-rw-r--r-- | configure.ac | 11 | ||||
-rw-r--r-- | include/opkele/util.h | 5 | ||||
-rw-r--r-- | lib/Makefile.am | 2 | ||||
-rw-r--r-- | lib/consumer.cc | 16 | ||||
-rw-r--r-- | lib/params.cc | 7 | ||||
-rw-r--r-- | lib/secret.cc | 22 | ||||
-rw-r--r-- | lib/server.cc | 6 | ||||
-rw-r--r-- | lib/util.cc | 67 | ||||
-rw-r--r-- | libopkele.pc.in | 2 |
9 files changed, 71 insertions, 67 deletions
diff --git a/configure.ac b/configure.ac index af7a301..2ce5f71 100644 --- a/configure.ac +++ b/configure.ac @@ -12,75 +12,64 @@ AC_HEADER_STDC AC_PATH_PROG([XSLTPROC],[xsltproc],[true]) AC_WITH_PKGCONFIG PKG_CHECK_MODULES([OPENSSL],[openssl],[ AC_MSG_RESULT([yes]) ],[ AC_MSG_ERROR([no openssl library found. get one from http://www.openssl.org/]) ] ) WANT_KONFORKA="yes" AC_ARG_ENABLE([konforka], AC_HELP_STRING([--disable-konforka],[do not use konforka library (default: use if found)]), [ test "${enableval}" = "no" && WANT_KONFORKA="no" ] ) if test "${WANT_KONFORKA}" = "yes" ; then PKG_CHECK_MODULES([KONFORKA],[konforka],[ AC_MSG_RESULT([yes]) AC_SUBST([KONFORKA_CFLAGS]) AC_SUBST([KONFORKA_LIBS]) AC_DEFINE([HAVE_KONFORKA],,[defined in presence of konforka library]) AC_DEFINE([OPKELE_HAVE_KONFORKA],,[defined in presence of konforka library]) AC_SUBST([KONFORKA_KONFORKA],[konforka]) ],[ AC_MSG_RESULT([no]) ] ) fi -AC_LANG_PUSH([C++]) - AC_CHECK_LIB([mimetic],[main],[ - MIMETIC_LIBS=-lmimetic - AC_SUBST([MIMETIC_CFLAGS]) - AC_SUBST([MIMETIC_LIBS]) - ],[ - AC_MSG_ERROR([no mimetic library found. get one from http://codesink.org/mimetic_mime_library.html]) - ] - ) -AC_LANG_POP([C++]) - WANT_DOXYGEN="yes" AC_ARG_ENABLE([doxygen], AC_HELP_STRING([--disable-doxygen],[do not generate documentation]), [ test "${enableval}" = "no" && WANT_DOXYGEN="no" ] ) if test "${WANT_DOXYGEN}" = "yes" ; then AC_WITH_DOXYGEN AC_WITH_DOT else AM_CONDITIONAL([HAVE_DOXYGEN],[false]) AM_CONDITIONAL([HAVE_DOT],[false]) fi LIBCURL_CHECK_CONFIG(,,,[ AC_MSG_ERROR([no required libcurl library. get one from http://curl.haxx.se/]) ]) AC_WITH_PCRE([ AC_WITH_PCREPP(,[ AC_MSG_ERROR([no pcre++ library found. get one at http://www.daemon.de/PCRE]) ]) ],[ AC_MSG_ERROR([no pcre library found. get one at http://www.pcre.org/]) ] ) AC_CONFIG_FILES([ Makefile libopkele.pc Doxyfile include/Makefile diff --git a/include/opkele/util.h b/include/opkele/util.h index 5372498..80d8b03 100644 --- a/include/opkele/util.h +++ b/include/opkele/util.h @@ -1,59 +1,64 @@ #ifndef __OPKELE_UTIL_H #define __OPKELE_UTIL_H #include <time.h> #include <string> +#include <vector> #include <openssl/bn.h> #include <openssl/dh.h> namespace opkele { using std::string; + using std::vector; namespace util { class bignum_t { public: BIGNUM *_bn; bignum_t() : _bn(0) { } bignum_t(BIGNUM *bn) : _bn(bn) { } ~bignum_t() throw() { if(_bn) BN_free(_bn); } bignum_t& operator=(BIGNUM *bn) { if(_bn) BN_free(_bn); _bn = bn; return *this; } operator const BIGNUM*(void) const { return _bn; } operator BIGNUM*(void) { return _bn; } }; class dh_t { public: DH *_dh; dh_t() : _dh(0) { } dh_t(DH *dh) : _dh(dh) { } ~dh_t() throw() { if(_dh) DH_free(_dh); } dh_t& operator=(DH *dh) { if(_dh) DH_free(_dh); _dh = dh; return *this; } operator const DH*(void) const { return _dh; } operator DH*(void) { return _dh; } DH* operator->() { return _dh; } const DH* operator->() const { return _dh; } }; BIGNUM *base64_to_bignum(const string& b64); BIGNUM *dec_to_bignum(const string& dec); string bignum_to_base64(const BIGNUM *bn); string time_to_w3c(time_t t); time_t w3c_to_time(const string& w); string url_encode(const string& str); string long_to_string(long l); long string_to_long(const string& s); + + string encode_base64(const void *data,size_t length); + void decode_base64(const string& data,vector<unsigned char>& rv); } } #endif /* __OPKELE_UTIL_H */ diff --git a/lib/Makefile.am b/lib/Makefile.am index bdadd44..ec63c25 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -1,29 +1,27 @@ lib_LTLIBRARIES = libopkele.la INCLUDES = \ -I${top_srcdir}/include/ \ ${KONFORKA_CFLAGS} \ ${OPENSSL_CFLAGS} \ - ${MIMETIC_CFLAGS} \ ${LIBCURL_CPPFLAGS} \ ${PCREPP_CFLAGS} LDADD = \ ${LIBCURL} \ ${PCREPP_LIBS} \ - ${MIMETIC_LIBS} \ ${OPENSSL_LIBS} \ ${KONFORKA_LIBS} libopkele_la_SOURCES = \ params.cc \ util.cc \ server.cc \ secret.cc \ data.cc \ consumer.cc \ exception.cc \ extension.cc \ sreg.cc \ extension_chain.cc libopkele_la_LDFLAGS = \ -version-info 1:0:0 diff --git a/lib/consumer.cc b/lib/consumer.cc index b215aa8..331b1e9 100644 --- a/lib/consumer.cc +++ b/lib/consumer.cc @@ -1,54 +1,45 @@ #include <algorithm> +#include <cassert> #include <opkele/util.h> #include <opkele/exception.h> #include <opkele/data.h> #include <opkele/consumer.h> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> #include <curl/curl.h> #include <pcre++.h> #include <iostream> -/* silly mimetic */ -#undef PACKAGE -#undef PACKAGE_BUGREPORT -#undef PACKAGE_NAME -#undef PACKAGE_STRING -#undef PACKAGE_TARNAME -#undef PACKAGE_VERSION -#undef VERSION - #include "config.h" namespace opkele { using namespace std; class curl_t { public: CURL *_c; curl_t() : _c(0) { } curl_t(CURL *c) : _c(c) { } ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); } curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; } operator const CURL*(void) const { return _c; } operator CURL*(void) { return _c; } }; static CURLcode curl_misc_sets(CURL* c) { CURLcode r; (r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1)) || (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5)) || (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120)) || (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1)) || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION)) || (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20)) ; return r; } static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) { @@ -137,69 +128,66 @@ namespace opkele { p["mode"]="checkid_setup"; else throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); string iurl = canonicalize(identity); string server, delegate; retrieve_links(iurl,server,delegate); p["identity"] = delegate.empty()?iurl:delegate; if(!trust_root.empty()) p["trust_root"] = trust_root; p["return_to"] = return_to; try { try { string ah = find_assoc(server)->handle(); p["assoc_handle"] = ah; }catch(failed_lookup& fl) { string ah = associate(server)->handle(); p["assoc_handle"] = ah; } }catch(exception& e) { } if(ext) ext->checkid_hook(p,identity); return p.append_query(server); } void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { if(pin.has_param("openid.user_setup_url")) throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); string server,delegate; retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); params_t ps; try { assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); const string& sigenc = pin.get_param("openid.sig"); - mimetic::Base64::Decoder b; vector<unsigned char> sig; - mimetic::decode( - sigenc.begin(),sigenc.end(), b, - back_insert_iterator<vector<unsigned char> >(sig) ); + util::decode_base64(sigenc,sig); const string& slist = pin.get_param("openid.signed"); string kv; string::size_type p = 0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; f.insert(0,"openid."); kv += pin.get_param(f); kv += '\n'; if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); if(co==string::npos) break; p = co+1; } secret_t secret = assoc->secret(); unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), (const unsigned char *)kv.data(),kv.length(), 0,&md_len); if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); }catch(failed_lookup& e) { /* XXX: more specific? */ const string& slist = pin.get_param("openid.signed"); string::size_type pp = 0; params_t p; while(true) { string::size_type co = slist.find(',',pp); string f = "openid."; diff --git a/lib/params.cc b/lib/params.cc index 14f1a53..03867d5 100644 --- a/lib/params.cc +++ b/lib/params.cc @@ -1,96 +1,91 @@ #include <opkele/types.h> #include <opkele/exception.h> #include <opkele/util.h> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> namespace opkele { using namespace std; bool params_t::has_param(const string& n) const { return find(n)!