Init

verify.php

@@ -1,99 +1,5 @@
-<?php require_once '../yms/appinclude.php';
+<?php $trace = false;
-	  require_once '../yms/yubi_lib.php';
 
-$id = getHttpVal('id', 0);
+require 'verifyOTP.php';
-if ($id <= 0) {
-	echo 'Client ID is missing';
-	exit;
-}
-
-$otp = getHttpVal('otp', '');
-if ($otp == '') {
-	echo 'OTP is missing';
-	exit;
-}
-
-//// Get Yubikey from DB
-//
-$devId = substr($otp, 0, 12);
-$ad = getAuthData($devId);
-echo '<h3>--- From DB ---</h3>';
-print_r($ad); echo '<p>';
-if ($ad == null) {
-	echo 'Invalid Yubikey '.$devId;
-	exit;
-}
-
-//// Decode OTP from input
-//
-echo '<h3>--- From Input ---</h3>';
-//$key16 = b64ToHex($ad['secret']);
-//$key16 = 'e42b35465e48b6bdbe6676f23bf28259';
-$k = b64ToModhex($ad['secret']);
-echo '<li>K='.$k.'<p>';
-$key16 = ModHex::Decode($k);
-echo '<li>Key16 = ['.$key16.'] len='.strlen($key16).'<p>';
-//$key= pack('H*', $key16);
-$decoded_token = Yubikey::Decode($otp, $key16);
-print_r($decoded_token);
-echo '<p>';
-if ( ! is_array($decoded_token) ) {
-	die ('DECODING FAILED: '.$decoded_token."\n");
-}
-
-//// Sanity check key status
-//
-if ($ad['active'] < 1) {
-	die ('The Yubikey is not activated!');
-}
-
-// Sanity check client status
-//
-if ($ad['c_active'] < 1) {
-	die ('The Client is not activated!');
-}
-
-// Sanity check token ID
-//
-if ( strlen($decoded_token["public_id"]) == 12 ) {
-	print "\t-> Public ID OK (".$decoded_token["public_id"].")\n";
-} else { print "TOKEN ID FAILED, ".$decoded_token["public_id"]."\n"; }
-
-// Sanity check the OTP
-//
-if ( strlen($decoded_token["token"]) == 32) {
-	print "\t-> OTP len OK (".$decoded_token["token"].")\n";
-} else { print " OTP len FAILED,".strlen($decoded_token["token"])."\n"; }
-
-// Check the session counter
-//
-$sessionCounter = $decoded_token["counter"]; // From the req
-$seenSessionCounter = $ad['counter']; // From DB
-$scDiff = $seenSessionCounter - $sessionCounter;
-if ($scDiff > 0) {
-	print "Replayed session counter, counter=".$sessionCounter.', seen='.$seenSessionCounter."\n";
-} else {
-	print "\t-> Counter OK (".$sessionCounter.")\n";
-}
-
-$hi = $decoded_token["high"] & 0xff; // From the req
-$seenHi = $ad['high']; // From DB
-$hiDiff = $seenHi - $hi;
-if ($scDiff == 0 && $hiDiff > 0) {
-	print "Replayed high counter, counter=".$hi.', seen='.$seenHi."\n";
-} else {
-	print "\t-> High counter OK (".$hi.")\n";
-}
-
-$lo = $decoded_token["low"] & 0xff; // From the req
-$seenLo = $ad['low']; // From DB
-$loDiff = $seenLo - $lo;
-if ($scDiff == 0 && $loDiff > 0) {
-	print "Replayed low counter, counter=".$lo.', seen='.$seenLo."\n";
-} else {
-	print "\t-> Low counter OK (".$lo.")\n";
-}
-
-echo '<p>Validation OK for Yubikey: '.$decoded_token["public_id"];
 
