout, but as
// long as one of the URLs given work, data will be returned.  If all
// URLs fail, data from some URL that did not match parameter $match 
// (defaults to ^OK) is returned, or if all URLs failed, false.
function retrieveURLasync ($urls, $ans_req=1, $match="^OK", $returl=False) {
  $mh = curl_multi_init();

  $ch = array();
  foreach ($urls as $id => $url) {
    $handle = curl_init();
    debug("url is: " . $url);
    curl_setopt($handle, CURLOPT_URL, $url);
    curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL");
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($handle, CURLOPT_FAILONERROR, true);
    curl_setopt($handle, CURLOPT_TIMEOUT, 10);

    curl_multi_add_handle($mh, $handle);

    $ch[$handle] = $handle;
  }

  $str = false;
  $ans_count = 0;
  $ans_arr = array();

  do {
    while (($mrc = curl_multi_exec($mh, $active)) == CURLM_CALL_MULTI_PERFORM)
      ;

    while ($info = curl_multi_info_read($mh)) {
      debug ("YK-KSM multi", $info);
      if ($info['result'] == CURL_OK) {
	$str = curl_multi_getcontent($info['handle']);
	debug($str);
	if (preg_match("/".$match."/", $str)) {
	  $error = curl_error ($info['handle']);
	  $errno = curl_errno ($info['handle']);
	  $cinfo = curl_getinfo ($info['handle']);
	  debug("YK-KSM errno/error: " . $errno . "/" . $error, $cinfo);
	  $ans_count++;
	  debug("found entry");
	  if ($returl) $ans_arr[]="url=" . $cinfo['url'] . "\n" . $str;
	  else $ans_arr[]=$str;
	}

	if ($ans_count >= $ans_req) {
	  foreach ($ch as $h) {
	    curl_multi_remove_handle ($mh, $h);
	    curl_close ($h);
	  }
	  curl_multi_close ($mh);
	  
	  if ($ans_count==1) return $ans_arr[0];
	  else return $ans_arr;
	}
	
	curl_multi_remove_handle ($mh, $info['handle']);
	curl_close ($info['handle']);
	unset ($ch[$info['handle']]);
      }

      curl_multi_select ($mh);
    }
  } while($active);

  foreach ($ch as $h) {
    curl_multi_remove_handle ($mh, $h);
    curl_close ($h);
  }
  curl_multi_close ($mh);

  return $str;
}

function retrieveURLsimple ($url, $match="^OK") {
  foreach (file($url) as $line) {
    if (preg_match("/".$match."/", $line)) {
      return $line;
    }
  }
  return false;
}

// $otp: A yubikey OTP
function KSMdecryptOTP($urls) {
  $ret = array();
  if (!is_array($urls)) {
    $response = retrieveURLsimple ($urls);
  } elseif (count($urls) == 1) {
    $response = retrieveURLsimple ($urls[0]);
  } else {
    $response = retrieveURLasync ($urls);
  }
  if ($response) {
    debug("YK-KSM response: " . $response);
  }
  if (sscanf ($response,
	      "OK counter=%04x low=%04x high=%02x use=%02x",
	      $ret["session_counter"], $ret["low"], $ret["high"],
	      $ret["session_use"]) != 4) {
    return false;
  }
  return $ret;
} // End decryptOTP

function sendResp($status, $apiKey = '', $extra = null) {
  if ($status == null) {
    $status = S_BACKEND_ERROR;
  }

  $a['status'] = $status;
  $a['t'] = getUTCTimeStamp();
  if ($extra){
    foreach ($extra as $param => $value) $a[$param] = $value;
  }
  $h = sign($a, $apiKey);

  echo "h=" . $h . "\r\n";
  echo "t=" . ($a['t']) . "\r\n";
  if ($extra){
    foreach ($extra as $param => $value) {
      echo $param . "=" . $value . "\r\n";
    }
  }
  echo "status=" . ($a['status']) . "\r\n";
  echo "\r\n";
}
?>
add key 2008-09-26 05:21:11 +02:00			`<?php`
Cleanup. 2009-03-11 02:42:23 +01:00
Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`require_once('ykval-log.php');`

