rooty/yubikey-val
1
0
Fork 0
mirror of https://github.com/Yubico/yubikey-val.git synced 2025-01-20 10:52:15 +01:00
Code Issues Projects Releases Wiki Activity

let sendResp take one more parameter $context

Browse Source 
use for logging if it's a response to sync or verify.
This commit is contained in:
Klas Lindfors 2012-06-14 14:55:50 +02:00
parent d37c41011a
commit 01969a279e
3 changed files with 39 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ykval-common.php
View File

@ -219,11 +219,12 @@ function KSMdecryptOTP($urls) {
return $ret; return $ret;
} // End decryptOTP } // End decryptOTP
function sendResp($status, $apiKey = '', $extra = null) { function sendResp($status, $context, $apiKey = '', $extra = null) {
if ($status == null) { if ($status == null) {
$status = S_BACKEND_ERROR; $status = S_BACKEND_ERROR;
} }
$a['status'] = $status; $a['status'] = $status;
$a['t'] = getUTCTimeStamp(); $a['t'] = getUTCTimeStamp();
if ($extra){ if ($extra){
@ -242,8 +243,8 @@ function sendResp($status, $apiKey = '', $extra = null) {
$str .= "\r\n"; $str .= "\r\n";
global $ykval_common_log; global $ykval_common_log;
$ykval_common_log->log(LOG_INFO, "Response: " . $str . $ykval_common_log->log(LOG_INFO, "Context=" . $context . " Response: " . $str .
" (at " . date("c") . " " . microtime() . ")"); " (at " . date("c") . " " . microtime() . ")");
echo $str; echo $str;
} }

17
ykval-sync.php
View File

@ -4,11 +4,12 @@ require_once 'ykval-config.php';
require_once 'ykval-synclib.php'; require_once 'ykval-synclib.php';
$apiKey = ''; $apiKey = '';
$context = 'sync';
header("content-type: text/plain"); header("content-type: text/plain");
if(empty($_SERVER['QUERY_STRING'])) { if(empty($_SERVER['QUERY_STRING'])) {
sendResp(S_MISSING_PARAMETER, $apiKey); sendResp(S_MISSING_PARAMETER, $context, $apiKey);
exit; exit;
} }
@ -21,7 +22,7 @@ $sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']); $sync->addField('ip', $_SERVER['REMOTE_ADDR']);
if (! $sync->isConnected()) { if (! $sync->isConnected()) {
sendResp(S_BACKEND_ERROR, $apiKey); sendResp(S_BACKEND_ERROR, $context, $apiKey);
exit; exit;
} }
@ -41,7 +42,7 @@ foreach ($baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] as $server) {
} }
if (!$allowed) { if (!$allowed) {
$myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']); $myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']);
sendResp(S_OPERATION_NOT_ALLOWED, $apiKey); sendResp(S_OPERATION_NOT_ALLOWED, $context, $apiKey);
exit; exit;
} }
@ -67,7 +68,7 @@ foreach ($syncParams as $param=>$value) {
$value = getHttpVal($param, Null); $value = getHttpVal($param, Null);
if ($value==Null) { if ($value==Null) {
$myLog->log(LOG_NOTICE, "Received request with parameter[s] (" . $param . ") missing value"); $myLog->log(LOG_NOTICE, "Received request with parameter[s] (" . $param . ") missing value");
sendResp(S_MISSING_PARAMETER, ''); sendResp(S_MISSING_PARAMETER, $context, $apiKey);
exit; exit;
} }
$syncParams[$param]=$value; $syncParams[$param]=$value;
@ -88,7 +89,7 @@ $sync->addField('otp', $syncParams['otp']);
foreach (array('modified') as $param) { foreach (array('modified') as $param) {
if (preg_match("/^[0-9]+$/", $syncParams[$param])==0) { if (preg_match("/^[0-9]+$/", $syncParams[$param])==0) {
$myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct'); $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
sendResp(S_MISSING_PARAMETER, $apiKey); sendResp(S_MISSING_PARAMETER, $context, $apiKey);
exit; exit;
} }
} }
@ -96,7 +97,7 @@ foreach (array('modified') as $param) {
foreach (array('yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) { foreach (array('yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) {
if (preg_match("/^(-1|[0-9]+)$/", $syncParams[$param])==0) { if (preg_match("/^(-1|[0-9]+)$/", $syncParams[$param])==0) {
$myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct'); $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
sendResp(S_MISSING_PARAMETER, $apiKey); sendResp(S_MISSING_PARAMETER, $context, $apiKey);
exit; exit;
} }
} }
@ -112,7 +113,7 @@ $yk_publicname = $syncParams['yk_publicname'];
$localParams = $sync->getLocalParams($yk_publicname); $localParams = $sync->getLocalParams($yk_publicname);
if (!$localParams) { if (!$localParams) {
$myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname); $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
sendResp(S_BACKEND_ERROR, $apiKey); sendResp(S_BACKEND_ERROR, $context, $apiKey);
exit; exit;
} }
@ -179,6 +180,6 @@ $extra=array('modified'=>$localParams['modified'],
'yk_high'=>$localParams['yk_high'], 'yk_high'=>$localParams['yk_high'],
'yk_low'=>$localParams['yk_low']); 'yk_low'=>$localParams['yk_low']);
sendResp(S_OK, '', $extra); sendResp(S_OK, $context, $apiKey, $extra);
?> ?>

