Yubikey support: plugins/yubikey/corelib.php@03d6287d4a8b (annotated)

0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	1	<?php
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	2
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	3	define('YK_SEC_NORMAL_USERNAME', 1);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	4	define('YK_SEC_NORMAL_PASSWORD', 2);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	5	define('YK_SEC_ELEV_USERNAME', 4);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	6	define('YK_SEC_ELEV_PASSWORD', 8);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	7	define('YK_SEC_ALLOW_NO_OTP', 16);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	8
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	9	define('YK_DEFAULT_VERIFY_URL', 'http://api.yubico.com/wsapi/verify');
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	10
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	11	function generate_yubikey_field($name = 'yubikey_otp', $value = false)
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	12	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	13	global $lang;
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	14
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	15	$fid = substr(sha1(microtime() . mt_rand()), 0, 12);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	16	$class = $value ? 'wasfull' : 'wasempty';
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	17	$html = '<input id="yubifield' . $fid . '" class="' . $class . '" type="hidden" name="' . $name . '" value="' . ( is_string($value) ? $value : '' ) . '" />';
29 7cd9707ed72f Fixed OTP field behavior (improper/empty submission) exposed in YMS Dan parents: 27 diff changeset	18	$html .= '<noscript><input type="text" name="' . $name . '" class="yubikey_noscript" value="' . ( is_string($value) ? $value : '' ) . '" /> </noscript>';
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	19	if ( $value )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	20	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	21	$html .= '<span id="yubistat' . $fid . '" class="yubikey_status enrolled">' . $lang->get('yubiauth_ctl_status_enrolled') . '</span>';
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	22	$atext = $lang->get('yubiauth_ctl_btn_change_key');
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	23	$classadd = ' abutton_green';
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	24	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	25	else
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	26	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	27	$html .= '<span id="yubistat' . $fid . '" class="yubikey_status empty">' . $lang->get('yubiauth_ctl_status_empty') . '</span>';
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	28	$atext = $lang->get('yubiauth_ctl_btn_enroll');
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	29	$classadd = '';
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	30	}
35 03d6287d4a8b Modified yubifields in forms to show the OTP prefix; modified some strings Dan parents: 29 diff changeset	31
03d6287d4a8b Modified yubifields in forms to show the OTP prefix; modified some strings Dan parents: 29 diff changeset	32	$html .= ' <span class="yubikey_pubkey">';
03d6287d4a8b Modified yubifields in forms to show the OTP prefix; modified some strings Dan parents: 29 diff changeset	33	if ( !empty($value) )
03d6287d4a8b Modified yubifields in forms to show the OTP prefix; modified some strings Dan parents: 29 diff changeset	34	$html .= htmlspecialchars(substr($value, 0, 12));
03d6287d4a8b Modified yubifields in forms to show the OTP prefix; modified some strings Dan parents: 29 diff changeset	35	$html .= '</span> ';
03d6287d4a8b Modified yubifields in forms to show the OTP prefix; modified some strings Dan parents: 29 diff changeset	36
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	37	$html .= ' <a class="abutton' . $classadd . ' yubikey_enroll" onclick="yk_mb_init(\'yubifield' . $fid . '\', \'yubistat' . $fid . '\'); return false;" href="#enroll">' . $atext . '</a>';
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	38	if ( $value )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	39	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	40	$html .= ' <a class="abutton abutton_red yubikey_enroll" onclick="yk_clear(\'yubifield' . $fid . '\', \'yubistat' . $fid . '\'); return false;" href="#enroll">'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	41	. $lang->get('yubiauth_ctl_btn_clear') .
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	42	'</a>';
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	43	}
35 03d6287d4a8b Modified yubifields in forms to show the OTP prefix; modified some strings Dan parents: 29 diff changeset	44
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	45	return $html;
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	46	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	47
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	48	function yubikey_validate_otp($otp)
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	49	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	50	$api_key = getConfig('yubikey_api_key');
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	51	$api_id = getConfig('yubikey_api_key_id');
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	52	if ( !$api_key \|\| !$api_id )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	53	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	54	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	55	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	56	'error' => 'missing_api_key'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	57	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	58	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	59	if ( !preg_match('/^[cbdefghijklnrtuv]{44}$/', $otp) )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	60	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	61	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	62	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	63	'error' => 'otp_invalid_chars'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	64	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	65	}
27 647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	66	// are we using local YMS?
