rooty/yubikey-val
1
0
Fork 0
mirror of https://github.com/Yubico/yubikey-val.git synced 2025-02-20 12:54:23 +01:00
Code Issues Projects Releases Wiki Activity

Make it work.

Browse Source
This commit is contained in:
Simon Josefsson 2009-03-10 22:01:46 +00:00
parent 9b9b9a1897
commit 675e078858
2 changed files with 66 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
common.php
View File

@ -1,14 +1,13 @@
<?php <?php
define('S_OK', 'OK'); define('S_OK', 'OK');
define('S_BAD_OTP', 'BAD_OTP'); define('S_BAD_OTP', 'BAD_OTP');
define('S_BAD_CLIENT', 'BAD_CLIENT'); // New, added by paul 20080920
define('S_REPLAYED_OTP', 'REPLAYED_OTP'); define('S_REPLAYED_OTP', 'REPLAYED_OTP');
define('S_PHISHED_OTP', 'PHISHED_OTP');
define('S_BAD_SIGNATURE', 'BAD_SIGNATURE'); define('S_BAD_SIGNATURE', 'BAD_SIGNATURE');
define('S_MISSING_PARAMETER', 'MISSING_PARAMETER'); define('S_MISSING_PARAMETER', 'MISSING_PARAMETER');
//define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT'); // Deprecated by paul 20080920 define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');
define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED'); define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');
define('S_BACKEND_ERROR', 'BACKEND_ERROR'); define('S_BACKEND_ERROR', 'BACKEND_ERROR');
define('S_SECURITY_ERROR', 'SECURITY_ERROR');
define('TS_SEC', 0.119); define('TS_SEC', 0.119);
define('TS_TOLERANCE', 0.3); define('TS_TOLERANCE', 0.3);
@ -27,17 +26,6 @@ function debug($msg, $exit = false) {
} }
} }
function genRandRaw($len) {
$h = hash_hmac('sha1', rand(9999,9999999), 'dj*ccbcuiiurubrvnubcdluul', true);
$a = str_split($h);
//print_r($a);
$a = array_slice($a, 0, $len);
//print_r($a);
$s = implode($a);
//outputToFile('out', $s);
return $s;
}
// Return eg. 2008-11-21T06:11:55Z0711 // Return eg. 2008-11-21T06:11:55Z0711
// //
function getUTCTimeStamp() { function getUTCTimeStamp() {
@ -74,9 +62,4 @@ function sign($a, $apiKey, $debug=false) {
} // sign an array of query string } // sign an array of query string
function outputToFile($outFname, $content, $mode, $append = false) {
$out = fopen($outFname, ($append ? "a" : "w"));
fwrite($out, $content);
fclose($out);
}
?> ?>

