summaryrefslogtreecommitdiffabout
path: root/lib/server.cc
Unidiff
Diffstat (limited to 'lib/server.cc') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/server.cc1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/server.cc b/lib/server.cc
index b1c5c3a..aa61035 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -1,170 +1,171 @@
1#include <cstring>
1#include <vector> 2#include <vector>
2#include <openssl/sha.h> 3#include <openssl/sha.h>
3#include <openssl/hmac.h> 4#include <openssl/hmac.h>
4#include <opkele/util.h> 5#include <opkele/util.h>
5#include <opkele/exception.h> 6#include <opkele/exception.h>
6#include <opkele/server.h> 7#include <opkele/server.h>
7#include <opkele/data.h> 8#include <opkele/data.h>
8 9
9namespace opkele { 10namespace opkele {
10 using namespace std; 11 using namespace std;
11 12
12 void server_t::associate(const params_t& pin,params_t& pout) { 13 void server_t::associate(const params_t& pin,params_t& pout) {
13 util::dh_t dh; 14 util::dh_t dh;
14 util::bignum_t c_pub; 15 util::bignum_t c_pub;
15 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 16 unsigned char key_sha1[SHA_DIGEST_LENGTH];
16 enum { 17 enum {
17 sess_cleartext, 18 sess_cleartext,
18 sess_dh_sha1 19 sess_dh_sha1
19 } st = sess_cleartext; 20 } st = sess_cleartext;
20 if( 21 if(
21 pin.has_param("openid.session_type") 22 pin.has_param("openid.session_type")
22 && pin.get_param("openid.session_type")=="DH-SHA1" ) { 23 && pin.get_param("openid.session_type")=="DH-SHA1" ) {
23 /* TODO: fallback to cleartext in case of exceptions here? */ 24 /* TODO: fallback to cleartext in case of exceptions here? */
24 if(!(dh = DH_new())) 25 if(!(dh = DH_new()))
25 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 26 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
26 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); 27 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
27 if(pin.has_param("openid.dh_modulus")) 28 if(pin.has_param("openid.dh_modulus"))
28 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); 29 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
29 else 30 else
30 dh->p = util::dec_to_bignum(data::_default_p); 31 dh->p = util::dec_to_bignum(data::_default_p);
31 if(pin.has_param("openid.dh_gen")) 32 if(pin.has_param("openid.dh_gen"))
32 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); 33 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
33 else 34 else
34 dh->g = util::dec_to_bignum(data::_default_g); 35 dh->g = util::dec_to_bignum(data::_default_g);
35 if(!DH_generate_key(dh)) 36 if(!DH_generate_key(dh))
36 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 37 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
37 vector<unsigned char> ck(DH_size(dh)+1); 38 vector<unsigned char> ck(DH_size(dh)+1);
38 unsigned char *ckptr = &(ck.front())+1; 39 unsigned char *ckptr = &(ck.front())+1;
39 int cklen = DH_compute_key(ckptr,c_pub,dh); 40 int cklen = DH_compute_key(ckptr,c_pub,dh);
40 if(cklen<0) 41 if(cklen<0)
41 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 42 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
42 if(cklen && (*ckptr)&0x80) { 43 if(cklen && (*ckptr)&0x80) {
43 (*(--ckptr)) = 0; ++cklen; 44 (*(--ckptr)) = 0; ++cklen;
44 } 45 }
45 SHA1(ckptr,cklen,key_sha1); 46 SHA1(ckptr,cklen,key_sha1);
46 st = sess_dh_sha1; 47 st = sess_dh_sha1;
47 } 48 }
48 assoc_t assoc = alloc_assoc(mode_associate); 49 assoc_t assoc = alloc_assoc(mode_associate);
49 time_t now = time(0); 50 time_t now = time(0);
50 pout.clear(); 51 pout.clear();
51 pout["assoc_type"] = assoc->assoc_type(); 52 pout["assoc_type"] = assoc->assoc_type();
52 pout["assoc_handle"] = assoc->handle(); 53 pout["assoc_handle"] = assoc->handle();
53 /* TODO: eventually remove deprecated stuff */ 54 /* TODO: eventually remove deprecated stuff */
54 pout["issued"] = util::time_to_w3c(now); 55 pout["issued"] = util::time_to_w3c(now);
55 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); 56 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
56 pout["expires_in"] = util::long_to_string(assoc->expires_in()); 57 pout["expires_in"] = util::long_to_string(assoc->expires_in());
57 secret_t secret = assoc->secret(); 58 secret_t secret = assoc->secret();
58 switch(st) { 59 switch(st) {
59 case sess_dh_sha1: 60 case sess_dh_sha1:
60 pout["session_type"] = "DH-SHA1"; 61 pout["session_type"] = "DH-SHA1";
61 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); 62 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
62 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); 63 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
63 break; 64 break;
64 default: 65 default:
65 secret.to_base64(pout["mac_key"]); 66 secret.to_base64(pout["mac_key"]);
66 break; 67 break;
67 } 68 }
68 } 69 }
69 70
70 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 71 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
71 checkid_(mode_checkid_immediate,pin,return_to,pout,ext); 72 checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
72 } 73 }
73 74
74 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 75 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
75 checkid_(mode_checkid_setup,pin,return_to,pout,ext); 76 checkid_(mode_checkid_setup,pin,return_to,pout,ext);
76 } 77 }
77 78
78 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 79 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
79 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) 80 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
80 throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); 81 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
81 pout.clear(); 82 pout.clear();
82 assoc_t assoc; 83 assoc_t assoc;
83 try { 84 try {
