diff --git a/common.php b/common.php index 4ed43ef..75f3e10 100644 --- a/common.php +++ b/common.php @@ -11,19 +11,11 @@ define('S_BACKEND_ERROR', 'BACKEND_ERROR'); define('TS_SEC', 0.119); define('TS_REL_TOLERANCE', 0.3); define('TS_ABS_TOLERANCE', 20); +define('DEVICE_ID_LEN', 12); require_once 'yubikey.php'; require_once 'config.php'; -function writeLog($msg, $debug=false) { - $fileMsg = date( 'Y-m-d H:i:s: ').trim($msg); - if (isset($_SERVER['REMOTE_ADDR'])) { - $fileMsg .= ' by '.$_SERVER['REMOTE_ADDR']; - } - $fileMsg .= "\n"; - error_log($fileMsg, 3, "/tmp/yms.log"); -} - function unescape($s) { return str_replace('\\', "", $s); } @@ -35,7 +27,6 @@ function getHttpVal($key, $defaultVal) { } else if (array_key_exists($key, $_POST)) { $val = $_POST[$key]; } - //return unescape(trim($val)); $v = unescape(trim($val)); return $v; } @@ -69,22 +60,16 @@ function mysql_quote($value) { return "'" . mysql_real_escape_string($value) . "'"; } -function debug($msg, $exit = false) { - global $trace; - if ($trace) { - if (is_array($msg)) { - $str = ""; - foreach($msg as $key => $value){ - $str .= " $key=$value"; - } - } else { - $str = ' ' . $msg; - } - echo '

Debug>' . $str . "\n"; - } - if ($exit) { - die('

