x42 / liboauth Goto Github PK

POSIX-C functions implementing the OAuth Core RFC 5849 standard

License: Other

C 93.47% Makefile 1.54% M4 4.99%

liboauth's Introduction

liboauth

liboauth is a collection of c functions implementing the http://oauth.net API.

liboauth provides functions to escape and encode stings according to OAuth specifications and offers high-level functionality built on top to sign requests or verify signatures using either NSS or OpenSSL for calculating the hash/signatures.

The included documentation in the doc/ folder and example code from tests/ can also be found online at http://liboauth.sourceforge.net/

Send bug-reports, patches or suggestions to [email protected]. or inquire information at http://groups.google.com/group/oauth/

License and Notes

The source-code of liboauth can be distributed under MIT License, or at your option: in terms of the the GNU General Public License. see COPYING.MIT or COPYING.GPL for details.

Note: OpenSSL is not strictly compatible with the GPL license. An exemption (to the GPL) allowing to link and redistribute liboauth with the OpenSSL library is is included in the source files. for more information, see LICENSE.OpenSSL and http://lists.debian.org/debian-legal/2004/05/msg00595.html

You can avoid this whole issue by using NSS instead of OpenSSL; configure with '--enable-nss'.

The Debian packaging that comes with the source-code is licensed under the GNU General Public License.

Test and Example Code

After compilation make check can be used to perform a off-line self-test.

There is also example code to perform and verify OAuth requests online, but they are not run automatically.

tests/oauthexample.c - CONNECTS TO INTERNET walk-though http://term.ie/oauth/example
tests/oauthtest.c - CONNECTS TO INTERNET gets a request-token from http://term.ie test-server
tests/oauthtest2.c - CONNECTS TO INTERNET gets a request-token from http://term.ie test-server using OAuth HTTP Authorization header: see http://oauth.net/core/1.0a/#auth_header and http://oauth.net/core/1.0a/#consumer_req_param
tests/selftest_wiki.c
tests/selftest_eran.c Test-Cases for parameter encoding, signatures, etc
tests/commontest.c Common Test-Case functions exercising the low-level API used by self-tests.
tests/oauthdatapost.c - CONNECTS TO INTERNET Experimental code to sign data uploads Note: The example keys have since been deleted from the test-server. Code remains for inspiration/example purposes.

liboauth's People

Contributors

Stargazers

Watchers

diff --git a/src/hash.c b/src/hash.c
index b7c016b..b16b001 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -364,6 +364,11 @@ looser:
 #include "oauth.h" // base64 encode fn's.
 #include <openssl/hmac.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+#define EVP_MD_CTX_new EVP_MD_CTX_create
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
+#endif
+
 char *oauth_sign_hmac_sha1 (const char *m, const char *k) {
 	return(oauth_sign_hmac_sha1_raw (m, strlen(m), k, strlen(k)));
 }
@@ -388,7 +393,7 @@ char *oauth_sign_rsa_sha1 (const char *m, const char *k) {
 	unsigned char *sig = NULL;
 	unsigned char *passphrase = NULL;
 	unsigned int len=0;
-	EVP_MD_CTX md_ctx;
+	EVP_MD_CTX *md_ctx;
 
 	EVP_PKEY *pkey;
 	BIO *in;
@@ -401,24 +406,31 @@ char *oauth_sign_rsa_sha1 (const char *m, const char *k) {
 		return xstrdup("liboauth/OpenSSL: can not read private key");
 	}
 
+	md_ctx = EVP_MD_CTX_new();
+	if (md_ctx == NULL) {
+		return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
+	}
+
 	len = EVP_PKEY_size(pkey);
 	sig = (unsigned char*)xmalloc((len+1)*sizeof(char));
 
-	EVP_SignInit(&md_ctx, EVP_sha1());
-	EVP_SignUpdate(&md_ctx, m, strlen(m));
-	if (EVP_SignFinal (&md_ctx, sig, &len, pkey)) {
+	EVP_SignInit(md_ctx, EVP_sha1());
+	EVP_SignUpdate(md_ctx, m, strlen(m));
+	if (EVP_SignFinal (md_ctx, sig, &len, pkey)) {
 		char *tmp;
 		sig[len] = '\0';
 		tmp = oauth_encode_base64(len,sig);
 		OPENSSL_free(sig);
 		EVP_PKEY_free(pkey);
+		EVP_MD_CTX_free(md_ctx);
 		return tmp;
 	}
+	EVP_MD_CTX_free(md_ctx);
 	return xstrdup("liboauth/OpenSSL: rsa-sha1 signing failed");
 }
 
 int oauth_verify_rsa_sha1 (const char *m, const char *c, const char *s) {
-	EVP_MD_CTX md_ctx;
+	EVP_MD_CTX *md_ctx;
 	EVP_PKEY *pkey;
 	BIO *in;
 	X509 *cert = NULL;
@@ -439,13 +451,18 @@ int oauth_verify_rsa_sha1 (const char *m, const char *c, const char *s) {
 		return -2;
 	}
 
