summaryrefslogtreecommitdiffabout
Unidiff
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--lib/consumer.cc13
-rw-r--r--lib/server.cc11
-rw-r--r--lib/util.cc10
3 files changed, 20 insertions, 14 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc
index 12866f0..282f0cc 100644
--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -1,238 +1,239 @@
1#include <algorithm> 1#include <algorithm>
2#include <cassert> 2#include <cassert>
3#include <opkele/util.h> 3#include <opkele/util.h>
4#include <opkele/exception.h> 4#include <opkele/exception.h>
5#include <opkele/data.h> 5#include <opkele/data.h>
6#include <opkele/consumer.h> 6#include <opkele/consumer.h>
7#include <openssl/sha.h> 7#include <openssl/sha.h>
8#include <openssl/hmac.h> 8#include <openssl/hmac.h>
9#include <curl/curl.h> 9#include <curl/curl.h>
10#include <pcre++.h> 10#include <pcre++.h>
11 11
12#include <iostream> 12#include <iostream>
13 13
14#include "config.h" 14#include "config.h"
15 15
16namespace opkele { 16namespace opkele {
17 using namespace std; 17 using namespace std;
18 18
19 class curl_t { 19 class curl_t {
20 public: 20 public:
21 CURL *_c; 21 CURL *_c;
22 22
23 curl_t() : _c(0) { } 23 curl_t() : _c(0) { }
24 curl_t(CURL *c) : _c(c) { } 24 curl_t(CURL *c) : _c(c) { }
25 ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); } 25 ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); }
26 26
27 curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; } 27 curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; }
28 28
29 operator const CURL*(void) const { return _c; } 29 operator const CURL*(void) const { return _c; }
30 operator CURL*(void) { return _c; } 30 operator CURL*(void) { return _c; }
31 }; 31 };
32 32
33 static CURLcode curl_misc_sets(CURL* c) { 33 static CURLcode curl_misc_sets(CURL* c) {
34 CURLcode r; 34 CURLcode r;
35 (r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1)) 35 (r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1))
36 || (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5)) 36 || (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5))
37 || (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120)) 37 || (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120))
38 || (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1)) 38 || (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1))
39 || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION)) 39 || (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION))
40 || (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20)) 40 || (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20))
41 #ifdefDISABLE_CURL_SSL_VERIFYHOST 41 #ifdefDISABLE_CURL_SSL_VERIFYHOST
42 || (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYHOST,0)) 42 || (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYHOST,0))
43#endif 43#endif
44 #ifdefDISABLE_CURL_SSL_VERIFYPEER 44 #ifdefDISABLE_CURL_SSL_VERIFYPEER
45 || (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYPEER,0)) 45 || (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYPEER,0))
46#endif 46#endif
47 ; 47 ;
48 return r; 48 return r;
49 } 49 }
50 50
51 static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) { 51 static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) {
52 string *str = (string*)stream; 52 string *str = (string*)stream;
53 size_t bytes = size*nmemb; 53 size_t bytes = size*nmemb;
54 size_t get = min(16384-str->length(),bytes); 54 size_t get = min(16384-str->length(),bytes);
55 str->append((const char*)ptr,get); 55 str->append((const char*)ptr,get);
56 return get; 56 return get;
57 } 57 }
58 58
59 assoc_t consumer_t::associate(const string& server) { 59 assoc_t consumer_t::associate(const string& server) {
60 util::dh_t dh = DH_new(); 60 util::dh_t dh = DH_new();
61 if(!dh) 61 if(!dh)
62 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 62 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
63 dh->p = util::dec_to_bignum(data::_default_p); 63 dh->p = util::dec_to_bignum(data::_default_p);
64 dh->g = util::dec_to_bignum(data::_default_g); 64 dh->g = util::dec_to_bignum(data::_default_g);
65 if(!DH_generate_key(dh)) 65 if(!DH_generate_key(dh))
66 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 66 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
67 string request = 67 string request =
68 "openid.mode=associate" 68 "openid.mode=associate"
69 "&openid.assoc_type=HMAC-SHA1" 69 "&openid.assoc_type=HMAC-SHA1"
70 "&openid.session_type=DH-SHA1" 70 "&openid.session_type=DH-SHA1"
