Dain Nilsson
1b2dfd136c
Use constant time string comparisson for validating HMAC signature
...
(fixes #26 ).
2014-09-27 15:47:57 +02:00
Simon Josefsson
276616d871
Use LF as EOL consistently.
2013-04-17 17:24:50 +02:00
Simon Josefsson
ae217ceb10
Log query for POST requests too.
2013-03-12 11:23:25 +01:00
Dain Nilsson
ee1f040b00
Updated copyright headers.
2013-02-04 17:39:36 +01:00
Klas Lindfors
34706698a4
Merge branch 'master' into feature/oracle_support
...
Conflicts:
ykval-db.php
ykval-export.php
ykval-synclib.php
2012-06-29 10:33:41 +02:00
Fredrik Thulin
499377fd2f
Change protocol version logging to 'debug'.
2012-06-14 15:54:51 +02:00
Fredrik Thulin
6c80f76102
Get rid of debug() - use log_format() for the formatting part.
2012-06-14 15:23:53 +02:00
Fredrik Thulin
765620f17b
Merge branch 'master' of github.com:Yubico/yubikey-val-server-php into devel/refactor_retrieveURLasync
2012-06-14 15:19:19 +02:00
Fredrik Thulin
c8e9eb828f
Pass logger object to retrieveURLasync()
2012-06-14 15:19:04 +02:00
Klas Lindfors
6c9edb0db2
instead of passing context to sendResp, give it a logger.
2012-06-14 15:15:47 +02:00
Klas Lindfors
01969a279e
let sendResp take one more parameter $context
...
use for logging if it's a response to sync or verify.
2012-06-14 14:55:50 +02:00
Klas Lindfors
cf49385bf3
rest of oracle patches from Remi Mollon <Remi.Mollon@cern.ch>
2012-06-12 10:35:49 +02:00
Fredrik Thulin
b5976ad3c9
delete-trailing-whitespace
2012-05-29 11:07:19 +02:00
Klas Lindfors
6a94b396dc
check if $sl or $timeout is empty, if they are insert default
2012-05-24 14:37:01 +02:00
Simon Josefsson
f2b05822ef
Silence PHP warnings.
2012-05-21 09:12:33 +02:00
Klas Lindfors
2e0dbfa2c3
build up the array to sign by taking $_GET or $_POST and remove the h key
2012-05-16 13:45:08 +02:00
Klas Lindfors
854a6527d6
update comment about nonce to reflect what the code actually does enforce
2012-05-08 13:43:21 +02:00
Klas Lindfors
da24a3fe30
fix fast or secure strings as sl
...
move transformation of strings for sync and default values for sync and
timeout to before sanity checking.
2012-02-22 14:27:24 +01:00
Simon Josefsson
a68539e884
Tiny fixes to silence PHP warnings from Hiroki Nose <Hiroki_Nose@totec.co.jp>.
...
1. PHP Notice: Use of undefined constant CURL_OK - assumed 'CURL_OK' in /usr/share/ykval/ykval-common.php on line 156
2. PHP Notice: Undefined index: HTTPS in /usr/share/ykval/ykval-verify.php on line 14
3. PHP Notice: Undefined variable: query in /usr/share/ykval/ykval-db.php on line 186
2011-10-25 08:08:31 +00:00
Simon Josefsson
fb506d0238
Don't echo (unsanitized) OTP/NONCE values back to client when
...
sending error codes. Reported by Paul van Empelen.
2011-08-18 12:19:15 +00:00
Simon Josefsson
016313a1e3
Support YubiKey OTPs filtered through a US Dvorak keyboard layout.
2010-09-21 08:13:36 +00:00
Simon Josefsson
dd9f472e77
Fix typo.
2010-09-12 10:42:32 +00:00
Simon Josefsson
8ea97ab0fb
Sanity check OTP variable before trusting it.
...
Reported by Ricky Zhou <ricky@fedoraproject.org>.
2010-09-12 10:39:23 +00:00
Simon Josefsson
c9f58a83c7
Log HTTPS status.
2010-08-22 14:38:26 +00:00
Simon Josefsson
069092fd6b
Timestamp requests.
2010-08-22 13:27:46 +00:00
Simon Josefsson
7b18b50ee7
When number of sync servers equals zero, set sync result to success.
...
Patch from arte42.ripe in issue #7 .
2010-05-17 13:06:06 +00:00
Simon Josefsson
2f099df58c
Don't reject on nonce error for v1.x requests.