51
ykval-verify.php
View File

@ -4,6 +4,7 @@ require_once 'ykval-config.php';
require_once 'ykval-synclib.php'; require_once 'ykval-synclib.php';
$apiKey = ''; $apiKey = '';
$context = 'verify';
header("content-type: text/plain"); header("content-type: text/plain");
@ -56,7 +57,7 @@ if ($protocol_version>=2.0) {
/* Nonce is required from protocol 2.0 */ /* Nonce is required from protocol 2.0 */
if(!$nonce) { if(!$nonce) {
$myLog->log(LOG_NOTICE, 'Nonce is missing and protocol version >= 2.0'); $myLog->log(LOG_NOTICE, 'Nonce is missing and protocol version >= 2.0');
sendResp(S_MISSING_PARAMETER); sendResp(S_MISSING_PARAMETER, $context);
exit; exit;
} }
} }
@ -90,49 +91,49 @@ if (!isset($timeout) || $timeout == '') {
if ($otp == '') { if ($otp == '') {
$myLog->log(LOG_NOTICE, 'OTP is missing'); $myLog->log(LOG_NOTICE, 'OTP is missing');
sendResp(S_MISSING_PARAMETER); sendResp(S_MISSING_PARAMETER, $context);
exit; exit;
} }
if (strlen($otp) < TOKEN_LEN || strlen ($otp) > OTP_MAX_LEN) { if (strlen($otp) < TOKEN_LEN || strlen ($otp) > OTP_MAX_LEN) {
$myLog->log(LOG_NOTICE, 'Incorrect OTP length: ' . $otp); $myLog->log(LOG_NOTICE, 'Incorrect OTP length: ' . $otp);
sendResp(S_BAD_OTP); sendResp(S_BAD_OTP, $context);
exit; exit;
} }
if (preg_match("/^[cbdefghijklnrtuv]+$/", $otp)==0) { if (preg_match("/^[cbdefghijklnrtuv]+$/", $otp)==0) {
$myLog->log(LOG_NOTICE, 'Invalid OTP: ' . $otp); $myLog->log(LOG_NOTICE, 'Invalid OTP: ' . $otp);
sendResp(S_BAD_OTP); sendResp(S_BAD_OTP, $context);
exit; exit;
} }
if (preg_match("/^[0-9]+$/", $client)==0){ if (preg_match("/^[0-9]+$/", $client)==0){
$myLog->log(LOG_NOTICE, 'id provided in request must be an integer'); $myLog->log(LOG_NOTICE, 'id provided in request must be an integer');
sendResp(S_MISSING_PARAMETER); sendResp(S_MISSING_PARAMETER, $context);
exit; exit;
} }
if ($timeout && preg_match("/^[0-9]+$/", $timeout)==0) { if ($timeout && preg_match("/^[0-9]+$/", $timeout)==0) {
$myLog->log(LOG_NOTICE, 'timeout is provided but not correct'); $myLog->log(LOG_NOTICE, 'timeout is provided but not correct');
sendResp(S_MISSING_PARAMETER); sendResp(S_MISSING_PARAMETER, $context);
exit; exit;
} }
if (isset($nonce) && preg_match("/^[A-Za-z0-9]+$/", $nonce)==0) { if (isset($nonce) && preg_match("/^[A-Za-z0-9]+$/", $nonce)==0) {
$myLog->log(LOG_NOTICE, 'NONCE is provided but not correct'); $myLog->log(LOG_NOTICE, 'NONCE is provided but not correct');
sendResp(S_MISSING_PARAMETER); sendResp(S_MISSING_PARAMETER, $context);
exit; exit;
} }
if (isset($nonce) && (strlen($nonce) < 16 || strlen($nonce) > 40)) { if (isset($nonce) && (strlen($nonce) < 16 || strlen($nonce) > 40)) {
$myLog->log(LOG_NOTICE, 'Nonce too short or too long'); $myLog->log(LOG_NOTICE, 'Nonce too short or too long');
sendResp(S_MISSING_PARAMETER); sendResp(S_MISSING_PARAMETER, $context);
exit; exit;
} }
if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) { if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
