diff --git a/ykval-common.php b/ykval-common.php
index 50bb2e0..ae204cc 100644
--- a/ykval-common.php
+++ b/ykval-common.php
@@ -219,11 +219,12 @@ function KSMdecryptOTP($urls) {
 return $ret;
 } // End decryptOTP
-function sendResp($status, $apiKey = '', $extra = null) {
+function sendResp($status, $context, $apiKey = '', $extra = null) {
 if ($status == null) {
 $status = S_BACKEND_ERROR;
 }
+ $a['status'] = $status;
 $a['t'] = getUTCTimeStamp();
 if ($extra){
@@ -242,8 +243,8 @@ function sendResp($status, $apiKey = '', $extra = null) {
 $str .= "\r\n";
 global $ykval_common_log;
- $ykval_common_log->log(LOG_INFO, "Response: " . $str . " (at " . date("c") . " " . microtime() . ")");
+ $ykval_common_log->log(LOG_INFO, "Context=" . $context . " Response: " . $str . " (at " . date("c") . " " . microtime() . ")");
 echo $str;
 }
diff --git a/ykval-sync.php b/ykval-sync.php
index ddf40fe..2f3111d 100644
--- a/ykval-sync.php
+++ b/ykval-sync.php
@@ -4,11 +4,12 @@ require_once 'ykval-config.php';
 require_once 'ykval-synclib.php';
 $apiKey = '';
+$context = 'sync';
 header("content-type: text/plain");
 if(empty($_SERVER['QUERY_STRING'])) {
- sendResp(S_MISSING_PARAMETER, $apiKey);
+ sendResp(S_MISSING_PARAMETER, $context, $apiKey);
 exit;
 }
@@ -21,7 +22,7 @@ $sync = new SyncLib('ykval-sync:synclib');
 $sync->addField('ip', $_SERVER['REMOTE_ADDR']);
 if (! $sync->isConnected()) {
- sendResp(S_BACKEND_ERROR, $apiKey);
+ sendResp(S_BACKEND_ERROR, $context, $apiKey);
 exit;
 }
@@ -41,7 +42,7 @@ foreach ($baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] as $server) {
 }
 if (!$allowed) {
 $myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']);
- sendResp(S_OPERATION_NOT_ALLOWED, $apiKey);
+ sendResp(S_OPERATION_NOT_ALLOWED, $context, $apiKey);
 exit;
 }
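Review bot: `$context` is added as a required positional parameter in front of the optional `$apiKey`, so a call site that was missed, or one written later in the old form `sendResp($status, $apiKey)`, binds the API key to `$context` and lets `$apiKey` silently default to `''` — PHP raises no error, the response is logged under a bogus context and, assuming `$apiKey` is what signs the response (the signing code is outside this hunk), it is signed with an empty key. Appending the parameter instead, `function sendResp($status, $apiKey = '', $extra = null, $context = '') {`, keeps every old call site valid and makes the failure mode a missing label rather than a wrong key. If the new position is kept, a docblock above the function should say that `$context` is a short fixed label (the callers pass `'sync'` and `'verify'`) written verbatim into the INFO log line, so request-derived strings must not be passed; the same applies to the log hunk at @@ -242 where it is concatenated into the message. sendResp's body continues past the end of this hunk.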
@@ -67,7 +68,7 @@ foreach ($syncParams as $param=>$value) {
 $value = getHttpVal($param, Null);
 if ($value==Null) {
 $myLog->log(LOG_NOTICE, "Received request with parameter[s] (" . $param . ") missing value");
- sendResp(S_MISSING_PARAMETER, '');
+ sendResp(S_MISSING_PARAMETER, $context, $apiKey);
 exit;
 }
 $syncParams[$param]=$value;
@@ -88,7 +89,7 @@ $sync->addField('otp', $syncParams['otp']);
 foreach (array('modified') as $param) {
 if (preg_match("/^[0-9]+$/", $syncParams[$param])==0) {
 $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
- sendResp(S_MISSING_PARAMETER, $apiKey);
+ sendResp(S_MISSING_PARAMETER, $context, $apiKey);
 exit;
 }
 }
@@ -96,7 +97,7 @@ foreach (array('modified') as $param) {
 foreach (array('yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) {
 if (preg_match("/^(-1|[0-9]+)$/", $syncParams[$param])==0) {
 $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
- sendResp(S_MISSING_PARAMETER, $apiKey);
+ sendResp(S_MISSING_PARAMETER, $context, $apiKey);
 exit;
 }
 }
@@ -112,7 +113,7 @@ $yk_publicname = $syncParams['yk_publicname'];
 $localParams = $sync->getLocalParams($yk_publicname);
 if (!$localParams) {
 $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
- sendResp(S_BACKEND_ERROR, $apiKey);
+ sendResp(S_BACKEND_ERROR, $context, $apiKey);
 exit;
 }
@@ -179,6 +180,6 @@ $extra=array('modified'=>$localParams['modified'],
 'yk_high'=>$localParams['yk_high'], 'yk_low'=>$localParams['yk_low']);
-sendResp(S_OK, '', $extra);
+sendResp(S_OK, $context, $apiKey, $extra);
 ?>
diff --git a/ykval-verify.php b/ykval-verify.php
index 21516c6..a5a5944 100644
--- a/ykval-verify.php
+++ b/ykval-verify.php
@@ -4,6 +4,7 @@ require_once 'ykval-config.php';
 require_once 'ykval-synclib.php';
 $apiKey = '';
+$context = 'verify';
 header("content-type: text/plain");
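Review bot: The call at @@ -67 changes more than the context label: its second argument goes from the literal `''` to `$apiKey`, and the same substitution is made in the final `sendResp(S_OK, $context, $apiKey, $extra);` at @@ -179. In ykval-sync.php `$apiKey` is initialised to `''` near the top of the file (hunk @@ -4), so this is equivalent only if nothing assigns it later, which this diff cannot show. If the intent is that sync responses are never signed, a comment at the declaration, `// sync responses carry no signature: $apiKey stays '' for every sendResp()`, would make that invariant explicit and keep the two forms from drifting apart again.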
@@ -56,7 +57,7 @@ if ($protocol_version>=2.0) {
 /* Nonce is required from protocol 2.0 */
 if(!$nonce) {
 $myLog->log(LOG_NOTICE, 'Nonce is missing and protocol version >= 2.0');
- sendResp(S_MISSING_PARAMETER);
+ sendResp(S_MISSING_PARAMETER, $context);
 exit;
 }
 }
@@ -90,49 +91,49 @@ if (!isset($timeout) || $timeout == '') {
 if ($otp == '') {
 $myLog->log(LOG_NOTICE, 'OTP is missing');
- sendResp(S_MISSING_PARAMETER);
+ sendResp(S_MISSING_PARAMETER, $context);
 exit;
 }
 if (strlen($otp) < TOKEN_LEN || strlen ($otp) > OTP_MAX_LEN) {
 $myLog->log(LOG_NOTICE, 'Incorrect OTP length: ' . $otp);
- sendResp(S_BAD_OTP);
+ sendResp(S_BAD_OTP, $context);
 exit;
 }
 if (preg_match("/^[cbdefghijklnrtuv]+$/", $otp)==0) {
 $myLog->log(LOG_NOTICE, 'Invalid OTP: ' . $otp);
- sendResp(S_BAD_OTP);
+ sendResp(S_BAD_OTP, $context);
 exit;
 }
 if (preg_match("/^[0-9]+$/", $client)==0){
 $myLog->log(LOG_NOTICE, 'id provided in request must be an integer');
- sendResp(S_MISSING_PARAMETER);
+ sendResp(S_MISSING_PARAMETER, $context);
 exit;
 }
 if ($timeout && preg_match("/^[0-9]+$/", $timeout)==0) {
 $myLog->log(LOG_NOTICE, 'timeout is provided but not correct');
- sendResp(S_MISSING_PARAMETER);
+ sendResp(S_MISSING_PARAMETER, $context);
 exit;
 }
 if (isset($nonce) && preg_match("/^[A-Za-z0-9]+$/", $nonce)==0) {
 $myLog->log(LOG_NOTICE, 'NONCE is provided but not correct');
- sendResp(S_MISSING_PARAMETER);
+ sendResp(S_MISSING_PARAMETER, $context);
 exit;
 }
 if (isset($nonce) && (strlen($nonce) < 16 || strlen($nonce) > 40)) {
 $myLog->log(LOG_NOTICE, 'Nonce too short or too long');
- sendResp(S_MISSING_PARAMETER);
+ sendResp(S_MISSING_PARAMETER, $context);
 exit;
 }
 if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
 $myLog->log(LOG_NOTICE, 'SL is provided but not correct');
- sendResp(S_MISSING_PARAMETER);
+ sendResp(S_MISSING_PARAMETER, $context);
 exit;
 }
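Review bot: The hunk at @@ -90 repeats the same three-line `log / sendResp(..., $context) / exit` sequence at nine validation sites, and the commit had to touch every one of them to thread `$context` through; a small file-level helper such as `function reject($status, $msg) { global $myLog, $context; $myLog->log(LOG_NOTICE, $msg); sendResp($status, $context); exit; }` would make it impossible to forget the context argument at the next site added. Two of the context lines also deserve a comment while this code is being edited: `if ($timeout && ...)` skips the format check when timeout is `'0'` because of PHP truthiness, and in the `$sl` check the `$sl<0` clause can never be true after `/^[0-9]+$/` has matched, so `// $sl<0 is unreachable here; kept for clarity` or its removal would stop readers looking for a negative path.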
@@ -143,7 +144,7 @@ if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
 //
 if ($client <= 0) {
 $myLog->log(LOG_NOTICE, 'Client ID is missing');
- sendResp(S_MISSING_PARAMETER);
+ sendResp(S_MISSING_PARAMETER, $context);
 exit;
 }
@@ -156,14 +157,14 @@ $sync->addField('ip', $_SERVER['REMOTE_ADDR']);
 $sync->addField('otp', $otp);
 if (! $sync->isConnected()) {
- sendResp(S_BACKEND_ERROR);
+ sendResp(S_BACKEND_ERROR, $context);
 exit;
 }
 $cd=$sync->getClientData($client);
 if(!$cd) {
 $myLog->log(LOG_NOTICE, 'Invalid client id ' . $client);
- sendResp(S_NO_SUCH_CLIENT);
+ sendResp(S_NO_SUCH_CLIENT, $context);
 exit;
 }
 $myLog->log(LOG_DEBUG,"Client data:", $cd);
@@ -189,7 +190,7 @@ if ($h != '') {
 // Compare it
 if ($hmac != $h) {
 $myLog->log(LOG_DEBUG, 'client hmac=' . $h . ', server hmac=' . $hmac);
- sendResp(S_BAD_SIGNATURE, $apiKey);
+ sendResp(S_BAD_SIGNATURE, $context, $apiKey);
 exit;
 }
 }
@@ -206,7 +207,7 @@ if ($protocol_version<2.0) {
 //
 $urls = otp2ksmurls ($otp, $client);
 if (!is_array($urls)) {
- sendResp(S_BACKEND_ERROR, $apiKey);
+ sendResp(S_BACKEND_ERROR, $context, $apiKey);
 exit;
 }
@@ -214,7 +215,7 @@ if (!is_array($urls)) {
 //
 $otpinfo = KSMdecryptOTP($urls);
 if (!is_array($otpinfo)) {
- sendResp(S_BAD_OTP, $apiKey);
+ sendResp(S_BAD_OTP, $context, $apiKey);
 exit;
 }
 $myLog->log(LOG_DEBUG, "Decrypted OTP:", $otpinfo);
@@ -226,14 +227,14 @@ $yk_publicname=$devId;
 $localParams = $sync->getLocalParams($yk_publicname);
 if (!$localParams) {
 $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
- sendResp(S_BACKEND_ERROR, $context, $apiKey);
+ sendResp(S_BACKEND_ERROR, $context, $apiKey);
 exit;
 }
 $myLog->log(LOG_DEBUG, "Auth data:", $localParams);
 if ($localParams['active'] != 1) {
 $myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $devId);
- sendResp(S_BAD_OTP, $apiKey);
+ sendResp(S_BAD_OTP, $context, $apiKey);
 exit;
 }
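Review bot: The request-signature check in the context line of @@ -189, `if ($hmac != $h) {`, is a loose, early-exit string comparison: `!=` applies PHP's numeric-string rules, and a byte-wise mismatch returns as soon as the first differing byte is found, so the compare time depends on how much of the prefix matches. Since the commit is already editing this branch, `if (!hash_equals($hmac, $h)) {` would give a strict, constant-time comparison (hash_equals is available from PHP 5.6; on older runtimes a strict `!==` is at least the correct semantics). The enclosing `if ($h != '')` block and the computation of `$hmac` are outside this hunk, so I cannot confirm both values are already strings of the same encoding; that is worth checking before switching the call.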
@@ -253,7 +254,7 @@ $otpParams=array('modified'=>time(),
 if ($sync->countersEqual($localParams, $otpParams) && $localParams['nonce']==$otpParams['nonce']) {
 $myLog->log(LOG_WARNING, 'Replayed request');
- sendResp(S_REPLAYED_REQUEST, $apiKey, $extra);
+ sendResp(S_REPLAYED_REQUEST, $context, $apiKey, $extra);
 exit;
 }
@@ -262,7 +263,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
 $sync->log(LOG_WARNING, 'replayed OTP: Local counters higher');
 $sync->log(LOG_WARNING, 'replayed OTP: Local counters ', $localParams);
 $sync->log(LOG_WARNING, 'replayed OTP: Otp counters ', $otpParams);
- sendResp(S_REPLAYED_OTP, $apiKey, $extra);
+ sendResp(S_REPLAYED_OTP, $context, $apiKey, $extra);
 exit;
 }
@@ -270,7 +271,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
 if(!$sync->updateDbCounters($otpParams)) {
 $myLog->log(LOG_CRIT, "Failed to update yubikey counters in database");
- sendResp(S_BACKEND_ERROR, $apiKey);
+ sendResp(S_BACKEND_ERROR, $context, $apiKey);
 exit;
 }
@@ -278,7 +279,7 @@ if(!$sync->updateDbCounters($otpParams)) {
 if (!$sync->queue($otpParams, $localParams)) {
 $myLog->log(LOG_CRIT, "ykval-verify:critical:failed to queue sync requests");
- sendResp(S_BACKEND_ERROR, $apiKey);
+ sendResp(S_BACKEND_ERROR, $context, $apiKey);
 exit;
 }
@@ -310,11 +311,11 @@ if($syncres==False) {
 there were not enough answers */
 $myLog->log(LOG_WARNING, "ykval-verify:notice:Sync failed");
 if ($nr_valid_answers!=$nr_answers) {
- sendResp(S_REPLAYED_OTP, $apiKey, $extra);
+ sendResp(S_REPLAYED_OTP, $context, $apiKey, $extra);
 exit;
 } else {
 $extra['sl']=$sl_success_rate;
- sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey, $extra);
+ sendResp(S_NOT_ENOUGH_ANSWERS, $context, $apiKey, $extra);
 exit;
 }
 }
@@ -362,7 +363,7 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
 if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
 $myLog->log(LOG_NOTICE, "OTP failed phishing test");
 if (0) {
- sendResp(S_DELAYED_OTP, $apiKey, $extra);
+ sendResp(S_DELAYED_OTP, $context, $apiKey, $extra);
 exit;
 }
 }
@@ -378,6 +379,6 @@ if ($timestamp==1){
 $extra['sessionuse'] = $sessionUse;
 }
-sendResp(S_OK, $apiKey, $extra);
+sendResp(S_OK, $context, $apiKey, $extra);
 ?>
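Review bot: The updated `sendResp(S_DELAYED_OTP, $context, $apiKey, $extra);` at @@ -362 sits inside `if (0) {`, so it is dead code: an OTP that fails the timestamp phishing test is logged at NOTICE and then, as far as this hunk shows, processed like any other. If that is deliberate, the literal `if (0)` should say so, e.g. `// Phishing test is log-only for now: S_DELAYED_OTP is intentionally never sent (see TS_ABS_TOLERANCE/TS_REL_TOLERANCE)`, otherwise a reader will take the freshly edited call as live and assume delayed OTPs are rejected. The enclosing `if ($sessionCounter == $seenSessionCounter && ...)` block starts before this hunk.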