| author | Michael Krelin <hacker@klever.net> | 2007-01-12 12:58:25 (UTC) |
|---|---|---|
| committer | Michael Krelin <hacker@klever.net> | 2007-01-12 12:58:25 (UTC) |
| commit | e79687a3d9a1631613de02d8e12bae36302b46ab (patch) (side-by-side diff) | |
| tree | 4238c0d8d61f5e70ed1e98debb01315babb21686 /lib | |
| parent | 4cc2e58186e8cd9b96a3573c92f6664064cf11fe (diff) | |
| download | libopkele-e79687a3d9a1631613de02d8e12bae36302b46ab.zip libopkele-e79687a3d9a1631613de02d8e12bae36302b46ab.tar.gz libopkele-e79687a3d9a1631613de02d8e12bae36302b46ab.tar.bz2 | |
eliminated mimetic dependency and made use of openssl base64 encoder instead
| -rw-r--r-- | lib/Makefile.am | 2 | ||||
| -rw-r--r-- | lib/consumer.cc | 16 | ||||
| -rw-r--r-- | lib/params.cc | 7 | ||||
| -rw-r--r-- | lib/secret.cc | 22 | ||||
| -rw-r--r-- | lib/server.cc | 6 | ||||
| -rw-r--r-- | lib/util.cc | 67 |
6 files changed, 65 insertions, 55 deletions
diff --git a/lib/Makefile.am b/lib/Makefile.am index bdadd44..ec63c25 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -1,29 +1,27 @@ lib_LTLIBRARIES = libopkele.la INCLUDES = \ -I${top_srcdir}/include/ \ ${KONFORKA_CFLAGS} \ ${OPENSSL_CFLAGS} \ - ${MIMETIC_CFLAGS} \ ${LIBCURL_CPPFLAGS} \ ${PCREPP_CFLAGS} LDADD = \ ${LIBCURL} \ ${PCREPP_LIBS} \ - ${MIMETIC_LIBS} \ ${OPENSSL_LIBS} \ ${KONFORKA_LIBS} libopkele_la_SOURCES = \ params.cc \ util.cc \ server.cc \ secret.cc \ data.cc \ consumer.cc \ exception.cc \ extension.cc \ sreg.cc \ extension_chain.cc libopkele_la_LDFLAGS = \ -version-info 1:0:0 diff --git a/lib/consumer.cc b/lib/consumer.cc index b215aa8..331b1e9 100644 --- a/lib/consumer.cc +++ b/lib/consumer.cc @@ -1,70 +1,61 @@ #include <algorithm> +#include <cassert> #include <opkele/util.h> #include <opkele/exception.h> #include <opkele/data.h> #include <opkele/consumer.h> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> #include <curl/curl.h> #include <pcre++.h> #include <iostream> -/* silly mimetic */ -#undef PACKAGE -#undef PACKAGE_BUGREPORT -#undef PACKAGE_NAME -#undef PACKAGE_STRING -#undef PACKAGE_TARNAME -#undef PACKAGE_VERSION -#undef VERSION - #include "config.h" namespace opkele { using namespace std; class curl_t { public: CURL *_c; curl_t() : _c(0) { } curl_t(CURL *c) : _c(c) { } ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); } curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; } operator const CURL*(void) const { return _c; } operator CURL*(void) { return _c; } }; static CURLcode curl_misc_sets(CURL* c) { CURLcode r; (r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1)) || (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5)) || (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120)) || (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1)) || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION)) || (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20)) ; return r; } static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) { string *str = (string*)stream; size_t bytes = size*nmemb; size_t get = min(16384-str->length(),bytes); str->append((const char*)ptr,get); return get; } assoc_t consumer_t::associate(const string& server) { util::dh_t dh = DH_new(); if(!dh) throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); dh->p = util::dec_to_bignum(data::_default_p); dh->g = util::dec_to_bignum(data::_default_g); if(!DH_generate_key(dh)) throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); string request = @@ -121,101 +112,98 @@ namespace opkele { }else throw bad_input(OPKELE_CP_ "no expiration information"); return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); } string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); } string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); } string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { params_t p; if(mode==mode_checkid_immediate) p["mode"]="checkid_immediate"; else if(mode==mode_checkid_setup) p["mode"]="checkid_setup"; else throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); string iurl = canonicalize(identity); string server, delegate; retrieve_links(iurl,server,delegate); p["identity"] = delegate.empty()?iurl:delegate; if(!trust_root.empty()) p["trust_root"] = trust_root; p["return_to"] = return_to; try { try { string ah = find_assoc(server)->handle(); p["assoc_handle"] = ah; }catch(failed_lookup& fl) { string ah = associate(server)->handle(); p["assoc_handle"] = ah; } }catch(exception& e) { } if(ext) ext->checkid_hook(p,identity); return p.append_query(server); } void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { