author | Dan |
Fri, 31 Jul 2009 23:48:56 -0400 | |
changeset 27 | 647f0aa485dd |
parent 22 | 9b8688df52d5 |
child 29 | 7cd9707ed72f |
permissions | -rw-r--r-- |
0 | 1 |
<?php |
2 |
||
3 |
define('YK_SEC_NORMAL_USERNAME', 1); |
|
4 |
define('YK_SEC_NORMAL_PASSWORD', 2); |
|
5 |
define('YK_SEC_ELEV_USERNAME', 4); |
|
6 |
define('YK_SEC_ELEV_PASSWORD', 8); |
|
7 |
define('YK_SEC_ALLOW_NO_OTP', 16); |
|
8 |
||
9 |
define('YK_DEFAULT_VERIFY_URL', 'http://api.yubico.com/wsapi/verify'); |
|
10 |
||
11 |
function generate_yubikey_field($name = 'yubikey_otp', $value = false) |
|
12 |
{ |
|
13 |
global $lang; |
|
14 |
||
15 |
$fid = substr(sha1(microtime() . mt_rand()), 0, 12); |
|
16 |
$class = $value ? 'wasfull' : 'wasempty'; |
|
17 |
$html = '<input id="yubifield' . $fid . '" class="' . $class . '" type="hidden" name="' . $name . '" value="' . ( is_string($value) ? $value : '' ) . '" />'; |
|
18 |
if ( $value ) |
|
19 |
{ |
|
20 |
$html .= '<span id="yubistat' . $fid . '" class="yubikey_status enrolled">' . $lang->get('yubiauth_ctl_status_enrolled') . '</span>'; |
|
21 |
$atext = $lang->get('yubiauth_ctl_btn_change_key'); |
|
22 |
$classadd = ' abutton_green'; |
|
23 |
} |
|
24 |
else |
|
25 |
{ |
|
26 |
$html .= '<span id="yubistat' . $fid . '" class="yubikey_status empty">' . $lang->get('yubiauth_ctl_status_empty') . '</span>'; |
|
27 |
$atext = $lang->get('yubiauth_ctl_btn_enroll'); |
|
28 |
$classadd = ''; |
|
29 |
} |
|
30 |
$html .= ' <a class="abutton' . $classadd . ' yubikey_enroll" onclick="yk_mb_init(\'yubifield' . $fid . '\', \'yubistat' . $fid . '\'); return false;" href="#enroll">' . $atext . '</a>'; |
|
31 |
if ( $value ) |
|
32 |
{ |
|
33 |
$html .= ' <a class="abutton abutton_red yubikey_enroll" onclick="yk_clear(\'yubifield' . $fid . '\', \'yubistat' . $fid . '\'); return false;" href="#enroll">' |
|
34 |
. $lang->get('yubiauth_ctl_btn_clear') . |
|
35 |
'</a>'; |
|
36 |
} |
|
37 |
$html = '<noscript><input type="text" name="' . $name . '" class="yubikey_noscript" value="' . ( is_string($value) ? $value : '' ) . '" /> </noscript>' |
|
38 |
. $html; // '<script type="text/javascript">document.write(unescape("' . rawurlencode($html) . '"));</script>'; |
|
39 |
return $html; |
|
40 |
} |
|
41 |
||
42 |
function yubikey_validate_otp($otp) |
|
43 |
{ |
|
44 |
$api_key = getConfig('yubikey_api_key'); |
|
45 |
$api_id = getConfig('yubikey_api_key_id'); |
|
46 |
if ( !$api_key || !$api_id ) |
|
47 |
{ |
|
48 |
return array( |
|
49 |
'success' => false, |
|
50 |
'error' => 'missing_api_key' |
|
51 |
); |
|
52 |
} |
|
53 |
if ( !preg_match('/^[cbdefghijklnrtuv]{44}$/', $otp) ) |
|
54 |
{ |
|
55 |
return array( |
|
56 |
'success' => false, |
|
57 |
'error' => 'otp_invalid_chars' |
|
58 |
); |
|
59 |
} |
|
27 | 60 |
// are we using local YMS? |
61 |
if ( getConfig('yubikey_use_local_yms', 0) && defined('YMS_INSTALLED') ) |
|
62 |
{ |
|
63 |
$result = yms_validate_otp($otp, $api_id); |
|
64 |
if ( $result == 'OK' ) |
|
65 |
{ |
|
66 |
return array( |
|
67 |
'success' => true |
|
68 |
); |
|
69 |
} |
|
70 |
else |
|
71 |
{ |
|
72 |
return array( |
|
73 |
