rooty/yubikey-val
1
0
Fork 0
mirror of https://github.com/Yubico/yubikey-val.git synced 2025-01-20 10:52:15 +01:00
Code Issues Projects Releases Wiki Activity

Use time stamp to prevent OTP phishing

Browse Source
This commit is contained in:
Paul Chen 2008-12-03 07:49:32 +00:00
parent 1c9c717efd
commit 150458a5ea
2 changed files with 100 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
common.php
View File

@ -8,6 +8,9 @@ define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');
//define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT'); // Deprecated by paul 20080920 //define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT'); // Deprecated by paul 20080920
define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED'); define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');
define('S_BACKEND_ERROR', 'BACKEND_ERROR'); define('S_BACKEND_ERROR', 'BACKEND_ERROR');
define('S_SECURITY_ERROR', 'SECURITY_ERROR');
define('TS_SEC', 0.1118);
define('TS_TOLERANCE', 0.3);
function debug($msg, $exit = false) { function debug($msg, $exit = false) {
global $trace; global $trace;

146
verifyOTP.php
View File

@ -1,10 +1,13 @@
<?php require_once '../yubiphpbase/appinclude.php'; <?php
require_once '../yubiphpbase/yubi_lib.php'; require_once '../yubiphpbase/appinclude.php';
require_once 'common.php'; require_once '../yubiphpbase/yubi_lib.php';
require_once 'common.php';
header("content-type: text/plain"); header("content-type: text/plain");
if (!isset($trace)) { $trace = 0; } if (!isset ($trace)) {
$trace = 0;
}
$client = getHttpVal('id', 0); $client = getHttpVal('id', 0);
if ($client <= 0) { if ($client <= 0) {
@ -28,7 +31,7 @@ $devId = substr($otp, 0, 12);
$ad = getAuthData($devId); $ad = getAuthData($devId);
if ($ad == null) { if ($ad == null) {
debug('Invalid Yubikey '.$devId); debug('Invalid Yubikey ' . $devId);
sendResp(S_BAD_OTP, $otp); sendResp(S_BAD_OTP, $otp);
exit; exit;
} else { } else {
@ -39,14 +42,14 @@ if ($ad == null) {
// //
if ($ad['chk_owner'] && $ad['client_id'] != $client) { if ($ad['chk_owner'] && $ad['client_id'] != $client) {
debug('Client-'.$client.' is not the owner of the Yubikey!'); debug('Client-' . $client . ' is not the owner of the Yubikey!');
sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey'); sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
exit; exit;
} }
$k = b64ToModhex($ad['secret']); $k = b64ToModhex($ad['secret']);
//debug('aes key in modhex = '.$k); //debug('aes key in modhex = '.$k);
$key16 = ModHex::Decode($k); $key16 = ModHex :: Decode($k);
//debug('aes key in hex = ['.$key16.'], length = '.strlen($key16)); //debug('aes key in hex = ['.$key16.'], length = '.strlen($key16));
$apiKey = base64_decode($ad['c_secret']); $apiKey = base64_decode($ad['c_secret']);
@ -54,29 +57,29 @@ $apiKey = base64_decode($ad['c_secret']);
// //
if ($ad['chk_sig']) { if ($ad['chk_sig']) {
// Create the signature using the API key // Create the signature using the API key
$a = array(); $a = array ();
$a['id']=$client; $a['id'] = $client;
$a['otp']=$otp; $a['otp'] = $otp;
$hmac = sign($a, $apiKey); $hmac = sign($a, $apiKey);
if (($h = getHttpVal('h', '')) == '') { if (($h = getHttpVal('h', '')) == '') {
