# HG changeset patch
# User Dan
# Date 1249098668 14400
# Node ID 9997bee9ad03bd277224543d67e466670c381c04
First commit. Lacks key deletion support and an admin CP for controlling options.
diff -r 000000000000 -r 9997bee9ad03 YubikeyManagement.php
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/YubikeyManagement.php Fri Jul 31 23:51:08 2009 -0400
@@ -0,0 +1,192 @@
+attachHook('session_started', 'yms_add_special_pages();');
+
+function yms_add_special_pages()
+{
+ global $lang;
+
+ register_special_page('YMS', 'yms_specialpage_yms');
+ register_special_page('YMSCreateClient', 'yms_specialpage_register');
+ register_special_page('YubikeyValidate', 'yms_specialpage_validate');
+}
+
+define('YMS_DISABLED', 0);
+define('YMS_ENABLED', 1);
+define('YMS_ANY_CLIENT', 2);
+
+define('YMS_INSTALLED', 1);
+
+require(ENANO_ROOT . '/plugins/yms/yms.php');
+require(ENANO_ROOT . '/plugins/yms/libotp.php');
+require(ENANO_ROOT . '/plugins/yms/transcode.php');
+require(ENANO_ROOT . '/plugins/yms/backend.php');
+require(ENANO_ROOT . '/plugins/yms/validate.php');
+require(ENANO_ROOT . '/plugins/yms/validate-functions.php');
+
+/**!language**
+
+The following text up to the closing comment tag is JSON language data.
+It is not PHP code but your editor or IDE may highlight it as such. This
+data is imported when the plugin is loaded for the first time; it provides
+the strings displayed by this plugin's interface.
+
+You should copy and paste this block when you create your own plugins so
+that these comments and the basic structure of the language data is
+preserved. All language data is in the same format as the Enano core
+language files in the /language/* directories. See the Enano Localization
+Guide and Enano API Documentation for further information on the format of
+language files.
+
+The exception in plugin language file format is that multiple languages
+may be specified in the language block. This should be done by way of making
+the top-level elements each a JSON language object, with elements named
+according to the ISO-639-1 language they are representing. The path should be:
+
+ root => language ID => categories array, ( strings object => category \
+ objects => strings )
+
+All text leading up to first curly brace is stripped by the parser; using
+a code tag makes jEdit and other editors do automatic indentation and
+syntax highlighting on the language data. The use of the code tag is not
+necessary; it is only included as a tool for development.
+
+
+{
+ // english
+ eng: {
+ categories: [ 'meta', 'yms' ],
+ strings: {
+ meta: {
+ yms: 'Yubikey management system'
+ },
+ yms: {
+ specialpage_yms: 'Yubikey manager',
+ specialpage_register: 'Register YMS client',
+ specialpage_validate: 'Yubikey validation API',
+ err_yubikey_plugin_missing_title: 'Yubikey plugin not found',
+ err_yubikey_plugin_missing_body: 'The Yubikey YMS cannot load because the Enano Yubikey authentication plugin is not installed. Please ask your administrator to install it.',
+ err_client_exists_title: 'Client already exists',
+ err_client_exists_body: 'You cannot register another YMS client using this same user account.',
+ register_confirm_title: 'Enable your account for Yubikey authentication',
+ register_confirm_body: 'As a Yubikey authentication client, you gain the ability to manage multiple Yubikeys and tie them to your own organization. It also lets you retrieve secret AES keys for tokens, register new or reprogrammed keys, validate Yubikey OTPs using your own API key, and deactivate keys in case of a compromise. Do you want to enable your account for Yubikey management?',
+ register_btn_submit: 'Create YMS client',
+
+ register_msg_success_title: 'Congratulations! Your account is now enabled for YMS access.',
+ register_msg_success_body: '
You can now go to the YMS admin panel and add your Yubikeys. Your client ID and API key are below:
+
Client ID: %client_id%
+ API key: %api_key%
+ Validation API URL: %validate_url%
+
Remember to secure your user account! Your Enano login is used to administer your YMS account. For maximum security, use the Yubikey Settings page of the User Control Panel to require both a password and a Yubikey OTP to log in.
