| author | Michael Krelin <hacker@klever.net> | 2007-01-15 00:09:35 (UTC) |
|---|---|---|
| committer | Michael Krelin <hacker@klever.net> | 2007-01-15 00:09:35 (UTC) |
| commit | 6c7a4fbf0c0e68a500a6b5834a1f3877b160bf77 (patch) (unidiff) | |
| tree | ba6fa2874ab75f16cd588cc1a0729f6f78b18b93 /lib | |
| parent | 4cfc41760dea44228b590fa9682b19f8a2e38ec2 (diff) | |
| download | libopkele-6c7a4fbf0c0e68a500a6b5834a1f3877b160bf77.zip libopkele-6c7a4fbf0c0e68a500a6b5834a1f3877b160bf77.tar.gz libopkele-6c7a4fbf0c0e68a500a6b5834a1f3877b160bf77.tar.bz2 | |
--disable-ssl-verify-{host,peer} options added
| -rw-r--r-- | lib/consumer.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc index 331b1e9..dc49405 100644 --- a/lib/consumer.cc +++ b/lib/consumer.cc | |||
| @@ -1,104 +1,110 @@ | |||
| 1 | #include <algorithm> | 1 | #include <algorithm> |
| 2 | #include <cassert> | 2 | #include <cassert> |
| 3 | #include <opkele/util.h> | 3 | #include <opkele/util.h> |
| 4 | #include <opkele/exception.h> | 4 | #include <opkele/exception.h> |
| 5 | #include <opkele/data.h> | 5 | #include <opkele/data.h> |
| 6 | #include <opkele/consumer.h> | 6 | #include <opkele/consumer.h> |
| 7 | #include <openssl/sha.h> | 7 | #include <openssl/sha.h> |
| 8 | #include <openssl/hmac.h> | 8 | #include <openssl/hmac.h> |
| 9 | #include <curl/curl.h> | 9 | #include <curl/curl.h> |
| 10 | #include <pcre++.h> | 10 | #include <pcre++.h> |
| 11 | 11 | ||
| 12 | #include <iostream> | 12 | #include <iostream> |
| 13 | 13 | ||
| 14 | #include "config.h" | 14 | #include "config.h" |
| 15 | 15 | ||
| 16 | namespace opkele { | 16 | namespace opkele { |
| 17 | using namespace std; | 17 | using namespace std; |
| 18 | 18 | ||
| 19 | class curl_t { | 19 | class curl_t { |
| 20 | public: | 20 | public: |
| 21 | CURL *_c; | 21 | CURL *_c; |
| 22 | 22 | ||
| 23 | curl_t() : _c(0) { } | 23 | curl_t() : _c(0) { } |
| 24 | curl_t(CURL *c) : _c(c) { } | 24 | curl_t(CURL *c) : _c(c) { } |
| 25 | ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); } | 25 | ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); } |
| 26 | 26 | ||
| 27 | curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; } | 27 | curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; } |
| 28 | 28 | ||
| 29 | operator const CURL*(void) const { return _c; } | 29 | operator const CURL*(void) const { return _c; } |
| 30 | operator CURL*(void) { return _c; } | 30 | operator CURL*(void) { return _c; } |
| 31 | }; | 31 | }; |
| 32 | 32 | ||
| 33 | static CURLcode curl_misc_sets(CURL* c) { | 33 | static CURLcode curl_misc_sets(CURL* c) { |
| 34 | CURLcode r; | 34 | CURLcode r; |
| 35 | (r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1)) | 35 | (r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1)) |
| 36 | || (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5)) | 36 | || (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5)) |
| 37 | || (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120)) | 37 | || (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120)) |
| 38 | || (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1)) | 38 | || (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1)) |
| 39 | || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION)) | 39 | || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION)) |
| 40 | || (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20)) | 40 | || (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20)) |
| 41 | #ifdefDISABLE_CURL_SSL_VERIFYHOST | ||
| 42 | || (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYHOST,0)) | ||
| 43 | #endif | ||
| 44 | #ifdefDISABLE_CURL_SSL_VERYPEER | ||
| 45 | || (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYPEER,0)) | ||
| 46 | #endif | ||
| 41 | ; | 47 | ; |
| 42 | return r; | 48 | return r; |
| 43 | } | 49 | } |
| 44 | 50 | ||
| 45 | static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) { | 51 | static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) { |
| 46 | string *str = (string*)stream; | 52 | string *str = (string*)stream; |
| 47 | size_t bytes = size*nmemb; | 53 | size_t bytes = size*nmemb; |
| 48 | size_t get = min(16384-str->length(),bytes); | 54 | size_t get = min(16384-str->length(),bytes); |
| 49 | str->append((const char*)ptr,get); | 55 | str->append((const char*)ptr,get); |
| 50 | return get; | 56 | return get; |
| 51 | } | 57 | } |
| 52 | 58 | ||
| 53 | assoc_t consumer_t::associate(const string& server) { | 59 | assoc_t consumer_t::associate(const string& server) { |
| 54 | util::dh_t dh = DH_new(); | 60 | util::dh_t dh = DH_new(); |
| 55 | if(!dh) | 61 | if(!dh) |
