the whole library rewritten

Signed-off-by: Michael Krelin <hacker@klever.net>
author: Michael Krelin <hacker@klever.net> 2008-01-20 21:08:05 (UTC)
committer: Michael Krelin <hacker@klever.net> 2008-01-20 21:08:05 (UTC)
commit: 9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc (patch) (unidiff)
tree: 702473142242e80538c4801cc379ec98fba199dd /lib/server.cc
parent: 395a126cbf59b7a50f44da3096b68bab412ab33d (diff)
download: libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.zip
libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.gz
libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/server.cc b/lib/server.cc
index 282521e..776f1ae 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -16,156 +16,156 @@ namespace opkele {
        unsigned char key_sha1[SHA_DIGEST_LENGTH];
        enum {
            sess_cleartext,
            sess_dh_sha1
        } st = sess_cleartext;
        if(
                pin.has_param("openid.session_type")
                && pin.get_param("openid.session_type")=="DH-SHA1" ) {
            /* TODO: fallback to cleartext in case of exceptions here? */
            if(!(dh = DH_new()))
                throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
            c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
            if(pin.has_param("openid.dh_modulus"))
                dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
            else
                dh->p = util::dec_to_bignum(data::_default_p);
            if(pin.has_param("openid.dh_gen"))
                dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
            else
                dh->g = util::dec_to_bignum(data::_default_g);
            if(!DH_generate_key(dh))
                throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
            vector<unsigned char> ck(DH_size(dh)+1);
            unsigned char *ckptr = &(ck.front())+1;
            int cklen = DH_compute_key(ckptr,c_pub,dh);
            if(cklen<0)
                throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
            if(cklen && (*ckptr)&0x80) {
                (*(--ckptr)) = 0; ++cklen;
            }
            SHA1(ckptr,cklen,key_sha1);
            st = sess_dh_sha1;
        }
        assoc_t assoc = alloc_assoc(mode_associate);
        time_t now = time(0);
        pout.clear();
        pout["assoc_type"] = assoc->assoc_type();
        pout["assoc_handle"] = assoc->handle();
        /* TODO: eventually remove deprecated stuff */
        pout["issued"] = util::time_to_w3c(now);
        pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
        pout["expires_in"] = util::long_to_string(assoc->expires_in());
        secret_t secret = assoc->secret();
        switch(st) {
            case sess_dh_sha1:
                pout["session_type"] = "DH-SHA1";
                pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
                secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
                break;
            default:
                secret.to_base64(pout["mac_key"]);
                break;
        }
    }
    void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
        checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
    }
    void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
        checkid_(mode_checkid_setup,pin,return_to,pout,ext);
    }
    void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
        if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
            throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
        pout.clear();
        assoc_t assoc;
        try {
            assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
        }catch(failed_lookup& fl) {
            // no handle specified or no valid handle found, going dumb
            assoc = alloc_assoc(mode_checkid_setup);
            if(pin.has_param("openid.assoc_handle"))
                pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
        }
        string trust_root;
        try {
            trust_root = pin.get_param("openid.trust_root");
        }catch(failed_lookup& fl) { }
        string identity = pin.get_param("openid.identity");
        return_to = pin.get_param("openid.return_to");
        validate(*assoc,pin,identity,trust_root);
        pout["mode"] = "id_res";
        pout["assoc_handle"] = assoc->handle();
        if(pin.has_param("openid.assoc_handle") && assoc->stateless())
            pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
        pout["identity"] = identity;
        pout["return_to"] = return_to;