',
+ msg_no_yubikeys: 'No Yubikeys found',
+ btn_add_key: 'Add Yubikey',
+ btn_add_key_preregistered: 'Claim a New Key',
+ state_active: 'Active',
+ state_inactive: 'Inactive',
+
+ th_id: 'ID#',
+ th_publicid: 'OTP prefix',
+ th_createtime: 'Created',
+ th_accesstime: 'Last accessed',
+ th_state: 'Lifecycle state',
+ th_note: 'Note',
+
+ msg_access_never: 'Never',
+
+ // Add key interface
+ lbl_addkey_heading: 'Register Yubikey',
+ lbl_addkey_desc: 'Register a Yubikey that you programmed yourself in YMS to enable validation of OTPs from that key against this server.',
+ lbl_addkey_field_secret: 'AES secret key:',
+ lbl_addkey_field_secret_hint: 'Input in ModHex, hex, or base-64. The format will be detected automatically.',
+ lbl_addkey_field_otp: 'Enter an OTP from this Yubikey:',
+ lbl_addkey_field_notes: 'Notes about this key:',
+ lbl_addkey_field_state: 'Lifecycle state:',
+ lbl_addkey_field_any_client_name: 'Allow validation by any client:',
+ lbl_addkey_field_any_client_hint: 'If unchecked, OTPs from this Yubikey can only be verified by someone using your client ID. Check this if you plan to use this Yubikey on websites you don\'t control.',
+ lbl_addkey_field_any_client: 'Other clients can validate OTPs from this key',
+ btn_addkey_submit: 'Register key',
+ msg_addkey_success: 'This key has been successfully registered.',
+
+ err_addkey_crc_failed: 'The CRC check on the OTP failed. This usually means that your AES key is wrong or could not be properly interpreted.',
+ err_addkey_invalid_key: 'There was an error decoding your AES secret key. Please enter a 128-bit hex, ModHex, or base-64 value.',
+ err_addkey_invalid_otp: 'The OTP from the Yubikey is invalid.',
+ err_addkey_key_exists: 'This Yubikey is already registered on this server.',
+
+ // Claim key interface
+ lbl_claimkey_heading: 'Claim Yubikey',
+ lbl_claimkey_desc: 'Attach a key you have not reprogrammed to your YMS account, so that you can see its AES secret key and keep track of it.',
+ lbl_claimkey_field_otp: 'Enter an OTP from this Yubikey:',
+ lbl_custom_hint: 'For your security, this is used to validate your ownership of this Yubikey.',
+
+ // AES key view interface
+ showaes_th: 'AES secret key for key %public_id%',
+ showaes_lbl_hex: 'Hex:',
+ showaes_lbl_modhex: 'ModHex:',
+ showaes_lbl_base64: 'Base64:',
+
+ // API key view interface
+ th_client_id: 'Client ID',
+ lbl_client_id: 'Client ID:',
+ th_api_key: 'API key',
+
+ // Binary format converter
+ th_converted_value: 'Converted value',
+ conv_err_invalid_string: 'The string was invalid or you entered did not match the format you selected.',
+ th_converter: 'Convert binary formats',
+ conv_lbl_value: 'Value to convert:',
+ conv_lbl_format: 'Current encoding:',
+ conv_lbl_format_auto: 'Auto-detect',
+ conv_lbl_format_hex: 'Hexadecimal',
+ conv_lbl_format_modhex: 'ModHex',
+ conv_lbl_format_base64: 'Base-64',
+ conv_btn_submit: 'Convert',
+
+ // Key list
+ btn_note_view: 'View or edit note',
+ btn_note_create: 'No note; click to create',
+ btn_show_aes: 'Show AES secret',
+ btn_show_converter: 'Binary encoding converter',
+ btn_show_client_info: 'View client info'
+ }
+ }
+ }
+}
+
+**!*/
+
+/**!install dbms="mysql"; **
+
+CREATE TABLE {{TABLE_PREFIX}}yms_clients(
+ id int(12) NOT NULL DEFAULT 0,
+ apikey varchar(40) NOT NULL,
+ PRIMARY KEY ( id )
+);
+
+CREATE TABLE {{TABLE_PREFIX}}yms_yubikeys(
+ id int(12) NOT NULL auto_increment,
+ client_id int(12) NOT NULL DEFAULT 0,
+ public_id varchar(12) NOT NULL DEFAULT '000000000000',
