summaryrefslogtreecommitdiffabout
path: root/lib/server.cc
Unidiff
Diffstat (limited to 'lib/server.cc') (more/less context) (show whitespace changes)
-rw-r--r--lib/server.cc1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/server.cc b/lib/server.cc
index 776f1ae..0dea1eb 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -1,171 +1,172 @@
1#include <cstring> 1#include <cstring>
2#include <vector> 2#include <vector>
3#include <openssl/sha.h> 3#include <openssl/sha.h>
4#include <openssl/hmac.h> 4#include <openssl/hmac.h>
5#include <opkele/util.h> 5#include <opkele/util.h>
6#include <opkele/util-internal.h>
6#include <opkele/exception.h> 7#include <opkele/exception.h>
7#include <opkele/server.h> 8#include <opkele/server.h>
8#include <opkele/data.h> 9#include <opkele/data.h>
9 10
10namespace opkele { 11namespace opkele {
11 using namespace std; 12 using namespace std;
12 13
13 void server_t::associate(const params_t& pin,params_t& pout) { 14 void server_t::associate(const params_t& pin,params_t& pout) {
14 util::dh_t dh; 15 util::dh_t dh;
15 util::bignum_t c_pub; 16 util::bignum_t c_pub;
16 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 17 unsigned char key_sha1[SHA_DIGEST_LENGTH];
17 enum { 18 enum {
18 sess_cleartext, 19 sess_cleartext,
19 sess_dh_sha1 20 sess_dh_sha1
20 } st = sess_cleartext; 21 } st = sess_cleartext;
21 if( 22 if(
22 pin.has_param("openid.session_type") 23 pin.has_param("openid.session_type")
23 && pin.get_param("openid.session_type")=="DH-SHA1" ) { 24 && pin.get_param("openid.session_type")=="DH-SHA1" ) {
24 /* TODO: fallback to cleartext in case of exceptions here? */ 25 /* TODO: fallback to cleartext in case of exceptions here? */
25 if(!(dh = DH_new())) 26 if(!(dh = DH_new()))
26 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 27 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
27 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); 28 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
28 if(pin.has_param("openid.dh_modulus")) 29 if(pin.has_param("openid.dh_modulus"))
29 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); 30 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
30 else 31 else
31 dh->p = util::dec_to_bignum(data::_default_p); 32 dh->p = util::dec_to_bignum(data::_default_p);
32 if(pin.has_param("openid.dh_gen")) 33 if(pin.has_param("openid.dh_gen"))
33 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); 34 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
34 else 35 else
35 dh->g = util::dec_to_bignum(data::_default_g); 36 dh->g = util::dec_to_bignum(data::_default_g);
36 if(!DH_generate_key(dh)) 37 if(!DH_generate_key(dh))
37 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 38 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
38 vector<unsigned char> ck(DH_size(dh)+1); 39 vector<unsigned char> ck(DH_size(dh)+1);
39 unsigned char *ckptr = &(ck.front())+1; 40 unsigned char *ckptr = &(ck.front())+1;
40 int cklen = DH_compute_key(ckptr,c_pub,dh); 41 int cklen = DH_compute_key(ckptr,c_pub,dh);
41 if(cklen<0) 42 if(cklen<0)
42 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 43 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
43 if(cklen && (*ckptr)&0x80) { 44 if(cklen && (*ckptr)&0x80) {
44 (*(--ckptr)) = 0; ++cklen; 45 (*(--ckptr)) = 0; ++cklen;
45 } 46 }
46 SHA1(ckptr,cklen,key_sha1); 47 SHA1(ckptr,cklen,key_sha1);
47 st = sess_dh_sha1; 48 st = sess_dh_sha1;
48 } 49 }
49 assoc_t assoc = alloc_assoc(mode_associate); 50 assoc_t assoc = alloc_assoc(mode_associate);
50 time_t now = time(0); 51 time_t now = time(0);
51 pout.clear(); 52 pout.clear();
52 pout["assoc_type"] = assoc->assoc_type(); 53 pout["assoc_type"] = assoc->assoc_type();
53 pout["assoc_handle"] = assoc->handle(); 54 pout["assoc_handle"] = assoc->handle();