+	md_ctx = EVP_MD_CTX_new();
+	if (md_ctx == NULL) {
+		return -2;
+	}
+
 	b64d= (unsigned char*) xmalloc(sizeof(char)*strlen(s));
 	slen = oauth_decode_base64(b64d, s);
 
-	EVP_VerifyInit(&md_ctx, EVP_sha1());
-	EVP_VerifyUpdate(&md_ctx, m, strlen(m));
-	err = EVP_VerifyFinal(&md_ctx, b64d, slen, pkey);
-	EVP_MD_CTX_cleanup(&md_ctx);
+	EVP_VerifyInit(md_ctx, EVP_sha1());
+	EVP_VerifyUpdate(md_ctx, m, strlen(m));
+	err = EVP_VerifyFinal(md_ctx, b64d, slen, pkey);
+	EVP_MD_CTX_free(md_ctx);
 	EVP_PKEY_free(pkey);
 	xfree(b64d);
 	return (err);
@@ -457,35 +474,41 @@ int oauth_verify_rsa_sha1 (const char *m, const char *c, const char *s) {
  */
 char *oauth_body_hash_file(char *filename) {
 	unsigned char fb[BUFSIZ];
-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx;
 	size_t len=0;
 	unsigned char *md;
 	FILE *F= fopen(filename, "r");
 	if (!F) return NULL;
 
-	EVP_MD_CTX_init(&ctx);
-	EVP_DigestInit(&ctx,EVP_sha1());
+	ctx = EVP_MD_CTX_new();
+	if (ctx == NULL) {
+		return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
+	}
+	EVP_DigestInit(ctx,EVP_sha1());
 	while (!feof(F) && (len=fread(fb,sizeof(char),BUFSIZ, F))>0) {
-		EVP_DigestUpdate(&ctx, fb, len);
+		EVP_DigestUpdate(ctx, fb, len);
 	}
 	fclose(F);
 	len=0;
 	md=(unsigned char*) xcalloc(EVP_MD_size(EVP_sha1()),sizeof(unsigned char));
-	EVP_DigestFinal(&ctx, md,(unsigned int*) &len);
-	EVP_MD_CTX_cleanup(&ctx);
+	EVP_DigestFinal(ctx, md,(unsigned int*) &len);
+	EVP_MD_CTX_free(ctx);
 	return oauth_body_hash_encode(len, md);
 }
 
 char *oauth_body_hash_data(size_t length, const char *data) {
-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx;
 	size_t len=0;
 	unsigned char *md;
 	md=(unsigned char*) xcalloc(EVP_MD_size(EVP_sha1()),sizeof(unsigned char));
-	EVP_MD_CTX_init(&ctx);
-	EVP_DigestInit(&ctx,EVP_sha1());
-	EVP_DigestUpdate(&ctx, data, length);
-	EVP_DigestFinal(&ctx, md,(unsigned int*) &len);
-	EVP_MD_CTX_cleanup(&ctx);
+	ctx = EVP_MD_CTX_new();
+	if (ctx == NULL) {
+		return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
+	}
+	EVP_DigestInit(ctx,EVP_sha1());
+	EVP_DigestUpdate(ctx, data, length);
+	EVP_DigestFinal(ctx, md,(unsigned int*) &len);
+	EVP_MD_CTX_free(ctx);
 	return oauth_body_hash_encode(len, md);
 }

Possible Memory Leak

File: oauth_http.c
Memory allocation: line 512
Memory leak: line 520

char *oauth_exec_post (const char *u, const char *p) {
	char cmd[BUFSIZ];
	char *t1,*t2;
	char *cmdtpl = getenv(_OAUTH_ENV_HTTPCMD); **Memory allocation**
	if (!cmdtpl) cmdtpl = xstrdup (_OAUTH_DEF_HTTPCMD);
	else cmdtpl = xstrdup (cmdtpl); // clone getenv() string.

	// add URL and post param - error if no '%p' or '%u' present in definition
	t1=strstr(cmdtpl, "%p");
	t2=strstr(cmdtpl, "%u");
	if (!t1 || !t2) {
		fprintf(stderr, "\nliboauth: invalid HTTP command. set the '%s' environment variable.\n\n",_OAUTH_ENV_HTTPCMD);
		return(NULL); **Memory leak**
	}
	// TODO: check if there are exactly two '%' in cmdtpl
	*(++t1)= 's'; *(++t2)= 's';
	if (t1>t2) {
		t1=oauth_escape_shell(u);
		t2=oauth_escape_shell(p);
	} else {
		t1=oauth_escape_shell(p);
		t2=oauth_escape_shell(u);
	}
	snprintf(cmd, BUFSIZ, cmdtpl, t1, t2);
	xfree(cmdtpl);
	xfree(t1); xfree(t2);
	return oauth_exec_shell(cmd);
}

x42 / liboauth Goto Github PK

liboauth's Introduction

liboauth

License and Notes

Test and Example Code

liboauth's People

Contributors

Stargazers

Watchers

Forkers

liboauth's Issues

You Should Update the www.oauth.net page to point to this project

Missing configure file.

Can not compile in VS2013

Support OpenSSL 1.1.0

Possible Memory Leak

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent