2025-01-20 10:52:15 +01:00 · 2008-09-27 09:04:49 +00:00 · 2008-09-27 09:04:49 +00:00 · 211e370195
commit 211e370195
parent 9c4b09d99c
6 changed files with 169 additions and 128 deletions
--- a/addKey.php
+++ b/addKey.php
@ -0,0 +1,107 @@
+<?php require_once '../yubiphpbase/appinclude.php';
+	  require_once '../yubiphpbase/yubi_lib.php';
+	  require_once 'common.php';
+	  
+header("content-type: text/plain");
+
+$tokenId = $secret = '';
+
+$nonce = getHttpVal('nonce', '');
+if ($nonce == '') {
+	reply(S_MISSING_PARAMETER, '', $client, '', 'nonce');
+	exit;
+}
+
+$client = getHttpVal('id', 0);
+if ($client <= 0) {
+	reply(S_MISSING_PARAMETER, '', $client, $nonce, 'client');
+	exit;
+}
+
+$h = getHttpVal('h', '');
+if ($h == '') {
+	reply(S_MISSING_PARAMETER, '', $client, $nonce, 'h');
+	exit;
+}
+
+$op = getHttpVal('operation', '');
+if ($op == '') {
+	reply(S_MISSING_PARAMETER, '', $client, $nonce, 'operation');
+	exit;
+} else if ($op != 'add_key') {
+	reply(S_OPERATION_NOT_ALLOWED, $ci['secret'], $client, $nonce, $op);
+	exit;
+}
+
+$ci = getClientInfo($client);
+
+if (! isset($ci['id'])) {
+	debug('Client '.$client.' not found!');
+	$client = 1;
+	if (($ci = getClientInfo($client)) == null)  {
+		debug('Root client not found, service not installed properly!');
+		reply(S_BACKEND_ERROR, '', $client, $nonce, 'root client');
+		exit;
+	}	
+	reply(S_BAD_CLIENT, $ci['secret'], $client, $nonce);
+	exit;
+}
+
+if ($ci['perm_id'] != 1 && $ci['perm_id'] != 2) {
+  	reply(S_OPERATION_NOT_ALLOWED, $ci['secret'], $client, $nonce, $ci['perm_id']);
+	exit;
+}
+
+//// Verify request signature
+//
+$reqArr = array();
+$reqArr['id'] = $client;
+$reqArr['nonce'] = $nonce;
+$reqArr['operation'] = 'add_key';
+$reqHash = sign($reqArr, $ci['secret']);
+if ($reqHash != $h) {
+  	reply(S_BAD_SIGNATURE, $ci['secret'], $client, $nonce, $h);
+	exit;
+}
+
+$tokenId = base64_encode(genRandRaw(6));
+$secret = base64_encode(genRandRaw(16));
+$keyid = addNewKey($tokenId, 1, $secret, '', $client);
+
+if ($keyid > 0) {
+	debug('Key '.$keyid.' added');
+	reply(S_OK, $ci['secret'], $client, $nonce);
+} else {
+	reply(S_BACKEND_ERROR, $ci['secret'], $client, $nonce);
+	exit;
+}
+
+function reply($status, $apiKey, $client_id, $nonce, $info='') {
+	global $tokenId, $secret;
+	
+	if ($status == null) {
+		$status = S_BACKEND_ERROR;
+	}
+
+	$a = array();
+
+	echo 'nonce='.($a['nonce'] = $nonce).PHP_EOL;
+	echo 'status='.($a['status'] = $status).PHP_EOL;
+	if ($info != '') {
+		echo 'info='.($a['info'] = $info).PHP_EOL;
+	}
+	if ($tokenId != '') {
+		echo 'token_id='.($a['token_id'] = $tokenId).PHP_EOL;
+		echo 'user_id='.($a['user_id'] = $tokenId).PHP_EOL;//TODO
+	}
+	if ($secret != '') {
+		echo 'shared_secret='.($a['shared_secret'] = $secret).PHP_EOL;
+	}
+	echo 't='.($a['t']=getUTCTimeStamp()).PHP_EOL;
+	$h = sign($a, $apiKey);
+	echo 'h='.$h.PHP_EOL;
+	echo PHP_EOL;
+
+} // End reply
+
+?>
--- a/add_key.php
+++ b/add_key.php
@ -1,101 +1,5 @@
-<?php require_once '../yubiphpbase/appinclude.php';
-	  require_once '../yubiphpbase/yubi_lib.php';
-	  require_once 'common.php';
-	  
-header("content-type: text/plain");
+<?php $trace = false;

-$trace = 1;
+require 'addKey.php';

