Added otp, nonce in all responses for protocol >= 2.0.

2025-02-27 06:54:16 +01:00 · 2010-01-20 10:37:21 +00:00 · 2010-01-20 10:37:21 +00:00 · 1809e7fb90
commit 1809e7fb90
parent 4cf1bed1b2
1 changed files with 45 additions and 34 deletions
--- a/ykval-verify.php
+++ b/ykval-verify.php
@ -11,14 +11,6 @@ $myLog = new Log('ykval-verify');
 $myLog->addField('ip', $_SERVER['REMOTE_ADDR']);
 $myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);

-/* Initialize the sync library. Strive to use this instead of custom
-   DB requests, custom comparisons etc */ 
-$sync = new SyncLib('ykval-verify:synclib');
-$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
-if (! $sync->isConnected()) {
-  sendResp(S_BACKEND_ERROR, $apiKey);
-  exit;
- }

 /* Detect protocol version */
 if (preg_match("/\/wsapi\/([0-9]+)\.([0-9]+)\//", $_SERVER['REQUEST_URI'], $out)) {
@ -37,19 +29,28 @@ $otp = getHttpVal('otp', '');
 $otp = strtolower($otp);
 $timestamp = getHttpVal('timestamp', 0);

+/* Construct response parameters */
+$extra=array();
+if ($protocol_version>=2.0) {
+  $extra['otp']=$otp;
+ }
+
+
 /* We have the OTP now, so let's add it to the logging */
 $myLog->addField('otp', $otp);
-$sync->addField('otp', $otp);

 if ($protocol_version>=2.0) {
  $sl = getHttpVal('sl', '');
  $timeout = getHttpVal('timeout', '');  
  $nonce = getHttpVal('nonce', '');

+  /* Add nonce to response parameters */
+  $extra['nonce']= $nonce;
+  
  /* Nonce is required from protocol 2.0 */
  if(!$nonce || strlen($nonce)<16 || strlen($nonce)>32) {
    $myLog->log(LOG_NOTICE, 'Protocol version >= 2.0. Nonce is missing');
-    sendResp(S_MISSING_PARAMETER, $apiKey);
+    sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
    exit;
  }
 }
@ -69,26 +70,26 @@ if ($protocol_version>=2.0) {

 if (preg_match("/^[0-9]+$/", $client)==0){
  $myLog->log(LOG_NOTICE, 'id provided in request must be an integer');
-  sendResp(S_MISSING_PARAMETER, $apiKey);
+  sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
  exit;
 }

 if ($timeout && preg_match("/^[0-9]+$/", $timeout)==0) {
  $myLog->log(LOG_NOTICE, 'timeout is provided but not correct');
-  sendResp(S_MISSING_PARAMETER, $apiKey);
+  sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
  exit;
 }

 if ($nonce && preg_match("/^[A-Za-z0-9]+$/", $nonce)==0) {
  $myLog->log(LOG_NOTICE, 'NONCE is provided but not correct');
-  sendResp(S_MISSING_PARAMETER, $apiKey);
+  sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
  exit;
  
 }
  
 if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
  $myLog->log(LOG_NOTICE, 'SL is provided but not correct');
-  sendResp(S_MISSING_PARAMETER, $apiKey);
+  sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
  exit;
 }

@ -99,14 +100,27 @@ if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
 //
 if ($client <= 0) {
  $myLog->log(LOG_NOTICE, 'Client ID is missing');
-  sendResp(S_MISSING_PARAMETER, $apiKey);
+  sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
  exit;
 }

+
+
+/* Initialize the sync library. Strive to use this instead of custom
+   DB requests, custom comparisons etc */ 
+$sync = new SyncLib('ykval-verify:synclib');
+$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
+$sync->addField('otp', $otp);
+
+if (! $sync->isConnected()) {
+  sendResp(S_BACKEND_ERROR, $apiKey, $extra);
+  exit;
+ }
+
 $cd=$sync->getClientData($client);
 if(!$cd) {
  $myLog->log(LOG_NOTICE, 'Invalid client id ' . $client);
-  sendResp(S_NO_SUCH_CLIENT);
+  sendResp(S_NO_SUCH_CLIENT, $apikey, $extra);
  exit;
 }
 $myLog->log(LOG_DEBUG,"Client data:", $cd);
@ -130,7 +144,7 @@ if ($h != '') {
  // Compare it
  if ($hmac != $h) {
    $myLog->log(LOG_DEBUG, 'client hmac=' . $h . ', server hmac=' . $hmac);
-    sendResp(S_BAD_SIGNATURE, $apiKey);
+    sendResp(S_BAD_SIGNATURE, $apiKey, $extra);
    exit;
  }
 }
@ -147,12 +161,12 @@ if ($protocol_version<2.0) {
 //
 if ($otp == '') {
  $myLog->log(LOG_NOTICE, 'OTP is missing');
-  sendResp(S_MISSING_PARAMETER, $apiKey);
+  sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
  exit;
 }
 if (strlen($otp) <= TOKEN_LEN) {
  $myLog->log(LOG_NOTICE, 'Too short OTP: ' . $otp);
-  sendResp(S_BAD_OTP, $apiKey);
+  sendResp(S_BAD_OTP, $apiKey, $extra);
  exit;
 }

