Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More

8.22.1 Problem

You want to allow users to confirm a request via email while preventing third parties from spoofing or falsifying confirmations.

8.22.2 Solution

Generate a random identifier, associate it with the email address to be confirmed, and save it for verification later. Send an email that contains the random identifier, along with instructions for responding to confirm receipt and approval. If a response is received, compare the identifier in the response with the saved identifier for the email address from which the response was received. If the identifiers don't match, ignore the response and do nothing; otherwise, the confirmation was successful.

8.22.3 Discussion

The most common use for confirmation requests is to ensure that an email address actually belongs to the person requesting membership on some kind of mass mailing list (whether it's a mailing list, newsletter, or some other type of mass mailing). Joining a mass mailing list typically involves either sending mail to an automated recipient or filling out a form on a web page.

The problem with this approach is that it is trivial for someone to register someone else's email address with a mailing list. For example, suppose that Alice wants to annoy Bob. If mailing lists accepted email addresses without any kind of confirmation, Alice could register Bob's email address with as many mailing lists as she could find. Suddenly, Bob would begin receiving large amounts of email from mailing lists with which he did not register. In extreme cases, this could lead to denial of service because Bob's mailbox could fill up with unwanted email, or if Bob has a slow network connection, it could take an unreasonable amount of time for him to download his email.

The solution to this problem is to confirm with Bob that he really made the requests for membership with the mailing lists. When a request for membership is sent for a mailing list, the mailing list software can send an email to the address for which membership was requested. This email will ask the recipient to respond with a confirmation that membership is truly desired.

The simplest form of such a confirmation request is to require the recipient to reply with an email containing some nonunique content, such as the word "subscribe" or something similar. This method is easiest for the mailing list software to deal with because it does not have to keep any information about what requests have been made or confirmed. It simply needs to respond to confirmation responses by adding the sender's email address to the mailing list roster.

Unfortunately, this is not an acceptable solution either, because Alice might know what response needs to be sent back to the confirmation request in order for the mailing list software to add Bob to its roster. If Alice knows what needs to be sent, she can easily forge a response email, making it appear to the mailing list software as if it came from Bob's email address.

Sending a confirmation request that requires an affirmative acknowledgement is a step in the right direction, but as we have just described it, it is not enough. Instead of requiring a nonunique acknowledgment, the confirmation request should contain a unique identifier that is generated at the time that the request for membership is made. To confirm the request, the recipient must send back a response that also contains the same unique identifier.

Because a unique identifier is used, it is not possible for Alice to know what she would need to send back to the mailing list software to get Bob's email address on the roster, unless she somehow had access to Bob's email. That would allow her to see the confirmation request and the unique identifier that it contains. Unfortunately, this is a much more difficult problem to solve, and it is one that cannot be easily solved in software, so we will not give it any further consideration.

To implement such a scheme, the mailing list software must maintain some state information. In particular, upon receipt of a request for membership, the software needs to generate the unique identifier to include in the confirmation requests, and it must store that identifier along with the email address for which membership has been requested. In addition, it is a good idea to maintain some kind of a timestamp so that confirmation requests will eventually expire. Expiring confirmation requests significantly reduces the likelihood that Alice can guess the unique identifier; more importantly, it also helps to reduce the amount of information that must be remembered to be able to confirm requests.

We define two functions in this recipe that provide the basic implementation for the confirmation request scheme we have just described. The first, spc_confirmation_create( ), creates a new confirmation request by generating a unique identifier and storing it with the email address for which confirmation is to be requested. It stores the confirmation request information in an in-memory list of pending confirmations, implemented simply as a dynamically allocated array. For use in a production environment, a hash table or binary tree might be a better solution for an in-memory data structure. Alternatively, the information could be stored in a database.

The function spc_confirmation_create( ) (SpcConfirmationCreate() on Windows) will return 0 if some kind of error occurs. Possible errors include memory allocation failures and attempts to add an address to the list of pending confirmations that already exists in the list. If the operation is successful, the return value will be 1. Two arguments are required by spc_confirmation_create( ):

address

Email address that is to be confirmed.

id

Pointer to a buffer that will be allocated by spc_confirmation_create( ). If the function returns successfully, the buffer will contain the unique identifier to send as part of the confirmation request email. It is the responsibility of the caller to free the buffer using free( ) on Unix or LocalFree( ) on Windows.

