summaryrefslogtreecommitdiffabout
path: root/lib/server.cc
Unidiff
Diffstat (limited to 'lib/server.cc') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/server.cc11
1 files changed, 6 insertions, 5 deletions
diff --git a/lib/server.cc b/lib/server.cc
index e81d4b6..8db97be 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -1,169 +1,170 @@
1#include <vector> 1#include <vector>
2#include <openssl/sha.h> 2#include <openssl/sha.h>
3#include <openssl/hmac.h> 3#include <openssl/hmac.h>
4#include <opkele/util.h> 4#include <opkele/util.h>
5#include <opkele/exception.h> 5#include <opkele/exception.h>
6#include <opkele/server.h> 6#include <opkele/server.h>
7#include <opkele/data.h> 7#include <opkele/data.h>
8 8
9namespace opkele { 9namespace opkele {
10 using namespace std; 10 using namespace std;
11 11
12 void server_t::associate(const params_t& pin,params_t& pout) { 12 void server_t::associate(const params_t& pin,params_t& pout) {
13 util::dh_t dh; 13 util::dh_t dh;
14 util::bignum_t c_pub; 14 util::bignum_t c_pub;
15 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 15 unsigned char key_sha1[SHA_DIGEST_LENGTH];
16 enum { 16 enum {
17 sess_cleartext, 17 sess_cleartext,
18 sess_dh_sha1 18 sess_dh_sha1
19 } st = sess_cleartext; 19 } st = sess_cleartext;
20 if( 20 if(
21 pin.has_param("openid.session_type") 21 pin.has_param("openid.session_type")
22 && pin.get_param("openid.session_type")=="DH-SHA1" ) { 22 && pin.get_param("openid.session_type")=="DH-SHA1" ) {
23 /* TODO: fallback to cleartext in case of exceptions here? */ 23 /* TODO: fallback to cleartext in case of exceptions here? */
24 if(!(dh = DH_new())) 24 if(!(dh = DH_new()))
25 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 25 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
26 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); 26 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
27 if(pin.has_param("openid.dh_modulus")) 27 if(pin.has_param("openid.dh_modulus"))
28 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); 28 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
29 else 29 else
30 dh->p = util::dec_to_bignum(data::_default_p); 30 dh->p = util::dec_to_bignum(data::_default_p);
31 if(pin.has_param("openid.dh_gen")) 31 if(pin.has_param("openid.dh_gen"))
32 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); 32 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
33 else 33 else
34 dh->g = util::dec_to_bignum(data::_default_g); 34 dh->g = util::dec_to_bignum(data::_default_g);
35 if(!DH_generate_key(dh)) 35 if(!DH_generate_key(dh))
36 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 36 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
37 vector<unsigned char> ck(DH_size(dh)); 37 vector<unsigned char> ck(DH_size(dh)+1);
38 unsigned char *ckptr = &(ck.front())+1;
38 int cklen = DH_compute_key(&(ck.front()),c_pub,dh); 39 int cklen = DH_compute_key(&(ck.front()),c_pub,dh);
39 if(cklen<0) 40 if(cklen<0)
40 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 41 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
41 ck.resize(cklen); 42 if(cklen && (*ckptr)&0x80) {
42 // OpenID algorithm requires extra zero in case of set bit here 43 (*(--ckptr)) = 0; ++cklen;
43 if(ck[0]&0x80) ck.insert(ck.begin(),1,0); 44 }
44 SHA1(&(ck.front()),ck.size(),key_sha1); 45 SHA1(ckptr,cklen,key_sha1);
45 st = sess_dh_sha1; 46 st = sess_dh_sha1;
46 } 47 }
47 assoc_t assoc = alloc_assoc(mode_associate); 48 assoc_t assoc = alloc_assoc(mode_associate);
48 time_t now = time(0); 49 time_t now = time(0);
49 pout.clear(); 50 pout.clear();
50 pout["assoc_type"] = assoc->assoc_type(); 51 pout["assoc_type"] = assoc->assoc_type();
51 pout["assoc_handle"] = assoc->handle(); 52 pout["assoc_handle"] = assoc->handle();
52 /* TODO: eventually remove deprecated stuff */ 53 /* TODO: eventually remove deprecated stuff */
53 pout["issued"] = util::time_to_w3c(now); 54 pout["issued"] = util::time_to_w3c(now);
54 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); 55 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
55 pout["expires_in"] = util::long_to_string(assoc->expires_in()); 56 pout["expires_in"] = util::long_to_string(assoc->expires_in());
56 secret_t secret = assoc->secret(); 57 secret_t secret = assoc->secret();
57 switch(st) { 58 switch(st) {
58 case sess_dh_sha1: 59 case sess_dh_sha1:
59 pout["session_type"] = "DH-SHA1"; 60 pout["session_type"] = "DH-SHA1";
60 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); 61 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
61 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); 62 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
62 break; 63 break;
63 default: 64 default:
64 secret.to_base64(pout["mac_key"]); 65 secret.to_base64(pout["mac_key"]);
65 break; 66 break;
66 } 67 }
67 } 68 }
68 69
69 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 70 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
70 checkid_(mode_checkid_immediate,pin,return_to,pout,ext); 71 checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
71 } 72 }
72 73
73 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 74 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
74 checkid_(mode_checkid_setup,pin,return_to,pout,ext); 75 checkid_(mode_checkid_setup,pin,return_to,pout,ext);
75 } 76 }
76 77
77 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 78 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
78 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) 79 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
79 throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); 80 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
80 pout.clear(); 81 pout.clear();
81 assoc_t assoc; 82 assoc_t assoc;
82 try { 83 try {