+ private_id varchar(12) NOT NULL DEFAULT '000000000000',
+ session_count int(8) NOT NULL DEFAULT 0,
+ token_count int(8) NOT NULL DEFAULT 0,
+ create_time int(12) NOT NULL DEFAULT 0,
+ access_time int(12) NOT NULL DEFAULT 0,
+ token_time int(12) NOT NULL DEFAULT 0,
+ aes_secret varchar(40) NOT NULL DEFAULT '00000000000000000000000000000000',
+ flags int(8) NOT NULL DEFAULT 1,
+ notes text,
+ PRIMARY KEY (id)
+);
+
+**!*/
+
diff -r 000000000000 -r 9997bee9ad03 yms/backend.php
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/yms/backend.php Fri Jul 31 23:51:08 2009 -0400
@@ -0,0 +1,325 @@
+user_id;
+
+ $key = yms_tobinary($key);
+ $otp = yms_tobinary($otp);
+
+ if ( strlen($key) != 16 )
+ {
+ return 'yms_err_addkey_invalid_key';
+ }
+
+ if ( strlen($otp) != 22 )
+ {
+ return 'yms_err_addkey_invalid_otp';
+ }
+
+ $otpdata = yms_decode_otp($otp, $key);
+ if ( $otpdata === false )
+ {
+ return 'yms_err_addkey_invalid_otp';
+ }
+ if ( !$otpdata['crc_good'] )
+ {
+ return 'yms_err_addkey_crc_failed';
+ }
+
+ // make sure it's not already in there
+ $q = $db->sql_query('SELECT 1 FROM ' . table_prefix . "yms_yubikeys WHERE public_id = '{$otpdata['publicid']}';");
+ if ( !$q )
+ $db->_die();
+
+ if ( $db->numrows() > 0 )
+ {
+ $db->free_result();
+ return 'yms_err_addkey_key_exists';
+ }
+ $db->free_result();
+
+ $now = time();
+ $key = yms_hex_encode($key);
+
+ $flags = 0;
+ if ( $enabled )
+ $flags |= YMS_ENABLED;
+ if ( $any_client )
+ $flags |= YMS_ANY_CLIENT;
+
+ $notes = $notes ? $db->escape(strval($notes)) : '';
+
+ $q = $db->sql_query("INSERT INTO " . table_prefix . "yms_yubikeys(client_id, public_id, private_id, session_count, token_count, create_time, access_time, token_time, aes_secret, flags, notes) VALUES\n"
+ . " ($client_id, '{$otpdata['publicid']}', '{$otpdata['privateid']}', {$otpdata['session']}, {$otpdata['count']}, $now, $now, {$otpdata['timestamp']}, '$key', $flags, '$notes');");
+ if ( !$q )
+ $db->_die();
+
+ return true;
+}
+
+function yms_chown_yubikey($otp, $client_id = false, $enabled = true, $any_client = false, $notes = false)
+{
+ global $db, $session, $paths, $template, $plugins; // Common objects
+
+ if ( $client_id === false )
+ $client_id = $session->user_id;
+
+ $otp = yms_tobinary($otp);
+
+ if ( strlen($otp) != 22 )
+ {
+ return 'yms_err_addkey_invalid_otp';
+ }
+
+ $public_id = yms_hex_encode(substr($otp, 0, 6));
+
+ // make sure it's already in there
+ $q = $db->sql_query('SELECT id FROM ' . table_prefix . "yms_yubikeys WHERE public_id = '{$public_id}' AND client_id = 0;");
+ if ( !$q )
+ $db->_die();
+
+ if ( $db->numrows() < 1 )
+ {
+ // this should never happen, as the OTP is put through validation before this function is called
+ $db->free_result();
+ return 'yms_err_claimkey_owner_invalid';
+ }
+
+ list($key_id) = $db->fetchrow_num();
+ $db->free_result();
+
+ $now = time();
+
+ $flags = 0;
+ if ( $enabled )
+ $flags |= YMS_ENABLED;
+ if ( $any_client )
+ $flags |= YMS_ANY_CLIENT;
+
+ $notes = $notes ? $db->escape(strval($notes)) : '';
+
+ $q = $db->sql_query("UPDATE " . table_prefix . "yms_yubikeys SET flags = $flags, notes = '$notes', client_id = $client_id WHERE id = $key_id;");
+ if ( !$q )
+ $db->_die();
+
+ return true;
+}
+
+function yms_validate_custom_field($value, $otp, $url)
+{
+ require_once(ENANO_ROOT . '/includes/http.php');
+ $url = strtr($url, array(
+ '%c' => rawurlencode($value),
+ '%o' => rawurlencode($otp)
+ ));
+ // do we need to sign this?
