1
0
mirror of https://github.com/Yubico/yubikey-val.git synced 2025-02-01 01:52:18 +01:00

Added otp, nonce in all responses for protocol >= 2.0.

This commit is contained in:
Olov Danielson 2010-01-20 10:37:21 +00:00
parent 4cf1bed1b2
commit 1809e7fb90

View File

@ -11,14 +11,6 @@ $myLog = new Log('ykval-verify');
$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);
$myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);
/* Initialize the sync library. Strive to use this instead of custom
DB requests, custom comparisons etc */
$sync = new SyncLib('ykval-verify:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
if (! $sync->isConnected()) {
sendResp(S_BACKEND_ERROR, $apiKey);
exit;
}
/* Detect protocol version */
if (preg_match("/\/wsapi\/([0-9]+)\.([0-9]+)\//", $_SERVER['REQUEST_URI'], $out)) {
@ -37,19 +29,28 @@ $otp = getHttpVal('otp', '');
$otp = strtolower($otp);
$timestamp = getHttpVal('timestamp', 0);
/* Construct response parameters */
$extra=array();
if ($protocol_version>=2.0) {
$extra['otp']=$otp;
}
/* We have the OTP now, so let's add it to the logging */
$myLog->addField('otp', $otp);
$sync->addField('otp', $otp);
if ($protocol_version>=2.0) {
$sl = getHttpVal('sl', '');
$timeout = getHttpVal('timeout', '');
$nonce = getHttpVal('nonce', '');
/* Add nonce to response parameters */
$extra['nonce']= $nonce;
/* Nonce is required from protocol 2.0 */
if(!$nonce || strlen($nonce)<16 || strlen($nonce)>32) {
$myLog->log(LOG_NOTICE, 'Protocol version >= 2.0. Nonce is missing');
sendResp(S_MISSING_PARAMETER, $apiKey);
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
exit;
}
}
@ -69,26 +70,26 @@ if ($protocol_version>=2.0) {
if (preg_match("/^[0-9]+$/", $client)==0){
$myLog->log(LOG_NOTICE, 'id provided in request must be an integer');
sendResp(S_MISSING_PARAMETER, $apiKey);
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
exit;
}
if ($timeout && preg_match("/^[0-9]+$/", $timeout)==0) {
$myLog->log(LOG_NOTICE, 'timeout is provided but not correct');
sendResp(S_MISSING_PARAMETER, $apiKey);
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
exit;
}
if ($nonce && preg_match("/^[A-Za-z0-9]+$/", $nonce)==0) {
$myLog->log(LOG_NOTICE, 'NONCE is provided but not correct');
sendResp(S_MISSING_PARAMETER, $apiKey);
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
exit;
}
if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
$myLog->log(LOG_NOTICE, 'SL is provided but not correct');
sendResp(S_MISSING_PARAMETER, $apiKey);
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
exit;
}
@ -99,14 +100,27 @@ if ($sl && (preg_match("/^[0-9]+$/", $sl)==0 || ($sl<0 || $sl>100))) {
//
if ($client <= 0) {
$myLog->log(LOG_NOTICE, 'Client ID is missing');
sendResp(S_MISSING_PARAMETER, $apiKey);
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
exit;
}
/* Initialize the sync library. Strive to use this instead of custom
DB requests, custom comparisons etc */
$sync = new SyncLib('ykval-verify:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('otp', $otp);
if (! $sync->isConnected()) {
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
exit;
}
$cd=$sync->getClientData($client);
if(!$cd) {
$myLog->log(LOG_NOTICE, 'Invalid client id ' . $client);
sendResp(S_NO_SUCH_CLIENT);
sendResp(S_NO_SUCH_CLIENT, $apikey, $extra);
exit;
}
$myLog->log(LOG_DEBUG,"Client data:", $cd);
@ -130,7 +144,7 @@ if ($h != '') {
// Compare it
if ($hmac != $h) {
$myLog->log(LOG_DEBUG, 'client hmac=' . $h . ', server hmac=' . $hmac);
sendResp(S_BAD_SIGNATURE, $apiKey);
