1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
#!/usr/bin/env ruby
require 'openssl'
require 'securerandom'
require 'sinatra'
set :port, 4568
Service = "Mail"
ServicePassword = "{FvM<kgG}VpHxKJO;6Zo"
ReplayCache = []
def update_replaycache!(new_auth)
ReplayCache.push(new_auth)
now = Time.now.to_i
ReplayCache.delete_if { |auth|
_, _, als, ats = auth.split(?,)
now > als.to_i + ats.to_i
}
end
def decrypt(obj, key)
ticket = [obj].pack("H*").unpack("C*").pack("c*")
cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt
cipher.key = Digest::SHA2.digest(key)
cipher.update(ticket) + cipher.final
end
post '/login' do
request.body.rewind
data = JSON.parse(request.body.read)
next "Invalid request\n" unless data.keys.sort == %w(authenticator ticket username)
sk, un, ws, sn, ls, ts = decrypt(data["ticket"], ServicePassword).split(?\0)
ls = ls.to_i
ts = ts.to_i
next "Invalid ticket\n" unless sn == Service
next "Invalid ticket\n" unless un == data["username"]
next "Invalid ticket\n" unless ws == request.ip
next "Invalid ticket\n" unless Time.now.to_i >= ts
next "Ticket expired\n" unless Time.now.to_i < (ts + ls)
begin
auth = decrypt(data["authenticator"], sk)
next "Replayed authenticator\n" if ReplayCache.include?(auth)
update_replaycache!(auth)
aun, aws, als, ats = auth.split(?,)
als = als.to_i
ats = ats.to_i
rescue OpenSSL::Cipher::CipherError
next "Invalid session key\n"
end
next "Invalid authenticator\n" unless aun == un
next "Invalid authenticator\n" unless aws == ws
next "Invalid authenticator\n" unless Time.now.to_i >= ats
next "Authenticator expired\n" unless Time.now.to_i < (ats + als)
"Login okay! You have no mail.\n"
end
|
