summaryrefslogtreecommitdiffabout
path: root/lib/server.cc
Unidiff
Diffstat (limited to 'lib/server.cc') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/server.cc169
1 files changed, 169 insertions, 0 deletions
diff --git a/lib/server.cc b/lib/server.cc
new file mode 100644
index 0000000..51d4554
--- a/dev/null
+++ b/lib/server.cc
@@ -0,0 +1,169 @@
1#include <vector>
2#include <openssl/sha.h>
3#include <openssl/hmac.h>
4#include <mimetic/mimetic.h>
5#include <opkele/util.h>
6#include <opkele/exception.h>
7#include <opkele/server.h>
8#include <opkele/data.h>
9
10namespace opkele {
11 using namespace std;
12
13 void server_t::associate(const params_t& pin,params_t& pout) {
14 util::dh_t dh;
15 util::bignum_t c_pub;
16 unsigned char key_sha1[SHA_DIGEST_LENGTH];
17 enum {
18 sess_cleartext,
19 sess_dh_sha1
20 } st = sess_cleartext;
21 if(
22 pin.has_param("openid.session_type")
23 && pin.get_param("openid.session_type")=="DH-SHA1" ) {
24 /* TODO: fallback to cleartext in case of exceptions here? */
25 if(!(dh = DH_new()))
26 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
27 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
28 if(pin.has_param("openid.dh_modulus"))
29 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
30 else
31 dh->p = util::dec_to_bignum(data::_default_p);
32 if(pin.has_param("openid.dh_gen"))
33 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
34 else
35 dh->g = util::dec_to_bignum(data::_default_g);
36 if(!DH_generate_key(dh))
37 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
38 vector<unsigned char> ck(DH_size(dh));
39 int cklen = DH_compute_key(&(ck.front()),c_pub,dh);
40 if(cklen<0)
41 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
42 ck.resize(cklen);
43 // OpenID algorithm requires extra zero in case of set bit here
44 if(ck[0]&0x80) ck.insert(ck.begin(),1,0);
45 SHA1(&(ck.front()),ck.size(),key_sha1);
46 st = sess_dh_sha1;
47 }
48 assoc_t assoc = alloc_assoc(mode_associate);
49 time_t now = time(0);
50 pout.clear();
51 pout["assoc_type"] = assoc->assoc_type();
52 pout["assoc_handle"] = assoc->handle();
53 /* TODO: eventually remove deprecated stuff */
54 pout["issued"] = util::time_to_w3c(now);
55 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
56 pout["expires_in"] = util::long_to_string(assoc->expires_in());
57 secret_t secret = assoc->secret();
58 switch(st) {
59 case sess_dh_sha1:
60 pout["session_type"] = "DH-SHA1";
61 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
62 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
63 break;
64 default:
65 secret.to_base64(pout["mac_key"]);
66 break;
67 }
68 }
69
70 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout) {
71 checkid_(mode_checkid_immediate,pin,return_to,pout);
72 }
73
74 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout) {
75 checkid_(mode_checkid_setup,pin,return_to,pout);
76 }
77
78 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout) {
79 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
80 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
81 assoc_t assoc;
82 try {
83 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
84 }catch(failed_lookup& fl) {
85 // no handle specified or no valid handle found, going dumb
86 assoc = alloc_assoc(mode_checkid_setup);
87 }
88 string trust_root;
89 try {
90 trust_root = pin.get_param("openid.trust_root");
91 }catch(failed_lookup& fl) { }
92 string identity = pin.get_param("openid.identity");
93 return_to = pin.get_param("openid.return_to");
94 validate(*assoc,pin,identity,trust_root);
95 pout.clear();
96 pout["mode"] = "id_res";
97 pout["assoc_handle"] = assoc->handle();
98 if(pin.has_param("openid.assoc_handle") && assoc->stateless())
99 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
100 pout["identity"] = identity;
101 pout["return_to"] = return_to;
102 /* TODO: eventually remove deprecated stuff */
103 time_t now = time(0);
104 pout["issued"] = util::time_to_w3c(now);
105 pout["valid_to"] = util::time_to_w3c(now+120);
106 pout["exipres_in"] = "120";
107 pout.sign(assoc->secret(),pout["sig"],pout["signed"]="mode,identity,return_to");
108 }
109
110 void server_t::check_authentication(const params_t& pin,params_t& pout) {
111 vector<unsigned char> sig;
112 mimetic::Base64::Decoder b;
113 const string& sigenc = pin.get_param("openid.sig");
114 mimetic::decode(
115 sigenc.begin(),sigenc.end(), b,
116 back_insert_iterator<vector<unsigned char> >(sig));
117 assoc_t assoc;
118 try {
119 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
120 }catch(failed_lookup& fl) {
121 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
122 }
123 if(!assoc->stateless())
124 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
125 const string& slist = pin.get_param("openid.signed");
126 string kv;
127 string::size_type p =0;
128 while(true) {
129 string::size_type co = slist.find(',',p);
130 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
131 kv += f;
132 kv += ':';
133 if(f=="mode")
134 kv += "id_res";
135 else {
136 f.insert(0,"openid.");
137 kv += pin.get_param(f);
138 }
139 kv += '\n';
140 if(co==string::npos)
141 break;
142 p = co+1;
143 }
144 secret_t secret = assoc->secret();
145 unsigned int md_len = 0;
146 unsigned char *md = HMAC(
147 EVP_sha1(),
148 &(secret.front()),secret.size(),
149 (const unsigned char *)kv.data(),kv.length(),
150 0,&md_len);
151 pout.clear();
152 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
153 pout["is_valid"]="true";
154 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
155 }else{
156 pout["is_valid"]="false";
157 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
158 }
159 if(pin.has_param("openid.invalidate_handle")) {
160 string h = pin.get_param("openid.invalidate_handle");
161 try {
162 assoc_t assoc = retrieve_assoc(h);
163 }catch(invalid_handle& ih) {
164 pout["invalidate_handle"] = h;
165 }catch(failed_lookup& fl) { }
166 }
167 }
168
169}