=end(); } const string& params_t::get_param(const string& n) const { const_iterator i = find(n); if(i==end()) throw failed_lookup(OPKELE_CP_ n+": no such parameter"); return i->second; } string& params_t::get_param(const string& n) { iterator i = find(n); if(i==end()) throw failed_lookup(OPKELE_CP_ n+": no such parameter"); return i->second; } void params_t::parse_keyvalues(const string& kv) { clear(); string::size_type p = 0; while(true) { string::size_type co = kv.find(':',p); if(co==string::npos) break; string::size_type nl = kv.find('\n',co+1); if(nl==string::npos) throw bad_input(OPKELE_CP_ "malformed input"); insert(value_type(kv.substr(p,co-p),kv.substr(co+1,nl-co-1))); p = nl+1; } } void params_t::sign(secret_t secret,string& sig,const string& slist,const char *prefix) const { string kv; string::size_type p = 0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; if(prefix) f.insert(0,prefix); kv += get_param(f); kv += '\n'; if(co==string::npos) break; p = co+1; } unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), (const unsigned char *)kv.data(),kv.length(), 0,&md_len); - mimetic::Base64::Encoder b(0); - sig.erase(); - mimetic::encode( - md,md+md_len, b, - back_insert_iterator<string>(sig) ); + sig = util::encode_base64(md,md_len); } string params_t::append_query(const string& url,const char *prefix) const { string rv = url; bool p = true; if(rv.find('?')==string::npos) { rv += '?'; p = false; } for(const_iterator i=begin();i!=end();++i) { if(p) rv += '&'; else p = true; rv += prefix; rv += i->first; rv += '='; rv += util::url_encode(i->second); } return rv; } ostream& operator << (ostream& o,const params_t& p) { for(params_t::const_iterator i=p.begin();i!=p.end();++i) o << i->first << ':' << i->second << '\n'; return o; } } diff --git a/lib/secret.cc b/lib/secret.cc index ae8a3c5..632a2ca 100644 --- a/lib/secret.cc +++ b/lib/secret.cc @@ -1,61 +1,49 @@ #include <algorithm> #include <functional> #include <opkele/types.h> #include <opkele/exception.h> -#include <mimetic/mimetic.h> +#include <opkele/util.h> namespace opkele { using namespace std; template<class __a1,class __a2,class __r> struct bitwise_xor : public binary_function<__a1,__a2,__r> { __r operator() (const __a1& a1,const __a2& a2) const { return a1^a2; } }; void secret_t::enxor_to_base64(const unsigned char *key_sha1,string& rv) const { if(size()!=20) throw bad_input(OPKELE_CP_ "wrong secret size"); vector<unsigned char> tmp; transform( begin(), end(), key_sha1, back_insert_iterator<vector<unsigned char> >(tmp), bitwise_xor<unsigned char,unsigned char,unsigned char>() ); - mimetic::Base64::Encoder b(0); - mimetic::encode( - tmp.begin(),tmp.end(), b, - back_insert_iterator<string>(rv) ); + rv = util::encode_base64(&(tmp.front()),tmp.size()); } void secret_t::enxor_from_base64(const unsigned char *key_sha1,const string& b64) { - mimetic::Base64::Decoder b; clear(); - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<secret_t>(*this) ); + util::decode_base64(b64,*this); transform( begin(), end(), key_sha1, begin(), bitwise_xor<unsigned char,unsigned char,unsigned char>() ); } void secret_t::to_base64(string& rv) const { if(size()!