yubikey-val/common.php

<?php
define('S_OK', 'OK');
define('S_BAD_OTP', 'BAD_OTP');
define('S_REPLAYED_OTP', 'REPLAYED_OTP');
define('S_PHISHED_OTP', 'PHISHED_OTP');
define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');
define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');
define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');
define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');
define('S_BACKEND_ERROR', 'BACKEND_ERROR');
define('TS_SEC', 0.119);
define('TS_TOLERANCE', 0.3);

require_once 'yubikey.php';
require_once 'config.php';

function writeLog($msg, $debug=false) {
    	$fileMsg = date( 'Y-m-d H:i:s: ').trim($msg);
    	if (isset($_SERVER['REMOTE_ADDR'])) {
    		$fileMsg .= ' by '.$_SERVER['REMOTE_ADDR'];
    	}
	$fileMsg .= "\n";
	error_log($fileMsg, 3, "/tmp/yms.log");
}

function unescape($s) {
	return str_replace('\\', "", $s);
}

function getHttpVal($key, $defaultVal) {
	$val = $defaultVal;
	if (array_key_exists($key, $_GET)) {
		$val = $_GET[$key];
  	} else if (array_key_exists($key, $_POST)) {
  		$val = $_POST[$key];
  	}
  	//return unescape(trim($val));
  	$v = unescape(trim($val));
  	return $v;
}

///////////////////// 
//
// DB Related
// 
///////////////////

$conn = mysql_connect($baseParams['__DB_HOST__'],
		      $baseParams['__DB_USER__'],
		      $baseParams['__DB_PW__'])
  or die('Could not connect to database: ' . mysql_error());
mysql_select_db($baseParams['__DB_NAME__'], $conn)
  or die('Could not select database');

function query($q) {
	global $conn;
	$result = mysql_query($q, $conn);
	if (!$result) {
		$err = "Invalid query -- $q -- ";
		writeLog($err);
		die($err . mysql_error());
	}
	return $result;
}

function mysql_quote($value) {
	return "'" . mysql_real_escape_string($value) . "'";	
}

function truncate($s, $max) {
    return (strlen($s) > $max) ? substr($s, 0, $max-3).'...' : $s;
}

function debug($msg, $exit = false) {
	global $trace;
	if ($trace) {
		if (is_array($msg)) {
			//print_r($msg);
		} else {
			echo '<p>Debug> ' . $msg;
		}
		echo "\n";
	}
	if ($exit) {
		die('<font color=red><h4>Exit</h4></font>');
	}
}

// Return eg. 2008-11-21T06:11:55Z0711
//            
function getUTCTimeStamp() {
	date_default_timezone_set('UTC');
	$tiny = substr(microtime(false), 2, 3);
	return date('Y-m-d\TH:i:s\Z0', time()) . $tiny;
}

// Sign a http query string in the array of key-value pairs
// return b64 encoded hmac hash
function sign($a, $apiKey, $debug=false) {
	ksort($a);
	$qs = '';
	$n = count($a);
	$i = 0;
	foreach (array_keys($a) as $key) {
		$qs .= trim($key).'='.trim($a[$key]);
		if (++$i < $n) {
			$qs .= '&';
		}
	}
	
	// Generate the signature
//	debug('API key: '.base64_encode($apiKey)); // API key of the client
	debug('SIGN: '.$qs);
	
	// the TRUE at the end states we want the raw value, not hexadecimal form
	$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);
	$hmac = base64_encode($hmac);
	if ($debug) {
		debug('h='.$hmac);		
	}
	return $hmac;
		
} // sign an array of query string

define('DEVICE_ID_LEN', 12);

function modhexToB64($modhex_str) {
	$s = ModHex::Decode($modhex_str);
	return base64_encode($s);
}

function b64ToModhex($b64_str) {
	$s = base64_decode($b64_str);
	return ModHex::Encode($s);
}

function b64ToHex($b64_str) {
	$s = '';
	$tid = base64_decode($b64_str);
	$a = str_split($tid);
	for ($i=0; $i < count($a); $i++) {
		$s .= dechex(ord($a[$i]));
	}
	return $s;
}

