| -rw-r--r-- | lib/server.cc | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/lib/server.cc b/lib/server.cc index 8c29abb..e81d4b6 100644 --- a/lib/server.cc +++ b/lib/server.cc | |||
| @@ -1,173 +1,169 @@ | |||
| 1 | #include <vector> | 1 | #include <vector> |
| 2 | #include <openssl/sha.h> | 2 | #include <openssl/sha.h> |
| 3 | #include <openssl/hmac.h> | 3 | #include <openssl/hmac.h> |
| 4 | #include <mimetic/mimetic.h> | ||
| 5 | #include <opkele/util.h> | 4 | #include <opkele/util.h> |
| 6 | #include <opkele/exception.h> | 5 | #include <opkele/exception.h> |
| 7 | #include <opkele/server.h> | 6 | #include <opkele/server.h> |
| 8 | #include <opkele/data.h> | 7 | #include <opkele/data.h> |
| 9 | 8 | ||
| 10 | namespace opkele { | 9 | namespace opkele { |
| 11 | using namespace std; | 10 | using namespace std; |
| 12 | 11 | ||
| 13 | void server_t::associate(const params_t& pin,params_t& pout) { | 12 | void server_t::associate(const params_t& pin,params_t& pout) { |
| 14 | util::dh_t dh; | 13 | util::dh_t dh; |
| 15 | util::bignum_t c_pub; | 14 | util::bignum_t c_pub; |
| 16 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; | 15 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; |
| 17 | enum { | 16 | enum { |
| 18 | sess_cleartext, | 17 | sess_cleartext, |
| 19 | sess_dh_sha1 | 18 | sess_dh_sha1 |
| 20 | } st = sess_cleartext; | 19 | } st = sess_cleartext; |
| 21 | if( | 20 | if( |
| 22 | pin.has_param("openid.session_type") | 21 | pin.has_param("openid.session_type") |
| 23 | && pin.get_param("openid.session_type")=="DH-SHA1" ) { | 22 | && pin.get_param("openid.session_type")=="DH-SHA1" ) { |
| 24 | /* TODO: fallback to cleartext in case of exceptions here? */ | 23 | /* TODO: fallback to cleartext in case of exceptions here? */ |
| 25 | if(!(dh = DH_new())) | 24 | if(!(dh = DH_new())) |
| 26 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); | 25 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); |
| 27 | c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); | 26 | c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); |
| 28 | if(pin.has_param("openid.dh_modulus")) | 27 | if(pin.has_param("openid.dh_modulus")) |
| 29 | dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); | 28 | dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); |
| 30 | else | 29 | else |
| 31 | dh->p = util::dec_to_bignum(data::_default_p); | 30 | dh->p = util::dec_to_bignum(data::_default_p); |
| 32 | if(pin.has_param("openid.dh_gen")) | 31 | if(pin.has_param("openid.dh_gen")) |
| 33 | dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); | 32 | dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); |
| 34 | else | 33 | else |
| 35 | dh->g = util::dec_to_bignum(data::_default_g); | 34 | dh->g = util::dec_to_bignum(data::_default_g); |
| 36 | if(!DH_generate_key(dh)) | 35 | if(!DH_generate_key(dh)) |
| 37 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | 36 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); |
| 38 | vector<unsigned char> ck(DH_size(dh)); | 37 | vector<unsigned char> ck(DH_size(dh)); |
| 39 | int cklen = DH_compute_key(&(ck.front()),c_pub,dh); | 38 | int cklen = DH_compute_key(&(ck.front()),c_pub,dh); |
| 40 | if(cklen<0) | 39 | if(cklen<0) |
| 41 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | 40 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); |
| 42 | ck.resize(cklen); | 41 | ck.resize(cklen); |
| 43 | // OpenID algorithm requires extra zero in case of set bit here | 42 | // OpenID algorithm requires extra zero in case of set bit here |
| 44 | if(ck[0]&0x80) ck.insert(ck.begin(),1,0); | 43 | if(ck[0]&0x80) ck.insert(ck.begin(),1,0); |
| 45 | SHA1(&(ck.front()),ck.size(),key_sha1); | 44 | SHA1(&(ck.front()),ck.size(),key_sha1); |
| 46 | st = sess_dh_sha1; | 45 | st = sess_dh_sha1; |
| 47 | } | 46 | } |
| 48 | assoc_t assoc = alloc_assoc(mode_associate); | 47 | assoc_t assoc = alloc_assoc(mode_associate); |
| 49 | time_t now = time(0); | 48 | time_t now = time(0); |
| 50 | pout.clear(); | 49 | pout.clear(); |
| 51 | pout["assoc_type"] = assoc->assoc_type(); | 50 | pout["assoc_type"] = assoc->assoc_type(); |
| 52 | pout["assoc_handle"] = assoc->handle(); | 51 | pout["assoc_handle"] = assoc->handle(); |
| 53 | /* TODO: eventually remove deprecated stuff */ | 52 | /* TODO: eventually remove deprecated stuff */ |
| 54 | pout["issued"] = util::time_to_w3c(now); | 53 | pout["issued"] = util::time_to_w3c(now); |