$myLog->log(LOG_NOTICE, 'SL is provided but not correct'); $myLog->log(LOG_NOTICE, 'SL is provided but not correct');
sendResp(S_MISSING_PARAMETER); sendResp(S_MISSING_PARAMETER, $context);
exit; exit;
} }
@ -143,7 +144,7 @@ if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
// //
if ($client <= 0) { if ($client <= 0) {
$myLog->log(LOG_NOTICE, 'Client ID is missing'); $myLog->log(LOG_NOTICE, 'Client ID is missing');
sendResp(S_MISSING_PARAMETER); sendResp(S_MISSING_PARAMETER, $context);
exit; exit;
} }
@ -156,14 +157,14 @@ $sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('otp', $otp); $sync->addField('otp', $otp);
if (! $sync->isConnected()) { if (! $sync->isConnected()) {
sendResp(S_BACKEND_ERROR); sendResp(S_BACKEND_ERROR, $context);
exit; exit;
} }
$cd=$sync->getClientData($client); $cd=$sync->getClientData($client);
if(!$cd) { if(!$cd) {
$myLog->log(LOG_NOTICE, 'Invalid client id ' . $client); $myLog->log(LOG_NOTICE, 'Invalid client id ' . $client);
sendResp(S_NO_SUCH_CLIENT); sendResp(S_NO_SUCH_CLIENT, $context);
exit; exit;
} }
$myLog->log(LOG_DEBUG,"Client data:", $cd); $myLog->log(LOG_DEBUG,"Client data:", $cd);
@ -189,7 +190,7 @@ if ($h != '') {
// Compare it // Compare it
if ($hmac != $h) { if ($hmac != $h) {
$myLog->log(LOG_DEBUG, 'client hmac=' . $h . ', server hmac=' . $hmac); $myLog->log(LOG_DEBUG, 'client hmac=' . $h . ', server hmac=' . $hmac);
sendResp(S_BAD_SIGNATURE, $apiKey); sendResp(S_BAD_SIGNATURE, $context, $apiKey);
exit; exit;
} }
} }
@ -206,7 +207,7 @@ if ($protocol_version<2.0) {
// //
$urls = otp2ksmurls ($otp, $client); $urls = otp2ksmurls ($otp, $client);
if (!is_array($urls)) { if (!is_array($urls)) {
sendResp(S_BACKEND_ERROR, $apiKey); sendResp(S_BACKEND_ERROR, $context, $apiKey);
exit; exit;
} }
@ -214,7 +215,7 @@ if (!is_array($urls)) {
// //
$otpinfo = KSMdecryptOTP($urls); $otpinfo = KSMdecryptOTP($urls);
if (!is_array($otpinfo)) { if (!is_array($otpinfo)) {
sendResp(S_BAD_OTP, $apiKey); sendResp(S_BAD_OTP, $context, $apiKey);
exit; exit;
} }
$myLog->log(LOG_DEBUG, "Decrypted OTP:", $otpinfo); $myLog->log(LOG_DEBUG, "Decrypted OTP:", $otpinfo);
@ -226,14 +227,14 @@ $yk_publicname=$devId;
$localParams = $sync->getLocalParams($yk_publicname); $localParams = $sync->getLocalParams($yk_publicname);
if (!$localParams) { if (!$localParams) {
$myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname); $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
sendResp(S_BACKEND_ERROR, $apiKey); sendResp(S_BACKEND_ERROR, $context, $apiKey);
exit; exit;
} }
$myLog->log(LOG_DEBUG, "Auth data:", $localParams); $myLog->log(LOG_DEBUG, "Auth data:", $localParams);
if ($localParams['active'] != 1) { if ($localParams['active'] != 1) {
$myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $devId); $myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $devId);
sendResp(S_BAD_OTP, $apiKey); sendResp(S_BAD_OTP, $context, $apiKey);
exit; exit;
} }
@ -253,7 +254,7 @@ $otpParams=array('modified'=>time(),
