plugins/yubikey/corelib.php
author Dan
Tue, 04 Aug 2009 19:37:38 -0400
changeset 29 7cd9707ed72f
parent 27 647f0aa485dd
child 35 03d6287d4a8b
permissions -rw-r--r--
Fixed OTP field behavior (improper/empty submission) exposed in YMS
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     1
<?php
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     2
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     3
define('YK_SEC_NORMAL_USERNAME', 1);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     4
define('YK_SEC_NORMAL_PASSWORD', 2);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     5
define('YK_SEC_ELEV_USERNAME', 4);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     6
define('YK_SEC_ELEV_PASSWORD', 8);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     7
define('YK_SEC_ALLOW_NO_OTP', 16);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     8
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
     9
define('YK_DEFAULT_VERIFY_URL', 'http://api.yubico.com/wsapi/verify');
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    10
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    11
function generate_yubikey_field($name = 'yubikey_otp', $value = false)
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    12
{
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    13
  global $lang;
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    14
  
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    15
  $fid = substr(sha1(microtime() . mt_rand()), 0, 12);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    16
  $class = $value ? 'wasfull' : 'wasempty';
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    17
  $html = '<input id="yubifield' . $fid . '" class="' . $class . '" type="hidden" name="' . $name . '" value="' . ( is_string($value) ? $value : '' ) . '" />';
29
7cd9707ed72f Fixed OTP field behavior (improper/empty submission) exposed in YMS
Dan
parents: 27
diff changeset
    18
  $html .= '<noscript><input type="text" name="' . $name . '" class="yubikey_noscript" value="' . ( is_string($value) ? $value : '' ) . '" /> </noscript>';
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    19
  if ( $value )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    20
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    21
    $html .= '<span id="yubistat' . $fid . '" class="yubikey_status enrolled">' . $lang->get('yubiauth_ctl_status_enrolled') . '</span>';
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    22
    $atext = $lang->get('yubiauth_ctl_btn_change_key');
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    23
    $classadd = ' abutton_green';
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    24
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    25
  else
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    26
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    27
    $html .= '<span id="yubistat' . $fid . '" class="yubikey_status empty">' . $lang->get('yubiauth_ctl_status_empty') . '</span>';
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    28
    $atext = $lang->get('yubiauth_ctl_btn_enroll');
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    29
    $classadd = '';
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    30
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    31
  $html .= ' <a class="abutton' . $classadd . ' yubikey_enroll" onclick="yk_mb_init(\'yubifield' . $fid . '\', \'yubistat' . $fid . '\'); return false;" href="#enroll">' . $atext . '</a>';
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    32
  if ( $value )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    33
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    34
    $html .= ' <a class="abutton abutton_red yubikey_enroll" onclick="yk_clear(\'yubifield' . $fid . '\', \'yubistat' . $fid . '\'); return false;" href="#enroll">'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    35
             . $lang->get('yubiauth_ctl_btn_clear') .
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    36
             '</a>';
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    37
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    38
  return $html;
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    39
}
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    40
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    41
function yubikey_validate_otp($otp)
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    42
{
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    43
  $api_key = getConfig('yubikey_api_key');
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    44
  $api_id  = getConfig('yubikey_api_key_id');
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    45
  if ( !$api_key || !$api_id )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    46
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    47
    return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    48
        'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    49
        'error' => 'missing_api_key'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    50
      );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    51
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    52
  if ( !preg_match('/^[cbdefghijklnrtuv]{44}$/', $otp) )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    53
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    54
    return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    55
        'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    56
        'error' => 'otp_invalid_chars'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    57
      );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    58
  }
27
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    59
  // are we using local YMS?
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    60
  if ( getConfig('yubikey_use_local_yms', 0) && defined('YMS_INSTALLED') )
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    61
  {
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    62
    $result = yms_validate_otp($otp, $api_id);
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    63
    if ( $result == 'OK' )
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    64
    {
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    65
      return array(
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    66
          'success' => true
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    67
        );
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    68
    }
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    69
    else
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    70
    {
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    71
      return array(
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    72
        'success' => false,
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    73
        'error' => strtolower("response_{$result}")
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    74
      );
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    75
    }
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
    76
  }
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    77
  // make HTTP request
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    78
  require_once( ENANO_ROOT . '/includes/http.php' );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    79
  $auth_url = getConfig('yubikey_auth_server', YK_DEFAULT_VERIFY_URL);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    80
  $auth_url = preg_replace('#^https?://#i', '', $auth_url);
16
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    81
  if ( !preg_match('#^(\[?[a-z0-9-:]+(?:\.[a-z0-9-:]+\]?)*)(?::([0-9]+))?(/.*)$#U', $auth_url, $match) )
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    82
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    83
    return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    84
        'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    85
        'error' => 'invalid_auth_url'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    86
      );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    87
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    88
  $auth_server =& $match[1];
16
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    89
  $auth_port = ( !empty($match[2]) ) ? intval($match[2]) : 80;
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    90
  $auth_uri =& $match[3];
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    91
  try
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    92
  {
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    93
    $req = new Request_HTTP($auth_server, $auth_uri, 'GET', $auth_port);
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    94
    $req->add_get('id', strval($api_id));
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    95
    $req->add_get('otp', $otp);
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    96
    $req->add_get('h', yubikey_sign($req->parms_get));
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
    97
  
