mirror of
https://github.com/Yubico/yubikey-val.git
synced 2024-12-03 03:24:15 +01:00
382cfc2ab5
- our ksm daemon listens on port 8002 by default, so ykval should also have the same default.
133 lines
4.7 KiB
PHP
133 lines
4.7 KiB
PHP
<?php
|
|
|
|
# Copyright (c) 2009-2015 Yubico AB
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are
|
|
# met:
|
|
#
|
|
# * Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# * Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following
|
|
# disclaimer in the documentation and/or other materials provided
|
|
# with the distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
|
/**
|
|
* Load database configuration settings from config-db.php if available,
|
|
* otherwise default to values specified below.
|
|
*/
|
|
$dbfile = '/etc/yubico/val/config-db.php';
|
|
|
|
if (file_exists($dbfile) && @is_readable($dbfile))
|
|
{
|
|
require_once $dbfile;
|
|
}
|
|
else
|
|
{
|
|
// FIXME hostname
|
|
// FIXME port
|
|
// 'oci:oracledb' for Oracle DB (with OCI library)
|
|
$dbtype = 'mysql';
|
|
$dbuser = 'ykval_verifier';
|
|
$dbpass = 'yourpassword';
|
|
$dbname = 'ykval';
|
|
}
|
|
|
|
// for the validation interface.
|
|
$baseParams = array ();
|
|
$baseParams['__YKVAL_DB_DSN__'] = "$dbtype:dbname=$dbname;host=127.0.0.1";
|
|
$baseParams['__YKVAL_DB_USER__'] = $dbuser;
|
|
$baseParams['__YKVAL_DB_PW__'] = $dbpass;
|
|
$baseParams['__YKVAL_DB_OPTIONS__'] = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION);
|
|
|
|
// for the validation server sync
|
|
$baseParams['__YKVAL_SYNC_POOL__'] = array(
|
|
// "https://api2.example.com/wsapi/2.0/sync",
|
|
// "https://api3.example.com/wsapi/2.0/sync",
|
|
// "https://api4.example.com/wsapi/2.0/sync",
|
|
);
|
|
|
|
/**
|
|
* An array of IP addresses which are allowed to issue sync requests to us.
|
|
*
|
|
* NOTE: You must use IP addreseses here. Hostnames will be ignored!
|
|
* Both IPv4 and IPv6 are supported.
|
|
*/
|
|
$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array(
|
|
// "1.2.3.4",
|
|
// "2.3.4.5",
|
|
// "3.4.5.6",
|
|
// "fc00:aaaa::",
|
|
// "fc00:bbbb::",
|
|
// "fc00:cccc::",
|
|
);
|
|
|
|
// An array of IP addresses allowed to issue YubiKey activation/deactivation
|
|
// requests through ykval-revoke.php. NOTE: You must use IP addresses here.
|
|
$baseParams['__YKREV_IPS__'] = array(/*"127.0.0.1"*/);
|
|
// An array of IP addresses allowed to issue database resync requests through
|
|
// ykval-resync.php. NOTE: You must use IP addresses here.
|
|
// $baseParams['__YKRESYNC_IPS__'] = array("127.0.0.1");
|
|
// Use the same as for issuing sync requests:
|
|
$baseParams['__YKRESYNC_IPS__'] = $baseParams['__YKVAL_ALLOWED_SYNC_POOL__'];
|
|
|
|
// Specify how often the sync daemon awakens
|
|
$baseParams['__YKVAL_SYNC_INTERVAL__'] = 10;
|
|
// Specify how long the sync daemon will wait for response
|
|
$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;
|
|
// Specify how old entries in the database should be considered aborted attempts
|
|
$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;
|
|
|
|
// These are settings for the validation server.
|
|
$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
|
|
$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
|
|
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 60;
|
|
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;
|
|
|
|
// A key -> value array with curl options to set
|
|
// when calling URLs defined in __YKVAL_SYNC_POOL__
|
|
$baseParams['__YKVAL_SYNC_CURL_OPTS__'] = array(
|
|
//CURLOPT_PROTOCOLS => CURLPROTO_HTTP,
|
|
);
|
|
|
|
// A key -> value array with curl options to set
|
|
// when calling URLs returned by otp2ksmurls()
|
|
$baseParams['__YKVAL_KSM_CURL_OPTS__'] = array(
|
|
//CURLOPT_PROTOCOLS => CURLPROTO_HTTP,
|
|
);
|
|
|
|
// Returns an array of YK-KSM URLs for decrypting $otp for $client.
|
|
// The URLs must be fully qualified, i.e., containing the OTP itself.
|
|
function otp2ksmurls ($otp, $client)
|
|
{
|
|
//if ($client == 42) {
|
|
// return array("https://another-ykkms.example.com/wsapi/decrypt?otp=$otp");
|
|
//}
|
|
|
|
//if (preg_match("/^dteffujehknh/", $otp)) {
|
|
// return array("https://different-ykkms.example.com/wsapi/decrypt?otp=$otp");
|
|
//}
|
|
|
|
return array(
|
|
// "https://ykkms1.example.com/wsapi/decrypt?otp=$otp",
|
|
// "https://ykkms2.example.com/wsapi/decrypt?otp=$otp",
|
|
"http://127.0.0.1:8002/wsapi/decrypt?otp=$otp",
|
|
);
|
|
}
|