summaryrefslogtreecommitdiffabout
path: root/lib
Unidiff
Diffstat (limited to 'lib') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/consumer.cc13
-rw-r--r--lib/server.cc11
-rw-r--r--lib/util.cc10
3 files changed, 20 insertions, 14 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc
index 12866f0..282f0cc 100644
--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -78,57 +78,58 @@ namespace opkele {
78 (r=curl_misc_sets(curl)) 78 (r=curl_misc_sets(curl))
79 || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) 79 || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str()))
80 || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) 80 || (r=curl_easy_setopt(curl,CURLOPT_POST,1))
81 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) 81 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data()))
82 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length())) 82 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length()))
83 || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) 83 || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring))
84 || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response)) 84 || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response))
85 ; 85 ;
86 if(r) 86 if(r)
87 throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); 87 throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r);
88 if(r=curl_easy_perform(curl)) 88 if(r=curl_easy_perform(curl))
89 throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); 89 throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r);
90 params_t p; p.parse_keyvalues(response); 90 params_t p; p.parse_keyvalues(response);
91 if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1") 91 if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1")
92 throw bad_input(OPKELE_CP_ "unsupported assoc_type"); 92 throw bad_input(OPKELE_CP_ "unsupported assoc_type");
93 string st; 93 string st;
94 if(p.has_param("session_type")) st = p.get_param("session_type"); 94 if(p.has_param("session_type")) st = p.get_param("session_type");
95 if((!st.empty()) && st!="DH-SHA1") 95 if((!st.empty()) && st!="DH-SHA1")
96 throw bad_input(OPKELE_CP_ "unsupported session_type"); 96 throw bad_input(OPKELE_CP_ "unsupported session_type");
97 secret_t secret; 97 secret_t secret;
98 if(st.empty()) { 98 if(st.empty()) {
99 secret.from_base64(p.get_param("mac_key")); 99 secret.from_base64(p.get_param("mac_key"));
100 }else{ 100 }else{
101 util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); 101 util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public"));
102 vector<unsigned char> ck(DH_size(dh)); 102 vector<unsigned char> ck(DH_size(dh)+1);
103 int cklen = DH_compute_key(&(ck.front()),s_pub,dh); 103 unsigned char *ckptr = &(ck.front())+1;
104 int cklen = DH_compute_key(ckptr,s_pub,dh);
104 if(cklen<0) 105 if(cklen<0)
105 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 106 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
106 ck.resize(cklen); 107 if(cklen && (*ckptr)&0x80) {
107 // OpenID algorithm requires extra zero in case of set bit here 108 (*(--ckptr)) = 0; ++cklen;
108 if(ck[0]&0x80) ck.insert(ck.begin(),1,0); 109 }
109 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 110 unsigned char key_sha1[SHA_DIGEST_LENGTH];
110 SHA1(&(ck.front()),ck.size(),key_sha1); 111 SHA1(ckptr,cklen,key_sha1);
111 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); 112 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key"));
112 } 113 }
113 int expires_in = 0; 114 int expires_in = 0;
114 if(p.has_param("expires_in")) { 115 if(p.has_param("expires_in")) {
115 expires_in = util::string_to_long(p.get_param("expires_in")); 116 expires_in = util::string_to_long(p.get_param("expires_in"));
116 }else if(p.has_param("issued") && p.has_param("expiry")) { 117 }else if(p.has_param("issued") && p.has_param("expiry")) {
117 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued")); 118 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));