Exit

'); - } +function debug($msg) { + if (is_array($msg)) { + $str = ""; + foreach($msg as $key => $value){ + $str .= "$key=$value "; + } + } else { + $str = $msg; + } + error_log($str); } // Return eg. 2008-11-21T06:11:55Z0711 @@ -108,7 +93,7 @@ function sign($a, $apiKey, $debug=false) { $qs .= '&'; } } - + // Generate the signature // debug('API key: '.base64_encode($apiKey)); // API key of the client debug('SIGN: '.$qs); @@ -123,8 +108,6 @@ function sign($a, $apiKey, $debug=false) { } // sign an array of query string -define('DEVICE_ID_LEN', 12); - function modhexToB64($modhex_str) { $s = ModHex::Decode($modhex_str); return base64_encode($s); @@ -149,8 +132,8 @@ function b64ToHex($b64_str) { function getAuthData($devId) { $tokenId = modhexToB64($devId); $stmt = 'SELECT id, client_id, secret, active, counter, '. - ' sessionUse, low, high, accessed '. - ' FROM yubikeys WHERE active AND tokenId='.mysql_quote($tokenId); + 'sessionUse, low, high, accessed FROM yubikeys WHERE active '. + 'AND tokenId='.mysql_quote($tokenId); $r = query($stmt); if (mysql_num_rows($r) > 0) { $row = mysql_fetch_assoc($r); @@ -163,7 +146,7 @@ function getAuthData($devId) { // $clientId: The decimal client identity function getClientData($clientId) { $stmt = 'SELECT secret, chk_sig, chk_owner, chk_time'. - ' FROM clients WHERE active AND id='.mysql_quote($clientId); + ' FROM clients WHERE active AND id='.mysql_quote($clientId); $r = query($stmt); if (mysql_num_rows($r) > 0) { $row = mysql_fetch_assoc($r); diff --git a/verify.php b/verify.php index 22b83d9..233842c 100644 --- a/verify.php +++ b/verify.php @@ -3,23 +3,21 @@ require_once 'common.php'; header("content-type: text/plain"); -if (!isset ($trace)) { - $trace = 0; -} +debug("Request: " . $_SERVER['QUERY_STRING']); //// Extract values from HTTP request // $client = getHttpVal('id', 0); if ($client <= 0) { debug('Client ID is missing'); - sendResp(S_MISSING_PARAMETER, 'id'); + sendResp(S_MISSING_PARAMETER); exit; } $otp = getHttpVal('otp', ''); if ($otp == '') { debug('OTP is missing'); - sendResp(S_MISSING_PARAMETER, 'otp'); + sendResp(S_MISSING_PARAMETER); exit; } $otp = strtolower($otp); @@ -29,7 +27,7 @@ $otp = strtolower($otp); $cd = getClientData($client); if ($cd == null) { debug('Invalid client id ' . $client); - sendResp(S_NO_SUCH_CLIENT, $client); + sendResp(S_NO_SUCH_CLIENT); exit; } debug($cd); @@ -40,8 +38,8 @@ $apiKey = base64_decode($cd['secret']); $h = getHttpVal('h', ''); if ($cd['chk_sig'] && $h == '') { - sendResp(S_MISSING_PARAMETER, 'h'); debug('Signature missing'); + sendResp(S_MISSING_PARAMETER); exit; } else if ($cd['chk_sig'] || $h != '') { // Create the signature using the API key @@ -52,21 +50,20 @@ if ($cd['chk_sig'] && $h == '') { // Compare it if ($hmac != $h) { - sendResp(S_BAD_SIGNATURE); debug('client hmac=' . $h . ', server hmac=' . $hmac); + sendResp(S_BAD_SIGNATURE); exit; } - debug('signature ok h=' . $h); } //// Get Yubikey from DB // -$devId = substr($otp, 0, 12); +$devId = substr($otp, 0, DEVICE_ID_LEN); $ad = getAuthData($devId); if ($ad == null) { debug('Invalid Yubikey ' . $devId); - sendResp(S_BAD_OTP, $otp); + sendResp(S_BAD_OTP); exit; } else { debug($ad); @@ -79,11 +76,10 @@ $key16 = ModHex :: Decode($k); //// Decode OTP from input // -debug('OTP validation req:'); $otpinfo = Yubikey :: Decode($otp, $key16); debug($otpinfo); if (!is_array($otpinfo)) { - sendResp(S_BAD_OTP, $otp); + sendResp(S_BAD_OTP); exit; } @@ -96,9 +92,6 @@ if ($sessionCounter < $seenSessionCounter) { " this=" . $sessionCounter); sendResp(S_REPLAYED_OTP); exit; -} else { - debug("Session counter OK, seen=" . $seenSessionCounter . - " this=" . $sessionCounter); } //// Check the session use @@ -110,13 +103,17 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse <= $seenSessionUse) { ' this=' . $sessionUse); sendResp(S_REPLAYED_OTP); exit; -} else { - debug("Session use OK, seen=" . $seenSessionUse . - ' this=' . $sessionUse); } -updateDB($ad['id'], $otpinfo['session_counter'], $otpinfo['session_use'], - $otpinfo['high'], $otpinfo['low']); +//// Valid OTP, update database +// +$stmt = 'UPDATE yubikeys SET accessed=NOW()' . + ', counter=' .$otpinfo['session_counter'] . + ', sessionUse=' . $otpinfo['session_use'] . + ', low=' . $otpinfo['low'] . + ', high=' . $otpinfo['high'] . + ' WHERE id=' . $ad['id']; +query($stmt); //// Check the time stamp // @@ -155,36 +152,21 @@ sendResp(S_OK); // Functions ////////////////////////// -function sendResp($status, $info = null) { - global $ad, $apiKey; +function sendResp($status) { + global $apiKey; if ($status == null) { $status = S_BACKEND_ERROR; } $a['status'] = $status; - #$a['info'] = $info; $a['t'] = getUTCTimeStamp(); $h = sign($a, $apiKey); echo "h=" . $h . "\r\n"; echo "t=" . ($a['t']) . "\r\n"; echo "status=" . ($a['status']) . "\r\n"; - if ($a['info'] != null) { - echo "info=" . ($a['info']) . "\r\n"; - } echo "\r\n"; } // End sendResp - -function updateDB($id, $session_counter, $session_use, $ts_high, $ts_low) { - $stmt = 'UPDATE yubikeys SET ' . - 'accessed=NOW(),' . - 'counter=' . $session_counter . ',' . - 'sessionUse=' . $session_use . ',' . - 'low=' . $ts_low . ',' . - 'high=' . $ts_high . - ' WHERE id=' . $id; - query($stmt); -} ?>