yubikey-val/ykval-sync.php

<?php

# Copyright (c) 2009-2013 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
#   * Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#
#   * Redistributions in binary form must reproduce the above
#     copyright notice, this list of conditions and the following
#     disclaimer in the documentation and/or other materials provided
#     with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

require_once 'ykval-common.php';
require_once 'ykval-config.php';
require_once 'ykval-synclib.php';

$apiKey = '';

header("content-type: text/plain");


$myLog = new Log('ykval-sync');
$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);

if(empty($_SERVER['QUERY_STRING'])) {
  sendResp(S_MISSING_PARAMETER, $myLog, $apiKey);
  exit;
}

$myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);

$sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);

if (! $sync->isConnected()) {
  sendResp(S_BACKEND_ERROR, $myLog, $apiKey);
  exit;
}

#
# Verify that request comes from valid server
#

$myLog->log(LOG_INFO, 'Received request from ' . $_SERVER['REMOTE_ADDR']);

$allowed = in_array($_SERVER['REMOTE_ADDR'], $baseParams['__YKVAL_ALLOWED_SYNC_POOL__']);

if (!$allowed) {
  $myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']);
  $myLog->log(LOG_DEBUG, 'Remote IP ' . $_SERVER['REMOTE_ADDR'] . ' not listed in allowed sync pool : ' .
	      implode(', ', $baseParams['__YKVAL_ALLOWED_SYNC_POOL__']));
  sendResp(S_OPERATION_NOT_ALLOWED, $myLog, $apiKey);
  exit;
}

#
# Define requirements on protocol
#

$syncParams=array('modified'=>Null,
		  'otp'=>Null,
		  'nonce'=>Null,
		  'yk_publicname'=>Null,
		  'yk_counter'=>Null,
		  'yk_use'=>Null,
		  'yk_high'=>Null,
		  'yk_low'=>Null);

#
# Extract values from HTTP request
#

$tmp_log = "Received ";
foreach ($syncParams as $param=>$value) {
  $value = getHttpVal($param, Null);
  if ($value==Null) {
    $myLog->log(LOG_NOTICE, "Received request with parameter[s] (" . $param . ") missing value");
    sendResp(S_MISSING_PARAMETER, $myLog, $apiKey);
    exit;
  }
  $syncParams[$param]=$value;
  $tmp_log .= "$param=$value ";
}
$myLog->log(LOG_INFO, $tmp_log);

#
# At this point we should have the otp so let's add it to the logging module
#
$myLog->addField('otp', $syncParams['otp']);
$sync->addField('otp', $syncParams['otp']);

#
# Verify correctness of input parameters
#

foreach (array('modified') as $param) {
  if (preg_match("/^[0-9]+$/", $syncParams[$param])==0) {
    $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
    sendResp(S_MISSING_PARAMETER, $myLog, $apiKey);
    exit;
  }
}

foreach (array('yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) {
  if (preg_match("/^(-1|[0-9]+)$/", $syncParams[$param])==0) {
    $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
    sendResp(S_MISSING_PARAMETER, $myLog, $apiKey);
    exit;
  }
}


#
# Get local counter data
#

$yk_publicname = $syncParams['yk_publicname'];
$localParams = $sync->getLocalParams($yk_publicname);
if (!$localParams) {
  $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
  sendResp(S_BACKEND_ERROR, $myLog, $apiKey);
  exit;
}

/* Conditional update local database */
$sync->updateDbCounters($syncParams);

$myLog->log(LOG_DEBUG, 'Local params ' , $localParams);
$myLog->log(LOG_DEBUG, 'Sync request params ' , $syncParams);

#
# Compare sync and local counters and generate warnings according to
#
# https://github.com/Yubico/yubikey-val/wiki/ServerReplicationProtocol
#


if ($sync->countersHigherThan($localParams, $syncParams)) {
  $myLog->log(LOG_WARNING, 'Remote server out of sync.');
}


if ($sync->countersEqual($localParams, $syncParams)) {

  if ($syncParams['modified']==$localParams['modified'] &&
      $syncParams['nonce']==$localParams['nonce']) {
    /* This is not an error. When the remote server received an OTP to verify, it would
     * have sent out sync requests immediately. When the required number of responses had
     * been received, the current implementation discards all additional responses (to
     * return the result to the client as soon as possible). If our response sent last
     * time was discarded, we will end up here when the background ykval-queue processes
     * the sync request again.
     */
    $myLog->log(LOG_INFO, 'Sync request unnecessarily sent');
  }

