1 files changed, 1 insertions, 1 deletions
diff --git a/lib/server.cc b/lib/server.cc
index 8db97be..b1c5c3a 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -1,170 +1,170 @@
 #include <vector>
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <opkele/util.h>
 #include <opkele/exception.h>
 #include <opkele/server.h>
 #include <opkele/data.h>
 namespace opkele {
    using namespace std;
    void server_t::associate(const params_t& pin,params_t& pout) {
        util::dh_t dh;
        util::bignum_t c_pub;
        unsigned char key_sha1[SHA_DIGEST_LENGTH];
        enum {
            sess_cleartext,
            sess_dh_sha1
        } st = sess_cleartext;
        if(
                pin.has_param("openid.session_type")
                && pin.get_param("openid.session_type")=="DH-SHA1" ) {
            /* TODO: fallback to cleartext in case of exceptions here? */
            if(!(dh = DH_new()))
                throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
            c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
            if(pin.has_param("openid.dh_modulus"))
                dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
            else
                dh->p = util::dec_to_bignum(data::_default_p);
            if(pin.has_param("openid.dh_gen"))
                dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
            else
                dh->g = util::dec_to_bignum(data::_default_g);
            if(!DH_generate_key(dh))
                throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
            vector<unsigned char> ck(DH_size(dh)+1);
            unsigned char *ckptr = &(ck.front())+1;
-            int cklen = DH_compute_key(&(ck.front()),c_pub,dh);
+            int cklen = DH_compute_key(ckptr,c_pub,dh);
            if(cklen<0)
                throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
            if(cklen && (*ckptr)&0x80) {
                (*(--ckptr)) = 0; ++cklen;
            }
            SHA1(ckptr,cklen,key_sha1);
            st = sess_dh_sha1;
        }
        assoc_t assoc = alloc_assoc(mode_associate);
        time_t now = time(0);
        pout.clear();
        pout["assoc_type"] = assoc->assoc_type();
        pout["assoc_handle"] = assoc->handle();
        /* TODO: eventually remove deprecated stuff */
        pout["issued"] = util::time_to_w3c(now);
        pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
        pout["expires_in"] = util::long_to_string(assoc->expires_in());
        secret_t secret = assoc->secret();
        switch(st) {
            case sess_dh_sha1:
                pout["session_type"] = "DH-SHA1";
                pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
                secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
                break;
            default:
                secret.to_base64(pout["mac_key"]);
                break;
        }
    }
    void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
        checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
    }
    void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
        checkid_(mode_checkid_setup,pin,return_to,pout,ext);
    }
    void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
        if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
            throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
        pout.clear();
        assoc_t assoc;
        try {
            assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
        }catch(failed_lookup& fl) {
            // no handle specified or no valid handle found, going dumb
            assoc = alloc_assoc(mode_checkid_setup);
            if(pin.has_param("openid.assoc_handle"))
                pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
        }
        string trust_root;
        try {
            trust_root = pin.get_param("openid.trust_root");
        }catch(failed_lookup& fl) { }
        string identity = pin.get_param("openid.identity");
        return_to = pin.get_param("openid.return_to");
        validate(*assoc,pin,identity,trust_root);
        pout["mode"] = "id_res";
        pout["assoc_handle"] = assoc->handle();
        if(pin.has_param("openid.assoc_handle") && assoc->stateless())
            pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
        pout["identity"] = identity;
        pout["return_to"] = return_to;
        /* TODO: eventually remove deprecated stuff */
        time_t now = time(0);
        pout["issued"] = util::time_to_w3c(now);