71 "&openid.dh_consumer_public="; 71 "&openid.dh_consumer_public=";
72 request += util::url_encode(util::bignum_to_base64(dh->pub_key)); 72 request += util::url_encode(util::bignum_to_base64(dh->pub_key));
73 curl_t curl = curl_easy_init(); 73 curl_t curl = curl_easy_init();
74 if(!curl) 74 if(!curl)
75 throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); 75 throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()");
76 string response; 76 string response;
77 CURLcode r; 77 CURLcode r;
78 (r=curl_misc_sets(curl)) 78 (r=curl_misc_sets(curl))
79 || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) 79 || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str()))
80 || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) 80 || (r=curl_easy_setopt(curl,CURLOPT_POST,1))
81 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) 81 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data()))
82 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length())) 82 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length()))
83 || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) 83 || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring))
84 || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response)) 84 || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response))
85 ; 85 ;
86 if(r) 86 if(r)
87 throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); 87 throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r);
88 if(r=curl_easy_perform(curl)) 88 if(r=curl_easy_perform(curl))
89 throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); 89 throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r);
90 params_t p; p.parse_keyvalues(response); 90 params_t p; p.parse_keyvalues(response);
91 if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1") 91 if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1")
92 throw bad_input(OPKELE_CP_ "unsupported assoc_type"); 92 throw bad_input(OPKELE_CP_ "unsupported assoc_type");
93 string st; 93 string st;
94 if(p.has_param("session_type")) st = p.get_param("session_type"); 94 if(p.has_param("session_type")) st = p.get_param("session_type");
95 if((!st.empty()) && st!="DH-SHA1") 95 if((!st.empty()) && st!="DH-SHA1")
96 throw bad_input(OPKELE_CP_ "unsupported session_type"); 96 throw bad_input(OPKELE_CP_ "unsupported session_type");
97 secret_t secret; 97 secret_t secret;
98 if(st.empty()) { 98 if(st.empty()) {
99 secret.from_base64(p.get_param("mac_key")); 99 secret.from_base64(p.get_param("mac_key"));
100 }else{ 100 }else{
101 util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); 101 util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public"));
102 vector<unsigned char> ck(DH_size(dh)); 102 vector<unsigned char> ck(DH_size(dh)+1);
103 int cklen = DH_compute_key(&(ck.front()),s_pub,dh); 103 unsigned char *ckptr = &(ck.front())+1;
104 int cklen = DH_compute_key(ckptr,s_pub,dh);
104 if(cklen<0) 105 if(cklen<0)
105 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 106 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
106 ck.resize(cklen); 107 if(cklen && (*ckptr)&0x80) {
107 // OpenID algorithm requires extra zero in case of set bit here 108 (*(--ckptr)) = 0; ++cklen;
108 if(ck[0]&0x80) ck.insert(ck.begin(),1,0); 109 }
109 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 110 unsigned char key_sha1[SHA_DIGEST_LENGTH];
110 SHA1(&(ck.front()),ck.size(),key_sha1); 111 SHA1(ckptr,cklen,key_sha1);
111 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); 112 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key"));
112 } 113 }
113 int expires_in = 0; 114 int expires_in = 0;
114 if(p.has_param("expires_in")) { 115 if(p.has_param("expires_in")) {
115 expires_in = util::string_to_long(p.get_param("expires_in")); 116 expires_in = util::string_to_long(p.get_param("expires_in"));
116 }else if(p.has_param("issued") && p.has_param("expiry")) { 117 }else if(p.has_param("issued") && p.has_param("expiry")) {
117 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued")); 118 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));
118 }else 119 }else
119 throw bad_input(OPKELE_CP_ "no expiration information"); 120 throw bad_input(OPKELE_CP_ "no expiration information");
120 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); 121 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);
121 } 122 }
122 123
123 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 124 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
124 return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); 125 return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext);
