#!/usr/bin/php
<?php
/*
	php-function to validate
	Mobile One Time Passwords
	by Ralf Neumann (ralf@njumaen.de)
	based on
	motp.sourceforge.net

	TESTED 7-30-2009  by K9Barry
	Modified to write the otp|time (if valid) 
	to a CSV file and check to insure it is used
	only once.

	Adapted by SyCo/al 2010-02-20 - developer AT sysco DOT ch
	Fixed false denials if real duplicate OTP passwords were generated.
*/

/*******************************
 * Function checkOTP($user,$otp,$initsecret,$pin,$offset = 0)
 * $user       : username
 * $otp        : one-time-password that is to be checked
 * $initsecret : init-secret from token
 * $pin        : user PIN
 * $offset     : time difference between token and server in 10 seconds increments (360 = 1 hour)
 *
 * This function returns 0 if the OTP is accepted, and different error codes otherwise (the same as the shell version)
 */
function checkOTP($user,$otp,$initsecret,$pin,$offset = 0)
{
	// Here is the allowed +/- timeframe in minutes
	$timeframe = 3;

	$maxperiod = $timeframe * 60; // maxperiod in seconds = +/- 3 minutes
	$time=gmdate("U"); // time in seconds

	// Set csv file location and name
	$delimiter = "|"; // CSV file delimiter
	//$used_otp_file = "/your/file/location/used_otp.csv;
	$used_otp_file = "/var/motp/used_otp.csv"; // Must have read/writeprivileges on this file
	// Check to see if OTP has been used before
	$otp_array = file($used_otp_file);
	$otp_used = false;

	// Here we are rewriting the used OTPs which they are still in the allowed timeframe
	@$fp = fopen($used_otp_file,"wb");

	for ($i = 0; $i < count($otp_array); $i++) 
	{ 
		$search = explode($delimiter,$otp_array[$i].$delimiter.$delimiter.$delimiter);
		if ($search[2] > ($time - ($timeframe*60)))
		{
			if(($fp) && (strlen($otp_array[$i]) > 5))
			{
				fwrite($fp,$otp_array[$i]."\n");
			}

			// If the typed OTP has been already used for this user in the allowed timeframe, it's an error.
			if ($user == $search[0])
			{
				if(trim(strtolower($search[1])) == trim(strtolower($otp))) 
				{ 
					$otp_used = true;
				}
			}
		}
	}

	fclose($fp);

	if ($otp_used)
	{
		// print "This OTP has been used before";
		return(5);
	}

	// Now we check if the typed OTP is valid
	for($i = $time + ($offset * 10) - $maxperiod; $i <= $time + ($offset * 10) + $maxperiod; $i++)
	{
		$md5 = substr(md5(substr($i,0,-1).$initsecret.$pin),0,6);
		if($otp == $md5)
		{
			// Write $opt to CSV file
			@$fp = fopen($used_otp_file,"ab");
			if($fp)
			{
				fwrite($fp,$user.$delimiter.$otp.$delimiter.$time."\n"); // Write $user|$otp|$time| to the file
				fclose($fp); // Close the file
			}
			// print "This OTP WORKED!!!";
			return(0);
		}
	}
	// print "OTP was not valid";
	return(1);
}


// Function to generate an OTP based on the init-secret and the PIN
function generateOTP($initsecret,$pin)
{
	return substr(md5(substr(gmdate("U"),0,-1).$initsecret.$pin),0,6);
}

/**************************************************************************************************
 * Here is the main code, only if the otpverify.php file is used as a command-line for FreeRADIUS *
 **************************************************************************************************/

// With two parameters (3 because parameters 0 in the full path of the actual script),
//   we generate a new OTP based on the init-secret and the pin
 if (3 == count($argv))
{
	echo generateOTP($argv[1],$argv[2])."\n";
}
elseif (6 != count($argv))
{
	echo "USAGE: otpverify.php Username OTP Init-Secret PIN Offset\n";
	exit(4);
}
else
{
	$result = (checkOTP($argv[1],$argv[2],$argv[3],$argv[4],$argv[5]));

	if (0 == $result)
	{
		echo "ACCEPT\n";
	}
	else
	{
		echo "FAIL\n";
	}
	exit($result);
}