# HG changeset patch # User Dan # Date 1249098668 14400 # Node ID 9997bee9ad03bd277224543d67e466670c381c04 First commit. Lacks key deletion support and an admin CP for controlling options. diff -r 000000000000 -r 9997bee9ad03 YubikeyManagement.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/YubikeyManagement.php Fri Jul 31 23:51:08 2009 -0400 @@ -0,0 +1,192 @@ +attachHook('session_started', 'yms_add_special_pages();'); + +function yms_add_special_pages() +{ + global $lang; + + register_special_page('YMS', 'yms_specialpage_yms'); + register_special_page('YMSCreateClient', 'yms_specialpage_register'); + register_special_page('YubikeyValidate', 'yms_specialpage_validate'); +} + +define('YMS_DISABLED', 0); +define('YMS_ENABLED', 1); +define('YMS_ANY_CLIENT', 2); + +define('YMS_INSTALLED', 1); + +require(ENANO_ROOT . '/plugins/yms/yms.php'); +require(ENANO_ROOT . '/plugins/yms/libotp.php'); +require(ENANO_ROOT . '/plugins/yms/transcode.php'); +require(ENANO_ROOT . '/plugins/yms/backend.php'); +require(ENANO_ROOT . '/plugins/yms/validate.php'); +require(ENANO_ROOT . '/plugins/yms/validate-functions.php'); + +/**!language** + +The following text up to the closing comment tag is JSON language data. +It is not PHP code but your editor or IDE may highlight it as such. This +data is imported when the plugin is loaded for the first time; it provides +the strings displayed by this plugin's interface. + +You should copy and paste this block when you create your own plugins so +that these comments and the basic structure of the language data is +preserved. All language data is in the same format as the Enano core +language files in the /language/* directories. See the Enano Localization +Guide and Enano API Documentation for further information on the format of +language files. + +The exception in plugin language file format is that multiple languages +may be specified in the language block. This should be done by way of making +the top-level elements each a JSON language object, with elements named +according to the ISO-639-1 language they are representing. The path should be: + + root => language ID => categories array, ( strings object => category \ + objects => strings ) + +All text leading up to first curly brace is stripped by the parser; using +a code tag makes jEdit and other editors do automatic indentation and +syntax highlighting on the language data. The use of the code tag is not +necessary; it is only included as a tool for development. + + +{ + // english + eng: { + categories: [ 'meta', 'yms' ], + strings: { + meta: { + yms: 'Yubikey management system' + }, + yms: { + specialpage_yms: 'Yubikey manager', + specialpage_register: 'Register YMS client', + specialpage_validate: 'Yubikey validation API', + err_yubikey_plugin_missing_title: 'Yubikey plugin not found', + err_yubikey_plugin_missing_body: 'The Yubikey YMS cannot load because the Enano Yubikey authentication plugin is not installed. Please ask your administrator to install it.', + err_client_exists_title: 'Client already exists', + err_client_exists_body: 'You cannot register another YMS client using this same user account.', + register_confirm_title: 'Enable your account for Yubikey authentication', + register_confirm_body: 'As a Yubikey authentication client, you gain the ability to manage multiple Yubikeys and tie them to your own organization. It also lets you retrieve secret AES keys for tokens, register new or reprogrammed keys, validate Yubikey OTPs using your own API key, and deactivate keys in case of a compromise. Do you want to enable your account for Yubikey management?', + register_btn_submit: 'Create YMS client', + + register_msg_success_title: 'Congratulations! Your account is now enabled for YMS access.', + register_msg_success_body: '

You can now go to the YMS admin panel and add your Yubikeys. Your client ID and API key are below:

+

Client ID: %client_id%
+ API key: %api_key%
+ Validation API URL: %validate_url%

+

Remember to secure your user account! Your Enano login is used to administer your YMS account. For maximum security, use the Yubikey Settings page of the User Control Panel to require both a password and a Yubikey OTP to log in.

