the whole library rewritten

Signed-off-by: Michael Krelin <hacker@klever.net>
author: Michael Krelin <hacker@klever.net> 2008-01-20 21:08:05 (UTC)
committer: Michael Krelin <hacker@klever.net> 2008-01-20 21:08:05 (UTC)
commit: 9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc (patch) (side-by-side diff)
tree: 702473142242e80538c4801cc379ec98fba199dd /lib/basic_rp.cc
parent: 395a126cbf59b7a50f44da3096b68bab412ab33d (diff)
download: libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.zip
libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.gz
libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.bz2
1 files changed, 311 insertions, 0 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
new file mode 100644
index 0000000..763a391
--- a/dev/null
+++ b/lib/basic_rp.cc
@@ -0,0 +1,311 @@
+#include <openssl/sha.h>
+#include <openssl/hmac.h>
+#include <opkele/basic_rp.h>
+#include <opkele/exception.h>
+#include <opkele/uris.h>
+#include <opkele/data.h>
+#include <opkele/util.h>
+#include <opkele/curl.h>
+
+namespace opkele {
+
+    static void dh_get_secret(
+	    secret_t& secret, const basic_openid_message& om,
+	    const char *exp_assoc, const char *exp_sess,
+	    util::dh_t& dh,
+	    size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*) ) try {
+	if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
+	    throw bad_input(OPKELE_CP_ "Unexpected associate response");
+	util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
+	vector<unsigned char> ck(DH_size(dh)+1);
+	unsigned char *ckptr = &(ck.front())+1;
+	int cklen = DH_compute_key(ckptr,s_pub,dh);
+	if(cklen<0)
+	    throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
+	if(cklen && (*ckptr)&0x80) {
+	    (*(--ckptr))=0; ++cklen; }
+	unsigned char key_digest[d_len];
+	secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
+    }catch(opkele::failed_lookup& ofl) {
+	throw bad_input(OPKELE_CP_ "Incoherent response from OP");
+    } OPKELE_RETHROW
+
+    static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
+	util::curl_pick_t curl = util::curl_pick_t::easy_init();
+	if(!curl)
+	    throw exception_curl(OPKELE_CP_ "failed to initialize curl");
+	string request = inm.query_string();
+	CURLcode r;
+	(r=curl.misc_sets())
+	    || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
+	    || (r=curl.easy_setopt(CURLOPT_POST,1))
+	    || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
+	    || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
+	    || (r=curl.set_write());
+	if(r)
+	    throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
+	if( (r=curl.easy_perform()) )
+	    throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
+	oum.from_keyvalues(curl.response);
+    }
+
+
+    assoc_t basic_RP::associate(const string& OP) {
+	util::dh_t dh = DH_new();
+	if(!dh)
+	    throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
+	dh->p = util::dec_to_bignum(data::_default_p);
+	dh->g = util::dec_to_bignum(data::_default_g);
+	if(!DH_generate_key(dh))
+	    throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
+	openid_message_t req;
+	req.set_field("ns",OIURI_OPENID20);
+	req.set_field("mode","associate");
+	req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
+	req.set_field("dh_gen",util::bignum_to_base64(dh->g));
+	req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
+	openid_message_t res;
+	req.set_field("assoc_type","HMAC-SHA256");
+	req.set_field("session_type","DH-SHA256");
+	secret_t secret;
+	int expires_in;
+	try {
+	    direct_request(res,req,OP);
+	    dh_get_secret( secret, res,
+		    "HMAC-SHA256", "DH-SHA256",
+		    dh, SHA256_DIGEST_LENGTH, SHA256 );
+	    expires_in = util::string_to_long(res.get_field("expires_in"));
+	}catch(exception& e) {
+	    try {
+		req.set_field("assoc_type","HMAC-SHA1");
+		req.set_field("session_type","DH-SHA1");
+		direct_request(res,req,OP);
+		dh_get_secret( secret, res,
+			"HMAC-SHA1", "DH-SHA1",
