author | Michael Krelin <hacker@klever.net> | 2007-01-12 12:58:25 (UTC) |
---|---|---|
committer | Michael Krelin <hacker@klever.net> | 2007-01-12 12:58:25 (UTC) |
commit | e79687a3d9a1631613de02d8e12bae36302b46ab (patch) (side-by-side diff) | |
tree | 4238c0d8d61f5e70ed1e98debb01315babb21686 | |
parent | 4cc2e58186e8cd9b96a3573c92f6664064cf11fe (diff) | |
download | libopkele-e79687a3d9a1631613de02d8e12bae36302b46ab.zip libopkele-e79687a3d9a1631613de02d8e12bae36302b46ab.tar.gz libopkele-e79687a3d9a1631613de02d8e12bae36302b46ab.tar.bz2 |
eliminated mimetic dependency and made use of openssl base64 encoder instead
-rw-r--r-- | configure.ac | 11 | ||||
-rw-r--r-- | include/opkele/util.h | 5 | ||||
-rw-r--r-- | lib/Makefile.am | 2 | ||||
-rw-r--r-- | lib/consumer.cc | 16 | ||||
-rw-r--r-- | lib/params.cc | 7 | ||||
-rw-r--r-- | lib/secret.cc | 22 | ||||
-rw-r--r-- | lib/server.cc | 6 | ||||
-rw-r--r-- | lib/util.cc | 67 | ||||
-rw-r--r-- | libopkele.pc.in | 2 |
9 files changed, 71 insertions, 67 deletions
diff --git a/configure.ac b/configure.ac index af7a301..2ce5f71 100644 --- a/configure.ac +++ b/configure.ac @@ -1,89 +1,78 @@ AC_INIT([libopkele], [0.0], [libopkele-bugs@klever.net]) AC_CONFIG_SRCDIR([include/opkele/opkele-config.h]) AC_CONFIG_HEADERS([config.h include/opkele/acconfig.h]) AM_INIT_AUTOMAKE([dist-bzip2]) AC_PROG_INSTALL AC_PROG_CXX AC_PROG_CC AC_PROG_LIBTOOL AC_HEADER_STDC AC_PATH_PROG([XSLTPROC],[xsltproc],[true]) AC_WITH_PKGCONFIG PKG_CHECK_MODULES([OPENSSL],[openssl],[ AC_MSG_RESULT([yes]) ],[ AC_MSG_ERROR([no openssl library found. get one from http://www.openssl.org/]) ] ) WANT_KONFORKA="yes" AC_ARG_ENABLE([konforka], AC_HELP_STRING([--disable-konforka],[do not use konforka library (default: use if found)]), [ test "${enableval}" = "no" && WANT_KONFORKA="no" ] ) if test "${WANT_KONFORKA}" = "yes" ; then PKG_CHECK_MODULES([KONFORKA],[konforka],[ AC_MSG_RESULT([yes]) AC_SUBST([KONFORKA_CFLAGS]) AC_SUBST([KONFORKA_LIBS]) AC_DEFINE([HAVE_KONFORKA],,[defined in presence of konforka library]) AC_DEFINE([OPKELE_HAVE_KONFORKA],,[defined in presence of konforka library]) AC_SUBST([KONFORKA_KONFORKA],[konforka]) ],[ AC_MSG_RESULT([no]) ] ) fi -AC_LANG_PUSH([C++]) - AC_CHECK_LIB([mimetic],[main],[ - MIMETIC_LIBS=-lmimetic - AC_SUBST([MIMETIC_CFLAGS]) - AC_SUBST([MIMETIC_LIBS]) - ],[ - AC_MSG_ERROR([no mimetic library found. get one from http://codesink.org/mimetic_mime_library.html]) - ] - ) -AC_LANG_POP([C++]) - WANT_DOXYGEN="yes" AC_ARG_ENABLE([doxygen], AC_HELP_STRING([--disable-doxygen],[do not generate documentation]), [ test "${enableval}" = "no" && WANT_DOXYGEN="no" ] ) if test "${WANT_DOXYGEN}" = "yes" ; then AC_WITH_DOXYGEN AC_WITH_DOT else AM_CONDITIONAL([HAVE_DOXYGEN],[false]) AM_CONDITIONAL([HAVE_DOT],[false]) fi LIBCURL_CHECK_CONFIG(,,,[ AC_MSG_ERROR([no required libcurl library. get one from http://curl.haxx.se/]) ]) AC_WITH_PCRE([ AC_WITH_PCREPP(,[ AC_MSG_ERROR([no pcre++ library found. get one at http://www.daemon.de/PCRE]) ]) ],[ AC_MSG_ERROR([no pcre library found. get one at http://www.pcre.org/]) ] ) AC_CONFIG_FILES([ Makefile libopkele.pc Doxyfile include/Makefile lib/Makefile ]) AC_OUTPUT diff --git a/include/opkele/util.h b/include/opkele/util.h index 5372498..80d8b03 100644 --- a/include/opkele/util.h +++ b/include/opkele/util.h @@ -1,59 +1,64 @@ #ifndef __OPKELE_UTIL_H #define __OPKELE_UTIL_H #include <time.h> #include <string> +#include <vector> #include <openssl/bn.h> #include <openssl/dh.h> namespace opkele { using std::string; + using std::vector; namespace util { class bignum_t { public: BIGNUM *_bn; bignum_t() : _bn(0) { } bignum_t(BIGNUM *bn) : _bn(bn) { } ~bignum_t() throw() { if(_bn) BN_free(_bn); } bignum_t& operator=(BIGNUM *bn) { if(_bn) BN_free(_bn); _bn = bn; return *this; } operator const