-rw-r--r-- | lib/server.cc | 172 |
1 files changed, 0 insertions, 172 deletions
diff --git a/lib/server.cc b/lib/server.cc deleted file mode 100644 index 0dea1eb..0000000 --- a/lib/server.cc +++ b/dev/null | |||
@@ -1,172 +0,0 @@ | |||
1 | #include <cstring> | ||
2 | #include <vector> | ||
3 | #include <openssl/sha.h> | ||
4 | #include <openssl/hmac.h> | ||
5 | #include <opkele/util.h> | ||
6 | #include <opkele/util-internal.h> | ||
7 | #include <opkele/exception.h> | ||
8 | #include <opkele/server.h> | ||
9 | #include <opkele/data.h> | ||
10 | |||
11 | namespace opkele { | ||
12 | using namespace std; | ||
13 | |||
14 | void server_t::associate(const params_t& pin,params_t& pout) { | ||
15 | util::dh_t dh; | ||
16 | util::bignum_t c_pub; | ||
17 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; | ||
18 | enum { | ||
19 | sess_cleartext, | ||
20 | sess_dh_sha1 | ||
21 | } st = sess_cleartext; | ||
22 | if( | ||
23 | pin.has_param("openid.session_type") | ||
24 | && pin.get_param("openid.session_type")=="DH-SHA1" ) { | ||
25 | /* TODO: fallback to cleartext in case of exceptions here? */ | ||
26 | if(!(dh = DH_new())) | ||
27 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); | ||
28 | c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); | ||
29 | if(pin.has_param("openid.dh_modulus")) | ||
30 | dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); | ||
31 | else | ||
32 | dh->p = util::dec_to_bignum(data::_default_p); | ||
33 | if(pin.has_param("openid.dh_gen")) | ||
34 | dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); | ||
35 | else | ||
36 | dh->g = util::dec_to_bignum(data::_default_g); | ||
37 | if(!DH_generate_key(dh)) | ||
38 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | ||
39 | vector<unsigned char> ck(DH_size(dh)+1); | ||
40 | unsigned char *ckptr = &(ck.front())+1; | ||
41 | int cklen = DH_compute_key(ckptr,c_pub,dh); | ||
42 | if(cklen<0) | ||
43 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | ||
44 | if(cklen && (*ckptr)&0x80) { | ||
45 | (*(--ckptr)) = 0; ++cklen; | ||
46 | } | ||
47 | SHA1(ckptr,cklen,key_sha1); | ||
48 | st = sess_dh_sha1; | ||
49 | } | ||
50 | assoc_t assoc = alloc_assoc(mode_associate); | ||
51 | time_t now = time(0); | ||
52 | pout.clear(); | ||
53 | pout["assoc_type"] = assoc->assoc_type(); | ||
54 | pout["assoc_handle"] = assoc->handle(); | ||
55 | /* TODO: eventually remove deprecated stuff */ | ||
56 | pout["issued"] = util::time_to_w3c(now); | ||
57 | pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); | ||
58 | pout["expires_in"] = util::long_to_string(assoc->expires_in()); | ||
59 | secret_t secret = assoc->secret(); | ||
60 | switch(st) { | ||
61 | case sess_dh_sha1: | ||
62 | pout["session_type"] = "DH-SHA1"; | ||
63 | pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); | ||
64 | secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); | ||
65 | break; | ||
66 | default: | ||
67 | secret.to_base64(pout["mac_key"]); | ||
68 | break; | ||
69 | } | ||
70 | } | ||
71 | |||
72 | void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | ||
73 | checkid_(mode_checkid_immediate,pin,return_to,pout,ext); | ||
74 | } | ||
75 | |||
76 | void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | ||
77 | checkid_(mode_checkid_setup,pin,return_to,pout,ext); | ||
78 | } | ||
79 | |||
80 | void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | ||
81 | if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) | ||
82 | throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); | ||
83 | pout.clear(); | ||