sendResp(S_MISSING_PARAMETER, 'h'); sendResp(S_MISSING_PARAMETER, 'h');
debug('signature missing, hmac='.$hmac); debug('signature missing, hmac=' . $hmac);
exit; exit;
} else if ($hmac != $h) { } else
if ($hmac != $h) {
sendResp(S_BAD_SIGNATURE); sendResp(S_BAD_SIGNATURE);
debug('h='.$h.', hmac='.$hmac); debug('h=' . $h . ', hmac=' . $hmac);
exit; exit;
} }
} }
//// Decode OTP from input //// Decode OTP from input
// //
debug('From the OTP validation request:'); debug('From the OTP validation request:');
$decoded_token = Yubikey::Decode($otp, $key16); $decoded_token = Yubikey :: Decode($otp, $key16);
debug($decoded_token); debug($decoded_token);
if ( ! is_array($decoded_token) ) { if (!is_array($decoded_token)) {
sendResp(S_BAD_OTP, $otp); sendResp(S_BAD_OTP, $otp);
exit; exit;
} }
@ -97,18 +100,18 @@ if ($ad['c_active'] < 1) {
//// Sanity check token ID //// Sanity check token ID
// //
if (strlen($decoded_token["public_id"]) == 12 ) { if (strlen($decoded_token["public_id"]) == 12) {
debug("Token ID OK (".$decoded_token["public_id"].")"); debug("Token ID OK (" . $decoded_token["public_id"] . ")");
} else { } else {
debug("TOKEN ID FAILED, ".$decoded_token["public_id"]); debug("TOKEN ID FAILED, " . $decoded_token["public_id"]);
sendResp(S_BAD_OTP, $otp); sendResp(S_BAD_OTP, $otp);
exit; exit;
} }
//// Sanity check the OTP //// Sanity check the OTP
// //
if ( strlen($decoded_token["token"]) != 32) { if (strlen($decoded_token["token"]) != 32) {
debug("Wrong OTP length,".strlen($decoded_token["token"])); debug("Wrong OTP length," . strlen($decoded_token["token"]));
sendResp(S_BAD_OTP, $otp); sendResp(S_BAD_OTP, $otp);
exit; exit;
} }
@ -119,38 +122,68 @@ $sessionCounter = $decoded_token["session_counter"]; // From the req
$seenSessionCounter = $ad['counter']; // From DB $seenSessionCounter = $ad['counter']; // From DB
$scDiff = $seenSessionCounter - $sessionCounter; $scDiff = $seenSessionCounter - $sessionCounter;
if ($scDiff > 0) { if ($scDiff > 0) {
debug("Replayed session counter=".$sessionCounter.', seen='.$seenSessionCounter); debug("Replayed session counter=" . $sessionCounter . ', seen=' . $seenSessionCounter);
sendResp(S_REPLAYED_OTP); sendResp(S_REPLAYED_OTP);
exit; exit;
} else { } else {
debug("Session counter OK (".$sessionCounter.")"); debug("Session counter OK (" . $sessionCounter . ")");
}
//// Check the time stamp
//
if ($scDiff == 0) { // Same use session, check time stamp diff
$ts = $decoded_token['timestamp'];
$seenTs = ($ad['high'] << 16) + $ad['low'];
$tsDiff = $ts - $seenTs;
if ($tsDiff <= 0) {
debug("Replayed time stamp=" . $ts . ', seen=' . $seenTs);
sendResp(S_REPLAYED_OTP);
exit;
} else {
$tsDelta = $tsDiff * TS_SEC;
debug("Timestamp OK (" . $ts . ") delta count=".$tsDiff.
'-> delta secs='.$tsDelta);
}
$lastTime = strtotime($ad['accessed']);
//$lastAccess = $ad['accessed'];
//echo 'Last accessed: '.$lastAccess.' '.date("F j, Y, g:i a", $lastTime)."\n";
$elapsed = time() - $lastTime;
debug('Elapsed time from last validation: '.$elapsed.' secs');
$deviation = abs($elapsed - $tsDelta);
debug("Key time deviation vs. real elapsed time=".$deviation.' secs');
if ($deviation > TS_TOLERANCE * $elapsed) {