BIGNUM*(void) const { return _bn; } operator BIGNUM*(void) { return _bn; } }; class dh_t { public: DH *_dh; dh_t() : _dh(0) { } dh_t(DH *dh) : _dh(dh) { } ~dh_t() throw() { if(_dh) DH_free(_dh); } dh_t& operator=(DH *dh) { if(_dh) DH_free(_dh); _dh = dh; return *this; } operator const DH*(void) const { return _dh; } operator DH*(void) { return _dh; } DH* operator->() { return _dh; } const DH* operator->() const { return _dh; } }; BIGNUM *base64_to_bignum(const string& b64); BIGNUM *dec_to_bignum(const string& dec); string bignum_to_base64(const BIGNUM *bn); string time_to_w3c(time_t t); time_t w3c_to_time(const string& w); string url_encode(const string& str); string long_to_string(long l); long string_to_long(const string& s); + + string encode_base64(const void *data,size_t length); + void decode_base64(const string& data,vector<unsigned char>& rv); } } #endif /* __OPKELE_UTIL_H */ diff --git a/lib/Makefile.am b/lib/Makefile.am index bdadd44..ec63c25 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -1,29 +1,27 @@ lib_LTLIBRARIES = libopkele.la INCLUDES = \ -I${top_srcdir}/include/ \ ${KONFORKA_CFLAGS} \ ${OPENSSL_CFLAGS} \ - ${MIMETIC_CFLAGS} \ ${LIBCURL_CPPFLAGS} \ ${PCREPP_CFLAGS} LDADD = \ ${LIBCURL} \ ${PCREPP_LIBS} \ - ${MIMETIC_LIBS} \ ${OPENSSL_LIBS} \ ${KONFORKA_LIBS} libopkele_la_SOURCES = \ params.cc \ util.cc \ server.cc \ secret.cc \ data.cc \ consumer.cc \ exception.cc \ extension.cc \ sreg.cc \ extension_chain.cc libopkele_la_LDFLAGS = \ -version-info 1:0:0 diff --git a/lib/consumer.cc b/lib/consumer.cc index b215aa8..331b1e9 100644 --- a/lib/consumer.cc +++ b/lib/consumer.cc @@ -1,269 +1,257 @@ #include <algorithm> +#include <cassert> #include <opkele/util.h> #include <opkele/exception.h> #include <opkele/data.h> #include <opkele/consumer.h> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> #include <curl/curl.h> #include <pcre++.h> #include <iostream> -/* silly mimetic */ -#undef PACKAGE -#undef PACKAGE_BUGREPORT -#undef PACKAGE_NAME -#undef PACKAGE_STRING -#undef PACKAGE_TARNAME -#undef PACKAGE_VERSION -#undef VERSION - #include "config.h" namespace opkele { using namespace std; class curl_t { public: CURL *_c; curl_t() : _c(0) { } curl_t(CURL *c) : _c(c) { } ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); } curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; } operator const CURL*(void) const { return _c; } operator CURL*(void) { return _c; } }; static CURLcode curl_misc_sets(CURL* c) { CURLcode r; (r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1)) || (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5)) || (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120)) || (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1)) || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION)) || (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20)) ; return r; } static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) { string *str = (string*)stream; size_t bytes = size*nmemb; size_t get = min(16384-str->length(),bytes); str->append((const char*)ptr,get); return get; } assoc_t consumer_t::associate(const string& server) { util::dh_t dh = DH_new(); if(!dh) throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); dh->p = util::dec_to_bignum(data::_default_p); dh->g = util::dec_to_bignum(data::_default_g); if(!DH_generate_key(dh)) throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); string request = "openid.mode=associate" "&openid.assoc_type=HMAC-SHA1" "&openid.session_type=DH-SHA1" "&openid.dh_consumer_public="; request += util::url_encode(util::bignum_to_base64(dh->pub_key)); curl_t curl = curl_easy_init(); if(!curl) throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); string response; CURLcode r; (r=curl_misc_sets(curl)) || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length())) || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response)) ; if(r) throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); if(r=curl_easy_perform(curl)) throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); params_t p; p.parse_keyvalues(response); if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1") throw bad_input(OPKELE_CP_ "unsupported assoc_type"); string st; if(p.has_param("session_type")) st = p.get_param("session_type"); if((!st.empty()) && st!