<?php
define('YK_SEC_NORMAL_USERNAME', 1);
define('YK_SEC_NORMAL_PASSWORD', 2);
define('YK_SEC_ELEV_USERNAME', 4);
define('YK_SEC_ELEV_PASSWORD', 8);
define('YK_SEC_ALLOW_NO_OTP', 16);
define('YK_DEFAULT_VERIFY_URL', 'http://api.yubico.com/wsapi/verify');
function generate_yubikey_field($name = 'yubikey_otp', $value = false)
{
global $lang;
$fid = substr(sha1(microtime() . mt_rand()), 0, 12);
$class = $value ? 'wasfull' : 'wasempty';
$html = '<input id="yubifield' . $fid . '" class="' . $class . '" type="hidden" name="' . $name . '" value="' . ( is_string($value) ? $value : '' ) . '" />';
$html .= '<noscript><input type="text" name="' . $name . '" class="yubikey_noscript" value="' . ( is_string($value) ? $value : '' ) . '" /> </noscript>';
if ( $value )
{
$html .= '<span id="yubistat' . $fid . '" class="yubikey_status enrolled">' . $lang->get('yubiauth_ctl_status_enrolled') . '</span>';
$atext = $lang->get('yubiauth_ctl_btn_change_key');
$classadd = ' abutton_green';
}
else
{
$html .= '<span id="yubistat' . $fid . '" class="yubikey_status empty">' . $lang->get('yubiauth_ctl_status_empty') . '</span>';
$atext = $lang->get('yubiauth_ctl_btn_enroll');
$classadd = '';
}
$html .= ' <span class="yubikey_pubkey">';
if ( !empty($value) )
$html .= htmlspecialchars(substr($value, 0, 12));
$html .= '</span> ';
$html .= ' <a class="abutton' . $classadd . ' yubikey_enroll" onclick="yk_mb_init(\'yubifield' . $fid . '\', \'yubistat' . $fid . '\'); return false;" href="#enroll">' . $atext . '</a>';
if ( $value )
{
$html .= ' <a class="abutton abutton_red yubikey_enroll" onclick="yk_clear(\'yubifield' . $fid . '\', \'yubistat' . $fid . '\'); return false;" href="#enroll">'
. $lang->get('yubiauth_ctl_btn_clear') .
'</a>';
}
return $html;
}
function yubikey_validate_otp($otp)
{
$api_key = getConfig('yubikey_api_key');
$api_id = getConfig('yubikey_api_key_id');
// Don't require an API key or user ID to be installed if we're using local YMS
if ( !(getConfig('yubikey_use_local_yms', 0) && defined('YMS_INSTALLED')) && (!$api_key || !$api_id) )
{
return array(
'success' => false,
'error' => 'missing_api_key'
);
}
if ( !preg_match('/^[cbdefghijklnrtuv]{44}$/', $otp) )
{
return array(
'success' => false,
'error' => 'otp_invalid_chars'
);
}
// are we using local YMS?
if ( getConfig('yubikey_use_local_yms', 0) && defined('YMS_INSTALLED') )
{
$result = yms_validate_otp($otp, $api_id);
if ( $result == 'OK' )
{
return array(
'success' => true
);
}
else
{
return array(
'success' => false,
'error' => strtolower("response_{$result}")
);
}
}
// make HTTP request
require_once( ENANO_ROOT . '/includes/http.php' );
$auth_url = getConfig('yubikey_auth_server', YK_DEFAULT_VERIFY_URL);
$auth_url = preg_replace('#^https?://#i', '', $auth_url);
if ( !preg_match('#^(\[?[a-z0-9-:]+(?:\.[a-z0-9-:]+\]?)*)(?::([0-9]+))?(/.*)$#U', $auth_url, $match) )
{
return array(
'success' => false,
'error' => 'invalid_auth_url'
);
}
$auth_server =& $match[1];
$auth_port = ( !empty($match[2]) ) ? intval($match[2]) : 80;
$auth_uri =& $match[3];
try
{
$req = new Request_HTTP($auth_server, $auth_uri, 'GET', $auth_port);
$req->add_get('id', strval($api_id));
$req->add_get('otp', $otp);
$req->add_get('h', yubikey_sign($req->parms_get));
$response = $req->get_response_body();
}
catch ( Exception $e )
{
return array(
'success' => false,
'error' => 'http_failed',
'http_error' => $e->getMessage()
);
}
if ( $req->response_code != HTTP_OK )
{
return array(
'success' => false,
'error' => 'http_response_error'
);
}
$response = trim($response);
if ( !preg_match_all('/^([a-z0-9_]+)=(.*?)\r?$/m', $response, $matches) )
{
return array(
'success' => false,
'error' => 'malformed_response'
);
}
$response = array();
foreach ( $matches[0] as $i => $_ )
{
$response[$matches[1][$i]] = $matches[2][$i];
