├── .gitignore
├── LICENSE
├── README
├── README.rst
├── crypto.py
├── dbconf.py
├── src
│   ├── dump.mysql
│   └── dump.sqlite
├── yubikeys.sqlite
├── yubiserve.cfg
├── yubiserve.png
└── yubiserve.py
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | .*.swp
3 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
1 | Author & Version
2 | ================
3 |
4 | YubiServe has been written by Alessio Periloso
5 | Version 1.0: 21/05/2010
6 | Version 2.0: 19/11/2010
7 | Version 2.9: 13/12/2010
8 | Version 3.0: 14/12/2010
9 | Version 3.1: 24/03/2011
10 | + Fixed issue #3, #4, #5, #6
11 |
12 |
13 | Description
14 | ===========
15 | This simple service lets you authenticate Yubikeys and OATH tokens using
16 | only a small sqlite database (mysql support is optional!)
17 | The code is released under the GNU GPL (see the LICENSE file)
18 |
19 | The project is divided into two parts:
20 | - The database management tool (dbconf.py)
21 | - The validation server (yubiserve.py)
22 |
23 |
24 | Installation
25 | ============
26 |
27 | Installation is pretty simple, you just have to install a few python packages.
28 | Under Debian, you can run::
29 |
30 |     apt-get install python python-crypto python-openssl
31 |
32 | If you want to add the sqlite support, you should run::
33 |
34 |     apt-get install python-sqlite
35 |
36 | Or, if you want to add the mysql support, you should run::
37 |
38 |     apt-get install python-mysqldb
39 |
40 | If you chose the mysql support, you must create a database and create the
41 | tables. The mysql dump is at src/dump.mysql.
42 |
43 | Then, you have to generate the certificate for ssl validation. If you don't
44 | already have a certificate, issue the following command to self-sign
45 | one::
46 |
47 |     openssl req -new -x509 -keyout yubiserve.pem -out yubiserve.pem -days 365 -nodes
48 |
49 | Note that ``-nodes`` writes the private key unencrypted, into the same yubiserve.pem as the certificate, so keep that file readable only by the user running the server. It is also a good idea to take a look at ``yubiserve.cfg`` to configure the validation server settings.
50 |
51 | After installing the needed packages, you just need to extract the files
52 | to a directory, add the keys and launch the server (or, if you prefer
53 | you can launch the server before adding the keys, it doesn't matter).
54 |
55 |
56 | The database management tool
57 | ============================
58 |
59 | The database management tool helps you manage the keys in the database.
60 | For detailed help, run the database management tool without arguments: ./dbconf.py
61 |
62 | The tool allows you to add, delete, disable and enable keys/tokens.
63 | You can also add and remove API keys, which are used to sign the
64 | server responses so that clients can check them.
65 | Everything is managed through nicknames, so it is easy to remember
66 | who each key belongs to.
67 |
68 | For example, to add a new yubikey, write::
69 |
70 |     ./dbconf.py -ya alessio vvkdtkjureru 980a8608b307 f1dc9c6585d600d06f9aae1abea2969e
71 |
72 | In this example, 'alessio' is the key nickname, 'vvkdtkjureru' is the
73 | key public identity (the one you can see at the beginning of your OTPs),
74 | '980a8608b307' is the private identity of the OTP (12 hex characters; you can read it when
75 | you program your key), and the last parameter is the AES key (32 hex characters).
76 |
77 |
78 | To add a new OATH/HOTP::
79 |
80 |     ./dbconf.py -ha alessio 4rvn24642402 f03ddacdfebb6396f60d7045f41de68f5c5e1c3f
81 |
82 | In this other example, 'alessio' is still the nickname, '4rvn24642402' is
83 | the public identity of the token (it could also be 1, 2, 'alessio' or
84 | whatever you want, up to 12 characters; the Yubico implementation is 12 characters long) and the last parameter is the token's HOTP secret, hex-encoded (40 characters max).
85 |
86 |
87 | To add a new API key::
88 |
89 |     ./dbconf.py -aa alessio
90 |
91 | When you add a new API key, the configuration tool will return both
92 | the api key (ex. 'UkxFMnNFNTV4clRYUExSOWlONzQ=') and the API key id
93 | meant to be used later in your queries to the Yubiserve validation server.
94 |
95 |
96 | The Yubiserve Validation Server
97 | ===============================
98 |
99 |
100 | Understanding how to use the Yubiserve web application is pretty simple.
101 | You just have to run it (./yubiserve.py) and send your queries as
102 | HTTP GET requests.
103 |
104 | The default listening port is 8000, the default listening ip is 0.0.0.0
105 | (so you can connect to it from other machines). If you need it to answer
106 | only from the local machine, you can change the ip to 127.0.0.1.
107 |
108 | The ssl port is by default the next one, so if the http validation server
109 | answers on port 8000, the ssl will answer on port 8001.
110 |
111 | Anyway, everything is easily customizable by editing the yubiserve.cfg file
112 | (read by both yubiserve.py and dbconf.py) and changing the variables "yubiservePORT" for the HTTP port,
113 | "yubiserveSSLPORT" for the SSL port and "yubiserveHOST" for the listening ip.
114 | When you connect to the server (ex. http://192.168.0.1:8000/), it will
115 | answer with a simple page, asking you for a Yubico Yubikey OTP or an OATH/HOTP
116 | token.
117 |
118 | The Yubico Yubikey needs only one parameter: the OTP.
119 | OATH/HOTP tokens need two parameters: the OTP itself (6 or 8 digits)
120 | and the Token Identifier. The token identifier can be any character string
121 | you prefer or, according to the standard OATH implementation, the string
122 | preceding the OTP. The Yubico implementation follows this standard.
123 |
124 | The Yubiserve Validation Server, according to the standard, will try to
125 | find the Token Identifier preceding the OTP. If it is found, the
126 | OTP is verified for that token; LCD tokens do not prepend the
127 | identifier, so you need to enter your ID in the second box to let the
128 | Validation Server find your token.
129 |
130 |
131 | Querying the Yubiserve Validation Server
132 | ========================================
133 |
134 | Querying the Yubiserve Validation Server is pretty simple.
135 | For Yubico Yubikeys, you will need to send a HTTP GET request to:
136 | http://<host>:<port>/wsapi/2.0/verify?otp=<otp>
137 | ex.: http://192.168.0.1:8000/wsapi/2.0/verify?otp=vvnjbbkvjbcnhiretjvjfebbrdgrjjchdhtbderrdbhj
138 | This is the simplest possible authentication request.
139 | The response will be something like::
140 |
141 |     otp=vvnjbbkvjbcnhiretjvjfebbrdgrjjchdhtbderrdbhj
142 |     status=OK
143 |     t=2010-11-20T23:54:35
144 |     h=
145 |
146 | As you can see, the 'h' parameter is empty, because we didn't ask for a
147 | signature with an API Key. To get one, add the 'id' parameter with the API key id
148 | we got when we added the API Key.
149 | ex.: http://192.168.0.1:8000/wsapi/2.0/verify?otp=vvnjbbkvjbcnhiretjvjfebbrdgrjjchdhtbderrdbhj&id=1
150 | This time the response will be like::
151 |
152 |     otp=vvnjbbkvjbcnhiretjvjfebbrdgrjjchdhtbderrdbhj
153 |     status=OK
154 |     t=2010-11-21T00:00:03
155 |     h=6lrhQPKo1I/RQA1KPnjpuiOvVMc=
156 |
157 | To check the server signature, read the source code (you have to perform the
158 | exact same procedure to generate it and then compare the two values), or
159 | rely on the Yubico documentation on Validation Servers. Without this check the API key buys nothing: over the plain HTTP port anyone on the path could forge a status=OK response.
160 |
161 | For OATH/HOTP keys, the query can take two forms.
162 | If your token emits the 'Token Identifier', like Yubico Yubikeys, you can just
163 | send one parameter, the generated string, and the Yubiserve Validation Server will
164 | look up your key information in the database.
165 | If your token instead only generates the 6-8 digits, you will have to pass
166 | your publicID explicitly through another parameter.
167 | So, you will have to query, via HTTP GET, the following address:
168 | http://<host>:<port>/wsapi/2.0/oathverify?otp=<otp>&publicid=<publicid>
169 | ex.: http://192.168.0.1:8000/wsapi/2.0/oathverify?otp=80l944311056173483
170 | ex.: http://192.168.0.1:8000/wsapi/2.0/oathverify?otp=173483&publicid=80l944311056
171 |
172 | Both examples work the same way: in the first case, the Token Identifier was
173 | inside the generated OTP (as in the Yubico Yubikey implementation); in the second case
174 | the authentication came from an LCD token, so Yubiserve needed to know who
175 | the token belonged to, and the publicid parameter was added.
176 | The response, like for Yubico Yubikey queries, is the following::
177 |
178 |     otp=80l944311056173483
179 |     status=OK
180 |     t=2010-11-21T00:04:59
181 |     h=
182 |
183 | The 'h' parameter is not set, because we didn't specify the API Key id. To get the
184 | server signature, we need to add the 'id' parameter, as in the following queries:
185 | ex.: http://192.168.1.2:8000/wsapi/2.0/oathverify?otp=80l944311056173483&id=1
186 | ex.: http://192.168.0.1:8000/wsapi/2.0/oathverify?otp=173483&publicid=80l944311056&id=1
187 |
188 | And this would be the response::
189 |
190 |     otp=80l944311056173483
191 |     status=OK
192 |     t=2010-11-21T00:10:56
193 |     h=vYoG9Av8uG6OqVkmMFuANi4fyWw=
194 |
195 |
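Worked example (added by the editor; this is not code from the yubiserve project): a small Python 3 client that builds the query URLs shown above, parses the key=value response and recomputes ``h`` before trusting ``status=OK``. It assumes the server signs the way the Yubico validation protocol documentation describes, that is HMAC-SHA1 keyed with the base64-decoded API key over the response fields sorted by name and joined with ``&``, with ``h`` itself left out; yubiserve.py's own signing routine is not shown on this page, so compare against it before relying on the check. The API key value is the README's example key for 'alessio', reused here purely as constructed test data, and ``build_query_url``, ``verify_response`` and ``check_otp`` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import urllib.parse
import urllib.request

# README example API key for 'alessio', reused as constructed test data.
# dbconf.py prints the 20 random key characters base64-encoded; the decoded
# bytes are what is assumed to key the HMAC.
EXAMPLE_API_KEY = "UkxFMnNFNTV4clRYUExSOWlONzQ="


def build_query_url(base_url, endpoint, otp, api_key_id=None, publicid=None):
    """URL for /wsapi/2.0/verify (Yubikey) or /wsapi/2.0/oathverify (OATH/HOTP).

    publicid is only needed for LCD tokens whose OTP carries no identifier
    prefix; api_key_id (the 'id' parameter) asks the server for a signed answer.
    """
    params = [("otp", otp)]
    if publicid is not None:
        params.append(("publicid", publicid))
    if api_key_id is not None:
        params.append(("id", str(api_key_id)))
    return "%s/wsapi/2.0/%s?%s" % (base_url.rstrip("/"), endpoint,
                                    urllib.parse.urlencode(params))


def query_server(url, timeout=5):
    """Send the GET and return the response body (network call, not run offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_response(body):
    """Turn the 'name=value' lines of a response into a dict ('h' may be empty)."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            name, _, value = line.partition("=")
            fields[name.strip()] = value.strip()
    return fields


def sign_fields(api_key_b64, fields):
    """Recompute h: HMAC-SHA1 over 'name=value' pairs sorted by name and
    '&'-joined, h itself excluded, keyed with the base64-decoded API key
    (assumption: the Yubico validation-protocol procedure the README points to)."""
    key = base64.b64decode(api_key_b64)
    data = "&".join("%s=%s" % (name, fields[name])
                    for name in sorted(fields) if name != "h")
    mac = hmac.new(key, data.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_response(body, api_key_b64, expected_otp):
    """Return (accepted, fields).

    accepted is True only when the response is signed, the signature matches,
    the echoed otp is the one we sent (a validly signed answer to somebody
    else's query must not be accepted) and status is OK.
    """
    fields = parse_response(body)
    if not fields.get("h"):
        return False, fields      # unsigned: forgeable by anyone on the path
    if not hmac.compare_digest(sign_fields(api_key_b64, fields), fields["h"]):
        return False, fields      # wrong key, or otp/status/t were tampered with
    if fields.get("otp") != expected_otp:
        return False, fields      # signed, but not the answer to our query
    return fields.get("status") == "OK", fields


def check_otp(base_url, endpoint, otp, api_key_id, api_key_b64, publicid=None):
    """End-to-end helper: query the server and verify its answer."""
    url = build_query_url(base_url, endpoint, otp, api_key_id, publicid)
    return verify_response(query_server(url), api_key_b64, otp)
```

``check_otp("http://192.168.0.1:8000", "verify", otp, 1, EXAMPLE_API_KEY)`` performs the README's signed Yubikey query and returns ``(True, fields)`` only for a correctly signed ``status=OK`` answer about that very OTP; the ``oathverify`` endpoint works the same way, with ``publicid`` set for LCD tokens.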
196 | Final thoughts
197 | ==============
198 |
199 | That's all. Pretty simple, huh?
200 | Of course you can add new keys while the server is running, without
201 | restarting it, and multiple queries at a time are allowed, since the server
202 | is multithreaded.
203 |
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
1 | README
--------------------------------------------------------------------------------
/crypto.py:
--------------------------------------------------------------------------------
1 | # coding: utf-8
2 | import hashlib
3 | import hmac
4 | import struct
5 |
6 |
7 | class OATHValidator(object):
8 |     STATUS_OK = 'OK'
9 |     STATUS_BAD = 'BAD'
10 |     STATUS_NO_AUTH = 'NO_AUTH'
11 |     STATUS_NO_CLIENT = 'NO_CLIENT'
12 |
13 |     # Look-ahead window: counters up to this far past the stored one are tried,
14 |     # so a token whose button was pressed without a login still resynchronises.
15 |     COUNTER_WINDOW = 255
16 |
17 |     def __init__(self, dbread_callback, dbwrite_callback):
18 |         self.dbread_callback = dbread_callback
19 |         self.dbwrite_callback = dbwrite_callback
20 |
21 |     def test_HOTP(self, K, C, digits=6):
22 |         # RFC 4226, section 5.3: the counter is an 8-byte big-endian integer.
23 |         # (The original formatted C as decimal digits and hex-decoded them,
24 |         # which only agrees with the RFC for counters below 10.)
25 |         counter = struct.pack('>Q', C)
26 |         HS = hmac.new(K, counter, hashlib.sha1).digest()
27 |         offset = ord(HS[19]) & 0xF
28 |         bin_code = int(HS[offset:offset + 4].encode('hex'), 16) & 0x7FFFFFFF
29 |         # Keep the low `digits` decimal digits, zero-padded (str(bin_code)[-digits:]
30 |         # lost the padding whenever bin_code had fewer digits than requested).
31 |         return ('%0' + str(digits) + 'd') % (bin_code % (10 ** digits))
32 |
33 |     def validate_OATH(self, OATH, publicID):
34 |         # HOTP values are 6 or 8 decimal digits (see README).
35 |         if len(OATH) not in (6, 8) or not OATH.isdigit():
36 |             return self.STATUS_BAD
37 |
38 |         token_data = self.dbread_callback(publicID=publicID)
39 |         if token_data.rowcount != 1:
40 |             return self.STATUS_BAD
41 |
42 |         (actualcounter, key) = token_data.fetchone()
43 |
44 |         K = key.decode('hex')
45 |         # Only counters strictly greater than the stored one are tried, so an OTP
46 |         # can never validate twice; the stored counter moves up on success.
47 |         for C in range(actualcounter + 1, actualcounter + 1 + self.COUNTER_WINDOW):
48 |             if OATH == self.test_HOTP(K, C, len(OATH)):
49 |                 self.dbwrite_callback(counter=str(C), publicID=publicID)
50 |                 return self.STATUS_OK
51 |
52 |         return self.STATUS_NO_AUTH
53 |
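The HOTP check that crypto.py implements, together with the two OTP shapes the README's oathverify section describes (identifier followed by digits, or bare digits plus a publicid), as an added example that is not part of the yubiserve code: a Python 3 HOTP per RFC 4226 (8-byte big-endian counter, dynamic truncation, zero-padded digits), the OTP splitter, and an in-memory stand-in for the oathtokens table that applies the same "strictly greater than the stored counter, within a 255-wide window" rule as validate_OATH. The secret and expected codes used in the checks are the RFC 4226 Appendix D test vectors; the token identifier 80l944311056 is the README's; ``OATHTokenStore`` and ``split_oath_otp`` are names chosen for this example.

```python
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def split_oath_otp(otp, id_length=12):
    """Split '<token identifier><6 or 8 digits>' (Yubikey OATH mode) into its
    parts; a bare 6- or 8-digit code (LCD token) has no identifier."""
    if len(otp) in (6, 8) and otp.isdigit():
        return None, otp
    digits = otp[id_length:]
    if len(digits) in (6, 8) and digits.isdigit():
        return otp[:id_length], digits
    raise ValueError("not an OATH OTP: %r" % otp)


class OATHTokenStore:
    """In-memory stand-in for the oathtokens table: publicname -> [key, counter].
    `counter` is the last accepted value, as yubiserve stores it."""
    WINDOW = 255   # same look-ahead as crypto.OATHValidator

    def __init__(self):
        self.tokens = {}

    def add(self, publicid, secret_hex, counter=0):
        self.tokens[publicid] = [bytes.fromhex(secret_hex), counter]

    def validate(self, otp, publicid=None):
        """'BAD' for a malformed OTP or unknown token, 'NO_AUTH' when no counter
        in the window matches, 'OK' when one does; on success the stored counter
        is advanced, so that OTP and every earlier one are refused from now on."""
        try:
            prefix, code = split_oath_otp(otp)
        except ValueError:
            return "BAD"
        publicid = publicid if publicid is not None else prefix
        if publicid not in self.tokens:
            return "BAD"
        key, last = self.tokens[publicid]
        for c in range(last + 1, last + 1 + self.WINDOW):
            if hmac.compare_digest(hotp(key, c, len(code)), code):
                self.tokens[publicid][1] = c
                return "OK"
        return "NO_AUTH"
```

With the RFC secret registered under 80l944311056 at counter 0, ``validate("80l944311056287082")`` (counter 1) returns OK, the same string a second time returns NO_AUTH, and a code for counter 3 is accepted even though counter 2 was never used, after which the counter 2 code is dead: that skip-forward, never-backward behaviour is what keeps a captured HOTP from being replayed.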
--------------------------------------------------------------------------------
/dbconf.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import os
3 | import re
4 | import string
5 | import time
6 | from random import SystemRandom
7 | from sys import argv
8 |
9 | try:
10 |     import MySQLdb
11 | except ImportError:
12 |     MySQLdb = None
13 | try:
14 |     import sqlite
15 | except ImportError:
16 |     sqlite = None
17 |
18 | def parseConfigFile(): # Originally I wrote this function to parse PHP configuration files!
19 |     config = open(os.path.dirname(os.path.realpath(__file__)) + '/yubiserve.cfg', 'r').read().splitlines()
20 |     keys = {}
21 |     for line in config:
22 |         match = re.search('(.*?)=(.*);', line)
23 |         try: # Check if it's a string or a number
24 |             if ((match.group(2).strip()[0] != '"') and (match.group(2).strip()[0] != '\'')):
25 |                 keys[match.group(1).strip()] = int(match.group(2).strip())
26 |             else:
27 |                 keys[match.group(1).strip()] = match.group(2).strip('"\' ')
28 |         except:
29 |             pass
30 |     return keys
31 |
32 | HEX = re.compile('^[0-9a-fA-F]+$')
33 |
34 | def randomChars(max):
35 |     # API key secrets come from the OS CSPRNG (SystemRandom / os.urandom); the
36 |     # default 'random' generator is a Mersenne Twister whose state can be
37 |     # recovered from its output, which would make every API key predictable.
38 |     alphabet = string.digits + string.ascii_uppercase + string.ascii_lowercase
39 |     rng = SystemRandom()
40 |     return ''.join([rng.choice(alphabet) for i in range(0, max)])
41 |
42 | config = parseConfigFile()
43 |
44 | if MySQLdb is None and sqlite is None:
45 |     print "Cannot continue without any database support.\nPlease read README.\n\n"
46 |     quit()
47 |
48 | if config['yubiDB'] == 'mysql' and (config['yubiMySQLHost'] == '' or config['yubiMySQLUser'] == '' or config['yubiMySQLPass'] == '' or config['yubiMySQLName'] == ''):
49 |     print "Cannot continue without any MySQL configuration.\nPlease read README.\n\n"
50 |     quit()
51 |
52 | try:
53 |     if config['yubiDB'] == 'sqlite':
54 |         con = sqlite.connect(os.path.dirname(os.path.realpath(__file__)) + '/yubikeys.sqlite')
55 |     elif config['yubiDB'] == 'mysql':
56 |         con = MySQLdb.connect(host=config['yubiMySQLHost'], user=config['yubiMySQLUser'], passwd=config['yubiMySQLPass'], db=config['yubiMySQLName'])
57 |     else:
58 |         raise ValueError("unknown yubiDB value '%s'" % config['yubiDB'])
59 | except Exception, e:
60 |     print "There's a problem with the database: %s\n" % e
61 |     quit()
62 | cur = con.cursor()
63 |
64 | # All queries are parameterized (%s placeholders, as yubiserve.py already does).
65 | # The original concatenated argv values into the SQL text; re.escape() only
66 | # escapes regex metacharacters and does nothing against a quote in a nickname.
67 | # Table names below come from this fixed dict, never from the command line.
68 | TABLES = {'-y': 'yubikeys', '-h': 'oathtokens'}
69 |
70 | def countByNickname(table, nickname, active=None):
71 |     if active is None:
72 |         cur.execute("SELECT nickname FROM " + table + " WHERE nickname = %s", (nickname,))
73 |     else:
74 |         cur.execute("SELECT nickname FROM " + table + " WHERE nickname = %s AND active = %s", (nickname, active))
75 |     return cur.rowcount
76 |
77 | def setActive(table, nickname, active, verb):
78 |     # -yd/-hd pass '0', -ye/-he pass '1'. (The original wrote active = '1' in
79 |     # both cases, so "disable" never disabled anything, and its enable test
80 |     # was inverted: an already-active key was "enabled" again.)
81 |     if countByNickname(table, nickname) == 0:
82 |         print 'Key not found.'
83 |     elif countByNickname(table, nickname, active) == 1:
84 |         print 'Key is already ' + verb + '.'
85 |     else:
86 |         cur.execute("UPDATE " + table + " SET active = %s WHERE nickname = %s", (active, nickname))
87 |         con.commit()
88 |         print "Key '" + nickname + "' " + verb + "."
89 |
90 | def deleteKey(table, nickname):
91 |     if countByNickname(table, nickname) == 0:
92 |         print 'Key not found.'
93 |     else:
94 |         cur.execute("DELETE FROM " + table + " WHERE nickname = %s", (nickname,))
95 |         con.commit()
96 |         print "Key '" + nickname + "' deleted."
97 |
98 | def listKeys(table):
99 |     cur.execute("SELECT nickname, publicname, active FROM " + table)
100 |     if cur.rowcount == 0:
101 |         print 'No keys in database\n'
102 |         return
103 |     print " " + str(cur.rowcount) + " keys into database:"
104 |     print '[Nickname]\t\t>> [PublicID]\t\t>> [Active]'
105 |     for i in range(0, cur.rowcount):
106 |         (nickname, publicname, active) = cur.fetchone()
107 |         print ' ' + nickname.ljust(23) + '>> ' + publicname.ljust(21) + '>> ' + str(active)
108 |     print ''
109 |
110 | def addYubikey(nickname, publicid, secretid, aeskey):
111 |     # Column sizes come from src/dump.sqlite; the private identity is 6 bytes
112 |     # (12 hex chars) and the AES-128 key is 16 bytes (32 hex chars).
113 |     if len(nickname) > 16 or len(publicid) > 16:
114 |         print 'Nickname and publicid must be max 16 characters long.'
115 |         quit()
116 |     if not (HEX.match(secretid) and len(secretid) == 12 and HEX.match(aeskey) and len(aeskey) == 32):
117 |         print 'Secretid must be 12 hex characters, aeskey must be 32 hex characters.\n'
118 |         quit()
119 |     cur.execute("SELECT nickname FROM yubikeys WHERE nickname = %s OR publicname = %s", (nickname, publicid))
120 |     if cur.rowcount != 0:
121 |         print 'Key is already into database. Delete it before adding the same key!'
122 |         quit()
123 |     created = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
124 |     cur.execute("INSERT INTO yubikeys VALUES (%s, %s, %s, %s, %s, 1, 1, 1)", (nickname, publicid, created, secretid, aeskey))
125 |     con.commit()
126 |     print "Key '" + nickname + "' added to database."
127 |
128 | def addOATHToken(nickname, publicid, secret):
129 |     # publicname is varchar(12); the HOTP secret is hex, 20 bytes (40 chars) max.
130 |     if len(nickname) > 16 or len(publicid) > 12:
131 |         print 'Nickname must be max 16 characters long, publicid max 12.'
132 |         quit()
133 |     if not (HEX.match(secret) and len(secret) % 2 == 0 and len(secret) <= 40):
134 |         print 'Secret key must be hex, with an even length of 40 characters max.\n'
135 |         quit()
136 |     cur.execute("SELECT nickname FROM oathtokens WHERE nickname = %s OR publicname = %s", (nickname, publicid))
137 |     if cur.rowcount != 0:
138 |         print 'Key is already into database. Delete it before adding the same key!'
139 |         quit()
140 |     created = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
141 |     cur.execute("INSERT INTO oathtokens VALUES (%s, %s, %s, %s, 1, 1)", (nickname, publicid, created, secret))
142 |     con.commit()
143 |     print "Key '" + nickname + "' added to database."
144 |
145 | def addAPIKey(nickname):
146 |     if len(nickname) > 16:
147 |         print 'Nickname must be max 16 characters long.'
148 |         quit()
149 |     cur.execute("SELECT nickname FROM apikeys WHERE nickname = %s", (nickname,))
150 |     if cur.rowcount != 0:
151 |         print 'API Key for this nickname is already present. Remove it or choose another one.\n'
152 |         quit()
153 |     cur.execute('SELECT id FROM apikeys ORDER BY id DESC LIMIT 1')
154 |     if cur.rowcount != 0:
155 |         id = cur.fetchone()[0] + 1
156 |     else:
157 |         id = 1
158 |     api_key = randomChars(20)
159 |     cur.execute("INSERT INTO apikeys VALUES (%s, %s, %s)", (nickname, api_key, id))
160 |     con.commit()
161 |     # The key is printed base64-encoded, which is the form clients are given.
162 |     print "New API Key for '" + nickname + "': '" + api_key.encode('base64').strip() + "'"
163 |     print "Your API Key ID is: " + str(id) + "\n"
164 |
165 | def deleteAPIKey(nickname):
166 |     cur.execute("SELECT nickname FROM apikeys WHERE nickname = %s", (nickname,))
167 |     if cur.rowcount == 0:
168 |         print "API Key for this nickname doesn't exist!\n"
169 |         quit()
170 |     cur.execute("DELETE FROM apikeys WHERE nickname = %s", (nickname,))
171 |     con.commit()
172 |     print "API Key for '" + nickname + "' has been deleted.\n"
173 |
174 | def listAPIKeys():
175 |     cur.execute('SELECT nickname, id FROM apikeys')
176 |     if cur.rowcount == 0:
177 |         print 'No keys in database\n'
178 |         return
179 |     print ' ' + str(cur.rowcount) + ' keys into database:'
180 |     print '[Nickname]\t\t>> [ID]'
181 |     for i in range(0, cur.rowcount):
182 |         (nickname, id) = cur.fetchone()
183 |         print ' ' + nickname.ljust(23) + '>> ' + str(id)
184 |     print ''
185 |
186 | def usage():
187 |     print ' == YubiServe Key Management Tool 2.0 ==\n'
188 |     print ' -ya <nickname> <publicid> <secretid> <aeskey>\tAdd a new Yubikey'
189 |     print ' -yk <nickname>\t\t\t\t\tDelete a Yubikey'
190 |     print ' -yd <nickname>\t\t\t\t\tDisable a Yubikey'
191 |     print ' -ye <nickname>\t\t\t\t\tEnable a Yubikey'
192 |     print ' -yl\t\t\t\t\t\tList all yubikeys in database\n'
193 |
194 |     print ' -ha <nickname> <publicid> <secret>\t\tAdd a new OATH token'
195 |     print ' -hk <nickname>\t\t\t\t\tDelete a OATH token'
196 |     print ' -hd <nickname>\t\t\t\t\tDisable a OATH token'
197 |     print ' -he <nickname>\t\t\t\t\tEnable a OATH token'
198 |     print ' -hl\t\t\t\t\t\tList all OATH tokens in database\n'
199 |
200 |     print ' -aa <nickname>\t\t\t\t\tGenerate an API Key'
201 |     print ' -ak <nickname>\t\t\t\t\tRemove an API Key'
202 |     print ' -al\t\t\t\t\t\tList all API Keys in database\n'
203 |
204 | if len(argv) < 2 or len(argv[1]) != 3 or argv[1][0:2] not in ('-y', '-h', '-a'):
205 |     usage()
206 |     quit()
207 |
208 | kind, action = argv[1][0:2], argv[1][2]
209 | if kind in TABLES:                                   # Yubico Yubikeys / OATH tokens
210 |     table = TABLES[kind]
211 |     if action == 'd' and len(argv) > 2:
212 |         setActive(table, argv[2], '0', 'disabled')
213 |     elif action == 'e' and len(argv) > 2:
214 |         setActive(table, argv[2], '1', 'enabled')
215 |     elif action == 'k' and len(argv) > 2:
216 |         deleteKey(table, argv[2])
217 |     elif action == 'a' and kind == '-y' and len(argv) > 5:   # the original tested > 4 and then read argv[5]
218 |         addYubikey(argv[2], argv[3], argv[4], argv[5])
219 |     elif action == 'a' and kind == '-h' and len(argv) > 4:   # likewise > 3 and then read argv[4]
220 |         addOATHToken(argv[2], argv[3], argv[4])
221 |     elif action == 'l':
222 |         listKeys(table)
223 |     else:
224 |         print 'Not enough parameters. Run ' + argv[0] + ' without arguments for help.'
225 | else:                                                # API keys
226 |     if action == 'a' and len(argv) > 2:
227 |         addAPIKey(argv[2])
228 |     elif action == 'k' and len(argv) > 2:
229 |         deleteAPIKey(argv[2])
230 |     elif action == 'l':
231 |         listAPIKeys()
232 |     else:
233 |         print 'Not enough parameters. Run ' + argv[0] + ' without arguments for help.'
234 |
--------------------------------------------------------------------------------
/src/dump.mysql:
--------------------------------------------------------------------------------
1 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
2 |
3 |
4 | /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
5 | /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
6 | /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
7 | /*!40101 SET NAMES utf8 */;
8 |
9 | --
10 | -- Database: `yubikeys`
11 | --
12 |
13 | -- --------------------------------------------------------
14 |
15 | --
16 | -- Table `apikeys`
17 | --
18 |
19 | CREATE TABLE IF NOT EXISTS `apikeys` (
20 | `nickname` varchar(16) default NULL,
21 | `secret` varchar(28) default NULL,
22 | `id` int(11) NOT NULL,
23 | PRIMARY KEY (`id`)
24 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
25 |
26 | -- --------------------------------------------------------
27 |
28 | --
29 | -- Table `oathtokens`
30 | --
31 |
32 | CREATE TABLE IF NOT EXISTS `oathtokens` (
33 | `nickname` varchar(16) NOT NULL,
34 | `publicname` varchar(12) NOT NULL,
35 | `created` varchar(24) NOT NULL,
36 | `secret` varchar(40) NOT NULL,
37 | `active` tinyint(1) default '1',
38 | `counter` int(11) NOT NULL default '1',
39 | UNIQUE KEY `nickname` (`nickname`),
40 | UNIQUE KEY `publicname` (`publicname`)
41 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
42 |
43 | -- --------------------------------------------------------
44 |
45 | --
46 | -- Table `yubikeys`
47 | --
48 |
49 | CREATE TABLE IF NOT EXISTS `yubikeys` (
50 | `nickname` varchar(16) NOT NULL,
51 | `publicname` varchar(16) NOT NULL,
52 | `created` varchar(24) NOT NULL,
53 | `internalname` varchar(12) NOT NULL,
54 | `aeskey` varchar(32) NOT NULL,
55 | `active` tinyint(1) default '1',
56 | `counter` int(11) NOT NULL default '1',
57 | `time` int(11) NOT NULL default '1',
58 | UNIQUE KEY `nickname` (`nickname`),
59 | UNIQUE KEY `publicname` (`publicname`)
60 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
61 |
62 |
--------------------------------------------------------------------------------
/src/dump.sqlite:
--------------------------------------------------------------------------------
1 | BEGIN TRANSACTION;
2 | create table yubikeys(
3 | nickname varchar(16) unique not null,
4 | publicname varchar(16) unique not null,
5 | created varchar(24) not null,
6 | internalname varchar(12) not null,
7 | aeskey varchar(32) not null,
8 | active boolean default true,
9 | counter integer not null default 1,
10 | time integer not null default 1
11 | );
12 | create table oathtokens(
13 | nickname varchar(16) unique not null,
14 | publicname varchar(12) unique not null,
15 | created varchar(24) not null,
16 | secret varchar(40) not null,
17 | active boolean default true,
18 | counter integer not null default 1
19 | );
20 | create table apikeys(
21 | nickname varchar(16),
22 | secret varchar(28),
23 | id integer primary key
24 | );
25 | COMMIT;
26 |
--------------------------------------------------------------------------------
/yubikeys.sqlite:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rbarrois/yubico-yubiserve/5d9baff9ca5415d948dfb67b7923d5812d3fdf0b/yubikeys.sqlite
--------------------------------------------------------------------------------
/yubiserve.cfg:
--------------------------------------------------------------------------------
1 | yubiservePORT = 8000;
2 | yubiserveSSLPORT = 8001;
3 | yubiserveHOST = '0.0.0.0';
4 | yubiDB = 'sqlite';
5 | #yubiDB = 'mysql';
6 | yubiMySQLHost = 'localhost';
7 | yubiMySQLUser = 'yubiserve';
8 | yubiMySQLPass = 'yubipass';
9 | yubiMySQLName = 'yubikeys';
10 |
--------------------------------------------------------------------------------
/yubiserve.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rbarrois/yubico-yubiserve/5d9baff9ca5415d948dfb67b7923d5812d3fdf0b/yubiserve.png
--------------------------------------------------------------------------------
/yubiserve.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding: utf-8
3 |
4 | import BaseHTTPServer
5 | import SocketServer
6 | import hashlib
7 | import hmac
8 | import os
9 | import re
10 | import socket
11 | import time
12 | import urllib
13 | import urlparse
14 |
15 | from threading import Thread
16 | from Crypto.Cipher import AES
17 | from OpenSSL import SSL
18 |
19 | import crypto
20 |
21 | try:
22 |     import MySQLdb
23 | except ImportError:
24 |     pass
25 | try:
26 |     import sqlite
27 | except ImportError:
28 |     pass
29 |
30 | def parseConfigFile(): # Originally I wrote this function to parse PHP configuration files!
31 |     config = open(os.path.dirname(os.path.realpath(__file__)) + '/yubiserve.cfg', 'r').read().splitlines()
32 |     keys = {}
33 |     for line in config:
34 |         match = re.search('(.*?)=(.*);', line)
35 |         try: # Check if it's a string or a number
36 |             if ((match.group(2).strip()[0] != '"') and (match.group(2).strip()[0] != '\'')):
37 |                 keys[match.group(1).strip()] = int(match.group(2).strip())
38 |             else:
39 |                 keys[match.group(1).strip()] = match.group(2).strip('"\' ')
40 |         except:
41 |             pass
42 |     return keys
43 |
44 | config = parseConfigFile()
45 |
46 |
47 | class OATHValidator(crypto.OATHValidator):
48 |
49 |     def __init__(self, connection):
50 |         cur = connection.cursor()
51 |         def dbread(publicID):
52 |             cur.execute("""
53 |                 SELECT counter, secret
54 |                 FROM oathtokens
55 |                 WHERE publicname = %s AND active = '1'
56 |             """, (publicID,))
57 |             return cur
58 |
59 |         def dbwrite(counter, publicID):
60 |             cur.execute("""
61 |                 UPDATE oathtokens
62 |                 SET counter = %s
63 |                 WHERE publicname = %s AND active = '1'
64 |             """, (counter, publicID))
65 |             connection.commit()
66 |
67 |         super(OATHValidator, self).__init__(dbread, dbwrite)
68 |
69 |
70 | class OTPValidation():
71 |
72 |     def __init__(self, connection):
73 |         self.status = {'OK': 1, 'BAD_OTP': 2, 'REPLAYED_OTP': 3, 'DELAYED_OTP': 4, 'NO_CLIENT': 5}
74 |         self.validationResult = 0
75 |         self.con = connection
76 |
77 |     def hexdec(self, hex):
78 |         return int(hex, 16)
79 |
80 |     def modhex2hex(self, string):
81 |         hex = "0123456789abcdef"
82 |         modhex = "cbdefghijklnrtuv"
83 |         retVal = ''
84 |         for i in range (0, len(string)):
85 |             pos = modhex.find(string[i])
86 | if pos > -1:
87 | retVal += hex[pos]
88 | else:
89 | raise Exception, '"' + string[i] + '": not a valid modhex character'
90 | return retVal
91 |
92 | def CRC(self):  # CRC-16 over the 16 decrypted bytes (reflected polynomial 0x8408, initial value 0xffff); the result is kept in self.OTPcrc
93 | crc = 0xffff
94 | for i in range(0, 16):
95 | crc = crc ^ self.hexdec(self.plaintext[i*2] + self.plaintext[(i*2)+1])  # feed each byte into the register before shifting it out bit by bit
96 | for j in range(0, 8):
97 | n = crc & 1
98 | crc = crc >> 1
99 | if n != 0:
100 | crc = crc ^ 0x8408
101 | self.OTPcrc = crc
102 | return crc
103 |
104 | def isCRCValid(self):
105 | return (self.OTPcrc == 0xf0b8)  # a genuine block, payload plus its inverted CRC, always leaves the residue 0xf0b8
106 |
107 | def aes128ecb_decrypt(self, aeskey, aesdata):
108 | return AES.new(aeskey.decode('hex'), AES.MODE_ECB).decrypt(aesdata.decode('hex')).encode('hex')
109 |
110 | def getResult(self):
111 | return self.validationResult
112 |
113 | def getResponse(self):
114 | return self.validationResponse
115 |
116 | def validateOTP(self, OTP):
117 | self.OTP = re.escape(OTP)
118 | self.validationResult = 0
119 | if (len(OTP) <= 32) or (len(OTP) > 48):
120 | self.validationResult = self.status['BAD_OTP']
121 | return self.validationResult
122 | match = re.search('([cbdefghijklnrtuv]{0,16})([cbdefghijklnrtuv]{32})', re.escape(OTP))
123 | try:
124 | if match is None or not match.group(1): raise IndexError  # no 32-character modhex body, or no public identity in front of it; reported as BAD_OTP by the handler below
125 | self.userid = match.group(1)
126 | self.token = self.modhex2hex(match.group(2))
127 | cur = self.con.cursor()
128 | cur.execute("SELECT aeskey, internalname FROM yubikeys WHERE publicname = %s AND active = '1'", (self.userid,))  # bound parameter, as in OATHValidator
129 | if (cur.rowcount != 1):
130 | self.validationResult = self.status['BAD_OTP']
131 | return self.validationResult
132 | (self.aeskey, self.internalname) = cur.fetchone()
133 | self.plaintext = self.aes128ecb_decrypt(self.aeskey, self.token)
134 | uid = self.plaintext[:12]
135 | if (self.internalname != uid):
136 | self.validationResult = self.status['BAD_OTP']
137 | return self.validationResult
138 | self.CRC()  # computes the CRC-16 over the 16 decrypted bytes into self.OTPcrc
139 | if self.OTPcrc != 0xf0b8:  # a genuine block, payload plus its inverted CRC, always leaves the residue 0xf0b8
140 | self.validationResult = self.status['BAD_OTP']; return self.validationResult
141 | self.internalcounter = self.hexdec(self.plaintext[14:16] + self.plaintext[12:14] + self.plaintext[22:24])
142 | self.timestamp = self.hexdec(self.plaintext[20:22] + self.plaintext[18:20] + self.plaintext[16:18])
143 | cur.execute("SELECT counter, time FROM yubikeys WHERE publicname = %s AND active = '1'", (self.userid,))
144 | if (cur.rowcount != 1):
145 | self.validationResult = self.status['BAD_OTP']
146 | return self.validationResult
147 | (self.counter, self.time) = cur.fetchone()
148 | if (self.counter) >= (self.internalcounter):
149 | self.validationResult = self.status['REPLAYED_OTP']
150 | return self.validationResult
151 | if (self.time >= self.timestamp) and ((self.counter >> 8) == (self.internalcounter >> 8)):
152 | self.validationResult = self.status['DELAYED_OTP']
153 | return self.validationResult
154 | except IndexError:
155 | self.validationResult = self.status['BAD_OTP']
156 | return self.validationResult
157 | self.validationResult = self.status['OK']
158 | cur.execute("UPDATE yubikeys SET counter = %s, time = %s WHERE publicname = %s", (self.internalcounter, self.timestamp, self.userid))
159 | self.con.commit()
160 | return self.validationResult
161 |
162 | class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
163 | __base = BaseHTTPServer.BaseHTTPRequestHandler
164 | __base_handle = __base.handle
165 |
166 | server_version = 'Yubiserve/3.0'
167 |
168 | global config
169 | #try:
170 | if config['yubiDB'] == 'sqlite':
171 | con = sqlite.connect(os.path.dirname(os.path.realpath(__file__)) + '/yubikeys.sqlite')
172 | elif config['yubiDB'] == 'mysql':
173 | con = MySQLdb.connect(host=config['yubiMySQLHost'], user=config['yubiMySQLUser'], passwd=config['yubiMySQLPass'], db=config['yubiMySQLName'])
174 | #except:
175 | # print "There's a problem with the database!\n"
176 | # quit()
177 |
178 | def getToDict(self, qs):
179 | dict = {}
180 | for singleValue in qs.split('&'):
181 | key, sep, val = singleValue.partition('=')  # tolerates a key without '=' and values that contain '='
182 | dict[urllib.unquote_plus(key)] = urllib.unquote_plus(val)
183 | return dict
184 |
185 | def setup(self):
186 | self.connection = self.request
187 | self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
188 | self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
189 |
190 | def log_message(self, format, *args):
191 | pass
192 |
193 | def do_GET(self):
194 | (scm, netloc, path, params, query, fragment) = urlparse.urlparse(self.path, 'http')
195 | if scm != 'http':
196 | self.send_error(501, "The server does not support the facility required.")
197 | return
198 | if (path != '/wsapi/2.0/verify') and (path != '/wsapi/2.0/oathverify'):
199 | self.send_response(200)
200 | self.send_header('Content-type', 'text/html')
201 | self.end_headers()
202 | self.wfile.write('')
203 | # Yubico Yubikey
204 | self.wfile.write('Yubico Yubikeys:\n')
205 | # OATH HOTP
206 | self.wfile.write('OATH/HOTP tokens:\n')
207 | self.wfile.write('')
208 |
209 | elif path == '/wsapi/2.0/verify': # Yubico Yubikey
210 | try:
211 | getData = self.getToDict(query) if len(query) > 0 else {}  # defined on every path, so the MISSING_PARAMETER branch below can look up the client id
212 | if len(getData) > 0:
213 | otpvalidation = OTPValidation(self.con)
214 | validation = otpvalidation.validateOTP(getData['otp'])
215 | self.send_response(200)
216 | self.send_header('Content-type', 'text/plain')
217 | self.end_headers()
218 | iso_time = time.strftime("%Y-%m-%dT%H:%M:%S")
219 | try:
220 | result = 't=' + iso_time + '\r\notp=' + getData['otp'] + '\r\nnonce=' + getData['nonce'] + '\r\nsl=100\r\nstatus=' + [k for k, v in otpvalidation.status.iteritems() if v == validation][0] + '\r\n'
221 | orderedResult = 'nonce=' + getData['nonce'] + '&otp=' + getData['otp'] + '&sl=100&status=' + [k for k, v in otpvalidation.status.iteritems() if v == validation][0] + '&t=' + iso_time
222 | except KeyError:
223 | result = 't=' + iso_time + '\r\notp=' + getData['otp'] + '\r\nnonce=\r\nsl=100\r\nstatus=' + [k for k, v in otpvalidation.status.iteritems() if v == validation][0] + '\r\n'
224 | orderedResult = 'nonce=&otp=' + getData['otp'] + '&sl=100&status=' + [k for k, v in otpvalidation.status.iteritems() if v == validation][0] + '&t=' + iso_time
225 | otp_hmac = ''
226 | try:
227 | if (getData['id'] != None):
228 | apiID = getData['id']  # bound as a query parameter below, so it needs no escaping
229 | cur = self.con.cursor()
230 | cur.execute("SELECT secret FROM apikeys WHERE id = %s", (apiID,))
231 | if cur.rowcount != 0:
232 | api_key = cur.fetchone()[0]
233 | otp_hmac = hmac.new(api_key, msg=orderedResult, digestmod=hashlib.sha1).hexdigest().decode('hex').encode('base64').strip()
234 | else:
235 | result = 't=' + iso_time + '\r\notp=' + getData['otp'] + '\r\nstatus=NO_CLIENT\r\n'
236 | except KeyError:
237 | pass
238 | self.wfile.write('h=' + otp_hmac + '\r\n' + result + '\r\n')
239 | return
240 |
241 | except KeyError:
242 | pass
243 |
244 | self.send_response(200)
245 | self.send_header('Content-type', 'text/plain')
246 | self.end_headers()
247 | iso_time = time.strftime("%Y-%m-%dT%H:%M:%S")
248 | result = 't=' + iso_time + '\r\notp=\r\nnonce=\r\nstatus=MISSING_PARAMETER\r\n'
249 | orderedResult = 'nonce=&otp=&status=MISSING_PARAMETER&t=' + iso_time
250 | otp_hmac = ''
251 | try:
252 | if (getData['id'] != None):
253 | apiID = getData['id']  # bound as a query parameter below, so it needs no escaping
254 | cur = self.con.cursor()
255 | cur.execute("SELECT secret FROM apikeys WHERE id = %s", (apiID,))
256 | if cur.rowcount != 0:
257 | api_key = cur.fetchone()[0]
258 | otp_hmac = hmac.new(api_key, msg=orderedResult, digestmod=hashlib.sha1).hexdigest().decode('hex').encode('base64').strip()
259 | except KeyError:
260 | pass
261 |
262 | self.wfile.write('h=' + otp_hmac + '\r\n' + result + '\r\n')
263 | return
264 |
265 | elif path == '/wsapi/2.0/oathverify': # OATH HOTP
266 | try:
267 | getData = self.getToDict(query)
268 | if (len(query) > 0) and ((len(getData['otp']) == 6) or (len(getData['otp']) == 8) or (len(getData['otp']) == 18) or (len(getData['otp']) == 20)):
269 |
270 | oathvalidation = OATHValidator(self.con)
271 | OTP = getData['otp']
272 | if (len(OTP) == 18) or (len(OTP) == 20):
273 | publicID = OTP[0:12]
274 | OTP = OTP[12:]
275 | elif (len(OTP) == 6) or (len(OTP) == 8):
276 | if len(getData['publicid'])>0:
277 | publicID = getData['publicid']
278 | else:
279 | raise KeyError
280 |
281 | validation = oathvalidation.validateOATH(OTP, publicID)
282 | self.send_response(200)
283 | self.send_header('Content-type', 'text/plain')
284 | self.end_headers()
285 | iso_time = time.strftime("%Y-%m-%dT%H:%M:%S")
286 | result = 'otp=' + getData['otp'] + '\r\nstatus=' + validation + '\r\nt=' + iso_time
287 | otp_hmac = ''
288 | try:
289 | if (getData['id'] != None):
290 | apiID = getData['id']  # bound as a query parameter below, so it needs no escaping
291 | cur = self.con.cursor()
292 | cur.execute("SELECT secret FROM apikeys WHERE id = %s", (apiID,))
293 | if cur.rowcount != 0:
294 | api_key = cur.fetchone()[0]
295 | otp_hmac = hmac.new(api_key, msg=result, digestmod=hashlib.sha1).hexdigest().decode('hex').encode('base64').strip()
296 | else:
297 | result = 'otp=' + getData['otp'] + '\r\nstatus=NO_CLIENT\r\nt=' + iso_time
298 | except KeyError:
299 | pass
300 | self.wfile.write(result + '\r\nh=' + otp_hmac)
301 | return
302 | else:
303 | self.send_response(200)
304 | self.send_header('Content-type', 'text/plain')
305 | self.end_headers()
306 | iso_time = time.strftime("%Y-%m-%dT%H:%M:%S")
307 | result = 'otp=\r\nstatus=BAD_OTP\r\nt=' + iso_time
308 | otp_hmac = ''
309 | try:
310 | if (getData['id'] != None):
311 | apiID = getData['id']  # bound as a query parameter below, so it needs no escaping
312 | cur = self.con.cursor()
313 | cur.execute("SELECT secret FROM apikeys WHERE id = %s", (apiID,))
314 | if cur.rowcount != 0:
315 | api_key = cur.fetchone()[0]
316 | otp_hmac = hmac.new(api_key, msg=result, digestmod=hashlib.sha1).hexdigest().decode('hex').encode('base64').strip()
317 | except KeyError:
318 | pass
319 | self.wfile.write('h=' + otp_hmac + '\r\n' + result)
320 | return
321 | except KeyError:
322 | pass
323 | self.send_response(200)
324 | self.send_header('Content-type', 'text/plain')
325 | self.end_headers()
326 | iso_time = time.strftime("%Y-%m-%dT%H:%M:%S")
327 | result = 'otp=\r\nstatus=MISSING_PARAMETER\r\nt=' + iso_time
328 | otp_hmac = ''
329 | try:
330 | if (getData['id'] != None):
331 | apiID = getData['id']  # bound as a query parameter below, so it needs no escaping
332 | cur = self.con.cursor()
333 | cur.execute("SELECT secret FROM apikeys WHERE id = %s", (apiID,))
334 | if cur.rowcount != 0:
335 | api_key = cur.fetchone()[0]
336 | otp_hmac = hmac.new(api_key, msg=result, digestmod=hashlib.sha1).hexdigest().decode('hex').encode('base64').strip()
337 | except KeyError:
338 | pass
339 | self.wfile.write('h=' + otp_hmac + '\r\n' + result)
340 | return
341 |
342 | do_HEAD = do_GET
343 | do_PUT = do_GET
344 | do_DELETE = do_GET
345 | do_CONNECT = do_GET
346 | do_POST = do_GET
347 |
348 | class SecureHTTPServer(BaseHTTPServer.HTTPServer):
349 | def __init__(self, server_address, HandlerClass):
350 | BaseHTTPServer.HTTPServer.__init__(self, server_address, HandlerClass)
351 | ctx = SSL.Context(SSL.SSLv23_METHOD)
352 | fpem = os.path.dirname(os.path.realpath(__file__)) + '/yubiserve.pem'
353 | ctx.use_privatekey_file (fpem)
354 | ctx.use_certificate_file(fpem)
355 | self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
356 | self.server_bind()
357 | self.server_activate()
358 |
359 | class ThreadingHTTPServer(SocketServer.ThreadingMixIn, BaseHTTPServer.HTTPServer):
360 | pass
361 | class ThreadingHTTPSServer(SocketServer.ThreadingMixIn, SecureHTTPServer):
362 | pass
363 |
364 | try:
365 | if MySQLdb != None:
366 | isThereMysql = True
367 | except NameError:
368 | isThereMysql = False
369 |
370 | try:
371 | if sqlite != None:
372 | isThereSqlite = True
373 | except NameError:
374 | isThereSqlite = False
375 |
376 | if isThereMysql == isThereSqlite == False:
377 | print "Cannot continue without any database support.\nPlease read README.\n\n"
378 | quit()
379 |
380 | if config['yubiDB'] == 'mysql' and (config['yubiMySQLHost'] == '' or config['yubiMySQLUser'] == '' or config['yubiMySQLPass'] == '' or config['yubiMySQLName'] == ''):
381 | print "Cannot continue without any MySQL configuration.\nPlease read README.\n\n"
382 | quit()
383 |
384 | yubiserveHTTP = ThreadingHTTPServer((config['yubiserveHOST'], config['yubiservePORT']), YubiServeHandler)
385 | yubiserveSSL = ThreadingHTTPSServer((config['yubiserveHOST'], config['yubiserveSSLPORT']), YubiServeHandler)
386 |
387 | http_thread = Thread(target=yubiserveHTTP.serve_forever)
388 | ssl_thread = Thread(target=yubiserveSSL.serve_forever)
389 |
390 | http_thread.setDaemon(True)
391 | ssl_thread.setDaemon(True)
392 |
393 | http_thread.start()
394 | ssl_thread.start()
395 |
396 | print "HTTP Server is running."
397 |
398 | while 1:
399 | time.sleep(1)
400 |
401 |
--------------------------------------------------------------------------------
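As an added example (not part of yubico-yubiserve), here is the post-decryption part of the Yubico OTP check that validateOTP performs, written in Python 3: modhex decoding and the split into public identity and ciphertext, the CRC-16 residue test, the field layout that validateOTP reads at fixed hex offsets, and the replay and delayed-OTP comparisons against the stored counter and timestamp. The AES-128-ECB step is left out so the example runs without a crypto library; the 16-byte block, the private identity and the counter values are constructed here and are not real key data.

```python
# Added example, not part of yubico-yubiserve: the checks yubiserve.py applies
# after AES decryption, rewritten in Python 3. The AES-128-ECB step is omitted
# so this runs without a crypto library; all key material below is constructed.
import struct

MODHEX = "cbdefghijklnrtuv"   # modhex alphabet: the value of a character is its index
CRC_RESIDUE = 0xf0b8         # crc16() over payload plus inverted CRC of a genuine block


def modhex_to_bytes(s):
    """Decode an even-length modhex string into bytes."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a modhex string: %r" % s)
    nib = [MODHEX.index(ch) for ch in s]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))


def split_otp(otp):
    """Public identity (0-16 modhex chars) and the 16-byte ciphertext that follows it."""
    if not 32 < len(otp) <= 48 or any(ch not in MODHEX for ch in otp):
        raise ValueError("malformed OTP")
    return otp[:-32], modhex_to_bytes(otp[-32:])


def crc16(data):
    """CRC-16 as used by Yubico: reflected polynomial 0x8408, initial value 0xffff."""
    crc = 0xffff
    for b in data:
        crc ^= b                      # feed the byte in before shifting it out bit by bit
        for _ in range(8):
            low = crc & 1
            crc >>= 1
            if low:
                crc ^= 0x8408
    return crc


def build_plaintext(uid, use_ctr, tstamp, session_ctr, rnd):
    """Construct a 16-byte block the way a key lays it out (test data, not a real key)."""
    body = (uid + struct.pack("<H", use_ctr) + struct.pack("<I", tstamp)[:3]
            + bytes([session_ctr]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", crc16(body) ^ 0xffff)   # CRC stored inverted, little-endian


def parse_plaintext(pt):
    """Fields at the offsets validateOTP reads: uid, combined counter, timestamp."""
    uid = pt[:6]
    use_ctr = struct.unpack("<H", pt[6:8])[0]
    tstamp = pt[8] | (pt[9] << 8) | (pt[10] << 16)     # 24-bit little-endian
    session_ctr = pt[11]
    return uid, (use_ctr << 8) | session_ctr, tstamp


def validate(pt, expected_uid, last_counter, last_time):
    """Status string for a decrypted block, with the same tests and order as validateOTP."""
    if len(pt) != 16:
        return "BAD_OTP"
    uid, counter, tstamp = parse_plaintext(pt)
    if uid != expected_uid:                   # private identity must match the stored internalname
        return "BAD_OTP"
    if crc16(pt) != CRC_RESIDUE:              # corrupted or forged block
        return "BAD_OTP"
    if last_counter >= counter:               # the counter never goes backwards: replay
        return "REPLAYED_OTP"
    if last_time >= tstamp and (last_counter >> 8) == (counter >> 8):
        return "DELAYED_OTP"                  # same session, but the key's clock went backwards
    return "OK"


if __name__ == "__main__":
    uid = bytes.fromhex("8792ebfe26cc")       # constructed private identity
    block = build_plaintext(uid, use_ctr=5, tstamp=0x1234, session_ctr=3, rnd=0xbeef)
    print(validate(block, uid, last_counter=(5 << 8) | 2, last_time=0x1000))   # OK
    print(validate(block, uid, last_counter=(5 << 8) | 3, last_time=0x1000))   # REPLAYED_OTP
    print(split_otp("cccccccccccc" + "v" * 32)[0])                             # cccccccccccc
```

The residue test is what makes a forged or bit-flipped block detectable: the key appends the inverted CRC of the first 14 bytes, so running the same CRC over all 16 bytes of a genuine block always yields 0xf0b8, and any change to the block changes that value.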
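Also added here, and not the project's code: the signature over a /wsapi/2.0/verify response, as a client checking the h= field would compute it. The fields are sorted by name and joined with `&` (the ordering the handler builds by hand in orderedResult), the MAC is HMAC-SHA1 encoded in base64, and the comparison is constant-time. This example assumes the API secret is stored base64-encoded (20 bytes encode to the 28 characters of the apikeys secret column) and decodes it before use; yubiserve.py itself passes the stored string straight to hmac.new. The key and field values are constructed.

```python
# Added example, not yubiserve's own code: computing and verifying the h= field
# of a /wsapi/2.0/verify response. The API secret is assumed to be stored
# base64-encoded and is decoded before use; the key and values are constructed.
import base64
import hashlib
import hmac

API_KEY_B64 = base64.b64encode(b"\x01" * 20).decode()   # constructed 20-byte key, 28 chars encoded


def canonical_response(params):
    """Fields sorted by name and joined as k=v&k=v; h itself is never signed."""
    return "&".join("%s=%s" % (k, params[k]) for k in sorted(params) if k != "h")


def sign_response(params, api_key_b64):
    """HMAC-SHA1 over the canonical string, base64-encoded, as the server sends it."""
    key = base64.b64decode(api_key_b64)
    mac = hmac.new(key, canonical_response(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_response(params, api_key_b64):
    """Client side: recompute h from the received fields and compare in constant time."""
    expected = sign_response(params, api_key_b64)
    return hmac.compare_digest(expected, params.get("h", ""))


FIELD_ORDER = ("h", "t", "otp", "nonce", "sl", "status")   # order yubiserve.py writes them in


def render_response(params):
    """Serialise as the CRLF-separated body the handler writes."""
    return "".join("%s=%s\r\n" % (k, params[k]) for k in FIELD_ORDER if k in params)


def parse_response(text):
    """Inverse of render_response: split on CRLF and on the first '=' of each line."""
    fields = {}
    for line in text.split("\r\n"):
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k] = v
    return fields


if __name__ == "__main__":
    reply = {"t": "2024-01-01T00:00:00", "otp": "c" * 44, "nonce": "0123456789abcdef",
             "sl": "100", "status": "OK"}
    reply["h"] = sign_response(reply, API_KEY_B64)
    body = render_response(reply)
    print(verify_response(parse_response(body), API_KEY_B64))   # True
    forged = dict(reply, otp="d" * 44)
    print(verify_response(forged, API_KEY_B64))                  # False
```

Because every field except h is covered by the MAC, a client that checks h cannot be fed a different otp, nonce or status than the server signed; a response carrying a wrong h, or none at all, fails verification in the same way.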