liboauth's Introduction

liboauth

liboauth is a collection of C functions implementing the http://oauth.net API.

liboauth provides functions to escape and encode strings according to the OAuth specifications, and offers high-level functionality built on top of them to sign requests or verify signatures, using either NSS or OpenSSL to calculate the hashes and signatures.

The included documentation in the doc/ folder and example code from tests/ can also be found online at http://liboauth.sourceforge.net/

Send bug reports, patches or suggestions to [email protected], or ask for information at http://groups.google.com/group/oauth/

License and Notes

The source code of liboauth can be distributed under the MIT License or, at your option, under the terms of the GNU General Public License. See COPYING.MIT or COPYING.GPL for details.

Note: OpenSSL is not strictly compatible with the GPL license. An exemption (to the GPL) allowing liboauth to be linked and redistributed with the OpenSSL library is included in the source files. For more information, see LICENSE.OpenSSL and http://lists.debian.org/debian-legal/2004/05/msg00595.html

You can avoid this whole issue by using NSS instead of OpenSSL; configure with '--enable-nss'.

The Debian packaging that comes with the source-code is licensed under the GNU General Public License.

Test and Example Code

After compilation, make check can be used to perform an off-line self-test.

There is also example code to perform and verify OAuth requests online, but it is not run automatically.

  • tests/oauthexample.c - CONNECTS TO INTERNET walk-through http://term.ie/oauth/example

  • tests/oauthtest.c - CONNECTS TO INTERNET gets a request-token from http://term.ie test-server

  • tests/oauthtest2.c - CONNECTS TO INTERNET gets a request-token from http://term.ie test-server using OAuth HTTP Authorization header: see http://oauth.net/core/1.0a/#auth_header and http://oauth.net/core/1.0a/#consumer_req_param

  • tests/selftest_wiki.c

  • tests/selftest_eran.c Test-Cases for parameter encoding, signatures, etc

  • tests/commontest.c Common Test-Case functions exercising the low-level API used by self-tests.

  • tests/oauthdatapost.c - CONNECTS TO INTERNET Experimental code to sign data uploads. Note: The example keys have since been deleted from the test-server. Code remains for inspiration/example purposes.

liboauth's Issues

Can not compile in VS2013

In function oauth_body_hash_file, some variables are defined in the middle. We must put them at the beginning. Please change it.

Possible Memory Leak

File: oauth_http.c
Memory allocation: line 512
Memory leak: line 520

char *oauth_exec_post (const char *u, const char *p) {
	char cmd[BUFSIZ];
	char *t1,*t2;
	char *cmdtpl = getenv(_OAUTH_ENV_HTTPCMD); /* Memory allocation */
	if (!cmdtpl) cmdtpl = xstrdup (_OAUTH_DEF_HTTPCMD);
	else cmdtpl = xstrdup (cmdtpl); // clone getenv() string.

	// add URL and post param - error if no '%p' or '%u' present in definition
	t1=strstr(cmdtpl, "%p");
	t2=strstr(cmdtpl, "%u");
	if (!t1 || !t2) {
		fprintf(stderr, "\nliboauth: invalid HTTP command. set the '%s' environment variable.\n\n",_OAUTH_ENV_HTTPCMD);
		return(NULL); /* Memory leak */
	}
	// TODO: check if there are exactly two '%' in cmdtpl
	*(++t1)= 's'; *(++t2)= 's';
	if (t1>t2) {
		t1=oauth_escape_shell(u);
		t2=oauth_escape_shell(p);
	} else {
		t1=oauth_escape_shell(p);
		t2=oauth_escape_shell(u);
	}
	snprintf(cmd, BUFSIZ, cmdtpl, t1, t2);
	xfree(cmdtpl);
	xfree(t1); xfree(t2);
	return oauth_exec_shell(cmd);
}
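
A leak-free shape for the error path reported above, as an added example that is not liboauth's code: `build_post_cmd`, `dup_counted`, `free_counted` and the `live_allocs` counter are hypothetical names. It only builds the command string (the `oauth_escape_shell` and `oauth_exec_shell` calls of the original are left out because nothing is executed), and it also rejects templates with extra '%' characters, the check the original's TODO asks for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs = 0; /* constructed counter standing in for a leak checker */

static char *dup_counted(const char *s) {
	char *r = malloc(strlen(s) + 1);
	if (r) { strcpy(r, s); live_allocs++; }
	return r;
}
static void free_counted(void *p) { if (p) { free(p); live_allocs--; } }

/* Hypothetical helper: expand "%u" and "%p" in tpl into a command string.
 * Returns a counted allocation, or NULL when the template is invalid. */
char *build_post_cmd(const char *tpl, const char *u, const char *p) {
	char cmd[BUFSIZ];
	char *result = NULL, *t1, *t2, *c;
	int npct = 0;
	char *cmdtpl = dup_counted(tpl); /* private copy, as in the original */
	if (!cmdtpl) return NULL;

	t1 = strstr(cmdtpl, "%p");
	t2 = strstr(cmdtpl, "%u");
	for (c = cmdtpl; *c; c++) if (*c == '%') npct++;
	/* Missing placeholder or any extra '%': fail, but through the cleanup. */
	if (!t1 || !t2 || npct != 2) goto out;

	t1[1] = 's'; t2[1] = 's'; /* "%p"/"%u" become "%s" */
	if (t1 > t2) snprintf(cmd, sizeof cmd, cmdtpl, u, p); /* %u came first */
	else         snprintf(cmd, sizeof cmd, cmdtpl, p, u); /* %p came first */
	result = dup_counted(cmd);
out:
	free_counted(cmdtpl); /* released on the error path too */
	return result;
}

int main(void) {
	/* constructed sample templates and arguments */
	char *ok  = build_post_cmd("curl -d '%p' '%u'", "http://example.invalid/", "a=1");
	char *bad = build_post_cmd("curl '%u'", "http://example.invalid/", "a=1");
	printf("%s | %s | live=%d\n", ok ? ok : "(null)", bad ? bad : "(null)", live_allocs);
	free_counted(ok);
	return live_allocs; /* 0 when nothing leaked */
}
```
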

Support OpenSSL 1.1.0

In OpenSSL 1.1.0 EVP_MD_CTX is an opaque struct. This patch adds support for OpenSSL 1.1.0. It also compiles with 1.0.2.

diff --git a/src/hash.c b/src/hash.c
index b7c016b..b16b001 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -364,6 +364,11 @@ looser:
 #include "oauth.h" // base64 encode fn's.
 #include <openssl/hmac.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+#define EVP_MD_CTX_new EVP_MD_CTX_create
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
+#endif
+
 char *oauth_sign_hmac_sha1 (const char *m, const char *k) {
 	return(oauth_sign_hmac_sha1_raw (m, strlen(m), k, strlen(k)));
 }
@@ -388,7 +393,7 @@ char *oauth_sign_rsa_sha1 (const char *m, const char *k) {
 	unsigned char *sig = NULL;
 	unsigned char *passphrase = NULL;
 	unsigned int len=0;
-	EVP_MD_CTX md_ctx;
+	EVP_MD_CTX *md_ctx;
 
 	EVP_PKEY *pkey;
 	BIO *in;
@@ -401,24 +406,31 @@ char *oauth_sign_rsa_sha1 (const char *m, const char *k) {
 		return xstrdup("liboauth/OpenSSL: can not read private key");
 	}
 
+	md_ctx = EVP_MD_CTX_new();
+	if (md_ctx == NULL) {
+		return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
+	}
+
 	len = EVP_PKEY_size(pkey);
 	sig = (unsigned char*)xmalloc((len+1)*sizeof(char));
 
-	EVP_SignInit(&md_ctx, EVP_sha1());
-	EVP_SignUpdate(&md_ctx, m, strlen(m));
-	if (EVP_SignFinal (&md_ctx, sig, &len, pkey)) {
+	EVP_SignInit(md_ctx, EVP_sha1());
+	EVP_SignUpdate(md_ctx, m, strlen(m));
+	if (EVP_SignFinal (md_ctx, sig, &len, pkey)) {
 		char *tmp;
 		sig[len] = '\0';
 		tmp = oauth_encode_base64(len,sig);
 		OPENSSL_free(sig);
 		EVP_PKEY_free(pkey);
+		EVP_MD_CTX_free(md_ctx);
 		return tmp;
 	}
+	EVP_MD_CTX_free(md_ctx);
 	return xstrdup("liboauth/OpenSSL: rsa-sha1 signing failed");
 }
 
 int oauth_verify_rsa_sha1 (const char *m, const char *c, const char *s) {
-	EVP_MD_CTX md_ctx;
+	EVP_MD_CTX *md_ctx;
 	EVP_PKEY *pkey;
 	BIO *in;
 	X509 *cert = NULL;
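
Review bot: the new `md_ctx == NULL` early return in oauth_sign_rsa_sha1 exits while `pkey` is still held; the success path releases it with `EVP_PKEY_free(pkey);`, so the same call belongs before this return. The failure return after `EVP_SignFinal` now frees `md_ctx` but still leaves `sig` and `pkey` allocated, so freeing all three there would make both exits consistent. `sig` is also obtained from `xmalloc` but released with `OPENSSL_free(sig)`; pairing it with `xfree` is worth doing while this function is being touched.
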
@@ -439,13 +451,18 @@ int oauth_verify_rsa_sha1 (const char *m, const char *c, const char *s) {
 		return -2;
 	}
 
+	md_ctx = EVP_MD_CTX_new();
+	if (md_ctx == NULL) {
+		return -2;
+	}
+
 	b64d= (unsigned char*) xmalloc(sizeof(char)*strlen(s));
 	slen = oauth_decode_base64(b64d, s);
 
-	EVP_VerifyInit(&md_ctx, EVP_sha1());
-	EVP_VerifyUpdate(&md_ctx, m, strlen(m));
-	err = EVP_VerifyFinal(&md_ctx, b64d, slen, pkey);
-	EVP_MD_CTX_cleanup(&md_ctx);
+	EVP_VerifyInit(md_ctx, EVP_sha1());
+	EVP_VerifyUpdate(md_ctx, m, strlen(m));
+	err = EVP_VerifyFinal(md_ctx, b64d, slen, pkey);
+	EVP_MD_CTX_free(md_ctx);
 	EVP_PKEY_free(pkey);
 	xfree(b64d);
 	return (err);
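
Review bot: the `md_ctx == NULL` branch in oauth_verify_rsa_sha1 returns without `EVP_PKEY_free(pkey);`, which the normal path calls just before `xfree(b64d);`, so an allocation failure leaks the key. The branch also reuses `-2`, the value the error return directly above it already uses, so a caller cannot tell an allocation failure from that earlier error; a distinct negative code would make the two cases separable.
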
@@ -457,35 +474,41 @@ int oauth_verify_rsa_sha1 (const char *m, const char *c, const char *s) {
  */
 char *oauth_body_hash_file(char *filename) {
 	unsigned char fb[BUFSIZ];
-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx;
 	size_t len=0;
 	unsigned char *md;
 	FILE *F= fopen(filename, "r");
 	if (!F) return NULL;
 
-	EVP_MD_CTX_init(&ctx);
-	EVP_DigestInit(&ctx,EVP_sha1());
+	ctx = EVP_MD_CTX_new();
+	if (ctx == NULL) {
+		return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
+	}
+	EVP_DigestInit(ctx,EVP_sha1());
 	while (!feof(F) && (len=fread(fb,sizeof(char),BUFSIZ, F))>0) {
-		EVP_DigestUpdate(&ctx, fb, len);
+		EVP_DigestUpdate(ctx, fb, len);
 	}
 	fclose(F);
 	len=0;
 	md=(unsigned char*) xcalloc(EVP_MD_size(EVP_sha1()),sizeof(unsigned char));
-	EVP_DigestFinal(&ctx, md,(unsigned int*) &len);
-	EVP_MD_CTX_cleanup(&ctx);
+	EVP_DigestFinal(ctx, md,(unsigned int*) &len);
+	EVP_MD_CTX_free(ctx);
 	return oauth_body_hash_encode(len, md);
 }
 
 char *oauth_body_hash_data(size_t length, const char *data) {
-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx;
 	size_t len=0;
 	unsigned char *md;
 	md=(unsigned char*) xcalloc(EVP_MD_size(EVP_sha1()),sizeof(unsigned char));
-	EVP_MD_CTX_init(&ctx);
-	EVP_DigestInit(&ctx,EVP_sha1());
-	EVP_DigestUpdate(&ctx, data, length);
-	EVP_DigestFinal(&ctx, md,(unsigned int*) &len);
-	EVP_MD_CTX_cleanup(&ctx);
+	ctx = EVP_MD_CTX_new();
+	if (ctx == NULL) {
+		return xstrdup("liboauth/OpenSSL: failed to allocate EVP_MD_CTX");
+	}
+	EVP_DigestInit(ctx,EVP_sha1());
+	EVP_DigestUpdate(ctx, data, length);
+	EVP_DigestFinal(ctx, md,(unsigned int*) &len);
+	EVP_MD_CTX_free(ctx);
 	return oauth_body_hash_encode(len, md);
 }
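
Review bot: in oauth_body_hash_file the `ctx == NULL` branch returns after `fopen` has succeeded and before `fclose(F);`, leaking the file handle, and it returns an error string from a function whose other failure (`if (!F) return NULL;`) returns NULL, so a caller would take the message for a body hash. Returning NULL after `fclose(F)` is the consistent choice. oauth_body_hash_data has the same string-as-result problem, and there `md` is allocated by `xcalloc` before the check, so the early return leaks it; allocate `ctx` first or `xfree(md)` before returning.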
