From f7cf1e1a5d3192a4d5c2db08cc12ae403d3928e2 Mon Sep 17 00:00:00 2001 From: Olov Danielson Date: Mon, 7 Dec 2009 19:13:20 +0000 Subject: [PATCH] Taking care of sl and timeout parameters in new protocol --- ykval-config.php | 6 +++- ykval-synclib.php | 10 +++---- ykval-verify.php | 73 +++++++++++++++++++++++++++++++++++------------ 3 files changed, 64 insertions(+), 25 deletions(-) diff --git a/ykval-config.php b/ykval-config.php index 9dc626e..fcd93db 100644 --- a/ykval-config.php +++ b/ykval-config.php @@ -10,8 +10,12 @@ $baseParams['__YKVAL_DB_PW__'] = 'lab'; $baseParams['__YKVAL_SYNC_POOL__'] = "http://api2.yubico.com/wsapi/sync;http://api3.yubico.com/wsapi/sync;http://api4.yubico.com/wsapi/sync"; $baseParams['__YKVAL_SYNC_INTERVAL__'] = 60; $baseParams['__YKVAL_SYNC_MAX_SIMUL__'] = 50; -$baseParams['__YKVAL_SYNC_TIMEOUT__'] = 30; +$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30; $baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 1; +$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1; +$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 50; +$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 50; +$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1; # For the get-api-key service. $baseParams['__YKGAK_DB_HOST__'] = $baseParams['__YKVAL_DB_HOST__']; diff --git a/ykval-synclib.php b/ykval-synclib.php index 136a9d7..0eb1c1f 100644 --- a/ykval-synclib.php +++ b/ykval-synclib.php @@ -20,7 +20,7 @@ class SyncLib $this->db->connect(); $this->random_key=rand(0,1<<16); $this->max_url_chunk=$baseParams['__YKVAL_SYNC_MAX_SIMUL__']; - $this->resync_timeout=$baseParams['__YKVAL_SYNC_TIMEOUT__']; + $this->resync_timeout=$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__']; } @@ -303,7 +303,7 @@ class SyncLib } } } - public function sync($ans_req) + public function sync($ans_req, $timeout=1) { /* Construct URLs @@ -321,7 +321,7 @@ class SyncLib /* Send out requests */ - if (count($urls)>=$ans_req) $ans_arr=$this->retrieveURLasync($urls, $ans_req); + if (count($urls)>=$ans_req) $ans_arr=$this->retrieveURLasync($urls, $ans_req, $timeout); else return false; if (!is_array($ans_arr)) { @@ -423,7 +423,7 @@ class SyncLib curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL"); curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1); curl_setopt($handle, CURLOPT_FAILONERROR, true); - curl_setopt($handle, CURLOPT_TIMEOUT, 10); + curl_setopt($handle, CURLOPT_TIMEOUT, $timeout); curl_multi_add_handle($mh, $handle); @@ -468,7 +468,7 @@ class SyncLib unset ($ch[$info['handle']]); } - curl_multi_select ($mh, $timeout); + curl_multi_select ($mh); } } while($active); diff --git a/ykval-verify.php b/ykval-verify.php index b329ec3..bd42a03 100644 --- a/ykval-verify.php +++ b/ykval-verify.php @@ -9,6 +9,8 @@ header("content-type: text/plain"); debug("Request: " . $_SERVER['QUERY_STRING']); +$protocol_version=2.0; + $conn = mysql_connect($baseParams['__YKVAL_DB_HOST__'], $baseParams['__YKVAL_DB_USER__'], $baseParams['__YKVAL_DB_PW__']); @@ -28,6 +30,17 @@ $client = getHttpVal('id', 0); $otp = getHttpVal('otp', ''); $otp = strtolower($otp); $timestamp = getHttpVal('timestamp', 0); +if ($protocol_version>=2.0) { + + $sl = getHttpVal('sl', ''); + if (strcasecmp($sl, 'fast')==0) $sl=$baseParams['__YKVAL_SYNC_FAST_LEVEL__']; + if (strcasecmp($sl, 'secure')==0) $sl=$baseParams['__YKVAL_SYNC_SECURE_LEVEL__']; + if (!