', + msg_no_yubikeys: 'No Yubikeys found', + btn_add_key: 'Add Yubikey', + btn_add_key_preregistered: 'Claim a New Key', + state_active: 'Active', + state_inactive: 'Inactive', + + th_id: 'ID#', + th_publicid: 'OTP prefix', + th_createtime: 'Created', + th_accesstime: 'Last accessed', + th_state: 'Lifecycle state', + th_note: 'Note', + + msg_access_never: 'Never', + + // Add key interface + lbl_addkey_heading: 'Register Yubikey', + lbl_addkey_desc: 'Register a Yubikey that you programmed yourself in YMS to enable validation of OTPs from that key against this server.', + lbl_addkey_field_secret: 'AES secret key:', + lbl_addkey_field_secret_hint: 'Input in ModHex, hex, or base-64. The format will be detected automatically.', + lbl_addkey_field_otp: 'Enter an OTP from this Yubikey:', + lbl_addkey_field_notes: 'Notes about this key:', + lbl_addkey_field_state: 'Lifecycle state:', + lbl_addkey_field_any_client_name: 'Allow validation by any client:', + lbl_addkey_field_any_client_hint: 'If unchecked, OTPs from this Yubikey can only be verified by someone using your client ID. Check this if you plan to use this Yubikey on websites you don\'t control.', + lbl_addkey_field_any_client: 'Other clients can validate OTPs from this key', + btn_addkey_submit: 'Register key', + msg_addkey_success: 'This key has been successfully registered.', + + err_addkey_crc_failed: 'The CRC check on the OTP failed. This usually means that your AES key is wrong or could not be properly interpreted.', + err_addkey_invalid_key: 'There was an error decoding your AES secret key. Please enter a 128-bit hex, ModHex, or base-64 value.', + err_addkey_invalid_otp: 'The OTP from the Yubikey is invalid.', + err_addkey_key_exists: 'This Yubikey is already registered on this server.', + + // Claim key interface + lbl_claimkey_heading: 'Claim Yubikey', + lbl_claimkey_desc: 'Attach a key you have not reprogrammed to your YMS account, so that you can see its AES secret key and keep track of it.', + lbl_claimkey_field_otp: 'Enter an OTP from this Yubikey:', + lbl_custom_hint: 'For your security, this is used to validate your ownership of this Yubikey.', + + // AES key view interface + showaes_th: 'AES secret key for key %public_id%', + showaes_lbl_hex: 'Hex:', + showaes_lbl_modhex: 'ModHex:', + showaes_lbl_base64: 'Base64:', + + // API key view interface + th_client_id: 'Client ID', + lbl_client_id: 'Client ID:', + th_api_key: 'API key', + + // Binary format converter + th_converted_value: 'Converted value', + conv_err_invalid_string: 'The string was invalid or you entered did not match the format you selected.', + th_converter: 'Convert binary formats', + conv_lbl_value: 'Value to convert:', + conv_lbl_format: 'Current encoding:', + conv_lbl_format_auto: 'Auto-detect', + conv_lbl_format_hex: 'Hexadecimal', + conv_lbl_format_modhex: 'ModHex', + conv_lbl_format_base64: 'Base-64', + conv_btn_submit: 'Convert', + + // Key list + btn_note_view: 'View or edit note', + btn_note_create: 'No note; click to create', + btn_show_aes: 'Show AES secret', + btn_show_converter: 'Binary encoding converter', + btn_show_client_info: 'View client info' + } + } + } +} + +**!*/ + +/**!install dbms="mysql"; ** + +CREATE TABLE {{TABLE_PREFIX}}yms_clients( + id int(12) NOT NULL DEFAULT 0, + apikey varchar(40) NOT NULL, + PRIMARY KEY ( id ) +); + +CREATE TABLE {{TABLE_PREFIX}}yms_yubikeys( + id int(12) NOT NULL auto_increment, + client_id int(12) NOT NULL DEFAULT 0, + public_id varchar(12) NOT NULL DEFAULT '000000000000', + private_id varchar(12) NOT NULL DEFAULT '000000000000', + session_count int(8) NOT NULL DEFAULT 0, + token_count int(8) NOT NULL DEFAULT 0, + create_time int(12) NOT NULL DEFAULT 0, + access_time int(12) NOT NULL DEFAULT 0, + token_time int(12) NOT NULL DEFAULT 0, + aes_secret varchar(40) NOT NULL DEFAULT '00000000000000000000000000000000', + flags int(8) NOT NULL DEFAULT 1, + notes text, + PRIMARY KEY (id) +); + +**!*/ + diff -r 000000000000 -r 9997bee9ad03 yms/backend.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/yms/backend.php Fri Jul 31 23:51:08 2009 -0400 @@ -0,0 +1,325 @@ +user_id; + + $key = yms_tobinary($key); + $otp = yms_tobinary($otp); + + if ( strlen($key) != 16 ) + { + return 'yms_err_addkey_invalid_key'; + } + + if ( strlen($otp) != 22 ) + { + return 'yms_err_addkey_invalid_otp'; + } + + $otpdata = yms_decode_otp($otp, $key); + if ( $otpdata === false ) + { + return 'yms_err_addkey_invalid_otp'; + } + if ( !$otpdata['crc_good'] ) + { + return 'yms_err_addkey_crc_failed'; + } + + // make sure it's not already in there + $q = $db->sql_query('SELECT 1 FROM ' . table_prefix . "yms_yubikeys WHERE public_id = '{$otpdata['publicid']}';"); + if ( !$q ) + $db->_die(); + + if ( $db->numrows() > 0 ) + { + $db->free_result(); + return 'yms_err_addkey_key_exists'; + } + $db->free_result(); + + $now = time(); + $key = yms_hex_encode($key); + + $flags = 0; + if ( $enabled ) + $flags |= YMS_ENABLED; + if ( $any_client ) + $flags |= YMS_ANY_CLIENT; + + $notes = $notes ? $db->escape(strval($notes)) : ''; + + $q = $db->sql_query("INSERT INTO " . table_prefix . "yms_yubikeys(client_id, public_id, private_id, session_count, token_count, create_time, access_time, token_time, aes_secret, flags, notes) VALUES\n" + . " ($client_id, '{$otpdata['publicid']}', '{$otpdata['privateid']}', {$otpdata['session']}, {$otpdata['count']}, $now, $now, {$otpdata['timestamp']}, '$key', $flags, '$notes');"); + if ( !$q ) + $db->_die(); + + return true; +} + +function yms_chown_yubikey($otp, $client_id = false, $enabled = true, $any_client = false, $notes = false) +{ + global $db, $session, $paths, $template, $plugins; // Common objects + + if ( $client_id === false ) + $client_id = $session->user_id; + + $otp = yms_tobinary($otp); + + if ( strlen($otp) != 22 ) + { + return 'yms_err_addkey_invalid_otp'; + } + + $public_id = yms_hex_encode(substr($otp, 0, 6)); + + // make sure it's already in there + $q = $db->sql_query('SELECT id FROM ' . table_prefix . "yms_yubikeys WHERE public_id = '{$public_id}' AND client_id = 0;"); + if ( !