if(pin.has_param("openid.user_setup_url")) throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); string server,delegate; retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); params_t ps; try { assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); const string& sigenc = pin.get_param("openid.sig"); - mimetic::Base64::Decoder b; vector<unsigned char> sig; - mimetic::decode( - sigenc.begin(),sigenc.end(), b, - back_insert_iterator<vector<unsigned char> >(sig) ); + util::decode_base64(sigenc,sig); const string& slist = pin.get_param("openid.signed"); string kv; string::size_type p = 0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; f.insert(0,"openid."); kv += pin.get_param(f); kv += '\n'; if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); if(co==string::npos) break; p = co+1; } secret_t secret = assoc->secret(); unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), (const unsigned char *)kv.data(),kv.length(), 0,&md_len); if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); }catch(failed_lookup& e) { /* XXX: more specific? */ const string& slist = pin.get_param("openid.signed"); string::size_type pp = 0; params_t p; while(true) { string::size_type co = slist.find(',',pp); string f = "openid."; f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); p[f] = pin.get_param(f); if(co==string::npos) break; pp = co+1; } p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); p["openid.sig"] = pin.get_param("openid.sig"); p["openid.signed"] = pin.get_param("openid.signed"); try { string ih = pin.get_param("openid.invalidate_handle"); p["openid.invalidate_handle"] = ih; }catch(failed_lookup& fl) { } try { check_authentication(server,p); }catch(failed_check_authentication& fca) { diff --git a/lib/params.cc b/lib/params.cc index 14f1a53..03867d5 100644 --- a/lib/params.cc +++ b/lib/params.cc @@ -1,96 +1,91 @@ #include <opkele/types.h> #include <opkele/exception.h> #include <opkele/util.h> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> namespace opkele { using namespace std; bool params_t::has_param(const string& n) const { return find(n)!=end(); } const string& params_t::get_param(const string& n) const { const_iterator i = find(n); if(i==end()) throw failed_lookup(OPKELE_CP_ n+": no such parameter"); return i->second; } string& params_t::get_param(const string& n) { iterator i = find(n); if(i==end()) throw failed_lookup(OPKELE_CP_ n+": no such parameter"); return i->second; } void params_t::parse_keyvalues(const string& kv) { clear(); string::size_type p = 0; while(true) { string::size_type co = kv.find(':',p); if(co==string::npos) break; string::size_type nl = kv.find('\n',co+1); if(nl==string::npos) throw bad_input(OPKELE_CP_ "malformed input"); insert(value_type(kv.substr(p,co-p),kv.substr(co+1,nl-co-1))); p = nl+1; } } void params_t::sign(secret_t secret,string& sig,const string& slist,const char *prefix) const { string kv; string::size_type p = 0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; if(prefix) f.insert(0,prefix); kv += get_param(f); kv += '\n'; if(co==string::npos) break; p = co+1; } unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), (const unsigned char *)kv.data(),kv.length(), 0,&md_len); - mimetic::Base64::Encoder b(0); - sig.erase(); - mimetic::encode( - md,md+md_len, b, - back_insert_iterator<string>(sig) ); + sig = util::encode_base64(md,md_len); } string params_t::append_query(const string& url,const char *prefix) const { string rv = url; bool p = true; if(rv.find('?')==string::npos) { rv += '?'; p = false; } for(const_iterator i=begin();i!=end();++i) { if(p) rv += '&'; else p = true; rv += prefix; rv += i->first; rv += '='; rv += util::url_encode(i->second); } return rv; } ostream& operator << (ostream& o,const params_t& p) { for(params_t::const_iterator i=p.begin();i!=p.end();++i) o << i->first << ':' << i->second << '\n'; return o; } } diff --git a/lib/secret.cc b/lib/secret.cc index ae8a3c5..632a2ca 100644 --- a/lib/secret.cc +++ b/lib/secret.cc @@ -1,61 +1,49 @@ #include <algorithm> #include <functional> #include <opkele/types.h> #include <opkele/exception.h> -#include <mimetic/mimetic.h> +#include <opkele/util.h> namespace opkele { using namespace std; template<class __a1,class __a2,class __r> struct bitwise_xor : public binary_function<__a1,__a2,__r> { __r operator() (const __a1& a1,const __a2& a2) const { return a1^a2; } }; void secret_t::enxor_to_base64(const unsigned char *key_sha1,string& rv) const { if(size()!