$sl) $sl=$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__']; + + $timeout = getHttpVal('timeout', ''); + + if (!$timeout) $timeout=$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__']; + } //// Get Client info from DB // @@ -54,10 +67,11 @@ if ($h != '') { $a = array (); $a['id'] = $client; $a['otp'] = $otp; - // include timestamp in signature if it exists + // include timestamp,sl and timeout in signature if it exists if ($timestamp) $a['timestamp'] = $timestamp; + if ($sl) $a['sl'] = $sl; + if ($timeout) $a['timeout'] = $timeout; $hmac = sign($a, $apiKey); - // Compare it if ($hmac != $h) { debug('client hmac=' . $h . ', server hmac=' . $hmac); @@ -161,7 +175,7 @@ if (mysql_num_rows($r) > 0) { } //// Queue sync requests -$sl = new SyncLib(); +$sync = new SyncLib(); // We need the modifed value from the DB $stmp = 'SELECT accessed FROM yubikeys WHERE id=' . $ad['id']; query($conn, $stmt); @@ -183,34 +197,49 @@ $localParams=array('modified'=>DbTimeToUnix($ad['accessed']), 'yk_low'=>$ad['low']); -if (!$sl->queue($otpParams, $localParams)) { +if (!$sync->queue($otpParams, $localParams)) { debug("ykval-verify:critical:failed to queue sync requests"); sendResp(S_BACKEND_ERROR, $apiKey); exit; } -$required_answers=$sl->getNumberOfServers(); -$syncres=$sl->sync($required_answers); -$answers=$sl->getNumberOfAnswers(); -$valid_answers=$sl->getNumberOfValidAnswers(); +$nr_servers=$sync->getNumberOfServers(); +$req_answers=ceil($nr_servers*$sl/100); +if ($req_answers>0) { + $syncres=$sync->sync($req_answers, $timeout); + $nr_answers=$sync->getNumberOfAnswers(); + $nr_valid_answers=$sync->getNumberOfValidAnswers(); + $sl_success_rate=floor($nr_valid_answers / $nr_servers * 100); + + } else { + $nr_answers=0; + $nr_valid_answers=0; + $sl_success_rate=0; + } +debug("ykval-verify:notice:synclevel=" . $sl . + " nr servers=" . $nr_servers . + " req answers=" . $req_answers . + " answers=" . $nr_answers . + " valid answers=" . $nr_valid_answers . + " sl success rate=" . $sl_success_rate . + " timeout=" . $timeout); -debug("ykval-verify:notice:number of servers=" . $required_answers); -debug("ykval-verify:notice:number of answers=" . $answers); -debug("ykval-verify:notice:number of valid answers=" . $valid_answers); if($syncres==False) { -# sync returned false, indicating that -# either at least 1 answer marked OTP as invalid or -# there were not enough answers + /* sync returned false, indicating that + either at least 1 answer marked OTP as invalid or + there were not enough answers */ debug("ykval-verify:notice:Sync failed"); - if ($valid_answers!=$answers) { + if ($nr_valid_answers!=$nr_answers) { sendResp(S_REPLAYED_OTP, $apiKey); exit; } else { + $extra=array('sl'=>$sl_success_rate); sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey); exit; } } + //// Check the time stamp // if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) { @@ -249,12 +278,18 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) { } } +/* Construct response parameters */ +$extra=array(); +if ($protocol_version>=2.0) { + $extra['otp']=$otp; + $extra['sl'] = $sl_success_rate; + } if ($timestamp==1){ $extra['timestamp'] = ($otpinfo['high'] << 16) + $otpinfo['low']; $extra['sessioncounter'] = $sessionCounter; $extra['sessionuse'] = $sessionUse; - sendResp(S_OK, $apiKey, $extra); - } else { - sendResp(S_OK, $apiKey); - } + } + +sendResp(S_OK, $apiKey, $extra); + ?>