// Excerpt: starts inside a block that was opened before this fragment; the
// closing brace below ends it.
sendResp(S_MISSING_PARAMETER, $myLog);
}

// Reject a nonce whose length is outside 16..40 (strlen() counts bytes).
// Only the length is enforced here; any character-set check is not visible
// in this excerpt.
if (isset($nonce) && (strlen($nonce) < 16 || strlen($nonce) > 40)) {
    $myLog->log(LOG_NOTICE, 'Nonce too short or too long');
    sendResp(S_MISSING_PARAMETER, $myLog);
}

/**
 * Timestamp parameter is not checked since current protocol
 * says that 1 means request timestamp and anything else is discarded.
 */

/**
 * Initialize the sync library. Strive to use this instead of custom
 * DB requests, custom comparisons etc.
 */
$sync = new SyncLib('ykval-verify:synclib');
$sync->addField('ip', $ipaddr);
$sync->addField('otp', $otp);

// NOTE(review): nothing stops execution after sendResp() in these branches;
// presumably sendResp() ends the request itself. Confirm, otherwise the
// code below runs without a backend or with $cd === FALSE.
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
}

// Strict comparison: only a literal FALSE from getClientData() counts as
// "no such client".
if (($cd = $sync->getClientData($client)) === FALSE) {
    $myLog->log(LOG_NOTICE, "Invalid client id {$client}");
    sendResp(S_NO_SUCH_CLIENT, $myLog);
}

// NOTE(review): $cd is handed to the logger whole, and it contains the
// client's shared secret ($cd['secret'] is read just below). Whether the
// Log class redacts it is not visible here. If it does not, DEBUG logs
// hold API keys and must be protected accordingly, or the field dropped
// before logging.
$myLog->log(LOG_DEBUG, 'Client data:', $cd);

/**
 * Check client signature
 */
$apiKey = $cd['secret'];
// base64_decode() runs in its default non-strict mode, which silently skips
// characters outside the base64 alphabet instead of failing. A malformed
// stored secret therefore yields a different key rather than an error.
$apiKey = base64_decode($apiKey);
// Drop the client record once the key is extracted; the decoded key stays
// in $apiKey.
unset($cd);
// Excerpt: starts inside the first branch of an if/else opened before this
// fragment. This branch collects the public name of every active key.
// The SQL text is a constant; no request data is interpolated into it.
$res = $db->customQuery("SELECT yk_publicname FROM yubikeys WHERE active = true");
// NOTE(review): $yubikeys is appended to without a visible initialisation
// in this excerpt. Confirm it is set to an empty array earlier.
while ($r = $db->fetchArray($res)) {
    $yubikeys[] = $r['yk_publicname'];
}
$db->closeCursor($res);
} else {
    # Check if key exists
    // NOTE(review): $yk is passed to findBy() as a lookup value and echoed
    // into the error message. Where $yk comes from and whether findBy()
    // binds it as a parameter are not visible here. Verify both.
    $r = $db->findBy('yubikeys', 'yk_publicname', $yk, 1);
    if (!$r) {
        logdie($myLog, "ERROR Unknown yubikey: {$yk}");
    }
    $yubikeys = array($yk);
}

/* Initialize the sync library. */
$sync = new SyncLib('ykval-resync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('yk', $yk);

if (!$sync->isConnected()) {
    logdie($myLog, 'ERROR Database connect error (2)');
}

// Queue one sync request per selected key, built from that key's locally
// stored parameters.
foreach ($yubikeys as $key) {
    // Strict comparison: only a literal FALSE means the lookup failed.
    if (($localParams = $sync->getLocalParams($key)) === FALSE) {
        logdie($myLog, 'ERROR Invalid Yubikey ' . $key);
    }

    $localParams['otp'] = $key . str_repeat('c', 32); // Fake an OTP, only used for logging.
    $myLog->log(LOG_DEBUG, "Auth data:", $localParams);

    /* Queue sync request */
    // The same array is passed for both arguments of queue().
    if (!$sync->queue($localParams, $localParams)) {
        logdie($myLog, 'ERROR Failed resync');
    }
    // Excerpt ends here; the foreach body is closed outside this fragment.
// define requirements on protocol
// Every key listed here must arrive with a value in the HTTP request.
$syncParams = array(
    'modified' => NULL,
    'otp' => NULL,
    'nonce' => NULL,
    'yk_publicname' => NULL,
    'yk_counter' => NULL,
    'yk_use' => NULL,
    'yk_high' => NULL,
    'yk_low' => NULL
);

// extract values from HTTP request
$tmp_log = 'Received ';
foreach ($syncParams as $param => $value) {
    $value = getHttpVal($param, NULL);
    // Loose comparison: the NULL default and an empty string are both
    // treated as a missing value.
    if ($value == NULL) {
        $myLog->log(LOG_NOTICE, "Received request with parameter[s] ({$param}) missing value");
        sendResp(S_MISSING_PARAMETER, $myLog);
    }
    $syncParams[$param] = $value;
    // NOTE(review): the raw request values, including otp and nonce, are
    // appended to the log line before the numeric validation further down.
    // Whether getHttpVal() or Log strips control characters is not visible
    // here. Confirm the log cannot be forged through these fields.
    $tmp_log .= "{$param}={$value} ";
}
$myLog->log(LOG_INFO, $tmp_log);

$sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $ipaddr);

// NOTE(review): presumably sendResp() ends the request; nothing else stops
// execution after it in this excerpt. Confirm.
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
}

// at this point we should have the otp so let's add it to the logging module
$myLog->addField('otp', $syncParams['otp']);
$sync->addField('otp', $syncParams['otp']);

// verify correctness of input parameters
// Only the five numeric fields are checked in this loop. Validation of otp,
// nonce and yk_publicname is not visible in this excerpt.
foreach (array('modified', 'yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) {
    // -1 is valid except for modified
    if ($param !== 'modified' && $syncParams[$param] === '-1') {
        continue;
    }
    // [0-9]+
    // ctype_digit() accepts only strings made of decimal digits, so signs,
    // spaces and decimal points are rejected.
    if ($syncParams[$param] !== '' && ctype_digit($syncParams[$param])) {
        continue;
        // Excerpt ends here; this if and the enclosing foreach are closed
        // outside this fragment.
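<?php
// Entry script for server-to-server sync requests (log tag 'ykval-sync').
// It sets up logging and the sync backend, then admits only callers whose
// address is in the configured sync pool.
require_once 'ykval-common.php';
require_once 'ykval-config.php';
require_once 'ykval-synclib.php';

$apiKey = '';

header("content-type: text/plain");

$myLog = new Log('ykval-sync');
$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);
// NOTE(review): the raw query string is logged before any validation, so
// every request parameter ends up in the INFO log. Treat that log as
// sensitive and confirm Log neutralises control characters.
$myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);

$sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);

if (!$sync->isConnected()) {
    // $apiKey is still the empty string at this point.
    sendResp(S_BACKEND_ERROR, $apiKey);
    exit;
}

#
# Verify that request comes from valid server
#
// The check relies on REMOTE_ADDR alone. Behind a reverse proxy or NAT every
// caller shares that address, so this allowlist is only meaningful when
// peers connect directly.
$myLog->log(LOG_INFO, 'remote request ip is ' . $_SERVER['REMOTE_ADDR']);
$allowed = False;
foreach ($baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] as $server) {
    $myLog->log(LOG_DEBUG, 'checking against ip ' . $server);
    // Strict comparison: an access-control decision must not depend on PHP's
    // loose-equality type juggling between the two operands.
    if ($_SERVER['REMOTE_ADDR'] === $server) {
        $myLog->log(LOG_DEBUG, 'server ' . $server . ' is allowed');
        $allowed = True;
        break;
    }
}

if (!$allowed) {
    $myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']);
    // Excerpt ends here; the rest of the rejection branch is outside this
    // fragment.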
// Excerpt: starts inside a block that was opened before this fragment; the
// closing brace below ends it.
sendResp(S_MISSING_PARAMETER, $myLog);
exit;
}

// NOTE: Timestamp parameter is not checked since current protocol says that 1 means request timestamp
// and anything else is discarded.

//// Get Client info from DB
//
// NOTE(review): this numeric comparison assumes $client was already
// validated or cast to an integer. That step is not visible in this
// excerpt. Confirm a non-numeric id cannot get past it.
if ($client <= 0) {
    $myLog->log(LOG_NOTICE, 'Client ID is missing');
    sendResp(S_MISSING_PARAMETER, $myLog);
    exit;
}

/* Initialize the sync library. Strive to use this instead of custom DB requests, custom comparisons etc */
$sync = new SyncLib('ykval-verify:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('otp', $otp);

if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
    exit;
}

$cd = $sync->getClientData($client);
// Truthiness test: any falsy result (FALSE, NULL, empty array) is treated as
// an unknown client.
if (!$cd) {
    $myLog->log(LOG_NOTICE, 'Invalid client id ' . $client);
    sendResp(S_NO_SUCH_CLIENT, $myLog);
    exit;
}
// NOTE(review): $cd is handed to the logger whole, and it contains the
// client's shared secret ($cd['secret'] is read just below). Whether the
// Log class redacts it is not visible here. If it does not, DEBUG logs
// hold API keys.
$myLog->log(LOG_DEBUG, "Client data:", $cd);

//// Check client signature
//
// base64_decode() runs in its default non-strict mode, which silently skips
// characters outside the base64 alphabet instead of failing.
$apiKey = base64_decode($cd['secret']);