  if ($syncParams['modified']!=$localParams['modified'] &&
      $syncParams['nonce']==$localParams['nonce']) {
    $deltaModified = $syncParams['modified'] - $localParams['modified'];
    if($deltaModified < -1 || $deltaModified > 1) {
      $myLog->log(LOG_WARNING, 'We might have a replay. 2 events at different times have generated the same counters. The time difference is ' . $deltaModified . ' seconds');
    }
  }

  if ($syncParams['nonce']!=$localParams['nonce']) {
    $myLog->log(LOG_WARNING, 'Remote server has received a request to validate an already validated OTP ');
  }
}

if ($localParams['active'] != 1) {
  /* The remote server has accepted an OTP from a YubiKey which we would not.
   * We still needed to update our counters with the counters from the OTP though.
   */
  $myLog->log(LOG_WARNING, 'Received sync-request for de-activated Yubikey ' . $yk_publicname .
	      ' - check database synchronization!!!');
  sendResp(S_BAD_OTP, $myLog, $apiKey);
  exit;
}

$extra=array('modified'=>$localParams['modified'],
	     'nonce'=>$localParams['nonce'],
	     'yk_publicname'=>$yk_publicname,
	     'yk_counter'=>$localParams['yk_counter'],
	     'yk_use'=>$localParams['yk_use'],
	     'yk_high'=>$localParams['yk_high'],
	     'yk_low'=>$localParams['yk_low']);

sendResp(S_OK, $myLog, $apiKey, $extra);

?>
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`<?php`
Updated copyright headers. 2013-02-04 17:36:04 +01:00
			`# Copyright (c) 2009-2013 Yubico AB`
			`# All rights reserved.`
			`#`
			`# Redistribution and use in source and binary forms, with or without`
			`# modification, are permitted provided that the following conditions are`
			`# met:`
			`#`
			`# * Redistributions of source code must retain the above copyright`
			`# notice, this list of conditions and the following disclaimer.`
			`#`
			`# * Redistributions in binary form must reproduce the above`
			`# copyright notice, this list of conditions and the following`
			`# disclaimer in the documentation and/or other materials provided`
			`# with the distribution.`
			`#`
			`# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS`
			`# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT`
			`# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR`
			`# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT`
			`# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,`
			`# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT`
			`# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,`
			`# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY`
			`# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT`
			`# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE`
			`# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`

Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`require_once 'ykval-common.php';`
			`require_once 'ykval-config.php';`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`require_once 'ykval-synclib.php';`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00
			`$apiKey = '';`

			`header("content-type: text/plain");`

if the sync request is empty, drop it as early as possible. 2012-06-13 09:32:38 +02:00
Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`$myLog = new Log('ykval-sync');`
Added possibility to use custom fields in logging module. Also added client IP and otp in verify and sync logs. 2010-01-14 12:25:17 +01:00			`$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);`

instead of passing context to sendResp, give it a logger. 2012-06-14 15:15:47 +02:00			`if(empty($_SERVER['QUERY_STRING'])) {`
			`sendResp(S_MISSING_PARAMETER, $myLog, $apiKey);`
			`exit;`
			`}`

Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`$myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);`

			`$sync = new SyncLib('ykval-sync:synclib');`
. 2010-01-14 12:58:19 +01:00			`$sync->addField('ip', $_SERVER['REMOTE_ADDR']);`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`if (! $sync->isConnected()) {`
instead of passing context to sendResp, give it a logger. 2012-06-14 15:15:47 +02:00			`sendResp(S_BACKEND_ERROR, $myLog, $apiKey);`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`exit;`
Nitpicking 2013-02-13 11:19:29 +01:00			`}`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00
delete-trailing-whitespace 2012-05-29 11:07:19 +02:00			`#`
Only allowed sync requests from specified IP addresses 2010-01-11 11:25:25 +01:00			`# Verify that request comes from valid server`
			`#`

Less verbose logging when verifying remote IP. 2012-06-18 12:42:39 +02:00			`$myLog->log(LOG_INFO, 'Received request from ' . $_SERVER['REMOTE_ADDR']);`
Nitpicking 2013-02-13 11:19:29 +01:00
			`$allowed = in_array($_SERVER['REMOTE_ADDR'], $baseParams['__YKVAL_ALLOWED_SYNC_POOL__']);`

Only allowed sync requests from specified IP addresses 2010-01-11 11:25:25 +01:00			`if (!$allowed) {`
Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`$myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']);`
Less verbose logging when verifying remote IP. 2012-06-18 12:42:39 +02:00			`$myLog->log(LOG_DEBUG, 'Remote IP ' . $_SERVER['REMOTE_ADDR'] . ' not listed in allowed sync pool : ' .`
			`implode(', ', $baseParams['__YKVAL_ALLOWED_SYNC_POOL__']));`
instead of passing context to sendResp, give it a logger. 2012-06-14 15:15:47 +02:00			`sendResp(S_OPERATION_NOT_ALLOWED, $myLog, $apiKey);`
Only allowed sync requests from specified IP addresses 2010-01-11 11:25:25 +01:00			`exit;`
Nitpicking 2013-02-13 11:19:29 +01:00			`}`
Only allowed sync requests from specified IP addresses 2010-01-11 11:25:25 +01:00
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`#`
Nitpicking 2013-02-13 11:19:29 +01:00			`# Define requirements on protocol`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`#`

