yubikey-val/verifyOTP.php

<?php require_once '../yubiphpbase/appinclude.php';
	  require_once '../yubiphpbase/yubi_lib.php';
	  require_once 'common.php';
	  
header("content-type: text/plain");

if (!isset($trace)) { $trace = 0; }

$client = getHttpVal('id', 0);
if ($client <= 0) {
	debug('Client ID is missing');
	sendResp(S_MISSING_PARAMETER, 'id');
	exit;
}

$otp = getHttpVal('otp', '');
if ($otp == '') {
	debug('OTP is missing');
	sendResp(S_MISSING_PARAMETER, 'otp');
	exit;
} else {
	$otp = strtolower($otp);
}

//// Get Yubikey from DB
//
$devId = substr($otp, 0, 12);
$ad = getAuthData($devId);

if ($ad == null) {
	debug('Invalid Yubikey '.$devId);
	sendResp(S_BAD_OTP, $otp);
	exit;
} else {
	debug($ad);
}

//// Check the client ID - does the client own the Yubikey?
//

if ($ad['chk_owner'] && $ad['client_id'] != $client) {
	debug('Client-'.$client.' is not the owner of the Yubikey!');
	sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
	exit;
}

$k = b64ToModhex($ad['secret']);
//debug('aes key in modhex = '.$k);
$key16 = ModHex::Decode($k);
//debug('aes key in hex = ['.$key16.'], length = '.strlen($key16));
$apiKey = base64_decode($ad['c_secret']);
	
//// Check signature
//
if ($ad['chk_sig']) {
	// Create the signature using the API key
	$a = array();
	$a['id']=$client;
	$a['otp']=$otp;
	$hmac = sign($a, $apiKey);

	if (($h = getHttpVal('h', '')) == '') {
		sendResp(S_MISSING_PARAMETER, 'h');
		debug('signature missing, hmac='.$hmac);
		exit;
	} else if ($hmac != $h) {
		sendResp(S_BAD_SIGNATURE);
		debug('h='.$h.', hmac='.$hmac);
		exit;
	}
}


//// Decode OTP from input
//
debug('From the OTP validation request:');
$decoded_token = Yubikey::Decode($otp, $key16);
debug($decoded_token);
if ( ! is_array($decoded_token) ) {
	sendResp(S_BAD_OTP, $otp);
	exit;
}

//// Sanity check key status
//
if ($ad['active'] < 1) {
	sendResp(S_BAD_OTP, 'Suspended');
	exit;
}

//// Sanity check client status
//
if ($ad['c_active'] < 1) {
	sendResp(S_BAD_CLIENT);
	exit;
}

//// Sanity check token ID
//
if (strlen($decoded_token["public_id"]) == 12 ) {
	debug("Token ID OK (".$decoded_token["public_id"].")");
} else { 
	debug("TOKEN ID FAILED, ".$decoded_token["public_id"]); 
	sendResp(S_BAD_OTP, $otp);
	exit;
}

//// Sanity check the OTP
//
if ( strlen($decoded_token["token"]) != 32) {
	debug("Wrong OTP length,".strlen($decoded_token["token"]));
	sendResp(S_BAD_OTP, $otp);
	exit;	 
}

//// Check the session counter
//
$sessionCounter = $decoded_token["session_counter"]; // From the req
$seenSessionCounter = $ad['counter']; // From DB
$scDiff = $seenSessionCounter - $sessionCounter;
if ($scDiff > 0) {
	debug("Replayed session counter=".$sessionCounter.', seen='.$seenSessionCounter);
	sendResp(S_REPLAYED_OTP);
	exit;
} else {
	debug("Session counter OK (".$sessionCounter.")");
}

//// Check the high counter
//
$hi = $decoded_token["high"]; // From the req
$seenHi = $ad['high']; // From DB
$hiDiff = $seenHi - $hi;
if ($scDiff == 0 && $hiDiff > 0) {
	debug("Replayed hi counter=".$hi.', seen='.$seenHi);
	sendResp(S_REPLAYED_OTP);
	exit;
} else {
	debug("Hi counter OK (".$hi.")");
}

//// Check the low counter
//
$lo = $decoded_token["low"]; // From the req
$seenLo = $ad['low']; // From DB
$loDiff = $seenLo - $lo;
if ($scDiff == 0 && $hiDiff == 0 && $loDiff >= 0) {
	debug("Replayed low counter=".$lo.', seen='.$seenLo);
	sendResp(S_REPLAYED_OTP);
	exit;
} else {
	debug("Lo counter OK (".$lo.")");
}