        pout["valid_to"] = util::time_to_w3c(now+120);
        pout["exipres_in"] = "120";
        pout["signed"]="mode,identity,return_to";
        if(ext) ext->checkid_hook(pin,pout);
        pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
    }
    void server_t::check_authentication(const params_t& pin,params_t& pout) {
        vector<unsigned char>  sig;
        const string& sigenc = pin.get_param("openid.sig");
        util::decode_base64(sigenc,sig);
        assoc_t assoc;
        try {
            assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
        }catch(failed_lookup& fl) {
            throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
        }
        if(!assoc->stateless())
            throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
        const string& slist = pin.get_param("openid.signed");
        string kv;
        string::size_type p =0;
        while(true) {
            string::size_type co = slist.find(',',p);
            string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
            kv += f;
            kv += ':';
            if(f=="mode")
                kv += "id_res";
            else {
                f.insert(0,"openid.");
                kv += pin.get_param(f);
            }
            kv += '\n';
            if(co==string::npos)
                break;
            p = co+1;
        }
        secret_t secret = assoc->secret();
        unsigned int md_len = 0;
        unsigned char *md = HMAC(
                EVP_sha1(),
                &(secret.front()),secret.size(),
                (const unsigned char *)kv.data(),kv.length(),
                0,&md_len);
        pout.clear();
        if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
            pout["is_valid"]="true";
            pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
        }else{
            pout["is_valid"]="false";
            pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
        }
        if(pin.has_param("openid.invalidate_handle")) {
            string h = pin.get_param("openid.invalidate_handle");
            try {
                assoc_t assoc = retrieve_assoc(h);
            }catch(invalid_handle& ih) {
                pout["invalidate_handle"] = h;
            }catch(failed_lookup& fl) { }
        }
    }
 }

diff --git a/lib/server.cc b/lib/server.cc index 8db97be..b1c5c3a 100644 --- a/lib/server.cc +++ b/lib/server.cc
@@ -1,170 +1,170 @@
1	#include <vector>	1	#include <vector>
2	#include <openssl/sha.h>	2	#include <openssl/sha.h>
3	#include <openssl/hmac.h>	3	#include <openssl/hmac.h>
4	#include <opkele/util.h>	4	#include <opkele/util.h>
5	#include <opkele/exception.h>	5	#include <opkele/exception.h>
6	#include <opkele/server.h>	6	#include <opkele/server.h>
7	#include <opkele/data.h>	7	#include <opkele/data.h>
8		8
9	namespace opkele {	9	namespace opkele {
10	using namespace std;	10	using namespace std;
11		11
12	void server_t::associate(const params_t& pin,params_t& pout) {	12	void server_t::associate(const params_t& pin,params_t& pout) {
13	util::dh_t dh;	13	util::dh_t dh;
14	util::bignum_t c_pub;	14	util::bignum_t c_pub;
15	unsigned char key_sha1[SHA_DIGEST_LENGTH];	15	unsigned char key_sha1[SHA_DIGEST_LENGTH];
16	enum {	16	enum {
17	sess_cleartext,	17	sess_cleartext,
18	sess_dh_sha1	18	sess_dh_sha1
19	} st = sess_cleartext;	19	} st = sess_cleartext;
20	if(	20	if(
21	pin.has_param("openid.session_type")	21	pin.has_param("openid.session_type")
22	&& pin.get_param("openid.session_type")=="DH-SHA1" ) {	22	&& pin.get_param("openid.session_type")=="DH-SHA1" ) {
23	/* TODO: fallback to cleartext in case of exceptions here? */	23	/* TODO: fallback to cleartext in case of exceptions here? */
24	if(!(dh = DH_new()))	24	if(!(dh = DH_new()))
25	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");	25	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
26	c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));	26	c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
27	if(pin.has_param("openid.dh_modulus"))	27	if(pin.has_param("openid.dh_modulus"))
28	dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));	28	dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
29	else	29	else
30	dh->p = util::dec_to_bignum(data::_default_p);	30	dh->p = util::dec_to_bignum(data::_default_p);
31	if(pin.has_param("openid.dh_gen"))	31	if(pin.has_param("openid.dh_gen"))
32	dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));	32	dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
33	else	33	else
