1 files changed, 169 insertions, 0 deletions
diff --git a/lib/server.cc b/lib/server.cc
new file mode 100644
index 0000000..51d4554
--- a/dev/null
+++ b/lib/server.cc
@@ -0,0 +1,169 @@
+#include <vector>
+#include <openssl/sha.h>
+#include <openssl/hmac.h>
+#include <mimetic/mimetic.h>
+#include <opkele/util.h>
+#include <opkele/exception.h>
+#include <opkele/server.h>
+#include <opkele/data.h>
+namespace opkele {
+    using namespace std;
+    void server_t::associate(const params_t& pin,params_t& pout) {
+        util::dh_t dh;
+        util::bignum_t c_pub;
+        unsigned char key_sha1[SHA_DIGEST_LENGTH];
+        enum {
+            sess_cleartext,
+            sess_dh_sha1
+        } st = sess_cleartext;
+        if(
+                pin.has_param("openid.session_type")
+                && pin.get_param("openid.session_type")=="DH-SHA1" ) {
+            /* TODO: fallback to cleartext in case of exceptions here? */
+            if(!(dh = DH_new()))
+                throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
+            c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
+            if(pin.has_param("openid.dh_modulus"))
+                dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
+            else
+                dh->p = util::dec_to_bignum(data::_default_p);
+            if(pin.has_param("openid.dh_gen"))
+                dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
+            else
+                dh->g = util::dec_to_bignum(data::_default_g);
+            if(!DH_generate_key(dh))
+                throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
+            vector<unsigned char> ck(DH_size(dh));
+            int cklen = DH_compute_key(&(ck.front()),c_pub,dh);
+            if(cklen<0)
+                throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
+            ck.resize(cklen);
+            // OpenID algorithm requires extra zero in case of set bit here
+            if(ck[0]&0x80) ck.insert(ck.begin(),1,0);
+            SHA1(&(ck.front()),ck.size(),key_sha1);
+            st = sess_dh_sha1;
+        }
+        assoc_t assoc = alloc_assoc(mode_associate);
+        time_t now = time(0);
+        pout.clear();
+        pout["assoc_type"] = assoc->assoc_type();
+        pout["assoc_handle"] = assoc->handle();
+        /* TODO: eventually remove deprecated stuff */
+        pout["issued"] = util::time_to_w3c(now);
+        pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
+        pout["expires_in"] = util::long_to_string(assoc->expires_in());
+        secret_t secret = assoc->secret();
+        switch(st) {
+            case sess_dh_sha1:
+                pout["session_type"] = "DH-SHA1";
+                pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
+                secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
+                break;
+            default:
+                secret.to_base64(pout["mac_key"]);
+                break;
+        }
+    }
+    void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout) {
+        checkid_(mode_checkid_immediate,pin,return_to,pout);
+    }
+    void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout) {
+        checkid_(mode_checkid_setup,pin,return_to,pout);
+    }
+    void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout) {
+        if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
+            throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
+        assoc_t assoc;
+        try {
+            assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
+        }catch(failed_lookup& fl) {
+            // no handle specified or no valid handle found, going dumb
+            assoc = alloc_assoc(mode_checkid_setup);
+        }
+        string trust_root;
+        try {
+            trust_root = pin.get_param("openid.trust_root");
+        }catch(failed_lookup& fl) { }
+        string identity = pin.get_param("openid.identity");
+        return_to = pin.get_param("openid.return_to");
+        validate(*assoc,pin,identity,trust_root);
+        pout.clear();
+        pout["mode"] = "id_res";
+        pout["assoc_handle"] = assoc->handle();
+        if(pin.has_param("openid.assoc_handle") && assoc->stateless())
+            pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