//// Update the DB only upon validation success
//
if (updDB($ad['id'], $decoded_token, $client)) {
	debug('Validation database updated');	
	sendResp(S_OK);
} else {
	debug('Failed to update validation database');
	sendResp(S_BACKEND_ERROR);
}

//////////////////////////
// 		Functions
//////////////////////////

function sendResp($status, $info=null) {
	global $ad, $apiKey;

	if ($status == null) {
		$status = S_BACKEND_ERROR;
	}

	echo 'status='.($a['status'] = $status).PHP_EOL;
	if ($info != null) {
		echo 'info='.($a['info'] = $info).PHP_EOL;
	}
	echo 't='.($a['t']=getUTCTimeStamp()).PHP_EOL;
	$h = sign($a, $apiKey);
	echo 'h='.$h.PHP_EOL;
	echo PHP_EOL;

} // End sendResp

function updDB($keyid, $new, $client) {
	$stmt = 'UPDATE yubikeys SET '.
		'accessed=NOW(),'.
		'counter='.$new['session_counter'].','.
		'low='.$new['low'].','.
		'high='.$new['high'].
		' WHERE id='.$keyid;
	if (!query($stmt)) {
		$err = 'Failed to update validation data of key: '.$keyid.' by '.$stmt;
		debug($err);
		writeLog($err);
		return false;
	}

	addHist(0, $_SERVER['REMOTE_ADDR'] , $keyid, $client);

	return true;
}

?>
lego stackup 2008-09-26 00:18:42 +00:00			`<?php require_once '../yubiphpbase/appinclude.php';`
			`require_once '../yubiphpbase/yubi_lib.php';`
add key 2008-09-26 03:21:11 +00:00			`require_once 'common.php';`

resp mesgs 2008-09-23 01:37:25 +00:00			`header("content-type: text/plain");`

Fix counter comparison 2008-09-20 01:36:24 +00:00			`if (!isset($trace)) { $trace = 0; }`

resp mesgs 2008-09-23 01:37:25 +00:00			`$client = getHttpVal('id', 0);`
			`if ($client <= 0) {`
			`debug('Client ID is missing');`
			`sendResp(S_MISSING_PARAMETER, 'id');`
Init 2008-09-18 23:42:35 +00:00			`exit;`
			`}`

			`$otp = getHttpVal('otp', '');`
			`if ($otp == '') {`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug('OTP is missing');`
			`sendResp(S_MISSING_PARAMETER, 'otp');`
Init 2008-09-18 23:42:35 +00:00			`exit;`
Case-insensitive 2008-11-29 02:57:56 +00:00			`} else {`
			`$otp = strtolower($otp);`
Init 2008-09-18 23:42:35 +00:00			`}`

			`//// Get Yubikey from DB`
			`//`
			`$devId = substr($otp, 0, 12);`
			`$ad = getAuthData($devId);`

			`if ($ad == null) {`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug('Invalid Yubikey '.$devId);`
			`sendResp(S_BAD_OTP, $otp);`
Init 2008-09-18 23:42:35 +00:00			`exit;`
			`} else {`
			`debug($ad);`
			`}`

check yubikey owner when told to 2008-10-07 08:24:28 +00:00			`//// Check the client ID - does the client own the Yubikey?`
resp mesgs 2008-09-23 01:37:25 +00:00			`//`
loosen the client checking, will make it optional 2008-09-24 01:52:08 +00:00
check yubikey owner when told to 2008-10-07 08:24:28 +00:00			`if ($ad['chk_owner'] && $ad['client_id'] != $client) {`
			`debug('Client-'.$client.' is not the owner of the Yubikey!');`
			`sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');`
			`exit;`
			`}`
resp mesgs 2008-09-23 01:37:25 +00:00
Init 2008-09-18 23:42:35 +00:00			`$k = b64ToModhex($ad['secret']);`
Fix counter comparison 2008-09-20 01:36:24 +00:00			`//debug('aes key in modhex = '.$k);`
Init 2008-09-18 23:42:35 +00:00			`$key16 = ModHex::Decode($k);`
Fix counter comparison 2008-09-20 01:36:24 +00:00			`//debug('aes key in hex = ['.$key16.'], length = '.strlen($key16));`
check signature 2008-09-23 07:12:42 +00:00			`$apiKey = base64_decode($ad['c_secret']);`