// $devId: The first 12 chars from the OTP
function getAuthData($devId) {
	$tokenId = modhexToB64($devId);
	$stmt = 'SELECT id, client_id, secret, active, counter, '.
	  '             sessionUse, low, high, accessed '.
	  '      FROM yubikeys WHERE active AND tokenId='.mysql_quote($tokenId);
	$r = query($stmt);
	if (mysql_num_rows($r) > 0) {
		$row = mysql_fetch_assoc($r);
		mysql_free_result($r);
		return $row;
	}
	return null;
} // End getAuthData

// $clientId: The decimal client identity
function getClientData($clientId) {
	$stmt = 'SELECT secret, chk_sig, chk_owner, chk_time'.
		' FROM clients WHERE active AND id='.mysql_quote($clientId);
	$r = query($stmt);
	if (mysql_num_rows($r) > 0) {
		$row = mysql_fetch_assoc($r);
		mysql_free_result($r);
		return $row;
	}
	return null;
} // End getClientData
?>
add key 2008-09-26 05:21:11 +02:00			`<?php`
			`define('S_OK', 'OK');`
			`define('S_BAD_OTP', 'BAD_OTP');`
			`define('S_REPLAYED_OTP', 'REPLAYED_OTP');`
Make it work. 2009-03-10 23:01:46 +01:00			`define('S_PHISHED_OTP', 'PHISHED_OTP');`
add key 2008-09-26 05:21:11 +02:00			`define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');`
			`define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');`
Make it work. 2009-03-10 23:01:46 +01:00			`define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');`
add key 2008-09-26 05:21:11 +02:00			`define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');`
			`define('S_BACKEND_ERROR', 'BACKEND_ERROR');`
fine tune time per tick 2008-12-03 20:38:55 +01:00			`define('TS_SEC', 0.119);`
Use time stamp to prevent OTP phishing 2008-12-03 08:49:32 +01:00			`define('TS_TOLERANCE', 0.3);`
add key 2008-09-26 05:21:11 +02:00
Make standalone. 2009-03-10 23:50:35 +01:00			`require_once 'yubikey.php';`
			`require_once 'config.php';`

			`function writeLog($msg, $debug=false) {`
			`$fileMsg = date( 'Y-m-d H:i:s: ').trim($msg);`
			`if (isset($_SERVER['REMOTE_ADDR'])) {`
			`$fileMsg .= ' by '.$_SERVER['REMOTE_ADDR'];`
			`}`
			`$fileMsg .= "\n";`
			`error_log($fileMsg, 3, "/tmp/yms.log");`
			`}`

			`function unescape($s) {`
			`return str_replace('\\', "", $s);`
			`}`

			`function getHttpVal($key, $defaultVal) {`
			`$val = $defaultVal;`
			`if (array_key_exists($key, $_GET)) {`
			`$val = $_GET[$key];`
			`} else if (array_key_exists($key, $_POST)) {`
			`$val = $_POST[$key];`
			`}`
			`//return unescape(trim($val));`
			`$v = unescape(trim($val));`
			`return $v;`
			`}`

			`/////////////////////`
			`//`
			`// DB Related`
			`//`
			`///////////////////`

			`$conn = mysql_connect($baseParams['__DB_HOST__'],`
			`$baseParams['__DB_USER__'],`
			`$baseParams['__DB_PW__'])`
			`or die('Could not connect to database: ' . mysql_error());`
			`mysql_select_db($baseParams['__DB_NAME__'], $conn)`
			`or die('Could not select database');`

			`function query($q) {`
			`global $conn;`
			`$result = mysql_query($q, $conn);`
			`if (!$result) {`
			`$err = "Invalid query -- $q -- ";`
			`writeLog($err);`
			`die($err . mysql_error());`
			`}`
			`return $result;`
			`}`

			`function mysql_quote($value) {`
			`return "'" . mysql_real_escape_string($value) . "'";`
			`}`

			`function truncate($s, $max) {`
			`return (strlen($s) > $max) ? substr($s, 0, $max-3).'...' : $s;`
			`}`

Fix rand# gen 2008-09-26 07:00:41 +02:00			`function debug($msg, $exit = false) {`
add key 2008-09-26 05:21:11 +02:00			`global $trace;`
			`if ($trace) {`
			`if (is_array($msg)) {`
sign example 2008-10-08 08:29:19 +02:00			`//print_r($msg);`
add key 2008-09-26 05:21:11 +02:00			`} else {`
sign example 2008-10-08 08:29:19 +02:00			`echo '<p>Debug> ' . $msg;`
add key 2008-09-26 05:21:11 +02:00			`}`
			`echo "\n";`
			`}`
			`if ($exit) {`
Fix rand# gen 2008-09-26 07:00:41 +02:00			`die('<font color=red><h4>Exit</h4></font>');`
add key 2008-09-26 05:21:11 +02:00			`}`
			`}`