sendResp(S_BAD_SIGNATURE, $apiKey, $extra);
exit;
}
}
@ -147,12 +161,12 @@ if ($protocol_version<2.0) {
//
if ($otp == '') {
$myLog->log(LOG_NOTICE, 'OTP is missing');
sendResp(S_MISSING_PARAMETER, $apiKey);
sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
exit;
}
if (strlen($otp) <= TOKEN_LEN) {
$myLog->log(LOG_NOTICE, 'Too short OTP: ' . $otp);
sendResp(S_BAD_OTP, $apiKey);
sendResp(S_BAD_OTP, $apiKey, $extra);
exit;
}
@ -160,7 +174,7 @@ if (strlen($otp) <= TOKEN_LEN) {
//
$urls = otp2ksmurls ($otp, $client);
if (!is_array($urls)) {
sendResp(S_BACKEND_ERROR, $apiKey);
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
exit;
}
@ -168,7 +182,7 @@ if (!is_array($urls)) {
//
$otpinfo = KSMdecryptOTP($urls);
if (!is_array($otpinfo)) {
sendResp(S_BAD_OTP, $apiKey);
sendResp(S_BAD_OTP, $apiKey, $extra);
exit;
}
$myLog->log(LOG_DEBUG, "Decrypted OTP:", $otpinfo);
@ -180,14 +194,14 @@ $yk_publicname=$devId;
$localParams = $sync->getLocalParams($yk_publicname);
if (!$localParams) {
$myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
sendResp(S_BACKEND_ERROR, $apiKey);
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
exit;
}
$myLog->log(LOG_DEBUG, "Auth data:", $localParams);
if ($localParams['active'] != 1) {
$myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $devId);
sendResp(S_BAD_OTP, $apiKey);
sendResp(S_BAD_OTP, $apiKey, $extra);
exit;
}
@ -207,7 +221,7 @@ $otpParams=array('modified'=>time(),
if ($sync->countersEqual($localParams, $otpParams) &&
$localParams['nonce']==$otpParams['nonce']) {
$myLog->log(LOG_WARNING, 'Replayed request');
sendResp(S_REPLAYED_REQUEST, $apikey);
sendResp(S_REPLAYED_REQUEST, $apikey, $extra);
exit;
}
@ -216,7 +230,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
$sync->log(LOG_WARNING, 'replayed OTP: Local counters higher');
$sync->log(LOG_WARNING, 'replayed OTP: Local counters ', $localParams);
$sync->log(LOG_WARNING, 'replayed OTP: Otp counters ', $otpParams);
sendResp(S_REPLAYED_OTP, $apiKey);
sendResp(S_REPLAYED_OTP, $apiKey, $extra);
exit;
}
@ -224,7 +238,7 @@ if ($sync->countersHigherThanOrEqual($localParams, $otpParams)) {
if(!$sync->updateDbCounters($otpParams)) {
$myLog->log(LOG_CRIT, "Failed to update yubikey counters in database");
sendResp(S_BACKEND_ERROR, $apiKey);
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
exit;
}
@ -232,7 +246,7 @@ if(!$sync->updateDbCounters($otpParams)) {
if (!$sync->queue($otpParams, $localParams)) {
$myLog->log(LOG_CRIT, "ykval-verify:critical:failed to queue sync requests");
sendResp(S_BACKEND_ERROR, $apiKey);
sendResp(S_BACKEND_ERROR, $apiKey, $extra);
exit;
}
@ -269,10 +283,10 @@ if($syncres==False) {
there were not enough answers */
$myLog->log(LOG_WARNING, "ykval-verify:notice:Sync failed");
if ($nr_valid_answers!=$nr_answers) {
sendResp(S_REPLAYED_OTP, $apiKey);
sendResp(S_REPLAYED_OTP, $apiKey, $extra);
exit;
} else {
$extra=array('sl'=>$sl_success_rate);
$extra['sl']=$sl_success_rate;
sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey, $extra);
exit;
}
@ -321,18 +335,15 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
$myLog->log(LOG_NOTICE, "OTP failed phishing test");
if (0) {
sendResp(S_DELAYED_OTP, $apiKey);
sendResp(S_DELAYED_OTP, $apiKey, $extra);
exit;
}
}
}
/* Construct response parameters */
$extra=array();
/* Fill up with more respone parameters */
if ($protocol_version>=2.0) {
$extra['otp']=$otp;
$extra['sl'] = $sl_success_rate;
$extra['nonce']= $nonce;
}
if ($timestamp==1){
$extra['timestamp'] = ($otpinfo['high'] << 16) + $otpinfo['low'];