=20) throw bad_input(OPKELE_CP_ "wrong secret size"); - mimetic::Base64::Encoder b(0); - mimetic::encode( - begin(),end(), b, - back_insert_iterator<string>(rv) ); + rv = util::encode_base64(&(front()),size()); } void secret_t::from_base64(const string& b64) { - mimetic::Base64::Decoder b; - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<secret_t>(*this) ); + util::decode_base64(b64,*this); } } diff --git a/lib/server.cc b/lib/server.cc index 8c29abb..e81d4b6 100644 --- a/lib/server.cc +++ b/lib/server.cc @@ -1,36 +1,35 @@ #include <vector> #include <openssl/sha.h> #include <openssl/hmac.h> -#include <mimetic/mimetic.h> #include <opkele/util.h> #include <opkele/exception.h> #include <opkele/server.h> #include <opkele/data.h> namespace opkele { using namespace std; void server_t::associate(const params_t& pin,params_t& pout) { util::dh_t dh; util::bignum_t c_pub; unsigned char key_sha1[SHA_DIGEST_LENGTH]; enum { sess_cleartext, sess_dh_sha1 } st = sess_cleartext; if( pin.has_param("openid.session_type") && pin.get_param("openid.session_type")=="DH-SHA1" ) { /* TODO: fallback to cleartext in case of exceptions here? */ if(!(dh = DH_new())) throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); if(pin.has_param("openid.dh_modulus")) dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); else dh->p = util::dec_to_bignum(data::_default_p); if(pin.has_param("openid.dh_gen")) dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); else dh->g = util::dec_to_bignum(data::_default_g); if(!DH_generate_key(dh)) @@ -84,69 +83,66 @@ namespace opkele { assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); }catch(failed_lookup& fl) { // no handle specified or no valid handle found, going dumb assoc = alloc_assoc(mode_checkid_setup); if(pin.has_param("openid.assoc_handle")) pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); } string trust_root; try { trust_root = pin.get_param("openid.trust_root"); }catch(failed_lookup& fl) { } string identity = pin.get_param("openid.identity"); return_to = pin.get_param("openid.return_to"); validate(*assoc,pin,identity,trust_root); pout["mode"] = "id_res"; pout["assoc_handle"] = assoc->handle(); if(pin.has_param("openid.assoc_handle") && assoc->stateless()) pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); pout["identity"] = identity; pout["return_to"] = return_to; /* TODO: eventually remove deprecated stuff */ time_t now = time(0); pout["issued"] = util::time_to_w3c(now); pout["valid_to"] = util::time_to_w3c(now+120); pout["exipres_in"] = "120"; pout["signed"]="mode,identity,return_to"; if(ext) ext->checkid_hook(pin,pout); pout.sign(assoc->secret(),pout["sig"],pout["signed"]); } void server_t::check_authentication(const params_t& pin,params_t& pout) { vector<unsigned char> sig; - mimetic::Base64::Decoder b; const string& sigenc = pin.get_param("openid.sig"); - mimetic::decode( - sigenc.begin(),sigenc.end(), b, - back_insert_iterator<vector<unsigned char> >(sig)); + util::decode_base64(sigenc,sig); assoc_t assoc; try { assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); }catch(failed_lookup& fl) { throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); } if(!assoc->stateless()) throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); const string& slist = pin.get_param("openid.signed"); string kv; string::size_type p =0; while(true) { string::size_type co = slist.find(',',p); string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); kv += f; kv += ':'; if(f=="mode") kv += "id_res"; else { f.insert(0,"openid."); kv += pin.get_param(f); } kv += '\n'; if(co==string::npos) break; p = co+1; } secret_t secret = assoc->secret(); unsigned int md_len = 0; unsigned char *md = HMAC( EVP_sha1(), &(secret.front()),secret.size(), diff --git a/lib/util.cc b/lib/util.cc index d78b5e0..d9abca7 100644 --- a/lib/util.cc +++ b/lib/util.cc @@ -1,78 +1,123 @@ #include <errno.h> #include <cassert> #include <vector> #include <string> -#include <mimetic/mimetic.h> +#include <openssl/bio.h> +#include <openssl/evp.h> #include <curl/curl.h> #include "opkele/util.h" #include "opkele/exception.h" namespace opkele { using namespace std; namespace util { /* + * base64 + */ + string encode_base64(const void *data,size_t length) { + BIO *b64 = 0, *bmem = 0; + try { + b64 = BIO_new(BIO_f_base64()); + if(!b64) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 encoder"); + BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); + bmem = BIO_new(BIO_s_mem()); + BIO_set_flags(b64,BIO_CLOSE); + if(!bmem) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() memory buffer"); + BIO_push(b64,bmem); + if(BIO_write(b64,data,length)!=length) + throw exception_openssl(OPKELE_CP_ "failed to BIO_write()"); + BIO_flush(b64); + char *rvd; + long rvl = BIO_get_mem_data(bmem,&rvd); + string rv(rvd,rvl); + BIO_free_all(b64); + return rv; + }catch(...) { + if(b64) BIO_free_all(b64); + throw; + } + } + + void decode_base64(const string& data,vector<unsigned char>& rv) { + BIO *b64 = 0, *bmem = 0; + rv.clear(); + try { + bmem = BIO_new_mem_buf((void*)data.data(),data.size()); + if(!bmem) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new_mem_buf()"); + b64 = BIO_new(BIO_f_base64()); + if(!b64) + throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 decoder"); + BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); + BIO_push(b64,bmem); + unsigned char tmp[512]; + size_t rb = 0; + while((rb=BIO_read(b64,tmp,sizeof(tmp)))>0) + rv.insert(rv.end(),tmp,&tmp[rb]); + BIO_free_all(b64); + }catch(...) { + if(b64) BIO_free_all(b64); + throw; + } + } + + /* * big numerics */ BIGNUM *base64_to_bignum(const string& b64) { vector<unsigned char> bin; - mimetic::Base64::Decoder b; - mimetic::decode( - b64.begin(),b64.end(), b, - back_insert_iterator<vector<unsigned char> >(bin) ); + decode_base64(b64,bin); BIGNUM *rv = BN_bin2bn(&(bin.front()),bin.size(),0); if(!rv) throw failed_conversion(OPKELE_CP_ "failed to BN_bin2bn()"); return rv; } BIGNUM *dec_to_bignum(const string& dec) { BIGNUM *rv = 0; if(!BN_dec2bn(&rv,dec.c_str())) throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); return rv; } string bignum_to_base64(const BIGNUM *bn) { vector<unsigned char> bin(BN_num_bytes(bn)); int l = BN_bn2bin(bn,&(bin.front())); - string rv; - mimetic::Base64::Encoder b(0); - mimetic::encode( - bin.begin(),bin.begin()+l, b, - back_insert_iterator<string>(rv) ); - return rv; + return encode_base64(&(bin.front()),l); } /* * w3c times */ string time_to_w3c(time_t t) { struct tm tm_t; if(!gmtime_r(&t,&tm_t)) throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); char rv[25]; if(!strftime(rv,sizeof(rv)-1,"%Y-%m-%dT%H:%M:%SZ",&tm_t)) throw failed_conversion(OPKELE_CP_ "failed to strftime()"); return rv; } time_t w3c_to_time(const string& w) { struct tm tm_t; memset(&tm_t,0,sizeof(tm_t)); if( sscanf( w.c_str(), "%04d-%02d-%02dT%02d:%02d:%02dZ", &tm_t.tm_year,&tm_t.tm_mon,&tm_t.tm_mday, &tm_t.tm_hour,&tm_t.tm_min,&tm_t.tm_sec ) != 6 ) throw failed_conversion(OPKELE_CP_ "failed to sscanf()"); tm_t.tm_mon--; tm_t.tm_year-=1900; time_t rv = mktime(&tm_t); if(rv==(time_t)-1) throw failed_conversion(OPKELE_CP_ "failed to mktime()"); diff --git a/libopkele.pc.in b/libopkele.pc.in index 60bca34..286720e 100644 --- a/libopkele.pc.in +++ b/libopkele.pc.in @@ -1,11 +1,11 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ Name: libopkele Description: C++ implementation of OpenID protocol Version: @VERSION@ Requires: openssl @KONFORKA_KONFORKA@ Cflags: -I${includedir} @LIBCURL_CPPFLAGS@ @PCREPP_CFLAGS@ -Libs: -L${libdir} -lopkele @LIBCURL@ @PCREPP_LIBS@ @MIMETIC_LIBS@ +Libs: -L${libdir} -lopkele @LIBCURL@ @PCREPP_LIBS@ |