84 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 85 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
85 }catch(failed_lookup& fl) { 86 }catch(failed_lookup& fl) {
86 // no handle specified or no valid handle found, going dumb 87 // no handle specified or no valid handle found, going dumb
87 assoc = alloc_assoc(mode_checkid_setup); 88 assoc = alloc_assoc(mode_checkid_setup);
88 if(pin.has_param("openid.assoc_handle")) 89 if(pin.has_param("openid.assoc_handle"))
89 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); 90 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
90 } 91 }
91 string trust_root; 92 string trust_root;
92 try { 93 try {
93 trust_root = pin.get_param("openid.trust_root"); 94 trust_root = pin.get_param("openid.trust_root");
94 }catch(failed_lookup& fl) { } 95 }catch(failed_lookup& fl) { }
95 string identity = pin.get_param("openid.identity"); 96 string identity = pin.get_param("openid.identity");
96 return_to = pin.get_param("openid.return_to"); 97 return_to = pin.get_param("openid.return_to");
97 validate(*assoc,pin,identity,trust_root); 98 validate(*assoc,pin,identity,trust_root);
98 pout["mode"] = "id_res"; 99 pout["mode"] = "id_res";
99 pout["assoc_handle"] = assoc->handle(); 100 pout["assoc_handle"] = assoc->handle();
100 if(pin.has_param("openid.assoc_handle") && assoc->stateless()) 101 if(pin.has_param("openid.assoc_handle") && assoc->stateless())
101 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); 102 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
102 pout["identity"] = identity; 103 pout["identity"] = identity;
103 pout["return_to"] = return_to; 104 pout["return_to"] = return_to;
104 /* TODO: eventually remove deprecated stuff */ 105 /* TODO: eventually remove deprecated stuff */
105 time_t now = time(0); 106 time_t now = time(0);
106 pout["issued"] = util::time_to_w3c(now); 107 pout["issued"] = util::time_to_w3c(now);
107 pout["valid_to"] = util::time_to_w3c(now+120); 108 pout["valid_to"] = util::time_to_w3c(now+120);
108 pout["exipres_in"] = "120"; 109 pout["exipres_in"] = "120";
109 pout["signed"]="mode,identity,return_to"; 110 pout["signed"]="mode,identity,return_to";
110 if(ext) ext->checkid_hook(pin,pout); 111 if(ext) ext->checkid_hook(pin,pout);
111 pout.sign(assoc->secret(),pout["sig"],pout["signed"]); 112 pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
112 } 113 }
113 114
114 void server_t::check_authentication(const params_t& pin,params_t& pout) { 115 void server_t::check_authentication(const params_t& pin,params_t& pout) {
115 vector<unsigned char> sig; 116 vector<unsigned char> sig;
116 const string& sigenc = pin.get_param("openid.sig"); 117 const string& sigenc = pin.get_param("openid.sig");
117 util::decode_base64(sigenc,sig); 118 util::decode_base64(sigenc,sig);
118 assoc_t assoc; 119 assoc_t assoc;
119 try { 120 try {
120 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 121 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
121 }catch(failed_lookup& fl) { 122 }catch(failed_lookup& fl) {
122 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); 123 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
123 } 124 }
124 if(!assoc->stateless()) 125 if(!assoc->stateless())
125 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); 126 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
126 const string& slist = pin.get_param("openid.signed"); 127 const string& slist = pin.get_param("openid.signed");
127 string kv; 128 string kv;
128 string::size_type p =0; 129 string::size_type p =0;
129 while(true) { 130 while(true) {
130 string::size_type co = slist.find(',',p); 131 string::size_type co = slist.find(',',p);
131 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 132 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
132 kv += f; 133 kv += f;
133 kv += ':'; 134 kv += ':';
134 if(f=="mode") 135 if(f=="mode")
135 kv += "id_res"; 136 kv += "id_res";
136 else { 137 else {
137 f.insert(0,"openid."); 138 f.insert(0,"openid.");
138 kv += pin.get_param(f); 139 kv += pin.get_param(f);
139 } 140 }
140 kv += '\n'; 141 kv += '\n';
141 if(co==string::npos) 142 if(co==string::npos)
142 break; 143 break;
143 p = co+1; 144 p = co+1;
144 } 145 }
145 secret_t secret = assoc->secret(); 146 secret_t secret = assoc->secret();
146 unsigned int md_len = 0; 147 unsigned int md_len = 0;
147 unsigned char *md = HMAC( 148 unsigned char *md = HMAC(
148 EVP_sha1(), 149 EVP_sha1(),
149 &(secret.front()),secret.size(), 150 &(secret.front()),secret.size(),
150 (const unsigned char *)kv.data(),kv.length(), 151 (const unsigned char *)kv.data(),kv.length(),
151 0,&md_len); 152 0,&md_len);
152 pout.clear(); 153 pout.clear();
153 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { 154 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
154 pout["is_valid"]="true"; 155 pout["is_valid"]="true";
155 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ 156 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
156 }else{ 157 }else{
157 pout["is_valid"]="false"; 158 pout["is_valid"]="false";
158 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ 159 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
159 } 160 }
160 if(pin.has_param("openid.invalidate_handle")) { 161 if(pin.has_param("openid.invalidate_handle")) {
161 string h = pin.get_param("openid.invalidate_handle"); 162 string h = pin.get_param("openid.invalidate_handle");
162 try { 163 try {
163 assoc_t assoc = retrieve_assoc(h); 164 assoc_t assoc = retrieve_assoc(h);
164 }catch(invalid_handle& ih) { 165 }catch(invalid_handle& ih) {
165 pout["invalidate_handle"] = h; 166 pout["invalidate_handle"] = h;
166 }catch(failed_lookup& fl) { } 167 }catch(failed_lookup& fl) { }
167 } 168 }
168 } 169 }
169 170
170} 171}