rooty/yubikey-val
1
0
Fork 0
mirror of https://github.com/Yubico/yubikey-val.git synced 2025-03-15 18:29:17 +01:00
Code Issues Projects Releases Wiki Activity

Allowed certain cURL options to be configurable.

Browse Source 
- When calling either URLs in the sync pool or the KSMs,
    the following curl options are configurable;

    CURLOPT_PROTOCOLS
    CURLOPT_IPRESOLVE
    CURLOPT_SSLVERSION
    CURLOPT_SSL_VERIFYPEER
    CURLOPT_SSL_VERIFYHOST
    CURLOPT_CAINFO
    CURLOPT_CAPATH
This commit is contained in:
Jean Paul Galea 2015-04-13 17:35:02 +02:00
parent ed3211cb9d
commit 8df329aa0e
4 changed files with 111 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
ykval-common.php
View File

@ -130,6 +130,63 @@ function modhex2b64 ($modhex_str) {
return hex2b64($hex_str); return hex2b64($hex_str);
} }
function curl_settings($logger, $ident, $handle, $url, $timeout, $curlopts) {
//configure "hard" options
$logger->log(LOG_DEBUG, $ident . " adding URL : " . $url);
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);
curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL");
curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($handle, CURLOPT_FAILONERROR, TRUE);
if (!is_array($curlopts)) {
$logger->log(LOG_WARN, $ident . "curl options must be an array");
return;
}
//allowed configurable options in ykval-config.php
$allowed = array(
CURLOPT_PROTOCOLS,
CURLOPT_IPRESOLVE,
CURLOPT_SSLVERSION,
CURLOPT_SSL_VERIFYPEER,
CURLOPT_SSL_VERIFYHOST,
CURLOPT_CAINFO,
CURLOPT_CAPATH,
);
foreach($curlopts as $key => $val) {
if (in_array($key, $allowed) === FALSE) {
$logger->log(LOG_WARN, $ident . curl_opt_name($key) . " is not configurable");
continue;
}
if (curl_setopt($handle, $key, $val) === FALSE) {
$logger->log(LOG_WARN, $ident . " failed to set " . curl_opt_name($key));
continue;
}
}
}
//returns the string name of a curl constant,
// or "curl option" if constant not found.
// e.g.
// curl_opt_name(CURLOPT_URL) returns "CURLOPT_URL"
// curl_opt_name(CURLOPT_BLABLA) returns "curl option"
function curl_opt_name($opt) {
$consts = get_defined_constants(true);
$consts = $consts['curl'];
$name = array_search($opt, $consts, TRUE);
//array_search may return either on failure...
if ($name === FALSE || $name === NULL) {
return "curl option";
}
return $name;
}
// This function takes a list of URLs. It will return the content of // This function takes a list of URLs. It will return the content of
// the first successfully retrieved URL, whose content matches ^OK. // the first successfully retrieved URL, whose content matches ^OK.
// The request are sent asynchronously. Some of the URLs can fail // The request are sent asynchronously. Some of the URLs can fail
@ -137,18 +194,14 @@ function modhex2b64 ($modhex_str) {
// long as one of the URLs given work, data will be returned. If all // long as one of the URLs given work, data will be returned. If all
// URLs fail, data from some URL that did not match parameter $match // URLs fail, data from some URL that did not match parameter $match
// (defaults to ^OK) is returned, or if all URLs failed, false. // (defaults to ^OK) is returned, or if all URLs failed, false.
function retrieveURLasync ($ident, $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10) { function retrieveURLasync ($ident, $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10, $curlopts) {
$mh = curl_multi_init(); $mh = curl_multi_init();
$ch = array(); $ch = array();
foreach ($urls as $id => $url) { foreach ($urls as $id => $url) {
$handle = curl_init(); $handle = curl_init();
$logger->log(LOG_DEBUG, $ident . " adding URL : " . $url);
curl_setopt($handle, CURLOPT_URL, $url); curl_settings($logger, $ident, $handle, $url, $timeout, $curlopts);
curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL");
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($handle, CURLOPT_FAILONERROR, true);
curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);
curl_multi_add_handle($mh, $handle); curl_multi_add_handle($mh, $handle);
@ -209,13 +262,13 @@ function retrieveURLasync ($ident, $urls, $logger, $ans_req=1, $match="^OK", $re
} }
// $otp: A yubikey OTP // $otp: A yubikey OTP
function KSMdecryptOTP($urls, $logger) { function KSMdecryptOTP($urls, $logger, $curlopts) {
$ret = array(); $ret = array();
if (!is_array($urls)) { if (!is_array($urls)) {
$urls = array($urls); $urls = array($urls);
} }
$response = retrieveURLasync ("YK-KSM", $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10); $response = retrieveURLasync ("YK-KSM", $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10, $curlopts);
if (is_array($response)) { if (is_array($response)) {
$response = $response[0]; $response = $response[0];
} }

