summaryrefslogtreecommitdiffabout
path: root/lib/server.cc
Unidiff
Diffstat (limited to 'lib/server.cc') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/server.cc172
1 files changed, 0 insertions, 172 deletions
diff --git a/lib/server.cc b/lib/server.cc
deleted file mode 100644
index 0dea1eb..0000000
--- a/lib/server.cc
+++ b/dev/null
@@ -1,172 +0,0 @@
1#include <cstring>
2#include <vector>
3#include <openssl/sha.h>
4#include <openssl/hmac.h>
5#include <opkele/util.h>
6#include <opkele/util-internal.h>
7#include <opkele/exception.h>
8#include <opkele/server.h>
9#include <opkele/data.h>
10
11namespace opkele {
12 using namespace std;
13
14 void server_t::associate(const params_t& pin,params_t& pout) {
15 util::dh_t dh;
16 util::bignum_t c_pub;
17 unsigned char key_sha1[SHA_DIGEST_LENGTH];
18 enum {
19 sess_cleartext,
20 sess_dh_sha1
21 } st = sess_cleartext;
22 if(
23 pin.has_param("openid.session_type")
24 && pin.get_param("openid.session_type")=="DH-SHA1" ) {
25 /* TODO: fallback to cleartext in case of exceptions here? */
26 if(!(dh = DH_new()))
27 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
28 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
29 if(pin.has_param("openid.dh_modulus"))
30 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
31 else
32 dh->p = util::dec_to_bignum(data::_default_p);
33 if(pin.has_param("openid.dh_gen"))
34 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
35 else
36 dh->g = util::dec_to_bignum(data::_default_g);
37 if(!DH_generate_key(dh))
38 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
39 vector<unsigned char> ck(DH_size(dh)+1);
40 unsigned char *ckptr = &(ck.front())+1;
41 int cklen = DH_compute_key(ckptr,c_pub,dh);
42 if(cklen<0)
43 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
44 if(cklen && (*ckptr)&0x80) {
45 (*(--ckptr)) = 0; ++cklen;
46 }
47 SHA1(ckptr,cklen,key_sha1);
48 st = sess_dh_sha1;
49 }
50 assoc_t assoc = alloc_assoc(mode_associate);
51 time_t now = time(0);
52 pout.clear();
53 pout["assoc_type"] = assoc->assoc_type();
54 pout["assoc_handle"] = assoc->handle();
55 /* TODO: eventually remove deprecated stuff */
56 pout["issued"] = util::time_to_w3c(now);
57 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
58 pout["expires_in"] = util::long_to_string(assoc->expires_in());
59 secret_t secret = assoc->secret();
60 switch(st) {
61 case sess_dh_sha1:
62 pout["session_type"] = "DH-SHA1";
63 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
64 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
65 break;
66 default:
67 secret.to_base64(pout["mac_key"]);
68 break;
69 }
70 }
71
72 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
73 checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
74 }
75
76 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
77 checkid_(mode_checkid_setup,pin,return_to,pout,ext);
78 }
79
80 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
81 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
82 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
83 pout.clear();
84 assoc_t assoc;
85 try {
86 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
87 }catch(failed_lookup& fl) {
88 // no handle specified or no valid handle found, going dumb
89 assoc = alloc_assoc(mode_checkid_setup);
90 if(pin.has_param("openid.assoc_handle"))
91 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
92 }
93 string trust_root;
94 try {
95 trust_root = pin.get_param("openid.trust_root");
96 }catch(failed_lookup& fl) { }
97 string identity = pin.get_param("openid.identity");
98 return_to = pin.get_param("openid.return_to");
99 validate(*assoc,pin,identity,trust_root);
100 pout["mode"] = "id_res";
101 pout["assoc_handle"] = assoc->handle();
102 if(pin.has_param("openid.assoc_handle") && assoc->stateless())
103 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
104 pout["identity"] = identity;
105 pout["return_to"] = return_to;
106 /* TODO: eventually remove deprecated stuff */
107 time_t now = time(0);
108 pout["issued"] = util::time_to_w3c(now);
109 pout["valid_to"] = util::time_to_w3c(now+120);
110 pout["exipres_in"] = "120";
111 pout["signed"]="mode,identity,return_to";
112 if(ext) ext->checkid_hook(pin,pout);
113 pout["sig"] = util::base64_signature(assoc,pout);
114 }
115
116 void server_t::check_authentication(const params_t& pin,params_t& pout) {
117 vector<unsigned char> sig;
118 const string& sigenc = pin.get_param("openid.sig");
119 util::decode_base64(sigenc,sig);
120 assoc_t assoc;
121 try {
122 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
123 }catch(failed_lookup& fl) {
124 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
125 }
126 if(!assoc->stateless())
127 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
128 const string& slist = pin.get_param("openid.signed");
129 string kv;
130 string::size_type p =0;
131 while(true) {
132 string::size_type co = slist.find(',',p);
133 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
134 kv += f;
135 kv += ':';
136 if(f=="mode")
137 kv += "id_res";
138 else {
139 f.insert(0,"openid.");
140 kv += pin.get_param(f);
141 }
142 kv += '\n';
143 if(co==string::npos)
144 break;
145 p = co+1;
146 }
147 secret_t secret = assoc->secret();
148 unsigned int md_len = 0;
149 unsigned char *md = HMAC(
150 EVP_sha1(),
151 &(secret.front()),secret.size(),
152 (const unsigned char *)kv.data(),kv.length(),
153 0,&md_len);
154 pout.clear();
155 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
156 pout["is_valid"]="true";
157 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
158 }else{
159 pout["is_valid"]="false";
160 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
161 }
162 if(pin.has_param("openid.invalidate_handle")) {
163 string h = pin.get_param("openid.invalidate_handle");
164 try {
165 assoc_t tmp = retrieve_assoc(h);
166 }catch(invalid_handle& ih) {
167 pout["invalidate_handle"] = h;
168 }catch(failed_lookup& fl) { }
169 }
170 }
171
172}