diff --git a/verify.php b/verify.php index 60bb669..e4f6e41 100644 --- a/verify.php +++ b/verify.php @@ -1,99 +1,5 @@ ---- From DB ---'; -print_r($ad); echo '

'; -if ($ad == null) { - echo 'Invalid Yubikey '.$devId; - exit; -} - -//// Decode OTP from input -// -echo '

--- From Input ---

'; -//$key16 = b64ToHex($ad['secret']); -//$key16 = 'e42b35465e48b6bdbe6676f23bf28259'; -$k = b64ToModhex($ad['secret']); -echo '
  • K='.$k.'

    '; -$key16 = ModHex::Decode($k); -echo '

  • Key16 = ['.$key16.'] len='.strlen($key16).'

    '; -//$key= pack('H*', $key16); -$decoded_token = Yubikey::Decode($otp, $key16); -print_r($decoded_token); -echo '

    '; -if ( ! is_array($decoded_token) ) { - die ('DECODING FAILED: '.$decoded_token."\n"); -} - -//// Sanity check key status -// -if ($ad['active'] < 1) { - die ('The Yubikey is not activated!'); -} - -// Sanity check client status -// -if ($ad['c_active'] < 1) { - die ('The Client is not activated!'); -} - -// Sanity check token ID -// -if ( strlen($decoded_token["public_id"]) == 12 ) { - print "\t-> Public ID OK (".$decoded_token["public_id"].")\n"; -} else { print "TOKEN ID FAILED, ".$decoded_token["public_id"]."\n"; } - -// Sanity check the OTP -// -if ( strlen($decoded_token["token"]) == 32) { - print "\t-> OTP len OK (".$decoded_token["token"].")\n"; -} else { print " OTP len FAILED,".strlen($decoded_token["token"])."\n"; } - -// Check the session counter -// -$sessionCounter = $decoded_token["counter"]; // From the req -$seenSessionCounter = $ad['counter']; // From DB -$scDiff = $seenSessionCounter - $sessionCounter; -if ($scDiff > 0) { - print "Replayed session counter, counter=".$sessionCounter.', seen='.$seenSessionCounter."\n"; -} else { - print "\t-> Counter OK (".$sessionCounter.")\n"; -} - -$hi = $decoded_token["high"] & 0xff; // From the req -$seenHi = $ad['high']; // From DB -$hiDiff = $seenHi - $hi; -if ($scDiff == 0 && $hiDiff > 0) { - print "Replayed high counter, counter=".$hi.', seen='.$seenHi."\n"; -} else { - print "\t-> High counter OK (".$hi.")\n"; -} - -$lo = $decoded_token["low"] & 0xff; // From the req -$seenLo = $ad['low']; // From DB -$loDiff = $seenLo - $lo; -if ($scDiff == 0 && $loDiff > 0) { - print "Replayed low counter, counter=".$lo.', seen='.$seenLo."\n"; -} else { - print "\t-> Low counter OK (".$lo.")\n"; -} - -echo '

    Validation OK for Yubikey: '.$decoded_token["public_id"]; +require 'verifyOTP.php'; ?> diff --git a/verifyOTP.php b/verifyOTP.php new file mode 100644 index 0000000..4740f4f --- /dev/null +++ b/verifyOTP.php @@ -0,0 +1,135 @@ +Auth Data from DB'); + +if ($ad == null) { + echo 'Invalid Yubikey '.$devId; + exit; +} else { + debug($ad); +} + +$k = b64ToModhex($ad['secret']); +debug('aes key in modhex = '.$k); +$key16 = ModHex::Decode($k); +debug('aes key in hex = ['.$key16.'], length = '.strlen($key16)); + +//// Decode OTP from input +// +debug('

    From OTP decoded

    '); +//$key= pack('H*', $key16); +$decoded_token = Yubikey::Decode($otp, $key16); +debug($decoded_token); +if ( ! is_array($decoded_token) ) { + die ('DECODING FAILED: '.$decoded_token."\n"); +} + +//// Sanity check key status +// +if ($ad['active'] < 1) { + die ('The Yubikey is not activated!'); +} + +// Sanity check client status +// +if ($ad['c_active'] < 1) { + die ('The Client is not activated!'); +} + +// Sanity check token ID +// +if (strlen($decoded_token["public_id"]) == 12 ) { + debug("Token ID OK (".$decoded_token["public_id"].")"); +} else { die("TOKEN ID FAILED, ".$decoded_token["public_id"]); } + +// Sanity check the OTP +// +if ( strlen($decoded_token["token"]) == 32) { + debug("OTP len OK (".$decoded_token["token"].")"); +} else { die(" OTP len FAILED,".strlen($decoded_token["token"])); } + +// Check the session counter +// +$sessionCounter = $decoded_token["counter"]; // From the req +$seenSessionCounter = $ad['counter']; // From DB +$scDiff = $seenSessionCounter - $sessionCounter; +if ($scDiff > 0) { + die("Replayed session counter=".$sessionCounter.', seen='.$seenSessionCounter); +} else { + debug("Counter OK (".$sessionCounter.")"); +} + +$hi = $decoded_token["high"] & 0xff; // From the req +$seenHi = $ad['high']; // From DB +$hiDiff = $seenHi - $hi; +if ($scDiff == 0 && $hiDiff > 0) { + die("Replayed high counter=".$hi.', seen='.$seenHi); +} else { + debug("High counter OK (".$hi.")"); +} + +$lo = $decoded_token["low"] & 0xff; // From the req +$seenLo = $ad['low']; // From DB +$loDiff = $seenLo - $lo; +if ($scDiff == 0 && $loDiff > 0) { + die("Replayed low counter=".$lo.', seen='.$seenLo); +} else { + debug("Low counter OK (".$lo.")"); +} + +echo 'Validation OK for Yubikey: '.$decoded_token["public_id"]; + +if (updDB($ad['id'], $decoded_token)) { + debug('Validation database updated'); +} + +function debug($msg, $exit=false) { + global $trace; + if ($trace) { + if (is_array($msg)) { + echo '
    ';
    +			print_r($msg);
    +			echo '
    '; + } else { + echo $msg; + } + echo "

    \n"; + } + if ($exit) { + die ('

    Exit

    ');
+ }
+}
+
+function updDB($id, $a) {
+ $stmt = 'UPDATE yubikeys SET '.
+ 'accessed=NOW(),'.
+ 'counter='.$a['counter'].','.
+ 'low='.$a['low'].','.
+ 'high='.$a['high'].
+ ' WHERE id='.$id;
+ if (!query($stmt)) {
+ $err = 'Failed to update validation data of key: '.$id.' by '.$stmt;
+ debug($err);
+ writeLog($err);
+ return false;
+ }
+ return true;
+}
+?>
diff --git a/verify_debug.php b/verify_debug.php
new file mode 100644
index 0000000..c19d937
--- /dev/null
+++ b/verify_debug.php
@@ -0,0 +1,5 @@
+
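Review bot: An exact replay of the last accepted OTP passes the three counter checks in verifyOTP.php, because each one only rejects when the stored value is strictly greater (`$scDiff > 0`, `$hiDiff > 0`, `$loDiff > 0`) and an identical counter/high/low triple reaches "Validation OK"; after the low check add `if ($scDiff == 0 && $hiDiff == 0 && $loDiff == 0) { die("Replayed OTP, counter=".$sessionCounter); }` (this assumes counter, high and low are ordered most- to least-significant, as the existing checks imply). The success message is also echoed before `updDB()` runs and a failed update merely returns false, so the stored counters never advance and the same OTP stays valid — move the update before the echo and fail closed with `if (!updDB($ad['id'], $decoded_token)) { die('Validation state update failed'); }`. In `updDB` the UPDATE is built by concatenating `$a['counter']`, `$a['low']`, `$a['high']` and `$id`; cast each with `(int)` or switch to a prepared statement, and note that the stored high/low are the unmasked token values while the comparison uses the `& 0xff`-masked ones, so they may disagree on the next validation. `debug('aes key in hex = ['.$key16.'] ...')` writes the device AES secret into the response whenever `$trace` is set; log only its length. The file's opening lines, where `$ad`, `$otp`, `$devId` and `$trace` are set, are not visible in the hunk as rendered, so the checks above on their origin could not be confirmed.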