oauth
This commit is contained in:
parent
449e39a7e1
commit
a620b61e04
@ -41,74 +41,105 @@
|
||||
|
||||
//////////// OAUTH //////////////////
|
||||
|
||||
static int check_oauth(void)
|
||||
{
|
||||
oauth_key_data_raw okdr = {
|
||||
"0123456789",
|
||||
"01234567890123456789012345678901",
|
||||
123456789,
|
||||
3600,
|
||||
"SHA1",
|
||||
"AES-256-CBC",
|
||||
"",
|
||||
"HMAC-SHA-1",
|
||||
""
|
||||
};
|
||||
static const char* shas[]={"SHA1","SHA256",NULL};
|
||||
static const char* encs[]={"AES-256-CBC","AES-128-CBC",
|
||||
#if !defined(TURN_NO_GCM)
|
||||
"AEAD_AES_128_GCM", "AEAD_AES_256_GCM",
|
||||
#endif
|
||||
NULL};
|
||||
static const char* hmacs[]={"HMAC-SHA-1","HMAC-SHA-256","HMAC-SHA-256-128",NULL};
|
||||
|
||||
oauth_key_data okd;
|
||||
static int check_oauth(void) {
|
||||
|
||||
convert_oauth_key_data_raw(&okdr,&okd);
|
||||
const char server_name[33] = "herod";
|
||||
|
||||
char err_msg[1025]="\0";
|
||||
size_t err_msg_size = sizeof(err_msg)-1;
|
||||
oauth_key key;
|
||||
for (size_t i_hmacs = 0; hmacs[i_hmacs]; ++i_hmacs) {
|
||||
|
||||
if(convert_oauth_key_data(&okd, &key, err_msg, err_msg_size)<0) {
|
||||
fprintf(stderr,"%s\n",err_msg);
|
||||
return -1;
|
||||
}
|
||||
for (size_t i_shas = 0; shas[i_shas]; ++i_shas) {
|
||||
|
||||
oauth_token ot = {
|
||||
{
|
||||
20,
|
||||
"01234567890123456789",
|
||||
123456789,
|
||||
3600
|
||||
},
|
||||
"",0
|
||||
};
|
||||
for (size_t i_encs = 0; encs[i_encs]; ++i_encs) {
|
||||
|
||||
char server_name[33]="herod";
|
||||
encoded_oauth_token etoken;
|
||||
printf("oauth token %s:%s:%s:",hmacs[i_hmacs],shas[i_shas],encs[i_encs]);
|
||||
|
||||
if(encode_oauth_token((u08bits *)server_name, &etoken, &key, &ot)<0) {
|
||||
fprintf(stderr,"%s: cannot encode oauth token\n",__FUNCTION__);
|
||||
return -1;
|
||||
}
|
||||
oauth_token ot = { { 20, "01234567890123456789", 123456789, 3600 } };
|
||||
oauth_token dot;
|
||||
oauth_key key;
|
||||
|
||||
oauth_token dot;
|
||||
{
|
||||
oauth_key_data okd;
|
||||
|
||||
if(decode_oauth_token((u08bits *)server_name, &etoken, &key, &dot)<0) {
|
||||
fprintf(stderr,"%s: cannot decode oauth token\n",__FUNCTION__);
|
||||
return -1;
|
||||
}
|
||||
{
|
||||
oauth_key_data_raw okdr = { "0123456789",
|
||||
"01234567890123456789012345678901", 123456789,
|
||||
3600, "", "", "", "", "" };
|
||||
|
||||
if(strcmp((char*)ot.enc_block.mac_key,(char*)dot.enc_block.mac_key)) {
|
||||
fprintf(stderr,"%s: wrong mac key: %s, must be %s\n",__FUNCTION__,(char*)dot.enc_block.mac_key,(char*)ot.enc_block.mac_key);
|
||||
return -1;
|
||||
}
|
||||
STRCPY(okdr.as_rs_alg, encs[i_encs]);
|
||||
STRCPY(okdr.auth_alg, hmacs[i_hmacs]);
|
||||
STRCPY(okdr.hkdf_hash_func, shas[i_shas]);
|
||||
|
||||
if(ot.enc_block.key_length != dot.enc_block.key_length) {
|
||||
fprintf(stderr,"%s: wrong key length: %d, must be %d\n",__FUNCTION__,(int)dot.enc_block.key_length,(int)ot.enc_block.key_length);
|
||||
return -1;
|
||||
}
|
||||
if(ot.enc_block.timestamp != dot.enc_block.timestamp) {
|
||||
fprintf(stderr,"%s: wrong timestamp: %llu, must be %llu\n",__FUNCTION__,(unsigned long long)dot.enc_block.timestamp,(unsigned long long)ot.enc_block.timestamp);
|
||||
return -1;
|
||||
}
|
||||
if(ot.enc_block.lifetime != dot.enc_block.lifetime) {
|
||||
fprintf(stderr,"%s: wrong lifetime: %lu, must be %lu\n",__FUNCTION__,(unsigned long)dot.enc_block.lifetime,(unsigned long)ot.enc_block.lifetime);
|
||||
return -1;
|
||||
convert_oauth_key_data_raw(&okdr, &okd);
|
||||
|
||||
char err_msg[1025] = "\0";
|
||||
size_t err_msg_size = sizeof(err_msg) - 1;
|
||||
|
||||
if (convert_oauth_key_data(&okd, &key, err_msg,
|
||||
err_msg_size) < 0) {
|
||||
fprintf(stderr, "%s\n", err_msg);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
{
|
||||
encoded_oauth_token etoken;
|
||||
|
||||
if (encode_oauth_token((u08bits *) server_name, &etoken,
|
||||
&key, &ot) < 0) {
|
||||
fprintf(stderr, "%s: cannot encode oauth token\n",
|
||||
__FUNCTION__);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (decode_oauth_token((u08bits *) server_name, &etoken,
|
||||
&key, &dot) < 0) {
|
||||
fprintf(stderr, "%s: cannot decode oauth token\n",
|
||||
__FUNCTION__);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (strcmp((char*) ot.enc_block.mac_key,
|
||||
(char*) dot.enc_block.mac_key)) {
|
||||
fprintf(stderr, "%s: wrong mac key: %s, must be %s\n",
|
||||
__FUNCTION__, (char*) dot.enc_block.mac_key,
|
||||
(char*) ot.enc_block.mac_key);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (ot.enc_block.key_length != dot.enc_block.key_length) {
|
||||
fprintf(stderr, "%s: wrong key length: %d, must be %d\n",
|
||||
__FUNCTION__, (int) dot.enc_block.key_length,
|
||||
(int) ot.enc_block.key_length);
|
||||
return -1;
|
||||
}
|
||||
if (ot.enc_block.timestamp != dot.enc_block.timestamp) {
|
||||
fprintf(stderr, "%s: wrong timestamp: %llu, must be %llu\n",
|
||||
__FUNCTION__,
|
||||
(unsigned long long) dot.enc_block.timestamp,
|
||||
(unsigned long long) ot.enc_block.timestamp);
|
||||
return -1;
|
||||
}
|
||||
if (ot.enc_block.lifetime != dot.enc_block.lifetime) {
|
||||
fprintf(stderr, "%s: wrong lifetime: %lu, must be %lu\n",
|
||||
__FUNCTION__,
|
||||
(unsigned long) dot.enc_block.lifetime,
|
||||
(unsigned long) ot.enc_block.lifetime);
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("OK\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
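Review bot: The mac-key comparison `if (strcmp((char*) ot.enc_block.mac_key, (char*) dot.enc_block.mac_key))` treats a key buffer as a C string, so it relies on the decoder NUL-terminating `dot.enc_block.mac_key` and stops at the first zero byte of a binary key, and it runs before the key_length comparison that would make a bounded compare meaningful. Suggest moving the key_length check first and comparing with `if (memcmp(ot.enc_block.mac_key, dot.enc_block.mac_key, ot.enc_block.key_length))`, and dropping the `%s` of the key bytes from the mismatch message in favour of printing the two lengths. The rest of the loop body only checks the plaintext fields; a negative case (a token encoded under one key and decoded under another, or with a flipped byte) would exercise the integrity path that the new `EVP_DecryptFinal_ex` check in decode_oauth_token_aead depends on. check_oauth's closing brace is outside the hunk.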
@ -1669,9 +1669,9 @@ static void normalize_algorithm(char *s)
|
||||
{
|
||||
char c = *s;
|
||||
while(c) {
|
||||
if(c=='_') c='-';
|
||||
if(c=='_') *s='-';
|
||||
else if((c>='a')&&(c<='z')) {
|
||||
c = c - 'a' + 'A';
|
||||
*s = c - 'a' + 'A';
|
||||
}
|
||||
++s;
|
||||
c = *s;
|
||||
@ -1835,10 +1835,10 @@ int convert_oauth_key_data(oauth_key_data *oakd, oauth_key *key, char *err_msg,
|
||||
key->auth_alg = AUTH_ALG_HMAC_SHA_256_128;
|
||||
} else if(oakd->auth_alg[0]) {
|
||||
if(err_msg) {
|
||||
snprintf(err_msg,err_msg_size,"Wrong oAuth token hash algorithm: %s",oakd->auth_alg);
|
||||
snprintf(err_msg,err_msg_size,"Wrong oAuth token hash algorithm: %s (1)\n",oakd->auth_alg);
|
||||
}
|
||||
key->auth_alg = AUTH_ALG_ERROR;
|
||||
OAUTH_ERROR("Wrong oAuth token hash algorithm: %s",oakd->auth_alg);
|
||||
OAUTH_ERROR("Wrong oAuth token hash algorithm: %s (2)\n",oakd->auth_alg);
|
||||
return -1;
|
||||
}
|
||||
|
||||
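Review bot: The new message text in `snprintf(err_msg, err_msg_size, "Wrong oAuth token hash algorithm: %s (1)\n", oakd->auth_alg);` and the matching `OAUTH_ERROR(... "%s (2)\n" ...)` carries numeric markers and a trailing newline inside err_msg, so the same condition reports different text to the caller and to the log, and the caller that prints err_msg with its own `\n` (check_oauth in the first hunk) gets a blank line; the hunk at -1855 has the same pattern with `(2)` and `(3)`. If the markers are meant to distinguish call sites, the `"%s: ..."` with `__FUNCTION__` form used by the other OAUTH_ERROR calls in the file does that without leaking into err_msg. Suggest `snprintf(err_msg, err_msg_size, "Wrong oAuth token hash algorithm: %s", oakd->auth_alg);` and the same message without markers in the OAUTH_ERROR line. convert_oauth_key_data starts and ends outside the hunk.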
@ -1855,9 +1855,9 @@ int convert_oauth_key_data(oauth_key_data *oakd, oauth_key *key, char *err_msg,
|
||||
#endif
|
||||
} else if(oakd->as_rs_alg[0]) {
|
||||
if(err_msg) {
|
||||
snprintf(err_msg,err_msg_size,"Wrong oAuth token encryption algorithm: %s",oakd->as_rs_alg);
|
||||
snprintf(err_msg,err_msg_size,"Wrong oAuth token encryption algorithm: %s (2)\n",oakd->as_rs_alg);
|
||||
}
|
||||
OAUTH_ERROR("Wrong oAuth token encryption algorithm: %s",oakd->as_rs_alg);
|
||||
OAUTH_ERROR("Wrong oAuth token encryption algorithm: %s (3)\n",oakd->as_rs_alg);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -2008,6 +2008,8 @@ static int encode_oauth_token_normal(u08bits *server_name, encoded_oauth_token *
|
||||
EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl);
|
||||
outl += tmp_outl;
|
||||
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
|
||||
size_t sn_len = strlen((char*)server_name);
|
||||
ns_bcopy(server_name,encoded_field+outl,sn_len);
|
||||
outl += sn_len;
|
||||
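Review bot: The return value of `EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl);` is still unchecked, so on failure `outl` is advanced by whatever tmp_outl holds and the server name is appended to an incomplete ciphertext; the added cleanup does not change that. The same omission in decode_oauth_token_normal (hunk at -2092, `EVP_DecryptFinal_ex(&ctx, decoded_field + outl, &tmp_outl);`) matters more, because a padding or corruption failure there goes unnoticed and the field parser below continues on the contents of `decoded_field`, whereas decode_oauth_token_aead (hunk at -2247) already tests `< 1`, cleans up and returns -1. Suggest the same shape in both normal-mode functions, e.g. `if (EVP_DecryptFinal_ex(&ctx, decoded_field + outl, &tmp_outl) < 1) { EVP_CIPHER_CTX_cleanup(&ctx); OAUTH_ERROR("%s: decryption failed\n", __FUNCTION__); return -1; }`. Both enclosing functions start outside their hunks.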
@ -2054,6 +2056,7 @@ static int decode_oauth_token_normal(u08bits *server_name, encoded_oauth_token *
|
||||
if(!md)
|
||||
return -1;
|
||||
unsigned int hmac_len = EVP_MD_size(md);
|
||||
update_hmac_len(key->auth_alg,&hmac_len);
|
||||
if(hmac_len != mac_size) {
|
||||
OAUTH_ERROR("%s: mac size is wrong: %d, must be %d\n",__FUNCTION__,(int)mac_size,(int)hmac_len);
|
||||
return -1;
|
||||
@ -2073,9 +2076,6 @@ static int decode_oauth_token_normal(u08bits *server_name, encoded_oauth_token *
|
||||
}
|
||||
}
|
||||
|
||||
ns_bcopy(mac,dtoken->mac,mac_size);
|
||||
dtoken->mac_size = mac_size;
|
||||
|
||||
unsigned char decoded_field[MAX_ENCODED_OAUTH_TOKEN_SIZE];
|
||||
|
||||
const EVP_CIPHER * cipher = get_cipher_type(key->as_rs_alg);
|
||||
@ -2092,6 +2092,8 @@ static int decode_oauth_token_normal(u08bits *server_name, encoded_oauth_token *
|
||||
EVP_DecryptFinal_ex(&ctx, decoded_field + outl, &tmp_outl);
|
||||
outl += tmp_outl;
|
||||
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
|
||||
size_t len = 0;
|
||||
|
||||
dtoken->enc_block.key_length = nswap16(*((uint16_t*)(decoded_field+len)));
|
||||
@ -2190,6 +2192,8 @@ static int encode_oauth_token_aead(u08bits *server_name, encoded_oauth_token *et
|
||||
|
||||
etoken->size = outl;
|
||||
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
|
||||
return 0;
|
||||
}
|
||||
return -1;
|
||||
@ -2210,8 +2214,6 @@ static int decode_oauth_token_aead(u08bits *server_name, encoded_oauth_token *et
|
||||
unsigned char* nonce = ((unsigned char*)etoken->token) + encoded_field_size + OAUTH_AEAD_TAG_SIZE;
|
||||
unsigned char* tag = ((unsigned char*)etoken->token) + encoded_field_size;
|
||||
|
||||
dtoken->mac_size = 0;
|
||||
|
||||
unsigned char decoded_field[MAX_ENCODED_OAUTH_TOKEN_SIZE];
|
||||
|
||||
const EVP_CIPHER * cipher = get_cipher_type(key->as_rs_alg);
|
||||
@ -2247,11 +2249,14 @@ static int decode_oauth_token_aead(u08bits *server_name, encoded_oauth_token *et
|
||||
|
||||
int tmp_outl = 0;
|
||||
if(EVP_DecryptFinal_ex(&ctx, decoded_field + outl, &tmp_outl)<1) {
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
OAUTH_ERROR("%s: token integrity check failed\n",__FUNCTION__);
|
||||
return -1;
|
||||
}
|
||||
outl += tmp_outl;
|
||||
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
|
||||
size_t len = 0;
|
||||
|
||||
dtoken->enc_block.key_length = nswap16(*((uint16_t*)(decoded_field+len)));
|
||||
|
||||
@ -158,8 +158,6 @@ typedef struct _oauth_encrypted_block oauth_encrypted_block;
|
||||
|
||||
struct _oauth_token {
|
||||
oauth_encrypted_block enc_block;
|
||||
uint8_t mac[MAXSHASIZE];
|
||||
size_t mac_size;
|
||||
};
|
||||
|
||||
typedef struct _oauth_token oauth_token;
|
||||
|
||||