34
ykval-config.php
View File

@ -79,6 +79,40 @@ $baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 60; $baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 60;
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1; $baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;
# A key -> value array with curl options to set
# when calling URLs defined in __YKVAL_SYNC_POOL__
#
# Only the following options are configurable;
# CURLOPT_PROTOCOLS
# CURLOPT_IPRESOLVE
# CURLOPT_SSLVERSION
# CURLOPT_SSL_VERIFYPEER
# CURLOPT_SSL_VERIFYHOST
# CURLOPT_CAINFO
# CURLOPT_CAPATH
#
# Any other option is ignored and a warning is emitted.
$baseParams['__YKVAL_SYNC_CURL_OPTS__'] = array(
//CURLOPT_PROTOCOLS => CURLPROTO_HTTP,
);
# A key -> value array with curl options to set
# when calling URLs returned by otp2ksmurls()
#
# Only the following options are configurable;
# CURLOPT_PROTOCOLS
# CURLOPT_IPRESOLVE
# CURLOPT_SSLVERSION
# CURLOPT_SSL_VERIFYPEER
# CURLOPT_SSL_VERIFYHOST
# CURLOPT_CAINFO
# CURLOPT_CAPATH
#
# Any other option is ignored and a warning is emitted.
$baseParams['__YKVAL_KSM_CURL_OPTS__'] = array(
//CURLOPT_PROTOCOLS => CURLPROTO_HTTP,
);
// otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for // otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
// CLIENT. The URLs must be fully qualified, i.e., contain the OTP // CLIENT. The URLs must be fully qualified, i.e., contain the OTP
// itself. // itself.

13
ykval-synclib.php
View File

@ -430,10 +430,17 @@ class SyncLib
"&" . $this->otpPartFromInfoString($row['info']); "&" . $this->otpPartFromInfoString($row['info']);
} }
global $baseParams;
$curlopts = array();
if (array_key_exists('__YKVAL_SYNC_CURL_OPTS__', $baseParams)) {
$curlopts = $baseParams['__YKVAL_SYNC_CURL_OPTS__'];
}
/* /*
Send out requests Send out requests
*/ */
$ans_arr=$this->retrieveURLasync_wrap($urls, $ans_req, $timeout); $ans_arr=$this->retrieveURLasync_wrap($urls, $ans_req, $timeout, $curlopts);
if (!is_array($ans_arr)) { if (!is_array($ans_arr)) {
$this->log(LOG_WARNING, 'No responses from validation server pool'); $this->log(LOG_WARNING, 'No responses from validation server pool');
@ -537,9 +544,9 @@ class SyncLib
else return 0; else return 0;
} }
function retrieveURLasync_wrap ($urls, $ans_req=1, $timeout=1.0) function retrieveURLasync_wrap ($urls, $ans_req=1, $timeout=1.0, $curlopts)
{ {
return retrieveURLasync("YK-VAL sync", $urls, $this->myLog, $ans_req, $match="status=OK", $returl=True, $timeout); return retrieveURLasync("YK-VAL sync", $urls, $this->myLog, $ans_req, $match="status=OK", $returl=True, $timeout, $curlopts);
} }
} }

6
ykval-verify.php
View File

@ -251,7 +251,11 @@ if (!is_array($urls)) {
//// Decode OTP from input //// Decode OTP from input
// //
$otpinfo = KSMdecryptOTP($urls, $myLog); $curlopts = array();
if (array_key_exists('__YKVAL_KSM_CURL_OPTS__', $baseParams)) {
$curlopts = $baseParams['__YKVAL_KSM_CURL_OPTS__'];
}
$otpinfo = KSMdecryptOTP($urls, $myLog, $curlopts);
if (!is_array($otpinfo)) { if (!is_array($otpinfo)) {
sendResp(S_BAD_OTP, $myLog, $apiKey); sendResp(S_BAD_OTP, $myLog, $apiKey);
exit; exit;