			`//// Check signature`
			`//`
			`if ($ad['chk_sig']) {`
			`// Create the signature using the API key`
2008-09-27 09:04:49 +00:00			`$a = array();`
			`$a['id']=$client;`
			`$a['otp']=$otp;`
			`$hmac = sign($a, $apiKey);`

check signature 2008-09-23 07:12:42 +00:00			`if (($h = getHttpVal('h', '')) == '') {`
			`sendResp(S_MISSING_PARAMETER, 'h');`
			`debug('signature missing, hmac='.$hmac);`
			`exit;`
			`} else if ($hmac != $h) {`
			`sendResp(S_BAD_SIGNATURE);`
			`debug('h='.$h.', hmac='.$hmac);`
			`exit;`
			`}`
			`}`

Init 2008-09-18 23:42:35 +00:00
			`//// Decode OTP from input`
			`//`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug('From the OTP validation request:');`
Init 2008-09-18 23:42:35 +00:00			`$decoded_token = Yubikey::Decode($otp, $key16);`
			`debug($decoded_token);`
			`if ( ! is_array($decoded_token) ) {`
resp mesgs 2008-09-23 01:37:25 +00:00			`sendResp(S_BAD_OTP, $otp);`
			`exit;`
Init 2008-09-18 23:42:35 +00:00			`}`

			`//// Sanity check key status`
			`//`
			`if ($ad['active'] < 1) {`
2008-09-27 09:04:49 +00:00			`sendResp(S_BAD_OTP, 'Suspended');`
resp mesgs 2008-09-23 01:37:25 +00:00			`exit;`
Init 2008-09-18 23:42:35 +00:00			`}`

resp mesgs 2008-09-23 01:37:25 +00:00			`//// Sanity check client status`
Init 2008-09-18 23:42:35 +00:00			`//`
			`if ($ad['c_active'] < 1) {`
2008-09-27 09:04:49 +00:00			`sendResp(S_BAD_CLIENT);`
resp mesgs 2008-09-23 01:37:25 +00:00			`exit;`
Init 2008-09-18 23:42:35 +00:00			`}`

resp mesgs 2008-09-23 01:37:25 +00:00			`//// Sanity check token ID`
Init 2008-09-18 23:42:35 +00:00			`//`
			`if (strlen($decoded_token["public_id"]) == 12 ) {`
			`debug("Token ID OK (".$decoded_token["public_id"].")");`
resp mesgs 2008-09-23 01:37:25 +00:00			`} else {`
			`debug("TOKEN ID FAILED, ".$decoded_token["public_id"]);`
			`sendResp(S_BAD_OTP, $otp);`
			`exit;`
			`}`
Init 2008-09-18 23:42:35 +00:00
resp mesgs 2008-09-23 01:37:25 +00:00			`//// Sanity check the OTP`
Init 2008-09-18 23:42:35 +00:00			`//`
Fix counter comp algo 2008-09-22 20:42:19 +00:00			`if ( strlen($decoded_token["token"]) != 32) {`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug("Wrong OTP length,".strlen($decoded_token["token"]));`
			`sendResp(S_BAD_OTP, $otp);`
			`exit;`
Fix counter comp algo 2008-09-22 20:42:19 +00:00			`}`
Init 2008-09-18 23:42:35 +00:00
resp mesgs 2008-09-23 01:37:25 +00:00			`//// Check the session counter`
Init 2008-09-18 23:42:35 +00:00			`//`
Fix counter comparison 2008-09-20 01:36:24 +00:00			`$sessionCounter = $decoded_token["session_counter"]; // From the req`
Init 2008-09-18 23:42:35 +00:00			`$seenSessionCounter = $ad['counter']; // From DB`
			`$scDiff = $seenSessionCounter - $sessionCounter;`
			`if ($scDiff > 0) {`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug("Replayed session counter=".$sessionCounter.', seen='.$seenSessionCounter);`
2008-09-27 09:04:49 +00:00			`sendResp(S_REPLAYED_OTP);`
resp mesgs 2008-09-23 01:37:25 +00:00			`exit;`
Init 2008-09-18 23:42:35 +00:00			`} else {`
Fix counter comp algo 2008-09-22 20:42:19 +00:00			`debug("Session counter OK (".$sessionCounter.")");`
Init 2008-09-18 23:42:35 +00:00			`}`

resp mesgs 2008-09-23 01:37:25 +00:00			`//// Check the high counter`
			`//`
Fix counter comparison 2008-09-20 01:36:24 +00:00			`$hi = $decoded_token["high"]; // From the req`
Init 2008-09-18 23:42:35 +00:00			`$seenHi = $ad['high']; // From DB`
			`$hiDiff = $seenHi - $hi;`
			`if ($scDiff == 0 && $hiDiff > 0) {`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug("Replayed hi counter=".$hi.', seen='.$seenHi);`
2008-09-27 09:04:49 +00:00			`sendResp(S_REPLAYED_OTP);`
resp mesgs 2008-09-23 01:37:25 +00:00			`exit;`
Init 2008-09-18 23:42:35 +00:00			`} else {`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug("Hi counter OK (".$hi.")");`
Init 2008-09-18 23:42:35 +00:00			`}`

