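// Resolve the KSM URL(s) that can decrypt this OTP; anything but an array is a backend failure.
// NOTE(review): no `exit` follows sendResp() anywhere in this run, so sendResp() is relied on to
// terminate the request — confirm against its definition.
$urls = otp2ksmurls($otp, $client);
if (!is_array($urls)) {
    sendResp(S_BACKEND_ERROR, $myLog, $apiKey);
}

// Optional curl options for the KSM request, passed through verbatim when configured.
$curlopts = array_key_exists('__YKVAL_KSM_CURL_OPTS__', $baseParams)
    ? $baseParams['__YKVAL_KSM_CURL_OPTS__']
    : [];

// Decode the OTP via the KSM; a FALSE result means it could not be decrypted and is rejected as a bad OTP.
$otpinfo = KSMdecryptOTP($urls, $myLog, $curlopts);
if ($otpinfo === false) {
    sendResp(S_BAD_OTP, $myLog, $apiKey);
}
$myLog->log(LOG_DEBUG, 'Decrypted OTP:', $otpinfo);

// The key's public name is the OTP with its trailing TOKEN_LEN characters removed
// (byte-wise substr is fine here: the OTP is ASCII modhex).
$yk_publicname = substr($otp, 0, -TOKEN_LEN);

// Look up the key's stored state; an unknown key is reported as a backend error, not a bad OTP.
$localParams = $sync->getLocalParams($yk_publicname);
if ($localParams === false) {
    $myLog->log(LOG_NOTICE, "Invalid Yubikey {$yk_publicname}");
    sendResp(S_BACKEND_ERROR, $myLog, $apiKey);
}
$myLog->log(LOG_DEBUG, 'Auth data:', $localParams);

// Cast before comparing so a driver that hands back '1' as a string is still accepted,
// without falling back to loose == semantics.
if ((int) $localParams['active'] !== 1) {
    $myLog->log(LOG_NOTICE, "De-activated Yubikey {$yk_publicname}");
    sendResp(S_BAD_OTP, $myLog, $apiKey);
}

/* Build OTP params */
$otpParams = [
    'modified'      => time(),
    'otp'           => $otp,
    'nonce'         => $nonce,
    'yk_publicname' => $yk_publicname,
    'yk_counter'    => $otpinfo['session_counter'],
    'yk_use'        => $otpinfo['session_use'],
    'yk_high'       => $otpinfo['high'],
    'yk_low'        => $otpinfo['low'],
];

/* Replay check: identical counters *and* the identical nonce means this exact request was
 * already seen. The nonce is compared strictly as a string; loose == would treat two
 * numeric-looking nonces such as '1e3' and '1000' as equal. */
if ($sync->countersEqual($localParams, $otpParams)
    && (string) $localParams['nonce'] === (string) $otpParams['nonce']) {
    $myLog->log(LOG_WARNING, 'Replayed request');
    sendResp(S_REPLAYED_REQUEST, $myLog, $apiKey, $extra);
}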
sendResp(S_MISSING_PARAMETER, $apiKey); exit; } } foreach (array('yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) { if (preg_match("/^(-1|[0-9]+)\$/", $syncParams[$param]) == 0) { $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct'); sendResp(S_MISSING_PARAMETER, $apiKey); exit; } } # # Get local counter data # $yk_publicname = $syncParams['yk_publicname']; $localParams = $sync->getLocalParams($yk_publicname); if (!$localParams) { $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname); sendResp(S_BACKEND_ERROR, $apiKey); exit; } if ($localParams['active'] != 1) { $myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $yk_publicname); sendResp(S_BAD_OTP, $apiKey); exit; } /* Conditional update local database */ $sync->updateDbCounters($syncParams); $myLog->log(LOG_DEBUG, 'Local params ', $localParams); $myLog->log(LOG_DEBUG, 'Sync request params ', $syncParams); #
} $db->closeCursor($res); } else { # Check if key exists $r = $db->findBy('yubikeys', 'yk_publicname', $yk, 1); if (!$r) { logdie($myLog, "ERROR Unknown yubikey: {$yk}"); } $yubikeys = array($yk); } /* Initialize the sync library. */ $sync = new SyncLib('ykval-resync:synclib'); $sync->addField('ip', $_SERVER['REMOTE_ADDR']); $sync->addField('yk', $yk); if (!$sync->isConnected()) { logdie($myLog, 'ERROR Database connect error (2)'); } foreach ($yubikeys as $key) { if (($localParams = $sync->getLocalParams($key)) === FALSE) { logdie($myLog, 'ERROR Invalid Yubikey ' . $key); } $localParams['otp'] = $key . str_repeat('c', 32); // Fake an OTP, only used for logging. $myLog->log(LOG_DEBUG, "Auth data:", $localParams); /* Queue sync request */ if (!$sync->queue($localParams, $localParams)) { logdie($myLog, 'ERROR Failed resync'); } } # We are done logdie($myLog, "OK Initiated resync of {$yk}");
$db->closeCursor($res); } else { # Check if key exists $r = $db->findBy('yubikeys', 'yk_publicname', $yk, 1); if (!$r) { logdie($myLog, "ERROR Unknown yubikey: {$yk}"); } $yubikeys = array($yk); } /* Initialize the sync library. */ $sync = new SyncLib('ykval-resync:synclib'); $sync->addField('ip', $_SERVER['REMOTE_ADDR']); $sync->addField('yk', $yk); if (!$sync->isConnected()) { logdie($myLog, 'ERROR Database connect error (2)'); } foreach ($yubikeys as $key) { $localParams = $sync->getLocalParams($key); if (!$localParams) { logdie($myLog, 'ERROR Invalid Yubikey ' . $key); } $localParams['otp'] = $key . str_repeat('c', 32); // Fake an OTP, only used for logging. $myLog->log(LOG_DEBUG, "Auth data:", $localParams); /* Queue sync request */ if (!$sync->queue($localParams, $localParams)) { logdie($myLog, 'ERROR Failed resync'); } } # We are done logdie($myLog, "OK Initiated resync of {$yk}");