| 56 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); | 62 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); |
| 57 | dh->p = util::dec_to_bignum(data::_default_p); | 63 | dh->p = util::dec_to_bignum(data::_default_p); |
| 58 | dh->g = util::dec_to_bignum(data::_default_g); | 64 | dh->g = util::dec_to_bignum(data::_default_g); |
| 59 | if(!DH_generate_key(dh)) | 65 | if(!DH_generate_key(dh)) |
| 60 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | 66 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); |
| 61 | string request = | 67 | string request = |
| 62 | "openid.mode=associate" | 68 | "openid.mode=associate" |
| 63 | "&openid.assoc_type=HMAC-SHA1" | 69 | "&openid.assoc_type=HMAC-SHA1" |
| 64 | "&openid.session_type=DH-SHA1" | 70 | "&openid.session_type=DH-SHA1" |
| 65 | "&openid.dh_consumer_public="; | 71 | "&openid.dh_consumer_public="; |
| 66 | request += util::url_encode(util::bignum_to_base64(dh->pub_key)); | 72 | request += util::url_encode(util::bignum_to_base64(dh->pub_key)); |
| 67 | curl_t curl = curl_easy_init(); | 73 | curl_t curl = curl_easy_init(); |
| 68 | if(!curl) | 74 | if(!curl) |
| 69 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); | 75 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); |
| 70 | string response; | 76 | string response; |
| 71 | CURLcode r; | 77 | CURLcode r; |
| 72 | (r=curl_misc_sets(curl)) | 78 | (r=curl_misc_sets(curl)) |
| 73 | || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) | 79 | || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) |
| 74 | || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) | 80 | || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) |
| 75 | || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) | 81 | || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) |
| 76 | || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length())) | 82 | || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length())) |
| 77 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) | 83 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) |
| 78 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response)) | 84 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response)) |
| 79 | ; | 85 | ; |
| 80 | if(r) | 86 | if(r) |
| 81 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); | 87 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); |
| 82 | if(r=curl_easy_perform(curl)) | 88 | if(r=curl_easy_perform(curl)) |
| 83 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); | 89 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); |
| 84 | params_t p; p.parse_keyvalues(response); | 90 | params_t p; p.parse_keyvalues(response); |
| 85 | if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1") | 91 | if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1") |
| 86 | throw bad_input(OPKELE_CP_ "unsupported assoc_type"); | 92 | throw bad_input(OPKELE_CP_ "unsupported assoc_type"); |
| 87 | string st; | 93 | string st; |
| 88 | if(p.has_param("session_type")) st = p.get_param("session_type"); | 94 | if(p.has_param("session_type")) st = p.get_param("session_type"); |
| 89 | if((!st.empty()) && st!="DH-SHA1") | 95 | if((!st.empty()) && st!="DH-SHA1") |
| 90 | throw bad_input(OPKELE_CP_ "unsupported session_type"); | 96 | throw bad_input(OPKELE_CP_ "unsupported session_type"); |
| 91 | secret_t secret; | 97 | secret_t secret; |
| 92 | if(st.empty()) { | 98 | if(st.empty()) { |
| 93 | secret.from_base64(p.get_param("mac_key")); | 99 | secret.from_base64(p.get_param("mac_key")); |
| 94 | }else{ | 100 | }else{ |
| 95 | util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); | 101 | util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); |
| 96 | vector<unsigned char> ck(DH_size(dh)); | 102 | vector<unsigned char> ck(DH_size(dh)); |
| 97 | int cklen = DH_compute_key(&(ck.front()),s_pub,dh); | 103 | int cklen = DH_compute_key(&(ck.front()),s_pub,dh); |
| 98 | if(cklen<0) | 104 | if(cklen<0) |
| 99 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | 105 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); |
| 100 | ck.resize(cklen); | 106 | ck.resize(cklen); |
| 101 | // OpenID algorithm requires extra zero in case of set bit here | 107 | // OpenID algorithm requires extra zero in case of set bit here |
| 102 | if(ck[0]&0x80) ck.insert(ck.begin(),1,0); | 108 | if(ck[0]&0x80) ck.insert(ck.begin(),1,0); |
| 103 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; | 109 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; |
| 104 | SHA1(&(ck.front()),ck.size(),key_sha1); | 110 | SHA1(&(ck.front()),ck.size(),key_sha1); |