16
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    98
    $response = $req->get_response_body();
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
    99
  }
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
   100
  catch ( Exception $e )
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
   101
  {
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
   102
    return array(
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
   103
        'success' => false,
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
   104
        'error' => 'http_failed',
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
   105
        'http_error' => $e->getMessage()
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
   106
      );
3163b9f58ae8 Added error for HTTP connection failure.
Dan
parents: 10
diff changeset
   107
  }
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   108
  
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   109
  if ( $req->response_code != HTTP_OK )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   110
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   111
    return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   112
        'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   113
        'error' => 'http_response_error'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   114
      );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   115
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   116
  $response = trim($response);
4
73aecd46bb56 Should work with Yubico's official server now - forgot to account for newlines.
Dan
parents: 3
diff changeset
   117
  if ( !preg_match_all('/^([a-z0-9_]+)=(.*?)\r?$/m', $response, $matches) )
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   118
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   119
    return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   120
        'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   121
        'error' => 'malformed_response'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   122
      );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   123
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   124
  $response = array();
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   125
  foreach ( $matches[0] as $i => $_ )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   126
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   127
    $response[$matches[1][$i]] = $matches[2][$i];
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   128
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   129
  // make sure we have a status
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   130
  if ( !isset($response['status']) )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   131
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   132
    return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   133
        'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   134
        'error' => 'response_missing_status'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   135
      );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   136
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   137
  // verify response signature
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   138
  // MISSING_PARAMETER is the ONLY situation under which an unsigned response is acceptable
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   139
  if ( $response['status'] !== 'MISSING_PARAMETER' )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   140
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   141
    if ( !isset($response['h']) )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   142
    {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   143
      return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   144
          'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   145
          'error' => 'response_missing_sig'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   146
        );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   147
    }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   148
    if ( yubikey_sign($response) !== $response['h'] )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   149
    {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   150
      return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   151
          'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   152
          'error' => 'response_invalid_sig'
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   153
        );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   154
    }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   155
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   156
  if ( $response['status'] === 'OK' )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   157
  {
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   158
    if ( yubikey_verify_timestamp($response['t']) )
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   159
    {
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   160
      return array(
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   161
          'success' => true
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   162
        );
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   163
    }
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   164
    else
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   165
    {
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   166
      return array(
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   167
          'success' => false,
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   168
          'error' => 'timestamp_check_failed'
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   169
        );
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   170
    }
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   171
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   172
  else
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   173
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   174
    return array(
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   175
        'success' => false,
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   176
        'error' => strtolower("response_{$response['status']}")
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   177
      );
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   178
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   179
}
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   180
27
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   181
function yubikey_sign($arr, $use_api_key = false)
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   182
{
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   183
  static $api_key = false;
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   184
  
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   185
  ksort($arr);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   186
  
27
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   187
  if ( !$use_api_key )
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   188
  {
27
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   189
    if ( !$api_key )
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   190
    {
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   191
      $api_key = getConfig('yubikey_api_key');
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   192
      $api_key = hexencode(base64_decode($api_key), '', '');
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   193
    }
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   194
    $use_api_key = $api_key;
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   195
  }
27
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   196
  /*
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   197
  else
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   198
  {
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   199
    $use_api_key = hexencode(base64_decode($use_api_key), '', '');
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   200
  }
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   201
  */
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   202
  
27
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   203
  foreach ( array('h', 'title', 'auth', 'do') as $key )
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   204
  {
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   205
    if ( isset($arr[$key]) )
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   206
      unset($arr[$key]);
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   207
  }
4
73aecd46bb56 Should work with Yubico's official server now - forgot to account for newlines.
Dan
parents: 3
diff changeset
   208
  
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   209
  $req = array();
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   210
  foreach ( $arr as $key => $val )
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   211
  {
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   212
    $req[] = "$key=$val";
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   213
  }
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   214
  $req = implode('&', $req);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   215
  
27
647f0aa485dd Some modifications to support the YMS plugin
Dan
parents: 22
diff changeset
   216
  $sig = hmac_sha1($req, $use_api_key);
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   217
  $sig = hexdecode($sig);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   218
  $sig = base64_encode($sig);
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   219
  