1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`$syncParams=array('modified'=>Null,`
			`'otp'=>Null,`
			`'nonce'=>Null,`
Changed DB-names to be more consistent (WARNING current revision might be broken but needs to be submitted for multiserver test purposes) 2010-01-08 14:54:33 +01:00			`'yk_publicname'=>Null,`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`'yk_counter'=>Null,`
			`'yk_use'=>Null,`
			`'yk_high'=>Null,`
			`'yk_low'=>Null);`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00
			`#`
			`# Extract values from HTTP request`
			`#`

Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`$tmp_log = "Received ";`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`foreach ($syncParams as $param=>$value) {`
			`$value = getHttpVal($param, Null);`
			`if ($value==Null) {`
Spelling, and more informational logging. 2012-06-12 14:50:31 +02:00			`$myLog->log(LOG_NOTICE, "Received request with parameter[s] (" . $param . ") missing value");`
instead of passing context to sendResp, give it a logger. 2012-06-14 15:15:47 +02:00			`sendResp(S_MISSING_PARAMETER, $myLog, $apiKey);`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`exit;`
			`}`
			`$syncParams[$param]=$value;`
Fix undefined warnings. Solves Issue #8. 2010-04-23 19:36:23 +02:00			`$tmp_log .= "$param=$value ";`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`}`
Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. NOTE: ykval common debug function is still available but uses Log class aswell to actually log message. 2010-01-11 13:06:00 +01:00			`$myLog->log(LOG_INFO, $tmp_log);`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00
Added possibility to use custom fields in logging module. Also added client IP and otp in verify and sync logs. 2010-01-14 12:25:17 +01:00			`#`
Nitpicking 2013-02-13 11:19:29 +01:00			`# At this point we should have the otp so let's add it to the logging module`
Added possibility to use custom fields in logging module. Also added client IP and otp in verify and sync logs. 2010-01-14 12:25:17 +01:00			`#`
			`$myLog->addField('otp', $syncParams['otp']);`
. 2010-01-14 12:58:19 +01:00			`$sync->addField('otp', $syncParams['otp']);`
Added possibility to use custom fields in logging module. Also added client IP and otp in verify and sync logs. 2010-01-14 12:25:17 +01:00
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00			`#`
delete-trailing-whitespace 2012-05-29 11:07:19 +02:00			`# Verify correctness of input parameters`
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00			`#`

Use -1 in yk_counter etc. to indicate yubikey discovered in protocol 2010-01-25 15:55:05 +01:00			`foreach (array('modified') as $param) {`
			`if (preg_match("/^[0-9]+$/", $syncParams[$param])==0) {`
			`$myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');`
instead of passing context to sendResp, give it a logger. 2012-06-14 15:15:47 +02:00			`sendResp(S_MISSING_PARAMETER, $myLog, $apiKey);`
Use -1 in yk_counter etc. to indicate yubikey discovered in protocol 2010-01-25 15:55:05 +01:00			`exit;`
			`}`
			`}`

			`foreach (array('yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) {`
			`if (preg_match("/^(-1\|[0-9]+)$/", $syncParams[$param])==0) {`
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00			`$myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');`
instead of passing context to sendResp, give it a logger. 2012-06-14 15:15:47 +02:00			`sendResp(S_MISSING_PARAMETER, $myLog, $apiKey);`
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00			`exit;`
			`}`
			`}`




Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`#`
			`# Get local counter data`
			`#`

Changed DB-names to be more consistent (WARNING current revision might be broken but needs to be submitted for multiserver test purposes) 2010-01-08 14:54:33 +01:00			`$yk_publicname = $syncParams['yk_publicname'];`
			`$localParams = $sync->getLocalParams($yk_publicname);`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`if (!$localParams) {`
More explanatory logging. 2012-06-12 14:21:56 +02:00			`$myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);`
instead of passing context to sendResp, give it a logger. 2012-06-14 15:15:47 +02:00			`sendResp(S_BACKEND_ERROR, $myLog, $apiKey);`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`exit;`
Nitpicking 2013-02-13 11:19:29 +01:00			`}`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00			`/* Conditional update local database */`
delete-trailing-whitespace 2012-05-29 11:07:19 +02:00			`$sync->updateDbCounters($syncParams);`
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00
			`$myLog->log(LOG_DEBUG, 'Local params ' , $localParams);`
			`$myLog->log(LOG_DEBUG, 'Sync request params ' , $syncParams);`

Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`#`
delete-trailing-whitespace 2012-05-29 11:07:19 +02:00			`# Compare sync and local counters and generate warnings according to`
			`#`
Updated references to old Google Code project. 2013-02-04 17:06:32 +01:00			`# https://github.com/Yubico/yubikey-val/wiki/ServerReplicationProtocol`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`#`

1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00
Corrected a few log entries 2010-01-13 13:32:38 +01:00
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`if ($sync->countersHigherThan($localParams, $syncParams)) {`
Corrected a few log entries 2010-01-13 13:32:38 +01:00			`$myLog->log(LOG_WARNING, 'Remote server out of sync.');`
Nitpicking 2013-02-13 11:19:29 +01:00			`}`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`if ($sync->countersEqual($localParams, $syncParams)) {`
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00
			`if ($syncParams['modified']==$localParams['modified'] &&`
			`$syncParams['nonce']==$localParams['nonce']) {`
Downgrade 'Sync request unnecessarily sent' to INFO. Also add comment explaining that this is not an error (and why). 2012-06-13 10:10:04 +02:00			`/* This is not an error. When the remote server received an OTP to verify, it would`
			`* have sent out sync requests immediately. When the required number of responses had`
			`* been received, the current implementation discards all additional responses (to`
			`* return the result to the client as soon as possible). If our response sent last`
			`* time was discarded, we will end up here when the background ykval-queue processes`
			`* the sync request again.`
			`*/`
			`$myLog->log(LOG_INFO, 'Sync request unnecessarily sent');`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`}`
delete-trailing-whitespace 2012-05-29 11:07:19 +02:00
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00			`if ($syncParams['modified']!=$localParams['modified'] &&`
			`$syncParams['nonce']==$localParams['nonce']) {`
			`$deltaModified = $syncParams['modified'] - $localParams['modified'];`
only warn about replays if the delta is more than 1 (or less than -1) 2012-06-14 16:44:19 +02:00			`if($deltaModified < -1 \|\| $deltaModified > 1) {`
			`$myLog->log(LOG_WARNING, 'We might have a replay. 2 events at different times have generated the same counters. The time difference is ' . $deltaModified . ' seconds');`
			`}`
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00			`}`

1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`if ($syncParams['nonce']!=$localParams['nonce']) {`
Added a few checks for input parameters and corrected warnings according to new docuemnt 2010-01-14 10:39:48 +01:00			`$myLog->log(LOG_WARNING, 'Remote server has received a request to validate an already validated OTP ');`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00			`}`
Nitpicking 2013-02-13 11:19:29 +01:00			`}`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00
Restore responding BAD_OTP if YubiKey is disabled. It seems that we might get into problems if responding OK - the other sync client validation server would think we approved of the OTP. 2012-06-14 13:30:04 +02:00			`if ($localParams['active'] != 1) {`
			`/* The remote server has accepted an OTP from a YubiKey which we would not.`
			`* We still needed to update our counters with the counters from the OTP though.`
			`*/`
			`$myLog->log(LOG_WARNING, 'Received sync-request for de-activated Yubikey ' . $yk_publicname .`
			`' - check database synchronization!!!');`
Fix errors with our new logging code :( 2012-06-15 11:59:42 +02:00			`sendResp(S_BAD_OTP, $myLog, $apiKey);`
Restore responding BAD_OTP if YubiKey is disabled. It seems that we might get into problems if responding OK - the other sync client validation server would think we approved of the OTP. 2012-06-14 13:30:04 +02:00			`exit;`
			`}`
delete-trailing-whitespace 2012-05-29 11:07:19 +02:00
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`$extra=array('modified'=>$localParams['modified'],`
			`'nonce'=>$localParams['nonce'],`
Changed DB-names to be more consistent (WARNING current revision might be broken but needs to be submitted for multiserver test purposes) 2010-01-08 14:54:33 +01:00			`'yk_publicname'=>$yk_publicname,`
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync. 2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify. 2009-12-15 11:17:51 +01:00			`'yk_counter'=>$localParams['yk_counter'],`
			`'yk_use'=>$localParams['yk_use'],`
			`'yk_high'=>$localParams['yk_high'],`
			`'yk_low'=>$localParams['yk_low']);`

instead of passing context to sendResp, give it a logger. 2012-06-14 15:15:47 +02:00			`sendResp(S_OK, $myLog, $apiKey, $extra);`
Committed first trial version for replication protocol. 2009-12-02 18:32:20 +01:00
			`?>`