add key 2008-09-26 05:21:11 +02:00			`define('S_OK', 'OK');`
			`define('S_BAD_OTP', 'BAD_OTP');`
			`define('S_REPLAYED_OTP', 'REPLAYED_OTP');`
Improve checking of OTPs. 2009-03-11 01:19:59 +01:00			`define('S_DELAYED_OTP', 'DELAYED_OTP');`
add key 2008-09-26 05:21:11 +02:00			`define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');`
			`define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');`
Make it work. 2009-03-10 23:01:46 +01:00			`define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');`
add key 2008-09-26 05:21:11 +02:00			`define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');`
			`define('S_BACKEND_ERROR', 'BACKEND_ERROR');`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`define('S_NOT_ENOUGH_ANSWERS', 'NOT_ENOUGH_ANSWERS');`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`define('S_REPLAYED_REQUEST', 'REPLAYED_REQUEST');`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00
Cleanup. 2009-03-11 02:42:23 +01:00
			`define('TS_SEC', 1/8);`
Use absolute timestamp tolerance as well. 2009-03-11 01:26:57 +01:00			`define('TS_REL_TOLERANCE', 0.3);`
			`define('TS_ABS_TOLERANCE', 20);`
add key 2008-09-26 05:21:11 +02:00
Don't hard code prefix length. 2009-03-18 12:00:48 +01:00			`define('TOKEN_LEN', 32);`
Make standalone. 2009-03-10 23:50:35 +01:00
Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`global $ykval_common_log;`
			`$ykval_common_log = new Log('ykval-common');`

Lay foundation for get-api-key service. 2009-08-28 12:55:56 +02:00			`function logdie ($str)`
			`{`
Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`global $ykval_common_log;`
More debugging. 2010-02-22 14:17:52 +01:00			`$ykval_common_log->log(LOG_INFO, $str);`
Lay foundation for get-api-key service. 2009-08-28 12:55:56 +02:00			`die($str . "\n");`
			`}`

Make standalone. 2009-03-10 23:50:35 +01:00			`function unescape($s) {`
			`return str_replace('\\', "", $s);`
			`}`

			`function getHttpVal($key, $defaultVal) {`
			`$val = $defaultVal;`
			`if (array_key_exists($key, $_GET)) {`
			`$val = $_GET[$key];`
			`} else if (array_key_exists($key, $_POST)) {`
			`$val = $_POST[$key];`
			`}`
			`$v = unescape(trim($val));`
			`return $v;`
			`}`

Support parallel queries to multiple KSMs. 2009-04-27 19:57:24 +02:00			`function debug() {`
			`$str = "";`
			`foreach (func_get_args() as $msg)`
			`{`
			`if (is_array($msg)) {`
			`foreach($msg as $key => $value){`
			`$str .= "$key=$value ";`
			`}`
			`} else {`
			`$str .= $msg . " ";`
			`}`
Code cleanups. 2009-03-11 01:54:19 +01:00			`}`
Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`global $ykval_common_log;`
			`$ykval_common_log->log(LOG_DEBUG, $str);`
add key 2008-09-26 05:21:11 +02:00			`}`

Make getUTCTimeStamp return milliseconds too, similar to Java server. 2009-03-10 20:01:07 +01:00			`// Return eg. 2008-11-21T06:11:55Z0711`
No time zone, UTC default 2008-11-21 07:41:13 +01:00			`//`
2008-09-27 11:04:49 +02:00			`function getUTCTimeStamp() {`
			`date_default_timezone_set('UTC');`
Make getUTCTimeStamp return milliseconds too, similar to Java server. 2009-03-10 20:01:07 +01:00			`$tiny = substr(microtime(false), 2, 3);`
			`return date('Y-m-d\TH:i:s\Z0', time()) . $tiny;`
2008-09-27 11:04:49 +02:00			`}`

Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`# NOTE: When we evolve to using general DB-interface, this functinality`
			`# should be moved there.`
			`function DbTimeToUnix($db_time)`
			`{`
			`$unix=strptime($db_time, '%F %H:%M:%S');`
			`return mktime($unix[tm_hour], $unix[tm_min], $unix[tm_sec], $unix[tm_mon]+1, $unix[tm_mday], $unix[tm_year]+1900);`
			`}`