="DH-SHA1") throw bad_input(OPKELE_CP_ "unsupported session_type"); secret_t secret; if(st.empty()) { secret.from_base64(p.get_param("mac_key")); }else{ util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); vector<unsigned char> ck(DH_size(dh)); int cklen = DH_compute_key(&(ck.front()),s_pub,dh); if(cklen<0) throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); ck.resize(cklen); // OpenID algorithm requires extra zero in case of set bit here if(ck[0]&0x80) ck.insert(ck.begin(),1,0); unsigned char key_sha1[SHA_DIGEST_LENGTH]; SHA1(&(ck.front()),ck.size(),key_sha1); secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); } int expires_in = 0; if(p.has_param("expires_in")) { expires_in = util::string_to_long(p.get_param("expires_in")); }else if(p.has_param("issued") && p.has_param("expiry")) { expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued")); }else throw bad_input(OPKELE_CP_ "no expiration information"); return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); } string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); } string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); } string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { params_t p; if(mode==mode_checkid_immediate) p["mode"]="checkid_immediate"; else if(mode==mode_checkid_setup) p["mode"]="checkid_setup"; else throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); string iurl = canonicalize(identity); string server, delegate; retrieve_links(iurl,server,delegate); p["identity"] = delegate.empty()?iurl:delegate; if(!trust_root.empty()) p["trust_root"] = trust_root; p["return_to"] = return_to; try { try { string ah = find_assoc(server)->handle(); p["assoc_handle"] = ah; }catch(failed_lookup& fl) { string ah = associate(server)->handle(); p["assoc_handle"] = ah; } }catch(exception& e) { } if(ext) ext->checkid_hook(p,identity); return p.append_query(server); } void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { if(pin.has_param("openid.user_setup_url")) throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); string server,delegate; retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); params_t ps; try { assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); const string& sigenc = pin.get_param("openid.sig"); - mimetic::Base64::Decoder b; vector<unsigned char> sig; - mimetic::decode( - sigenc.begin(),sigenc.end(), b, - back_insert_iterator<vector<unsigned char> >(sig) ); + util::decode_base64(sigenc,sig); const string& slist = pin.get_param("openid.signed"); string kv; string::size_type p = 0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; f.insert(0,"openid."); kv += pin.get_param(f); kv += '\n'; if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); if(co==string::npos) break; p = co+1; } secret_t secret = assoc->secret(); unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), (const unsigned char *)kv.data(),kv.length(), 0,&md_len); if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); }catch(failed_lookup& e) { /* XXX: more specific? */ const string& slist = pin.get_param("openid.signed"); string::size_type pp = 0; params_t p; while(true) { string::size_type co = slist.find(',',pp); string f = "openid."; f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); p[f] = pin.get_param(f); if(co==string::npos) break; pp = co+1; } p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); p["openid.sig"] = pin.get_param("openid.sig"); p["openid.signed"] = pin.get_param("openid.signed"); try { string ih = pin.get_param("openid.invalidate_handle"); p["openid.invalidate_handle"] = ih; }catch(failed_lookup& fl) { } try { check_authentication(server,p); }catch(failed_check_authentication& fca) { throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); } } if(ext) ext->id_res_hook(pin,ps,identity); } void consumer_t::check_authentication(const string& server,const params_t& p) { string request = "openid.mode=check_authentication"; for(params_t::const_iterator i=p.begin();i!=p.end();++i) { if(i->first!="openid.mode") { request += '&'; request += i->first; request += '='; request += util::url_encode(i->second); } } curl_t curl = curl_easy_init(); if(!curl) throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); string response; CURLcode r; (r=curl_misc_sets(curl)) || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length())) || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response)) ; if(r) throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); if(r=curl_easy_perform(curl)) throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); params_t pp; pp.parse_keyvalues(response); if(pp.has_param("invalidate_handle")) invalidate_assoc(server,pp.get_param("invalidate_handle")); if(pp.has_param("is_valid")) { if(pp.get_param("is_valid")=="true") return; }else if(pp.has_param("lifetime")) { if(util::string_to_long(pp.get_param("lifetime"))) return; } throw failed_check_authentication(OPKELE_CP_ "failed to verify response"); } void consumer_t::retrieve_links(const string& url,string& server,string& delegate) { server.erase(); diff --git a/lib/params.cc b/lib/params.cc index 14f1a53..03867d5 100644 --- a/lib/params.cc +++ b/lib/params.cc @@ -1,96 +1,91 @@ #include <opkele/types.h> #include <opkele/exception.h> #include <opkele/util.h> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> namespace opkele { using namespace std; bool params_t::has_param(const string& n) const { return find(n)!=end(); } const string& params_t::get_param(const string& n) const { const_iterator i = find(n); if(i==end()) throw failed_lookup(OPKELE_CP_ n+": no such parameter"); return i->second; } string& params_t::get_param(const string& n) { iterator i = find(n); if(i==end()) throw failed_lookup(OPKELE_CP_ n+": no such parameter"); return i->second; } void params_t::parse_keyvalues(const string& kv) { clear(); string::size_type p = 0; while(true) { string::size_type co = kv.find(':',p); if(co==string::npos) break; string::size_type nl = kv.find('\n',co+1); if(nl==string::npos) throw bad_input(OPKELE_CP_ "malformed input"); insert(value_type(kv.substr(p,co-p),kv.substr(co+1,nl-co-1))); p = nl+1; } } void params_t::sign(secret_t secret,string& sig,const string& slist,const char *prefix) const { string kv; string::size_type p = 0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; if(prefix) f.insert(0,prefix); kv += get_param(f); kv += '\n'; if(co==string::npos) break; p = co+1; } unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), (const unsigned char *)kv.data(),kv.length(), 0,&md_len); - mimetic::Base64::Encoder b(0); - sig.erase(); - mimetic::encode( - md,md+md_len, b, - back_insert_iterator<string>(sig) ); + sig = util::encode_base64(md,md_len); } string params_t::append_query(const string& url,const char *prefix) const { string rv = url; bool p = true; if(rv.find('?')==string::npos) { rv += '?'; p = false; } for(const_iterator i=begin();i!=end();++i) { if(p) rv += '&'; else p = true; rv += prefix; rv += i->first; rv += '='; rv += util::url_encode(i->second); } return rv; } ostream& operator << (ostream& o,const params_t& p) { for(params_t::const_iterator i=p.begin();i!