From 8ea97ab0fb5cfbf4b8e7043a4c5a783462f93c46 Mon Sep 17 00:00:00 2001
From: Simon Josefsson
Date: Sun, 12 Sep 2010 10:39:23 +0000
Subject: [PATCH] Sanity check OTP variable before trusting it. Reported by Ricky Zhou .
---
 ykval-common.php | 1 +
 ykval-verify.php | 31 ++++++++++++++++++-------------
 2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/ykval-common.php b/ykval-common.php
index cf8f5eb..feb3edf 100644
--- a/ykval-common.php
+++ b/ykval-common.php
@@ -20,6 +20,7 @@ define('TS_REL_TOLERANCE', 0.3);
 define('TS_ABS_TOLERANCE', 20);
 define('TOKEN_LEN', 32);
+define('OTP_MAX_LEN', 48); // TOKEN_LEN plus public identity of 0..16
 global $ykval_common_log;
 $ykval_common_log = new Log('ykval-common');
diff --git a/ykval-verify.php b/ykval-verify.php
index 8564bcb..6aef888 100644
--- a/ykval-verify.php
+++ b/ykval-verify.php
@@ -69,6 +69,24 @@ if ($protocol_version>=2.0) {
 */
+if ($otp == '') {
+ $myLog->log(LOG_NOTICE, 'OTP is missing');
+ sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
+ exit;
+}
+
+if (strlen($otp) < TOKEN_LEN || strlen ($otp) > TOKEN_MAXLEN) {
+ $myLog->log(LOG_NOTICE, 'Incorrect OTP length: ' . $otp);
+ sendResp(S_BAD_OTP, $apiKey, $extra);
+ exit;
+}
+
+if (preg_match("/^[cbdefghijklnrtuv]+$/", $otp)==0) {
+ $myLog->log(LOG_NOTICE, 'Invalid OTP: ' . $otp);
+ sendResp(S_BAD_OTP, $apiKey, $extra);
+ exit;
+}
+
 if (preg_match("/^[0-9]+$/", $client)==0){
 $myLog->log(LOG_NOTICE, 'id provided in request must be an integer');
 sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
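Review bot: The added length check in ykval-verify.php tests `strlen ($otp) > TOKEN_MAXLEN`, but the constant this commit defines in ykval-common.php is `OTP_MAX_LEN`, and no definition of `TOKEN_MAXLEN` is visible in the patch. If it is not defined elsewhere, PHP of this era treats the bare name as the string 'TOKEN_MAXLEN', which compares as 0, so every non-empty OTP would be answered with S_BAD_OTP; the line should read `if (strlen($otp) < TOKEN_LEN || strlen($otp) > OTP_MAX_LEN) {`. That branch also writes the raw `$otp` to the log before the modhex check has run, so request data of any length and content lands in the log; logging `strlen($otp)` instead, or running the character check first, keeps unvalidated input out of it. In the modhex check `$` also matches just before a trailing newline, so an OTP ending in a newline passes; `preg_match('/^[cbdefghijklnrtuv]+\z/', $otp)` anchors at the true end of the string.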
@@ -163,19 +181,6 @@ if ($protocol_version<2.0) {
 $myLog->log(LOG_INFO, 'protocol version below 2.0. Created nonce ' . $nonce);
 }
-//// Sanity check OTP
-//
-if ($otp == '') {
- $myLog->log(LOG_NOTICE, 'OTP is missing');
- sendResp(S_MISSING_PARAMETER, $apiKey, $extra);
- exit;
-}
-if (strlen($otp) <= TOKEN_LEN) {
- $myLog->log(LOG_NOTICE, 'Too short OTP: ' . $otp);
- sendResp(S_BAD_OTP, $apiKey, $extra);
- exit;
-}
-
 //// Which YK-KSM should we talk to?
 //
 $urls = otp2ksmurls ($otp, $client);