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	67	if ( getConfig('yubikey_use_local_yms', 0) && defined('YMS_INSTALLED') )
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	68	{
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	69	$result = yms_validate_otp($otp, $api_id);
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	70	if ( $result == 'OK' )
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	71	{
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	72	return array(
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	73	'success' => true
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	74	);
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	75	}
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	76	else
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	77	{
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	78	return array(
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	79	'success' => false,
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	80	'error' => strtolower("response_{$result}")
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	81	);
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	82	}
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	83	}
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	84	// make HTTP request
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	85	require_once( ENANO_ROOT . '/includes/http.php' );
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	86	$auth_url = getConfig('yubikey_auth_server', YK_DEFAULT_VERIFY_URL);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	87	$auth_url = preg_replace('#^https?://#i', '', $auth_url);
16 3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	88	if ( !preg_match('#^(\[?[a-z0-9-:]+(?:\.[a-z0-9-:]+\]?))(?::([0-9]+))?(/.)$#U', $auth_url, $match) )
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	89	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	90	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	91	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	92	'error' => 'invalid_auth_url'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	93	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	94	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	95	$auth_server =& $match[1];
16 3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	96	$auth_port = ( !empty($match[2]) ) ? intval($match[2]) : 80;
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	97	$auth_uri =& $match[3];
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	98	try
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	99	{
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	100	$req = new Request_HTTP($auth_server, $auth_uri, 'GET', $auth_port);
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	101	$req->add_get('id', strval($api_id));
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	102	$req->add_get('otp', $otp);
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	103	$req->add_get('h', yubikey_sign($req->parms_get));
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	104
16 3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	105	$response = $req->get_response_body();
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	106	}
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	107	catch ( Exception $e )
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	108	{
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	109	return array(
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	110	'success' => false,
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	111	'error' => 'http_failed',
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	112	'http_error' => $e->getMessage()
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	113	);
3163b9f58ae8 Added error for HTTP connection failure. Dan parents: 10 diff changeset	114	}
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	115
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	116	if ( $req->response_code != HTTP_OK )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	117	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	118	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	119	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	120	'error' => 'http_response_error'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	121	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	122	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	123	$response = trim($response);
4 73aecd46bb56 Should work with Yubico's official server now - forgot to account for newlines. Dan parents: 3 diff changeset	124	if ( !preg_match_all('/^([a-z0-9_]+)=(.*?)\r?$/m', $response, $matches) )
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	125	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	126	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	127	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	128	'error' => 'malformed_response'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	129	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	130	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	131	$response = array();
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	132	foreach ( $matches[0] as $i => $_ )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	133	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	134	$response[$matches[1][$i]] = $matches[2][$i];
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	135	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	136	// make sure we have a status
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	137	if ( !isset($response['status']) )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	138	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	139	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	140	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	141	'error' => 'response_missing_status'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	142	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	143	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	144	// verify response signature
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	145	// MISSING_PARAMETER is the ONLY situation under which an unsigned response is acceptable
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	146	if ( $response['status'] !== 'MISSING_PARAMETER' )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	147	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	148	if ( !isset($response['h']) )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	149	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	150	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	151	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	152	'error' => 'response_missing_sig'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	153	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	154	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	155	if ( yubikey_sign($response) !== $response['h'] )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	156	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	157	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	158	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	159	'error' => 'response_invalid_sig'
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	160	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	161	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	162	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	163	if ( $response['status'] === 'OK' )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	164	{
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	165	if ( yubikey_verify_timestamp($response['t']) )
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	166	{
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	167	return array(
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	168	'success' => true
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	169	);
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	170	}
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	171	else
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	172	{
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	173	return array(
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	174	'success' => false,
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	175	'error' => 'timestamp_check_failed'
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	176	);
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	177	}
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	178	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	179	else
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	180	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	181	return array(
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	182	'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	183	'error' => strtolower("response_{$response['status']}")
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	184	);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	185	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	186	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	187
27 647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	188	function yubikey_sign($arr, $use_api_key = false)
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	189	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	190	static $api_key = false;
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	191
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	192	ksort($arr);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	193
27 647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	194	if ( !$use_api_key )
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	195	{
27 647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	196	if ( !$api_key )
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	197	{
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	198	$api_key = getConfig('yubikey_api_key');
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	199	$api_key = hexencode(base64_decode($api_key), '', '');
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	200	}
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	201	$use_api_key = $api_key;
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	202	}
27 647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	203	/*
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	204	else
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	205	{
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	206	$use_api_key = hexencode(base64_decode($use_api_key), '', '');
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	207	}
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	208	*/
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	209
27 647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	210	foreach ( array('h', 'title', 'auth', 'do') as $key )
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	211	{
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	212	if ( isset($arr[$key]) )
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	213	unset($arr[$key]);
647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	214	}
4 73aecd46bb56 Should work with Yubico's official server now - forgot to account for newlines. Dan parents: 3 diff changeset	215
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	216	$req = array();
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	217	foreach ( $arr as $key => $val )
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	218	{
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	219	$req[] = "$key=$val";
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	220	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	221	$req = implode('&', $req);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	222
27 647f0aa485dd Some modifications to support the YMS plugin Dan parents: 22 diff changeset	223	$sig = hmac_sha1($req, $use_api_key);
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	224	$sig = hexdecode($sig);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	225	$sig = base64_encode($sig);
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	226
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	227	return $sig;
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	228	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	229
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	230	/**
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	231	* Validate the timestamp returned in a Yubico API response. Borrowed from Drupal and backported for friendliness with earlier versions of PHP.
