added more precise source tree version detection

Signed-off-by: Michael Krelin <hacker@klever.net>
author: Michael Krelin <hacker@klever.net> 2007-11-20 18:39:51 (UTC)
committer: Michael Krelin <hacker@klever.net> 2007-11-20 18:39:51 (UTC)
commit: c868af04ffd60a04c7a98a55cd92b5e12102b1e1 (patch) (unidiff)
tree: 0878b62d8c49f6edb175ee6c0605c27613bce2ab /lib/consumer.cc
parent: bc8cecfcf7e1dc593249200556e5553d7d025c05 (diff)
download: libopkele-c868af04ffd60a04c7a98a55cd92b5e12102b1e1.zip
libopkele-c868af04ffd60a04c7a98a55cd92b5e12102b1e1.tar.gz
libopkele-c868af04ffd60a04c7a98a55cd92b5e12102b1e1.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc
index f72ae08..76b6ea7 100644
--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -1,276 +1,276 @@
 #include <algorithm>
 #include <cassert>
 #include <opkele/util.h>
 #include <opkele/exception.h>
 #include <opkele/data.h>
 #include <opkele/consumer.h>
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <curl/curl.h>
 #include <iostream>
 #include "config.h"
 #include <pcre.h>
 namespace opkele {
    using namespace std;
    class pcre_matches_t {
        public:
            int *_ov;
            int _s;
            pcre_matches_t() : _ov(0), _s(0) { }
            pcre_matches_t(int s) : _ov(0), _s(s) {
                if(_s&1) ++_s;
                _s += _s>>1;
                _ov = new int[_s];
            }
            ~pcre_matches_t() throw() { if(_ov) delete[] _ov; }
            int begin(int i) const { return _ov[i<<1]; }
            int end(int i) const { return _ov[(i<<1)+1]; }
            int length(int i) const { int t=i<<1; return _ov[t+1]-_ov[t]; }
    };
    class pcre_t {
        public:
            pcre *_p;
            pcre_t() : _p(0) { }
            pcre_t(pcre *p) : _p(p) { }
            pcre_t(const char *re,int opts) : _p(0) {
                static const char *errptr; static int erroffset;
                _p = pcre_compile(re,opts,&errptr,&erroffset,NULL);
                if(!_p)
                    throw internal_error(OPKELE_CP_ string("Failed to compile regexp: ")+errptr);
            }
            ~pcre_t() throw() { if(_p) (*pcre_free)(_p); }
            pcre_t& operator=(pcre *p) { if(_p) (*pcre_free)(_p); _p=p; return *this; }
            operator const pcre*(void) const { return _p; }
            operator pcre*(void) { return _p; }
            int exec(const string& s,pcre_matches_t& m) {
                if(!_p)
                    throw internal_error(OPKELE_CP_ "Trying to execute absent regexp");
                return pcre_exec(_p,NULL,s.c_str(),s.length(),0,0,m._ov,m._s);
            }
    };
    class curl_t {
        public:
            CURL *_c;
            curl_t() : _c(0) { }
            curl_t(CURL *c) : _c(c) { }
            ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); }
            curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; }
            operator const CURL*(void) const { return _c; }
            operator CURL*(void) { return _c; }
    };
    static CURLcode curl_misc_sets(CURL* c) {
        CURLcode r;
        (r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1))
        || (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5))
        || (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120))
        || (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1))
-        || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION))
+        || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_SRC_VERSION))
        || (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20))
        #ifdefDISABLE_CURL_SSL_VERIFYHOST
        || (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYHOST,0))
 #endif
        #ifdefDISABLE_CURL_SSL_VERIFYPEER
        || (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYPEER,0))
 #endif
        ;
        return r;
    }
    static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) {
        string *str = (string*)stream;
        size_t bytes = size*nmemb;
        size_t get = min(16384-str->length(),bytes);
        str->append((const char*)ptr,get);
        return get;
    }
    assoc_t consumer_t::associate(const string& server) {
        util::dh_t dh = DH_new();
        if(!dh)
            throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
        dh->p = util::dec_to_bignum(data::_default_p);
        dh->g = util::dec_to_bignum(data::_default_g);
        if(!DH_generate_key(dh))
            throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