        /* TODO: eventually remove deprecated stuff */
        time_t now = time(0);
        pout["issued"] = util::time_to_w3c(now);
        pout["valid_to"] = util::time_to_w3c(now+120);
        pout["exipres_in"] = "120";
        pout["signed"]="mode,identity,return_to";
        if(ext) ext->checkid_hook(pin,pout);
-        pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
+        pout["sig"] = util::base64_signature(assoc,pout);
    }
    void server_t::check_authentication(const params_t& pin,params_t& pout) {
        vector<unsigned char>  sig;
        const string& sigenc = pin.get_param("openid.sig");
        util::decode_base64(sigenc,sig);
        assoc_t assoc;
        try {
            assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
        }catch(failed_lookup& fl) {
            throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
        }
        if(!assoc->stateless())
            throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
        const string& slist = pin.get_param("openid.signed");
        string kv;
        string::size_type p =0;
        while(true) {
            string::size_type co = slist.find(',',p);
            string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
            kv += f;
            kv += ':';
            if(f=="mode")
                kv += "id_res";
            else {
                f.insert(0,"openid.");
                kv += pin.get_param(f);
            }
            kv += '\n';
            if(co==string::npos)
                break;
            p = co+1;
        }
        secret_t secret = assoc->secret();
        unsigned int md_len = 0;
        unsigned char *md = HMAC(
                EVP_sha1(),
                &(secret.front()),secret.size(),
                (const unsigned char *)kv.data(),kv.length(),
                0,&md_len);
        pout.clear();
        if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
            pout["is_valid"]="true";
            pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
        }else{
            pout["is_valid"]="false";
            pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
        }
        if(pin.has_param("openid.invalidate_handle")) {
            string h = pin.get_param("openid.invalidate_handle");
            try {
                assoc_t tmp = retrieve_assoc(h);
            }catch(invalid_handle& ih) {
                pout["invalidate_handle"] = h;
            }catch(failed_lookup& fl) { }
        }
    }
 }
author	Michael Krelin <hacker@klever.net>	2008-01-20 21:08:05 (UTC)
committer	Michael Krelin <hacker@klever.net>	2008-01-20 21:08:05 (UTC)
commit	9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc (patch) (unidiff)
tree	702473142242e80538c4801cc379ec98fba199dd /lib/server.cc
parent	395a126cbf59b7a50f44da3096b68bab412ab33d (diff)
download	libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.zip libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.gz libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.bz2

diff --git a/lib/server.cc b/lib/server.cc index 282521e..776f1ae 100644 --- a/lib/server.cc +++ b/lib/server.cc
@@ -16,156 +16,156 @@ namespace opkele {
16	unsigned char key_sha1[SHA_DIGEST_LENGTH];	16	unsigned char key_sha1[SHA_DIGEST_LENGTH];
17	enum {	17	enum {
18	sess_cleartext,	18	sess_cleartext,
19	sess_dh_sha1	19	sess_dh_sha1
20	} st = sess_cleartext;	20	} st = sess_cleartext;
21	if(	21	if(
22	pin.has_param("openid.session_type")	22	pin.has_param("openid.session_type")
23	&& pin.get_param("openid.session_type")=="DH-SHA1" ) {	23	&& pin.get_param("openid.session_type")=="DH-SHA1" ) {
24	/* TODO: fallback to cleartext in case of exceptions here? */	24	/* TODO: fallback to cleartext in case of exceptions here? */
25	if(!(dh = DH_new()))	25	if(!(dh = DH_new()))
26	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");	26	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
27	c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));	27	c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
28	if(pin.has_param("openid.dh_modulus"))	28	if(pin.has_param("openid.dh_modulus"))
29	dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));	29	dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
30	else	30	else
31	dh->p = util::dec_to_bignum(data::_default_p);	31	dh->p = util::dec_to_bignum(data::_default_p);
32	if(pin.has_param("openid.dh_gen"))	32	if(pin.has_param("openid.dh_gen"))
33	dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));	33	dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