$q ) + $db->_die(); + + if ( $db->numrows() < 1 ) + { + // this should never happen, as the OTP is put through validation before this function is called + $db->free_result(); + return 'yms_err_claimkey_owner_invalid'; + } + + list($key_id) = $db->fetchrow_num(); + $db->free_result(); + + $now = time(); + + $flags = 0; + if ( $enabled ) + $flags |= YMS_ENABLED; + if ( $any_client ) + $flags |= YMS_ANY_CLIENT; + + $notes = $notes ? $db->escape(strval($notes)) : ''; + + $q = $db->sql_query("UPDATE " . table_prefix . "yms_yubikeys SET flags = $flags, notes = '$notes', client_id = $client_id WHERE id = $key_id;"); + if ( !$q ) + $db->_die(); + + return true; +} + +function yms_validate_custom_field($value, $otp, $url) +{ + require_once(ENANO_ROOT . '/includes/http.php'); + $url = strtr($url, array( + '%c' => rawurlencode($value), + '%o' => rawurlencode($otp) + )); + // do we need to sign this? + if ( strstr($url, '%h') && ($key = getConfig('yms_claim_auth_key', false)) ) + { + list(, $signpart) = explode('?', $url); + $signpart = preg_replace('/(&h=%h|^h=%h&)/', '', $signpart); + $signpart = yms_ksort_url($signpart); + + $key = yms_tobinary($key); + $key = yms_hex_encode($key); + $hash = hmac_sha1($signpart, $key); + $hash = yms_hex_decode($hash); + $hash = base64_encode($hash); + + $url = str_replace('%h', rawurlencode($hash), $url); + } + + // run authentication + $result = yms_get_url($url); + $result = yms_parse_auth_result($result, $key); + + if ( !$result['sig_valid'] ) + return 'yubiauth_err_response_bad_signature'; + + if ( $result['status'] !== 'OK' ) + { + if ( preg_match('/^[A-Z_]+$/', $result['status']) ) + return 'yubiauth_err_response_' . strtolower($result['status']); + else + return $result['status']; + } + + // authentication is ok + return true; +} + +function yms_get_url($url) +{ + require_once(ENANO_ROOT . '/includes/http.php'); + + $url = preg_replace('#^https?://#i', '', $url); + if ( !preg_match('#^(\[?[a-z0-9-:]+(?:\.[a-z0-9-:]+\]?)*)(?::([0-9]+))?(/.*)$#U', $url, $match) ) + { + return 'invalid_auth_url'; + } + $server =& $match[1]; + $port = ( !empty($match[2]) ) ? intval($match[2]) : 80; + $uri =& $match[3]; + try + { + $req = new Request_HTTP($server, $uri, 'GET', $port); + $response = $req->get_response_body(); + } + catch ( Exception $e ) + { + return 'http_failed:' . $e->getMessage(); + } + + if ( $req->response_code !== HTTP_OK ) + return 'http_failed_status:' . $req->response_code; + + return $response; +} + +function yms_parse_auth_result($result, $api_key = false) +{ + $result = explode("\n", trim($result)); + $arr = array(); + foreach ( $result as $line ) + { + list($name) = explode('=', $line); + $value = substr($line, strlen($name) + 1); + $arr[$name] = $value; + } + // signature check + if ( $api_key ) + { + $signarr = $arr; + ksort($signarr); + unset($signarr['h']); + $signpart = array(); + foreach ( $signarr as $name => $value ) + $signpart[] = "{$name}={$value}"; + + $signpart = implode('&', $signpart); + $api_key = yms_hex_encode(yms_tobinary($api_key)); + $right_sig = base64_encode(yms_hex_decode( + hmac_sha1($signpart, $api_key) + )); + $arr['sig_valid'] = ( $arr['h'] === $right_sig ); + } + else + { + $arr['sig_valid'] = true; + } + return $arr; +} + +function yms_ksort_url($signpart) +{ + $arr = array(); + $values = explode('&', $signpart); + foreach ( $values as $var ) + { + list($name) = explode('=', $var); + $value = substr($var, strlen($name) + 1); + $arr[$name] = $value; + } + ksort($arr); + $result = array(); + foreach ( $arr as $name => $value ) + { + $result[] = "{$name}={$value}"; + } + return implode('&', $result); +} + +function yms_validate_otp($otp, $id) +{ + global $db, $session, $paths, $template, $plugins; // Common objects + + $public_id = yms_modhex_decode(substr($otp, 0, 12)); + if ( !$public_id ) + { + return 'BAD_OTP'; + } + // Just in case + $public_id = $db->escape($public_id); + + $q = $db->sql_query("SELECT id, private_id, session_count, token_count, access_time, token_time, aes_secret, flags, client_id FROM " . table_prefix . "yms_yubikeys WHERE ( client_id = 0 or client_id = $id OR flags & " . YMS_ANY_CLIENT . " ) AND public_id = '$public_id';"); + if ( !$q ) + $db->_die(); + + if ( $db->numrows($q) < 1 ) + { + return 'NO_SUCH_KEY'; + } + + list($yubikey_id, $private_id, $session_count, $token_count, $access_time, $token_time, $aes_secret, $flags, $client_id) = $db->fetchrow_num($q); + $session_count = intval($session_count); + $token_count = intval($token_count); + $access_time = intval($access_time); + $token_time = intval($token_time); + + // check flags + if ( $client_id > 0 ) + { + if ( !($flags & YMS_ANY_CLIENT) ) + { + return 'NO_SUCH_KEY'; + } + if ( !($flags & YMS_ENABLED) ) + { + return 'NO_SUCH_KEY'; + } + } + + // decode the OTP + $otp = yms_decode_otp($otp, $aes_secret); + + // check CRC + if ( !$otp['crc_good'] ) + { + return 'BAD_OTP'; + } + + // check private UID (avoids combining a whitelisted known public UID with the increment part of a malicious token) + if ( $private_id !== $otp['privateid'] ) + { + return 'BAD_OTP'; + } + + // check counters + if ( $otp['session'] < $session_count ) + { + return 'REPLAYED_OTP'; + } + if ( $otp['session'] == $session_count && $otp['count'] <= $token_count ) + { + return 'REPLAYED_OTP'; + } + + // update DB + $q = $db->sql_query("UPDATE " . table_prefix . "yms_yubikeys SET session_count = {$otp['session']}, token_count = {$otp['count']}, access_time = " . time() . ", token_time = {$otp['timestamp']} WHERE id = $yubikey_id;"); + if ( !$q ) + $db->_die(); + + // check timestamp + if ( $otp['session'] == $session_count ) + { + $expect_delta = time() - $access_time; + // 8Hz Yubikey internal clock + $actual_delta = intval(( $otp['timestamp'] - $token_time ) / 8); + $fuzz = 150; + if ( !yms_within($expect_delta, $actual_delta, $fuzz) ) + { + // if we have a likely wraparound, just pass it + if ( !($token_time > 0xe80000 && $otp['timestamp'] < 0x800000) ) + { + return 'BAD_OTP'; + } + } + // $debug_array = array('ts_debug_delta_expected' => $expect_delta, 'ts_debug_delta_received' => $actual_delta); + } + + // looks like we're good + return 'OK'; +} diff -r 000000000000 -r 9997bee9ad03 yms/cp.js --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/yms/cp.js Fri Jul 31 23:51:08 2009 -0400 @@ -0,0 +1,269 @@ +function yms_showpage(page) +{ + load_component(['fadefilter', 'jquery', 'jquery-ui']); + yms_destroy_float(); + + if ( aclDisableTransitionFX ) + jQuery.fx.off = true; + + darken(true, 70, 'ymsmask'); + + $('body').append('