+			dh, SHA_DIGEST_LENGTH, SHA1 );
+		expires_in = util::string_to_long(res.get_field("expires_in"));
+	    }catch(bad_input& e) {
+		throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
+	    }
+	}
+	return store_assoc(
+		OP, res.get_field("assoc_handle"),
+		res.get_field("assoc_type"), secret,
+		expires_in );
+    }
+
+    basic_openid_message& basic_RP::checkid_(
+	    basic_openid_message& rv,
+	    mode_t mode,
+	    const string& return_to,const string& realm,
+	    extension_t *ext) {
+	rv.reset_fields();
+	rv.set_field("ns",OIURI_OPENID20);
+	if(mode==mode_checkid_immediate)
+	    rv.set_field("mode","checkid_immediate");
+	else if(mode==mode_checkid_setup)
+	    rv.set_field("mode","checkid_setup");
+	else
+	    throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
+	if(realm.empty() && return_to.empty())
+	    throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
+	if(!realm.empty()) {
+	    rv.set_field("realm",realm);
+	    rv.set_field("trust_root",realm);
+	}
+	if(!return_to.empty())
+	    rv.set_field("return_to",return_to);
+	const openid_endpoint_t& ep = get_endpoint();
+	rv.set_field("claimed_id",ep.claimed_id);
+	rv.set_field("identity",ep.local_id);
+	try {
+	    rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());
+	}catch(dumb_RP& drp) {
+	}catch(failed_lookup& fl) {
+	    try {
+		rv.set_field("assoc_handle",associate(ep.uri)->handle());
+	    }catch(dumb_RP& drp) { }
+	} OPKELE_RETHROW
+	if(ext) ext->checkid_hook(rv);
+	return rv;
+    }
+
+    class signed_part_message_proxy : public basic_openid_message {
+	public:
+	    const basic_openid_message& x;
+	    set<string> signeds;
+
+	    signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {
+		const string& slist = x.get_field("signed");
+		string::size_type p = 0;
+		while(true) {
+		    string::size_type co = slist.find(',',p);
+		    string f = (co==string::npos)
+			?slist.substr(p):slist.substr(p,co-p);
+		    signeds.insert(f);
+		    if(co==string::npos) break;
+		    p = co+1;
+		}
+	    }
+
+	    bool has_field(const string& n) const {
+		return signeds.find(n)!=signeds.end() && x.has_field(n); }
+	    const string& get_field(const string& n) const {
+		if(signeds.find(n)==signeds.end())
+		    throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");
+		return x.get_field(n); }
+
+	    fields_iterator fields_begin() const {
+		return signeds.begin(); }
+	    fields_iterator fields_end() const {
+		return signeds.end(); }
+    };
+
+    static void parse_query(const string& u,string::size_type q,
+	    map<string,string>& p) {
+	if(q==string::npos)
+	    return;
+	assert(u[q]=='?');
+	++q;
+	string::size_type l = u.size();
+	while(q<l) {
+	    string::size_type eq = u.find('=',q);
+	    string::size_type am = u.find('&',q);
+	    if(am==string::npos) {
+		if(eq==string::npos) {
+		    p[""] = u.substr(q);
+		}else{
+		    p[u.substr(q,eq-q)] = u.substr(eq+1);
+		}
+		break;
+	    }else{
+		if(eq==string::npos || eq>am) {
+		    p[""] = u.substr(q,eq-q);
+		}else{
+		    p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
+		}
+		q = ++am;
+	    }
+	}
+    }
+
+    void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
+	bool o2 = om.has_field("ns")
+	    && om.get_field("ns")==OIURI_OPENID20;
+	if( (!o2) && om.has_field("user_setup_url"))
+	    throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
+		    om.get_field("user_setup_url"));
+	string m = om.get_field("mode");
+	if(o2 && m=="setup_needed")
+	    throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
+	if(m=="cancel")
+	    throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
+	bool go_dumb=false;
+	try {
+	    string OP = o2
+		?om.get_field("op_endpoint")
+		:get_endpoint().uri;
+	    assoc_t assoc = retrieve_assoc(
+		    OP,om.get_field("assoc_handle"));
+	    if(om.get_field("sig")!=util::base64_signature(assoc,om))
+		throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
