[Web] Updated Yubico.php to v2.7 (#3535)
Source: https://github.com/Yubico/php-yubico/releases/tag/Auth_Yubico-2.7master
parent
4ddc54aabc
commit
e91fb7ccdd
|
@ -5,7 +5,7 @@
|
|||
* @category Auth
|
||||
* @package Auth_Yubico
|
||||
* @author Simon Josefsson <simon@yubico.com>, Olov Danielson <olov@yubico.com>
|
||||
* @copyright 2007-2015 Yubico AB
|
||||
* @copyright 2007-2020 Yubico AB
|
||||
* @license https://opensource.org/licenses/bsd-license.php New BSD License
|
||||
* @version 2.0
|
||||
* @link https://www.yubico.com/
|
||||
|
@ -50,12 +50,6 @@ class Auth_Yubico
|
|||
*/
|
||||
var $_key;
|
||||
|
||||
/**
|
||||
* URL part of validation server
|
||||
* @var string
|
||||
*/
|
||||
var $_url;
|
||||
|
||||
/**
|
||||
* List with URL part of validation servers
|
||||
* @var array
|
||||
|
@ -80,12 +74,24 @@ class Auth_Yubico
|
|||
*/
|
||||
var $_response;
|
||||
|
||||
/**
|
||||
* Number of times we retried in our last validation
|
||||
* @var int
|
||||
*/
|
||||
var $_retries;
|
||||
|
||||
/**
|
||||
* Flag whether to verify HTTPS server certificates or not.
|
||||
* @var boolean
|
||||
*/
|
||||
var $_httpsverify;
|
||||
|
||||
/**
|
||||
* Maximum number of times we will retry transient HTTP errors
|
||||
* @var int
|
||||
*/
|
||||
var $_max_retries;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*
|
||||
|
@ -98,39 +104,37 @@ class Auth_Yubico
|
|||
* default true)
|
||||
* @access public
|
||||
*/
|
||||
public function __construct($id, $key = '', $https = 0, $httpsverify = 1)
|
||||
public function __construct($id, $key = '', $https = 0, $httpsverify = 1, $max_retries = 3)
|
||||
{
|
||||
$this->_id = $id;
|
||||
$this->_key = base64_decode($key);
|
||||
$this->_httpsverify = $httpsverify;
|
||||
$this->_max_retries = $max_retries;
|
||||
}
|
||||
|
||||
/**
|
||||
* Specify to use a different URL part for verification.
|
||||
* The default is "api.yubico.com/wsapi/verify".
|
||||
* The default is "https://api.yubico.com/wsapi/2.0/verify".
|
||||
*
|
||||
* @param string $url New server URL part to use
|
||||
* @access public
|
||||
* @deprecated
|
||||
*/
|
||||
function setURLpart($url)
|
||||
{
|
||||
$this->_url = $url;
|
||||
$this->_url_list = array($url);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get next URL part from list to use for validation.
|
||||
*
|
||||
* @return mixed string with URL part of false if no more URLs in list
|
||||
* @return mixed string with URL part or false if no more URLs in list
|
||||
* @access public
|
||||
*/
|
||||
function getNextURLpart()
|
||||
{
|
||||
if ($this->_url_list) $url_list=$this->_url_list;
|
||||
else $url_list=array('https://api.yubico.com/wsapi/2.0/verify',
|
||||
'https://api2.yubico.com/wsapi/2.0/verify',
|
||||
'https://api3.yubico.com/wsapi/2.0/verify',
|
||||
'https://api4.yubico.com/wsapi/2.0/verify',
|
||||
'https://api5.yubico.com/wsapi/2.0/verify');
|
||||
else $url_list=array('https://api.yubico.com/wsapi/2.0/verify');
|
||||
|
||||
if ($this->_url_index>=count($url_list)) return false;
|
||||
else return $url_list[$this->_url_index++];
|
||||
|
@ -178,6 +182,17 @@ class Auth_Yubico
|
|||
return $this->_response;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the number of retries that were used in the last validation
|
||||
*
|
||||
* @return int Number of retries
|
||||
* @access public
|
||||
*/
|
||||
function getRetries()
|
||||
{
|
||||
return $this->_retries;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parse input string into password, yubikey prefix,
|
||||
* ciphertext, and OTP.
|
||||
|
@ -238,6 +253,26 @@ class Auth_Yubico
|
|||
return $param_array;
|
||||
}
|
||||
|
||||
function _make_curl_handle($query, $timeout=null)
|
||||
{
|
||||
flush();
|
||||
$handle = curl_init($query);
|
||||
curl_setopt($handle, CURLOPT_USERAGENT, "PEAR Auth_Yubico");
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
|
||||
if (!$this->_httpsverify) {
|
||||
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, 0);
|
||||
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, 0);
|
||||
}
|
||||
curl_setopt($handle, CURLOPT_FAILONERROR, true);
|
||||
/* If timeout is set, we better apply it here as well
|
||||
* in case the validation server fails to follow it. */
|
||||
if ($timeout) {
|
||||
curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);
|
||||
}
|
||||
|
||||
return $handle;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify Yubico OTP against multiple URLs
|
||||
* Protocol specification 2.0 is used to construct validation requests
|
||||
|
@ -252,12 +287,19 @@ class Auth_Yubico
|
|||
* and 100 or "fast" or "secure".
|
||||
* @param int $timeout Max number of seconds to wait
|
||||
* for responses
|
||||
* @param int $max_retries Max number of times we will retry on
|
||||
* transient errors.