125 } 126 }
126 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 127 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
127 return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); 128 return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext);
128 } 129 }
129 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 130 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
130 params_t p; 131 params_t p;
131 if(mode==mode_checkid_immediate) 132 if(mode==mode_checkid_immediate)
132 p["mode"]="checkid_immediate"; 133 p["mode"]="checkid_immediate";
133 else if(mode==mode_checkid_setup) 134 else if(mode==mode_checkid_setup)
134 p["mode"]="checkid_setup"; 135 p["mode"]="checkid_setup";
135 else 136 else
136 throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); 137 throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
137 string iurl = canonicalize(identity); 138 string iurl = canonicalize(identity);
138 string server, delegate; 139 string server, delegate;
139 retrieve_links(iurl,server,delegate); 140 retrieve_links(iurl,server,delegate);
140 p["identity"] = delegate.empty()?iurl:delegate; 141 p["identity"] = delegate.empty()?iurl:delegate;
141 if(!trust_root.empty()) 142 if(!trust_root.empty())
142 p["trust_root"] = trust_root; 143 p["trust_root"] = trust_root;
143 p["return_to"] = return_to; 144 p["return_to"] = return_to;
144 try { 145 try {
145 string ah = find_assoc(server)->handle(); 146 string ah = find_assoc(server)->handle();
146 p["assoc_handle"] = ah; 147 p["assoc_handle"] = ah;
147 }catch(failed_lookup& fl) { 148 }catch(failed_lookup& fl) {
148 string ah = associate(server)->handle(); 149 string ah = associate(server)->handle();
149 p["assoc_handle"] = ah; 150 p["assoc_handle"] = ah;
150 } 151 }
151 if(ext) ext->checkid_hook(p,identity); 152 if(ext) ext->checkid_hook(p,identity);
152 return p.append_query(server); 153 return p.append_query(server);
153 } 154 }
154 155
155 void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { 156 void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) {
156 if(pin.has_param("openid.user_setup_url")) 157 if(pin.has_param("openid.user_setup_url"))
157 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); 158 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));
158 string server,delegate; 159 string server,delegate;
159 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); 160 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);
160 params_t ps; 161 params_t ps;
161 try { 162 try {
162 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); 163 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));
163 const string& sigenc = pin.get_param("openid.sig"); 164 const string& sigenc = pin.get_param("openid.sig");
164 vector<unsigned char> sig; 165 vector<unsigned char> sig;
165 util::decode_base64(sigenc,sig); 166 util::decode_base64(sigenc,sig);
166 const string& slist = pin.get_param("openid.signed"); 167 const string& slist = pin.get_param("openid.signed");
167 string kv; 168 string kv;
168 string::size_type p = 0; 169 string::size_type p = 0;
169 while(true) { 170 while(true) {
170 string::size_type co = slist.find(',',p); 171 string::size_type co = slist.find(',',p);
171 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 172 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
172 kv += f; 173 kv += f;
173 kv += ':'; 174 kv += ':';
174 f.insert(0,"openid."); 175 f.insert(0,"openid.");
175 kv += pin.get_param(f); 176 kv += pin.get_param(f);
176 kv += '\n'; 177 kv += '\n';
177 if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); 178 if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f);
178 if(co==string::npos) 179 if(co==string::npos)
179 break; 180 break;
180 p = co+1; 181 p = co+1;
181 } 182 }
182 secret_t secret = assoc->secret(); 183 secret_t secret = assoc->secret();
183 unsigned int md_len = 0; 184 unsigned int md_len = 0;
184 unsigned char *md = HMAC( 185 unsigned char *md = HMAC(
185 EVP_sha1(), 186 EVP_sha1(),
186 &(secret.front()),secret.size(), 187 &(secret.front()),secret.size(),
187 (const unsigned char *)kv.data(),kv.length(), 188 (const unsigned char *)kv.data(),kv.length(),
188 0,&md_len); 189 0,&md_len);
189 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) 190 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len))
190 throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); 191 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
191 }catch(failed_lookup& e) { /* XXX: more specific? */ 192 }catch(failed_lookup& e) { /* XXX: more specific? */