if ($sync->countersEqual($localParams, $otpParams) && if ($sync->countersEqual($localParams, $otpParams) &&
$localParams['nonce']==$otpParams['nonce']) { $localParams['nonce']==$otpParams['nonce']) {
$myLog->log(LOG_WARNING, 'Replayed request'); $myLog->log(LOG_WARNING, 'Replayed request');
sendResp(S_REPLAYED_REQUEST, $apiKey, $extra); sendResp(S_REPLAYED_REQUEST, $context, $apiKey, $extra);
exit; exit;
} }
@ -262,7 +263,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
$sync->log(LOG_WARNING, 'replayed OTP: Local counters higher'); $sync->log(LOG_WARNING, 'replayed OTP: Local counters higher');
$sync->log(LOG_WARNING, 'replayed OTP: Local counters ', $localParams); $sync->log(LOG_WARNING, 'replayed OTP: Local counters ', $localParams);
$sync->log(LOG_WARNING, 'replayed OTP: Otp counters ', $otpParams); $sync->log(LOG_WARNING, 'replayed OTP: Otp counters ', $otpParams);
sendResp(S_REPLAYED_OTP, $apiKey, $extra); sendResp(S_REPLAYED_OTP, $context, $apiKey, $extra);
exit; exit;
} }
@ -270,7 +271,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
if(!$sync->updateDbCounters($otpParams)) { if(!$sync->updateDbCounters($otpParams)) {
$myLog->log(LOG_CRIT, "Failed to update yubikey counters in database"); $myLog->log(LOG_CRIT, "Failed to update yubikey counters in database");
sendResp(S_BACKEND_ERROR, $apiKey); sendResp(S_BACKEND_ERROR, $context, $apiKey);
exit; exit;
} }
@ -278,7 +279,7 @@ if(!$sync->updateDbCounters($otpParams)) {
if (!$sync->queue($otpParams, $localParams)) { if (!$sync->queue($otpParams, $localParams)) {
$myLog->log(LOG_CRIT, "ykval-verify:critical:failed to queue sync requests"); $myLog->log(LOG_CRIT, "ykval-verify:critical:failed to queue sync requests");
sendResp(S_BACKEND_ERROR, $apiKey); sendResp(S_BACKEND_ERROR, $context, $apiKey);
exit; exit;
} }
@ -310,11 +311,11 @@ if($syncres==False) {
there were not enough answers */ there were not enough answers */
$myLog->log(LOG_WARNING, "ykval-verify:notice:Sync failed"); $myLog->log(LOG_WARNING, "ykval-verify:notice:Sync failed");
if ($nr_valid_answers!=$nr_answers) { if ($nr_valid_answers!=$nr_answers) {
sendResp(S_REPLAYED_OTP, $apiKey, $extra); sendResp(S_REPLAYED_OTP, $context, $apiKey, $extra);
exit; exit;
} else { } else {
$extra['sl']=$sl_success_rate; $extra['sl']=$sl_success_rate;
sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey, $extra); sendResp(S_NOT_ENOUGH_ANSWERS, $context, $apiKey, $extra);
exit; exit;
} }
} }
@ -362,7 +363,7 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) { if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
$myLog->log(LOG_NOTICE, "OTP failed phishing test"); $myLog->log(LOG_NOTICE, "OTP failed phishing test");
if (0) { if (0) {
sendResp(S_DELAYED_OTP, $apiKey, $extra); sendResp(S_DELAYED_OTP, $context, $apiKey, $extra);
exit; exit;
} }
} }
@ -378,6 +379,6 @@ if ($timestamp==1){
$extra['sessionuse'] = $sessionUse; $extra['sessionuse'] = $sessionUse;
} }
sendResp(S_OK, $apiKey, $extra); sendResp(S_OK, $context, $apiKey, $extra);
?> ?>