'); + $('#yms-float-wrapper') + .css('top', String(getScrollOffset()) + 'px') + .css('left', 0) + .css('z-index', String( getHighestZ() + 20 )); + + ajaxGet(makeUrlNS('Special', 'YMS/' + page, 'noheaders'), function(ajax) + { + if ( ajax.readyState == 4 && ajax.status == 200 ) + { + var fade_time = aclDisableTransitionFX ? 0 : 500; + $('#yms-float-body').animate({ width: 728, height: getHeight() - 200 }); + $('.yms-float-spinner').fadeOut(fade_time, function() + { + $('#yms-float-inner') + .css('text-align', 'left') + .html(ajax.responseText) + .append('
' + $lang.get('etc_cancel') + '
'); + $('.yms-float-closer a').click(function() + { + yms_destroy_float(); + return false; + }); + $('#yms-float-inner form').submit(yms_ajax_submit); + // focus first element in the form + $('#yms-float-inner input:first').focus(); + }); + } + else if ( ajax.readyState == 4 && ajax.status != 200 ) + { + yms_destroy_float(); + } + }); +} + +function yms_ajax_submit() +{ + var whitey = whiteOutElement(this); + + var qs = ''; + $('input, select, textarea', this).each(function(i, e) + { + var name = $(e).attr('name'); + var val = $(e).val(); + + if ( $(e).attr('type') == 'checkbox' ) + { + if ( !$(e).attr('checked') ) + return; + val = 'on'; + } + else if ( $(e).attr('type') == 'radio' ) + { + if ( !$(e).attr('checked') ) + return; + } + + if ( name ) + qs += '&' + name + '=' + ajaxEscape(val); + }); + qs = qs.replace(/^&/, ''); + var submit_uri = $(this).attr('action'); + var separator = (/\?/).test(submit_uri) ? '&' : '?'; + submit_uri += separator + 'ajax&noheaders'; + + var to_self = $(this).hasClass('submit_to_self'); + ajaxPost(submit_uri, qs, function(ajax) + { + if ( ajax.readyState == 4 && ajax.status == 200 ) + { + var response = String(ajax.responseText) + ''; + if ( to_self ) + { + // form submits to the dynamic frame, just set HTML and die + $(whitey).remove(); + $('#yms-float-inner') + .html(response) + .append('
' + $lang.get('etc_cancel') + '
'); + + $('.yms-float-closer a').click(function() + { + yms_destroy_float(); + return false; + }); + $('#yms-float-inner form').submit(yms_ajax_submit); + // focus first element in the form + $('#yms-float-inner input:first').focus(); + + return true; + } + if ( !check_json_response(response) ) + { + // invalid JSON, gracefully report error + whiteOutReportFailure(whitey); + setTimeout(function() + { + yms_destroy_float(); + handle_invalid_json(response); + }, 1250); + return false; + } + response = parseJSON(response); + if ( response.mode == 'success' ) + { + $('#yms-messages').html('
' + $lang.get(response.message) + '
'); + yms_refresh_keylist(); + whiteOutReportSuccess(whitey); + setTimeout('yms_destroy_float();', 1250); + } + else if ( response.mode == 'error' ) + { + whiteOutReportFailure(whitey); + setTimeout(function() + { + $('#yms-float-inner .error-box').remove(); + $('#yms-float-inner').prepend('
' + $lang.get(response.error) + '
'); + }, 1250); + } + } + else if ( ajax.readyState == 4 && ajax.status != 200 ) + { + whiteOutReportFailure(whitey); + setTimeout('yms_destroy_float();', 1250); + } + }); + return false; +} + +function yms_destroy_float() +{ + var fade_time = aclDisableTransitionFX ? 0 : 500; + $('#yms-float-wrapper').fadeOut(fade_time, function() + { + $('#yms-float-wrapper').remove(); + enlighten(aclDisableTransitionFX, 'ymsmask'); + }); +} + +function yms_refresh_keylist() +{ + $('#yms-keylist').empty(); + ajaxGet(makeUrlNS('Special', 'YMS', 'noheaders&ajax'), function(ajax) + { + if ( ajax.readyState == 4 && ajax.status == 200 ) + { + $('#yms-keylist').html(ajax.responseText); + } + }); +} + +function yms_toggle_state(span, id) +{ + // touch to put into closure scope + void(span); + var whitey = whiteOutElement(span.parentNode); + var newstate = $(span).hasClass('yms-disabled') ? 'active' : 'inactive'; + ajaxPost(makeUrlNS('Special', 'YMS/AjaxToggleState'), 'id=' + id + '&state=' + newstate, function(ajax) + { + if ( ajax.readyState == 4 && ajax.status == 200 ) + { + if ( ajax.responseText != 'ok' ) + { + whiteOutReportFailure(whitey); + return false; + } + + whiteOutReportSuccess(whitey); + var newclass = newstate == 'active' ? 'yms-enabled' : 'yms-disabled'; + var newtext = newstate == 'active' ? 'yms_state_active' : 'yms_state_inactive'; + $(span).removeClass('yms-disabled').removeClass('yms-enabled').addClass(newclass).text($lang.get(newtext)); + } + }); +} + +function yms_show_notes(link, id) +{ + // show the box + var offset = $(link.parentNode).offset(); + var height = $(link.parentNode).outerHeight(); + var top = offset.top + height; + var left = ( offset.left + $(link.parentNode).outerWidth() ) - 420; + var box = document.createElement('div'); + $(box) + .css('background-color', 'white') + .css('color', '#202020') + .css('padding', 10) + .css('position', 'absolute') + .css('width', 400) + .css('height', 130) + .css('top', top) + .css('left', left) + .appendTo('body'); + + box.yk_id = id; + box.link = link; + + var whitey = whiteOutElement(box); + ajaxPost(makeUrlNS('Special', 'YMS/AjaxNotes'), 'get=' + id, function(ajax) + { + if ( ajax.readyState == 4 && ajax.status == 200 ) + { + $(whitey).remove(); + $(box).html('