192 const string& slist = pin.get_param("openid.signed"); 193 const string& slist = pin.get_param("openid.signed");
193 string::size_type pp = 0; 194 string::size_type pp = 0;
194 params_t p; 195 params_t p;
195 while(true) { 196 while(true) {
196 string::size_type co = slist.find(',',pp); 197 string::size_type co = slist.find(',',pp);
197 string f = "openid."; 198 string f = "openid.";
198 f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); 199 f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp);
199 p[f] = pin.get_param(f); 200 p[f] = pin.get_param(f);
200 if(co==string::npos) 201 if(co==string::npos)
201 break; 202 break;
202 pp = co+1; 203 pp = co+1;
203 } 204 }
204 p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); 205 p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle");
205 p["openid.sig"] = pin.get_param("openid.sig"); 206 p["openid.sig"] = pin.get_param("openid.sig");
206 p["openid.signed"] = pin.get_param("openid.signed"); 207 p["openid.signed"] = pin.get_param("openid.signed");
207 try { 208 try {
208 string ih = pin.get_param("openid.invalidate_handle"); 209 string ih = pin.get_param("openid.invalidate_handle");
209 p["openid.invalidate_handle"] = ih; 210 p["openid.invalidate_handle"] = ih;
210 }catch(failed_lookup& fl) { } 211 }catch(failed_lookup& fl) { }
211 try { 212 try {
212 check_authentication(server,p); 213 check_authentication(server,p);
213 }catch(failed_check_authentication& fca) { 214 }catch(failed_check_authentication& fca) {
214 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); 215 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
215 } 216 }
216 } 217 }
217 if(ext) ext->id_res_hook(pin,ps,identity); 218 if(ext) ext->id_res_hook(pin,ps,identity);
218 } 219 }
219 220
220 void consumer_t::check_authentication(const string& server,const params_t& p) { 221 void consumer_t::check_authentication(const string& server,const params_t& p) {
221 string request = "openid.mode=check_authentication"; 222 string request = "openid.mode=check_authentication";
222 for(params_t::const_iterator i=p.begin();i!=p.end();++i) { 223 for(params_t::const_iterator i=p.begin();i!=p.end();++i) {
223 if(i->first!="openid.mode") { 224 if(i->first!="openid.mode") {
224 request += '&'; 225 request += '&';
225 request += i->first; 226 request += i->first;
226 request += '='; 227 request += '=';
227 request += util::url_encode(i->second); 228 request += util::url_encode(i->second);
228 } 229 }
229 } 230 }
230 curl_t curl = curl_easy_init(); 231 curl_t curl = curl_easy_init();
231 if(!curl) 232 if(!curl)
232 throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); 233 throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()");
233 string response; 234 string response;
234 CURLcode r; 235 CURLcode r;
235 (r=curl_misc_sets(curl)) 236 (r=curl_misc_sets(curl))
236 || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) 237 || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str()))
237 || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) 238 || (r=curl_easy_setopt(curl,CURLOPT_POST,1))
238 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) 239 || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data()))
diff --git a/lib/server.cc b/lib/server.cc
index e81d4b6..8db97be 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -1,169 +1,170 @@
1#include <vector> 1#include <vector>
2#include <openssl/sha.h> 2#include <openssl/sha.h>
3#include <openssl/hmac.h> 3#include <openssl/hmac.h>
4#include <opkele/util.h> 4#include <opkele/util.h>
5#include <opkele/exception.h> 5#include <opkele/exception.h>
6#include <opkele/server.h> 6#include <opkele/server.h>
7#include <opkele/data.h> 7#include <opkele/data.h>
8 8
9namespace opkele { 9namespace opkele {
10 using namespace std; 10 using namespace std;
11 11
12 void server_t::associate(const params_t& pin,params_t& pout) { 12 void server_t::associate(const params_t& pin,params_t& pout) {
13 util::dh_t dh; 13 util::dh_t dh;
14 util::bignum_t c_pub; 14 util::bignum_t c_pub;
15 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 15 unsigned char key_sha1[SHA_DIGEST_LENGTH];
16 enum { 16 enum {
17 sess_cleartext, 17 sess_cleartext,
18 sess_dh_sha1 18 sess_dh_sha1
19 } st = sess_cleartext; 19 } st = sess_cleartext;
20 if( 20 if(
21 pin.has_param("openid.session_type") 21 pin.has_param("openid.session_type")
22 && pin.get_param("openid.session_type")=="DH-SHA1" ) { 22 && pin.get_param("openid.session_type")=="DH-SHA1" ) {