        string request = 
            "openid.mode=associate"
            "&openid.assoc_type=HMAC-SHA1"
            "&openid.session_type=DH-SHA1"
            "&openid.dh_consumer_public=";
        request += util::url_encode(util::bignum_to_base64(dh->pub_key));
        curl_t curl = curl_easy_init();
        if(!curl)
            throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()");
        string response;
        CURLcode r;
        (r=curl_misc_sets(curl))
        || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str()))
        || (r=curl_easy_setopt(curl,CURLOPT_POST,1))
        || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data()))
        || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length()))
        || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring))
        || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response))
        ;
        if(r)
            throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r);
        if(r=curl_easy_perform(curl))
            throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r);
        params_t p; p.parse_keyvalues(response);
        if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1")
            throw bad_input(OPKELE_CP_ "unsupported assoc_type");
        string st;
        if(p.has_param("session_type")) st = p.get_param("session_type");
        if((!st.empty()) && st!="DH-SHA1")
            throw bad_input(OPKELE_CP_ "unsupported session_type");
        secret_t secret;
        if(st.empty()) {
            secret.from_base64(p.get_param("mac_key"));
        }else{
            util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public"));
            vector<unsigned char> ck(DH_size(dh)+1);
            unsigned char *ckptr = &(ck.front())+1;
            int cklen = DH_compute_key(ckptr,s_pub,dh);
            if(cklen<0)
                throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
            if(cklen && (*ckptr)&0x80) {
                (*(--ckptr)) = 0; ++cklen;
            }
            unsigned char key_sha1[SHA_DIGEST_LENGTH];
            SHA1(ckptr,cklen,key_sha1);
            secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key"));
        }
        int expires_in = 0;
        if(p.has_param("expires_in")) {
            expires_in = util::string_to_long(p.get_param("expires_in"));
        }else if(p.has_param("issued") && p.has_param("expiry")) {
            expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));
        }else
            throw bad_input(OPKELE_CP_ "no expiration information");
        return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);
    }
    string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
        return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext);
    }
    string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
        return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext);
    }
    string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
        params_t p;
        if(mode==mode_checkid_immediate)
            p["mode"]="checkid_immediate";
        else if(mode==mode_checkid_setup)
            p["mode"]="checkid_setup";
        else
            throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
        string iurl = canonicalize(identity);
        string server, delegate;
        retrieve_links(iurl,server,delegate);
        p["identity"] = delegate.empty()?iurl:delegate;
        if(!trust_root.empty())
            p["trust_root"] = trust_root;
        p["return_to"] = return_to;
        try {
            string ah = find_assoc(server)->handle();
            p["assoc_handle"] = ah;
        }catch(failed_lookup& fl) {
            string ah = associate(server)->handle();
            p["assoc_handle"] = ah;
        }
        if(ext) ext->checkid_hook(p,identity);
        return p.append_query(server);
    }
    void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) {
        if(pin.has_param("openid.user_setup_url"))
            throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));
        string server,delegate;
        retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);
        params_t ps;
        try {
            assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));
            if(assoc->is_expired()) /* TODO: or should I throw some other exception to force programmer fix his implementation? */
                throw failed_lookup(OPKELE_CP_ "retrieve_assoc() has returned expired handle");
