rooty/yubikey-val
1
0
Fork 0
mirror of https://github.com/Yubico/yubikey-val.git synced 2024-11-29 09:24:12 +01:00
Code Issues Projects Releases Wiki Activity
a839954882
yubikey-val/ykval-sync.php
Olov Danielson a839954882 Unified logging to use Log class defined in ykval-log.php which in turn uses syslog. 
NOTE: ykval common debug function is still available but uses Log class aswell to actually
log message.
2010-01-11 12:06:00 +00:00

134 lines
3.8 KiB
PHP
Raw Blame History

<?php
require_once 'ykval-common.php';
require_once 'ykval-config.php';
require_once 'ykval-synclib.php';
$apiKey = '';
header("content-type: text/plain");
$myLog = new Log('ykval-sync');
$myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);
$sync = new SyncLib('ykval-sync:synclib');
if (! $sync->isConnected()) {
sendResp(S_BACKEND_ERROR, $apiKey);
exit;
}
#
# Verify that request comes from valid server
#
$myLog->log(LOG_INFO, 'remote request ip is ' . $_SERVER['REMOTE_ADDR']);
$allowed=False;
foreach ($baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] as $server) {
$myLog->log(LOG_DEBUG, 'checking against ip ' . $server);
if ($_SERVER['REMOTE_ADDR'] == $server) {
$myLog->log(LOG_DEBUG, 'server ' . $server . ' is allowed');
$allowed=True;
break;
}
}
if (!$allowed) {
$myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']);
sendResp(S_OPERATION_NOT_ALLOWED, $apiKey);
exit;
}
#
# Define requirements on protocoll
#
$syncParams=array('modified'=>Null,
'otp'=>Null,
'nonce'=>Null,
'yk_publicname'=>Null,
'yk_counter'=>Null,
'yk_use'=>Null,
'yk_high'=>Null,
'yk_low'=>Null);
#
# Extract values from HTTP request
#
$tmp_log = "Received ";
foreach ($syncParams as $param=>$value) {
$value = getHttpVal($param, Null);
if ($value==Null) {
$myLog->log(LOG_NOTICE, "Recevied request with parameter[s] missing");
sendResp(S_MISSING_PARAMETER, '');
exit;
}
$syncParams[$param]=$value;
$local_log .= "$param=$value ";
}
$myLog->log(LOG_INFO, $tmp_log);
#
# Get local counter data
#
$yk_publicname = $syncParams['yk_publicname'];
$localParams = $sync->getLocalParams($yk_publicname);
if (!$localParams) {
$myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
sendResp(S_BACKEND_ERROR, $apiKey);
exit;
}
if ($localParams['active'] != 1) {
$myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $yk_publicname);
sendResp(S_BAD_OTP, $apiKey);
exit;
}
#
# Compare sync and local counters and generate warnings according to
#
# http://code.google.com/p/yubikey-val-server-php/wiki/ServerReplicationProtocol
#
/* Conditional update local database */
$sync->updateDbCounters($syncParams);
if ($sync->countersHigherThan($localParams, $syncParams)) {
/* sync counters are lower than local counters */
$myLog->log(LOG_WARNING, 'Remote server out of sync. Local params ' , $localParams);
$myLog->log(LOG_WARNING, 'Remote server out of sync. Sync params ' , $syncParams);
}
if ($sync->countersEqual($localParams, $syncParams)) {
/* sync counters are equal to local counters. */
if ($syncParams['modified']==$localParams['modified']) {
/* sync modified is equal to local modified.
Sync request is unnessecarily sent, we log a "light" warning */
$myLog->log(LOG_WARNING, 'Sync request unnessecarily sent');
} else {
/* sync modified is not equal to local modified.
We have an OTP replay attempt somewhere in the system */
$myLog->log(LOG_WARNING, 'Replayed OTP attempt. Modified differs. Local ', $localParams);
$myLog->log(LOG_WARNING, 'Replayed OTP attempt. Modified differs. Sync ', $syncParams);
}
if ($syncParams['nonce']!=$localParams['nonce']) {
$myLog->log(LOG_WARNING, 'Replayed OTP attempt. Nonce differs. Local ', $localParams);
$myLog->log(LOG_WARNING, 'Replayed OTP attempt. Nonce differs. Sync ', $syncParams);
}
}
$extra=array('modified'=>$localParams['modified'],
'nonce'=>$localParams['nonce'],
'yk_publicname'=>$yk_publicname,
'yk_counter'=>$localParams['yk_counter'],
'yk_use'=>$localParams['yk_use'],
'yk_high'=>$localParams['yk_high'],
'yk_low'=>$localParams['yk_low']);
sendResp(S_OK, '', $extra);
?>
Reference in New Issue View Git Blame Copy Permalink