Taking care of sl and timeout parameters in new protocol
This commit is contained in:
parent
530498ef71
commit
f7cf1e1a5d
@ -10,8 +10,12 @@ $baseParams['__YKVAL_DB_PW__'] = 'lab';
|
|||||||
$baseParams['__YKVAL_SYNC_POOL__'] = "http://api2.yubico.com/wsapi/sync;http://api3.yubico.com/wsapi/sync;http://api4.yubico.com/wsapi/sync";
|
$baseParams['__YKVAL_SYNC_POOL__'] = "http://api2.yubico.com/wsapi/sync;http://api3.yubico.com/wsapi/sync;http://api4.yubico.com/wsapi/sync";
|
||||||
$baseParams['__YKVAL_SYNC_INTERVAL__'] = 60;
|
$baseParams['__YKVAL_SYNC_INTERVAL__'] = 60;
|
||||||
$baseParams['__YKVAL_SYNC_MAX_SIMUL__'] = 50;
|
$baseParams['__YKVAL_SYNC_MAX_SIMUL__'] = 50;
|
||||||
$baseParams['__YKVAL_SYNC_TIMEOUT__'] = 30;
|
$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;
|
||||||
$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 1;
|
$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 1;
|
||||||
|
$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
|
||||||
|
$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 50;
|
||||||
|
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 50;
|
||||||
|
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;
|
||||||
|
|
||||||
# For the get-api-key service.
|
# For the get-api-key service.
|
||||||
$baseParams['__YKGAK_DB_HOST__'] = $baseParams['__YKVAL_DB_HOST__'];
|
$baseParams['__YKGAK_DB_HOST__'] = $baseParams['__YKVAL_DB_HOST__'];
|
||||||
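Review bot: `__YKVAL_SYNC_TIMEOUT__` is renamed to `__YKVAL_SYNC_RESYNC_TIMEOUT__` with no migration path, so a deployed config that still defines the old key leaves `$this->resync_timeout` unset where the SyncLib constructor reads the new key (the `@ -20,7 +20,7 @@ class SyncLib` hunk further down). Either keep the old key as a documented alias in this file or have the constructor fall back, e.g. `$this->resync_timeout = isset($baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__']) ? $baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] : $baseParams['__YKVAL_SYNC_TIMEOUT__'];`. The new `__YKVAL_SYNC_FAST_LEVEL__`, `__YKVAL_SYNC_SECURE_LEVEL__`, `__YKVAL_SYNC_DEFAULT_LEVEL__` and `__YKVAL_SYNC_DEFAULT_TIMEOUT__` entries also deserve a one-line comment each stating their units (percentage of sync servers that must answer, seconds), since the verify script derives `ceil($nr_servers*$sl/100)` and a curl timeout from them and nothing here says so.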
|
@ -20,7 +20,7 @@ class SyncLib
|
|||||||
$this->db->connect();
|
$this->db->connect();
|
||||||
$this->random_key=rand(0,1<<16);
|
$this->random_key=rand(0,1<<16);
|
||||||
$this->max_url_chunk=$baseParams['__YKVAL_SYNC_MAX_SIMUL__'];
|
$this->max_url_chunk=$baseParams['__YKVAL_SYNC_MAX_SIMUL__'];
|
||||||
$this->resync_timeout=$baseParams['__YKVAL_SYNC_TIMEOUT__'];
|
$this->resync_timeout=$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'];
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -303,7 +303,7 @@ class SyncLib
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
public function sync($ans_req)
|
public function sync($ans_req, $timeout=1)
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
Construct URLs
|
Construct URLs
|
||||||
@ -321,7 +321,7 @@ class SyncLib
|
|||||||
/*
|
/*
|
||||||
Send out requests
|
Send out requests
|
||||||
*/
|
*/
|
||||||
if (count($urls)>=$ans_req) $ans_arr=$this->retrieveURLasync($urls, $ans_req);
|
if (count($urls)>=$ans_req) $ans_arr=$this->retrieveURLasync($urls, $ans_req, $timeout);
|
||||||
else return false;
|
else return false;
|
||||||
|
|
||||||
if (!is_array($ans_arr)) {
|
if (!is_array($ans_arr)) {
|
||||||
@ -423,7 +423,7 @@ class SyncLib
|
|||||||
curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL");
|
curl_setopt($handle, CURLOPT_USERAGENT, "YK-VAL");
|
||||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
|
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
|
||||||
curl_setopt($handle, CURLOPT_FAILONERROR, true);
|
curl_setopt($handle, CURLOPT_FAILONERROR, true);
|
||||||
curl_setopt($handle, CURLOPT_TIMEOUT, 10);
|
curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);
|
||||||
|
|
||||||
curl_multi_add_handle($mh, $handle);
|
curl_multi_add_handle($mh, $handle);
|
||||||
|
|
||||||
@ -468,7 +468,7 @@ class SyncLib
|
|||||||
unset ($ch[$info['handle']]);
|
unset ($ch[$info['handle']]);
|
||||||
}
|
}
|
||||||
|
|
||||||
curl_multi_select ($mh, $timeout);
|
curl_multi_select ($mh);
|
||||||
}
|
}
|
||||||
} while($active);
|
} while($active);
|
||||||
|
|
||||||
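Review bot: In the `@ -423,7 +423,7 @@` hunk `curl_setopt($handle, CURLOPT_TIMEOUT, $timeout)` now takes a value supplied by the caller of `sync()`, and as far as this page shows the only guard on its path is `if (!$timeout)` in the verify script, which rejects an empty or zero value but lets any other string through. curl_setopt coerces the value to an integer, so a non-numeric string becomes 0, which for CURLOPT_TIMEOUT means no timeout at all, while a very large number keeps every sync connection of that request open for as long as the client chooses. Coerce and bound it once at the top of `retrieveURLasync()` before the loop, e.g. `$timeout = (int)$timeout; if ($timeout < 1) $timeout = 1;`, and consider an upper bound taken from the sync configuration rather than from the request. Both `sync()` and `retrieveURLasync()` begin outside their hunks, so the rest of each body is not visible here.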
|
@ -9,6 +9,8 @@ header("content-type: text/plain");
|
|||||||
|
|
||||||
debug("Request: " . $_SERVER['QUERY_STRING']);
|
debug("Request: " . $_SERVER['QUERY_STRING']);
|
||||||
|
|
||||||
|
$protocol_version=2.0;
|
||||||
|
|
||||||
$conn = mysql_connect($baseParams['__YKVAL_DB_HOST__'],
|
$conn = mysql_connect($baseParams['__YKVAL_DB_HOST__'],
|
||||||
$baseParams['__YKVAL_DB_USER__'],
|
$baseParams['__YKVAL_DB_USER__'],
|
||||||
$baseParams['__YKVAL_DB_PW__']);
|
$baseParams['__YKVAL_DB_PW__']);
|
||||||
@ -28,6 +30,17 @@ $client = getHttpVal('id', 0);
|
|||||||
$otp = getHttpVal('otp', '');
|
$otp = getHttpVal('otp', '');
|
||||||
$otp = strtolower($otp);
|
$otp = strtolower($otp);
|
||||||
$timestamp = getHttpVal('timestamp', 0);
|
$timestamp = getHttpVal('timestamp', 0);
|
||||||
|
if ($protocol_version>=2.0) {
|
||||||
|
|
||||||
|
$sl = getHttpVal('sl', '');
|
||||||
|
if (strcasecmp($sl, 'fast')==0) $sl=$baseParams['__YKVAL_SYNC_FAST_LEVEL__'];
|
||||||
|
if (strcasecmp($sl, 'secure')==0) $sl=$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'];
|
||||||
|
if (!$sl) $sl=$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'];
|
||||||
|
|
||||||
|
$timeout = getHttpVal('timeout', '');
|
||||||
|
|
||||||
|
if (!$timeout) $timeout=$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'];
|
||||||
|
}
|
||||||
|
|
||||||
//// Get Client info from DB
|
//// Get Client info from DB
|
||||||
//
|
//
|
||||||
@ -54,10 +67,11 @@ if ($h != '') {
|
|||||||
$a = array ();
|
$a = array ();
|
||||||
$a['id'] = $client;
|
$a['id'] = $client;
|
||||||
$a['otp'] = $otp;
|
$a['otp'] = $otp;
|
||||||
// include timestamp in signature if it exists
|
// include timestamp,sl and timeout in signature if it exists
|
||||||
if ($timestamp) $a['timestamp'] = $timestamp;
|
if ($timestamp) $a['timestamp'] = $timestamp;
|
||||||
|
if ($sl) $a['sl'] = $sl;
|
||||||
|
if ($timeout) $a['timeout'] = $timeout;
|
||||||
$hmac = sign($a, $apiKey);
|
$hmac = sign($a, $apiKey);
|
||||||
|
|
||||||
// Compare it
|
// Compare it
|
||||||
if ($hmac != $h) {
|
if ($hmac != $h) {
|
||||||
debug('client hmac=' . $h . ', server hmac=' . $hmac);
|
debug('client hmac=' . $h . ', server hmac=' . $hmac);
|
||||||
@ -161,7 +175,7 @@ if (mysql_num_rows($r) > 0) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
//// Queue sync requests
|
//// Queue sync requests
|
||||||
$sl = new SyncLib();
|
$sync = new SyncLib();
|
||||||
// We need the modifed value from the DB
|
// We need the modifed value from the DB
|
||||||
$stmp = 'SELECT accessed FROM yubikeys WHERE id=' . $ad['id'];
|
$stmp = 'SELECT accessed FROM yubikeys WHERE id=' . $ad['id'];
|
||||||
query($conn, $stmt);
|
query($conn, $stmt);
|
||||||
@ -183,34 +197,49 @@ $localParams=array('modified'=>DbTimeToUnix($ad['accessed']),
|
|||||||
'yk_low'=>$ad['low']);
|
'yk_low'=>$ad['low']);
|
||||||
|
|
||||||
|
|
||||||
if (!$sl->queue($otpParams, $localParams)) {
|
if (!$sync->queue($otpParams, $localParams)) {
|
||||||
debug("ykval-verify:critical:failed to queue sync requests");
|
debug("ykval-verify:critical:failed to queue sync requests");
|
||||||
sendResp(S_BACKEND_ERROR, $apiKey);
|
sendResp(S_BACKEND_ERROR, $apiKey);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
$required_answers=$sl->getNumberOfServers();
|
$nr_servers=$sync->getNumberOfServers();
|
||||||
$syncres=$sl->sync($required_answers);
|
$req_answers=ceil($nr_servers*$sl/100);
|
||||||
$answers=$sl->getNumberOfAnswers();
|
if ($req_answers>0) {
|
||||||
$valid_answers=$sl->getNumberOfValidAnswers();
|
$syncres=$sync->sync($req_answers, $timeout);
|
||||||
|
$nr_answers=$sync->getNumberOfAnswers();
|
||||||
|
$nr_valid_answers=$sync->getNumberOfValidAnswers();
|
||||||
|
$sl_success_rate=floor($nr_valid_answers / $nr_servers * 100);
|
||||||
|
|
||||||
|
} else {
|
||||||
|
$nr_answers=0;
|
||||||
|
$nr_valid_answers=0;
|
||||||
|
$sl_success_rate=0;
|
||||||
|
}
|
||||||
|
debug("ykval-verify:notice:synclevel=" . $sl .
|
||||||
|
" nr servers=" . $nr_servers .
|
||||||
|
" req answers=" . $req_answers .
|
||||||
|
" answers=" . $nr_answers .
|
||||||
|
" valid answers=" . $nr_valid_answers .
|
||||||
|
" sl success rate=" . $sl_success_rate .
|
||||||
|
" timeout=" . $timeout);
|
||||||
|
|
||||||
debug("ykval-verify:notice:number of servers=" . $required_answers);
|
|
||||||
debug("ykval-verify:notice:number of answers=" . $answers);
|
|
||||||
debug("ykval-verify:notice:number of valid answers=" . $valid_answers);
|
|
||||||
if($syncres==False) {
|
if($syncres==False) {
|
||||||
# sync returned false, indicating that
|
/* sync returned false, indicating that
|
||||||
# either at least 1 answer marked OTP as invalid or
|
either at least 1 answer marked OTP as invalid or
|
||||||
# there were not enough answers
|
there were not enough answers */
|
||||||
debug("ykval-verify:notice:Sync failed");
|
debug("ykval-verify:notice:Sync failed");
|
||||||
if ($valid_answers!=$answers) {
|
if ($nr_valid_answers!=$nr_answers) {
|
||||||
sendResp(S_REPLAYED_OTP, $apiKey);
|
sendResp(S_REPLAYED_OTP, $apiKey);
|
||||||
exit;
|
exit;
|
||||||
} else {
|
} else {
|
||||||
|
$extra=array('sl'=>$sl_success_rate);
|
||||||
sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey);
|
sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
//// Check the time stamp
|
//// Check the time stamp
|
||||||
//
|
//
|
||||||
if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
|
if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
|
||||||
@ -249,12 +278,18 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Construct response parameters */
|
||||||
|
$extra=array();
|
||||||
|
if ($protocol_version>=2.0) {
|
||||||
|
$extra['otp']=$otp;
|
||||||
|
$extra['sl'] = $sl_success_rate;
|
||||||
|
}
|
||||||
if ($timestamp==1){
|
if ($timestamp==1){
|
||||||
$extra['timestamp'] = ($otpinfo['high'] << 16) + $otpinfo['low'];
|
$extra['timestamp'] = ($otpinfo['high'] << 16) + $otpinfo['low'];
|
||||||
$extra['sessioncounter'] = $sessionCounter;
|
$extra['sessioncounter'] = $sessionCounter;
|
||||||
$extra['sessionuse'] = $sessionUse;
|
$extra['sessionuse'] = $sessionUse;
|
||||||
sendResp(S_OK, $apiKey, $extra);
|
|
||||||
} else {
|
|
||||||
sendResp(S_OK, $apiKey);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sendResp(S_OK, $apiKey, $extra);
|
||||||
|
|
||||||
?>
|
?>
|
||||||
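Review bot: In the `@ -54,10 +67,11 @@` hunk the HMAC is recomputed over `$sl` and `$timeout` after they have already been normalized by the `@ -28,6 +30,17 @@` hunk, which maps `fast`/`secure` to numeric levels and substitutes the configured defaults when a parameter is absent, so the server signs values the client never sent. A signed request that omits `sl` gets `sl=<default level>` added to the signed set, and one that sends `sl=fast` is checked against the numeric fast level, so any signed request that omits either parameter or uses the keywords fails the `$hmac != $h` comparison. Keep the raw request values for signing and normalize into separate variables: in the parsing hunk `$sl_in = getHttpVal('sl', ''); $timeout_in = getHttpVal('timeout', '');` and in the signing hunk `if ($sl_in !== '') $a['sl'] = $sl_in; if ($timeout_in !== '') $a['timeout'] = $timeout_in;`. The comparison line itself is context rather than new code, but while touching this block a strict `!==` (or `hash_equals()` where the runtime provides it) would be the safer comparison for a signature.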
|