            const string& sigenc = pin.get_param("openid.sig");
            vector<unsigned char> sig;
            util::decode_base64(sigenc,sig);
            const string& slist = pin.get_param("openid.signed");
            string kv;
            string::size_type p = 0;
            while(true) {
                string::size_type co = slist.find(',',p);
                string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
                kv += f;
                kv += ':';
                f.insert(0,"openid.");
                kv += pin.get_param(f);
                kv += '\n';
                if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f);
                if(co==string::npos)
                    break;
                p = co+1;
            }
            secret_t secret = assoc->secret();
            unsigned int md_len = 0;
            unsigned char *md = HMAC(
                    EVP_sha1(),
                    &(secret.front()),secret.size(),
                    (const unsigned char *)kv.data(),kv.length(),
                    0,&md_len);
            if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len))
                throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
        }catch(failed_lookup& e) { /* XXX: more specific? */
            const string& slist = pin.get_param("openid.signed");
            string::size_type pp = 0;
            params_t p;
            while(true) {
                string::size_type co = slist.find(',',pp);
                string f = "openid.";
                f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp);
                p[f] = pin.get_param(f);
                if(co==string::npos)
                    break;
                pp = co+1;
            }
            p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle");
            p["openid.sig"] = pin.get_param("openid.sig");
            p["openid.signed"] = pin.get_param("openid.signed");
            try {
                string ih = pin.get_param("openid.invalidate_handle");
                p["openid.invalidate_handle"] = ih;
            }catch(failed_lookup& fl) { }
            try {
                check_authentication(server,p);
            }catch(failed_check_authentication& fca) {
                throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
            }
        }
        if(ext) ext->id_res_hook(pin,ps,identity);
    }
    void consumer_t::check_authentication(const string& server,const params_t& p) {
        string request = "openid.mode=check_authentication";
        for(params_t::const_iterator i=p.begin();i!=p.end();++i) {
            if(i->first!="openid.mode") {
                request += '&';
                request += i->first;
                request += '=';
                request += util::url_encode(i->second);
            }
author	Michael Krelin <hacker@klever.net>	2007-11-20 18:39:51 (UTC)
committer	Michael Krelin <hacker@klever.net>	2007-11-20 18:39:51 (UTC)
commit	c868af04ffd60a04c7a98a55cd92b5e12102b1e1 (patch) (unidiff)
tree	0878b62d8c49f6edb175ee6c0605c27613bce2ab /lib/consumer.cc
parent	bc8cecfcf7e1dc593249200556e5553d7d025c05 (diff)
download	libopkele-c868af04ffd60a04c7a98a55cd92b5e12102b1e1.zip libopkele-c868af04ffd60a04c7a98a55cd92b5e12102b1e1.tar.gz libopkele-c868af04ffd60a04c7a98a55cd92b5e12102b1e1.tar.bz2

diff --git a/lib/consumer.cc b/lib/consumer.cc index f72ae08..76b6ea7 100644 --- a/lib/consumer.cc +++ b/lib/consumer.cc
@@ -1,276 +1,276 @@
1	#include <algorithm>	1	#include <algorithm>
2	#include <cassert>	2	#include <cassert>
3	#include <opkele/util.h>	3	#include <opkele/util.h>
4	#include <opkele/exception.h>	4	#include <opkele/exception.h>
5	#include <opkele/data.h>	5	#include <opkele/data.h>
6	#include <opkele/consumer.h>	6	#include <opkele/consumer.h>
7	#include <openssl/sha.h>	7	#include <openssl/sha.h>
8	#include <openssl/hmac.h>	8	#include <openssl/hmac.h>
9	#include <curl/curl.h>	9	#include <curl/curl.h>
10		10
11	#include <iostream>	11	#include <iostream>
12		12
13	#include "config.h"	13	#include "config.h"
14		14
15	#include <pcre.h>	15	#include <pcre.h>
16		16
17	namespace opkele {	17	namespace opkele {
18	using namespace std;	18	using namespace std;
19		19
20	class pcre_matches_t {	20	class pcre_matches_t {
21	public:	21	public:
22	int *_ov;	22	int *_ov;
23	int _s;	23	int _s;
24		24
25	pcre_matches_t() : _ov(0), _s(0) { }	25	pcre_matches_t() : _ov(0), _s(0) { }
26	pcre_matches_t(int s) : _ov(0), _s(s) {	26	pcre_matches_t(int s) : _ov(0), _s(s) {