-$client = getHttpVal('id', 0);
-if ($client <= 0) {
-	debug('Client ID is missing, default to 1 (root)');
-	$client = 1;
-}
-
-$nonce = getHttpVal('nonce', '');
-if ($nonce == '') {
-	reply(S_MISSING_PARAMETER, '', $client, '', 'nonce');
-	exit;
-}
-
-$h = getHttpVal('h', '');
-if ($h == '') {
-	reply(S_MISSING_PARAMETER, '', $client, $nonce, 'h');
-	exit;
-}
-
-$op = getHttpVal('operation', '');
-if ($op == '') {
-	reply(S_MISSING_PARAMETER, '', $client, $nonce, 'operation');
-	exit;
-} else if ($op != 'add_key') {
-	reply(S_OPERATION_NOT_ALLOWED, $ci['secret'], $client, $nonce, $op);
-	exit;
-}
-
-$ci = getClientInfo($client);
-
-if (! isset($ci['id'])) {
-	debug('Client '.$client.' not found!');
-	$client = 1;
-	if (($ci = getClientInfo($client)) == null)  {
-		debug('Root client not found, service not installed properly!');
-		reply(S_BACKEND_ERROR, '', $client, $nonce, 'root client');
-		exit;
-	}	
-	reply(S_BAD_CLIENT, $ci['secret'], $client, $nonce);
-	exit;
-}
-
-if ($ci['perm_id'] != 1 && $ci['perm_id'] != 2) {
-  	reply(S_OPERATION_NOT_ALLOWED, $ci['secret'], $client, $nonce, $ci['perm_id']);
-	exit;
-}
-
-$tokenId = base64_encode(genRandRaw(6));
-$secret = base64_encode(genRandRaw(16));
-$keyid = addNewKey($tokenId, 1, $secret, '', $client);
-
-if ($keyid > 0) {
-	debug('Key '.$keyid.' added');
-	reply(S_OK, $ci['secret'], $client, $nonce);
-} else {
-	reply(S_BACKEND_ERROR, $ci['secret'], $client, $nonce);
-	exit;
-}
-
-function reply($status, $apiKey, $client_id, $nonce, $info=null) {
-	global $tokenId;
-	
-	if ($status == null) {
-		$status = S_BACKEND_ERROR;
-	}
-
-	date_default_timezone_set('UTC');
-	$timestamp = date('Y-m-d\TH:i:s\ZZ', time());
-
-	//// Prepare the response to the user
-	//
-	$respParams = 'status='.$status.'&t='.$timestamp;
-
-	// Generate the signature
-	debug('API key: '.$apiKey); // API key of the client
-	debug('Signing response: '.$respParams);
-	// the TRUE at the end states we want the raw value, not hexadecimal form
-	$hmac = hash_hmac('sha1', utf8_encode($respParams), $apiKey, true);
-	//outputToFile('hmac', $hmac, "b");
-	// now take that byte value and base64 encode it
-	$hmac = base64_encode($hmac);
-
-	echo 'h='.$hmac.PHP_EOL;
-	if ($info != null) {
-		echo 'info='.$info.PHP_EOL;
-	}
-	echo 'nonce='.$nonce.PHP_EOL;
-	echo 'status='.$status.PHP_EOL;
-	echo 't='.$timestamp.PHP_EOL;
-	echo PHP_EOL;
-	
-} // End reply
-
-?>
+?>
--- a/add_key_debug.php
+++ b/add_key_debug.php
@ -0,0 +1,5 @@
+<?php $trace = true;
+
+require 'addKey.php';
+
+?>
--- a/common.php
+++ b/common.php
@ -35,6 +35,37 @@ function genRandRaw($len) {
 	return $s;
 }