| 55 | pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); | 54 | pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); |
| 56 | pout["expires_in"] = util::long_to_string(assoc->expires_in()); | 55 | pout["expires_in"] = util::long_to_string(assoc->expires_in()); |
| 57 | secret_t secret = assoc->secret(); | 56 | secret_t secret = assoc->secret(); |
| 58 | switch(st) { | 57 | switch(st) { |
| 59 | case sess_dh_sha1: | 58 | case sess_dh_sha1: |
| 60 | pout["session_type"] = "DH-SHA1"; | 59 | pout["session_type"] = "DH-SHA1"; |
| 61 | pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); | 60 | pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); |
| 62 | secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); | 61 | secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); |
| 63 | break; | 62 | break; |
| 64 | default: | 63 | default: |
| 65 | secret.to_base64(pout["mac_key"]); | 64 | secret.to_base64(pout["mac_key"]); |
| 66 | break; | 65 | break; |
| 67 | } | 66 | } |
| 68 | } | 67 | } |
| 69 | 68 | ||
| 70 | void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | 69 | void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { |
| 71 | checkid_(mode_checkid_immediate,pin,return_to,pout,ext); | 70 | checkid_(mode_checkid_immediate,pin,return_to,pout,ext); |
| 72 | } | 71 | } |
| 73 | 72 | ||
| 74 | void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | 73 | void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { |
| 75 | checkid_(mode_checkid_setup,pin,return_to,pout,ext); | 74 | checkid_(mode_checkid_setup,pin,return_to,pout,ext); |
| 76 | } | 75 | } |
| 77 | 76 | ||
| 78 | void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | 77 | void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { |
| 79 | if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) | 78 | if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) |
| 80 | throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); | 79 | throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); |
| 81 | pout.clear(); | 80 | pout.clear(); |
| 82 | assoc_t assoc; | 81 | assoc_t assoc; |
| 83 | try { | 82 | try { |
| 84 | assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); | 83 | assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); |
| 85 | }catch(failed_lookup& fl) { | 84 | }catch(failed_lookup& fl) { |
| 86 | // no handle specified or no valid handle found, going dumb | 85 | // no handle specified or no valid handle found, going dumb |
| 87 | assoc = alloc_assoc(mode_checkid_setup); | 86 | assoc = alloc_assoc(mode_checkid_setup); |
| 88 | if(pin.has_param("openid.assoc_handle")) | 87 | if(pin.has_param("openid.assoc_handle")) |
| 89 | pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); | 88 | pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); |
| 90 | } | 89 | } |
| 91 | string trust_root; | 90 | string trust_root; |
| 92 | try { | 91 | try { |
| 93 | trust_root = pin.get_param("openid.trust_root"); | 92 | trust_root = pin.get_param("openid.trust_root"); |
| 94 | }catch(failed_lookup& fl) { } | 93 | }catch(failed_lookup& fl) { } |
| 95 | string identity = pin.get_param("openid.identity"); | 94 | string identity = pin.get_param("openid.identity"); |
| 96 | return_to = pin.get_param("openid.return_to"); | 95 | return_to = pin.get_param("openid.return_to"); |
| 97 | validate(*assoc,pin,identity,trust_root); | 96 | validate(*assoc,pin,identity,trust_root); |
| 98 | pout["mode"] = "id_res"; | 97 | pout["mode"] = "id_res"; |
| 99 | pout["assoc_handle"] = assoc->handle(); | 98 | pout["assoc_handle"] = assoc->handle(); |
| 100 | if(pin.has_param("openid.assoc_handle") && assoc->stateless()) | 99 | if(pin.has_param("openid.assoc_handle") && assoc->stateless()) |
| 101 | pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); | 100 | pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); |
| 102 | pout["identity"] = identity; | 101 | pout["identity"] = identity; |
| 103 | pout["return_to"] = return_to; | 102 | pout["return_to"] = return_to; |
| 104 | /* TODO: eventually remove deprecated stuff */ | 103 | /* TODO: eventually remove deprecated stuff */ |
| 105 | time_t now = time(0); | 104 | time_t now = time(0); |
| 106 | pout["issued"] = util::time_to_w3c(now); | 105 | pout["issued"] = util::time_to_w3c(now); |
| 107 | pout["valid_to"] = util::time_to_w3c(now+120); | 106 | pout["valid_to"] = util::time_to_w3c(now+120); |
| 108 | pout["exipres_in"] = "120"; | 107 | pout["exipres_in"] = "120"; |