34	else	34	else
35	dh->g = util::dec_to_bignum(data::_default_g);	35	dh->g = util::dec_to_bignum(data::_default_g);
36	if(!DH_generate_key(dh))	36	if(!DH_generate_key(dh))
37	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");	37	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
38	vector<unsigned char> ck(DH_size(dh)+1);	38	vector<unsigned char> ck(DH_size(dh)+1);
39	unsigned char *ckptr = &(ck.front())+1;	39	unsigned char *ckptr = &(ck.front())+1;
40	int cklen = DH_compute_key(ckptr,c_pub,dh);	40	int cklen = DH_compute_key(ckptr,c_pub,dh);
41	if(cklen<0)	41	if(cklen<0)
42	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");	42	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
43	if(cklen && (*ckptr)&0x80) {	43	if(cklen && (*ckptr)&0x80) {
44	(*(--ckptr)) = 0; ++cklen;	44	(*(--ckptr)) = 0; ++cklen;
45	}	45	}
46	SHA1(ckptr,cklen,key_sha1);	46	SHA1(ckptr,cklen,key_sha1);
47	st = sess_dh_sha1;	47	st = sess_dh_sha1;
48	}	48	}
49	assoc_t assoc = alloc_assoc(mode_associate);	49	assoc_t assoc = alloc_assoc(mode_associate);
50	time_t now = time(0);	50	time_t now = time(0);
51	pout.clear();	51	pout.clear();
52	pout["assoc_type"] = assoc->assoc_type();	52	pout["assoc_type"] = assoc->assoc_type();
53	pout["assoc_handle"] = assoc->handle();	53	pout["assoc_handle"] = assoc->handle();
54	/* TODO: eventually remove deprecated stuff */	54	/* TODO: eventually remove deprecated stuff */
55	pout["issued"] = util::time_to_w3c(now);	55	pout["issued"] = util::time_to_w3c(now);
56	pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());	56	pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
57	pout["expires_in"] = util::long_to_string(assoc->expires_in());	57	pout["expires_in"] = util::long_to_string(assoc->expires_in());
58	secret_t secret = assoc->secret();	58	secret_t secret = assoc->secret();
59	switch(st) {	59	switch(st) {
60	case sess_dh_sha1:	60	case sess_dh_sha1:
61	pout["session_type"] = "DH-SHA1";	61	pout["session_type"] = "DH-SHA1";
62	pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);	62	pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
63	secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);	63	secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
64	break;	64	break;
65	default:	65	default:
66	secret.to_base64(pout["mac_key"]);	66	secret.to_base64(pout["mac_key"]);
67	break;	67	break;
68	}	68	}
69	}	69	}
70		70
71	void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {	71	void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
72	checkid_(mode_checkid_immediate,pin,return_to,pout,ext);	72	checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
73	}	73	}
74		74
75	void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {	75	void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
76	checkid_(mode_checkid_setup,pin,return_to,pout,ext);	76	checkid_(mode_checkid_setup,pin,return_to,pout,ext);
77	}	77	}
78		78
79	void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {	79	void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
80	if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)	80	if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
81	throw bad_input(OPKELE_CP_ "invalid checkid_* mode");	81	throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
82	pout.clear();	82	pout.clear();
83	assoc_t assoc;	83	assoc_t assoc;
84	try {	84	try {
85	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));	85	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
86	}catch(failed_lookup& fl) {	86	}catch(failed_lookup& fl) {
87	// no handle specified or no valid handle found, going dumb	87	// no handle specified or no valid handle found, going dumb
88	assoc = alloc_assoc(mode_checkid_setup);	88	assoc = alloc_assoc(mode_checkid_setup);
89	if(pin.has_param("openid.assoc_handle"))	89	if(pin.has_param("openid.assoc_handle"))
90	pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");	90	pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
91	}	91	}
92	string trust_root;	92	string trust_root;
93	try {	93	try {
94	trust_root = pin.get_param("openid.trust_root");	94	trust_root = pin.get_param("openid.trust_root");
95	}catch(failed_lookup& fl) { }	95	}catch(failed_lookup& fl) { }
96	string identity = pin.get_param("openid.identity");	96	string identity = pin.get_param("openid.identity");
97	return_to = pin.get_param("openid.return_to");	97	return_to = pin.get_param("openid.return_to");
98	validate(*assoc,pin,identity,trust_root);	98	validate(*assoc,pin,identity,trust_root);
99	pout["mode"] = "id_res";	99	pout["mode"] = "id_res";
