rooty/yubikey-val
1
0
Fork 0
mirror of https://github.com/Yubico/yubikey-val.git synced 2025-02-27 06:54:16 +01:00
Code Issues Projects Releases Wiki Activity

Fix what looks like a logic error in sync logic.

Browse Source 
Only $req_answers sync peers would get polled.  When $req_answers is
less than $nr_servers, some servers (that return replayed counters)
will get ignored, since retrieveURLasync() stops after $req_answers
responses.

The fix requires $nr_servers responses from retrieveURLasync, causing
all sync peers to get polled and processed by sync().

This arrangement also allows a two-server sync pool to operate when
one peer is gone or unreachable, something that cannot be done before
these modifications.  Set the sync_level to 0, which means
"try everyone, but if you get no valid responses, it's okay to proceed".
Prior to the modifications, it means "don't even try syncing".

Also, added ykval-cron, which can be fired off from a cron job to
make sure ykval-queue stays running.  This is example code, as
your enviroment and usernames may differ.
This commit is contained in:
Scott Sakai 2016-03-02 22:55:30 -08:00
parent a4f8c24877
commit f24aed77a6
No known key found for this signature in database
GPG Key ID: FEA1D71D587AD228
2 changed files with 45 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
ykval-cron Executable file
View File

@ -0,0 +1,22 @@
#!/bin/bash
# Something to keep ykval-queue going
# run this in cron
# restarts if necessary
RUNAS=ykval
function start
{
su -s /bin/bash -c '/usr/sbin/ykval-queue &>/dev/null &' - ${RUNAS}
exit 0
}
FOUND=$( ps -C ykval-queue | wc -l )
if [[ ${FOUND} -lt 2 ]]; then
start
fi
exit 0

28
ykval-verify.php
View File

@ -378,9 +378,13 @@ if (!$sync->queue($otpParams, $localParams))
$nr_servers = $sync->getNumberOfServers(); $nr_servers = $sync->getNumberOfServers();
$req_answers = ceil($nr_servers * $sl / 100.0); $req_answers = ceil($nr_servers * $sl / 100.0);
if ($req_answers > 0) // try syncing anyway
if ($nr_servers > 0)
{ {
$syncres = $sync->sync($req_answers, $timeout); // we need to attempt syncing with all servers, since one may
// return replayed counters. Using $req_answers means such a server
// may get ignored.
$syncres = $sync->sync($nr_servers, $timeout);
$nr_answers = $sync->getNumberOfAnswers(); $nr_answers = $sync->getNumberOfAnswers();
$nr_valid_answers = $sync->getNumberOfValidAnswers(); $nr_valid_answers = $sync->getNumberOfValidAnswers();
$sl_success_rate = floor(100.0 * $nr_valid_answers / $nr_servers); $sl_success_rate = floor(100.0 * $nr_valid_answers / $nr_servers);
@ -405,16 +409,26 @@ $myLog->log(LOG_INFO, '', array(
if ($syncres == False) if ($syncres == False)
{ {
/* sync returned false, indicating that /* sync returned false, indicating that not all servers returned valid answers;
either at least 1 answer marked OTP as invalid or some may have returned NO answer (host down...). Sort this out here,
there were not enough answers */ it's not the end of the world yet! */
$myLog->log(LOG_WARNING, 'Sync failed');
if ($nr_valid_answers != $nr_answers) if ($nr_answers != $nr_valid_answers)
{
/* at least 1 answers marked OTP as invalid */
$myLog->log(LOG_WARNING, 'Sync failed');
sendResp(S_REPLAYED_OTP, $myLog, $apiKey, $extra); sendResp(S_REPLAYED_OTP, $myLog, $apiKey, $extra);
}
if ($nr_valid_answers < $req_answers)
{
/* not enough valid answers */
$myLog->log(LOG_WARNING, 'Sync failed');
$extra['sl'] = $sl_success_rate; $extra['sl'] = $sl_success_rate;
sendResp(S_NOT_ENOUGH_ANSWERS, $myLog, $apiKey, $extra); sendResp(S_NOT_ENOUGH_ANSWERS, $myLog, $apiKey, $extra);
}
} }
if ($otpParams['yk_counter'] == $localParams['yk_counter'] && $otpParams['yk_use'] > $localParams['yk_use']) if ($otpParams['yk_counter'] == $localParams['yk_counter'] && $otpParams['yk_use'] > $localParams['yk_use'])