-rw-r--r-- | configure.ac | 10 | ||||
-rw-r--r-- | include/Makefile.am | 4 | ||||
-rw-r--r-- | include/opkele/consumer.h | 174 | ||||
-rw-r--r-- | include/opkele/server.h | 98 | ||||
-rw-r--r-- | include/opkele/xconsumer.h | 38 | ||||
-rw-r--r-- | include/opkele/xserver.h | 34 | ||||
-rw-r--r-- | lib/Makefile.am | 6 | ||||
-rw-r--r-- | lib/consumer.cc | 396 | ||||
-rw-r--r-- | lib/server.cc | 172 | ||||
-rw-r--r-- | libopkele.pc.in | 6 |
10 files changed, 5 insertions, 933 deletions
diff --git a/configure.ac b/configure.ac index 5fb6bec..7fa2f85 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -163,22 +163,12 @@ AC_CHECK_HEADERS([tidy.h tidy/tidy.h],[ | |||
163 | ]) | 163 | ]) |
164 | ],[ | 164 | ],[ |
165 | test -z "$TIDY_LIBS" -a "$ac_header" = "tidy/tidy.h" \ | 165 | test -z "$TIDY_LIBS" -a "$ac_header" = "tidy/tidy.h" \ |
166 | && AC_MSG_ERROR([no required htmltidy library found. get one from http://tidy.sourceforge.net/]) | 166 | && AC_MSG_ERROR([no required htmltidy library found. get one from http://tidy.sourceforge.net/]) |
167 | ]) | 167 | ]) |
168 | 168 | ||
169 | if test -n "$PCRE_LIBS" -a -n "$PCRE_CFLAGS" ; then | ||
170 | AC_SUBST([PCRE_CFLAGS]) | ||
171 | AC_SUBST([PCRE_LIBS]) | ||
172 | : | ||
173 | else | ||
174 | PKG_CHECK_MODULES([PCRE],[libpcre],,[ | ||
175 | AC_MSG_ERROR([no libpcre found, go get it at http://www.pcre.org/]) | ||
176 | ]) | ||
177 | fi | ||
178 | |||
179 | PKG_CHECK_MODULES([SQLITE3],[sqlite3],[have_sqlite3=true],[have_sqlite3=false]) | 169 | PKG_CHECK_MODULES([SQLITE3],[sqlite3],[have_sqlite3=true],[have_sqlite3=false]) |
180 | AM_CONDITIONAL([HAVE_SQLITE3],[$have_sqlite3]) | 170 | AM_CONDITIONAL([HAVE_SQLITE3],[$have_sqlite3]) |
181 | PKG_CHECK_MODULES([KINGATE],[kingate-plaincgi],[have_kingate=true],[have_kingate=false]) | 171 | PKG_CHECK_MODULES([KINGATE],[kingate-plaincgi],[have_kingate=true],[have_kingate=false]) |
182 | AM_CONDITIONAL([HAVE_KINGATE],[$have_kingate]) | 172 | AM_CONDITIONAL([HAVE_KINGATE],[$have_kingate]) |
183 | PKG_CHECK_MODULES([UUID],[uuid],[have_uuid=true],[have_uuid=false]) | 173 | PKG_CHECK_MODULES([UUID],[uuid],[have_uuid=true],[have_uuid=false]) |
184 | AM_CONDITIONAL([HAVE_UUID],[$have_uuid]) | 174 | AM_CONDITIONAL([HAVE_UUID],[$have_uuid]) |
diff --git a/include/Makefile.am b/include/Makefile.am index f842bb9..08df18e 100644 --- a/include/Makefile.am +++ b/include/Makefile.am | |||
@@ -4,19 +4,15 @@ NODIST_HEADERS_ = \ | |||
4 | 4 | ||
5 | nobase_include_HEADERS = \ | 5 | nobase_include_HEADERS = \ |
6 | opkele/opkele-config.h \ | 6 | opkele/opkele-config.h \ |
7 | opkele/types.h \ | 7 | opkele/types.h \ |
8 | opkele/association.h \ | 8 | opkele/association.h \ |
9 | opkele/exception.h \ | 9 | opkele/exception.h \ |
10 | opkele/server.h \ | ||
11 | opkele/consumer.h \ | ||
12 | opkele/extension.h \ | 10 | opkele/extension.h \ |
13 | opkele/sreg.h \ | 11 | opkele/sreg.h \ |
14 | opkele/extension_chain.h \ | 12 | opkele/extension_chain.h \ |
15 | opkele/xconsumer.h \ | ||
16 | opkele/xserver.h \ | ||
17 | opkele/uris.h \ | 13 | opkele/uris.h \ |
18 | opkele/tr1-mem.h \ | 14 | opkele/tr1-mem.h \ |
19 | opkele/basic_rp.h opkele/prequeue_rp.h \ | 15 | opkele/basic_rp.h opkele/prequeue_rp.h \ |
20 | opkele/iterator.h \ | 16 | opkele/iterator.h \ |
21 | opkele/basic_op.h opkele/verify_op.h \ | 17 | opkele/basic_op.h opkele/verify_op.h \ |
22 | opkele/util.h \ | 18 | opkele/util.h \ |
diff --git a/include/opkele/consumer.h b/include/opkele/consumer.h deleted file mode 100644 index 3c1d318..0000000 --- a/include/opkele/consumer.h +++ b/dev/null | |||
@@ -1,174 +0,0 @@ | |||
1 | #ifndef __OPKELE_CONSUMER_H | ||
2 | #define __OPKELE_CONSUMER_H | ||
3 | |||
4 | #include <opkele/types.h> | ||
5 | #include <opkele/extension.h> | ||
6 | |||
7 | /** | ||
8 | * @file | ||
9 | * @brief OpenID consumer-side functionality | ||
10 | */ | ||
11 | |||
12 | namespace opkele { | ||
13 | |||
14 | /** | ||
15 | * implementation of basic consumer functionality | ||
16 | * | ||
17 | * @note | ||
18 | * The consumer uses libcurl internally, which means that if you're using | ||
19 | * libopkele in multithreaded environment you should call curl_global_init | ||
20 | * yourself before spawning any threads. | ||
21 | */ | ||
22 | class consumer_t { | ||
23 | public: | ||
24 | |||
25 | virtual ~consumer_t() { } | ||
26 | |||
27 | /** | ||
28 | * store association. The function should be overridden in the real | ||