+        pout["identity"] = identity;
+        pout["return_to"] = return_to;
+        /* TODO: eventually remove deprecated stuff */
+        time_t now = time(0);
+        pout["issued"] = util::time_to_w3c(now);
+        pout["valid_to"] = util::time_to_w3c(now+120);
+        pout["exipres_in"] = "120";
+        pout.sign(assoc->secret(),pout["sig"],pout["signed"]="mode,identity,return_to");
+    }
+    void server_t::check_authentication(const params_t& pin,params_t& pout) {
+        vector<unsigned char>  sig;
+        mimetic::Base64::Decoder b;
+        const string& sigenc = pin.get_param("openid.sig");
+        mimetic::decode(
+                sigenc.begin(),sigenc.end(), b,
+                back_insert_iterator<vector<unsigned char> >(sig));
+        assoc_t assoc;
+        try {
+            assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
+        }catch(failed_lookup& fl) {
+            throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
+        }
+        if(!assoc->stateless())
+            throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
+        const string& slist = pin.get_param("openid.signed");
+        string kv;
+        string::size_type p =0;
+        while(true) {
+            string::size_type co = slist.find(',',p);
+            string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
+            kv += f;
+            kv += ':';
+            if(f=="mode")
+                kv += "id_res";
+            else {
+                f.insert(0,"openid.");
+                kv += pin.get_param(f);
+            }
+            kv += '\n';
+            if(co==string::npos)
+                break;
+            p = co+1;
+        }
+        secret_t secret = assoc->secret();
+        unsigned int md_len = 0;
+        unsigned char *md = HMAC(
+                EVP_sha1(),
+                &(secret.front()),secret.size(),
+                (const unsigned char *)kv.data(),kv.length(),
+                0,&md_len);
+        pout.clear();
+        if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
+            pout["is_valid"]="true";
+            pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
+        }else{
+            pout["is_valid"]="false";
+            pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
+        }
+        if(pin.has_param("openid.invalidate_handle")) {
+            string h = pin.get_param("openid.invalidate_handle");
+            try {
+                assoc_t assoc = retrieve_assoc(h);
+            }catch(invalid_handle& ih) {
+                pout["invalidate_handle"] = h;
+            }catch(failed_lookup& fl) { }
+        }
+    }
+}

diff --git a/lib/server.cc b/lib/server.cc new file mode 100644 index 0000000..51d4554 --- a/dev/null +++ b/lib/server.cc
@@ -0,0 +1,169 @@
	1	#include <vector>
	2	#include <openssl/sha.h>
	3	#include <openssl/hmac.h>
	4	#include <mimetic/mimetic.h>
	5	#include <opkele/util.h>
	6	#include <opkele/exception.h>
	7	#include <opkele/server.h>
	8	#include <opkele/data.h>
	9
	10	namespace opkele {
	11	using namespace std;
	12
	13	void server_t::associate(const params_t& pin,params_t& pout) {
	14	util::dh_t dh;
	15	util::bignum_t c_pub;
	16	unsigned char key_sha1[SHA_DIGEST_LENGTH];
	17	enum {
	18	sess_cleartext,
	19	sess_dh_sha1
	20	} st = sess_cleartext;
	21	if(
	22	pin.has_param("openid.session_type")
	23	&& pin.get_param("openid.session_type")=="DH-SHA1" ) {
	24	/* TODO: fallback to cleartext in case of exceptions here? */
	25	if(!(dh = DH_new()))
	26	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
	27	c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
	28	if(pin.has_param("openid.dh_modulus"))
	29	dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
	30	else
	31	dh->p = util::dec_to_bignum(data::_default_p);
	32	if(pin.has_param("openid.dh_gen"))
	33	dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
	34	else
	35	dh->g = util::dec_to_bignum(data::_default_g);
	36	if(!DH_generate_key(dh))
	37	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
	38	vector<unsigned char> ck(DH_size(dh));
	39	int cklen = DH_compute_key(&(ck.front()),c_pub,dh);
	40	if(cklen<0)
	41	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
	42	ck.resize(cklen);
	43	// OpenID algorithm requires extra zero in case of set bit here