 ?>

verifyOTP.php

@@ -0,0 +1,135 @@
+<?php require_once '../yms/appinclude.php';
+	  require_once '../yms/yubi_lib.php';
+
+$id = getHttpVal('id', 0);
+if ($id <= 0) {
+	echo 'Client ID is missing';
+	exit;
+}
+
+$otp = getHttpVal('otp', '');
+if ($otp == '') {
+	echo 'OTP is missing';
+	exit;
+}
+
+//// Get Yubikey from DB
+//
+$devId = substr($otp, 0, 12);
+$ad = getAuthData($devId);
+debug('<h3>Auth Data from DB</h3>');
+
+if ($ad == null) {
+	echo 'Invalid Yubikey '.$devId;
+	exit;
+} else {
+	debug($ad);
+}
+
+$k = b64ToModhex($ad['secret']);
+debug('aes key in modhex = '.$k);
+$key16 = ModHex::Decode($k);
+debug('aes key in hex = ['.$key16.'], length = '.strlen($key16));
+
+//// Decode OTP from input
+//
+debug('<h3>From OTP decoded</h3>');
+//$key= pack('H*', $key16);
+$decoded_token = Yubikey::Decode($otp, $key16);
+debug($decoded_token);
+if ( ! is_array($decoded_token) ) {
+	die ('DECODING FAILED: '.$decoded_token."\n");
+}
+
+//// Sanity check key status
+//
+if ($ad['active'] < 1) {
+	die ('The Yubikey is not activated!');
+}
+
+// Sanity check client status
+//
+if ($ad['c_active'] < 1) {
+	die ('The Client is not activated!');
+}
+
+// Sanity check token ID
+//
+if (strlen($decoded_token["public_id"]) == 12 ) {
+	debug("Token ID OK (".$decoded_token["public_id"].")");
+} else { die("TOKEN ID FAILED, ".$decoded_token["public_id"]); }
+
+// Sanity check the OTP
+//
+if ( strlen($decoded_token["token"]) == 32) {
+	debug("OTP len OK (".$decoded_token["token"].")");
+} else { die(" OTP len FAILED,".strlen($decoded_token["token"])); }
+
+// Check the session counter
+//
+$sessionCounter = $decoded_token["counter"]; // From the req
+$seenSessionCounter = $ad['counter']; // From DB
+$scDiff = $seenSessionCounter - $sessionCounter;
+if ($scDiff > 0) {
+	die("Replayed session counter=".$sessionCounter.', seen='.$seenSessionCounter);
+} else {
+	debug("Counter OK (".$sessionCounter.")");
+}
+
+$hi = $decoded_token["high"] & 0xff; // From the req
+$seenHi = $ad['high']; // From DB
+$hiDiff = $seenHi - $hi;
+if ($scDiff == 0 && $hiDiff > 0) {
+	die("Replayed high counter=".$hi.', seen='.$seenHi);
+} else {
+	debug("High counter OK (".$hi.")");
+}
+
+$lo = $decoded_token["low"] & 0xff; // From the req
+$seenLo = $ad['low']; // From DB
+$loDiff = $seenLo - $lo;
+if ($scDiff == 0 && $loDiff > 0) {
+	die("Replayed low counter=".$lo.', seen='.$seenLo);
+} else {
+	debug("Low counter OK (".$lo.")");
+}
+
+echo 'Validation OK for Yubikey: '.$decoded_token["public_id"];
+
+if (updDB($ad['id'], $decoded_token)) {
+	debug('Validation database updated');	
+}
+
+function debug($msg, $exit=false) {
+	global $trace;
+	if ($trace) {
+		if (is_array($msg)) {
+			echo '<pre>';
+			print_r($msg);
+			echo '</pre>';
+		} else {
+			echo $msg;
+		}
+		echo "<p>\n";
+	}
+	if ($exit) {
+		die ('<font color=red><h4>Exit</h4></font>');
+	}
+}
+
+function updDB($id, $a) {
+	$stmt = 'UPDATE yubikeys SET '.
+		'accessed=NOW(),'.
+		'counter='.$a['counter'].','.
+		'low='.$a['low'].','.
+		'high='.$a['high'].
+		' WHERE id='.$id;
+	if (!query($stmt)) {
+		$err = 'Failed to update validation data of key: '.$id.' by '.$stmt;
+		debug($err);
+		writeLog($err);
+		return false;
+	}
+	return true;
+}
+?>

verify_debug.php

@@ -0,0 +1,5 @@
+<?php $trace = true;
+
+require 'verifyOTP.php';
+
+?>