2010-04-23 21:44:25 +00:00
Simon Josefsson
522c301dae
Permit somewhat longer nonces (think SHA1 hex).
2010-04-23 20:33:45 +00:00
Simon Josefsson
4ac054f9cd
Improve error checking of nonce.
2010-04-23 20:32:39 +00:00
Olov Danielson
93652d54f6
Corrected spelling error for replayed_request
2010-01-20 14:06:57 +00:00
Olov Danielson
1809e7fb90
Added otp, nonce in all responses for protocol >= 2.0.
2010-01-20 10:37:21 +00:00
Olov Danielson
6ab59bb850
.
2010-01-19 12:53:29 +00:00
Olov Danielson
9bc6b90e45
In protocol versions less than 2.0, nonce needs to added by server. This must be done after signature is computed.
2010-01-19 12:45:31 +00:00
Simon Josefsson
9cf8bce177
Fix last commit.
2010-01-14 14:19:20 +00:00
Simon Josefsson
005b6af0fc
Review fixes.
2010-01-14 14:15:17 +00:00
Olov Danielson
12bd456dca
.
2010-01-14 11:58:19 +00:00
Olov Danielson
c2245924cf
Added possibility to use custom fields in logging module. Also added client IP and otp in verify and sync logs.
2010-01-14 11:25:17 +00:00
Olov Danielson
433c82cce7
Added a few checks for input parameters and corrected warnings according to new docuemnt
2010-01-14 09:39:48 +00:00
Olov Danielson
ab952c523c
.
2010-01-13 15:32:57 +00:00
Olov Danielson
0d105e5ecc
.
2010-01-12 15:24:38 +00:00
Olov Danielson
6cc547f791
Remove ID column from yubikeys and queue table. Renamed and changed random_key to server_nonce
2010-01-12 13:00:28 +00:00
Olov Danielson
a839954882
Unified logging to use Log class defined in ykval-log.php which in turn uses syslog.
...
NOTE: ykval common debug function is still available but uses Log class aswell to actually
log message.
2010-01-11 12:06:00 +00:00
Olov Danielson
851aa21c66
Changed to using PDO database connection
2010-01-08 16:35:25 +00:00
Olov Danielson
b9701c16ea
Changed DB-names to be more consistent (WARNING current revision might be broken but needs to be submitted for multiserver test purposes)
2010-01-08 13:54:33 +00:00
Olov Danielson
6788e5effa
1. Nonce introduced in protocol. This required changes in the chain from client->verify->sync.
...
2. ykval-verify is modified a bit. It now acts more as a flow controller and relies on ykval-synclib
to do details on DB-calls and counterlogic. The "system" decision making is still located in ykval-verify.
2009-12-15 10:17:51 +00:00
Olov Danielson
7be831db12
Corrected calculation of hmac with extra parameters (protocol v. 2). Corrected calculation of sl return value (use float inside)
2009-12-08 16:07:08 +00:00
Olov Danielson
03366efa60
sl parameter returned on "NOT_ENOUGH_ANSWERS"
2009-12-08 10:26:27 +00:00
Olov Danielson
f7cf1e1a5d
Taking care of sl and timeout parameters in new protocol
2009-12-07 19:13:20 +00:00
Olov Danielson
55aeffc066
Storing local param info at the time when verify request arrived.
...
Used to give correct warnings of wether local/remote is out of sync or not
2009-12-04 11:57:49 +00:00
Olov Danielson
f04dcbc0e7
Committed first trial version for replication protocol.
2009-12-02 17:32:20 +00:00
Olov Danielson
65d150ccde
Added option to get timestamp and session counters in the response.
...
Use with
verify?id=x&otp=xxx..×tamp=1
returns timestamp, sessoncounter and session use in response
2009-10-05 14:53:28 +00:00
Simon Josefsson
9b5602656a
Lay foundation for get-api-key service.
2009-08-28 10:55:56 +00:00
Simon Josefsson
479d5b1e7f
Cleanups.
2009-05-06 15:07:05 +00:00
Simon Josefsson
2a0a4e389e
If adding key doesn't work, it is an internal error.
2009-05-06 14:44:03 +00:00
Simon Josefsson
4050b68af8
Don't use die.
2009-05-06 14:23:04 +00:00
Simon Josefsson
c72f75f539
Drop chk_time.
2009-05-06 13:20:40 +00:00
Simon Josefsson
716182d744
Rename and cleanup.
2009-05-04 14:41:18 +00:00