23 /* TODO: fallback to cleartext in case of exceptions here? */ 23 /* TODO: fallback to cleartext in case of exceptions here? */
24 if(!(dh = DH_new())) 24 if(!(dh = DH_new()))
25 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 25 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
26 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); 26 c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public"));
27 if(pin.has_param("openid.dh_modulus")) 27 if(pin.has_param("openid.dh_modulus"))
28 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); 28 dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus"));
29 else 29 else
30 dh->p = util::dec_to_bignum(data::_default_p); 30 dh->p = util::dec_to_bignum(data::_default_p);
31 if(pin.has_param("openid.dh_gen")) 31 if(pin.has_param("openid.dh_gen"))
32 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); 32 dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen"));
33 else 33 else
34 dh->g = util::dec_to_bignum(data::_default_g); 34 dh->g = util::dec_to_bignum(data::_default_g);
35 if(!DH_generate_key(dh)) 35 if(!DH_generate_key(dh))
36 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 36 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
37 vector<unsigned char> ck(DH_size(dh)); 37 vector<unsigned char> ck(DH_size(dh)+1);
38 unsigned char *ckptr = &(ck.front())+1;
38 int cklen = DH_compute_key(&(ck.front()),c_pub,dh); 39 int cklen = DH_compute_key(&(ck.front()),c_pub,dh);
39 if(cklen<0) 40 if(cklen<0)
40 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 41 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
41 ck.resize(cklen); 42 if(cklen && (*ckptr)&0x80) {
42 // OpenID algorithm requires extra zero in case of set bit here 43 (*(--ckptr)) = 0; ++cklen;
43 if(ck[0]&0x80) ck.insert(ck.begin(),1,0); 44 }
44 SHA1(&(ck.front()),ck.size(),key_sha1); 45 SHA1(ckptr,cklen,key_sha1);
45 st = sess_dh_sha1; 46 st = sess_dh_sha1;
46 } 47 }
47 assoc_t assoc = alloc_assoc(mode_associate); 48 assoc_t assoc = alloc_assoc(mode_associate);
48 time_t now = time(0); 49 time_t now = time(0);
49 pout.clear(); 50 pout.clear();
50 pout["assoc_type"] = assoc->assoc_type(); 51 pout["assoc_type"] = assoc->assoc_type();
51 pout["assoc_handle"] = assoc->handle(); 52 pout["assoc_handle"] = assoc->handle();
52 /* TODO: eventually remove deprecated stuff */ 53 /* TODO: eventually remove deprecated stuff */
53 pout["issued"] = util::time_to_w3c(now); 54 pout["issued"] = util::time_to_w3c(now);
54 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); 55 pout["expiry"] = util::time_to_w3c(now+assoc->expires_in());
55 pout["expires_in"] = util::long_to_string(assoc->expires_in()); 56 pout["expires_in"] = util::long_to_string(assoc->expires_in());
56 secret_t secret = assoc->secret(); 57 secret_t secret = assoc->secret();
57 switch(st) { 58 switch(st) {
58 case sess_dh_sha1: 59 case sess_dh_sha1:
59 pout["session_type"] = "DH-SHA1"; 60 pout["session_type"] = "DH-SHA1";
60 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); 61 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
61 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); 62 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
62 break; 63 break;
63 default: 64 default:
64 secret.to_base64(pout["mac_key"]); 65 secret.to_base64(pout["mac_key"]);
65 break; 66 break;
66 } 67 }
67 } 68 }
68 69
69 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 70 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
70 checkid_(mode_checkid_immediate,pin,return_to,pout,ext); 71 checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
71 } 72 }
72 73
73 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 74 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
74 checkid_(mode_checkid_setup,pin,return_to,pout,ext); 75 checkid_(mode_checkid_setup,pin,return_to,pout,ext);
75 } 76 }
76 77
77 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 78 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
78 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) 79 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
79 throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); 80 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
80 pout.clear(); 81 pout.clear();
81 assoc_t assoc; 82 assoc_t assoc;
82 try { 83 try {
83 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 84 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
84 }catch(failed_lookup& fl) { 85 }catch(failed_lookup& fl) {
85 // no handle specified or no valid handle found, going dumb 86 // no handle specified or no valid handle found, going dumb