27	if(_s&1) ++_s;	27	if(_s&1) ++_s;
28	_s += _s>>1;	28	_s += _s>>1;
29	_ov = new int[_s];	29	_ov = new int[_s];
30	}	30	}
31	~pcre_matches_t() throw() { if(_ov) delete[] _ov; }	31	~pcre_matches_t() throw() { if(_ov) delete[] _ov; }
32		32
33	int begin(int i) const { return _ov[i<<1]; }	33	int begin(int i) const { return _ov[i<<1]; }
34	int end(int i) const { return _ov[(i<<1)+1]; }	34	int end(int i) const { return _ov[(i<<1)+1]; }
35	int length(int i) const { int t=i<<1; return _ov[t+1]-_ov[t]; }	35	int length(int i) const { int t=i<<1; return _ov[t+1]-_ov[t]; }
36	};	36	};
37		37
38	class pcre_t {	38	class pcre_t {
39	public:	39	public:
40	pcre *_p;	40	pcre *_p;
41		41
42	pcre_t() : _p(0) { }	42	pcre_t() : _p(0) { }
43	pcre_t(pcre *p) : _p(p) { }	43	pcre_t(pcre *p) : _p(p) { }
44	pcre_t(const char *re,int opts) : _p(0) {	44	pcre_t(const char *re,int opts) : _p(0) {
45	static const char *errptr; static int erroffset;	45	static const char *errptr; static int erroffset;
46	_p = pcre_compile(re,opts,&errptr,&erroffset,NULL);	46	_p = pcre_compile(re,opts,&errptr,&erroffset,NULL);
47	if(!_p)	47	if(!_p)
48	throw internal_error(OPKELE_CP_ string("Failed to compile regexp: ")+errptr);	48	throw internal_error(OPKELE_CP_ string("Failed to compile regexp: ")+errptr);
49	}	49	}
50	~pcre_t() throw() { if(_p) (*pcre_free)(_p); }	50	~pcre_t() throw() { if(_p) (*pcre_free)(_p); }
51		51
52	pcre_t& operator=(pcre p) { if(_p) (pcre_free)(_p); _p=p; return *this; }	52	pcre_t& operator=(pcre p) { if(_p) (pcre_free)(_p); _p=p; return *this; }
53		53
54	operator const pcre*(void) const { return _p; }	54	operator const pcre*(void) const { return _p; }
55	operator pcre*(void) { return _p; }	55	operator pcre*(void) { return _p; }
56		56
57	int exec(const string& s,pcre_matches_t& m) {	57	int exec(const string& s,pcre_matches_t& m) {
58	if(!_p)	58	if(!_p)
59	throw internal_error(OPKELE_CP_ "Trying to execute absent regexp");	59	throw internal_error(OPKELE_CP_ "Trying to execute absent regexp");
60	return pcre_exec(_p,NULL,s.c_str(),s.length(),0,0,m._ov,m._s);	60	return pcre_exec(_p,NULL,s.c_str(),s.length(),0,0,m._ov,m._s);
61	}	61	}
62	};	62	};
63		63
64	class curl_t {	64	class curl_t {
65	public:	65	public:
66	CURL *_c;	66	CURL *_c;
67		67
68	curl_t() : _c(0) { }	68	curl_t() : _c(0) { }
69	curl_t(CURL *c) : _c(c) { }	69	curl_t(CURL *c) : _c(c) { }
70	~curl_t() throw() { if(_c) curl_easy_cleanup(_c); }	70	~curl_t() throw() { if(_c) curl_easy_cleanup(_c); }
71		71
72	curl_t& operator=(CURL c) { if(_c) curl_easy_cleanup(_c); _c=c; return this; }	72	curl_t& operator=(CURL c) { if(_c) curl_easy_cleanup(_c); _c=c; return this; }
73		73
74	operator const CURL*(void) const { return _c; }	74	operator const CURL*(void) const { return _c; }
75	operator CURL*(void) { return _c; }	75	operator CURL*(void) { return _c; }
76	};	76	};
77		77
78	static CURLcode curl_misc_sets(CURL* c) {	78	static CURLcode curl_misc_sets(CURL* c) {
79	CURLcode r;	79	CURLcode r;
80	(r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1))	80	(r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1))
81	\|\| (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5))	81	\|\| (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5))
82	\|\| (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120))	82	\|\| (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120))
83	\|\| (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1))	83	\|\| (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1))
84	\|\| (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION))	84	\|\| (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_SRC_VERSION))
85	\|\| (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20))	85	\|\| (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20))
86	#ifdefDISABLE_CURL_SSL_VERIFYHOST	86	#ifdefDISABLE_CURL_SSL_VERIFYHOST
87	\|\| (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYHOST,0))	87	\|\| (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYHOST,0))
88	#endif	88	#endif
89	#ifdefDISABLE_CURL_SSL_VERIFYPEER	89	#ifdefDISABLE_CURL_SSL_VERIFYPEER
90	\|\| (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYPEER,0))	90	\|\| (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYPEER,0))
91	#endif	91	#endif
92	;	92	;
93	return r;	93	return r;
94	}	94	}
95		95
96	static size_t _curl_tostring(void ptr,size_t size,size_t nmemb,void stream) {	96	static size_t _curl_tostring(void ptr,size_t size,size_t nmemb,void stream) {
