yms/validate.php
changeset 0 9997bee9ad03
child 10 351d40b21cbc
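--- a/yms/validate.php
+++ b/yms/validate.php
@@ -0,0 +1,47 @@
+<?php
+
+function page_Special_YubikeyValidate()
+{
+  global $db, $session, $paths, $template, $plugins; // Common objects
+  global $do_gzip;
+  $do_gzip = false;
+  
+  // Check parameters
+  if ( !isset($_GET['id']) )
+  {
+    yms_send_reply('MISSING_PARAMETER', '', array('info' => 'id'));
+  }
+  
+  if ( !isset($_GET['otp']) )
+  {
+    yms_send_reply('MISSING_PARAMETER', '', array('info' => 'otp'));
+  }
+  
+  // first, get API key so we can properly sign responses
+  $id = intval($_GET['id']);
+  $q = $db->sql_query("SELECT apikey FROM " . table_prefix . "yms_clients WHERE id = $id;");
+  if ( !$q )
+    $db->_die();
+  
+  if ( $db->numrows($q) < 1 )
+    yms_send_reply("NO_SUCH_CLIENT");
+  
+  list($g_api_key) = $db->fetchrow_num($q);
+  $db->free_result($q);
+  
+  // check API key
+  if ( isset($_GET['h']) )
+  {
+    $hex_api_key = yms_hex_encode(base64_decode($g_api_key));
+    $right_sig = yubikey_sign($_GET, $hex_api_key);
+    if ( $right_sig !== $_GET['h'] )
+    {
+      yms_send_reply('BAD_SIGNATURE');
+    }
+  }
+  
+  $GLOBALS['g_api_key'] =& $g_api_key;
+  
+  yms_send_reply(yms_validate_otp($_GET['otp'], $id));
+}
+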
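Review bot: The signature check at file lines 33-41 compares `$right_sig !== $_GET['h']`, which is not a constant-time comparison, so response timing can reveal how much of a submitted signature matches. Using `if ( !is_string($_GET['h']) || !hash_equals($right_sig, $_GET['h']) )` closes that and also rejects an array-valued `h`; this assumes yubikey_sign() returns a string, which is not visible here, and hash_equals() needs a PHP version that provides it. The whole check is skipped when `h` is absent, so an unsigned request still reaches `yms_validate_otp()`; if optional request signing is deliberate, a comment such as `// request signature is optional; unsigned requests are accepted` should say so, otherwise a missing `h` should be rejected. The parameter guards and the `NO_SUCH_CLIENT` branch only hold if `yms_send_reply()` ends the request, which cannot be confirmed from this file, so a one-line comment like `// yms_send_reply() does not return` would help the next reader.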