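// Resolve the KSM endpoint(s) responsible for this OTP/client. Anything other
// than an array means no usable backend configuration exists for it.
$urls = otp2ksmurls($otp, $client);
if (!is_array($urls)) {
    sendResp(S_BACKEND_ERROR, $myLog, $apiKey);
}

// NOTE(review): this flow relies on sendResp() terminating the request; confirm
// against its definition, otherwise a rejected OTP falls through to the code
// below.

// Decode the OTP through the KSM. Deployment-specific cURL options may be
// supplied under the __YKVAL_KSM_CURL_OPTS__ key of $baseParams.
$curlopts = [];
if (array_key_exists('__YKVAL_KSM_CURL_OPTS__', $baseParams)) {
    $curlopts = $baseParams['__YKVAL_KSM_CURL_OPTS__'];
}
$otpinfo = KSMdecryptOTP($urls, $myLog, $curlopts);
if ($otpinfo === false) {
    // KSMdecryptOTP signals a failed decrypt with false rather than throwing.
    sendResp(S_BAD_OTP, $myLog, $apiKey);
}
$myLog->log(LOG_DEBUG, 'Decrypted OTP:', $otpinfo);

// The key's public name is the OTP with its trailing TOKEN_LEN characters
// removed; look its record up in the local database.
$yk_publicname = substr($otp, 0, strlen($otp) - TOKEN_LEN);
$localParams = $sync->getLocalParams($yk_publicname);
if ($localParams === false) {
    $myLog->log(LOG_NOTICE, "Invalid Yubikey {$yk_publicname}");
    sendResp(S_BACKEND_ERROR, $myLog, $apiKey);
}
$myLog->log(LOG_DEBUG, 'Auth data:', $localParams);

// Kept as a loose comparison: 'active' presumably comes back from the DB
// layer as a string — confirm before tightening to ===.
if ($localParams['active'] != 1) {
    $myLog->log(LOG_NOTICE, "De-activated Yubikey {$yk_publicname}");
    sendResp(S_BAD_OTP, $myLog, $apiKey);
}

/* Build the OTP parameter set that is compared against the counters stored
 * for this key. */
$otpParams = [
    'modified'      => time(),
    'otp'           => $otp,
    'nonce'         => $nonce,
    'yk_publicname' => $yk_publicname,
    'yk_counter'    => $otpinfo['session_counter'],
    'yk_use'        => $otpinfo['session_use'],
    'yk_high'       => $otpinfo['high'],
    'yk_low'        => $otpinfo['low'],
];

/* Identical counters AND an identical nonce mean this exact request was seen
 * before, i.e. a replayed request. The nonce is compared strictly: with ==
 * PHP coerces numeric-looking strings, so two different nonces (e.g. two
 * distinct "0e…" values) would wrongly compare equal. */
if ($sync->countersEqual($localParams, $otpParams)
    && $localParams['nonce'] === $otpParams['nonce']) {
    $myLog->log(LOG_WARNING, 'Replayed request');
    sendResp(S_REPLAYED_REQUEST, $myLog, $apiKey, $extra);
}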
        sendResp(S_MISSING_PARAMETER, $apiKey);
        exit;
    }
}
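// Every counter field must be either a non-negative integer or the sentinel
// -1. The D modifier anchors '$' at the very end of the subject, so a value
// with a trailing newline (which a bare '$' would accept) is rejected too.
// preg_match() returns 1 on match, 0 on no match and false on error; only an
// exact match is accepted.
// NOTE(review): assumes presence of these keys in $syncParams was checked
// earlier — that code is not visible here.
foreach (['yk_counter', 'yk_use', 'yk_high', 'yk_low'] as $param) {
    if (preg_match('/^(-1|[0-9]+)$/D', $syncParams[$param]) !== 1) {
        $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
        sendResp(S_MISSING_PARAMETER, $apiKey);
        exit;
    }
}

#
# Get local counter data
#
$yk_publicname = $syncParams['yk_publicname'];
$localParams = $sync->getLocalParams($yk_publicname);
if (!$localParams) {
    // A falsy result from getLocalParams() means the key is unknown locally.
    $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
    sendResp(S_BACKEND_ERROR, $apiKey);
    exit;
}
if ($localParams['active'] != 1) {
    $myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $yk_publicname);
    sendResp(S_BAD_OTP, $apiKey);
    exit;
}

/* Conditional update local database */
$sync->updateDbCounters($syncParams);
$myLog->log(LOG_DEBUG, 'Local params ', $localParams);
$myLog->log(LOG_DEBUG, 'Sync request params ', $syncParams);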
#
    }
    $db->closeCursor($res);
} else {
    # Check if key exists
    $r = $db->findBy('yubikeys', 'yk_publicname', $yk, 1);
    if (!$r) {
        logdie($myLog, "ERROR Unknown yubikey: {$yk}");
    }
    $yubikeys = array($yk);
}
/* Initialize the sync library. */
$sync = new SyncLib('ykval-resync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('yk', $yk);
if (!$sync->isConnected()) {
    logdie($myLog, 'ERROR Database connect error (2)');
}

// Queue one sync request per key. getLocalParams() returns false for a key
// that is unknown locally.
foreach ($yubikeys as $publicname) {
    $localParams = $sync->getLocalParams($publicname);
    if ($localParams === false) {
        logdie($myLog, 'ERROR Invalid Yubikey ' . $publicname);
    }

    // No real OTP exists for a resync; a placeholder (public name followed by
    // 32 'c' characters) is filled in purely so the log entry has one.
    $localParams['otp'] = $publicname . str_repeat('c', 32);
    $myLog->log(LOG_DEBUG, 'Auth data:', $localParams);

    /* Queue sync request: the local record serves as both local and sync data. */
    if (!$sync->queue($localParams, $localParams)) {
        logdie($myLog, 'ERROR Failed resync');
    }
}

# We are done
logdie($myLog, 'OK Initiated resync of ' . $yk);
    $db->closeCursor($res);
} else {
    # Check if key exists
    $r = $db->findBy('yubikeys', 'yk_publicname', $yk, 1);
    if (!$r) {
        logdie($myLog, "ERROR Unknown yubikey: {$yk}");
    }
    $yubikeys = array($yk);
}
/* Initialize the sync library, tagging every record with caller IP and key. */
$sync = new SyncLib('ykval-resync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('yk', $yk);
if (!$sync->isConnected()) {
    logdie($myLog, 'ERROR Database connect error (2)');
}

foreach ($yubikeys as $keyName) {
    // A falsy result from getLocalParams() means the key is unknown locally.
    $localParams = $sync->getLocalParams($keyName);
    if (!$localParams) {
        logdie($myLog, 'ERROR Invalid Yubikey ' . $keyName);
    }

    // Fake an OTP, only used for logging: public name plus 32 'c' characters.
    $fakeOtp = $keyName . str_repeat('c', 32);
    $localParams['otp'] = $fakeOtp;
    $myLog->log(LOG_DEBUG, 'Auth data:', $localParams);

    /* Queue sync request; the local record is passed as both arguments. */
    $queued = $sync->queue($localParams, $localParams);
    if (!$queued) {
        logdie($myLog, 'ERROR Failed resync');
    }
}

# We are done
logdie($myLog, 'OK Initiated resync of ' . $yk);