}
// make sure we have a status
if ( !isset($response['status']) )
{
return array(
'success' => false,
'error' => 'response_missing_status'
);
}
// verify response signature
// MISSING_PARAMETER is the ONLY situation under which an unsigned response is acceptable
if ( $response['status'] !== 'MISSING_PARAMETER' )
{
if ( !isset($response['h']) )
{
return array(
'success' => false,
'error' => 'response_missing_sig'
);
}
if ( yubikey_sign($response) !== $response['h'] )
{
return array(
'success' => false,
'error' => 'response_invalid_sig'
);
}
}
if ( $response['status'] === 'OK' )
{
if ( yubikey_verify_timestamp($response['t']) )
{
return array(
'success' => true
);
}
else
{
return array(
'success' => false,
'error' => 'timestamp_check_failed'
);
}
}
else
{
return array(
'success' => false,
'error' => strtolower("response_{$response['status']}")
);
}
}
function yubikey_sign($arr, $use_api_key = false)
{
static $api_key = false;
ksort($arr);
if ( !$use_api_key )
{
if ( !$api_key )
{
$api_key = getConfig('yubikey_api_key');
$api_key = hexencode(base64_decode($api_key), '', '');
}
$use_api_key = $api_key;
}
/*
else
{
$use_api_key = hexencode(base64_decode($use_api_key), '', '');
}
*/
foreach ( array('h', 'title', 'auth', 'do') as $key )
{
if ( isset($arr[$key]) )
unset($arr[$key]);
}
$req = array();
foreach ( $arr as $key => $val )
{
$req[] = "$key=$val";
}
$req = implode('&', $req);
$sig = hmac_sha1($req, $use_api_key);
$sig = hexdecode($sig);
$sig = base64_encode($sig);
return $sig;
}
/**
* Validate the timestamp returned in a Yubico API response. Borrowed from Drupal and backported for friendliness with earlier versions of PHP.
* @param string Yubico timestamp
* @return bool True if valid, false otherwise
*/
function yubikey_verify_timestamp($timestamp)
{
$tolerance = intval(getConfig('yubikey_api_ts_tolerance', 150));
$now = time();
$timestamp_seconds = yk_strtotime($timestamp);
if ( !$timestamp || !$now || !$timestamp_seconds )
{
return false;
}
if ( ( $timestamp_seconds + $tolerance ) > $now && ( $timestamp_seconds - $tolerance ) < $now )
{
return true;
}
return false;
}
function yk_strtotime($timestamp)
{
if ( !preg_match('/^([0-9]{4})-([0-9]{2})-([0-9]{2})T([0-9]{2}):([0-9]{2}):([0-9]{2})(?:Z[0-9]+)?$/', $timestamp, $match) )
return 0;
$hour = intval($match[4]);
$minute = intval($match[5]);
$second = intval($match[6]);
$month = intval($match[2]);
$day = intval($match[3]);
$year = intval($match[1]);
return gmmktime($hour, $minute, $second, $month, $day, $year);
}
$plugins->attachHook('compile_template', 'yubikey_attach_headers($this);');
function yubikey_attach_headers(&$template)
{
global $db, $session, $paths, $template, $plugins; // Common objects
if ( getConfig('yubikey_enable', '1') != '1' )
return true;
$template->add_header('<script type="text/javascript" src="' . scriptPath . '/plugins/yubikey/yubikey.js"></script>');
$template->add_header('<link rel="stylesheet" type="text/css" href="' . scriptPath . '/plugins/yubikey/yubikey.css" />');
// config option for all users have yubikey
$user_flags = 0;
$yk_enabled = 0;
if ( $session->user_logged_in )
{
$q = $db->sql_query('SELECT COUNT(y.yubi_uid) > 0, u.user_yubikey_flags FROM ' . table_prefix . "yubikey AS y LEFT JOIN " . table_prefix . "users AS u ON ( u.user_id = y.user_id ) WHERE y.user_id = {$session->user_id} GROUP BY u.user_id, u.user_yubikey_flags;");
if ( !$q )
$db->_die();
list($yk_enabled, $user_flags) = $db->fetchrow_num();
$db->free_result();
}
$yk_enabled = intval($yk_enabled);
$user_flags = intval($user_flags);
$template->add_header('<script type="text/javascript">var yk_reg_require_otp = ' . getConfig('yubikey_reg_require_otp', '0') . '; var yk_user_enabled = ' . $yk_enabled . '; var yk_user_flags = ' . $user_flags . ';</script>');
}