97	string str = (string)stream;	97	string str = (string)stream;
98	size_t bytes = size*nmemb;	98	size_t bytes = size*nmemb;
99	size_t get = min(16384-str->length(),bytes);	99	size_t get = min(16384-str->length(),bytes);
100	str->append((const char*)ptr,get);	100	str->append((const char*)ptr,get);
101	return get;	101	return get;
102	}	102	}
103		103
104	assoc_t consumer_t::associate(const string& server) {	104	assoc_t consumer_t::associate(const string& server) {
105	util::dh_t dh = DH_new();	105	util::dh_t dh = DH_new();
106	if(!dh)	106	if(!dh)
107	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");	107	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
108	dh->p = util::dec_to_bignum(data::_default_p);	108	dh->p = util::dec_to_bignum(data::_default_p);
109	dh->g = util::dec_to_bignum(data::_default_g);	109	dh->g = util::dec_to_bignum(data::_default_g);
110	if(!DH_generate_key(dh))	110	if(!DH_generate_key(dh))
111	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");	111	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
112	string request =	112	string request =
113	"openid.mode=associate"	113	"openid.mode=associate"
114	"&openid.assoc_type=HMAC-SHA1"	114	"&openid.assoc_type=HMAC-SHA1"
115	"&openid.session_type=DH-SHA1"	115	"&openid.session_type=DH-SHA1"
116	"&openid.dh_consumer_public=";	116	"&openid.dh_consumer_public=";
117	request += util::url_encode(util::bignum_to_base64(dh->pub_key));	117	request += util::url_encode(util::bignum_to_base64(dh->pub_key));
118	curl_t curl = curl_easy_init();	118	curl_t curl = curl_easy_init();
119	if(!curl)	119	if(!curl)
120	throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()");	120	throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()");
121	string response;	121	string response;
122	CURLcode r;	122	CURLcode r;
123	(r=curl_misc_sets(curl))	123	(r=curl_misc_sets(curl))
124	\|\| (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str()))	124	\|\| (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str()))
125	\|\| (r=curl_easy_setopt(curl,CURLOPT_POST,1))	125	\|\| (r=curl_easy_setopt(curl,CURLOPT_POST,1))
126	\|\| (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data()))	126	\|\| (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data()))
127	\|\| (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length()))	127	\|\| (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length()))
128	\|\| (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring))	128	\|\| (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring))
129	\|\| (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response))	129	\|\| (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response))
130	;	130	;
131	if(r)	131	if(r)
132	throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r);	132	throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r);
133	if(r=curl_easy_perform(curl))	133	if(r=curl_easy_perform(curl))
134	throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r);	134	throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r);
135	params_t p; p.parse_keyvalues(response);	135	params_t p; p.parse_keyvalues(response);
136	if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1")	136	if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1")
137	throw bad_input(OPKELE_CP_ "unsupported assoc_type");	137	throw bad_input(OPKELE_CP_ "unsupported assoc_type");
138	string st;	138	string st;
139	if(p.has_param("session_type")) st = p.get_param("session_type");	139	if(p.has_param("session_type")) st = p.get_param("session_type");
140	if((!st.empty()) && st!="DH-SHA1")	140	if((!st.empty()) && st!="DH-SHA1")
141	throw bad_input(OPKELE_CP_ "unsupported session_type");	141	throw bad_input(OPKELE_CP_ "unsupported session_type");
142	secret_t secret;	142	secret_t secret;
143	if(st.empty()) {	143	if(st.empty()) {
144	secret.from_base64(p.get_param("mac_key"));	144	secret.from_base64(p.get_param("mac_key"));
145	}else{	145	}else{
146	util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public"));	146	util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public"));
147	vector<unsigned char> ck(DH_size(dh)+1);	147	vector<unsigned char> ck(DH_size(dh)+1);
148	unsigned char *ckptr = &(ck.front())+1;	148	unsigned char *ckptr = &(ck.front())+1;
149	int cklen = DH_compute_key(ckptr,s_pub,dh);	149	int cklen = DH_compute_key(ckptr,s_pub,dh);
150	if(cklen<0)	150	if(cklen<0)
151	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");	151	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