'); + $('textarea', box).val(ajax.responseText); + $('a.save', box).text($lang.get('etc_save_changes')).attr('href', '#').click(function() + { + var box = this.parentNode.parentNode; + var text = $('textarea:first', box).val(); + yms_save_note(box, box.yk_id, text, box.link); + return false; + }); + + $('a.cancel', box).text($lang.get('etc_cancel')).attr('href', '#').click(function() + { + $(this.parentNode.parentNode).remove(); + return false; + }); + } + }); +} + +function yms_save_note(box, id, text, link) +{ + var whitey = whiteOutElement(box); + void(link); + ajaxPost(makeUrlNS('Special', 'YMS/AjaxNotes'), 'save=' + id + '¬e=' + ajaxEscape(text), function(ajax) + { + if ( ajax.readyState == 4 && ajax.status == 200 ) + { + if ( ajax.responseText != 'ok' ) + { + whiteOutReportFailure(whitey); + return false; + } + + var newsrc = text == '' ? scriptPath + '/plugins/yms/icons/note_delete.png' : scriptPath + '/plugins/yms/icons/note.png'; + var newtitle = text == '' ? $lang.get('yms_btn_note_create') : $lang.get('yms_btn_note_view'); + $(link).attr('title', newtitle); + $('img:first', link).attr('src', newsrc); + + // remove any existing text + while ( link.nextSibling ) + link.parentNode.removeChild(link.nextSibling); + + // insert text + if ( text != '' ) + { + var summary = ' ' + (text.length > 15 ? text.substr(0, 12) + '...' : text); + link.parentNode.appendChild(document.createTextNode(summary)); + } + + whiteOutReportSuccess(whitey); + setTimeout(function() + { + $(box).remove(); + }, 1250); + } + }); +} diff -r 000000000000 -r 9997bee9ad03 yms/icons/application_view_icons.png Binary file yms/icons/application_view_icons.png has changed diff -r 000000000000 -r 9997bee9ad03 yms/icons/key_add.png Binary file yms/icons/key_add.png has changed diff -r 000000000000 -r 9997bee9ad03 yms/icons/key_delete.png Binary file yms/icons/key_delete.png has changed diff -r 000000000000 -r 9997bee9ad03 yms/icons/key_go.png Binary file yms/icons/key_go.png has changed diff -r 000000000000 -r 9997bee9ad03 yms/icons/note.png Binary file yms/icons/note.png has changed diff -r 000000000000 -r 9997bee9ad03 yms/icons/note_delete.png Binary file yms/icons/note_delete.png has changed diff -r 000000000000 -r 9997bee9ad03 yms/icons/show_client_info.png Binary file yms/icons/show_client_info.png has changed diff -r 000000000000 -r 9997bee9ad03 yms/libotp.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/yms/libotp.php Fri Jul 31 23:51:08 2009 -0400 @@ -0,0 +1,84 @@ +decrypt($cryptpart, $key, ENC_HEX); + $crc_is_good = yms_validate_crc($otp_decrypted); + $return['privateid'] = yms_hex_encode(substr($otp_decrypted, 0, 6)); + $return['session'] = yms_unpack_int(strrev(substr($otp_decrypted, 6, 2))); + $return['timestamp'] = yms_unpack_int(strrev(substr($otp_decrypted, 8, 3))); + $return['count'] = yms_unpack_int(substr($otp_decrypted, 11, 1)); + $return['random'] = yms_unpack_int(substr($otp_decrypted, 12, 2)); + $return['crc'] = yms_unpack_int(substr($otp_decrypted, 14, 2)); + $return['crc_good'] = $crc_is_good; + + return $return; +} + +function yms_unpack_int($str) +{ + $return = 0; + for ( $i = 0; $i < strlen($str); $i++ ) + { + $return = $return << 8; + $return = $return | ord($str{$i}); + } + return $return; +} + +function yms_crc16($buffer) +{ + $buffer = yms_tobinary($buffer); + + $m_crc=0x5af0; + for($bpos=0; $bpos>= 1; + if ($j) $m_crc ^= 0x8408; + } + } + return $m_crc; +} + +function yms_validate_crc($token) +{ + $crc = yms_crc16($token); + return $crc == 0; +} + +function yms_within($test, $control, $fuzz) +{ + $min = $control - $fuzz; + $max = $control + $fuzz; + return $test > $min && $test < $max; +} diff -r 000000000000 -r 9997bee9ad03 yms/styles.css --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/yms/styles.css Fri Jul 31 23:51:08 2009 -0400 @@ -0,0 +1,56 @@ +p.yms-copypara { + line-height: 220%; + margin-left: 2.3em; +} + +span.yms-copyfield { + padding: 3px 7px; + border: 1px dashed rgba(0, 0, 0, 0.2); + background-color: rgba(0, 0, 0, 0.05); +} + +div.yms-buttons { + padding: 10px 0; + text-align: right; +} + +div#yms-float-wrapper { + position: absolute; + width: 100%; + margin: 0; + padding: 0; + top: 0; + margin-top: 75px; +} + +div#yms-float-body { + margin: 0 auto; + padding: 20px; + background-color: #ffffff; + text-align: center; + /* width: 708px; */ + width: 130px; + height: 130px; + + clip: rect(0px, auto, auto, 0px); + overflow: auto; +} + +div.yms-float-closer { + margin-top: 20px; + text-align: center; +} + +span.yms-enabled { + color: white; + padding: 2px 4px; + background-color: #00aa00; + cursor: pointer; +} + +span.yms-disabled { + color: white; + padding: 2px 4px; + background-color: #aa0000; + cursor: pointer; +} diff -r 000000000000 -r 9997bee9ad03 yms/transcode.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/yms/transcode.php Fri Jul 31 23:51:08 2009 -0400 @@ -0,0 +1,79 @@ + $now, + 'status' => $result + )), $api_key); + + exit; +} + +function yms_generate_signed_response($response, $api_key) +{ + $hash = yms_val_sign($response, $api_key); + $result = "h={$hash}\n"; + foreach ( $response as $key => $value ) + { + $result .= "{$key}={$value}\n"; + } + return trim($result); +} + +function yms_val_sign($response, $api_key) +{ + foreach ( array('h', 'title', 'auth') as $key ) + if ( isset($response[$key]) ) + unset($response[$key]); + + ksort($response); + + $signstr = array(); + foreach ( $response as $key => $value ) + { + $signstr[] = "$key=$value"; + } + + $signstr = implode('&', $signstr); + + $api_key = yms_hex_encode(base64_decode($api_key)); + $hash = hmac_sha1($signstr, $api_key); + $hash = yms_hex_decode($hash); + $hash = base64_encode($hash); + + return $hash; +} diff -r 000000000000 -r 9997bee9ad03 yms/validate.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/yms/validate.php Fri Jul 31 23:51:08 2009 -0400 @@ -0,0 +1,47 @@ + 'id')); + } + + if ( !isset($_GET['otp']) ) + { + yms_send_reply('MISSING_PARAMETER', '', array('info' => 'otp')); + } + + // first, get API key so we can properly sign responses + $id = intval($_GET['id']); + $q = $db->sql_query("SELECT apikey FROM " . table_prefix . "yms_clients WHERE id = $id;"); + if ( !$q ) + $db->_die(); + + if ( $db->numrows($q) < 1 ) + yms_send_reply("NO_SUCH_CLIENT"); + + list($g_api_key) = $db->fetchrow_num($q); + $db->free_result($q); + + // check API key + if ( isset($_GET['h']) ) + { + $hex_api_key = yms_hex_encode(base64_decode($g_api_key)); + $right_sig = yubikey_sign($_GET, $hex_api_key); + if ( $right_sig !== $_GET['h'] ) + { + yms_send_reply('BAD_SIGNATURE'); + } + } + + $GLOBALS['g_api_key'] =& $g_api_key; + + yms_send_reply(yms_validate_otp($_GET['otp'], $id)); +} + diff -r 000000000000 -r 9997bee9ad03 yms/yms.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/yms/yms.php Fri Jul 31 23:51:08 2009 -0400 @@ -0,0 +1,842 @@ +auth_level < USER_LEVEL_CHPREF && getConfig('yms_require_reauth', 1) == 1 ) + { + redirect(makeUrlNS('Special', "Login/$paths->fullpage", 'level=' . USER_LEVEL_CHPREF), '', '', 0); + } + + // Check for Yubikey plugin + if ( !function_exists('yubikey_validate_otp') ) + { + die_friendly($lang->get('yms_err_yubikey_plugin_missing_title'), '