Make getUTCTimeStamp return milliseconds too, similar to Java server. 2009-03-10 20:01:07 +01:00			`// Return eg. 2008-11-21T06:11:55Z0711`
No time zone, UTC default 2008-11-21 07:41:13 +01:00			`//`
2008-09-27 11:04:49 +02:00			`function getUTCTimeStamp() {`
			`date_default_timezone_set('UTC');`
Make getUTCTimeStamp return milliseconds too, similar to Java server. 2009-03-10 20:01:07 +01:00			`$tiny = substr(microtime(false), 2, 3);`
			`return date('Y-m-d\TH:i:s\Z0', time()) . $tiny;`
2008-09-27 11:04:49 +02:00			`}`

			`// Sign a http query string in the array of key-value pairs`
			`// return b64 encoded hmac hash`
sign example 2008-10-08 08:29:19 +02:00			`function sign($a, $apiKey, $debug=false) {`
2008-09-27 11:04:49 +02:00			`ksort($a);`
			`$qs = '';`
			`$n = count($a);`
			`$i = 0;`
			`foreach (array_keys($a) as $key) {`
2008-11-21 22:41:26 +01:00			`$qs .= trim($key).'='.trim($a[$key]);`
2008-09-27 11:04:49 +02:00			`if (++$i < $n) {`
			`$qs .= '&';`
			`}`
			`}`

			`// Generate the signature`
bugfix verify otp 2008-12-09 00:42:05 +01:00			`// debug('API key: '.base64_encode($apiKey)); // API key of the client`
sign example 2008-10-08 08:29:19 +02:00			`debug('SIGN: '.$qs);`
2008-09-27 11:04:49 +02:00
			`// the TRUE at the end states we want the raw value, not hexadecimal form`
			`$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);`
			`$hmac = base64_encode($hmac);`
sign example 2008-10-08 08:29:19 +02:00			`if ($debug) {`
bugfix verify otp 2008-12-09 00:42:05 +01:00			`debug('h='.$hmac);`
sign example 2008-10-08 08:29:19 +02:00			`}`
2008-09-27 11:04:49 +02:00			`return $hmac;`

sign example 2008-10-08 08:29:19 +02:00			`} // sign an array of query string`
2008-09-27 11:04:49 +02:00
Make standalone. 2009-03-10 23:50:35 +01:00			`define('DEVICE_ID_LEN', 12);`

			`function modhexToB64($modhex_str) {`
			`$s = ModHex::Decode($modhex_str);`
			`return base64_encode($s);`
			`}`

			`function b64ToModhex($b64_str) {`
			`$s = base64_decode($b64_str);`
			`return ModHex::Encode($s);`
			`}`

			`function b64ToHex($b64_str) {`
			`$s = '';`
			`$tid = base64_decode($b64_str);`
			`$a = str_split($tid);`
			`for ($i=0; $i < count($a); $i++) {`
			`$s .= dechex(ord($a[$i]));`
			`}`
			`return $s;`
			`}`

			`// $devId: The first 12 chars from the OTP`
			`function getAuthData($devId) {`
			`$tokenId = modhexToB64($devId);`
			`$stmt = 'SELECT id, client_id, secret, active, counter, '.`
			`' sessionUse, low, high, accessed '.`
			`' FROM yubikeys WHERE active AND tokenId='.mysql_quote($tokenId);`
			`$r = query($stmt);`
			`if (mysql_num_rows($r) > 0) {`
			`$row = mysql_fetch_assoc($r);`
			`mysql_free_result($r);`
			`return $row;`
			`}`
			`return null;`
			`} // End getAuthData`

			`// $clientId: The decimal client identity`
			`function getClientData($clientId) {`
			`$stmt = 'SELECT secret, chk_sig, chk_owner, chk_time'.`
			`' FROM clients WHERE active AND id='.mysql_quote($clientId);`
			`$r = query($stmt);`
			`if (mysql_num_rows($r) > 0) {`
			`$row = mysql_fetch_assoc($r);`
			`mysql_free_result($r);`
			`return $row;`
			`}`
			`return null;`
			`} // End getClientData`
add key 2008-09-26 05:21:11 +02:00			`?>`