	44	if(ck[0]&0x80) ck.insert(ck.begin(),1,0);
	45	SHA1(&(ck.front()),ck.size(),key_sha1);
	46	st = sess_dh_sha1;
	47	}
	48	assoc_t assoc = alloc_assoc(mode_associate);
	49	time_t now = time(0);
	50	pout.clear();
	51	pout["assoc_type"] = assoc->assoc_type();
	52	pout["assoc_handle"] = assoc->handle();
	53	/* TODO: eventually remove deprecated stuff */
	54	pout["issued"] = util::time_to_w3c(now);
	55	pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
	56	pout["expires_in"] = util::long_to_string(assoc->expires_in());
	57	secret_t secret = assoc->secret();
	58	switch(st) {
	59	case sess_dh_sha1:
	60	pout["session_type"] = "DH-SHA1";
	61	pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
	62	secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
	63	break;
	64	default:
	65	secret.to_base64(pout["mac_key"]);
	66	break;
	67	}
	68	}
	69
	70	void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout) {
	71	checkid_(mode_checkid_immediate,pin,return_to,pout);
	72	}
	73
	74	void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout) {
	75	checkid_(mode_checkid_setup,pin,return_to,pout);
	76	}
	77
	78	void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout) {
	79	if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
	80	throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
	81	assoc_t assoc;
	82	try {
	83	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
	84	}catch(failed_lookup& fl) {
	85	// no handle specified or no valid handle found, going dumb
	86	assoc = alloc_assoc(mode_checkid_setup);
	87	}
	88	string trust_root;
	89	try {
	90	trust_root = pin.get_param("openid.trust_root");
	91	}catch(failed_lookup& fl) { }
	92	string identity = pin.get_param("openid.identity");
	93	return_to = pin.get_param("openid.return_to");
	94	validate(*assoc,pin,identity,trust_root);
	95	pout.clear();
	96	pout["mode"] = "id_res";
	97	pout["assoc_handle"] = assoc->handle();
	98	if(pin.has_param("openid.assoc_handle") && assoc->stateless())
	99	pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
	100	pout["identity"] = identity;
	101	pout["return_to"] = return_to;
	102	/* TODO: eventually remove deprecated stuff */
	103	time_t now = time(0);
	104	pout["issued"] = util::time_to_w3c(now);
	105	pout["valid_to"] = util::time_to_w3c(now+120);
	106	pout["exipres_in"] = "120";
	107	pout.sign(assoc->secret(),pout["sig"],pout["signed"]="mode,identity,return_to");
	108	}
	109
	110	void server_t::check_authentication(const params_t& pin,params_t& pout) {
	111	vector<unsigned char> sig;
	112	mimetic::Base64::Decoder b;
	113	const string& sigenc = pin.get_param("openid.sig");
	114	mimetic::decode(
	115	sigenc.begin(),sigenc.end(), b,
	116	back_insert_iterator<vector<unsigned char> >(sig));
	117	assoc_t assoc;
	118	try {
	119	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
	120	}catch(failed_lookup& fl) {
	121	throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
	122	}
	123	if(!assoc->stateless())
	124	throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
	125	const string& slist = pin.get_param("openid.signed");
	126	string kv;
	127	string::size_type p =0;
	128	while(true) {
	129	string::size_type co = slist.find(',',p);
	130	string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
	131	kv += f;
	132	kv += ':';
	133	if(f=="mode")
	134	kv += "id_res";
	135	else {
	136	f.insert(0,"openid.");
	137	kv += pin.get_param(f);
	138	}
	139	kv += '\n';
	140	if(co==string::npos)
	141	break;
	142	p = co+1;
	143	}
	144	secret_t secret = assoc->secret();
	145	unsigned int md_len = 0;
	146	unsigned char *md = HMAC(
	147	EVP_sha1(),
	148	&(secret.front()),secret.size(),
	149	(const unsigned char *)kv.data(),kv.length(),
	150	0,&md_len);
	151	pout.clear();
	152	if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
	153	pout["is_valid"]="true";
	154	pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
	155	}else{
	156	pout["is_valid"]="false";
	157	pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
	158	}
	159	if(pin.has_param("openid.invalidate_handle")) {
	160	string h = pin.get_param("openid.invalidate_handle");
	161	try {
	162	assoc_t assoc = retrieve_assoc(h);
	163	}catch(invalid_handle& ih) {
	164	pout["invalidate_handle"] = h;
	165	}catch(failed_lookup& fl) { }
	166	}
	167	}
	168
	169	}