84 | assoc_t assoc; | ||
85 | try { | ||
86 | assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); | ||
87 | }catch(failed_lookup& fl) { | ||
88 | // no handle specified or no valid handle found, going dumb | ||
89 | assoc = alloc_assoc(mode_checkid_setup); | ||
90 | if(pin.has_param("openid.assoc_handle")) | ||
91 | pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); | ||
92 | } | ||
93 | string trust_root; | ||
94 | try { | ||
95 | trust_root = pin.get_param("openid.trust_root"); | ||
96 | }catch(failed_lookup& fl) { } | ||
97 | string identity = pin.get_param("openid.identity"); | ||
98 | return_to = pin.get_param("openid.return_to"); | ||
99 | validate(*assoc,pin,identity,trust_root); | ||
100 | pout["mode"] = "id_res"; | ||
101 | pout["assoc_handle"] = assoc->handle(); | ||
102 | if(pin.has_param("openid.assoc_handle") && assoc->stateless()) | ||
103 | pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); | ||
104 | pout["identity"] = identity; | ||
105 | pout["return_to"] = return_to; | ||
106 | /* TODO: eventually remove deprecated stuff */ | ||
107 | time_t now = time(0); | ||
108 | pout["issued"] = util::time_to_w3c(now); | ||
109 | pout["valid_to"] = util::time_to_w3c(now+120); | ||
110 | pout["exipres_in"] = "120"; | ||
111 | pout["signed"]="mode,identity,return_to"; | ||
112 | if(ext) ext->checkid_hook(pin,pout); | ||
113 | pout["sig"] = util::base64_signature(assoc,pout); | ||
114 | } | ||
115 | |||
116 | void server_t::check_authentication(const params_t& pin,params_t& pout) { | ||
117 | vector<unsigned char> sig; | ||
118 | const string& sigenc = pin.get_param("openid.sig"); | ||
119 | util::decode_base64(sigenc,sig); | ||
120 | assoc_t assoc; | ||
121 | try { | ||
122 | assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); | ||
123 | }catch(failed_lookup& fl) { | ||
124 | throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); | ||
125 | } | ||
126 | if(!assoc->stateless()) | ||
127 | throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); | ||
128 | const string& slist = pin.get_param("openid.signed"); | ||
129 | string kv; | ||
130 | string::size_type p =0; | ||
131 | while(true) { | ||
132 | string::size_type co = slist.find(',',p); | ||
133 | string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); | ||
134 | kv += f; | ||
135 | kv += ':'; | ||
136 | if(f=="mode") | ||
137 | kv += "id_res"; | ||
138 | else { | ||
139 | f.insert(0,"openid."); | ||
140 | kv += pin.get_param(f); | ||
141 | } | ||
142 | kv += '\n'; | ||
143 | if(co==string::npos) | ||
144 | break; | ||
145 | p = co+1; | ||
146 | } | ||
147 | secret_t secret = assoc->secret(); | ||
148 | unsigned int md_len = 0; | ||
149 | unsigned char *md = HMAC( | ||
150 | EVP_sha1(), | ||
151 | &(secret.front()),secret.size(), | ||
152 | (const unsigned char *)kv.data(),kv.length(), | ||
153 | 0,&md_len); | ||
154 | pout.clear(); | ||
155 | if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { | ||
156 | pout["is_valid"]="true"; | ||
157 | pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ | ||
158 | }else{ | ||
159 | pout["is_valid"]="false"; | ||
160 | pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ | ||
161 | } | ||
162 | if(pin.has_param("openid.invalidate_handle")) { | ||
163 | string h = pin.get_param("openid.invalidate_handle"); | ||
164 | try { | ||
165 | assoc_t tmp = retrieve_assoc(h); | ||
166 | }catch(invalid_handle& ih) { | ||
167 | pout["invalidate_handle"] = h; | ||
168 | }catch(failed_lookup& fl) { } | ||
169 | } | ||
170 | } | ||
171 | |||
172 | } | ||