- $url = 'http://api2.yubico.com/wsapi/2.0/verify' if !defined($url);
-
- my $params = {
- nonce => Digest::HMAC_SHA1::hmac_sha1_hex(time(), rand()),
- id => $api_id,
- otp => uri_escape($otp),
- timestamp => 1,
- };
-
- my ($paramstr, $sig) = yubico_compute_param_sig($params, $api_key);
-
- $paramstr .= "&h=$sig" if $api_key;
-
- my $req = HTTP::Request->new('GET' => "$url?$paramstr");
-
- my $ua = LWP::UserAgent->new(protocols_allowed => ['http'], timeout => 30);
-
- if ($proxy) {
- $ua->proxy(['http'], $proxy);
- } else {
- $ua->env_proxy;
- }
-
- my $response = $ua->request($req);
- my $code = $response->code;
-
- if ($code != 200) {
- my $msg = $response->message || 'unknown';
- die "Invalid response from server: $code $msg\n";
- }
-
- my $raw = $response->decoded_content;
-
- my $result = {};
- foreach my $kvpair (split(/\n/, $raw)) {
- chomp $kvpair;
- if($kvpair =~ /^\S+=/) {
- my ($k, $v) = split(/=/, $kvpair, 2);
- $v =~ s/\s//g;
- $result->{$k} = $v;
- }
- }
-
- my $rsig = $result->{h};
- delete $result->{h};
-
- if ($api_key) {
- my ($datastr, $vsig) = yubico_compute_param_sig($result, $api_key);
- $vsig = uri_unescape($vsig);
- die "yubico: result signature verification failed\n" if $rsig ne $vsig;
- }
-
- die "yubico auth failed: $result->{status}\n" if $result->{status} ne 'OK';
-
- my $publicid = $result->{publicid} = substr(lc($result->{otp}), 0, 12);
-
- my $found;
- foreach my $k (PVE::Tools::split_list($keys)) {
- if ($k eq $publicid) {
- $found = 1;
- last;
- }
- }
-
- die "yubico auth failed: key does not belong to user\n" if !$found;
-
- return $result;