=p.end();++i) o << i->first << ':' << i->second << '\n'; return o; } } diff --git a/lib/secret.cc b/lib/secret.cc index ae8a3c5..632a2ca 100644 --- a/lib/secret.cc +++ b/lib/secret.cc @@ -1,61 +1,49 @@ #include <algorithm> #include <functional> #include <opkele/types.h> #include <opkele/exception.h> -#include <mimetic/mimetic.h> +#include <opkele/util.h> namespace opkele { using namespace std; template<class __a1,class __a2,class __r> struct bitwise_xor : public binary_function<__a1,__a2,__r> { __r operator() (const __a1& a1,const __a2& a2) const { return a1^a2; } }; void secret_t::enxor_to_base64(const unsigned char *key_sha1,string& rv) const { if(size()!=20) throw bad_input(OPKELE_CP_ "wrong secret size"); vector<unsigned char> tmp; transform( begin(), end(), key_sha1, back_insert_iterator<vector<unsigned char> >(tmp), bitwise_xor<unsigned char,unsigned char,unsigned char>() ); - mimetic::Base64::Encoder b(0); - mimetic::encode( - tmp.begin(),tmp.end(), b, - back_insert_iterator<string>(rv) ); + rv = util::encode_base64(&(tmp.front()),tmp.size()); } void secret_t::enxor_from_base64(const unsigned char *key_sha1,const string& b64) { - mimetic::Base64::Decoder b; clear(); - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<secret_t>(*this) ); + util::decode_base64(b64,*this); transform( begin(), end(), key_sha1, begin(), bitwise_xor<unsigned char,unsigned char,unsigned char>() ); } void secret_t::to_base64(string& rv) const { if(size()!=20) throw bad_input(OPKELE_CP_ "wrong secret size"); - mimetic::Base64::Encoder b(0); - mimetic::encode( - begin(),end(), b, - back_insert_iterator<string>(rv) ); + rv = util::encode_base64(&(front()),size()); } void secret_t::from_base64(const string& b64) { - mimetic::Base64::Decoder b; - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<secret_t>(*this) ); + util::decode_base64(b64,*this); } } diff --git a/lib/server.cc b/lib/server.cc index 8c29abb..e81d4b6 100644 --- a/lib/server.cc +++ b/lib/server.cc @@ -1,173 +1,169 @@ #include <vector> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> #include <opkele/util.h> #include <opkele/exception.h> #include <opkele/server.h> #include <opkele/data.h> namespace opkele { using namespace std; void server_t::associate(const params_t& pin,params_t& pout) { util::dh_t dh; util::bignum_t c_pub; unsigned char key_sha1[SHA_DIGEST_LENGTH]; enum { sess_cleartext, sess_dh_sha1 } st = sess_cleartext; if( pin.has_param("openid.session_type") && pin.get_param("openid.session_type")=="DH-SHA1" ) { /* TODO: fallback to cleartext in case of exceptions here? */ if(!(dh = DH_new())) throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); if(pin.has_param("openid.dh_modulus")) dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); else dh->p = util::dec_to_bignum(data::_default_p); if(pin.has_param("openid.dh_gen")) dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); else dh->g = util::dec_to_bignum(data::_default_g); if(!DH_generate_key(dh)) throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); vector<unsigned char> ck(DH_size(dh)); int cklen = DH_compute_key(&(ck.front()),c_pub,dh); if(cklen<0) throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); ck.resize(cklen); // OpenID algorithm requires extra zero in case of set bit here if(ck[0]&0x80) ck.insert(ck.begin(),1,0); SHA1(&(ck.front()),ck.size(),key_sha1); st = sess_dh_sha1; } assoc_t assoc = alloc_assoc(mode_associate); time_t now = time(0); pout.clear(); pout["assoc_type"] = assoc->assoc_type(); pout["assoc_handle"] = assoc->handle(); /* TODO: eventually remove deprecated stuff */ pout["issued"] = util::time_to_w3c(now); pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); pout["expires_in"] = util::long_to_string(assoc->expires_in()); secret_t secret = assoc->secret(); switch(st) { case sess_dh_sha1: pout["session_type"] = "DH-SHA1"; pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); break; default: secret.to_base64(pout["mac_key"]); break; } } void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { checkid_(mode_checkid_immediate,pin,return_to,pout,ext); } void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { checkid_(mode_checkid_setup,pin,return_to,pout,ext); } void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); pout.clear(); assoc_t assoc; try { assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); }catch(failed_lookup& fl) { // no handle specified or no valid handle found, going dumb assoc = alloc_assoc(mode_checkid_setup); if(pin.has_param("openid.assoc_handle")) pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); } string trust_root; try { trust_root = pin.get_param("openid.trust_root"); }catch(failed_lookup& fl) { } string identity = pin.get_param("openid.identity"); return_to = pin.get_param("openid.return_to"); validate(*assoc,pin,identity,trust_root); pout["mode"] = "id_res"; pout["assoc_handle"] = assoc->handle(); if(pin.has_param("openid.assoc_handle") && assoc->stateless()) pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); pout["identity"] = identity; pout["return_to"] = return_to; /* TODO: eventually remove deprecated stuff */ time_t now = time(0); pout["issued"] = util::time_to_w3c(now); pout["valid_to"] = util::time_to_w3c(now+120); pout["exipres_in"] = "120"; pout["signed"]="mode,identity,return_to"; if(ext) ext->checkid_hook(pin,pout); pout.sign(assoc->secret(),pout["sig"],pout["signed"]); } void server_t::check_authentication(const params_t& pin,params_t& pout) { vector<unsigned char> sig; - mimetic::Base64::Decoder b; const string& sigenc = pin.get_param("openid.sig"); - mimetic::decode( - sigenc.begin(),sigenc.end(), b, - back_insert_iterator<vector<unsigned char> >(sig)); + util::decode_base64(sigenc,sig); assoc_t assoc; try { assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); }catch(failed_lookup& fl) { throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); } if(!assoc->stateless()) throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); const string& slist = pin.get_param("openid.signed"); string kv; string::size_type p =0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; if(f=="mode") kv += "id_res"; else { f.insert(0,"openid."); kv += pin.get_param(f); } kv += '\n'; if(co==string::npos) break; p = co+1; } secret_t secret = assoc->secret(); unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), (const unsigned char *)kv.data(),kv.length(), 0,&md_len); pout.clear(); if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { pout["is_valid"]="true"; pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ }else{ pout["is_valid"]="false"; pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ } if(pin.has_param("openid.invalidate_handle")) { string h = pin.get_param("openid.invalidate_handle"); try { assoc_t assoc = retrieve_assoc(h); }catch(invalid_handle& ih) { pout["invalidate_handle"] = h; }catch(failed_lookup& fl) { } } } } diff --git a/lib/util.cc b/lib/util.cc index d78b5e0..d9abca7 100644 --- a/lib/util.cc +++ b/lib/util.cc @@ -1,113 +1,158 @@ #include <errno.h> #include <cassert> #include <vector> #include <string> -#include <mimetic/mimetic.h> +#include <openssl/bio.h> +#include <openssl/evp.h> #include <curl/curl.h> #include "opkele/util.h" #include "opkele/exception.h" namespace opkele { using namespace std; namespace util { /* + * base64 + */ + string encode_base64(const void *data,size_t length) { + BIO *b64 = 0, *bmem = 0; + try { + b64 = BIO_new(BIO_f_base64()); + if(!b64) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 encoder"); + BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); + bmem = BIO_new(BIO_s_mem()); + BIO_set_flags(b64,BIO_CLOSE); + if(!bmem) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() memory buffer"); + BIO_push(b64,bmem); + if(BIO_write(b64,data,length)!