mirror of
https://github.com/Yubico/yubikey-val.git
synced 2025-03-13 21:29:17 +01:00
Allowed certain cURL options to be configurable.
- When calling either URLs in the sync pool or the KSMs,
the following curl options are configurable;
CURLOPT_PROTOCOLS
CURLOPT_IPRESOLVE
CURLOPT_SSLVERSION
CURLOPT_SSL_VERIFYPEER
CURLOPT_SSL_VERIFYHOST
CURLOPT_CAINFO
CURLOPT_CAPATH
This commit is contained in:
Jean Paul Galea
parent
ed3211cb9d
commit
8df329aa0e
@ -130,6 +130,63 @@ function modhex2b64 ($modhex_str) {
|
||||
return hex2b64($hex_str);
|
||||
}
|
||||
|
||||
function curl_settings($logger, $ident, $handle, $url, $timeout, $curlopts) {
|
||||
//configure "hard" options
|
||||
$logger->log(LOG_DEBUG, $ident . " adding URL : " . $url);
|
||||
curl_setopt($handle, CURLOPT_URL, $url);
|
||||
curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);
|
||||
curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL");
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);
|
||||
curl_setopt($handle, CURLOPT_FAILONERROR, TRUE);
|
||||
|
||||
if (!is_array($curlopts)) {
|
||||
$logger->log(LOG_WARN, $ident . "curl options must be an array");
|
||||
return;
|
||||
}
|
||||
|
||||
//allowed configurable options in ykval-config.php
|
||||
$allowed = array(
|
||||
CURLOPT_PROTOCOLS,
|
||||
CURLOPT_IPRESOLVE,
|
||||
CURLOPT_SSLVERSION,
|
||||
CURLOPT_SSL_VERIFYPEER,
|
||||
CURLOPT_SSL_VERIFYHOST,
|
||||
CURLOPT_CAINFO,
|
||||
CURLOPT_CAPATH,
|
||||
);
|
||||
|
||||
foreach($curlopts as $key => $val) {
|
||||
if (in_array($key, $allowed) === FALSE) {
|
||||
$logger->log(LOG_WARN, $ident . curl_opt_name($key) . " is not configurable");
|
||||
continue;
|
||||
}
|
||||
|
||||
if (curl_setopt($handle, $key, $val) === FALSE) {
|
||||
$logger->log(LOG_WARN, $ident . " failed to set " . curl_opt_name($key));
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//returns the string name of a curl constant,
|
||||
// or "curl option" if constant not found.
|
||||
// e.g.
|
||||
// curl_opt_name(CURLOPT_URL) returns "CURLOPT_URL"
|
||||
// curl_opt_name(CURLOPT_BLABLA) returns "curl option"
|
||||
function curl_opt_name($opt) {
|
||||
$consts = get_defined_constants(true);
|
||||
$consts = $consts['curl'];
|
||||
|
||||
$name = array_search($opt, $consts, TRUE);
|
||||
|
||||
//array_search may return either on failure...
|
||||
if ($name === FALSE || $name === NULL) {
|
||||
return "curl option";
|
||||
}
|
||||
|
||||
return $name;
|
||||
}
|
||||
|
||||
// This function takes a list of URLs. It will return the content of
|
||||
// the first successfully retrieved URL, whose content matches ^OK.
|
||||
// The request are sent asynchronously. Some of the URLs can fail
|
||||
@ -137,18 +194,14 @@ function modhex2b64 ($modhex_str) {
|
||||
// long as one of the URLs given work, data will be returned. If all
|
||||
// URLs fail, data from some URL that did not match parameter $match
|
||||
// (defaults to ^OK) is returned, or if all URLs failed, false.
