mirror of
https://github.com/Yubico/yubikey-val.git
synced 2025-02-01 01:52:18 +01:00
Added otp, nonce in all responses for protocol >= 2.0.
This commit is contained in:
parent
4cf1bed1b2
commit
1809e7fb90
@ -11,14 +11,6 @@ $myLog = new Log('ykval-verify');
|
||||
$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);
|
||||
$myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);
|
||||
|
||||
/* Initialize the sync library. Strive to use this instead of custom
|
||||
DB requests, custom comparisons etc */
|
||||
$sync = new SyncLib('ykval-verify:synclib');
|
||||
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
|
||||
if (! $sync->isConnected()) {
|
||||
sendResp(S_BACKEND_ERROR, $apiKey);
|
||||
exit;
|
||||
}
|
||||
|
||||
/* Detect protocol version */
|
||||
if (preg_match("/\/wsapi\/([0-9]+)\.([0-9]+)\//", $_SERVER['REQUEST_URI'], $out)) {
|
||||
@ -37,19 +29,28 @@ $otp = getHttpVal('otp', '');
|
||||
$otp = strtolower($otp);
|
||||
$timestamp = getHttpVal('timestamp', 0);
|
||||
|
||||
/* Construct response parameters */
|
||||
$extra=array();
|
||||
if ($protocol_version>=2.0) {
|
||||
$extra['otp']=$otp;
|
||||
}
|
||||
|
||||
|
||||
/* We have the OTP now, so let's add it to the logging */
|
||||
$myLog->addField('otp', $otp);
|
||||
$sync->addField('otp', $otp);
|
||||
|
||||
if ($protocol_version>=2.0) {
|
||||
$sl = getHttpVal('sl', '');
|
||||
$timeout = getHttpVal('timeout', '');
|
||||
$nonce = getHttpVal('nonce', '');
|
||||
|
||||
/* Add nonce to response parameters */
|
||||
$extra['nonce']= $nonce;
|
||||
|
||||
/* Nonce is required from protocol 2.0 */
|
||||
if(!$nonce || strlen($nonce)<16 || strlen($nonce)>32) {
|
||||
$myLog->log(LOG_NOTICE, 'Protocol version >= 2.0. Nonce is missing');
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey);
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
@ -69,26 +70,26 @@ if ($protocol_version>=2.0) {
|
||||
|
||||
if (preg_match("/^[0-9]+$/", $client)==0){
|
||||
$myLog->log(LOG_NOTICE, 'id provided in request must be an integer');
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey);
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
if ($timeout && preg_match("/^[0-9]+$/", $timeout)==0) {
|
||||
$myLog->log(LOG_NOTICE, 'timeout is provided but not correct');
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey);
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
if ($nonce && preg_match("/^[A-Za-z0-9]+$/", $nonce)==0) {
|
||||
$myLog->log(LOG_NOTICE, 'NONCE is provided but not correct');
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey);
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
|
||||
exit;
|
||||
|
||||
}
|
||||
|
||||
if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
|
||||
$myLog->log(LOG_NOTICE, 'SL is provided but not correct');
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey);
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -99,14 +100,27 @@ if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
|
||||
//
|
||||
if ($client <= 0) {
|
||||
$myLog->log(LOG_NOTICE, 'Client ID is missing');
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey);
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* Initialize the sync library. Strive to use this instead of custom
|
||||
DB requests, custom comparisons etc */
|
||||
$sync = new SyncLib('ykval-verify:synclib');
|
||||
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
|
||||
$sync->addField('otp', $otp);
|
||||
|
||||
if (! $sync->isConnected()) {
|
||||
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
$cd=$sync->getClientData($client);
|
||||
if(!$cd) {
|
||||
$myLog->log(LOG_NOTICE, 'Invalid client id ' . $client);
|
||||
sendResp(S_NO_SUCH_CLIENT);
|
||||
sendResp(S_NO_SUCH_CLIENT, $apikey, $extra);
|
||||
exit;
|
||||
}
|
||||
$myLog->log(LOG_DEBUG,"Client data:", $cd);
|
||||
@ -130,7 +144,7 @@ if ($h != '') {
|
||||
// Compare it
|
||||
if ($hmac != $h) {
|
||||
$myLog->log(LOG_DEBUG, 'client hmac=' . $h . ', server hmac=' . $hmac);
|
||||
sendResp(S_BAD_SIGNATURE, $apiKey);
|
||||
sendResp(S_BAD_SIGNATURE, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
@ -147,12 +161,12 @@ if ($protocol_version<2.0) {
