|
1 <?php |
|
2 |
|
3 function page_Special_YubikeyValidate() |
|
4 { |
|
5 global $db, $session, $paths, $template, $plugins; // Common objects |
|
6 global $do_gzip; |
|
7 $do_gzip = false; |
|
8 |
|
9 // Check parameters |
|
10 if ( !isset($_GET['id']) ) |
|
11 { |
|
12 yms_send_reply('MISSING_PARAMETER', '', array('info' => 'id')); |
|
13 } |
|
14 |
|
15 if ( !isset($_GET['otp']) ) |
|
16 { |
|
17 yms_send_reply('MISSING_PARAMETER', '', array('info' => 'otp')); |
|
18 } |
|
19 |
|
20 // first, get API key so we can properly sign responses |
|
21 $id = intval($_GET['id']); |
|
22 $q = $db->sql_query("SELECT apikey FROM " . table_prefix . "yms_clients WHERE id = $id;"); |
|
23 if ( !$q ) |
|
24 $db->_die(); |
|
25 |
|
26 if ( $db->numrows($q) < 1 ) |
|
27 yms_send_reply("NO_SUCH_CLIENT"); |
|
28 |
|
29 list($g_api_key) = $db->fetchrow_num($q); |
|
30 $db->free_result($q); |
|
31 |
|
32 // check API key |
|
33 if ( isset($_GET['h']) ) |
|
34 { |
|
35 $hex_api_key = yms_hex_encode(base64_decode($g_api_key)); |
|
36 $right_sig = yubikey_sign($_GET, $hex_api_key); |
|
37 if ( $right_sig !== $_GET['h'] ) |
|
38 { |
|
39 yms_send_reply('BAD_SIGNATURE'); |
|
40 } |
|
41 } |
|
42 |
|
43 $GLOBALS['g_api_key'] =& $g_api_key; |
|
44 |
|
45 yms_send_reply(yms_validate_otp($_GET['otp'], $id)); |
|
46 } |
|
47 |
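Review bot: The signature check `if ( $right_sig !== $_GET['h'] )` compares the expected signature with the client-supplied one using an ordinary string comparison, which is not constant-time and can reveal through timing how much of the value matched. If the supported PHP version allows it (5.6 or later), prefer `if ( !is_string($_GET['h']) || !hash_equals($right_sig, $_GET['h']) )`; the `is_string` guard is needed because `h` can arrive as an array. The same holds for `otp`: `isset($_GET['otp'])` also accepts an array, which is then passed unchecked to `yms_validate_otp()`, so an `is_string` check belongs next to the parameter checks. Verification only runs when `h` is present, so unsigned requests are accepted; if that is intended, add a comment such as `// request signature is optional; unsigned requests are still validated`. The control flow also relies on `yms_send_reply()` ending the request, and that function is defined outside the lines shown.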