+ if ( strstr($url, '%h') && ($key = getConfig('yms_claim_auth_key', false)) )
+ {
+ list(, $signpart) = explode('?', $url);
+ $signpart = preg_replace('/(&h=%h|^h=%h&)/', '', $signpart);
+ $signpart = yms_ksort_url($signpart);
+
+ $key = yms_tobinary($key);
+ $key = yms_hex_encode($key);
+ $hash = hmac_sha1($signpart, $key);
+ $hash = yms_hex_decode($hash);
+ $hash = base64_encode($hash);
+
+ $url = str_replace('%h', rawurlencode($hash), $url);
+ }
+
+ // run authentication
+ $result = yms_get_url($url);
+ $result = yms_parse_auth_result($result, $key);
+
+ if ( !$result['sig_valid'] )
+ return 'yubiauth_err_response_bad_signature';
+
+ if ( $result['status'] !== 'OK' )
+ {
+ if ( preg_match('/^[A-Z_]+$/', $result['status']) )
+ return 'yubiauth_err_response_' . strtolower($result['status']);
+ else
+ return $result['status'];
+ }
+
+ // authentication is ok
+ return true;
+}
+
+function yms_get_url($url)
+{
+ require_once(ENANO_ROOT . '/includes/http.php');
+
+ $url = preg_replace('#^https?://#i', '', $url);
+ if ( !preg_match('#^(\[?[a-z0-9-:]+(?:\.[a-z0-9-:]+\]?)*)(?::([0-9]+))?(/.*)$#U', $url, $match) )
+ {
+ return 'invalid_auth_url';
+ }
+ $server =& $match[1];
+ $port = ( !empty($match[2]) ) ? intval($match[2]) : 80;
+ $uri =& $match[3];
+ try
+ {
+ $req = new Request_HTTP($server, $uri, 'GET', $port);
+ $response = $req->get_response_body();
+ }
+ catch ( Exception $e )
+ {
+ return 'http_failed:' . $e->getMessage();
+ }
+
+ if ( $req->response_code !== HTTP_OK )
+ return 'http_failed_status:' . $req->response_code;
+
+ return $response;
+}
+
+function yms_parse_auth_result($result, $api_key = false)
+{
+ $result = explode("\n", trim($result));
+ $arr = array();
+ foreach ( $result as $line )
+ {
+ list($name) = explode('=', $line);
+ $value = substr($line, strlen($name) + 1);
+ $arr[$name] = $value;
+ }
+ // signature check
+ if ( $api_key )
+ {
+ $signarr = $arr;
+ ksort($signarr);
+ unset($signarr['h']);
+ $signpart = array();
+ foreach ( $signarr as $name => $value )
+ $signpart[] = "{$name}={$value}";
+
+ $signpart = implode('&', $signpart);
+ $api_key = yms_hex_encode(yms_tobinary($api_key));
+ $right_sig = base64_encode(yms_hex_decode(
+ hmac_sha1($signpart, $api_key)
+ ));
+ $arr['sig_valid'] = ( $arr['h'] === $right_sig );
+ }
+ else
+ {
+ $arr['sig_valid'] = true;
+ }
+ return $arr;
+}
+
+function yms_ksort_url($signpart)
+{
+ $arr = array();
+ $values = explode('&', $signpart);
+ foreach ( $values as $var )
+ {
+ list($name) = explode('=', $var);
+ $value = substr($var, strlen($name) + 1);
+ $arr[$name] = $value;
+ }
+ ksort($arr);
+ $result = array();
+ foreach ( $arr as $name => $value )
+ {
+ $result[] = "{$name}={$value}";
+ }
+ return implode('&', $result);
+}
+
+function yms_validate_otp($otp, $id)
+{
+ global $db, $session, $paths, $template, $plugins; // Common objects