86 assoc = alloc_assoc(mode_checkid_setup); 87 assoc = alloc_assoc(mode_checkid_setup);
87 if(pin.has_param("openid.assoc_handle")) 88 if(pin.has_param("openid.assoc_handle"))
88 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); 89 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
89 } 90 }
90 string trust_root; 91 string trust_root;
91 try { 92 try {
92 trust_root = pin.get_param("openid.trust_root"); 93 trust_root = pin.get_param("openid.trust_root");
93 }catch(failed_lookup& fl) { } 94 }catch(failed_lookup& fl) { }
94 string identity = pin.get_param("openid.identity"); 95 string identity = pin.get_param("openid.identity");
95 return_to = pin.get_param("openid.return_to"); 96 return_to = pin.get_param("openid.return_to");
96 validate(*assoc,pin,identity,trust_root); 97 validate(*assoc,pin,identity,trust_root);
97 pout["mode"] = "id_res"; 98 pout["mode"] = "id_res";
98 pout["assoc_handle"] = assoc->handle(); 99 pout["assoc_handle"] = assoc->handle();
99 if(pin.has_param("openid.assoc_handle") && assoc->stateless()) 100 if(pin.has_param("openid.assoc_handle") && assoc->stateless())
100 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); 101 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
101 pout["identity"] = identity; 102 pout["identity"] = identity;
102 pout["return_to"] = return_to; 103 pout["return_to"] = return_to;
103 /* TODO: eventually remove deprecated stuff */ 104 /* TODO: eventually remove deprecated stuff */
104 time_t now = time(0); 105 time_t now = time(0);
105 pout["issued"] = util::time_to_w3c(now); 106 pout["issued"] = util::time_to_w3c(now);
106 pout["valid_to"] = util::time_to_w3c(now+120); 107 pout["valid_to"] = util::time_to_w3c(now+120);
107 pout["exipres_in"] = "120"; 108 pout["exipres_in"] = "120";
108 pout["signed"]="mode,identity,return_to"; 109 pout["signed"]="mode,identity,return_to";
109 if(ext) ext->checkid_hook(pin,pout); 110 if(ext) ext->checkid_hook(pin,pout);
110 pout.sign(assoc->secret(),pout["sig"],pout["signed"]); 111 pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
111 } 112 }
112 113
113 void server_t::check_authentication(const params_t& pin,params_t& pout) { 114 void server_t::check_authentication(const params_t& pin,params_t& pout) {
114 vector<unsigned char> sig; 115 vector<unsigned char> sig;
115 const string& sigenc = pin.get_param("openid.sig"); 116 const string& sigenc = pin.get_param("openid.sig");
116 util::decode_base64(sigenc,sig); 117 util::decode_base64(sigenc,sig);
117 assoc_t assoc; 118 assoc_t assoc;
118 try { 119 try {
119 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 120 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
120 }catch(failed_lookup& fl) { 121 }catch(failed_lookup& fl) {
121 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); 122 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
122 } 123 }
123 if(!assoc->stateless()) 124 if(!assoc->stateless())
124 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); 125 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
125 const string& slist = pin.get_param("openid.signed"); 126 const string& slist = pin.get_param("openid.signed");
126 string kv; 127 string kv;
127 string::size_type p =0; 128 string::size_type p =0;
128 while(true) { 129 while(true) {
129 string::size_type co = slist.find(',',p); 130 string::size_type co = slist.find(',',p);
130 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 131 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
131 kv += f; 132 kv += f;
132 kv += ':'; 133 kv += ':';
133 if(f=="mode") 134 if(f=="mode")
134 kv += "id_res"; 135 kv += "id_res";
135 else { 136 else {
136 f.insert(0,"openid."); 137 f.insert(0,"openid.");
137 kv += pin.get_param(f); 138 kv += pin.get_param(f);
138 } 139 }
139 kv += '\n'; 140 kv += '\n';
140 if(co==string::npos) 141 if(co==string::npos)
141 break; 142 break;
142 p = co+1; 143 p = co+1;
143 } 144 }
144 secret_t secret = assoc->secret(); 145 secret_t secret = assoc->secret();
145 unsigned int md_len = 0; 146 unsigned int md_len = 0;
146 unsigned char *md = HMAC( 147 unsigned char *md = HMAC(
147 EVP_sha1(), 148 EVP_sha1(),
148 &(secret.front()),secret.size(), 149 &(secret.front()),secret.size(),
149 (const unsigned char *)kv.data(),kv.length(), 150 (const unsigned char *)kv.data(),kv.length(),
150 0,&md_len); 151 0,&md_len);
151 pout.clear(); 152 pout.clear();
152 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { 153 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
153 pout["is_valid"]="true"; 154 pout["is_valid"]="true";