|
||||
* @return mixed PEAR error on error, true otherwise
|
||||
* @access public
|
||||
*/
|
||||
function verify($token, $use_timestamp=null, $wait_for_all=False,
|
||||
$sl=null, $timeout=null)
|
||||
$sl=null, $timeout=null, $max_retries=null)
|
||||
{
|
||||
/* If maximum retries is not set, default from instance */
|
||||
if (is_null($max_retries)) {
|
||||
$max_retries = $this->_max_retries;
|
||||
}
|
||||
|
||||
/* Construct parameters string */
|
||||
$ret = $this->parsePasswordOTP($token);
|
||||
if (!$ret) {
|
||||
|
@ -284,10 +326,13 @@ class Auth_Yubico
|
|||
}
|
||||
|
||||
/* Generate and prepare request. */
|
||||
$this->_lastquery=null;
|
||||
$this->_lastquery = null;
|
||||
$this->_retries = 0;
|
||||
$this->URLreset();
|
||||
|
||||
$mh = curl_multi_init();
|
||||
$ch = array();
|
||||
$retries = array();
|
||||
while($URLpart=$this->getNextURLpart())
|
||||
{
|
||||
$query = $URLpart . "?" . $parameters;
|
||||
|
@ -295,21 +340,11 @@ class Auth_Yubico
|
|||
if ($this->_lastquery) { $this->_lastquery .= " "; }
|
||||
$this->_lastquery .= $query;
|
||||
|
||||
$handle = curl_init($query);
|
||||
curl_setopt($handle, CURLOPT_USERAGENT, "PEAR Auth_Yubico");
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
|
||||
if (!$this->_httpsverify) {
|
||||
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, 0);
|
||||
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, 0);
|
||||
}
|
||||
curl_setopt($handle, CURLOPT_FAILONERROR, true);
|
||||
/* If timeout is set, we better apply it here as well
|
||||
in case the validation server fails to follow it.
|
||||
*/
|
||||
if ($timeout) curl_setopt($handle, CURLOPT_TIMEOUT, $timeout);
|
||||
$handle = $this->_make_curl_handle($query, $timeout);
|
||||
curl_multi_add_handle($mh, $handle);
|
||||
|
||||
$ch[(int)$handle] = $handle;
|
||||
$retries[$query] = 0;
|
||||
}
|
||||
|
||||
/* Execute and read request. */
|
||||
|
@ -319,19 +354,20 @@ class Auth_Yubico
|
|||
do {
|
||||
/* Let curl do its work. */
|
||||
while (($mrc = curl_multi_exec($mh, $active))
|
||||
== CURLM_CALL_MULTI_PERFORM)
|
||||
;
|
||||
== CURLM_CALL_MULTI_PERFORM) {
|
||||
curl_multi_select($mh);
|
||||
}
|
||||
|
||||
while ($info = curl_multi_info_read($mh)) {
|
||||
$cinfo = curl_getinfo ($info['handle']);
|
||||
if ($info['result'] == CURLE_OK) {
|
||||
|
||||
/* We have a complete response from one server. */
|
||||
|
||||
$str = curl_multi_getcontent($info['handle']);
|
||||
$cinfo = curl_getinfo ($info['handle']);
|
||||
|
||||
if ($wait_for_all) { # Better debug info
|
||||
$this->_response .= 'URL=' . $cinfo['url'] ."\n"
|
||||
$this->_response .= 'URL=' . $cinfo['url'] . ' HTTP_CODE='
|
||||
. $cinfo['http_code'] . "\n"
|
||||
. $str . "\n";
|
||||
}
|
||||
|
||||
|
@ -401,7 +437,7 @@ class Auth_Yubico
|
|||
}
|
||||
}
|
||||
}
|
||||
if (!$wait_for_all && ($valid || $replay))
|
||||
if (!$wait_for_all && ($valid || $replay))
|
||||
{
|
||||
/* We have status=OK or status=REPLAYED_OTP, return. */
|
||||
foreach ($ch as $h) {
|
||||
|
@ -413,12 +449,35 @@ class Auth_Yubico
|
|||
if ($valid) return true;
|
||||
return PEAR::raiseError($status);
|
||||
}
|
||||
|
||||
curl_multi_remove_handle($mh, $info['handle']);
|
||||
curl_close($info['handle']);
|
||||
unset ($ch[(int)$info['handle']]);
|
||||
} else {
|
||||
/* Some kind of error, but def. not a 200 response */
|
||||
/* No status= in response body */
|
||||
$http_status_code = (int)$cinfo['http_code'];
|
||||
$query = $cinfo['url'];
|
||||
if ($http_status_code == 400 ||
|
||||
($http_status_code >= 500 && $http_status_code < 600)) {
|
||||
/* maybe retry */
|
||||
if ($retries[$query] < $max_retries) {
|
||||
$retries[$query]++; // for this server
|
||||
$this->_retries++; // for this validation attempt
|
||||
|
||||
$newhandle = $this->_make_curl_handle($query, $timeout);
|
||||
|
||||
curl_multi_add_handle($mh, $newhandle);
|
||||
$ch[(int)$newhandle] = $newhandle;
|
||||
|
||||
// Loop back up to curl_multi_exec, even if this
|
||||
// was the last handle and curl_multi_exec _was_
|
||||
// no longer active, it's active again now we've
|
||||
// added a retry.
|
||||
$active = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
curl_multi_select($mh);
|
||||
/* Done with this handle */
|
||||
curl_multi_remove_handle($mh, $info['handle']);
|
||||
curl_close($info['handle']);
|
||||
unset ($ch[(int)$info['handle']]);
|
||||
}
|
||||
} while ($active);
|
||||
|
||||
|
|
Loading…
Reference in New Issue