100	pout["assoc_handle"] = assoc->handle();	100	pout["assoc_handle"] = assoc->handle();
101	if(pin.has_param("openid.assoc_handle") && assoc->stateless())	101	if(pin.has_param("openid.assoc_handle") && assoc->stateless())
102	pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");	102	pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
103	pout["identity"] = identity;	103	pout["identity"] = identity;
104	pout["return_to"] = return_to;	104	pout["return_to"] = return_to;
105	/* TODO: eventually remove deprecated stuff */	105	/* TODO: eventually remove deprecated stuff */
106	time_t now = time(0);	106	time_t now = time(0);
107	pout["issued"] = util::time_to_w3c(now);	107	pout["issued"] = util::time_to_w3c(now);
108	pout["valid_to"] = util::time_to_w3c(now+120);	108	pout["valid_to"] = util::time_to_w3c(now+120);
109	pout["exipres_in"] = "120";	109	pout["exipres_in"] = "120";
110	pout["signed"]="mode,identity,return_to";	110	pout["signed"]="mode,identity,return_to";
111	if(ext) ext->checkid_hook(pin,pout);	111	if(ext) ext->checkid_hook(pin,pout);
112	pout.sign(assoc->secret(),pout["sig"],pout["signed"]);	112	pout["sig"] = util::base64_signature(assoc,pout);
113	}	113	}
114		114
115	void server_t::check_authentication(const params_t& pin,params_t& pout) {	115	void server_t::check_authentication(const params_t& pin,params_t& pout) {
116	vector<unsigned char> sig;	116	vector<unsigned char> sig;
117	const string& sigenc = pin.get_param("openid.sig");	117	const string& sigenc = pin.get_param("openid.sig");
118	util::decode_base64(sigenc,sig);	118	util::decode_base64(sigenc,sig);
119	assoc_t assoc;	119	assoc_t assoc;
120	try {	120	try {
121	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));	121	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
122	}catch(failed_lookup& fl) {	122	}catch(failed_lookup& fl) {
123	throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");	123	throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
124	}	124	}
125	if(!assoc->stateless())	125	if(!assoc->stateless())
126	throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");	126	throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
127	const string& slist = pin.get_param("openid.signed");	127	const string& slist = pin.get_param("openid.signed");
128	string kv;	128	string kv;
129	string::size_type p =0;	129	string::size_type p =0;
130	while(true) {	130	while(true) {
131	string::size_type co = slist.find(',',p);	131	string::size_type co = slist.find(',',p);
132	string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);	132	string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
133	kv += f;	133	kv += f;
134	kv += ':';	134	kv += ':';
135	if(f=="mode")	135	if(f=="mode")
136	kv += "id_res";	136	kv += "id_res";
137	else {	137	else {
138	f.insert(0,"openid.");	138	f.insert(0,"openid.");
139	kv += pin.get_param(f);	139	kv += pin.get_param(f);
140	}	140	}
141	kv += '\n';	141	kv += '\n';
142	if(co==string::npos)	142	if(co==string::npos)
143	break;	143	break;
144	p = co+1;	144	p = co+1;
145	}	145	}
146	secret_t secret = assoc->secret();	146	secret_t secret = assoc->secret();
147	unsigned int md_len = 0;	147	unsigned int md_len = 0;
148	unsigned char *md = HMAC(	148	unsigned char *md = HMAC(
149	EVP_sha1(),	149	EVP_sha1(),
150	&(secret.front()),secret.size(),	150	&(secret.front()),secret.size(),
151	(const unsigned char *)kv.data(),kv.length(),	151	(const unsigned char *)kv.data(),kv.length(),
152	0,&md_len);	152	0,&md_len);
153	pout.clear();	153	pout.clear();
154	if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {	154	if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
155	pout["is_valid"]="true";	155	pout["is_valid"]="true";
156	pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */	156	pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
157	}else{	157	}else{
158	pout["is_valid"]="false";	158	pout["is_valid"]="false";
159	pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */	159	pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
160	}	160	}
161	if(pin.has_param("openid.invalidate_handle")) {	161	if(pin.has_param("openid.invalidate_handle")) {
162	string h = pin.get_param("openid.invalidate_handle");	162	string h = pin.get_param("openid.invalidate_handle");
163	try {	163	try {
164	assoc_t tmp = retrieve_assoc(h);	164	assoc_t tmp = retrieve_assoc(h);
165	}catch(invalid_handle& ih) {	165	}catch(invalid_handle& ih) {
166	pout["invalidate_handle"] = h;	166	pout["invalidate_handle"] = h;
167	}catch(failed_lookup& fl) { }	167	}catch(failed_lookup& fl) { }
168	}	168	}
169	}	169	}
170		170
171	}	171	}