author | Dan Fuhry <dan@enanocms.org> |
Fri, 11 Nov 2011 00:33:28 -0500 | |
changeset 38 | d109af008343 |
parent 37 | 5e946a3f405b |
permissions | -rw-r--r-- |
0 | 1 |
<?php |
2 |
||
3
d0fe7acaf0e8
Maybe we could actually make yubikey_enable in config not ignored!
Dan
parents:
2
diff
changeset
|
3 |
if ( getConfig('yubikey_enable', '1') != '1' ) |
37 | 4 |
return true; |
3
d0fe7acaf0e8
Maybe we could actually make yubikey_enable in config not ignored!
Dan
parents:
2
diff
changeset
|
5 |
|
0 | 6 |
// hook into auth |
7 |
$plugins->attachHook('login_process_userdata_json', 'return yubikey_auth_hook_json($userinfo, $req["level"], @$req["remember"]);'); |
|
8 |
// hook into special page init |
|
9 |
$plugins->attachHook('session_started', 'yubikey_add_special_pages();'); |
|
32 | 10 |
// session key security |
11 |
$plugins->attachHook('session_key_calc', 'yubikey_sk_calc($user_id, $key_pieces, $sk_mode);'); |
|
0 | 12 |
|
13 |
function yubikey_auth_hook_json(&$userdata, $level, $remember) |
|
14 |
{ |
|
37 | 15 |
global $db, $session, $paths, $template, $plugins; // Common objects |
16 |
global $lang; |
|
17 |
||
18 |
$do_validate_otp = false; |
|
19 |
$do_validate_user = false; |
|
20 |
$do_validate_pass = false; |
|
21 |
||
22 |
$user_flag = ( $level >= USER_LEVEL_CHPREF ) ? YK_SEC_ELEV_USERNAME : YK_SEC_NORMAL_USERNAME; |
|
23 |
$pass_flag = ( $level >= USER_LEVEL_CHPREF ) ? YK_SEC_ELEV_PASSWORD : YK_SEC_NORMAL_PASSWORD; |
|
24 |
||
25 |
$auth_log_prefix = ( $level >= USER_LEVEL_CHPREF ) ? 'admin_' : ''; |
|
26 |
||
27 |
// Sort of a hack: if the password looks like an OTP and the OTP field is empty, use the password as the OTP |
|
28 |
if ( empty($userdata['yubikey_otp']) && preg_match('/^[cbdefghijklnrtuv]{44}$/', $userdata['password'] ) ) |
|
29 |
{ |
|
30 |
$userdata['yubikey_otp'] = $userdata['password']; |
|
31 |
} |
|
32 |
||
33 |
// Lockouts removed from here - they're done during preprocessing now. |
|
34 |
||
35 |
if ( !empty($userdata['username']) ) |
|
36 |
{ |
|
37 |
// get flags |
|
38 |
$q = $db->sql_query('SELECT user_id, user_yubikey_flags FROM ' . table_prefix . "users WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '" . $db->escape(strtolower($userdata['username'])) . "';"); |
|
39 |
if ( !$q ) |
|
40 |
$db->die_json(); |
|
41 |
||
42 |
if ( $db->numrows() < 1 ) |
|
43 |
{ |
|
44 |
// Username not found - let the main login function handle it |
|
45 |
$db->free_result(); |
|
46 |
return null; |
|
47 |
} |
|
48 |
list($user_id, $flags) = $db->fetchrow_num(); |
|
49 |
$flags = intval($flags); |
|
50 |
// At the point the username is validated. |
|
51 |
$do_validate_user = false; |
|
52 |
$do_validate_pass = $flags & $pass_flag; |
|
53 |
if ( empty($userdata['yubikey_otp']) ) |
|
54 |
{ |
|
55 |
// no OTP was provided |
|
56 |
// make sure the user has allowed logging in with no OTP |
|
57 |
if ( !($flags & YK_SEC_ALLOW_NO_OTP) ) |
|
58 |
{ |
|
59 |
// We also might have no Yubikeys enrolled. |
|
60 |
$q = $db->sql_query('SELECT 1 FROM ' . table_prefix . "yubikey WHERE user_id = $user_id;"); |
|
61 |
if ( !$q ) |
|
62 |
$db->die_json(); |
|
63 |
||
64 |
if ( $db->numrows() > 0 ) |
|
65 |
{ |
|
66 |
// Yep at least one key is enrolled. |
|
67 |
// I don't think these should be logged because they'll usually just be innocent mistakes. |
|
68 |
$db->free_result(); |
|
69 |
return array( |
|
70 |
'mode' => 'error', |
|
71 |
'error' => 'yubiauth_err_must_have_otp' |
|
72 |
); |
|
73 |
} |
|
74 |
// Nope, no keys enrolled, user hasn't enabled Yubikey support |
|
75 |
$db->free_result(); |
|
76 |
} |
|
77 |
// we're ok, use normal password auth |
|
78 |
return null; |
|
79 |
} |
|
80 |
else |
|
81 |
{ |
|
82 |
// user did enter an OTP; make sure it's associated with the username |
|
83 |
$yubi_uid = $db->escape(substr($userdata['yubikey_otp'], 0, 12)); |
|
38
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
84 |