resp mesgs 2008-09-23 01:37:25 +00:00			`//// Check the low counter`
			`//`
Fix counter comparison 2008-09-20 01:36:24 +00:00			`$lo = $decoded_token["low"]; // From the req`
Init 2008-09-18 23:42:35 +00:00			`$seenLo = $ad['low']; // From DB`
			`$loDiff = $seenLo - $lo;`
Fix counter comp algo 2008-09-22 20:42:19 +00:00			`if ($scDiff == 0 && $hiDiff == 0 && $loDiff >= 0) {`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug("Replayed low counter=".$lo.', seen='.$seenLo);`
2008-09-27 09:04:49 +00:00			`sendResp(S_REPLAYED_OTP);`
resp mesgs 2008-09-23 01:37:25 +00:00			`exit;`
Init 2008-09-18 23:42:35 +00:00			`} else {`
resp mesgs 2008-09-23 01:37:25 +00:00			`debug("Lo counter OK (".$lo.")");`
Init 2008-09-18 23:42:35 +00:00			`}`

resp mesgs 2008-09-23 01:37:25 +00:00			`//// Update the DB only upon validation success`
			`//`
upd history on validation 2008-10-10 01:15:22 +00:00			`if (updDB($ad['id'], $decoded_token, $client)) {`
Init 2008-09-18 23:42:35 +00:00			`debug('Validation database updated');`
resp mesgs 2008-09-23 01:37:25 +00:00			`sendResp(S_OK);`
			`} else {`
			`debug('Failed to update validation database');`
			`sendResp(S_BACKEND_ERROR);`
Init 2008-09-18 23:42:35 +00:00			`}`

resp mesgs 2008-09-23 01:37:25 +00:00			`//////////////////////////`
			`// Functions`
			`//////////////////////////`

			`function sendResp($status, $info=null) {`
check signature 2008-09-23 07:12:42 +00:00			`global $ad, $apiKey;`
resp mesgs 2008-09-23 01:37:25 +00:00
			`if ($status == null) {`
			`$status = S_BACKEND_ERROR;`
			`}`

2008-09-27 09:04:49 +00:00			`echo 'status='.($a['status'] = $status).PHP_EOL;`
resp mesgs 2008-09-23 01:37:25 +00:00			`if ($info != null) {`
2008-09-27 09:04:49 +00:00			`echo 'info='.($a['info'] = $info).PHP_EOL;`
resp mesgs 2008-09-23 01:37:25 +00:00			`}`
2008-09-27 09:04:49 +00:00			`echo 't='.($a['t']=getUTCTimeStamp()).PHP_EOL;`
			`$h = sign($a, $apiKey);`
			`echo 'h='.$h.PHP_EOL;`
			`echo PHP_EOL;`
resp mesgs 2008-09-23 01:37:25 +00:00
			`} // End sendResp`

upd history on validation 2008-10-10 01:15:22 +00:00			`function updDB($keyid, $new, $client) {`
Init 2008-09-18 23:42:35 +00:00			`$stmt = 'UPDATE yubikeys SET '.`
			`'accessed=NOW(),'.`
Fix counter comparison 2008-09-20 01:36:24 +00:00			`'counter='.$new['session_counter'].','.`
			`'low='.$new['low'].','.`
			`'high='.$new['high'].`
resp mesgs 2008-09-23 01:37:25 +00:00			`' WHERE id='.$keyid;`
Init 2008-09-18 23:42:35 +00:00			`if (!query($stmt)) {`
resp mesgs 2008-09-23 01:37:25 +00:00			`$err = 'Failed to update validation data of key: '.$keyid.' by '.$stmt;`
Init 2008-09-18 23:42:35 +00:00			`debug($err);`
			`writeLog($err);`
			`return false;`
			`}`
upd history on validation 2008-10-10 01:15:22 +00:00
			`addHist(0, $_SERVER['REMOTE_ADDR'] , $keyid, $client);`

Init 2008-09-18 23:42:35 +00:00			`return true;`
			`}`
resp mesgs 2008-09-23 01:37:25 +00:00
Init 2008-09-18 23:42:35 +00:00			`?>`