@ -160,7 +174,7 @@ if (strlen($otp) <= TOKEN_LEN) {
 //
 $urls = otp2ksmurls ($otp, $client);
 if (!is_array($urls)) {
-  sendResp(S_BACKEND_ERROR, $apiKey);
+  sendResp(S_BACKEND_ERROR, $apiKey, $extra);
  exit;
 }

@ -168,7 +182,7 @@ if (!is_array($urls)) {
 //
 $otpinfo = KSMdecryptOTP($urls);
 if (!is_array($otpinfo)) {
-  sendResp(S_BAD_OTP, $apiKey);
+  sendResp(S_BAD_OTP, $apiKey, $extra);
  exit;
 }
 $myLog->log(LOG_DEBUG, "Decrypted OTP:", $otpinfo);
@ -180,14 +194,14 @@ $yk_publicname=$devId;
 $localParams = $sync->getLocalParams($yk_publicname);
 if (!$localParams) {
  $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
-  sendResp(S_BACKEND_ERROR, $apiKey);
+  sendResp(S_BACKEND_ERROR, $apiKey, $extra);
  exit;
 }

 $myLog->log(LOG_DEBUG, "Auth data:", $localParams);
 if ($localParams['active'] != 1) {
  $myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $devId);
-  sendResp(S_BAD_OTP, $apiKey);
+  sendResp(S_BAD_OTP, $apiKey, $extra);
  exit;
 }

@ -207,7 +221,7 @@ $otpParams=array('modified'=>time(),
 if ($sync->countersEqual($localParams, $otpParams) &&
    $localParams['nonce']==$otpParams['nonce']) {
  $myLog->log(LOG_WARNING, 'Replayed request');
-  sendResp(S_REPLAYED_REQUEST, $apikey);
+  sendResp(S_REPLAYED_REQUEST, $apikey, $extra);
  exit;
 }

@ -216,7 +230,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
  $sync->log(LOG_WARNING, 'replayed OTP: Local counters higher');
  $sync->log(LOG_WARNING, 'replayed OTP: Local counters ', $localParams);
  $sync->log(LOG_WARNING, 'replayed OTP: Otp counters ', $otpParams);
-  sendResp(S_REPLAYED_OTP, $apiKey);
+  sendResp(S_REPLAYED_OTP, $apiKey, $extra);
  exit;
 }

@ -224,7 +238,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {

 if(!$sync->updateDbCounters($otpParams)) {
  $myLog->log(LOG_CRIT, "Failed to update yubikey counters in database");
-  sendResp(S_BACKEND_ERROR, $apiKey);
+  sendResp(S_BACKEND_ERROR, $apiKey, $extra);
  exit;
 }

@ -232,7 +246,7 @@ if(!$sync->updateDbCounters($otpParams)) {

 if (!$sync->queue($otpParams, $localParams)) {
  $myLog->log(LOG_CRIT, "ykval-verify:critical:failed to queue sync requests");
-  sendResp(S_BACKEND_ERROR, $apiKey);
+  sendResp(S_BACKEND_ERROR, $apiKey, $extra);
  exit;
 }

@ -269,10 +283,10 @@ if($syncres==False) {
   there were not enough answers */
  $myLog->log(LOG_WARNING, "ykval-verify:notice:Sync failed");
  if ($nr_valid_answers!=$nr_answers) {
-    sendResp(S_REPLAYED_OTP, $apiKey);
+    sendResp(S_REPLAYED_OTP, $apiKey, $extra);
    exit;
  } else {
-    $extra=array('sl'=>$sl_success_rate);
+    $extra['sl']=$sl_success_rate;
    sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey, $extra);
    exit;
  }
@ -321,18 +335,15 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
  if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
    $myLog->log(LOG_NOTICE, "OTP failed phishing test");
    if (0) {
-      sendResp(S_DELAYED_OTP, $apiKey);
+      sendResp(S_DELAYED_OTP, $apiKey, $extra);
      exit;
    }
  }
 }

-/* Construct response parameters */
-$extra=array();
+/* Fill up with more respone parameters */
 if ($protocol_version>=2.0) {
-  $extra['otp']=$otp;
  $extra['sl'] = $sl_success_rate;
-  $extra['nonce']= $nonce;
 }
 if ($timestamp==1){
  $extra['timestamp'] = ($otpinfo['high'] << 16) + $otpinfo['low'];