54 /* TODO: eventually remove deprecated stuff */ 55 /* TODO: eventually remove deprecated stuff */
55 pout["issued"] = util::time_to_w3c(now); 56 pout["issued"] = util::time_to_w3c(now);
56 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); 57 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
57 pout["expires_in"] = util::long_to_string(assoc->expires_in()); 58 pout["expires_in"] = util::long_to_string(assoc->expires_in());
58 secret_t secret = assoc->secret(); 59 secret_t secret = assoc->secret();
59 switch(st) { 60 switch(st) {
60 case sess_dh_sha1: 61 case sess_dh_sha1:
61 pout["session_type"] = "DH-SHA1"; 62 pout["session_type"] = "DH-SHA1";
62 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); 63 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
63 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); 64 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
64 break; 65 break;
65 default: 66 default:
66 secret.to_base64(pout["mac_key"]); 67 secret.to_base64(pout["mac_key"]);
67 break; 68 break;
68 } 69 }
69 } 70 }
70 71
71 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 72 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
72 checkid_(mode_checkid_immediate,pin,return_to,pout,ext); 73 checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
73 } 74 }
74 75
75 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 76 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
76 checkid_(mode_checkid_setup,pin,return_to,pout,ext); 77 checkid_(mode_checkid_setup,pin,return_to,pout,ext);
77 } 78 }
78 79
79 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 80 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
80 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) 81 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
81 throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); 82 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
82 pout.clear(); 83 pout.clear();
83 assoc_t assoc; 84 assoc_t assoc;
84 try { 85 try {
85 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 86 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
86 }catch(failed_lookup& fl) { 87 }catch(failed_lookup& fl) {
87 // no handle specified or no valid handle found, going dumb 88 // no handle specified or no valid handle found, going dumb
88 assoc = alloc_assoc(mode_checkid_setup); 89 assoc = alloc_assoc(mode_checkid_setup);
89 if(pin.has_param("openid.assoc_handle")) 90 if(pin.has_param("openid.assoc_handle"))
90 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); 91 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
91 } 92 }
92 string trust_root; 93 string trust_root;
93 try { 94 try {
94 trust_root = pin.get_param("openid.trust_root"); 95 trust_root = pin.get_param("openid.trust_root");
95 }catch(failed_lookup& fl) { } 96 }catch(failed_lookup& fl) { }
96 string identity = pin.get_param("openid.identity"); 97 string identity = pin.get_param("openid.identity");
97 return_to = pin.get_param("openid.return_to"); 98 return_to = pin.get_param("openid.return_to");
98 validate(*assoc,pin,identity,trust_root); 99 validate(*assoc,pin,identity,trust_root);
99 pout["mode"] = "id_res"; 100 pout["mode"] = "id_res";
100 pout["assoc_handle"] = assoc->handle(); 101 pout["assoc_handle"] = assoc->handle();
101 if(pin.has_param("openid.assoc_handle") && assoc->stateless()) 102 if(pin.has_param("openid.assoc_handle") && assoc->stateless())
102 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); 103 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
103 pout["identity"] = identity; 104 pout["identity"] = identity;
104 pout["return_to"] = return_to; 105 pout["return_to"] = return_to;
105 /* TODO: eventually remove deprecated stuff */ 106 /* TODO: eventually remove deprecated stuff */
106 time_t now = time(0); 107 time_t now = time(0);
107 pout["issued"] = util::time_to_w3c(now); 108 pout["issued"] = util::time_to_w3c(now);