137
verifyOTP.php
View File

@ -9,6 +9,8 @@ if (!isset ($trace)) {
$trace = 0; $trace = 0;
} }
//// Extract values from HTTP request
//
$client = getHttpVal('id', 0); $client = getHttpVal('id', 0);
if ($client <= 0) { if ($client <= 0) {
debug('Client ID is missing'); debug('Client ID is missing');
@ -21,8 +23,42 @@ if ($otp == '') {
debug('OTP is missing'); debug('OTP is missing');
sendResp(S_MISSING_PARAMETER, 'otp'); sendResp(S_MISSING_PARAMETER, 'otp');
exit; exit;
} else { }
$otp = strtolower($otp); $otp = strtolower($otp);
//// Get Client info from DB
//
$cd = getClientData($client);
if ($cd == null) {
debug('Invalid client id ' . $client);
sendResp(S_NO_SUCH_CLIENT, $client);
exit;
}
debug($cd);
//// Check client signature
//
$apiKey = base64_decode($cd['secret']);
$h = getHttpVal('h', '');
if ($cd['chk_sig'] && $h == '') {
sendResp(S_MISSING_PARAMETER, 'h');
debug('Signature missing');
exit;
} else if ($cd['chk_sig'] || $h != '') {
// Create the signature using the API key
$a = array ();
$a['id'] = $client;
$a['otp'] = $otp;
$hmac = sign($a, $apiKey);
// Compare it
if ($hmac != $h) {
sendResp(S_BAD_SIGNATURE);
debug('client hmac=' . $h . ', server hmac=' . $hmac);
exit;
}
debug('signature ok h=' . $h);
} }
//// Get Yubikey from DB //// Get Yubikey from DB
@ -38,43 +74,10 @@ if ($ad == null) {
debug($ad); debug($ad);
} }
//// Check the client ID - does the client own the Yubikey?
//
if ($ad['chk_owner'] && $ad['client_id'] != $client) {
debug('Client-' . $client . ' is not the owner of the Yubikey!');
sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
exit;
}
$k = b64ToModhex($ad['secret']); $k = b64ToModhex($ad['secret']);
//debug('aes key in modhex = '.$k); //debug('aes key in modhex = '.$k);
$key16 = ModHex :: Decode($k); $key16 = ModHex :: Decode($k);
//debug('aes key in hex = ['.$key16.'], length = '.strlen($key16)); //debug('aes key in hex = ['.$key16.'], length = '.strlen($key16));
$apiKey = base64_decode($ad['c_secret']);
//// Check signature
//
$h = getHttpVal('h', '');
if ($ad['chk_sig'] && $h == '') {
sendResp(S_MISSING_PARAMETER, 'h');
debug('Signature missing');
exit;
} else if ($ad['chk_sig'] || $h != '') {
// Create the signature using the API key
$a = array ();
$a['id'] = $client;
$a['otp'] = $otp;
$hmac = sign($a, $apiKey);
// Compare it
if ($hmac != $h) {
sendResp(S_BAD_SIGNATURE);
debug('client hmac=' . $h . ', server hmac=' . $hmac);
exit;
}
}
//// Decode OTP from input //// Decode OTP from input
// //
@ -86,38 +89,6 @@ if (!is_array($decoded_token)) {
exit; exit;
} }
//// Sanity check key status
//
if ($ad['active'] < 1) {
sendResp(S_BAD_OTP, 'Suspended');
exit;
}
//// Sanity check client status
//
if ($ad['c_active'] < 1) {
sendResp(S_BAD_CLIENT);
exit;
}
//// Sanity check token ID
//
if (strlen($decoded_token["public_id"]) == 12) {
debug("Token ID OK (" . $decoded_token["public_id"] . ")");
} else {
debug("TOKEN ID FAILED, " . $decoded_token["public_id"]);
sendResp(S_BAD_OTP, $otp);
exit;
}
//// Sanity check the OTP
//
if (strlen($decoded_token["token"]) != 32) {
debug("Wrong OTP length," . strlen($decoded_token["token"]));
sendResp(S_BAD_OTP, $otp);
exit;
}
//// Check the session counter //// Check the session counter
// //
$sessionCounter = $decoded_token["session_counter"]; // From the req $sessionCounter = $decoded_token["session_counter"]; // From the req
@ -131,6 +102,19 @@ if ($scDiff > 0) {
debug("Session counter OK (" . $sessionCounter . ")"); debug("Session counter OK (" . $sessionCounter . ")");
} }
//// Check the session use
//
$sessionUse = $decoded_token["session_use"]; // From the req
$seenSessionUse = $ad['sessionUse']; // From DB
$sucDiff = $seenSessionUse - $sessionUse;
if ($sucDiff > 0) {
debug("Replayed session use=" . $sessionUse . ', seen=' . $seenSessionUse);
sendResp(S_REPLAYED_OTP);
exit;
} else {
debug("Session counter OK (" . $sessionCounter . ")");
}
//// Check the time stamp //// Check the time stamp
// //
if ($scDiff == 0) { // Same use session, check time stamp diff if ($scDiff == 0) { // Same use session, check time stamp diff
@ -162,7 +146,7 @@ if ($scDiff == 0) { // Same use session, check time stamp diff
$percent.')'); $percent.')');
if ($deviation > TS_TOLERANCE * $elapsed) { if ($deviation > TS_TOLERANCE * $elapsed) {
debug("Is the OTP generated from a real crypto key?"); debug("Is the OTP generated from a real crypto key?");
sendResp(S_SECURITY_ERROR); sendResp(S_PHISHED_OTP);
exit; exit;
} }
} }
@ -215,14 +199,18 @@ function sendResp($status, $info = null) {
$status = S_BACKEND_ERROR; $status = S_BACKEND_ERROR;
} }
echo 'status=' . ($a['status'] = $status) . PHP_EOL; $a['status'] = $status;
if ($info != null) { #$a['info'] = $info;
echo 'info=' . ($a['info'] = $info) . PHP_EOL; $a['t'] = getUTCTimeStamp();
}
echo 't=' . ($a['t'] = getUTCTimeStamp()) . PHP_EOL;
$h = sign($a, $apiKey); $h = sign($a, $apiKey);
echo 'h=' . $h . PHP_EOL;
echo PHP_EOL; echo "h=" . $h . "\r\n";
echo "t=" . ($a['t']) . "\r\n";
echo "status=" . ($a['status']) . "\r\n";
if ($a['info'] != null) {
echo "info=" . ($a['info']) . "\r\n";
}
echo "\r\n";
} // End sendResp } // End sendResp
@ -230,6 +218,7 @@ function updDB($keyid, $new, $client) {
$stmt = 'UPDATE yubikeys SET ' . $stmt = 'UPDATE yubikeys SET ' .
'accessed=NOW(),' . 'accessed=NOW(),' .
'counter=' . $new['session_counter'] . ',' . 'counter=' . $new['session_counter'] . ',' .
'sessionUse=' . $new['session_use'] . ',' .
'low=' . $new['low'] . ',' . 'low=' . $new['low'] . ',' .
'high=' . $new['high'] . 'high=' . $new['high'] .
' WHERE id=' . $keyid; ' WHERE id=' . $keyid;