yubikey-val/common.php

<?php
define('S_OK', 'OK');
define('S_BAD_OTP', 'BAD_OTP');
define('S_BAD_CLIENT', 'BAD_CLIENT'); // New, added by paul 20080920
define('S_REPLAYED_OTP', 'REPLAYED_OTP');
define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');
define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');
//define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT'); // Deprecated by paul 20080920
define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');
define('S_BACKEND_ERROR', 'BACKEND_ERROR');
define('S_SECURITY_ERROR', 'SECURITY_ERROR');
define('TS_SEC', 0.119);
define('TS_TOLERANCE', 0.3);

function debug($msg, $exit = false) {
	global $trace;
	if ($trace) {
		if (is_array($msg)) {
			//print_r($msg);
		} else {
			echo '<p>Debug> ' . $msg;
		}
		echo "\n";
	}
	if ($exit) {
		die('<font color=red><h4>Exit</h4></font>');
	}
}

function genRandRaw($len) {
	$h = hash_hmac('sha1', rand(9999,9999999), 'dj*ccbcuiiurubrvnubcdluul', true);
	$a = str_split($h);
	//print_r($a);
	$a = array_slice($a, 0, $len);
	//print_r($a);
	$s = implode($a);
	//outputToFile('out', $s);
	return $s;
}

// Return eg. 2008-11-21T06:11:55Z0711
//            
function getUTCTimeStamp() {
	date_default_timezone_set('UTC');
	$tiny = substr(microtime(false), 2, 3);
	return date('Y-m-d\TH:i:s\Z0', time()) . $tiny;
}

// Sign a http query string in the array of key-value pairs
// return b64 encoded hmac hash
function sign($a, $apiKey, $debug=false) {
	ksort($a);
	$qs = '';
	$n = count($a);
	$i = 0;
	foreach (array_keys($a) as $key) {
		$qs .= trim($key).'='.trim($a[$key]);
		if (++$i < $n) {
			$qs .= '&';
		}
	}
	
	// Generate the signature
//	debug('API key: '.base64_encode($apiKey)); // API key of the client
	debug('SIGN: '.$qs);
	
	// the TRUE at the end states we want the raw value, not hexadecimal form
	$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);
	$hmac = base64_encode($hmac);
	if ($debug) {
		debug('h='.$hmac);		
	}
	return $hmac;
		
} // sign an array of query string

function outputToFile($outFname, $content, $mode, $append = false) {
	$out = fopen($outFname, ($append ? "a" : "w"));
	fwrite($out, $content);
	fclose($out);
}
?>
add key 2008-09-26 05:21:11 +02:00			`<?php`
			`define('S_OK', 'OK');`
			`define('S_BAD_OTP', 'BAD_OTP');`
			`define('S_BAD_CLIENT', 'BAD_CLIENT'); // New, added by paul 20080920`
			`define('S_REPLAYED_OTP', 'REPLAYED_OTP');`
			`define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');`
			`define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');`
			`//define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT'); // Deprecated by paul 20080920`
			`define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');`
			`define('S_BACKEND_ERROR', 'BACKEND_ERROR');`
Use time stamp to prevent OTP phishing 2008-12-03 08:49:32 +01:00			`define('S_SECURITY_ERROR', 'SECURITY_ERROR');`
fine tune time per tick 2008-12-03 20:38:55 +01:00			`define('TS_SEC', 0.119);`
Use time stamp to prevent OTP phishing 2008-12-03 08:49:32 +01:00			`define('TS_TOLERANCE', 0.3);`
add key 2008-09-26 05:21:11 +02:00
Fix rand# gen 2008-09-26 07:00:41 +02:00			`function debug($msg, $exit = false) {`
add key 2008-09-26 05:21:11 +02:00			`global $trace;`
			`if ($trace) {`
			`if (is_array($msg)) {`
sign example 2008-10-08 08:29:19 +02:00			`//print_r($msg);`
add key 2008-09-26 05:21:11 +02:00			`} else {`
sign example 2008-10-08 08:29:19 +02:00			`echo '<p>Debug> ' . $msg;`
add key 2008-09-26 05:21:11 +02:00			`}`
			`echo "\n";`
			`}`
			`if ($exit) {`
Fix rand# gen 2008-09-26 07:00:41 +02:00			`die('<font color=red><h4>Exit</h4></font>');`
add key 2008-09-26 05:21:11 +02:00			`}`
			`}`

Fix rand# gen 2008-09-26 07:00:41 +02:00			`function genRandRaw($len) {`
			`$h = hash_hmac('sha1', rand(9999,9999999), 'dj*ccbcuiiurubrvnubcdluul', true);`
			`$a = str_split($h);`
			`//print_r($a);`
			`$a = array_slice($a, 0, $len);`
			`//print_r($a);`
			`$s = implode($a);`
			`//outputToFile('out', $s);`
			`return $s;`
add key 2008-09-26 05:21:11 +02:00			`}`

Make getUTCTimeStamp return milliseconds too, similar to Java server. 2009-03-10 20:01:07 +01:00			`// Return eg. 2008-11-21T06:11:55Z0711`
No time zone, UTC default 2008-11-21 07:41:13 +01:00			`//`
2008-09-27 11:04:49 +02:00			`function getUTCTimeStamp() {`
			`date_default_timezone_set('UTC');`
Make getUTCTimeStamp return milliseconds too, similar to Java server. 2009-03-10 20:01:07 +01:00			`$tiny = substr(microtime(false), 2, 3);`
			`return date('Y-m-d\TH:i:s\Z0', time()) . $tiny;`
2008-09-27 11:04:49 +02:00			`}`

			`// Sign a http query string in the array of key-value pairs`
			`// return b64 encoded hmac hash`
sign example 2008-10-08 08:29:19 +02:00			`function sign($a, $apiKey, $debug=false) {`
2008-09-27 11:04:49 +02:00			`ksort($a);`
			`$qs = '';`
			`$n = count($a);`
			`$i = 0;`
			`foreach (array_keys($a) as $key) {`
2008-11-21 22:41:26 +01:00			`$qs .= trim($key).'='.trim($a[$key]);`
2008-09-27 11:04:49 +02:00			`if (++$i < $n) {`
			`$qs .= '&';`
			`}`
			`}`

			`// Generate the signature`
bugfix verify otp 2008-12-09 00:42:05 +01:00			`// debug('API key: '.base64_encode($apiKey)); // API key of the client`
sign example 2008-10-08 08:29:19 +02:00			`debug('SIGN: '.$qs);`
2008-09-27 11:04:49 +02:00
			`// the TRUE at the end states we want the raw value, not hexadecimal form`
			`$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);`
			`$hmac = base64_encode($hmac);`
sign example 2008-10-08 08:29:19 +02:00			`if ($debug) {`
bugfix verify otp 2008-12-09 00:42:05 +01:00			`debug('h='.$hmac);`
sign example 2008-10-08 08:29:19 +02:00			`}`
2008-09-27 11:04:49 +02:00			`return $hmac;`

sign example 2008-10-08 08:29:19 +02:00			`} // sign an array of query string`
2008-09-27 11:04:49 +02:00
Fix rand# gen 2008-09-26 07:00:41 +02:00			`function outputToFile($outFname, $content, $mode, $append = false) {`
			`$out = fopen($outFname, ($append ? "a" : "w"));`
			`fwrite($out, $content);`
			`fclose($out);`
add key 2008-09-26 05:21:11 +02:00			`}`
			`?>`