You may adjust the SPC_CONFIRMATION_EXPIRE macro from the default presented here. It controls how long pending confirmation requests will be honored and is specified in seconds.

Note that the code we are presenting here does not send or receive email at all. Programmatically sending and receiving email is outside the scope of this book.

#include <stdlib.h> #include <string.h> #include <time.h> /* Confirmation receipts must be received within one hour (3600 seconds) */ #define SPC_CONFIRMATION_EXPIRE 3600 typedef struct { char *address; char *id; time_t expire; } spc_confirmation_t; static unsigned long confirmation_count, confirmation_size; static spc_confirmation_t *confirmations; static int new_confirmation(const char *address, const char *id) { unsigned long i; spc_confirmation_t *tmp; /* first make sure that the address isn't already in the list */ for (i = 0; i < confirmation_count; i++) if (!strcmp(confirmations[i].address, address)) return 0; if (confirmation_count = = confirmation_size) { tmp = (spc_confirmation_t *)realloc(confirmations, sizeof(spc_confirmation_t) * (confirmation_size + 1)); if (!tmp) return 0; confirmations = tmp; confirmation_size++; } confirmations[confirmation_count].address = strdup(address); confirmations[confirmation_count].id = strdup(id); confirmations[confirmation_count].expire = time(0) + SPC_CONFIRMATION_EXPIRE; if (!confirmations[confirmation_count].address || !confirmations[confirmation_count].id) { if (confirmations[confirmation_count].address) free(confirmations[confirmation_count].address); if (confirmations[confirmation_count].id) free(confirmations[confirmation_count].id); return 0; } confirmation_count++; return 1; } int spc_confirmation_create(const char *address, char **id) { unsigned char buf[16]; if (!spc_rand(buf, sizeof(buf))) return 0; if (!(*id = (char *)spc_base64_encode(buf, sizeof(buf), 0))) return 0; if (!new_confirmation(address, *id)) { free(*id); return 0; } return 1; }

Upon receipt of a response to a confirmation request, the address from which it was sent and the unique identified contained within it should be passed as arguments to spc_confirmation_receive( ) (SpcConfirmationReceive() on Windows). If the address and unique identifier are in the list of pending requests, the return from this function will be 1; otherwise, it will be 0. Before the list is checked, expired entries will automatically be removed.

int spc_confirmation_receive(const char *address, const char *id) { time_t now; unsigned long i; /* Before we check the pending list of confirmations, prune the list to * remove expired entries. */ now = time(0); for (i = 0; i < confirmation_count; i++) { if (confirmations[i].expire <= now) { free(confirmations[i].address); free(confirmations[i].id); if (confirmation_count > 1 && i < confirmation_count - 1) confirmations[i] = confirmations[confirmation_count - 1]; i--; confirmation_count--; } } for (i = 0; i < confirmation_count; i++) { if (!strcmp(confirmations[i].address, address)) { if (strcmp(confirmations[i].id, id) != 0) return 0; free(confirmations[i].address); free(confirmations[i].id); if (confirmation_count > 1 && i < confirmation_count - 1) confirmations[i] = confirmations[confirmation_count - 1]; confirmation_count--; return 1; } } return 0; }

The Windows versions of spc_confirmation_create( ) and spc_confirmation_receive( ) are named SpcConfirmationCreate( ) and SpcConfirmationReceive( ), respectively. The arguments and return values for each are the same; however, there are enough subtle differences in the underlying implementation that we present an entirely separate code listing for Windows instead of using the preprocessor to have a single version.