29 | * implementation to provide persistent associations store. | ||
30 | * @param server the OpenID server | ||
31 | * @param handle association handle | ||
32 | * @param secret the secret associated with the server and handle | ||
33 | * @param expires_in the number of seconds until the handle is expired | ||
34 | * @return the assoc_t for the newly allocated association_t object | ||
35 | */ | ||
36 | virtual assoc_t store_assoc(const string& server,const string& handle,const secret_t& secret,int expires_in) = 0; | ||
37 | /** | ||
38 | * retrieve stored association. The function should be overridden | ||
39 | * in the real implementation to provide persistent assocations | ||
40 | * store. | ||
41 | * | ||
42 | * @note | ||
43 | * The user is responsible for handling associations expiry and | ||
44 | * this function should never return an expired or invalidated | ||
45 | * association. | ||
46 | * | ||
47 | * @param server the OpenID server | ||
48 | * @param handle association handle | ||
49 | * @return the autho_ptr<> for the newly allocated association_t object | ||
50 | * @throw failed_lookup if no unexpired association found | ||
51 | */ | ||
52 | virtual assoc_t retrieve_assoc(const string& server,const string& handle) = 0; | ||
53 | /** | ||
54 | * invalidate stored association. The function should be overridden | ||
55 | * in the real implementation of the consumer. | ||
56 | * @param server the OpenID server | ||
57 | * @param handle association handle | ||
58 | */ | ||
59 | virtual void invalidate_assoc(const string& server,const string& handle) = 0; | ||
60 | /** | ||
61 | * retrieve any unexpired association for the server. If the | ||
62 | * function is not overridden in the real implementation, the new | ||
63 | * association will be established for each request. | ||
64 | * | ||
65 | * @note | ||
66 | * The user is responsible for handling associations and this | ||
67 | * function should never return an expired or invalidated | ||
68 | * association. | ||
69 | * | ||
70 | * @note | ||
71 | * It may be a good idea to pre-expire associations shortly before | ||
72 | * their time is really up to avoid association expiry in the | ||
73 | * middle of negotiations. | ||
74 | * | ||
75 | * @param server the OpenID server | ||
76 | * @return the assoc_t for the newly allocated association_t object | ||
77 | * @throw failed_lookup in case of absence of the handle | ||
78 | */ | ||
79 | virtual assoc_t find_assoc(const string& server); | ||
80 | |||
81 | /** | ||
82 | * retrieve the metainformation contained in link tags from the | ||
83 | * page pointed by url. the function may implement caching of the | ||
84 | * information. | ||
85 | * @param url url to harvest for link tags | ||
86 | * @param server reference to the string object where to put | ||
87 | * openid.server value | ||
88 | * @param delegate reference to the string object where to put the | ||
89 | * openid.delegate value (if any) | ||
90 | */ | ||
91 | virtual void retrieve_links(const string& url,string& server,string& delegate); | ||
92 | |||
93 | /** | ||
94 | * perform the associate request to OpenID server. | ||
95 | * @param server the OpenID server | ||
96 | * @return the assoc_t for the newly allocated association_t | ||
97 | * object, representing established association | ||
98 | * @throw exception in case of error | ||
99 | */ | ||
100 | assoc_t associate(const string& server); | ||
101 | /** | ||
102 | * prepare the parameters for the checkid_immediate | ||
103 | * request. | ||
104 | * @param identity the identity to verify | ||
105 | * @param return_to the return_to url to pass with the request | ||
106 | * @param trust_root the trust root to advertise with the request | ||
107 | * @param ext pointer to an extension(s) hooks object | ||
108 | * @return the location string | ||
109 | * @throw exception in case of error | ||
110 | */ | ||
111 | virtual string checkid_immediate(const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0); | ||
112 | /** | ||
113 | * prepare the parameters for the checkid_setup | ||
114 | * request. | ||
115 | * @param identity the identity to verify | ||
116 | * @param return_to the return_to url to pass with the request | ||
117 | * @param trust_root the trust root to advertise with the request | ||
118 | * @param ext pointer to an extension(s) hooks object | ||
119 | * @return the location string | ||