| 109 | pout["signed"]="mode,identity,return_to"; | 108 | pout["signed"]="mode,identity,return_to"; |
| 110 | if(ext) ext->checkid_hook(pin,pout); | 109 | if(ext) ext->checkid_hook(pin,pout); |
| 111 | pout.sign(assoc->secret(),pout["sig"],pout["signed"]); | 110 | pout.sign(assoc->secret(),pout["sig"],pout["signed"]); |
| 112 | } | 111 | } |
| 113 | 112 | ||
| 114 | void server_t::check_authentication(const params_t& pin,params_t& pout) { | 113 | void server_t::check_authentication(const params_t& pin,params_t& pout) { |
| 115 | vector<unsigned char> sig; | 114 | vector<unsigned char> sig; |
| 116 | mimetic::Base64::Decoder b; | ||
| 117 | const string& sigenc = pin.get_param("openid.sig"); | 115 | const string& sigenc = pin.get_param("openid.sig"); |
| 118 | mimetic::decode( | 116 | util::decode_base64(sigenc,sig); |
| 119 | sigenc.begin(),sigenc.end(), b, | ||
| 120 | back_insert_iterator<vector<unsigned char> >(sig)); | ||
| 121 | assoc_t assoc; | 117 | assoc_t assoc; |
| 122 | try { | 118 | try { |
| 123 | assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); | 119 | assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); |
| 124 | }catch(failed_lookup& fl) { | 120 | }catch(failed_lookup& fl) { |
| 125 | throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); | 121 | throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); |
| 126 | } | 122 | } |
| 127 | if(!assoc->stateless()) | 123 | if(!assoc->stateless()) |
| 128 | throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); | 124 | throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); |
| 129 | const string& slist = pin.get_param("openid.signed"); | 125 | const string& slist = pin.get_param("openid.signed"); |
| 130 | string kv; | 126 | string kv; |
| 131 | string::size_type p =0; | 127 | string::size_type p =0; |
| 132 | while(true) { | 128 | while(true) { |
| 133 | string::size_type co = slist.find(',',p); | 129 | string::size_type co = slist.find(',',p); |
| 134 | string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); | 130 | string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); |
| 135 | kv += f; | 131 | kv += f; |
| 136 | kv += ':'; | 132 | kv += ':'; |
| 137 | if(f=="mode") | 133 | if(f=="mode") |
| 138 | kv += "id_res"; | 134 | kv += "id_res"; |
| 139 | else { | 135 | else { |
| 140 | f.insert(0,"openid."); | 136 | f.insert(0,"openid."); |
| 141 | kv += pin.get_param(f); | 137 | kv += pin.get_param(f); |
| 142 | } | 138 | } |
| 143 | kv += '\n'; | 139 | kv += '\n'; |
| 144 | if(co==string::npos) | 140 | if(co==string::npos) |
| 145 | break; | 141 | break; |
| 146 | p = co+1; | 142 | p = co+1; |
| 147 | } | 143 | } |
| 148 | secret_t secret = assoc->secret(); | 144 | secret_t secret = assoc->secret(); |
| 149 | unsigned int md_len = 0; | 145 | unsigned int md_len = 0; |
| 150 | unsigned char *md = HMAC( | 146 | unsigned char *md = HMAC( |
| 151 | EVP_sha1(), | 147 | EVP_sha1(), |
| 152 | &(secret.front()),secret.size(), | 148 | &(secret.front()),secret.size(), |
| 153 | (const unsigned char *)kv.data(),kv.length(), | 149 | (const unsigned char *)kv.data(),kv.length(), |
| 154 | 0,&md_len); | 150 | 0,&md_len); |
| 155 | pout.clear(); | 151 | pout.clear(); |
| 156 | if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { | 152 | if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { |
| 157 | pout["is_valid"]="true"; | 153 | pout["is_valid"]="true"; |
| 158 | pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ | 154 | pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ |
| 159 | }else{ | 155 | }else{ |
| 160 | pout["is_valid"]="false"; | 156 | pout["is_valid"]="false"; |
| 161 | pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ | 157 | pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ |
| 162 | } | 158 | } |
| 163 | if(pin.has_param("openid.invalidate_handle")) { | 159 | if(pin.has_param("openid.invalidate_handle")) { |
| 164 | string h = pin.get_param("openid.invalidate_handle"); | 160 | string h = pin.get_param("openid.invalidate_handle"); |
| 165 | try { | 161 | try { |
| 166 | assoc_t assoc = retrieve_assoc(h); | 162 | assoc_t assoc = retrieve_assoc(h); |
| 167 | }catch(invalid_handle& ih) { | 163 | }catch(invalid_handle& ih) { |
| 168 | pout["invalidate_handle"] = h; | 164 | pout["invalidate_handle"] = h; |
| 169 | }catch(failed_lookup& fl) { } | 165 | }catch(failed_lookup& fl) { } |
| 170 | } | 166 | } |
| 171 | } | 167 | } |
| 172 | 168 | ||
| 173 | } | 169 | } |