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	232	* @param string Yubico timestamp
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	233	* @return bool True if valid, false otherwise
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	234	*/
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	235
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	236	function yubikey_verify_timestamp($timestamp)
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	237	{
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	238	$tolerance = intval(getConfig('yubikey_api_ts_tolerance', 150));
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	239
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	240	$now = time();
21 f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	241	$timestamp_seconds = yk_strtotime($timestamp);
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	242
21 f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	243	if ( !$timestamp \|\| !$now \|\| !$timestamp_seconds )
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	244	{
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	245	return false;
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	246	}
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	247
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	248	if ( ( $timestamp_seconds + $tolerance ) > $now && ( $timestamp_seconds - $tolerance ) < $now )
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	249	{
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	250	return true;
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	251	}
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	252
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	253	return false;
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	254	}
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	255
21 f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	256	function yk_strtotime($timestamp)
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	257	{
22 9b8688df52d5 Fixed no tolerance for missing Z in response timestamp Dan parents: 21 diff changeset	258	if ( !preg_match('/^([0-9]{4})-([0-9]{2})-([0-9]{2})T([0-9]{2}):([0-9]{2}):([0-9]{2})(?:Z[0-9]+)?$/', $timestamp, $match) )
21 f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	259	return 0;
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	260
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	261	$hour = intval($match[4]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	262	$minute = intval($match[5]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	263	$second = intval($match[6]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	264	$month = intval($match[2]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	265	$day = intval($match[3]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	266	$year = intval($match[1]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	267
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	268	return gmmktime($hour, $minute, $second, $month, $day, $year);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable. Dan parents: 20 diff changeset	269	}
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	270
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	271	$plugins->attachHook('compile_template', 'yubikey_attach_headers($this);');
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	272
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	273	function yubikey_attach_headers(&$template)
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	274	{
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	275	global $db, $session, $paths, $template, $plugins; // Common objects
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	276
3 d0fe7acaf0e8 Maybe we could actually make yubikey_enable in config not ignored! Dan parents: 0 diff changeset	277	if ( getConfig('yubikey_enable', '1') != '1' )
d0fe7acaf0e8 Maybe we could actually make yubikey_enable in config not ignored! Dan parents: 0 diff changeset	278	return true;
d0fe7acaf0e8 Maybe we could actually make yubikey_enable in config not ignored! Dan parents: 0 diff changeset	279
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	280	$template->add_header('<script type="text/javascript" src="' . scriptPath . '/plugins/yubikey/yubikey.js"></script>');
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	281	$template->add_header('<link rel="stylesheet" type="text/css" href="' . scriptPath . '/plugins/yubikey/yubikey.css" />');
9 65965da01c41 If yubikey_reg_require_otp is 1, opening login window now auto-opens Yubikey prompt Dan parents: 4 diff changeset	282	// config option for all users have yubikey
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	283	$user_flags = 0;
18 dd8c53454f31 Yubikey flags are no longer fetched from server at login time, instead provided with load Dan parents: 16 diff changeset	284	$yk_enabled = 0;
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	285	if ( $session->user_logged_in )
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	286	{
20 5a359c7ebc48 Fixed "Mixing of GROUP columns (MIN(),MAX(),COUNT(),...) with no GROUP columns is illegal if there is no GROUP BY clause" Dan parents: 19 diff changeset	287	$q = $db->sql_query('SELECT COUNT(y.yubi_uid) > 0, u.user_yubikey_flags FROM ' . table_prefix . "yubikey AS y LEFT JOIN " . table_prefix . "users AS u ON ( u.user_id = y.user_id ) WHERE y.user_id = {$session->user_id} GROUP BY u.user_id, u.user_yubikey_flags;");
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	288	if ( !$q )
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	289	$db->_die();
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	290
18 dd8c53454f31 Yubikey flags are no longer fetched from server at login time, instead provided with load Dan parents: 16 diff changeset	291	list($yk_enabled, $user_flags) = $db->fetchrow_num();
10 748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	292	$db->free_result();
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	293	}
748fa1b80031 Added timestamp-based verification. Dan parents: 9 diff changeset	294
18 dd8c53454f31 Yubikey flags are no longer fetched from server at login time, instead provided with load Dan parents: 16 diff changeset	295	$template->add_header('<script type="text/javascript">var yk_reg_require_otp = ' . getConfig('yubikey_reg_require_otp', '0') . '; var yk_user_enabled = ' . $yk_enabled . '; var yk_user_flags = ' . $user_flags . ';</script>');
0 9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	296	}
9d2c4f04a0d0 First commit! Hoping everything works. Dan parents: diff changeset	297

author	Dan
	Fri, 18 Dec 2009 19:29:33 -0500
changeset 35	03d6287d4a8b
parent 29	7cd9707ed72f
child 36	f2aa4bc50d2f
permissions	-rw-r--r--