#!/usr/bin/php
<?php
// Munin-style plugin (excerpt): prints graph configuration for the average
// decrypt latency of each KSM that ykval is configured to use.

// Make the ykval configuration directories searchable, then load the config.
set_include_path(get_include_path() . PATH_SEPARATOR . "/etc/ykval:/usr/share/ykval");
require_once 'ykval-config.php';

/**
 * Extract the first hostname label from a URL for use as a graph field name.
 *
 * The pattern skips everything up to the "//" after the scheme and captures
 * the following run of lowercase letters, digits and hyphens, so the capture
 * stops at the first "." (or any other character outside that set).
 *
 * Prints an error and terminates the script with status 1 when the URL does
 * not match (preg_match() returning FALSE on error also satisfies "== 0").
 *
 * @param string $url KSM URL as returned by otp2ksmurls()
 * @return string captured hostname label
 */
function url2shortname($url)
{
    if (preg_match("/^[^\\/]+\\/\\/([a-z0-9-]+)/", $url, $name) == 0) {
        echo "Cannot match URL hostname: " . $url . "\n";
        exit(1);
    }
    return $name[1];
}

// The OTP string and client id 16 are hard-coded here; in this excerpt they are
// only passed to otp2ksmurls() to obtain the list of KSM URLs.
// NOTE(review): otp2ksmurls() is defined outside this excerpt. If it can return
// a non-array, array_map() below would fail - confirm.
$ksms = otp2ksmurls("ccccccccfnkjtvvijktfrvvginedlbvudjhjnggndtck", 16);
$shortksms = array_map("url2shortname", $ksms);

// "autoconf": tell the caller that this plugin can run on this host.
if ($argc == 2 && strcmp($argv[1], "autoconf") == 0) {
    print "yes\n";
    exit(0);
}

// "config": describe the graph and one GAUGE field per KSM short name.
if ($argc == 2 && strcmp($argv[1], "config") == 0) {
    echo "multigraph yk_latency\n";
    echo "graph_title KSM latency\n";
    echo "graph_vlabel Average KSM Decrypt Latency (seconds)\n";
    echo "graph_category ykval\n";
    echo "graph_width 400\n";

    // NOTE(review): the short name may contain "-" or start with a digit (see
    // the character class in url2shortname()), and two KSM hosts that share a
    // first label would yield the same field name - verify both against the
    // field-name rules of the consuming tool.
    foreach ($shortksms as $shortksm) {
        echo "{$shortksm}_avgwait.label {$shortksm}\n";
        echo "{$shortksm}_avgwait.type GAUGE\n";
        echo "{$shortksm}_avgwait.info Average wait time for KSM decrypt\n";
        echo "{$shortksm}_avgwait.min 0\n";
        echo "{$shortksm}_avgwait.draw LINE1\n";
    }
    // (excerpt ends here; the "config" branch is still open)
// (excerpt starts inside the request-signature check of the validation flow)
// Reject the request when the client-supplied signature $h does not equal $hmac.
// hash_equals() is used so the comparison does not leak how many leading
// characters matched.
if (hash_equals($hmac, $h) === FALSE) {
    // NOTE(review): this writes $hmac - the value the client signature is
    // compared against - to the debug log. $hmac is computed outside this
    // excerpt, but if it is the server-side signature for the request, anyone
    // who can read debug logs sees a value that would have passed this check.
    // Consider logging only that the signatures differ.
    $myLog->log(LOG_DEBUG, "client hmac={$h}, server hmac={$hmac}");
    // NOTE(review): presumably sendResp() ends the request - confirm; otherwise
    // processing continues below with an unverified signature.
    sendResp(S_BAD_SIGNATURE, $myLog, $apiKey);
}
} // closes a block opened before this excerpt

/**
 * We need to add necessary parameters not available at
 * earlier protocols after signature is computed.
 */
if ($protocol_version < 2.0) {
    // we need to create a nonce manually here
    // NOTE(review): rand() and uniqid() are not cryptographically secure
    // sources, so this 32-hex-character value is guessable. How the nonce is
    // used is outside this excerpt; if its unpredictability matters there, a
    // CSPRNG-backed source would be the safer choice. The value is also written
    // to the log at LOG_INFO.
    $nonce = md5(uniqid(rand()));
    $myLog->log(LOG_INFO, "protocol version below 2.0. Created nonce {$nonce}");
}

// which YK-KSM should we talk to?
// Anything other than an array from otp2ksmurls() is reported as a backend error.
$urls = otp2ksmurls($otp, $client);
if (!is_array($urls)) {
    sendResp(S_BACKEND_ERROR, $myLog, $apiKey);
}

// decode OTP from input
// Optional per-deployment cURL options are taken from $baseParams when the
// '__YKVAL_KSM_CURL_OPTS__' key is present; otherwise an empty array is used.
$curlopts = array();
if (array_key_exists('__YKVAL_KSM_CURL_OPTS__', $baseParams)) {
    $curlopts = $baseParams['__YKVAL_KSM_CURL_OPTS__'];
}
// A FALSE result from KSMdecryptOTP() is answered with S_BAD_OTP.
if (($otpinfo = KSMdecryptOTP($urls, $myLog, $curlopts)) === FALSE) {
    sendResp(S_BAD_OTP, $myLog, $apiKey);
}
// NOTE(review): the decrypted OTP fields are passed to the debug log; the
// contents of $otpinfo are not visible here - check that they are acceptable
// to store wherever debug logs end up.
$myLog->log(LOG_DEBUG, 'Decrypted OTP:', $otpinfo);

// get Yubikey from DB
// The public name is the OTP with its last TOKEN_LEN characters removed.
// NOTE(review): $otp is presumably length-validated before this point; if it
// could be shorter than TOKEN_LEN the substr() length would be negative - confirm.
$yk_publicname = substr($otp, 0, strlen($otp) - TOKEN_LEN);
if (($localParams = $sync->getLocalParams($yk_publicname)) === FALSE) {
    // (excerpt ends here; this branch is still open)
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Add the yubikey-val code and configuration directories to the include path,
# keeping the existing entries first, then load the config and shared helpers.
set_include_path(implode(PATH_SEPARATOR, array(get_include_path(), '/usr/share/yubikey-val', '/etc/yubico/val')));
require_once 'ykval-config.php';
require_once 'ykval-common.php';

# FIXME
# otp and client ID should be moved to a munin environment variable
# Until then the OTP string and client id 16 are hard-coded; in this excerpt
# they are only passed to otp2ksmurls() to obtain the KSM URL list.
$urls = otp2ksmurls('ccccccccfnkjtvvijktfrvvginedlbvudjhjnggndtck', 16);

# endpoints() is defined outside this excerpt; a FALSE result is treated as
# "the URL list could not be parsed" and ends the script with status 1.
if (($endpoints = endpoints($urls)) === FALSE) {
    echo "Cannot parse URLs from ksm url list\n";
    exit(1);
}

# "autoconf": tell munin that this plugin can run on this host.
if ($argc == 2 && strcmp($argv[1], 'autoconf') == 0) {
    echo "yes\n";
    exit(0);
}

# "config": print the graph description; the per-endpoint field definitions
# are emitted by the loop that starts below.
if ($argc == 2 && strcmp($argv[1], 'config') == 0) {
    echo "multigraph ykval_ksmlatency\n";
    echo "graph_title KSM latency\n";
    echo "graph_vlabel Average KSM Decrypt Latency (seconds)\n";
    echo "graph_category ykval\n";
    echo "graph_width 400\n";
    foreach ($endpoints as $endpoint) {
        # (excerpt ends here; the loop body and the "config" branch are still open)