+function getUTCTimeStamp() {
+	date_default_timezone_set('UTC');
+	return date('Y-m-d\TH:i:s\ZZ', time());
+}
+
+// Sign a http query string in the array of key-value pairs
+// return b64 encoded hmac hash
+function sign($a, $apiKey) {
+	ksort($a);
+	$qs = '';
+	$n = count($a);
+	$i = 0;
+	foreach (array_keys($a) as $key) {
+		$qs .= $key.'='.$a[$key];
+		if (++$i < $n) {
+			$qs .= '&';
+		}
+	}
+	
+	// Generate the signature
+	//debug('API key: '.$apiKey); // API key of the client
+	debug('Signing: '.$qs);
+	
+	// the TRUE at the end states we want the raw value, not hexadecimal form
+	$hmac = hash_hmac('sha1', utf8_encode($qs), $apiKey, true);
+	$hmac = base64_encode($hmac);
+	
+	return $hmac;
+		
+} // SignWithTime
+
 function outputToFile($outFname, $content, $mode, $append = false) {
 	$out = fopen($outFname, ($append ? "a" : "w"));
 	fwrite($out, $content);
--- a/ping.php
+++ b/ping.php
@ -0,0 +1,7 @@
+<?php 
+
+header("content-type: text/plain");
+
+echo 'status=OK'.PHP_EOL;
+
+?>
--- a/verifyOTP.php
+++ b/verifyOTP.php
@ -54,10 +54,11 @@ $apiKey = base64_decode($ad['c_secret']);
 //
 if ($ad['chk_sig']) {
 	// Create the signature using the API key
-	$reqParams = 'id='.$client.'&otp='.$otp;
-	$hmac = hash_hmac('sha1', utf8_encode($reqParams), $apiKey, true);
-	$hmac = base64_encode($hmac);
-	
+	$a = array();
+	$a['id']=$client;
+	$a['otp']=$otp;
+	$hmac = sign($a, $apiKey);
+
 	if (($h = getHttpVal('h', '')) == '') {
 		sendResp(S_MISSING_PARAMETER, 'h');
 		debug('signature missing, hmac='.$hmac);
@ -83,14 +84,14 @@ if ( ! is_array($decoded_token) ) {
 //// Sanity check key status
 //
 if ($ad['active'] < 1) {
-	sendResp(S_BAD_OTP, 'Suspended Yubikey');
+	sendResp(S_BAD_OTP, 'Suspended');
 	exit;
 }

 //// Sanity check client status
 //
 if ($ad['c_active'] < 1) {
-	sendResp(S_BAD_CLIENT, 'Suspended client');
+	sendResp(S_BAD_CLIENT);
 	exit;
 }

@ -119,7 +120,7 @@ $seenSessionCounter = $ad['counter']; // From DB
 $scDiff = $seenSessionCounter - $sessionCounter;
 if ($scDiff > 0) {
 	debug("Replayed session counter=".$sessionCounter.', seen='.$seenSessionCounter);
-	sendResp(S_REPLAYED_OTP, 'session counter');
+	sendResp(S_REPLAYED_OTP);
 	exit;
 } else {
 	debug("Session counter OK (".$sessionCounter.")");
@ -132,7 +133,7 @@ $seenHi = $ad['high']; // From DB
 $hiDiff = $seenHi - $hi;
 if ($scDiff == 0 && $hiDiff > 0) {
 	debug("Replayed hi counter=".$hi.', seen='.$seenHi);
-	sendResp(S_REPLAYED_OTP, 'hi counter');
+	sendResp(S_REPLAYED_OTP);
 	exit;
 } else {
 	debug("Hi counter OK (".$hi.")");
@ -145,7 +146,7 @@ $seenLo = $ad['low']; // From DB
 $loDiff = $seenLo - $lo;
 if ($scDiff == 0 && $hiDiff == 0 && $loDiff >= 0) {
 	debug("Replayed low counter=".$lo.', seen='.$seenLo);
-	sendResp(S_REPLAYED_OTP, 'lo counter');
+	sendResp(S_REPLAYED_OTP);
 	exit;
 } else {
 	debug("Lo counter OK (".$lo.")");
@ -172,28 +173,14 @@ function sendResp($status, $info=null) {
 		$status = S_BACKEND_ERROR;
 	}

-	date_default_timezone_set('UTC');
-	$timestamp = date('Y-m-d\TH:i:s\ZZ', time());
-
-	//// Prepare the response to the user
-	//
-	$respParams = 'status='.$status.'&t='.$timestamp;
-
-	// Generate the signature
-	debug('API key: '.$ad['c_secret']); // API key of the client
-	debug('Signing: '.$respParams);
-	// the TRUE at the end states we want the raw value, not hexadecimal form
-	$hmac = hash_hmac('sha1', utf8_encode($respParams), $apiKey, true);
-	//outputToFile('hmac', $hmac, "b");
-	// now take that byte value and base64 encode it
-	$hmac = base64_encode($hmac);
-
-	echo 'h='.$hmac.PHP_EOL;
-	echo 't='.$timestamp.PHP_EOL;
+	echo 'status='.($a['status'] = $status).PHP_EOL;
 	if ($info != null) {
-		echo 'info='.$info.PHP_EOL;
+		echo 'info='.($a['info'] = $info).PHP_EOL;
 	}
-	echo 'status='.$status.PHP_EOL.PHP_EOL;
+	echo 't='.($a['t']=getUTCTimeStamp()).PHP_EOL;
+	$h = sign($a, $apiKey);
+	echo 'h='.$h.PHP_EOL;
+	echo PHP_EOL;

 } // End sendResp