+
+ $public_id = yms_modhex_decode(substr($otp, 0, 12));
+ if ( !$public_id )
+ {
+ return 'BAD_OTP';
+ }
+ // Just in case
+ $public_id = $db->escape($public_id);
+
+ $q = $db->sql_query("SELECT id, private_id, session_count, token_count, access_time, token_time, aes_secret, flags, client_id FROM " . table_prefix . "yms_yubikeys WHERE ( client_id = 0 or client_id = $id OR flags & " . YMS_ANY_CLIENT . " ) AND public_id = '$public_id';");
+ if ( !$q )
+ $db->_die();
+
+ if ( $db->numrows($q) < 1 )
+ {
+ return 'NO_SUCH_KEY';
+ }
+
+ list($yubikey_id, $private_id, $session_count, $token_count, $access_time, $token_time, $aes_secret, $flags, $client_id) = $db->fetchrow_num($q);
+ $session_count = intval($session_count);
+ $token_count = intval($token_count);
+ $access_time = intval($access_time);
+ $token_time = intval($token_time);
+
+ // check flags
+ if ( $client_id > 0 )
+ {
+ if ( !($flags & YMS_ANY_CLIENT) )
+ {
+ return 'NO_SUCH_KEY';
+ }
+ if ( !($flags & YMS_ENABLED) )
+ {
+ return 'NO_SUCH_KEY';
+ }
+ }
+
+ // decode the OTP
+ $otp = yms_decode_otp($otp, $aes_secret);
+
+ // check CRC
+ if ( !$otp['crc_good'] )
+ {
+ return 'BAD_OTP';
+ }
+
+ // check private UID (avoids combining a whitelisted known public UID with the increment part of a malicious token)
+ if ( $private_id !== $otp['privateid'] )
+ {
+ return 'BAD_OTP';
+ }
+
+ // check counters
+ if ( $otp['session'] < $session_count )
+ {
+ return 'REPLAYED_OTP';
+ }
+ if ( $otp['session'] == $session_count && $otp['count'] <= $token_count )
+ {
+ return 'REPLAYED_OTP';
+ }
+
+ // update DB
+ $q = $db->sql_query("UPDATE " . table_prefix . "yms_yubikeys SET session_count = {$otp['session']}, token_count = {$otp['count']}, access_time = " . time() . ", token_time = {$otp['timestamp']} WHERE id = $yubikey_id;");
+ if ( !$q )
+ $db->_die();
+
+ // check timestamp
+ if ( $otp['session'] == $session_count )
+ {
+ $expect_delta = time() - $access_time;
+ // 8Hz Yubikey internal clock
+ $actual_delta = intval(( $otp['timestamp'] - $token_time ) / 8);
+ $fuzz = 150;
+ if ( !yms_within($expect_delta, $actual_delta, $fuzz) )
+ {
+ // if we have a likely wraparound, just pass it
+ if ( !($token_time > 0xe80000 && $otp['timestamp'] < 0x800000) )
+ {
+ return 'BAD_OTP';
+ }
+ }
+ // $debug_array = array('ts_debug_delta_expected' => $expect_delta, 'ts_debug_delta_received' => $actual_delta);
+ }
+
+ // looks like we're good
+ return 'OK';
+}
diff -r 000000000000 -r 9997bee9ad03 yms/cp.js
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/yms/cp.js Fri Jul 31 23:51:08 2009 -0400
@@ -0,0 +1,269 @@
+function yms_showpage(page)
+{
+ load_component(['fadefilter', 'jquery', 'jquery-ui']);
+ yms_destroy_float();
+
+ if ( aclDisableTransitionFX )
+ jQuery.fx.off = true;
+
+ darken(true, 70, 'ymsmask');
+
+ $('body').append('