'success' => false, |
|
74 |
'error' => strtolower("response_{$result}") |
|
75 |
); |
|
76 |
} |
|
77 |
} |
|
0 | 78 |
// make HTTP request |
79 |
require_once( ENANO_ROOT . '/includes/http.php' ); |
|
80 |
$auth_url = getConfig('yubikey_auth_server', YK_DEFAULT_VERIFY_URL); |
|
81 |
$auth_url = preg_replace('#^https?://#i', '', $auth_url); |
|
16 | 82 |
if ( !preg_match('#^(\[?[a-z0-9-:]+(?:\.[a-z0-9-:]+\]?)*)(?::([0-9]+))?(/.*)$#U', $auth_url, $match) ) |
0 | 83 |
{ |
84 |
return array( |
|
85 |
'success' => false, |
|
86 |
'error' => 'invalid_auth_url' |
|
87 |
); |
|
88 |
} |
|
89 |
$auth_server =& $match[1]; |
|
16 | 90 |
$auth_port = ( !empty($match[2]) ) ? intval($match[2]) : 80; |
91 |
$auth_uri =& $match[3]; |
|
92 |
try |
|
93 |
{ |
|
94 |
$req = new Request_HTTP($auth_server, $auth_uri, 'GET', $auth_port); |
|
95 |
$req->add_get('id', strval($api_id)); |
|
96 |
$req->add_get('otp', $otp); |
|
97 |
$req->add_get('h', yubikey_sign($req->parms_get)); |
|
0 | 98 |
|
16 | 99 |
$response = $req->get_response_body(); |
100 |
} |
|
101 |
catch ( Exception $e ) |
|
102 |
{ |
|
103 |
return array( |
|
104 |
'success' => false, |
|
105 |
'error' => 'http_failed', |
|
106 |
'http_error' => $e->getMessage() |
|
107 |
); |
|
108 |
} |
|
0 | 109 |
|
110 |
if ( $req->response_code != HTTP_OK ) |
|
111 |
{ |
|
112 |
return array( |
|
113 |
'success' => false, |
|
114 |
'error' => 'http_response_error' |
|
115 |
); |
|
116 |
} |
|
117 |
$response = trim($response); |
|
4
73aecd46bb56
Should work with Yubico's official server now - forgot to account for newlines.
Dan
parents:
3
diff
changeset
|
118 |
if ( !preg_match_all('/^([a-z0-9_]+)=(.*?)\r?$/m', $response, $matches) ) |
0 | 119 |
{ |
120 |
return array( |
|
121 |
'success' => false, |
|
122 |
'error' => 'malformed_response' |
|
123 |
); |
|
124 |
} |
|
125 |
$response = array(); |
|
126 |
foreach ( $matches[0] as $i => $_ ) |
|
127 |
{ |
|
128 |
$response[$matches[1][$i]] = $matches[2][$i]; |
|
129 |
} |
|
130 |
// make sure we have a status |
|
131 |
if ( !isset($response['status']) ) |
|
132 |
{ |
|
133 |
return array( |
|
134 |
'success' => false, |
|
135 |
'error' => 'response_missing_status' |
|
136 |
); |
|
137 |
} |
|
138 |
// verify response signature |
|
139 |
// MISSING_PARAMETER is the ONLY situation under which an unsigned response is acceptable |
|
140 |
if ( $response['status'] !== 'MISSING_PARAMETER' ) |
|
141 |
{ |
|
142 |
if ( !isset($response['h']) ) |
|
143 |
{ |
|
144 |
return array( |
|
145 |
'success' => false, |
|
146 |
'error' => 'response_missing_sig' |
|
147 |
); |
|
148 |
} |
|
149 |
if ( yubikey_sign($response) !== $response['h'] ) |
|
150 |
{ |
|
151 |
return array( |
|
152 |
'success' => false, |
|
153 |
'error' => 'response_invalid_sig' |
|
154 |
); |
|
155 |
} |
|
156 |
} |
|
157 |
if ( $response['status'] === 'OK' ) |
|
158 |
{ |
|
10 | 159 |
if ( yubikey_verify_timestamp($response['t']) ) |
160 |
{ |
|
161 |
return array( |
|
162 |
'success' => true |
|
163 |
); |
|
164 |
} |
|
165 |
else |
|
166 |
{ |
|
167 |
return array( |
|
168 |
'success' => false, |
|
169 |
'error' => 'timestamp_check_failed' |
