| author | Michael Krelin <hacker@klever.net> | 2007-06-18 22:02:02 (UTC) |
|---|---|---|
| committer | Michael Krelin <hacker@klever.net> | 2007-06-18 22:02:02 (UTC) |
| commit | 9af3fae2d53a34003af405b68923061c01584bc6 (patch) (unidiff) | |
| tree | dd63e5bc3515c47ab074c564c51879b7c9652ab2 | |
| parent | 3b404dd029a2aba05efc2edadcc7f67c59746cf7 (diff) | |
| download | libopkele-9af3fae2d53a34003af405b68923061c01584bc6.zip libopkele-9af3fae2d53a34003af405b68923061c01584bc6.tar.gz libopkele-9af3fae2d53a34003af405b68923061c01584bc6.tar.bz2 | |
reworked zero-padding machinery and added one more instance of zero-padding
| -rw-r--r-- | lib/consumer.cc | 13 | ||||
| -rw-r--r-- | lib/server.cc | 11 | ||||
| -rw-r--r-- | lib/util.cc | 10 |
3 files changed, 20 insertions, 14 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc index 12866f0..282f0cc 100644 --- a/lib/consumer.cc +++ b/lib/consumer.cc | |||
| @@ -96,21 +96,22 @@ namespace opkele { | |||
| 96 | throw bad_input(OPKELE_CP_ "unsupported session_type"); | 96 | throw bad_input(OPKELE_CP_ "unsupported session_type"); |
| 97 | secret_t secret; | 97 | secret_t secret; |
| 98 | if(st.empty()) { | 98 | if(st.empty()) { |
| 99 | secret.from_base64(p.get_param("mac_key")); | 99 | secret.from_base64(p.get_param("mac_key")); |
| 100 | }else{ | 100 | }else{ |
| 101 | util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); | 101 | util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); |
| 102 | vector<unsigned char> ck(DH_size(dh)); | 102 | vector<unsigned char> ck(DH_size(dh)+1); |
| 103 | int cklen = DH_compute_key(&(ck.front()),s_pub,dh); | 103 | unsigned char *ckptr = &(ck.front())+1; |
| 104 | int cklen = DH_compute_key(ckptr,s_pub,dh); | ||
| 104 | if(cklen<0) | 105 | if(cklen<0) |
| 105 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | 106 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); |
| 106 | ck.resize(cklen); | 107 | if(cklen && (*ckptr)&0x80) { |
| 107 | // OpenID algorithm requires extra zero in case of set bit here | 108 | (*(--ckptr)) = 0; ++cklen; |
| 108 | if(ck[0]&0x80) ck.insert(ck.begin(),1,0); | 109 | } |
| 109 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; | 110 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; |
| 110 | SHA1(&(ck.front()),ck.size(),key_sha1); | 111 | SHA1(ckptr,cklen,key_sha1); |
| 111 | secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); | 112 | secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); |
| 112 | } | 113 | } |
| 113 | int expires_in = 0; | 114 | int expires_in = 0; |
| 114 | if(p.has_param("expires_in")) { | 115 | if(p.has_param("expires_in")) { |
| 115 | expires_in = util::string_to_long(p.get_param("expires_in")); | 116 | expires_in = util::string_to_long(p.get_param("expires_in")); |
| 116 | }else if(p.has_param("issued") && p.has_param("expiry")) { | 117 | }else if(p.has_param("issued") && p.has_param("expiry")) { |
diff --git a/lib/server.cc b/lib/server.cc index e81d4b6..8db97be 100644 --- a/lib/server.cc +++ b/lib/server.cc | |||
| @@ -31,20 +31,21 @@ namespace opkele { | |||
| 31 | if(pin.has_param("openid.dh_gen")) | 31 | if(pin.has_param("openid.dh_gen")) |
| 32 | dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); | 32 | dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); |
| 33 | else | 33 | else |
| 34 | dh->g = util::dec_to_bignum(data::_default_g); | 34 | dh->g = util::dec_to_bignum(data::_default_g); |
| 35 | if(!DH_generate_key(dh)) | 35 | if(!DH_generate_key(dh)) |
| 36 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | 36 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); |
| 37 | vector<unsigned char> ck(DH_size(dh)); | 37 | vector<unsigned char> ck(DH_size(dh)+1); |
| 38 | unsigned char *ckptr = &(ck.front())+1; | ||
| 38 | int cklen = DH_compute_key(&(ck.front()),c_pub,dh); | 39 | int cklen = DH_compute_key(&(ck.front()),c_pub,dh); |
| 39 | if(cklen<0) | 40 | if(cklen<0) |
| 40 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | 41 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); |
| 41 | ck.resize(cklen); | 42 | if(cklen && (*ckptr)&0x80) { |
| 42 | // OpenID algorithm requires extra zero in case of set bit here | 43 | (*(--ckptr)) = 0; ++cklen; |
| 43 | if(ck[0]&0x80) ck.insert(ck.begin(),1,0); | 44 | } |
| 44 | SHA1(&(ck.front()),ck.size(),key_sha1); | 45 | SHA1(ckptr,cklen,key_sha1); |
| 45 | st = sess_dh_sha1; | 46 | st = sess_dh_sha1; |
| 46 | } | 47 | } |
| 47 | assoc_t assoc = alloc_assoc(mode_associate); | 48 | assoc_t assoc = alloc_assoc(mode_associate); |
| 48 | time_t now = time(0); | 49 | time_t now = time(0); |
| 49 | pout.clear(); | 50 | pout.clear(); |
| 50 | pout["assoc_type"] = assoc->assoc_type(); | 51 | pout["assoc_type"] = assoc->assoc_type(); |
diff --git a/lib/util.cc b/lib/util.cc index d9abca7..94f6f53 100644 --- a/lib/util.cc +++ b/lib/util.cc | |||
| @@ -83,15 +83,19 @@ namespace opkele { | |||
| 83 | if(!BN_dec2bn(&rv,dec.c_str())) | 83 | if(!BN_dec2bn(&rv,dec.c_str())) |
| 84 | throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); | 84 | throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); |
| 85 | return rv; | 85 | return rv; |
| 86 | } | 86 | } |
| 87 | 87 | ||
| 88 | string bignum_to_base64(const BIGNUM *bn) { | 88 | string bignum_to_base64(const BIGNUM *bn) { |
| 89 | vector<unsigned char> bin(BN_num_bytes(bn)); | 89 | vector<unsigned char> bin(BN_num_bytes(bn)+1); |
| 90 | int l = BN_bn2bin(bn,&(bin.front())); | 90 | unsigned char *binptr = &(bin.front())+1; |
| 91 | return encode_base64(&(bin.front()),l); | 91 | int l = BN_bn2bin(bn,binptr); |
| 92 | if(l && (*binptr)&0x80){ | ||
| 93 | (*(--binptr)) = 0; ++l; | ||
| 94 | } | ||
| 95 | return encode_base64(binptr,l); | ||
| 92 | } | 96 | } |
| 93 | 97 | ||
| 94 | /* | 98 | /* |
| 95 | * w3c times | 99 | * w3c times |
| 96 | */ | 100 | */ |
| 97 | 101 | ||