#include <windows.h> /* Confirmation receipts must be received within one hour (3600 seconds) */ #define SPC_CONFIRMATION_EXPIRE 3600 typedef struct { LPTSTR lpszAddress; LPSTR lpszID; LARGE_INTEGER liExpire; } SPC_CONFIRMATION; static DWORD dwConfirmationCount, dwConfirmationSize; static SPC_CONFIRMATION *pConfirmations; static BOOL NewConfirmation(LPCTSTR lpszAddress, LPCSTR lpszID) { DWORD dwIndex; LARGE_INTEGER liExpire; SPC_CONFIRMATION *pTemp; /* first make sure that the address isn't already in the list */ for (dwIndex = 0; dwIndex < dwConfirmationCount; dwIndex++) { if (CompareString(LOCALE_USER_DEFAULT, NORM_IGNORECASE, pConfirmations[dwIndex].lpszAddress, -1, lpszAddress, -1) = = CSTR_EQUAL) return FALSE; } if (dwConfirmationCount = = dwConfirmationSize) { if (!pConfirmations) pTemp = (SPC_CONFIRMATION *)LocalAlloc(LMEM_FIXED, sizeof(SPC_CONFIRMATION)); else pTemp = (SPC_CONFIRMATION *)LocalReAlloc(pConfirmations, sizeof(SPC_CONFIRMATION) * (dwConfirmationSize + 1), 0); if (!pTemp) return FALSE; pConfirmations = pTemp; dwConfirmationSize++; } pConfirmations[dwConfirmationCount].lpszAddress = (LPTSTR)LocalAlloc( LMEM_FIXED, sizeof(TCHAR) * (lstrlen(lpszAddress) + 1)); if (!pConfirmations[dwConfirmationCount].lpszAddress) return FALSE; lstrcpy(pConfirmations[dwConfirmationCount].lpszAddress, lpszAddress); pConfirmations[dwConfirmationCount].lpszID = (LPSTR)LocalAlloc(LMEM_FIXED, lstrlenA(lpszID) + 1); if (!pConfirmations[dwConfirmationCount].lpszID) { LocalFree(pConfirmations[dwConfirmationCount].lpszAddress); return FALSE; } lstrcpyA(pConfirmations[dwConfirmationCount].lpszID, lpszID); /* File Times are 100-nanosecond intervals since January 1, 1601 */ GetSystemTimeAsFileTime((LPFILETIME)&liExpire); liExpire.QuadPart += (SPC_CONFIRMATION_EXPIRE * (__int64)10000000); pConfirmations[dwConfirmationCount].liExpire = liExpire; dwConfirmationCount++; return TRUE; } BOOL SpcConfirmationCreate(LPCTSTR lpszAddress, LPSTR *lpszID) { BYTE pbBuffer[16]; if (!spc_rand(pbBuffer, sizeof(pbBuffer))) return FALSE; if (!(*lpszID = (LPSTR)spc_base64_encode(pbBuffer, sizeof(pbBuffer), 0))) return FALSE; if (!NewConfirmation(lpszAddress, *lpszID)) { LocalFree(*lpszID); return FALSE; } return TRUE; } BOOL SpcConfirmationReceive(LPCTSTR lpszAddress, LPCSTR lpszID) { DWORD dwIndex; LARGE_INTEGER liNow; /* Before we check the pending list of confirmations, prune the list to * remove expired entries. */ GetSystemTimeAsFileTime((LPFILETIME)&liNow); for (dwIndex = 0; dwIndex < dwConfirmationCount; dwIndex++) { if (pConfirmations[dwIndex].liExpire.QuadPart <= liNow.QuadPart) { LocalFree(pConfirmations[dwIndex].lpszAddress); LocalFree(pConfirmations[dwIndex].lpszID); if (dwConfirmationCount > 1 && dwIndex < dwConfirmationCount - 1) pConfirmations[dwIndex] = pConfirmations[dwConfirmationCount - 1]; dwIndex--; dwConfirmationCount--; } } for (dwIndex = 0; dwIndex < dwConfirmationCount; dwIndex++) { if (CompareString(LOCALE_USER_DEFAULT, NORM_IGNORECASE, pConfirmations[dwIndex].lpszAddress, -1, lpszAddress, -1) = = CSTR_EQUAL) { if (lstrcmpA(pConfirmations[dwIndex].lpszID, lpszID) != 0) return FALSE; LocalFree(pConfirmations[dwIndex].lpszAddress); LocalFree(pConfirmations[dwIndex].lpszID); if (dwConfirmationCount > 1 && dwIndex < dwConfirmationCount - 1) pConfirmations[dwIndex] = pConfirmations[dwConfirmationCount - 1]; dwConfirmationCount--; return TRUE; } } return FALSE; }

8.22.4 See Also

Recipe 11.2

Категории