34	dh->g = util::dec_to_bignum(data::_default_g);	34	dh->g = util::dec_to_bignum(data::_default_g);
35	if(!DH_generate_key(dh))	35	if(!DH_generate_key(dh))
36	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");	36	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
37	vector<unsigned char> ck(DH_size(dh)+1);	37	vector<unsigned char> ck(DH_size(dh)+1);
38	unsigned char *ckptr = &(ck.front())+1;	38	unsigned char *ckptr = &(ck.front())+1;
39	int cklen = DH_compute_key(&(ck.front()),c_pub,dh);	39	int cklen = DH_compute_key(ckptr,c_pub,dh);
40	if(cklen<0)	40	if(cklen<0)
41	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");	41	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
42	if(cklen && (*ckptr)&0x80) {	42	if(cklen && (*ckptr)&0x80) {
43	(*(--ckptr)) = 0; ++cklen;	43	(*(--ckptr)) = 0; ++cklen;
44	}	44	}
45	SHA1(ckptr,cklen,key_sha1);	45	SHA1(ckptr,cklen,key_sha1);
46	st = sess_dh_sha1;	46	st = sess_dh_sha1;
47	}	47	}
48	assoc_t assoc = alloc_assoc(mode_associate);	48	assoc_t assoc = alloc_assoc(mode_associate);
49	time_t now = time(0);	49	time_t now = time(0);
50	pout.clear();	50	pout.clear();
51	pout["assoc_type"] = assoc->assoc_type();	51	pout["assoc_type"] = assoc->assoc_type();
52	pout["assoc_handle"] = assoc->handle();	52	pout["assoc_handle"] = assoc->handle();
53	/* TODO: eventually remove deprecated stuff */	53	/* TODO: eventually remove deprecated stuff */
54	pout["issued"] = util::time_to_w3c(now);	54	pout["issued"] = util::time_to_w3c(now);
55	pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());	55	pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
56	pout["expires_in"] = util::long_to_string(assoc->expires_in());	56	pout["expires_in"] = util::long_to_string(assoc->expires_in());
57	secret_t secret = assoc->secret();	57	secret_t secret = assoc->secret();
58	switch(st) {	58	switch(st) {
59	case sess_dh_sha1:	59	case sess_dh_sha1:
60	pout["session_type"] = "DH-SHA1";	60	pout["session_type"] = "DH-SHA1";
61	pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);	61	pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
62	secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);	62	secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
63	break;	63	break;
64	default:	64	default:
65	secret.to_base64(pout["mac_key"]);	65	secret.to_base64(pout["mac_key"]);
66	break;	66	break;
67	}	67	}
68	}	68	}
69		69
70	void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {	70	void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
71	checkid_(mode_checkid_immediate,pin,return_to,pout,ext);	71	checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
72	}	72	}
73		73
74	void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {	74	void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
75	checkid_(mode_checkid_setup,pin,return_to,pout,ext);	75	checkid_(mode_checkid_setup,pin,return_to,pout,ext);
76	}	76	}
77		77
78	void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {	78	void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
79	if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)	79	if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
80	throw bad_input(OPKELE_CP_ "invalid checkid_* mode");	80	throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
81	pout.clear();	81	pout.clear();
82	assoc_t assoc;	82	assoc_t assoc;
83	try {	83	try {
84	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));	84	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
85	}catch(failed_lookup& fl) {	85	}catch(failed_lookup& fl) {
86	// no handle specified or no valid handle found, going dumb	86	// no handle specified or no valid handle found, going dumb
87	assoc = alloc_assoc(mode_checkid_setup);	87	assoc = alloc_assoc(mode_checkid_setup);
88	if(pin.has_param("openid.assoc_handle"))	88	if(pin.has_param("openid.assoc_handle"))
89	pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");	89	pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
90	}	90	}
91	string trust_root;	91	string trust_root;
92	try {	92	try {
93	trust_root = pin.get_param("openid.trust_root");	93	trust_root = pin.get_param("openid.trust_root");
94	}catch(failed_lookup& fl) { }	94	}catch(failed_lookup& fl) { }
95	string identity = pin.get_param("openid.identity");	95	string identity = pin.get_param("openid.identity");
96	return_to = pin.get_param("openid.return_to");	96	return_to = pin.get_param("openid.return_to");
97	validate(*assoc,pin,identity,trust_root);	97	validate(*assoc,pin,identity,trust_root);
98	pout["mode"] = "id_res";	98	pout["mode"] = "id_res";
99	pout["assoc_handle"] = assoc->handle();	99	pout["assoc_handle"] = assoc->handle();