=length) + throw exception_openssl(OPKELE_CP_ "failed to BIO_write()"); + BIO_flush(b64); + char *rvd; + long rvl = BIO_get_mem_data(bmem,&rvd); + string rv(rvd,rvl); + BIO_free_all(b64); + return rv; + }catch(...) { + if(b64) BIO_free_all(b64); + throw; + } + } + + void decode_base64(const string& data,vector<unsigned char>& rv) { + BIO *b64 = 0, *bmem = 0; + rv.clear(); + try { + bmem = BIO_new_mem_buf((void*)data.data(),data.size()); + if(!bmem) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new_mem_buf()"); + b64 = BIO_new(BIO_f_base64()); + if(!b64) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 decoder"); + BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); + BIO_push(b64,bmem); + unsigned char tmp[512]; + size_t rb = 0; + while((rb=BIO_read(b64,tmp,sizeof(tmp)))>0) + rv.insert(rv.end(),tmp,&tmp[rb]); + BIO_free_all(b64); + }catch(...) { + if(b64) BIO_free_all(b64); + throw; + } + } + + /* * big numerics */ BIGNUM *base64_to_bignum(const string& b64) { vector<unsigned char> bin; - mimetic::Base64::Decoder b; - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<vector<unsigned char> >(bin) ); + decode_base64(b64,bin); BIGNUM *rv = BN_bin2bn(&(bin.front()),bin.size(),0); if(!rv) throw failed_conversion(OPKELE_CP_ "failed to BN_bin2bn()"); return rv; } BIGNUM *dec_to_bignum(const string& dec) { BIGNUM *rv = 0; if(!BN_dec2bn(&rv,dec.c_str())) throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); return rv; } string bignum_to_base64(const BIGNUM *bn) { vector<unsigned char> bin(BN_num_bytes(bn)); int l = BN_bn2bin(bn,&(bin.front())); - string rv; - mimetic::Base64::Encoder b(0); - mimetic::encode( - bin.begin(),bin.begin()+l, b, - back_insert_iterator<string>(rv) ); - return rv; + return encode_base64(&(bin.front()),l); } /* * w3c times */ string time_to_w3c(time_t t) { struct tm tm_t; if(!gmtime_r(&t,&tm_t)) throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); char rv[25]; if(!strftime(rv,sizeof(rv)-1,"%Y-%m-%dT%H:%M:%SZ",&tm_t)) throw failed_conversion(OPKELE_CP_ "failed to strftime()"); return rv; } time_t w3c_to_time(const string& w) { struct tm tm_t; memset(&tm_t,0,sizeof(tm_t)); if( sscanf( w.c_str(), "%04d-%02d-%02dT%02d:%02d:%02dZ", &tm_t.tm_year,&tm_t.tm_mon,&tm_t.tm_mday, &tm_t.tm_hour,&tm_t.tm_min,&tm_t.tm_sec ) != 6 ) throw failed_conversion(OPKELE_CP_ "failed to sscanf()"); tm_t.tm_mon--; tm_t.tm_year-=1900; time_t rv = mktime(&tm_t); if(rv==(time_t)-1) throw failed_conversion(OPKELE_CP_ "failed to mktime()"); return rv; } /* * */ string url_encode(const string& str) { char * t = curl_escape(str.c_str(),str.length()); if(!t) throw failed_conversion(OPKELE_CP_ "failed to curl_escape()"); string rv(t); curl_free(t); return rv; } string long_to_string(long l) { char rv[32]; int r=snprintf(rv,sizeof(rv),"%ld",l); if(r<0 || r>=sizeof(rv)) throw failed_conversion(OPKELE_CP_ "failed to snprintf()"); return rv; } long string_to_long(const string& s) { char *endptr = 0; long rv = strtol(s.c_str(),&endptr,10); if((!endptr) || endptr==s.c_str()) throw failed_conversion(OPKELE_CP_ "failed to strtol()"); return rv; } } } diff --git a/libopkele.pc.in b/libopkele.pc.in index 60bca34..286720e 100644 --- a/libopkele.pc.in +++ b/libopkele.pc.in @@ -1,11 +1,11 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ Name: libopkele Description: C++ implementation of OpenID protocol Version: @VERSION@ Requires: openssl @KONFORKA_KONFORKA@ Cflags: -I${includedir} @LIBCURL_CPPFLAGS@ @PCREPP_CFLAGS@ -Libs: -L${libdir} -lopkele @LIBCURL@ @PCREPP_LIBS@ @MIMETIC_LIBS@ +Libs: -L${libdir} -lopkele @LIBCURL@ @PCREPP_LIBS@ |