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   220
  return $sig;
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   221
}
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   222
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   223
/**
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   224
 * Validate the timestamp returned in a Yubico API response. Borrowed from Drupal and backported for friendliness with earlier versions of PHP.
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   225
 * @param string Yubico timestamp
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   226
 * @return bool True if valid, false otherwise
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   227
 */
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   228
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   229
function yubikey_verify_timestamp($timestamp)
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   230
{
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   231
  $tolerance = intval(getConfig('yubikey_api_ts_tolerance', 150));
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   232
  
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   233
  $now = time();
21
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   234
  $timestamp_seconds = yk_strtotime($timestamp);
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   235
21
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   236
  if ( !$timestamp || !$now || !$timestamp_seconds )
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   237
  {
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   238
    return false;
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   239
  }
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   240
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   241
  if ( ( $timestamp_seconds + $tolerance ) > $now && ( $timestamp_seconds - $tolerance ) < $now )
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   242
  {
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   243
    return true;
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   244
  }
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   245
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   246
  return false;
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   247
}
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   248
21
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   249
function yk_strtotime($timestamp)
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   250
{
22
9b8688df52d5 Fixed no tolerance for missing Z in response timestamp
Dan
parents: 21
diff changeset
   251
  if ( !preg_match('/^([0-9]{4})-([0-9]{2})-([0-9]{2})T([0-9]{2}):([0-9]{2}):([0-9]{2})(?:Z[0-9]+)?$/', $timestamp, $match) )
21
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   252
    return 0;
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   253
  
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   254
  $hour = intval($match[4]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   255
  $minute = intval($match[5]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   256
  $second = intval($match[6]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   257
  $month = intval($match[2]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   258
  $day = intval($match[3]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   259
  $year = intval($match[1]);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   260
  
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   261
  return gmmktime($hour, $minute, $second, $month, $day, $year);
f34ecfa459ab Wrote my own Yubico-time-to-Unix-time conversion, as strtotime() was unreliable.
Dan
parents: 20
diff changeset
   262
}
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   263
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   264
$plugins->attachHook('compile_template', 'yubikey_attach_headers($this);');
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   265
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   266
function yubikey_attach_headers(&$template)
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   267
{
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   268
  global $db, $session, $paths, $template, $plugins; // Common objects
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   269
  
3
d0fe7acaf0e8 Maybe we could actually make yubikey_enable in config not ignored!
Dan
parents: 0
diff changeset
   270
  if ( getConfig('yubikey_enable', '1') != '1' )
d0fe7acaf0e8 Maybe we could actually make yubikey_enable in config not ignored!
Dan
parents: 0
diff changeset
   271
    return true;
d0fe7acaf0e8 Maybe we could actually make yubikey_enable in config not ignored!
Dan
parents: 0
diff changeset
   272
  
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   273
  $template->add_header('<script type="text/javascript" src="' . scriptPath . '/plugins/yubikey/yubikey.js"></script>');
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   274
  $template->add_header('<link rel="stylesheet" type="text/css" href="' . scriptPath . '/plugins/yubikey/yubikey.css" />');
9
65965da01c41 If yubikey_reg_require_otp is 1, opening login window now auto-opens Yubikey prompt
Dan
parents: 4
diff changeset
   275
  // config option for all users have yubikey
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   276
  $user_flags = 0;
18
dd8c53454f31 Yubikey flags are no longer fetched from server at login time, instead provided with load
Dan
parents: 16
diff changeset
   277
  $yk_enabled = 0;
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   278
  if ( $session->user_logged_in )
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   279
  {
20
5a359c7ebc48 Fixed "Mixing of GROUP columns (MIN(),MAX(),COUNT(),...) with no GROUP columns is illegal if there is no GROUP BY clause"
Dan
parents: 19
diff changeset
   280
    $q = $db->sql_query('SELECT COUNT(y.yubi_uid) > 0, u.user_yubikey_flags FROM ' . table_prefix . "yubikey AS y LEFT JOIN " . table_prefix . "users AS u ON ( u.user_id = y.user_id ) WHERE y.user_id = {$session->user_id} GROUP BY u.user_id, u.user_yubikey_flags;");
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   281
    if ( !$q )
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   282
      $db->_die();
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   283
    
18
dd8c53454f31 Yubikey flags are no longer fetched from server at login time, instead provided with load
Dan
parents: 16
diff changeset
   284
    list($yk_enabled, $user_flags) = $db->fetchrow_num();
10
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   285
    $db->free_result();
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   286
  }
748fa1b80031 Added timestamp-based verification.
Dan
parents: 9
diff changeset
   287
  
18
dd8c53454f31 Yubikey flags are no longer fetched from server at login time, instead provided with load
Dan
parents: 16
diff changeset
   288
  $template->add_header('<script type="text/javascript">var yk_reg_require_otp = ' . getConfig('yubikey_reg_require_otp', '0') . '; var yk_user_enabled = ' . $yk_enabled . '; var yk_user_flags = ' . $user_flags . ';</script>');
0
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   289
}
9d2c4f04a0d0 First commit! Hoping everything works.
Dan
parents:
diff changeset
   290