' . $lang->get('yms_err_yubikey_plugin_missing_body') . '

'); + } + + // Does the client exist? + $q = $db->sql_query('SELECT 1 FROM ' . table_prefix . "yms_clients WHERE id = {$session->user_id};"); + if ( !$q ) + $db->_die(); + + $client_exists = $db->numrows(); + $db->free_result(); + if ( !$client_exists ) + { + redirect(makeUrlNS('Special', 'YMSCreateClient'), '', '', 0); + } + + // Check for a subpage request + if ( $subpage = $paths->getParam(0) ) + { + if ( preg_match('/^[A-z0-9]+$/', $subpage) ) + { + if ( function_exists("page_Special_YMS_{$subpage}") ) + { + // call the subpage + return call_user_func("page_Special_YMS_{$subpage}"); + } + } + } + + // + // POST processing + // + + if ( isset($_POST['add_aes']) && isset($_POST['add_otp']) ) + { + $client_id = false; + $enabled = $_POST['state'] == 'active'; + $any_client = isset($_POST['any_client']); + $notes = $_POST['notes']; + $result = yms_add_yubikey($_POST['add_aes'], $_POST['add_otp'], $client_id, $enabled, $any_client, $notes); + yms_send_response('yms_msg_addkey_success', $result); + } + else if ( isset($_POST['claim_otp']) ) + { + // do we need to validate a custom field? + if ( ($url = getConfig('yms_claim_auth_url')) && getConfig('yms_claim_auth_field') ) + { + if ( ($result = yms_validate_custom_field($_POST['custom_field'], $_POST['claim_otp'], $url)) !== true ) + yms_send_response('n/a', $result); + } + + // validate this OTP, make sure it's all good + $result = strtolower(yms_validate_otp($_POST['claim_otp'], 0)); + if ( $result !== 'ok' ) + yms_send_response('n/a', "yubiauth_err_response_{$result}"); + + // change owner + $client_id = false; + $enabled = $_POST['state'] == 'active'; + $any_client = isset($_POST['any_client']); + $notes = $_POST['notes']; + $result = yms_chown_yubikey($_POST['claim_otp'], $client_id, $enabled, $any_client, $notes); + yms_send_response('yms_msg_addkey_success', $result); + } + + // Preload JS libraries we need for Yubikey + $template->preload_js(array('jquery', 'jquery-ui', 'l10n', 'flyin', 'messagebox', 'fadefilter')); + // Load CSS + $template->add_header(''); + // Load JS + $template->add_header(''); + + // Send header + $output->header(); + + // Message container + if ( !isset($_GET['ajax'] ) ) + echo '
'; + + // Buttons + ?> +
+ + get('yms_btn_add_key'); ?> + + + get('yms_btn_add_key_preregistered'); ?> + +
+ sql_query('SELECT id, public_id, session_count, create_time, access_time, flags, notes FROM ' . table_prefix . "yms_yubikeys WHERE client_id = {$session->user_id};"); + if ( !$q ) + $db->_die(); + + if ( $db->numrows() < 1 ) + { + echo '