118 }else 119 }else
119 throw bad_input(OPKELE_CP_ "no expiration information"); 120 throw bad_input(OPKELE_CP_ "no expiration information");
120 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); 121 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);
121 } 122 }
122 123
123 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 124 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
124 return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); 125 return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext);
125 } 126 }
126 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 127 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
127 return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); 128 return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext);
128 } 129 }
129 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 130 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
130 params_t p; 131 params_t p;
131 if(mode==mode_checkid_immediate) 132 if(mode==mode_checkid_immediate)
132 p["mode"]="checkid_immediate"; 133 p["mode"]="checkid_immediate";
133 else if(mode==mode_checkid_setup) 134 else if(mode==mode_checkid_setup)
134 p["mode"]="checkid_setup"; 135 p["mode"]="checkid_setup";
diff --git a/lib/server.cc b/lib/server.cc
index e81d4b6..8db97be 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -13,56 +13,57 @@ namespace opkele {
13 util::dh_t dh; 13 util::dh_t dh;
14 util::bignum_t c_pub; 14 util::bignum_t c_pub;
15 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 15 unsigned char key_sha1[SHA_DIGEST_LENGTH];
16 enum { 16 enum {
17 sess_cleartext, 17 sess_cleartext,
18 sess_dh_sha1 18 sess_dh_sha1
19 } st = sess_cleartext; 19 } st = sess_cleartext;
20 if( 20 if(
21 pin.has_param("openid.session_type") 21 pin.has_param("openid.session_type")
22 && pin.get_param("openid.session_type")=="DH-SHA1" ) { 22 && pin.get_param("openid.session_type")=="DH-SHA1" ) {
23 /* TODO: fallback to cleartext in case of exceptions here? */ 23 /* TODO: fallback to cleartext in case of exceptions here? */
24 if(!(dh = DH_new())) 24 if(!(dh = DH_new()))
25 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 25 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
26 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); 26 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
27 if(pin.has_param("openid.dh_modulus")) 27 if(pin.has_param("openid.dh_modulus"))
28 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); 28 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
29 else 29 else
30 dh->p = util::dec_to_bignum(data::_default_p); 30 dh->p = util::dec_to_bignum(data::_default_p);
31 if(pin.has_param("openid.dh_gen")) 31 if(pin.has_param("openid.dh_gen"))
32 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); 32 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
33 else 33 else
34 dh->g = util::dec_to_bignum(data::_default_g); 34 dh->g = util::dec_to_bignum(data::_default_g);
35 if(!DH_generate_key(dh)) 35 if(!DH_generate_key(dh))
36 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 36 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
37 vector<unsigned char> ck(DH_size(dh)); 37 vector<unsigned char> ck(DH_size(dh)+1);
38 unsigned char *ckptr = &(ck.front())+1;
38 int cklen = DH_compute_key(&(ck.front()),c_pub,dh); 39 int cklen = DH_compute_key(&(ck.front()),c_pub,dh);
39 if(cklen<0) 40 if(cklen<0)
40 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 41 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
41 ck.resize(cklen); 42 if(cklen && (*ckptr)&0x80) {
42 // OpenID algorithm requires extra zero in case of set bit here 43 (*(--ckptr)) = 0; ++cklen;
43 if(ck[0]&0x80) ck.insert(ck.begin(),1,0); 44 }
44 SHA1(&(ck.front()),ck.size(),key_sha1); 45 SHA1(ckptr,cklen,key_sha1);
45 st = sess_dh_sha1; 46 st = sess_dh_sha1;
46 } 47 }
47 assoc_t assoc = alloc_assoc(mode_associate); 48 assoc_t assoc = alloc_assoc(mode_associate);
48 time_t now = time(0); 49 time_t now = time(0);