|
||||
function retrieveURLasync ($ident, $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10) {
|
||||
function retrieveURLasync ($ident, $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10, $curlopts) {
|
||||
$mh = curl_multi_init();
|
||||
|
||||
$ch = array();
|
||||
foreach ($urls as $id => $url) {
|
||||
$handle = curl_init();
|
||||
$logger->log(LOG_DEBUG, $ident . " adding URL : " . $url);
|
||||
curl_setopt($handle, CURLOPT_URL, $url);
|
||||
curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL");
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
|
||||
curl_setopt($handle, CURLOPT_FAILONERROR, true);
|
||||
curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);
|
||||
|
||||
curl_settings($logger, $ident, $handle, $url, $timeout, $curlopts);
|
||||
|
||||
curl_multi_add_handle($mh, $handle);
|
||||
|
||||
@ -209,13 +262,13 @@ function retrieveURLasync ($ident, $urls, $logger, $ans_req=1, $match="^OK", $re
|
||||
}
|
||||
|
||||
// $otp: A yubikey OTP
|
||||
function KSMdecryptOTP($urls, $logger) {
|
||||
function KSMdecryptOTP($urls, $logger, $curlopts) {
|
||||
$ret = array();
|
||||
if (!is_array($urls)) {
|
||||
$urls = array($urls);
|
||||
}
|
||||
|
||||
$response = retrieveURLasync ("YK-KSM", $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10);
|
||||
$response = retrieveURLasync ("YK-KSM", $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10, $curlopts);
|
||||
if (is_array($response)) {
|
||||
$response = $response[0];
|
||||
}
|
||||
|
||||
@ -79,6 +79,40 @@ $baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
|
||||
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 60;
|
||||
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;
|
||||
|
||||
# A key -> value array with curl options to set
|
||||
# when calling URLs defined in __YKVAL_SYNC_POOL__
|
||||
#
|
||||
# Only the following options are configurable;
|
||||
# CURLOPT_PROTOCOLS
|
||||
# CURLOPT_IPRESOLVE
|
||||
# CURLOPT_SSLVERSION
|
||||
# CURLOPT_SSL_VERIFYPEER
|
||||
# CURLOPT_SSL_VERIFYHOST
|
||||
# CURLOPT_CAINFO
|
||||
# CURLOPT_CAPATH
|
||||
#
|
||||
# Any other option is ignored and a warning is emitted.
|
||||
$baseParams['__YKVAL_SYNC_CURL_OPTS__'] = array(
|
||||
//CURLOPT_PROTOCOLS => CURLPROTO_HTTP,
|
||||
);
|
||||
|
||||
# A key -> value array with curl options to set
|
||||
# when calling URLs returned by otp2ksmurls()
|
||||
#
|
||||
# Only the following options are configurable;
|
||||
# CURLOPT_PROTOCOLS
|
||||
# CURLOPT_IPRESOLVE
|
||||
# CURLOPT_SSLVERSION
|
||||
# CURLOPT_SSL_VERIFYPEER
|
||||
# CURLOPT_SSL_VERIFYHOST
|
||||
# CURLOPT_CAINFO
|
||||
# CURLOPT_CAPATH
|
||||
#
|
||||
# Any other option is ignored and a warning is emitted.
|
||||
$baseParams['__YKVAL_KSM_CURL_OPTS__'] = array(
|
||||
//CURLOPT_PROTOCOLS => CURLPROTO_HTTP,
|
||||
);
|
||||
|
||||
// otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
|
||||
// CLIENT. The URLs must be fully qualified, i.e., contain the OTP
|
||||
// itself.
|
||||
|
||||
@ -430,10 +430,17 @@ class SyncLib
|
||||
"&" . $this->otpPartFromInfoString($row['info']);
|
||||
}
|
||||
|
||||
global $baseParams;
|
||||
$curlopts = array();
|
||||
|
||||
if (array_key_exists('__YKVAL_SYNC_CURL_OPTS__', $baseParams)) {
|
||||
$curlopts = $baseParams['__YKVAL_SYNC_CURL_OPTS__'];
|
||||
}
|
||||
|
||||
/*
|
||||
Send out requests
|
||||
*/
|
||||
$ans_arr=$this->retrieveURLasync_wrap($urls, $ans_req, $timeout);
|
||||
$ans_arr=$this->retrieveURLasync_wrap($urls, $ans_req, $timeout, $curlopts);
|
||||
|
||||
if (!is_array($ans_arr)) {
|
||||
$this->log(LOG_WARNING, 'No responses from validation server pool');
|
||||
@ -537,9 +544,9 @@ class SyncLib
|
||||
else return 0;
|
||||
}
|
||||
|
||||
function retrieveURLasync_wrap ($urls, $ans_req=1, $timeout=1.0)
|
||||
function retrieveURLasync_wrap ($urls, $ans_req=1, $timeout=1.0, $curlopts)
|
||||
{
|
||||
return retrieveURLasync("YK-VAL sync", $urls, $this->myLog, $ans_req, $match="status=OK", $returl=True, $timeout);
|
||||
return retrieveURLasync("YK-VAL sync", $urls, $this->myLog, $ans_req, $match="status=OK", $returl=True, $timeout, $curlopts);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -251,7 +251,11 @@ if (!is_array($urls)) {
|
||||
|
||||
//// Decode OTP from input
|
||||
//
|
||||
$otpinfo = KSMdecryptOTP($urls, $myLog);
|
||||
$curlopts = array();
|
||||
if (array_key_exists('__YKVAL_KSM_CURL_OPTS__', $baseParams)) {
|
||||
$curlopts = $baseParams['__YKVAL_KSM_CURL_OPTS__'];
|
||||
}
|
||||
$otpinfo = KSMdecryptOTP($urls, $myLog, $curlopts);
|
||||
if (!is_array($otpinfo)) {
|
||||
sendResp(S_BAD_OTP, $myLog, $apiKey);
|
||||
exit;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user