83 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 84 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
84 }catch(failed_lookup& fl) { 85 }catch(failed_lookup& fl) {
85 // no handle specified or no valid handle found, going dumb 86 // no handle specified or no valid handle found, going dumb
86 assoc = alloc_assoc(mode_checkid_setup); 87 assoc = alloc_assoc(mode_checkid_setup);
87 if(pin.has_param("openid.assoc_handle")) 88 if(pin.has_param("openid.assoc_handle"))
88 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); 89 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
89 } 90 }
90 string trust_root; 91 string trust_root;
91 try { 92 try {
92 trust_root = pin.get_param("openid.trust_root"); 93 trust_root = pin.get_param("openid.trust_root");
93 }catch(failed_lookup& fl) { } 94 }catch(failed_lookup& fl) { }
94 string identity = pin.get_param("openid.identity"); 95 string identity = pin.get_param("openid.identity");
95 return_to = pin.get_param("openid.return_to"); 96 return_to = pin.get_param("openid.return_to");
96 validate(*assoc,pin,identity,trust_root); 97 validate(*assoc,pin,identity,trust_root);
97 pout["mode"] = "id_res"; 98 pout["mode"] = "id_res";
98 pout["assoc_handle"] = assoc->handle(); 99 pout["assoc_handle"] = assoc->handle();
99 if(pin.has_param("openid.assoc_handle") && assoc->stateless()) 100 if(pin.has_param("openid.assoc_handle") && assoc->stateless())
100 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); 101 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
101 pout["identity"] = identity; 102 pout["identity"] = identity;
102 pout["return_to"] = return_to; 103 pout["return_to"] = return_to;
103 /* TODO: eventually remove deprecated stuff */ 104 /* TODO: eventually remove deprecated stuff */
104 time_t now = time(0); 105 time_t now = time(0);
105 pout["issued"] = util::time_to_w3c(now); 106 pout["issued"] = util::time_to_w3c(now);
106 pout["valid_to"] = util::time_to_w3c(now+120); 107 pout["valid_to"] = util::time_to_w3c(now+120);
107 pout["exipres_in"] = "120"; 108 pout["exipres_in"] = "120";
108 pout["signed"]="mode,identity,return_to"; 109 pout["signed"]="mode,identity,return_to";
109 if(ext) ext->checkid_hook(pin,pout); 110 if(ext) ext->checkid_hook(pin,pout);
110 pout.sign(assoc->secret(),pout["sig"],pout["signed"]); 111 pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
111 } 112 }
112 113
113 void server_t::check_authentication(const params_t& pin,params_t& pout) { 114 void server_t::check_authentication(const params_t& pin,params_t& pout) {
114 vector<unsigned char> sig; 115 vector<unsigned char> sig;
115 const string& sigenc = pin.get_param("openid.sig"); 116 const string& sigenc = pin.get_param("openid.sig");
116 util::decode_base64(sigenc,sig); 117 util::decode_base64(sigenc,sig);
117 assoc_t assoc; 118 assoc_t assoc;
118 try { 119 try {
119 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 120 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
120 }catch(failed_lookup& fl) { 121 }catch(failed_lookup& fl) {
121 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); 122 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
122 } 123 }
123 if(!assoc->stateless()) 124 if(!assoc->stateless())
124 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); 125 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
125 const string& slist = pin.get_param("openid.signed"); 126 const string& slist = pin.get_param("openid.signed");
126 string kv; 127 string kv;
127 string::size_type p =0; 128 string::size_type p =0;
128 while(true) { 129 while(true) {
129 string::size_type co = slist.find(',',p); 130 string::size_type co = slist.find(',',p);
130 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 131 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
131 kv += f; 132 kv += f;
132 kv += ':'; 133 kv += ':';
133 if(f=="mode") 134 if(f=="mode")
134 kv += "id_res"; 135 kv += "id_res";
135 else { 136 else {
136 f.insert(0,"openid."); 137 f.insert(0,"openid.");
137 kv += pin.get_param(f); 138 kv += pin.get_param(f);
138 } 139 }
139 kv += '\n'; 140 kv += '\n';
140 if(co==string::npos) 141 if(co==string::npos)
141 break; 142 break;
142 p = co+1; 143 p = co+1;
143 } 144 }
144 secret_t secret = assoc->secret(); 145 secret_t secret = assoc->secret();
145 unsigned int md_len = 0; 146 unsigned int md_len = 0;
146 unsigned char *md = HMAC( 147 unsigned char *md = HMAC(
147 EVP_sha1(), 148 EVP_sha1(),
148 &(secret.front()),secret.size(), 149 &(secret.front()),secret.size(),
149 (const unsigned char *)kv.data(),kv.length(), 150 (const unsigned char *)kv.data(),kv.length(),
150 0,&md_len); 151 0,&md_len);
151 pout.clear(); 152 pout.clear();
152 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { 153 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
153 pout["is_valid"]="true"; 154 pout["is_valid"]="true";
154 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ 155 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
155 }else{ 156 }else{
156 pout["is_valid"]="false"; 157 pout["is_valid"]="false";
157 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ 158 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
158 } 159 }
159 if(pin.has_param("openid.invalidate_handle")) { 160 if(pin.has_param("openid.invalidate_handle")) {
160 string h = pin.get_param("openid.invalidate_handle"); 161 string h = pin.get_param("openid.invalidate_handle");
161 try { 162 try {
162 assoc_t assoc = retrieve_assoc(h); 163 assoc_t assoc = retrieve_assoc(h);
163 }catch(invalid_handle& ih) { 164 }catch(invalid_handle& ih) {
164 pout["invalidate_handle"] = h; 165 pout["invalidate_handle"] = h;
165 }catch(failed_lookup& fl) { } 166 }catch(failed_lookup& fl) { }
166 } 167 }
167 } 168 }
168 169
169} 170}