debug("Is the OTP generated from a real crypto key?");
sendResp(S_SECURITY_ERROR);
exit;
}
} }
//// Check the high counter //// Check the high counter
// //
$hi = $decoded_token["high"]; // From the req //$hi = $decoded_token["high"]; // From the req
$seenHi = $ad['high']; // From DB //$seenHi = $ad['high']; // From DB
$hiDiff = $seenHi - $hi; //$hiDiff = $seenHi - $hi;
if ($scDiff == 0 && $hiDiff > 0) { //if ($scDiff == 0 && $hiDiff > 0) {
debug("Replayed hi counter=".$hi.', seen='.$seenHi); // debug("Replayed hi counter=".$hi.', seen='.$seenHi);
sendResp(S_REPLAYED_OTP); // sendResp(S_REPLAYED_OTP);
exit; // exit;
} else { //} else {
debug("Hi counter OK (".$hi.")"); // debug("Hi counter OK (".$hi.")");
} //}
//// Check the low counter //// Check the low counter
// //
$lo = $decoded_token["low"]; // From the req //$lo = $decoded_token["low"]; // From the req
$seenLo = $ad['low']; // From DB //$seenLo = $ad['low']; // From DB
$loDiff = $seenLo - $lo; //$loDiff = $seenLo - $lo;
if ($scDiff == 0 && $hiDiff == 0 && $loDiff >= 0) { //if ($scDiff == 0 && $hiDiff == 0 && $loDiff >= 0) {
debug("Replayed low counter=".$lo.', seen='.$seenLo); // debug("Replayed low counter=".$lo.', seen='.$seenLo);
sendResp(S_REPLAYED_OTP); // sendResp(S_REPLAYED_OTP);
exit; // exit;
} else { //} else {
debug("Lo counter OK (".$lo.")"); // debug("Lo counter OK (".$lo.")");
} //}
//// Update the DB only upon validation success //// Update the DB only upon validation success
// //
@ -166,41 +199,40 @@ if (updDB($ad['id'], $decoded_token, $client)) {
// Functions // Functions
////////////////////////// //////////////////////////
function sendResp($status, $info=null) { function sendResp($status, $info = null) {
global $ad, $apiKey; global $ad, $apiKey;
if ($status == null) { if ($status == null) {
$status = S_BACKEND_ERROR; $status = S_BACKEND_ERROR;
} }
echo 'status='.($a['status'] = $status).PHP_EOL; echo 'status=' . ($a['status'] = $status) . PHP_EOL;
if ($info != null) { if ($info != null) {
echo 'info='.($a['info'] = $info).PHP_EOL; echo 'info=' . ($a['info'] = $info) . PHP_EOL;
} }
echo 't='.($a['t']=getUTCTimeStamp()).PHP_EOL; echo 't=' . ($a['t'] = getUTCTimeStamp()) . PHP_EOL;
$h = sign($a, $apiKey); $h = sign($a, $apiKey);
echo 'h='.$h.PHP_EOL; echo 'h=' . $h . PHP_EOL;
echo PHP_EOL; echo PHP_EOL;
} // End sendResp } // End sendResp
function updDB($keyid, $new, $client) { function updDB($keyid, $new, $client) {
$stmt = 'UPDATE yubikeys SET '. $stmt = 'UPDATE yubikeys SET ' .
'accessed=NOW(),'. 'accessed=NOW(),' .
'counter='.$new['session_counter'].','. 'counter=' . $new['session_counter'] . ',' .
'low='.$new['low'].','. 'low=' . $new['low'] . ',' .
'high='.$new['high']. 'high=' . $new['high'] .
' WHERE id='.$keyid; ' WHERE id=' . $keyid;
if (!query($stmt)) { if (!query($stmt)) {
$err = 'Failed to update validation data of key: '.$keyid.' by '.$stmt; $err = 'Failed to update validation data of key: ' . $keyid . ' by ' . $stmt;
debug($err); debug($err);
writeLog($err); writeLog($err);
return false; return false;
} }
addHist(0, $_SERVER['REMOTE_ADDR'] , $keyid, $client); addHist(0, $_SERVER['REMOTE_ADDR'], $keyid, $client);
return true; return true;
} }
?> ?>