1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
#!/usr/bin/env ruby
require 'openssl'
require 'securerandom'
require 'sinatra'
Users = {
"Athena" => "Passw0rd!"
}
Services = {
"Mail" => "{FvM<kgG}VpHxKJO;6Zo"
}
def ticket(username, service, password, ws_address)
cipher = OpenSSL::Cipher::AES.new(256, :CBC).encrypt
cipher.key = Digest::SHA2.digest(password)
p = [username, ws_address, service].join(?\0)
s = cipher.update(p) + cipher.final
s.unpack('H*')[0].upcase + ?\n
end
def noleak(msg, ul, sl, ws)
puts "Error: #{msg}, returning nonsense to avoid leakage."
ticket(SecureRandom.alphanumeric(ul), SecureRandom.alphanumeric(sl), SecureRandom.alphanumeric(16), ws)
end
post '/ticket' do
request.body.rewind
data = JSON.parse(request.body.read)
next "Invalid request\n" unless data.keys.sort == %w(password service username)
ul = data["username"].length
sl = data["service"].length
ws = request.ip
next noleak("Invalid service", ul, sl, ws) unless Services.keys.include?(data["service"])
next noleak("Invalid username", ul, sl, ws) unless Users.keys.include?(data["username"])
next noleak("Invalid password", ul, sl, ws) unless Users[data["username"]] == data["password"]
next ticket(data["username"], data["service"], Services[data["service"]], ws)
end
|