|
170 |
); |
|
171 |
} |
|
0 | 172 |
} |
173 |
else |
|
174 |
{ |
|
175 |
return array( |
|
176 |
'success' => false, |
|
177 |
'error' => strtolower("response_{$response['status']}") |
|
178 |
); |
|
179 |
} |
|
180 |
} |
|
181 |
||
27 | 182 |
function yubikey_sign($arr, $use_api_key = false) |
0 | 183 |
{ |
184 |
static $api_key = false; |
|
185 |
||
186 |
ksort($arr); |
|
187 |
||
27 | 188 |
if ( !$use_api_key ) |
0 | 189 |
{ |
27 | 190 |
if ( !$api_key ) |
191 |
{ |
|
192 |
$api_key = getConfig('yubikey_api_key'); |
|
193 |
$api_key = hexencode(base64_decode($api_key), '', ''); |
|
194 |
} |
|
195 |
$use_api_key = $api_key; |
|
0 | 196 |
} |
27 | 197 |
/* |
198 |
else |
|
199 |
{ |
|
200 |
$use_api_key = hexencode(base64_decode($use_api_key), '', ''); |
|
201 |
} |
|
202 |
*/ |
|
0 | 203 |
|
27 | 204 |
foreach ( array('h', 'title', 'auth', 'do') as $key ) |
205 |
{ |
|
206 |
if ( isset($arr[$key]) ) |
|
207 |
unset($arr[$key]); |
|
208 |
} |
|
4
73aecd46bb56
Should work with Yubico's official server now - forgot to account for newlines.
Dan
parents:
3
diff
changeset
|
209 |
|
0 | 210 |
$req = array(); |
211 |
foreach ( $arr as $key => $val ) |
|
212 |
{ |
|
213 |
$req[] = "$key=$val"; |
|
214 |
} |
|
215 |
$req = implode('&', $req); |
|
216 |
||
27 | 217 |
$sig = hmac_sha1($req, $use_api_key); |
0 | 218 |
$sig = hexdecode($sig); |
219 |
$sig = base64_encode($sig); |
|
220 |
||
221 |
return $sig; |
|
222 |
} |
|
223 |
||
10 | 224 |
/** |
225 |
* Validate the timestamp returned in a Yubico API response. Borrowed from Drupal and backported for friendliness with earlier versions of PHP. |
|
226 |
* @param string Yubico timestamp |
|
227 |
* @return bool True if valid, false otherwise |
|
228 |
*/ |
|
229 |
||
230 |
function yubikey_verify_timestamp($timestamp) |
|
231 |
{ |
|
232 |
$tolerance = intval(getConfig('yubikey_api_ts_tolerance', 150)); |
|
233 |
||
234 |
$now = time(); |
|
21
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
235 |
$timestamp_seconds = yk_strtotime($timestamp); |
10 | 236 |
|
21
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
237 |
if ( !$timestamp || !$now || !$timestamp_seconds ) |
10 | 238 |
{ |
239 |
return false; |
|
240 |
} |
|
241 |
||
242 |
if ( ( $timestamp_seconds + $tolerance ) > $now && ( $timestamp_seconds - $tolerance ) < $now ) |
|
243 |
{ |
|
244 |
return true; |
|
245 |
} |
|
246 |
||
247 |
return false; |
|
248 |
} |
|
249 |
||
21
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
250 |
function yk_strtotime($timestamp) |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
251 |
{ |
22 | 252 |
if ( !preg_match('/^([0-9]{4})-([0-9]{2})-([0-9]{2})T([0-9]{2}):([0-9]{2}):([0-9]{2})(?:Z[0-9]+)?$/', $timestamp, $match) ) |
21
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
253 |
return 0; |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
254 |
|
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
255 |
$hour = intval($match[4]); |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
256 |
$minute = intval($match[5]); |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
257 |
$second = intval($match[6]); |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
258 |
$month = intval($match[2]); |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
259 |
$day = intval($match[3]); |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
260 |
$year = intval($match[1]); |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
261 |
|
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
262 |
return gmmktime($hour, $minute, $second, $month, $day, $year); |
f34ecfa459ab
Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents:
20
diff
changeset
|
263 |
} |
10 | 264 |
|
0 | 265 |
$plugins->attachHook('compile_template', 'yubikey_attach_headers($this);'); |
266 |
||
267 |
function yubikey_attach_headers(&$template) |
|
268 |
{ |
|
10 | 269 |
global $db, $session, $paths, $template, $plugins; // Common objects |
270 |
||
3
d0fe7acaf0e8
Maybe we could actually make yubikey_enable in config not ignored!
Dan
parents:
0
diff
changeset
|
271 |
if ( getConfig('yubikey_enable', '1') != '1' ) |
d0fe7acaf0e8
Maybe we could actually make yubikey_enable in config not ignored!
Dan
parents:
0
diff
changeset
|
272 |
return true; |
d0fe7acaf0e8
Maybe we could actually make yubikey_enable in config not ignored!
Dan
parents:
0
diff
changeset
|
273 |
|
0 | 274 |
$template->add_header('<script type="text/javascript" src="' . scriptPath . '/plugins/yubikey/yubikey.js"></script>'); |
275 |
$template->add_header('<link rel="stylesheet" type="text/css" href="' . scriptPath . '/plugins/yubikey/yubikey.css" />'); |
|
9
65965da01c41
If yubikey_reg_require_otp is 1, opening login window now auto-opens Yubikey prompt
Dan
parents:
4
diff
changeset
|
276 |
// config option for all users have yubikey |
10 | 277 |
$user_flags = 0; |
18
dd8c53454f31
Yubikey flags are no longer fetched from server at login time, instead provided with load
Dan
parents:
16
diff
changeset
|
278 |
$yk_enabled = 0; |
10 | 279 |
if ( $session->user_logged_in ) |
280 |
{ |
|
20
5a359c7ebc48
Fixed "Mixing of GROUP columns (MIN(),MAX(),COUNT(),...) with no GROUP columns is illegal if there is no GROUP BY clause"
Dan
parents:
19
diff
changeset
|
281 |
$q = $db->sql_query('SELECT COUNT(y.yubi_uid) > 0, u.user_yubikey_flags FROM ' . table_prefix . "yubikey AS y LEFT JOIN " . table_prefix . "users AS u ON ( u.user_id = y.user_id ) WHERE y.user_id = {$session->user_id} GROUP BY u.user_id, u.user_yubikey_flags;"); |
10 | 282 |
if ( !$q ) |
283 |
$db->_die(); |
|
284 |
||
18
dd8c53454f31
Yubikey flags are no longer fetched from server at login time, instead provided with load
Dan
parents:
16
diff
changeset
|
285 |
list($yk_enabled, $user_flags) = $db->fetchrow_num(); |
10 | 286 |
$db->free_result(); |
287 |
} |
|
288 |
||
18
dd8c53454f31
Yubikey flags are no longer fetched from server at login time, instead provided with load
Dan
parents:
16
diff
changeset
|
289 |
$template->add_header('<script type="text/javascript">var yk_reg_require_otp = ' . getConfig('yubikey_reg_require_otp', '0') . '; var yk_user_enabled = ' . $yk_enabled . '; var yk_user_flags = ' . $user_flags . ';</script>'); |
0 | 290 |
} |
291 |