108 pout["valid_to"] = util::time_to_w3c(now+120); 109 pout["valid_to"] = util::time_to_w3c(now+120);
109 pout["exipres_in"] = "120"; 110 pout["exipres_in"] = "120";
110 pout["signed"]="mode,identity,return_to"; 111 pout["signed"]="mode,identity,return_to";
111 if(ext) ext->checkid_hook(pin,pout); 112 if(ext) ext->checkid_hook(pin,pout);
112 pout["sig"] = util::base64_signature(assoc,pout); 113 pout["sig"] = util::base64_signature(assoc,pout);
113 } 114 }
114 115
115 void server_t::check_authentication(const params_t& pin,params_t& pout) { 116 void server_t::check_authentication(const params_t& pin,params_t& pout) {
116 vector<unsigned char> sig; 117 vector<unsigned char> sig;
117 const string& sigenc = pin.get_param("openid.sig"); 118 const string& sigenc = pin.get_param("openid.sig");
118 util::decode_base64(sigenc,sig); 119 util::decode_base64(sigenc,sig);
119 assoc_t assoc; 120 assoc_t assoc;
120 try { 121 try {
121 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 122 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
122 }catch(failed_lookup& fl) { 123 }catch(failed_lookup& fl) {
123 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); 124 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
124 } 125 }
125 if(!assoc->stateless()) 126 if(!assoc->stateless())
126 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); 127 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
127 const string& slist = pin.get_param("openid.signed"); 128 const string& slist = pin.get_param("openid.signed");
128 string kv; 129 string kv;
129 string::size_type p =0; 130 string::size_type p =0;
130 while(true) { 131 while(true) {
131 string::size_type co = slist.find(',',p); 132 string::size_type co = slist.find(',',p);
132 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 133 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
133 kv += f; 134 kv += f;
134 kv += ':'; 135 kv += ':';
135 if(f=="mode") 136 if(f=="mode")
136 kv += "id_res"; 137 kv += "id_res";
137 else { 138 else {
138 f.insert(0,"openid."); 139 f.insert(0,"openid.");
139 kv += pin.get_param(f); 140 kv += pin.get_param(f);
140 } 141 }
141 kv += '\n'; 142 kv += '\n';
142 if(co==string::npos) 143 if(co==string::npos)
143 break; 144 break;
144 p = co+1; 145 p = co+1;
145 } 146 }
146 secret_t secret = assoc->secret(); 147 secret_t secret = assoc->secret();
147 unsigned int md_len = 0; 148 unsigned int md_len = 0;
148 unsigned char *md = HMAC( 149 unsigned char *md = HMAC(
149 EVP_sha1(), 150 EVP_sha1(),
150 &(secret.front()),secret.size(), 151 &(secret.front()),secret.size(),
151 (const unsigned char *)kv.data(),kv.length(), 152 (const unsigned char *)kv.data(),kv.length(),
152 0,&md_len); 153 0,&md_len);
153 pout.clear(); 154 pout.clear();
154 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { 155 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
155 pout["is_valid"]="true"; 156 pout["is_valid"]="true";
156 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ 157 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
157 }else{ 158 }else{
158 pout["is_valid"]="false"; 159 pout["is_valid"]="false";
159 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ 160 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
160 } 161 }
161 if(pin.has_param("openid.invalidate_handle")) { 162 if(pin.has_param("openid.invalidate_handle")) {
162 string h = pin.get_param("openid.invalidate_handle"); 163 string h = pin.get_param("openid.invalidate_handle");
163 try { 164 try {
164 assoc_t tmp = retrieve_assoc(h); 165 assoc_t tmp = retrieve_assoc(h);
165 }catch(invalid_handle& ih) { 166 }catch(invalid_handle& ih) {
166 pout["invalidate_handle"] = h; 167 pout["invalidate_handle"] = h;
167 }catch(failed_lookup& fl) { } 168 }catch(failed_lookup& fl) { }
168 } 169 }
169 } 170 }
170 171
171} 172}