100	if(pin.has_param("openid.assoc_handle") && assoc->stateless())	100	if(pin.has_param("openid.assoc_handle") && assoc->stateless())
101	pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");	101	pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
102	pout["identity"] = identity;	102	pout["identity"] = identity;
103	pout["return_to"] = return_to;	103	pout["return_to"] = return_to;
104	/* TODO: eventually remove deprecated stuff */	104	/* TODO: eventually remove deprecated stuff */
105	time_t now = time(0);	105	time_t now = time(0);
106	pout["issued"] = util::time_to_w3c(now);	106	pout["issued"] = util::time_to_w3c(now);
107	pout["valid_to"] = util::time_to_w3c(now+120);	107	pout["valid_to"] = util::time_to_w3c(now+120);
108	pout["exipres_in"] = "120";	108	pout["exipres_in"] = "120";
109	pout["signed"]="mode,identity,return_to";	109	pout["signed"]="mode,identity,return_to";
110	if(ext) ext->checkid_hook(pin,pout);	110	if(ext) ext->checkid_hook(pin,pout);
111	pout.sign(assoc->secret(),pout["sig"],pout["signed"]);	111	pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
112	}	112	}
113		113
114	void server_t::check_authentication(const params_t& pin,params_t& pout) {	114	void server_t::check_authentication(const params_t& pin,params_t& pout) {
115	vector<unsigned char> sig;	115	vector<unsigned char> sig;
116	const string& sigenc = pin.get_param("openid.sig");	116	const string& sigenc = pin.get_param("openid.sig");
117	util::decode_base64(sigenc,sig);	117	util::decode_base64(sigenc,sig);
118	assoc_t assoc;	118	assoc_t assoc;
119	try {	119	try {
120	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));	120	assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
121	}catch(failed_lookup& fl) {	121	}catch(failed_lookup& fl) {
122	throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");	122	throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
123	}	123	}
124	if(!assoc->stateless())	124	if(!assoc->stateless())
125	throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");	125	throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
126	const string& slist = pin.get_param("openid.signed");	126	const string& slist = pin.get_param("openid.signed");
127	string kv;	127	string kv;
128	string::size_type p =0;	128	string::size_type p =0;
129	while(true) {	129	while(true) {
130	string::size_type co = slist.find(',',p);	130	string::size_type co = slist.find(',',p);
131	string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);	131	string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
132	kv += f;	132	kv += f;
133	kv += ':';	133	kv += ':';
134	if(f=="mode")	134	if(f=="mode")
135	kv += "id_res";	135	kv += "id_res";
136	else {	136	else {
137	f.insert(0,"openid.");	137	f.insert(0,"openid.");
138	kv += pin.get_param(f);	138	kv += pin.get_param(f);
139	}	139	}
140	kv += '\n';	140	kv += '\n';
141	if(co==string::npos)	141	if(co==string::npos)
142	break;	142	break;
143	p = co+1;	143	p = co+1;
144	}	144	}
145	secret_t secret = assoc->secret();	145	secret_t secret = assoc->secret();
146	unsigned int md_len = 0;	146	unsigned int md_len = 0;
147	unsigned char *md = HMAC(	147	unsigned char *md = HMAC(
148	EVP_sha1(),	148	EVP_sha1(),
149	&(secret.front()),secret.size(),	149	&(secret.front()),secret.size(),
150	(const unsigned char *)kv.data(),kv.length(),	150	(const unsigned char *)kv.data(),kv.length(),
151	0,&md_len);	151	0,&md_len);
152	pout.clear();	152	pout.clear();
153	if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {	153	if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
154	pout["is_valid"]="true";	154	pout["is_valid"]="true";
155	pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */	155	pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
156	}else{	156	}else{
157	pout["is_valid"]="false";	157	pout["is_valid"]="false";
158	pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */	158	pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
159	}	159	}
160	if(pin.has_param("openid.invalidate_handle")) {	160	if(pin.has_param("openid.invalidate_handle")) {
161	string h = pin.get_param("openid.invalidate_handle");	161	string h = pin.get_param("openid.invalidate_handle");
162	try {	162	try {
163	assoc_t assoc = retrieve_assoc(h);	163	assoc_t assoc = retrieve_assoc(h);
164	}catch(invalid_handle& ih) {	164	}catch(invalid_handle& ih) {
165	pout["invalidate_handle"] = h;	165	pout["invalidate_handle"] = h;
166	}catch(failed_lookup& fl) { }	166	}catch(failed_lookup& fl) { }
167	}	167	}
168	}	168	}
169		169
170	}	170	}