			`function UnixToDbTime($unix)`
			`{`
			`return date('Y-m-d H:i:s', $unix);`
			`}`

2008-09-27 11:04:49 +02:00			`// Sign a http query string in the array of key-value pairs`
			`// return b64 encoded hmac hash`
More cleanups. 2009-03-11 03:06:02 +01:00			`function sign($a, $apiKey) {`
2008-09-27 11:04:49 +02:00			`ksort($a);`
			`$qs = '';`
			`$n = count($a);`
			`$i = 0;`
			`foreach (array_keys($a) as $key) {`
2008-11-21 22:41:26 +01:00			`$qs .= trim($key).'='.trim($a[$key]);`
2008-09-27 11:04:49 +02:00			`if (++$i < $n) {`
			`$qs .= '&';`
			`}`
			`}`

			`// the TRUE at the end states we want the raw value, not hexadecimal form`
			`$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);`
			`$hmac = base64_encode($hmac);`
Improve debugging. 2009-03-11 02:53:38 +01:00
			`debug('SIGN: ' . $qs . ' H=' . $hmac);`

2008-09-27 11:04:49 +02:00			`return $hmac;`

sign example 2008-10-08 08:29:19 +02:00			`} // sign an array of query string`
2008-09-27 11:04:49 +02:00
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`function hex2b64 ($hex_str) {`
			`$bin = pack("H*", $hex_str);`
			`return base64_encode($bin);`
Make standalone. 2009-03-10 23:50:35 +01:00			`}`

Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`function modhex2b64 ($modhex_str) {`
			`$hex_str = strtr ($modhex_str, "cbdefghijklnrtuv", "0123456789abcdef");`
			`return hex2b64($hex_str);`
Make standalone. 2009-03-10 23:50:35 +01:00			`}`

Re-add, some duplication but needed by KSMdecryptOTP. 2010-02-22 13:55:29 +01:00			`// This function takes a list of URLs. It will return the content of`
			`// the first successfully retrieved URL, whose content matches ^OK.`
			`// The request are sent asynchronously. Some of the URLs can fail`
			`// with unknown host, connection errors, or network timeout, but as`
			`// long as one of the URLs given work, data will be returned. If all`
			`// URLs fail, data from some URL that did not match parameter $match`
			`// (defaults to ^OK) is returned, or if all URLs failed, false.`
			`function retrieveURLasync ($urls, $ans_req=1, $match="^OK", $returl=False) {`
			`$mh = curl_multi_init();`

			`$ch = array();`
			`foreach ($urls as $id => $url) {`
			`$handle = curl_init();`
			`debug("url is: " . $url);`
			`curl_setopt($handle, CURLOPT_URL, $url);`
			`curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL");`
			`curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);`
			`curl_setopt($handle, CURLOPT_FAILONERROR, true);`
			`curl_setopt($handle, CURLOPT_TIMEOUT, 10);`

			`curl_multi_add_handle($mh, $handle);`

			`$ch[$handle] = $handle;`
			`}`

			`$str = false;`
			`$ans_count = 0;`
			`$ans_arr = array();`

			`do {`
			`while (($mrc = curl_multi_exec($mh, $active)) == CURLM_CALL_MULTI_PERFORM)`
			`;`

			`while ($info = curl_multi_info_read($mh)) {`
			`debug ("YK-KSM multi", $info);`
			`if ($info['result'] == CURL_OK) {`
			`$str = curl_multi_getcontent($info['handle']);`
			`debug($str);`
			`if (preg_match("/".$match."/", $str)) {`
			`$error = curl_error ($info['handle']);`
			`$errno = curl_errno ($info['handle']);`
			`$cinfo = curl_getinfo ($info['handle']);`
			`debug("YK-KSM errno/error: " . $errno . "/" . $error, $cinfo);`
			`$ans_count++;`
			`debug("found entry");`
			`if ($returl) $ans_arr[]="url=" . $cinfo['url'] . "\n" . $str;`
			`else $ans_arr[]=$str;`
			`}`