$q = $db->sql_query('SELECT user_id FROM ' . table_prefix . 'yubikey WHERE yubi_uid = \'' . $yubi_uid . '\';'); |
37 | 85 |
if ( !$q ) |
86 |
$db->die_json(); |
|
87 |
if ( $db->numrows() < 1 ) |
|
88 |
{ |
|
89 |
$db->free_result(); |
|
90 |
return array( |
|
91 |
'mode' => 'error', |
|
92 |
'error' => 'yubiauth_err_key_not_authorized' |
|
93 |
); |
|
94 |
} |
|
38
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
95 |
list($yubi_pair_uid) = $db->fetchrow_num(); |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
96 |
if ( $yubi_pair_uid !== $user_id ) |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
97 |
{ |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
98 |
return array( |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
99 |
'mode' => 'error', |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
100 |
'error' => 'yubiauth_err_uid_mismatch' |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
101 |
); |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
102 |
} |
37 | 103 |
$db->free_result(); |
104 |
$do_validate_otp = true; |
|
105 |
} |
|
106 |
} |
|
107 |
else if ( !empty($userdata['yubikey_otp']) ) |
|
108 |
{ |
|
109 |
// we have an OTP, but no username to work with |
|
110 |
$yubi_uid = substr($userdata['yubikey_otp'], 0, 12); |
|
111 |
if ( !preg_match('/^[cbdefghijklnrtuv]{12}$/', $yubi_uid ) ) |
|
112 |
{ |
|
113 |
return array( |
|
114 |
'mode' => 'error', |
|
115 |
'error' => 'yubiauth_err_invalid_otp' |
|
116 |
); |
|
117 |
} |
|
118 |
$q = $db->sql_query('SELECT u.user_id, u.username, u.user_yubikey_flags FROM ' . table_prefix . "users AS u\n" |
|
119 |
. " LEFT JOIN " . table_prefix . "yubikey AS y\n" |
|
120 |
. " ON ( y.user_id = u.user_id )\n" |
|
121 |
. " WHERE y.yubi_uid = '$yubi_uid'\n" |
|
122 |
. " GROUP BY u.user_yubikey_flags;"); |
|
123 |
if ( !$q ) |
|
124 |
$db->_die(); |
|
125 |
||
126 |
if ( $db->numrows() < 1 ) |
|
127 |
{ |
|
128 |
if ( !$do_validate_pass ) |
|
129 |
$session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n" |
|
130 |
. ' (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \'DEPRECATED\', \'(Yubikey)\', ' |
|
131 |
. '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
|
132 |
||
133 |
return array( |
|
134 |
'mode' => 'error', |
|
135 |
'error' => 'yubiauth_err_key_not_authorized' |
|
136 |
); |
|
137 |
} |
|
138 |
||
139 |
list($user_id, $username, $flags) = $db->fetchrow_num(); |
|
38
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
140 |
|
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
141 |
if ( $level > USER_LEVEL_MEMBER ) |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
142 |
{ |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
143 |
$session->start(); |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
144 |
if ( $session->user_logged_in && ($session->user_id !== $user_id) ) |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
145 |
{ |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
146 |
return array( |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
147 |
'mode' => 'error', |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
148 |
'error' => 'yubiauth_err_uid_mismatch' |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
149 |
); |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
150 |
} |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
151 |
} |
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
152 |
|
37 | 153 |
$do_validate_otp = true; |
154 |
$do_validate_user = $flags & $user_flag; |
|
155 |
$do_validate_pass = $flags & $pass_flag; |
|
156 |
// to complete security logs later |
|
157 |
$userdata['username'] = $username; |
|
158 |
} |
|
159 |
else |
|
160 |
{ |
|
161 |
// Nothing - no username or OTP. This request can't be used; throw it out. |
|
162 |
return array( |
|
163 |
'mode' => 'error', |
|
164 |
'error' => 'yubiauth_err_nothing_provided' |
|
165 |
); |
|
166 |
} |
|
38
d109af008343
SECURITY: Fixed ability to log into an account with someone else's Yubikey...