152	if(cklen && (*ckptr)&0x80) {	152	if(cklen && (*ckptr)&0x80) {
153	(*(--ckptr)) = 0; ++cklen;	153	(*(--ckptr)) = 0; ++cklen;
154	}	154	}
155	unsigned char key_sha1[SHA_DIGEST_LENGTH];	155	unsigned char key_sha1[SHA_DIGEST_LENGTH];
156	SHA1(ckptr,cklen,key_sha1);	156	SHA1(ckptr,cklen,key_sha1);
157	secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key"));	157	secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key"));
158	}	158	}
159	int expires_in = 0;	159	int expires_in = 0;
160	if(p.has_param("expires_in")) {	160	if(p.has_param("expires_in")) {
161	expires_in = util::string_to_long(p.get_param("expires_in"));	161	expires_in = util::string_to_long(p.get_param("expires_in"));
162	}else if(p.has_param("issued") && p.has_param("expiry")) {	162	}else if(p.has_param("issued") && p.has_param("expiry")) {
163	expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));	163	expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));
164	}else	164	}else
165	throw bad_input(OPKELE_CP_ "no expiration information");	165	throw bad_input(OPKELE_CP_ "no expiration information");
166	return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);	166	return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);
167	}	167	}
168		168
169	string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {	169	string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
170	return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext);	170	return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext);
171	}	171	}
172	string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {	172	string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
173	return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext);	173	return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext);
174	}	174	}
175	string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {	175	string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
176	params_t p;	176	params_t p;
177	if(mode==mode_checkid_immediate)	177	if(mode==mode_checkid_immediate)
178	p["mode"]="checkid_immediate";	178	p["mode"]="checkid_immediate";
179	else if(mode==mode_checkid_setup)	179	else if(mode==mode_checkid_setup)
180	p["mode"]="checkid_setup";	180	p["mode"]="checkid_setup";
181	else	181	else
182	throw bad_input(OPKELE_CP_ "unknown checkid_* mode");	182	throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
183	string iurl = canonicalize(identity);	183	string iurl = canonicalize(identity);
184	string server, delegate;	184	string server, delegate;
185	retrieve_links(iurl,server,delegate);	185	retrieve_links(iurl,server,delegate);
186	p["identity"] = delegate.empty()?iurl:delegate;	186	p["identity"] = delegate.empty()?iurl:delegate;
187	if(!trust_root.empty())	187	if(!trust_root.empty())
188	p["trust_root"] = trust_root;	188	p["trust_root"] = trust_root;
189	p["return_to"] = return_to;	189	p["return_to"] = return_to;
190	try {	190	try {
191	string ah = find_assoc(server)->handle();	191	string ah = find_assoc(server)->handle();
192	p["assoc_handle"] = ah;	192	p["assoc_handle"] = ah;
193	}catch(failed_lookup& fl) {	193	}catch(failed_lookup& fl) {
194	string ah = associate(server)->handle();	194	string ah = associate(server)->handle();
195	p["assoc_handle"] = ah;	195	p["assoc_handle"] = ah;
196	}	196	}
197	if(ext) ext->checkid_hook(p,identity);	197	if(ext) ext->checkid_hook(p,identity);
198	return p.append_query(server);	198	return p.append_query(server);
199	}	199	}
200		200
201	void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) {	201	void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) {
202	if(pin.has_param("openid.user_setup_url"))	202	if(pin.has_param("openid.user_setup_url"))
203	throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));	203	throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));
204	string server,delegate;	204	string server,delegate;
205	retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);	205	retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);
206	params_t ps;	206	params_t ps;
207	try {	207	try {
208	assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));	208	assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));
209	if(assoc->is_expired()) /* TODO: or should I throw some other exception to force programmer fix his implementation? */	209	if(assoc->is_expired()) /* TODO: or should I throw some other exception to force programmer fix his implementation? */