49 pout.clear(); 50 pout.clear();
50 pout["assoc_type"] = assoc->assoc_type(); 51 pout["assoc_type"] = assoc->assoc_type();
51 pout["assoc_handle"] = assoc->handle(); 52 pout["assoc_handle"] = assoc->handle();
52 /* TODO: eventually remove deprecated stuff */ 53 /* TODO: eventually remove deprecated stuff */
53 pout["issued"] = util::time_to_w3c(now); 54 pout["issued"] = util::time_to_w3c(now);
54 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); 55 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
55 pout["expires_in"] = util::long_to_string(assoc->expires_in()); 56 pout["expires_in"] = util::long_to_string(assoc->expires_in());
56 secret_t secret = assoc->secret(); 57 secret_t secret = assoc->secret();
57 switch(st) { 58 switch(st) {
58 case sess_dh_sha1: 59 case sess_dh_sha1:
59 pout["session_type"] = "DH-SHA1"; 60 pout["session_type"] = "DH-SHA1";
60 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); 61 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
61 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); 62 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
62 break; 63 break;
63 default: 64 default:
64 secret.to_base64(pout["mac_key"]); 65 secret.to_base64(pout["mac_key"]);
65 break; 66 break;
66 } 67 }
67 } 68 }
68 69
diff --git a/lib/util.cc b/lib/util.cc
index d9abca7..94f6f53 100644
--- a/lib/util.cc
+++ b/lib/util.cc
@@ -65,51 +65,55 @@ namespace opkele {
65 } 65 }
66 } 66 }
67 67
68 /* 68 /*
69 * big numerics 69 * big numerics
70 */ 70 */
71 71
72 BIGNUM *base64_to_bignum(const string& b64) { 72 BIGNUM *base64_to_bignum(const string& b64) {
73 vector<unsigned char> bin; 73 vector<unsigned char> bin;
74 decode_base64(b64,bin); 74 decode_base64(b64,bin);
75 BIGNUM *rv = BN_bin2bn(&(bin.front()),bin.size(),0); 75 BIGNUM *rv = BN_bin2bn(&(bin.front()),bin.size(),0);
76 if(!rv) 76 if(!rv)
77 throw failed_conversion(OPKELE_CP_ "failed to BN_bin2bn()"); 77 throw failed_conversion(OPKELE_CP_ "failed to BN_bin2bn()");
78 return rv; 78 return rv;
79 } 79 }
80 80
81 BIGNUM *dec_to_bignum(const string& dec) { 81 BIGNUM *dec_to_bignum(const string& dec) {
82 BIGNUM *rv = 0; 82 BIGNUM *rv = 0;
83 if(!BN_dec2bn(&rv,dec.c_str())) 83 if(!BN_dec2bn(&rv,dec.c_str()))
84 throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); 84 throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()");
85 return rv; 85 return rv;
86 } 86 }
87 87
88 string bignum_to_base64(const BIGNUM *bn) { 88 string bignum_to_base64(const BIGNUM *bn) {
89 vector<unsigned char> bin(BN_num_bytes(bn)); 89 vector<unsigned char> bin(BN_num_bytes(bn)+1);
90 int l = BN_bn2bin(bn,&(bin.front())); 90 unsigned char *binptr = &(bin.front())+1;
91 return encode_base64(&(bin.front()),l); 91 int l = BN_bn2bin(bn,binptr);
92 if(l && (*binptr)&0x80){
93 (*(--binptr)) = 0; ++l;
94 }
95 return encode_base64(binptr,l);
92 } 96 }
93 97
94 /* 98 /*
95 * w3c times 99 * w3c times
96 */ 100 */
97 101
98 string time_to_w3c(time_t t) { 102 string time_to_w3c(time_t t) {
99 struct tm tm_t; 103 struct tm tm_t;
100 if(!gmtime_r(&t,&tm_t)) 104 if(!gmtime_r(&t,&tm_t))
101 throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); 105 throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()");
102 char rv[25]; 106 char rv[25];
103 if(!strftime(rv,sizeof(rv)-1,"%Y-%m-%dT%H:%M:%SZ",&tm_t)) 107 if(!strftime(rv,sizeof(rv)-1,"%Y-%m-%dT%H:%M:%SZ",&tm_t))
104 throw failed_conversion(OPKELE_CP_ "failed to strftime()"); 108 throw failed_conversion(OPKELE_CP_ "failed to strftime()");
105 return rv; 109 return rv;
106 } 110 }
107 111
108 time_t w3c_to_time(const string& w) { 112 time_t w3c_to_time(const string& w) {
109 struct tm tm_t; 113 struct tm tm_t;
110 memset(&tm_t,0,sizeof(tm_t)); 114 memset(&tm_t,0,sizeof(tm_t));
111 if( 115 if(
112 sscanf( 116 sscanf(
113 w.c_str(), 117 w.c_str(),
114 "%04d-%02d-%02dT%02d:%02d:%02dZ", 118 "%04d-%02d-%02dT%02d:%02d:%02dZ",
115 &tm_t.tm_year,&tm_t.tm_mon,&tm_t.tm_mday, 119 &tm_t.tm_year,&tm_t.tm_mon,&tm_t.tm_mday,