154 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ 155 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
155 }else{ 156 }else{
156 pout["is_valid"]="false"; 157 pout["is_valid"]="false";
157 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ 158 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
158 } 159 }
159 if(pin.has_param("openid.invalidate_handle")) { 160 if(pin.has_param("openid.invalidate_handle")) {
160 string h = pin.get_param("openid.invalidate_handle"); 161 string h = pin.get_param("openid.invalidate_handle");
161 try { 162 try {
162 assoc_t assoc = retrieve_assoc(h); 163 assoc_t assoc = retrieve_assoc(h);
163 }catch(invalid_handle& ih) { 164 }catch(invalid_handle& ih) {
164 pout["invalidate_handle"] = h; 165 pout["invalidate_handle"] = h;
165 }catch(failed_lookup& fl) { } 166 }catch(failed_lookup& fl) { }
166 } 167 }
167 } 168 }
168 169
169} 170}
diff --git a/lib/util.cc b/lib/util.cc
index d9abca7..94f6f53 100644
--- a/lib/util.cc
+++ b/lib/util.cc
@@ -1,158 +1,162 @@
1#include <errno.h> 1#include <errno.h>
2#include <cassert> 2#include <cassert>
3#include <vector> 3#include <vector>
4#include <string> 4#include <string>
5#include <openssl/bio.h> 5#include <openssl/bio.h>
6#include <openssl/evp.h> 6#include <openssl/evp.h>
7#include <curl/curl.h> 7#include <curl/curl.h>
8#include "opkele/util.h" 8#include "opkele/util.h"
9#include "opkele/exception.h" 9#include "opkele/exception.h"
10 10
11namespace opkele { 11namespace opkele {
12 using namespace std; 12 using namespace std;
13 13
14 namespace util { 14 namespace util {
15 15
16 /* 16 /*
17 * base64 17 * base64
18 */ 18 */
19 string encode_base64(const void *data,size_t length) { 19 string encode_base64(const void *data,size_t length) {
20 BIO *b64 = 0, *bmem = 0; 20 BIO *b64 = 0, *bmem = 0;
21 try { 21 try {
22 b64 = BIO_new(BIO_f_base64()); 22 b64 = BIO_new(BIO_f_base64());
23 if(!b64) 23 if(!b64)
24 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 encoder"); 24 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 encoder");
25 BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); 25 BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL);
26 bmem = BIO_new(BIO_s_mem()); 26 bmem = BIO_new(BIO_s_mem());
27 BIO_set_flags(b64,BIO_CLOSE); 27 BIO_set_flags(b64,BIO_CLOSE);
28 if(!bmem) 28 if(!bmem)
29 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() memory buffer"); 29 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() memory buffer");
30 BIO_push(b64,bmem); 30 BIO_push(b64,bmem);
31 if(BIO_write(b64,data,length)!=length) 31 if(BIO_write(b64,data,length)!=length)
32 throw exception_openssl(OPKELE_CP_ "failed to BIO_write()"); 32 throw exception_openssl(OPKELE_CP_ "failed to BIO_write()");
33 BIO_flush(b64); 33 BIO_flush(b64);
34 char *rvd; 34 char *rvd;
35 long rvl = BIO_get_mem_data(bmem,&rvd); 35 long rvl = BIO_get_mem_data(bmem,&rvd);
36 string rv(rvd,rvl); 36 string rv(rvd,rvl);
37 BIO_free_all(b64); 37 BIO_free_all(b64);
38 return rv; 38 return rv;
39 }catch(...) { 39 }catch(...) {
40 if(b64) BIO_free_all(b64); 40 if(b64) BIO_free_all(b64);
41 throw; 41 throw;
42 } 42 }
43 } 43 }
44 44
45 void decode_base64(const string& data,vector<unsigned char>& rv) { 45 void decode_base64(const string& data,vector<unsigned char>& rv) {
46 BIO *b64 = 0, *bmem = 0; 46 BIO *b64 = 0, *bmem = 0;
47 rv.clear(); 47 rv.clear();
48 try { 48 try {
49 bmem = BIO_new_mem_buf((void*)data.data(),data.size()); 49 bmem = BIO_new_mem_buf((void*)data.data(),data.size());
50 if(!bmem) 50 if(!bmem)
51 throw exception_openssl(OPKELE_CP_ "failed to BIO_new_mem_buf()"); 51 throw exception_openssl(OPKELE_CP_ "failed to BIO_new_mem_buf()");
52 b64 = BIO_new(BIO_f_base64()); 52 b64 = BIO_new(BIO_f_base64());
53 if(!b64) 53 if(!b64)
54 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 decoder"); 54 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 decoder");
55 BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); 55 BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL);
56 BIO_push(b64,bmem); 56 BIO_push(b64,bmem);
57 unsigned char tmp[512]; 57 unsigned char tmp[512];
58 size_t rb = 0; 58 size_t rb = 0;
59 while((rb=BIO_read(b64,tmp,sizeof(tmp)))>0) 59 while((rb=BIO_read(b64,tmp,sizeof(tmp)))>0)
60 rv.insert(rv.end(),tmp,&tmp[rb]); 60 rv.insert(rv.end(),tmp,&tmp[rb]);
61 BIO_free_all(b64); 61 BIO_free_all(b64);
62 }catch(...) { 62 }catch(...) {
63 if(b64) BIO_free_all(b64); 63 if(b64) BIO_free_all(b64);
64 throw; 64 throw;
65 } 65 }
66 } 66 }
67 67
68 /* 68 /*
69 * big numerics 69 * big numerics