=20) throw bad_input(OPKELE_CP_ "wrong secret size"); vector<unsigned char> tmp; transform( begin(), end(), key_sha1, back_insert_iterator<vector<unsigned char> >(tmp), bitwise_xor<unsigned char,unsigned char,unsigned char>() ); - mimetic::Base64::Encoder b(0); - mimetic::encode( - tmp.begin(),tmp.end(), b, - back_insert_iterator<string>(rv) ); + rv = util::encode_base64(&(tmp.front()),tmp.size()); } void secret_t::enxor_from_base64(const unsigned char *key_sha1,const string& b64) { - mimetic::Base64::Decoder b; clear(); - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<secret_t>(*this) ); + util::decode_base64(b64,*this); transform( begin(), end(), key_sha1, begin(), bitwise_xor<unsigned char,unsigned char,unsigned char>() ); } void secret_t::to_base64(string& rv) const { if(size()!=20) throw bad_input(OPKELE_CP_ "wrong secret size"); - mimetic::Base64::Encoder b(0); - mimetic::encode( - begin(),end(), b, - back_insert_iterator<string>(rv) ); + rv = util::encode_base64(&(front()),size()); } void secret_t::from_base64(const string& b64) { - mimetic::Base64::Decoder b; - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<secret_t>(*this) ); + util::decode_base64(b64,*this); } } diff --git a/lib/server.cc b/lib/server.cc index 8c29abb..e81d4b6 100644 --- a/lib/server.cc +++ b/lib/server.cc @@ -1,52 +1,51 @@ #include <vector> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> #include <opkele/util.h> #include <opkele/exception.h> #include <opkele/server.h> #include <opkele/data.h> namespace opkele { using namespace std; void server_t::associate(const params_t& pin,params_t& pout) { util::dh_t dh; util::bignum_t c_pub; unsigned char key_sha1[SHA_DIGEST_LENGTH]; enum { sess_cleartext, sess_dh_sha1 } st = sess_cleartext; if( pin.has_param("openid.session_type") && pin.get_param("openid.session_type")=="DH-SHA1" ) { /* TODO: fallback to cleartext in case of exceptions here? */ if(!(dh = DH_new())) throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); if(pin.has_param("openid.dh_modulus")) dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); else dh->p = util::dec_to_bignum(data::_default_p); if(pin.has_param("openid.dh_gen")) dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); else dh->g = util::dec_to_bignum(data::_default_g); if(!DH_generate_key(dh)) throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); vector<unsigned char> ck(DH_size(dh)); int cklen = DH_compute_key(&(ck.front()),c_pub,dh); if(cklen<0) throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); ck.resize(cklen); // OpenID algorithm requires extra zero in case of set bit here if(ck[0]&0x80) ck.insert(ck.begin(),1,0); SHA1(&(ck.front()),ck.size(),key_sha1); st = sess_dh_sha1; } assoc_t assoc = alloc_assoc(mode_associate); time_t now = time(0); pout.clear(); pout["assoc_type"] = assoc->assoc_type(); pout["assoc_handle"] = assoc->handle(); @@ -68,101 +67,98 @@ namespace opkele { } void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { checkid_(mode_checkid_immediate,pin,return_to,pout,ext); } void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { checkid_(mode_checkid_setup,pin,return_to,pout,ext); } void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); pout.clear(); assoc_t assoc; try { assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); }catch(failed_lookup& fl) { // no handle specified or no valid handle found, going dumb assoc = alloc_assoc(mode_checkid_setup); if(pin.has_param("openid.assoc_handle")) pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); } string trust_root; try { trust_root = pin.get_param("openid.trust_root"); }catch(failed_lookup& fl) { } string identity = pin.get_param("openid.identity"); return_to = pin.get_param("openid.return_to"); validate(*assoc,pin,identity,trust_root); pout["mode"] = "id_res"; pout["assoc_handle"] = assoc->handle(); if(pin.has_param("openid.assoc_handle") && assoc->stateless()) pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); pout["identity"] = identity; pout["return_to"] = return_to; /* TODO: eventually remove deprecated stuff */ time_t now = time(0); pout["issued"] = util::time_to_w3c(now); pout["valid_to"] = util::time_to_w3c(now+120); pout["exipres_in"] = "120"; pout["signed"]="mode,identity,return_to"; if(ext) ext->checkid_hook(pin,pout); pout.sign(assoc->secret(),pout["sig"],pout["signed"]); } void server_t::check_authentication(const params_t& pin,params_t& pout) { vector<unsigned char> sig; - mimetic::Base64::Decoder b; const string& sigenc = pin.get_param("openid.sig"); - mimetic::decode( - sigenc.begin(),sigenc.end(), b, - back_insert_iterator<vector<unsigned char> >(sig)); + util::decode_base64(sigenc,sig); assoc_t assoc; try { assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); }catch(failed_lookup& fl) { throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); } if(!assoc->stateless()) throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); const string& slist = pin.get_param("openid.signed"); string kv; string::size_type p =0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; if(f=="mode") kv += "id_res"; else { f.insert(0,"openid."); kv += pin.get_param(f); } kv += '\n'; if(co==string::npos) break; p = co+1; } secret_t secret = assoc->secret(); unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), (const unsigned char *)kv.data(),kv.length(), 0,&md_len); pout.clear(); if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { pout["is_valid"]="true"; pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ }else{ pout["is_valid"]="false"; pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ } if(pin.has_param("openid.invalidate_handle")) { string h = pin.get_param("openid.invalidate_handle"); try { assoc_t assoc = retrieve_assoc(h); }catch(invalid_handle& ih) { pout["invalidate_handle"] = h; diff --git a/lib/util.cc b/lib/util.cc index d78b5e0..d9abca7 100644 --- a/lib/util.cc +++ b/lib/util.cc @@ -1,94 +1,139 @@ #include <errno.h> #include <cassert> #include <vector> #include <string> -#include <mimetic/mimetic.h> +#include <openssl/bio.h> +#include <openssl/evp.h> #include <curl/curl.h> #include "opkele/util.h" #include "opkele/exception.h" namespace opkele { using namespace std; namespace util { /* + * base64 + */ + string encode_base64(const void *data,size_t length) { + BIO *b64 = 0, *bmem = 0; + try { + b64 = BIO_new(BIO_f_base64()); + if(!b64) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 encoder"); + BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); + bmem = BIO_new(BIO_s_mem()); + BIO_set_flags(b64,BIO_CLOSE); + if(!bmem) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() memory buffer"); + BIO_push(b64,bmem); + if(BIO_write(b64,data,length)!=length) + throw exception_openssl(OPKELE_CP_ "failed to BIO_write()"); + BIO_flush(b64); + char *rvd; + long rvl = BIO_get_mem_data(bmem,&rvd); + string rv(rvd,rvl); + BIO_free_all(b64); + return rv; + }catch(...) { + if(b64) BIO_free_all(b64); + throw; + } + } + + void decode_base64(const string& data,vector<unsigned char>& rv) { + BIO *b64 = 0, *bmem = 0; + rv.clear(); + try { + bmem = BIO_new_mem_buf((void*)data.data(),data.size()); + if(!bmem) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new_mem_buf()"); + b64 = BIO_new(BIO_f_base64()); + if(!b64) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 decoder"); + BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); + BIO_push(b64,bmem); + unsigned char tmp[512]; + size_t rb = 0; + while((rb=BIO_read(b64,tmp,sizeof(tmp)))>0) + rv.insert(rv.end(),tmp,&tmp[rb]); + BIO_free_all(b64); + }catch(...) { + if(b64) BIO_free_all(b64); + throw; + } + } + + /* * big numerics */ BIGNUM *base64_to_bignum(const string& b64) { vector<unsigned char> bin; - mimetic::Base64::Decoder b; - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<vector<unsigned char> >(bin) ); + decode_base64(b64,bin); BIGNUM *rv = BN_bin2bn(&(bin.front()),bin.size(),0); if(!rv) throw failed_conversion(OPKELE_CP_ "failed to BN_bin2bn()"); return rv; } BIGNUM *dec_to_bignum(const string& dec) { BIGNUM *rv = 0; if(!BN_dec2bn(&rv,dec.c_str())) throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); return rv; } string bignum_to_base64(const BIGNUM *bn) { vector<unsigned char> bin(BN_num_bytes(bn)); int l = BN_bn2bin(bn,&(bin.front())); - string rv; - mimetic::Base64::Encoder b(0); - mimetic::encode( - bin.begin(),bin.begin()+l, b, - back_insert_iterator<string>(rv) ); - return rv; + return encode_base64(&(bin.front()),l); } /* * w3c times */ string time_to_w3c(time_t t) { struct tm tm_t; if(!gmtime_r(&t,&tm_t)) throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); char rv[25]; if(!strftime(rv,sizeof(rv)-1,"%Y-%m-%dT%H:%M:%SZ",&tm_t)) throw failed_conversion(OPKELE_CP_ "failed to strftime()"); return rv; } time_t w3c_to_time(const string& w) { struct tm tm_t; memset(&tm_t,0,sizeof(tm_t)); if( sscanf( w.c_str(), "%04d-%02d-%02dT%02d:%02d:%02dZ", &tm_t.tm_year,&tm_t.tm_mon,&tm_t.tm_mday, &tm_t.tm_hour,&tm_t.tm_min,&tm_t.tm_sec ) != 6 ) throw failed_conversion(OPKELE_CP_ "failed to sscanf()"); tm_t.tm_mon--; tm_t.tm_year-=1900; time_t rv = mktime(&tm_t); if(rv==(time_t)-1) throw failed_conversion(OPKELE_CP_ "failed to mktime()"); return rv; } /* * */ string url_encode(const string& str) { char * t = curl_escape(str.c_str(),str.length()); if(!t) throw failed_conversion(OPKELE_CP_ "failed to curl_escape()"); string rv(t); curl_free(t); return rv; } |