+	}catch(dumb_RP& drp) {
+	    go_dumb=true;
+	}catch(failed_lookup& e) {
+	    go_dumb=true;
+	} OPKELE_RETHROW
+	if(go_dumb) {
+	    try {
+		string OP = o2
+		    ?om.get_field("op_endpoint")
+		    :get_endpoint().uri;
+		check_authentication(OP,om);
+	    }catch(failed_check_authentication& fca) {
+		throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
+	    } OPKELE_RETHROW
+	}
+	signed_part_message_proxy signeds(om);
+	if(o2) {
+	    check_nonce(om.get_field("op_endpoint"),
+		    om.get_field("response_nonce"));
+	    static const char *mustsign[] = {
+		"op_endpoint", "return_to", "response_nonce", "assoc_handle",
+		"claimed_id", "identity" };
+	    for(int ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
+		if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
+		    throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
+	    }
+	    if( (
+		    (om.has_field("claimed_id")?1:0)
+		    ^
+		    (om.has_field("identity")?1:0)
+		)&1 )
+		throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
+
+	    string turl = util::rfc_3986_normalize_uri(get_this_url());
+	    util::strip_uri_fragment_part(turl);
+	    string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
+	    util::strip_uri_fragment_part(rurl);
+	    string::size_type
+		tq = turl.find('?'), rq = rurl.find('?');
+	    if(
+		    ((tq==string::npos)?turl:turl.substr(0,tq))
+		    !=
+		    ((rq==string::npos)?rurl:rurl.substr(0,rq))
+	      )
+		throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
+	    map<string,string> tp; parse_query(turl,tq,tp);
+	    map<string,string> rp; parse_query(rurl,rq,rp);
+	    for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
+		map<string,string>::const_iterator tpi = tp.find(rpi->first);
+		if(tpi==tp.end())
+		    throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
+		if(tpi->second!=rpi->second)
+		    throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
+	    }
+
+	    if(om.has_field("claimed_id")) {
+		verify_OP(
+			om.get_field("op_endpoint"),
+			om.get_field("claimed_id"),
+			om.get_field("identity") );
+	    }
+
+	}
+	if(ext) ext->id_res_hook(om,signeds);
+    }
+
+    class check_auth_message_proxy : public basic_openid_message {
+	public:
+	    const basic_openid_message& x;
+
+	    check_auth_message_proxy(const basic_openid_message& xx) : x(xx) { }
+
+	    bool has_field(const string& n) const { return x.has_field(n); }
+	    const string& get_field(const string& n) const {
+		static const string checkauthmode="check_authentication";
+		return (n=="mode")?checkauthmode:x.get_field(n); }
+	    bool has_ns(const string& uri) const {return x.has_ns(uri); }
+	    string get_ns(const string& uri) const { return x.get_ns(uri); }
+	    fields_iterator fields_begin() const {
+		return x.fields_begin(); }
+	    fields_iterator fields_end() const {
+		return x.fields_end(); }
+    };
+
+    void basic_RP::check_authentication(const string& OP,
+	    const basic_openid_message& om){
+	openid_message_t res;
+	direct_request(res,check_auth_message_proxy(om),OP);
+	if(res.has_field("is_valid")) {
+	    if(res.get_field("is_valid")=="true") {
+		if(res.has_field("invalidate_handle"))
+		    invalidate_assoc(OP,res.get_field("invalidate_handle"));
+		return;
+	    }
+	}
+	throw failed_check_authentication(
+		OPKELE_CP_ "failed to verify response");
+    }
+
+}
author	Michael Krelin <hacker@klever.net>	2008-01-20 21:08:05 (UTC)
committer	Michael Krelin <hacker@klever.net>	2008-01-20 21:08:05 (UTC)
commit	9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc (patch) (side-by-side diff)
tree	702473142242e80538c4801cc379ec98fba199dd /lib/basic_rp.cc
parent	395a126cbf59b7a50f44da3096b68bab412ab33d (diff)
download	libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.zip libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.gz libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.bz2