			`if ($ans_count >= $ans_req) {`
			`foreach ($ch as $h) {`
			`curl_multi_remove_handle ($mh, $h);`
			`curl_close ($h);`
			`}`
			`curl_multi_close ($mh);`

			`if ($ans_count==1) return $ans_arr[0];`
			`else return $ans_arr;`
			`}`

			`curl_multi_remove_handle ($mh, $info['handle']);`
			`curl_close ($info['handle']);`
			`unset ($ch[$info['handle']]);`
			`}`

			`curl_multi_select ($mh);`
			`}`
			`} while($active);`

			`foreach ($ch as $h) {`
			`curl_multi_remove_handle ($mh, $h);`
			`curl_close ($h);`
			`}`
			`curl_multi_close ($mh);`

			`return $str;`
			`}`

When there is only one KSM, use more portable code without async. Patch from arte42.ripe in issue #7. 2010-05-17 15:08:48 +02:00			`function retrieveURLsimple ($url, $match="^OK") {`
			`foreach (file($url) as $line) {`
			`if (preg_match("/".$match."/", $line)) {`
			`return $line;`
			`}`
			`}`
			`return false;`
			`}`

Support parallel queries to multiple KSMs. 2009-04-27 19:57:24 +02:00			`// $otp: A yubikey OTP`
			`function KSMdecryptOTP($urls) {`
			`$ret = array();`
When there is only one KSM, use more portable code without async. Patch from arte42.ripe in issue #7. 2010-05-17 15:08:48 +02:00			`if (!is_array($urls)) {`
			`$response = retrieveURLsimple ($urls);`
			`} elseif (count($urls) == 1) {`
			`$response = retrieveURLsimple ($urls[0]);`
			`} else {`
			`$response = retrieveURLasync ($urls);`
			`}`
Support parallel queries to multiple KSMs. 2009-04-27 19:57:24 +02:00			`if ($response) {`
			`debug("YK-KSM response: " . $response);`
			`}`
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`if (sscanf ($response,`
Reorder high/low to match internal order. 2009-03-18 16:16:18 +01:00			`"OK counter=%04x low=%04x high=%02x use=%02x",`
Reorder high/low to match internal order. 2009-03-18 16:21:50 +01:00			`$ret["session_counter"], $ret["low"], $ret["high"],`
			`$ret["session_use"]) != 4) {`
Use YKKSM instead of local secret. Remove more code. 2009-03-11 02:37:07 +01:00			`return false;`
			`}`
			`return $ret;`
			`} // End decryptOTP`
Make standalone. 2009-03-10 23:50:35 +01:00
Added option to get timestamp and session counters in the response. Use with verify?id=x&otp=xxx..&timestamp=1 returns timestamp, sessoncounter and session use in response 2009-10-05 16:53:28 +02:00			`function sendResp($status, $apiKey = '', $extra = null) {`
Cleanups. 2009-05-06 17:07:05 +02:00			`if ($status == null) {`
			`$status = S_BACKEND_ERROR;`
			`}`

			`$a['status'] = $status;`
			`$a['t'] = getUTCTimeStamp();`
Added option to get timestamp and session counters in the response. Use with verify?id=x&otp=xxx..&timestamp=1 returns timestamp, sessoncounter and session use in response 2009-10-05 16:53:28 +02:00			`if ($extra){`
			`foreach ($extra as $param => $value) $a[$param] = $value;`
			`}`
Cleanups. 2009-05-06 17:07:05 +02:00			`$h = sign($a, $apiKey);`

			`echo "h=" . $h . "\r\n";`
			`echo "t=" . ($a['t']) . "\r\n";`
Added option to get timestamp and session counters in the response. Use with verify?id=x&otp=xxx..&timestamp=1 returns timestamp, sessoncounter and session use in response 2009-10-05 16:53:28 +02:00			`if ($extra){`
			`foreach ($extra as $param => $value) {`
			`echo $param . "=" . $value . "\r\n";`
			`}`
			`}`
Cleanups. 2009-05-06 17:07:05 +02:00			`echo "status=" . ($a['status']) . "\r\n";`
			`echo "\r\n";`
			`}`
add key 2008-09-26 05:21:11 +02:00			`?>`