Dan Fuhry <dan@enanocms.org>
parents:
37
diff
changeset
|
167 |
|
37 | 168 |
if ( $do_validate_otp ) |
169 |
{ |
|
170 |
// We need to validate the OTP. |
|
171 |
$otp_check = yubikey_validate_otp($userdata['yubikey_otp']); |
|
172 |
if ( !$otp_check['success'] ) |
|
173 |
{ |
|
174 |
if ( !$do_validate_pass ) |
|
175 |
$session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n" |
|
176 |
. ' (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \'DEPRECATED\', \'(Yubikey)\', ' |
|
177 |
. '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
|
178 |
||
179 |
if ( $otp_check['error'] === 'http_failed' ) |
|
180 |
{ |
|
181 |
return array( |
|
182 |
'mode' => 'error', |
|
183 |
'error' => 'yubiauth_err_' . $otp_check['error'], |
|
184 |
'http_error' => $otp_check['http_error'] |
|
185 |
); |
|
186 |
} |
|
187 |
return array( |
|
188 |
'mode' => 'error', |
|
189 |
'error' => 'yubiauth_err_' . $otp_check['error'] |
|
190 |
); |
|
191 |
} |
|
192 |
} |
|
193 |
if ( $do_validate_user ) |
|
194 |
{ |
|
195 |
if ( empty($username) ) |
|
196 |
{ |
|
197 |
return array( |
|
198 |
'mode' => 'error', |
|
199 |
'error' => 'yubiauth_err_must_have_username' |
|
200 |
); |
|
201 |
} |
|
202 |
if ( strtolower($username) !== strtolower($userdata['username']) ) |
|
203 |
{ |
|
204 |
// Username incorrect |
|
205 |
if ( !$do_validate_pass ) |
|
206 |
$session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n" |
|
207 |
. ' (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \'DEPRECATED\', \'(Yubikey)\', ' |
|
208 |
. '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
|
209 |
return array( |
|
210 |
'mode' => 'error', |
|
211 |
'error' => 'invalid_credentials' |
|
212 |
); |
|
213 |
} |
|
214 |
} |
|
215 |
// Do we need to have the password validated? |
|
216 |
if ( $do_validate_pass ) |
|
217 |
{ |
|
218 |
if ( empty($userdata['password']) ) |
|
219 |
{ |
|
220 |
return array( |
|
221 |
'mode' => 'error', |
|
222 |
'error' => 'yubiauth_err_must_have_password' |
|
223 |
); |
|
224 |
} |
|
225 |
// Yes; return and let the login API continue |
|
226 |
return null; |
|
227 |
} |
|
228 |
else |
|
229 |
{ |
|
230 |
// No password required; validated, issue session key |
|
231 |
$session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n" |
|
232 |
. ' (\'security\', \'' . $auth_log_prefix . 'auth_good\', '.time().', \'DEPRECATED\', \'' . $db->escape($userdata['username']) . '\', ' |
|
233 |
. '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
|
234 |
||
235 |
$q = $db->sql_query('SELECT password FROM ' . table_prefix . "users WHERE user_id = $user_id;"); |
|
236 |
if ( !$q ) |
|
237 |
$db->_die(); |
|
238 |
||
239 |
list($password) = $db->fetchrow_num(); |
|
240 |
$db->free_result(); |
|
241 |
||
242 |