|
||||
//
|
||||
if ($otp == '') {
|
||||
$myLog->log(LOG_NOTICE, 'OTP is missing');
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey);
|
||||
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
if (strlen($otp) <= TOKEN_LEN) {
|
||||
$myLog->log(LOG_NOTICE, 'Too short OTP: ' . $otp);
|
||||
sendResp(S_BAD_OTP, $apiKey);
|
||||
sendResp(S_BAD_OTP, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -160,7 +174,7 @@ if (strlen($otp) <= TOKEN_LEN) {
|
||||
//
|
||||
$urls = otp2ksmurls ($otp, $client);
|
||||
if (!is_array($urls)) {
|
||||
sendResp(S_BACKEND_ERROR, $apiKey);
|
||||
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -168,7 +182,7 @@ if (!is_array($urls)) {
|
||||
//
|
||||
$otpinfo = KSMdecryptOTP($urls);
|
||||
if (!is_array($otpinfo)) {
|
||||
sendResp(S_BAD_OTP, $apiKey);
|
||||
sendResp(S_BAD_OTP, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
$myLog->log(LOG_DEBUG, "Decrypted OTP:", $otpinfo);
|
||||
@ -180,14 +194,14 @@ $yk_publicname=$devId;
|
||||
$localParams = $sync->getLocalParams($yk_publicname);
|
||||
if (!$localParams) {
|
||||
$myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
|
||||
sendResp(S_BACKEND_ERROR, $apiKey);
|
||||
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
$myLog->log(LOG_DEBUG, "Auth data:", $localParams);
|
||||
if ($localParams['active'] != 1) {
|
||||
$myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $devId);
|
||||
sendResp(S_BAD_OTP, $apiKey);
|
||||
sendResp(S_BAD_OTP, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -207,7 +221,7 @@ $otpParams=array('modified'=>time(),
|
||||
if ($sync->countersEqual($localParams, $otpParams) &&
|
||||
$localParams['nonce']==$otpParams['nonce']) {
|
||||
$myLog->log(LOG_WARNING, 'Replayed request');
|
||||
sendResp(S_REPLAYED_REQUEST, $apikey);
|
||||
sendResp(S_REPLAYED_REQUEST, $apikey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -216,7 +230,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
|
||||
$sync->log(LOG_WARNING, 'replayed OTP: Local counters higher');
|
||||
$sync->log(LOG_WARNING, 'replayed OTP: Local counters ', $localParams);
|
||||
$sync->log(LOG_WARNING, 'replayed OTP: Otp counters ', $otpParams);
|
||||
sendResp(S_REPLAYED_OTP, $apiKey);
|
||||
sendResp(S_REPLAYED_OTP, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -224,7 +238,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
|
||||
|
||||
if(!$sync->updateDbCounters($otpParams)) {
|
||||
$myLog->log(LOG_CRIT, "Failed to update yubikey counters in database");
|
||||
sendResp(S_BACKEND_ERROR, $apiKey);
|
||||
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -232,7 +246,7 @@ if(!$sync->updateDbCounters($otpParams)) {
|
||||
|
||||
if (!$sync->queue($otpParams, $localParams)) {
|
||||
$myLog->log(LOG_CRIT, "ykval-verify:critical:failed to queue sync requests");
|
||||
sendResp(S_BACKEND_ERROR, $apiKey);
|
||||
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
|
||||
@ -269,10 +283,10 @@ if($syncres==False) {
|
||||
there were not enough answers */
|
||||
$myLog->log(LOG_WARNING, "ykval-verify:notice:Sync failed");
|
||||
if ($nr_valid_answers!=$nr_answers) {
|
||||
sendResp(S_REPLAYED_OTP, $apiKey);
|
||||
sendResp(S_REPLAYED_OTP, $apiKey, $extra);
|
||||
exit;
|
||||
} else {
|
||||
$extra=array('sl'=>$sl_success_rate);
|
||||
$extra['sl']=$sl_success_rate;
|
||||
sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
@ -321,18 +335,15 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
|
||||
if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
|
||||
$myLog->log(LOG_NOTICE, "OTP failed phishing test");
|
||||
if (0) {
|
||||
sendResp(S_DELAYED_OTP, $apiKey);
|
||||
sendResp(S_DELAYED_OTP, $apiKey, $extra);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* Construct response parameters */
|
||||
$extra=array();
|
||||
/* Fill up with more respone parameters */
|
||||
if ($protocol_version>=2.0) {
|
||||
$extra['otp']=$otp;
|
||||
$extra['sl'] = $sl_success_rate;
|
||||
$extra['nonce']= $nonce;
|
||||
}
|
||||
if ($timestamp==1){
|
||||
$extra['timestamp'] = ($otpinfo['high'] << 16) + $otpinfo['low'];
|
||||
|
Loading…
x
Reference in New Issue
Block a user