' . $lang->get('yms_msg_no_yubikeys') . '

'; + } + else + { + ?> +
+ + + + + + + + + + + + + + fetchrow($q) ) + { + $cls = $cls == 'row2' ? 'row1' : 'row2'; + ?> + + + + + + + + + + + + + + + + + + + + + + + + +
get('yms_th_id'); ?>get('yms_th_publicid'); ?>get('yms_th_createtime'); ?>get('yms_th_accesstime'); ?>get('yms_th_state'); ?>get('yms_th_note'); ?>
get('yms_msg_access_never') : yms_date($row['access_time']); ?>
+
+ +

+ + get('yms_btn_show_converter'); ?> + + + + get('yms_btn_show_client_info'); ?> + + + free_result($q); + + // close off inner div (yms-keylist) + if ( !isset($_GET['ajax'] ) ) + echo '
'; + + // Send footer + $output->footer(); +} + +// Add key, using AES secret +function page_Special_YMS_AddKey() +{ + global $output; + global $lang; + + $output->header(); + ?> +

get('yms_lbl_addkey_heading'); ?>

+

get('yms_lbl_addkey_desc'); ?>

+
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ get('yms_lbl_addkey_field_secret'); ?>
+ get('yms_lbl_addkey_field_secret_hint'); ?> + 		+ +
+ get('yms_lbl_addkey_field_otp'); ?> + + +
+ get('yms_lbl_addkey_field_state'); ?> + + +
+ get('yms_lbl_addkey_field_any_client_name'); ?>
+ get('yms_lbl_addkey_field_any_client_hint'); ?> + 		+ +
+ get('yms_lbl_addkey_field_notes'); ?> + + +
+ +
+
+ +
+ footer(); +} + +// Add key that's already registered +function page_Special_YMS_AddPreregisteredKey() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + global $lang, $output; + + $output->header(); + ?> +

get('yms_lbl_claimkey_heading'); ?>

+

get('yms_lbl_claimkey_desc'); ?>

+
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ get('yms_lbl_addkey_field_otp'); ?> + + +
+ get('yms_lbl_addkey_field_state'); ?> + + +
+ get('yms_lbl_addkey_field_any_client_name'); ?>
+ get('yms_lbl_addkey_field_any_client_hint'); ?> + 		+ +
+ get('yms_lbl_addkey_field_notes'); ?> + + +
+ + + +
+ +
+
+ +
+ footer(); +} + +// Show the AES secret for a key +function page_Special_YMS_ShowAESKey() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + global $lang, $output; + + $id = intval($paths->getParam(1)); + + // verify ownership, retrieve key + $q = $db->sql_query('SELECT client_id, public_id, aes_secret FROM ' . table_prefix . "yms_yubikeys WHERE id = $id;"); + if ( !$q ) + $db->_die(); + + if ( $db->numrows() < 1 ) + { + die_friendly('no rows', '

key not found

'); + } + + list($client_id, $public_id, $secret) = $db->fetchrow_num(); + $db->free_result(); + + if ( $client_id !== $session->user_id ) + die_friendly($lang->get('etc_access_denied_short'), '

' . $lang->get('etc_access_denied') . '

'); + + $output->header(); + ?> +
+ + + + + + + + + + + + + + + + + + + + + + + +
+ get('yms_showaes_th', array('public_id' => yms_modhex_encode($public_id))); ?> +
+ get('yms_showaes_lbl_hex'); ?> + + +
+ get('yms_showaes_lbl_modhex'); ?> + + +
+ get('yms_showaes_lbl_base64'); ?> + + +
+
+ footer(); +} + +// show the user's API key and client ID +function page_Special_YMS_ShowClientInfo() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + global $lang, $output; + + $q = $db->sql_query('SELECT apikey FROM ' . table_prefix . "yms_clients WHERE id = {$session->user_id};"); + if ( !$q ) + $db->_die(); + + list($api_key) = $db->fetchrow_num(); + $db->free_result(); + + $api_key = yms_tobinary($api_key); + + $output->header(); + ?> +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
get('yms_th_client_id'); ?>
get('yms_lbl_client_id'); ?>user_id); ?>
get('yms_th_api_key'); ?>
get('yms_showaes_lbl_hex'); ?>
get('yms_showaes_lbl_modhex'); ?>
get('yms_showaes_lbl_base64'); ?>
+
+ footer(); +} + +// Converter between different binary encodings +function page_Special_YMS_Converter() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + global $lang, $output; + + $output->header(); + + if ( isset($_POST['value']) ) + { + switch($_POST['format']) + { + case 'auto': + default: + $binary = yms_tobinary($_POST['value']); + break; + case 'hex': + $_POST['value'] = str_replace(" ", '', $_POST['value']); + $binary = yms_hex_decode($_POST['value']); + break; + case 'modhex': + $binary = yms_hex_decode(yms_modhex_decode($_POST['value'])); + break; + case 'base64': + $binary = base64_decode($_POST['value']); + break; + } + + if ( empty($binary) ) + { + echo '
' . $lang->get('yms_conv_err_invalid_string') . '
'; + } + else + { + ?> +
+ + + + + + + + + + + + + + + + + + + + + +
get('yms_th_converted_value'); ?>
get('yms_showaes_lbl_hex'); ?>
get('yms_showaes_lbl_modhex'); ?>
get('yms_showaes_lbl_base64'); ?>
+
+ +
+ +
+ + + + + + + + + + + + + + + + + + + + +
get('yms_th_converter'); ?>
get('yms_conv_lbl_value'); ?>
get('yms_conv_lbl_format'); ?> + $fmt ) + { + echo '\n "; + } + ?> +
+ +
+
+ +
+ footer(); +} + +function page_Special_YMS_AjaxToggleState() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + + $id = intval($_POST['id']); + if ( $_POST['state'] === 'active' ) + $expr = 'flags | ' . YMS_ENABLED; + else + $expr = 'flags & ~' . YMS_ENABLED; + + $q = $db->sql_query('UPDATE ' . table_prefix . "yms_yubikeys SET flags = $expr WHERE id = $id AND client_id = {$session->user_id};"); + if ( !$q ) + $db->die_json(); + + if ( $db->sql_affectedrows() < 1 ) + echo 'no affected rows; not '; + + echo 'ok'; +} + +function page_Special_YMS_AjaxNotes() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + + if ( isset($_POST['get']) ) + { + $id = intval($_POST['get']); + $q = $db->sql_query('SELECT notes FROM ' . table_prefix . "yms_yubikeys WHERE id = $id AND client_id = {$session->user_id};"); + if ( !$q ) + $db->_die(); + if ( $db->numrows() < 1 ) + { + echo "key not found"; + } + else + { + list($note) = $db->fetchrow_num(); + echo $note; + } + $db->free_result(); + } + else if ( isset($_POST['save']) ) + { + $id = intval($_POST['save']); + $note = trim($_POST['note']); + $note = $db->escape($note); + $q = $db->sql_query('UPDATE ' . table_prefix . "yms_yubikeys SET notes = '$note' WHERE id = $id AND client_id = {$session->user_id};"); + if ( !$q ) + $db->die_json(); + + echo 'ok'; + } +} + +// Add key, using just an OTP +// Requires the key to be in the database as client ID 0 + +// Client creation +function page_Special_YMSCreateClient() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; + global $output; + + // Require re-auth? + if ( $session->auth_level < USER_LEVEL_CHPREF && getConfig('yms_require_reauth', 1) == 1 ) + { + redirect(makeUrlNS('Special', "Login/$paths->fullpage", 'level=' . USER_LEVEL_CHPREF), '', '', 0); + } + + // Check for Yubikey plugin + if ( !function_exists('yubikey_validate_otp') ) + { + die_friendly($lang->get('yms_err_yubikey_plugin_missing_title'), '