$session->register_session($user_id, $userdata['username'], $password, intval($level), $remember); |
|
243 |
return true; |
|
244 |
} |
|
0 | 245 |
} |
246 |
||
247 |
function yubikey_add_special_pages() |
|
248 |
{ |
|
37 | 249 |
global $db, $session, $paths, $template, $plugins; // Common objects |
250 |
global $lang; |
|
251 |
||
252 |
if ( getConfig('yubikey_enable', '1') != '1' ) |
|
253 |
return true; |
|
254 |
||
255 |
$paths->add_page(array( |
|
256 |
'name' => $lang->get('yubiauth_specialpage_yubikey'), |
|
257 |
'urlname' => 'Yubikey', |
|
258 |
'namespace' => 'Special', |
|
259 |
'visible' => 0, 'protected' => 0, 'comments_on' => 0, 'special' => 0 |
|
260 |
)); |
|
0 | 261 |
} |
262 |
||
32 | 263 |
function yubikey_sk_calc($user_id, &$key_pieces, &$sk_mode) |
264 |
{ |
|
37 | 265 |
global $db, $session, $paths, $template, $plugins; // Common objects |
266 |
// hash the user's yubikeys |
|
267 |
$q = $db->sql_query('SELECT yubi_uid FROM ' . table_prefix . "yubikey WHERE user_id = $user_id;"); |
|
268 |
if ( !$q ) |
|
269 |
$db->_die(); |
|
270 |
||
271 |
while ( $row = $db->fetchrow() ) |
|
272 |
{ |
|
273 |
$key_pieces[] = $row['yubi_uid']; |
|
274 |
} |
|
32 | 275 |
} |
276 |
||
0 | 277 |
function page_Special_Yubikey() |
278 |
{ |
|
37 | 279 |
global $db, $session, $paths, $template, $plugins; // Common objects |
280 |
||
281 |
header('Content-type: text/javascript'); |
|
282 |
/* |
|
283 |
if ( isset($_GET['validate_otp']) ) |
|
284 |
{ |
|
285 |
echo enano_json_encode(yubikey_validate_otp($_GET['validate_otp'])); |
|
286 |
return true; |
|
287 |
} |
|
288 |
*/ |
|
289 |
if ( isset($_GET['get_flags']) || isset($_POST['get_flags']) ) |
|
290 |
{ |
|
291 |
$yubi_uid = substr($_REQUEST['get_flags'], 0, 12); |
|
292 |
if ( !preg_match('/^[cbdefghijklnrtuv]{12}$/', $yubi_uid) ) |
|
293 |
{ |
|
294 |
return print enano_json_encode(array( |
|
295 |
'mode' => 'error', |
|
296 |
'error' => 'invalid_otp' |
|
297 |
)); |
|
298 |
} |
|
299 |
$q = $db->sql_query('SELECT u.user_yubikey_flags FROM ' . table_prefix . "users AS u\n" |
|
300 |
. " LEFT JOIN " . table_prefix . "yubikey AS y\n" |
|
301 |
. " ON ( y.user_id = u.user_id )\n" |
|
302 |
. " WHERE y.yubi_uid = '$yubi_uid'\n" |
|
303 |
. " GROUP BY u.user_yubikey_flags;"); |
|
304 |
if ( !$q ) |
|
305 |
$db->_die(); |
|
306 |
||
307 |
if ( $db->numrows() < 1 ) |
|
308 |
{ |
|
309 |
return print enano_json_encode(array( |
|
310 |
'mode' => 'error', |
|
311 |
'error' => 'key_not_authorized' |
|
312 |
)); |
|
313 |
} |
|
314 |
||
315 |
list($flags) = $db->fetchrow_num(); |
|
316 |
||
317 |
echo enano_json_encode(array( |
|
318 |
// We strip YK_SEC_ALLOW_NO_OTP here for security reasons. |
|
319 |
'flags' => intval($flags & ~YK_SEC_ALLOW_NO_OTP) |
|
320 |
)); |
|
321 |
||
322 |
return true; |
|
323 |
} |
|
0 | 324 |
} |
325 |