70 */ 70 */
71 71
72 BIGNUM *base64_to_bignum(const string& b64) { 72 BIGNUM *base64_to_bignum(const string& b64) {
73 vector<unsigned char> bin; 73 vector<unsigned char> bin;
74 decode_base64(b64,bin); 74 decode_base64(b64,bin);
75 BIGNUM *rv = BN_bin2bn(&(bin.front()),bin.size(),0); 75 BIGNUM *rv = BN_bin2bn(&(bin.front()),bin.size(),0);
76 if(!rv) 76 if(!rv)
77 throw failed_conversion(OPKELE_CP_ "failed to BN_bin2bn()"); 77 throw failed_conversion(OPKELE_CP_ "failed to BN_bin2bn()");
78 return rv; 78 return rv;
79 } 79 }
80 80
81 BIGNUM *dec_to_bignum(const string& dec) { 81 BIGNUM *dec_to_bignum(const string& dec) {
82 BIGNUM *rv = 0; 82 BIGNUM *rv = 0;
83 if(!BN_dec2bn(&rv,dec.c_str())) 83 if(!BN_dec2bn(&rv,dec.c_str()))
84 throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); 84 throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()");
85 return rv; 85 return rv;
86 } 86 }
87 87
88 string bignum_to_base64(const BIGNUM *bn) { 88 string bignum_to_base64(const BIGNUM *bn) {
89 vector<unsigned char> bin(BN_num_bytes(bn)); 89 vector<unsigned char> bin(BN_num_bytes(bn)+1);
90 int l = BN_bn2bin(bn,&(bin.front())); 90 unsigned char *binptr = &(bin.front())+1;
91 return encode_base64(&(bin.front()),l); 91 int l = BN_bn2bin(bn,binptr);
92 if(l && (*binptr)&0x80){
93 (*(--binptr)) = 0; ++l;
94 }
95 return encode_base64(binptr,l);
92 } 96 }
93 97
94 /* 98 /*
95 * w3c times 99 * w3c times
96 */ 100 */
97 101
98 string time_to_w3c(time_t t) { 102 string time_to_w3c(time_t t) {
99 struct tm tm_t; 103 struct tm tm_t;
100 if(!gmtime_r(&t,&tm_t)) 104 if(!gmtime_r(&t,&tm_t))
101 throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()"); 105 throw failed_conversion(OPKELE_CP_ "failed to BN_dec2bn()");
102 char rv[25]; 106 char rv[25];
103 if(!strftime(rv,sizeof(rv)-1,"%Y-%m-%dT%H:%M:%SZ",&tm_t)) 107 if(!strftime(rv,sizeof(rv)-1,"%Y-%m-%dT%H:%M:%SZ",&tm_t))
104 throw failed_conversion(OPKELE_CP_ "failed to strftime()"); 108 throw failed_conversion(OPKELE_CP_ "failed to strftime()");
105 return rv; 109 return rv;
106 } 110 }
107 111
108 time_t w3c_to_time(const string& w) { 112 time_t w3c_to_time(const string& w) {
109 struct tm tm_t; 113 struct tm tm_t;
110 memset(&tm_t,0,sizeof(tm_t)); 114 memset(&tm_t,0,sizeof(tm_t));
111 if( 115 if(
112 sscanf( 116 sscanf(
113 w.c_str(), 117 w.c_str(),
114 "%04d-%02d-%02dT%02d:%02d:%02dZ", 118 "%04d-%02d-%02dT%02d:%02d:%02dZ",
115 &tm_t.tm_year,&tm_t.tm_mon,&tm_t.tm_mday, 119 &tm_t.tm_year,&tm_t.tm_mon,&tm_t.tm_mday,
116 &tm_t.tm_hour,&tm_t.tm_min,&tm_t.tm_sec 120 &tm_t.tm_hour,&tm_t.tm_min,&tm_t.tm_sec
117 ) != 6 ) 121 ) != 6 )
118 throw failed_conversion(OPKELE_CP_ "failed to sscanf()"); 122 throw failed_conversion(OPKELE_CP_ "failed to sscanf()");
119 tm_t.tm_mon--; 123 tm_t.tm_mon--;
120 tm_t.tm_year-=1900; 124 tm_t.tm_year-=1900;
121 time_t rv = mktime(&tm_t); 125 time_t rv = mktime(&tm_t);
122 if(rv==(time_t)-1) 126 if(rv==(time_t)-1)
123 throw failed_conversion(OPKELE_CP_ "failed to mktime()"); 127 throw failed_conversion(OPKELE_CP_ "failed to mktime()");
124 return rv; 128 return rv;
125 } 129 }
126 130
127 /* 131 /*
128 * 132 *
129 */ 133 */
130 134
131 string url_encode(const string& str) { 135 string url_encode(const string& str) {
132 char * t = curl_escape(str.c_str(),str.length()); 136 char * t = curl_escape(str.c_str(),str.length());
133 if(!t) 137 if(!t)
134 throw failed_conversion(OPKELE_CP_ "failed to curl_escape()"); 138 throw failed_conversion(OPKELE_CP_ "failed to curl_escape()");
135 string rv(t); 139 string rv(t);
136 curl_free(t); 140 curl_free(t);
137 return rv; 141 return rv;
138 } 142 }
139 143
140 string long_to_string(long l) { 144 string long_to_string(long l) {
141 char rv[32]; 145 char rv[32];
142 int r=snprintf(rv,sizeof(rv),"%ld",l); 146 int r=snprintf(rv,sizeof(rv),"%ld",l);
143 if(r<0 || r>=sizeof(rv)) 147 if(r<0 || r>=sizeof(rv))
144 throw failed_conversion(OPKELE_CP_ "failed to snprintf()"); 148 throw failed_conversion(OPKELE_CP_ "failed to snprintf()");
145 return rv; 149 return rv;
146 } 150 }
147 151
148 long string_to_long(const string& s) { 152 long string_to_long(const string& s) {
149 char *endptr = 0; 153 char *endptr = 0;
150 long rv = strtol(s.c_str(),&endptr,10); 154 long rv = strtol(s.c_str(),&endptr,10);
151 if((!endptr) || endptr==s.c_str()) 155 if((!endptr) || endptr==s.c_str())
152 throw failed_conversion(OPKELE_CP_ "failed to strtol()"); 156 throw failed_conversion(OPKELE_CP_ "failed to strtol()");
153 return rv; 157 return rv;
154 } 158 }
155 159
156 } 160 }
157 161
158} 162}