' . $lang->get('yms_err_yubikey_plugin_missing_body') . '

'); + } + + // Does the client exist? + $q = $db->sql_query('SELECT 1 FROM ' . table_prefix . "yms_clients WHERE id = {$session->user_id};"); + if ( !$q ) + $db->_die(); + + $client_exists = $db->numrows(); + $db->free_result(); + + if ( $client_exists ) + { + die_friendly($lang->get('yms_err_client_exists_title'), '

' . $lang->get('yms_err_client_exists_body') . '

'); + } + + $template->add_header(''); + $output->header(); + + if ( isset($_POST['register_client']) ) + { + // register the client + // SHA1 key length: 160 bits + $api_key = base64_encode(AESCrypt::randkey(160 / 8)); + $client_id = $session->user_id; + + $q = $db->sql_query('INSERT INTO ' . table_prefix . "yms_clients(id, apikey) VALUES ($client_id, '$api_key');"); + if ( !$q ) + $db->_die(); + + $validate_url = makeUrlComplete('Special', 'YubikeyValidate'); + $validate_url = preg_replace('/[?&]auth=[0-9a-f]+/', '', $validate_url); + + ?> +

get('yms_register_msg_success_title'); ?>

+ get('yms_register_msg_success_body', array( + 'yms_link' => makeUrlNS('Special', 'YMS'), + 'client_id' => $client_id, + 'api_key' => $api_key, + 'validate_url' => $validate_url + )); + } + else + { + // confirmation page + ?> +
+

get('yms_register_confirm_title'); ?>

+

get('yms_register_confirm_body'); ?>

+

+ + +

+
+ footer(); +} + +// Generic response function +// Processing functions return either true or a string containing an error message. This +// takes that return, and sends a response through the appropriate channel, while allowing +// shared backend functions. + +function yms_send_response($success_string, $result) +{ + global $lang, $output; + + if ( $result === true ) + { + if ( isset($_GET['ajax']) ) + { + yms_json_response(array( + 'mode' => 'success', + 'message' => $lang->get($success_string) + )); + } + else + { + $output->add_after_header( + '
' . $lang->get($success_string) . '
' + ); + } + } + else + { + if ( isset($_GET['ajax']) ) + { + yms_json_response(array( + 'mode' => 'error', + 'error' => $lang->get($result) + )); + } + else + { + $output->add_after_header( + '
' . $lang->get($result) . '
' + ); + } + } +} + +function yms_json_response($response) +{ + global $db, $session, $paths, $template, $plugins; // Common objects + + header('Content-type: application/json'); + echo enano_json_encode($response); + + $db->close(); + exit; +} + +function yms_date($ts) +{ + return enano_date('Y-m-d H:m:i', $ts); +} + +function yms_state_indicator($flags, $id) +{ + global $lang; + return $flags & YMS_ENABLED ? + '' . $lang->get('yms_state_active') . '' : + '' . $lang->get('yms_state_inactive') . ''; +} + +function yms_notes_cell($notes, $id) +{ + global $lang; + $notes = trim($notes); + if ( empty($notes) ) + { + $img = 'note_delete.png'; + $str = $lang->get('yms_btn_note_create'); + } + else + { + $img = 'note.png'; + $str = $lang->get('yms_btn_note_view'); + } + echo '' . $str . ''; + + if ( !empty($notes) ) + { + echo ' '; + if ( strlen($notes) > 15 ) + echo htmlspecialchars(substr($notes, 0, 12)) . '...'; + else + echo htmlspecialchars($notes); + } +} + +function yms_show_actions($row) +{ + global $lang; + + // Show AES secret + ?> + " title="get('yms_btn_show_aes'); ?>" onclick="yms_showpage('ShowAESKey/'); return false;"> + <?php echo $lang->get('yms_btn_show_aes'); ?> + +