210	throw failed_lookup(OPKELE_CP_ "retrieve_assoc() has returned expired handle");	210	throw failed_lookup(OPKELE_CP_ "retrieve_assoc() has returned expired handle");
211	const string& sigenc = pin.get_param("openid.sig");	211	const string& sigenc = pin.get_param("openid.sig");
212	vector<unsigned char> sig;	212	vector<unsigned char> sig;
213	util::decode_base64(sigenc,sig);	213	util::decode_base64(sigenc,sig);
214	const string& slist = pin.get_param("openid.signed");	214	const string& slist = pin.get_param("openid.signed");
215	string kv;	215	string kv;
216	string::size_type p = 0;	216	string::size_type p = 0;
217	while(true) {	217	while(true) {
218	string::size_type co = slist.find(',',p);	218	string::size_type co = slist.find(',',p);
219	string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);	219	string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
220	kv += f;	220	kv += f;
221	kv += ':';	221	kv += ':';
222	f.insert(0,"openid.");	222	f.insert(0,"openid.");
223	kv += pin.get_param(f);	223	kv += pin.get_param(f);
224	kv += '\n';	224	kv += '\n';
225	if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f);	225	if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f);
226	if(co==string::npos)	226	if(co==string::npos)
227	break;	227	break;
228	p = co+1;	228	p = co+1;
229	}	229	}
230	secret_t secret = assoc->secret();	230	secret_t secret = assoc->secret();
231	unsigned int md_len = 0;	231	unsigned int md_len = 0;
232	unsigned char *md = HMAC(	232	unsigned char *md = HMAC(
233	EVP_sha1(),	233	EVP_sha1(),
234	&(secret.front()),secret.size(),	234	&(secret.front()),secret.size(),
235	(const unsigned char *)kv.data(),kv.length(),	235	(const unsigned char *)kv.data(),kv.length(),
236	0,&md_len);	236	0,&md_len);
237	if(sig.size()!=md_len \|\| memcmp(&(sig.front()),md,md_len))	237	if(sig.size()!=md_len \|\| memcmp(&(sig.front()),md,md_len))
238	throw id_res_mismatch(OPKELE_CP_ "signature mismatch");	238	throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
239	}catch(failed_lookup& e) { /* XXX: more specific? */	239	}catch(failed_lookup& e) { /* XXX: more specific? */
240	const string& slist = pin.get_param("openid.signed");	240	const string& slist = pin.get_param("openid.signed");
241	string::size_type pp = 0;	241	string::size_type pp = 0;
242	params_t p;	242	params_t p;
243	while(true) {	243	while(true) {
244	string::size_type co = slist.find(',',pp);	244	string::size_type co = slist.find(',',pp);
245	string f = "openid.";	245	string f = "openid.";
246	f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp);	246	f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp);
247	p[f] = pin.get_param(f);	247	p[f] = pin.get_param(f);
248	if(co==string::npos)	248	if(co==string::npos)
249	break;	249	break;
250	pp = co+1;	250	pp = co+1;
251	}	251	}
252	p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle");	252	p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle");
253	p["openid.sig"] = pin.get_param("openid.sig");	253	p["openid.sig"] = pin.get_param("openid.sig");
254	p["openid.signed"] = pin.get_param("openid.signed");	254	p["openid.signed"] = pin.get_param("openid.signed");
255	try {	255	try {
256	string ih = pin.get_param("openid.invalidate_handle");	256	string ih = pin.get_param("openid.invalidate_handle");
257	p["openid.invalidate_handle"] = ih;	257	p["openid.invalidate_handle"] = ih;
258	}catch(failed_lookup& fl) { }	258	}catch(failed_lookup& fl) { }
259	try {	259	try {
260	check_authentication(server,p);	260	check_authentication(server,p);
261	}catch(failed_check_authentication& fca) {	261	}catch(failed_check_authentication& fca) {
262	throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");	262	throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
263	}	263	}
264	}	264	}
265	if(ext) ext->id_res_hook(pin,ps,identity);	265	if(ext) ext->id_res_hook(pin,ps,identity);
266	}	266	}
267		267
268	void consumer_t::check_authentication(const string& server,const params_t& p) {	268	void consumer_t::check_authentication(const string& server,const params_t& p) {
269	string request = "openid.mode=check_authentication";	269	string request = "openid.mode=check_authentication";
270	for(params_t::const_iterator i=p.begin();i!=p.end();++i) {	270	for(params_t::const_iterator i=p.begin();i!=p.end();++i) {
271	if(i->first!="openid.mode") {	271	if(i->first!="openid.mode") {
272	request += '&';	272	request += '&';
273	request += i->first;	273	request += i->first;
274	request += '=';	274	request += '=';
275	request += util::url_encode(i->second);	275	request += util::url_encode(i->second);
276	}	276	}