120 | * @throw exception in case of error | ||
121 | */ | ||
122 | virtual string checkid_setup(const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0); | ||
123 | /** | ||
124 | * the actual implementation behind checkid_immediate() and | ||
125 | * checkid_setup() functions. | ||
126 | * @param mode checkid_* mode - either mode_checkid_immediate or mode_checkid_setup | ||
127 | * @param identity the identity to verify | ||
128 | * @param return_to the return_to url to pass with the request | ||
129 | * @param trust_root the trust root to advertise with the request | ||
130 | * @param ext pointer to an extension(s) hooks object | ||
131 | * @return the location string | ||
132 | * @throw exception in case of error | ||
133 | */ | ||
134 | virtual string checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0); | ||
135 | /** | ||
136 | * verify the id_res response | ||
137 | * @param pin the response parameters | ||
138 | * @param identity the identity being checked (if not specified, | ||
139 | * @param ext pointer to an extension(s) hooks object | ||
140 | * extracted from the openid.identity parameter | ||
141 | * @throw id_res_mismatch in case of signature mismatch | ||
142 | * @throw id_res_setup in case of openid.user_setup_url failure | ||
143 | * (supposedly checkid_immediate only) | ||
144 | * @throw id_res_failed in case of failure | ||
145 | * @throw id_res_expired_on_delivery if the association expired before it could've been verified | ||
146 | * @throw exception in case of other failures | ||
147 | */ | ||
148 | virtual void id_res(const params_t& pin,const string& identity="",extension_t *ext=0); | ||
149 | /** | ||
150 | * perform a check_authentication request. | ||
151 | * @param server the OpenID server | ||
152 | * @param p request parameters | ||
153 | */ | ||
154 | void check_authentication(const string& server,const params_t& p); | ||
155 | |||
156 | /** | ||
157 | * normalize URL by adding http:// and trailing slash if needed. | ||
158 | * @param url | ||
159 | * @return normalized url | ||
160 | */ | ||
161 | static string normalize(const string& url); | ||
162 | |||
163 | /** | ||
164 | * Canonicalize URL, by normalizing its appearance and following redirects. | ||
165 | * @param url | ||
166 | * @return canonicalized url | ||
167 | */ | ||
168 | virtual string canonicalize(const string& url); | ||
169 | |||
170 | }; | ||
171 | |||
172 | } | ||
173 | |||
174 | #endif /* __OPKELE_CONSUMER_H */ | ||
diff --git a/include/opkele/server.h b/include/opkele/server.h deleted file mode 100644 index 3c25646..0000000 --- a/include/opkele/server.h +++ b/dev/null | |||
@@ -1,98 +0,0 @@ | |||
1 | #ifndef __OPKELE_SERVER_H | ||
2 | #define __OPKELE_SERVER_H | ||
3 | |||
4 | /** | ||
5 | * @file | ||
6 | * @brief OpenID server-side functionality | ||
7 | */ | ||
8 | |||
9 | #include <opkele/types.h> | ||
10 | #include <opkele/extension.h> | ||
11 | |||
12 | namespace opkele { | ||
13 | |||
14 | /** | ||
15 | * implementation of basic server functionality | ||
16 | */ | ||
17 | class server_t { | ||
18 | public: | ||
19 | |||
20 | virtual ~server_t() { } | ||
21 | |||
22 | /** | ||
23 | * allocate the new association. The function should be overridden | ||
24 | * in the real implementation to provide persistent assocations | ||
25 | * store. | ||
26 | * @param mode the mode of request being processed to base the | ||
27 | * statelessness of the association upon | ||
28 | * @return the assoc_t for the newly allocated association_t object | ||
29 | */ | ||
30 | virtual assoc_t alloc_assoc(mode_t mode) = 0; | ||
31 | /** | ||
32 | * retrieve the association. The function should be overridden in | ||
33 | * the reqal implementation to provide persistent assocations | ||
34 | * store. | ||
35 | * @param h association handle | ||
36 | * @return the assoc_t for the newly allocated association_t object | ||
37 | * @throw failed_lookup in case of failure | ||
38 | */ | ||
39 | virtual assoc_t retrieve_assoc(const string& h) = 0; | ||
40 | |||
41 | /** | ||
42 | * validate the identity. | ||
43 | * @param assoc association object | ||
44 | * @param pin incoming request parameters | ||
45 | * @param identity being verified | ||
46 | * @param trust_root presented in the request | ||
47 | * @throw exception if identity can not be confirmed | ||
48 | */ | ||
49 | virtual void validate(const association_t& assoc,const params_t& pin,const string& identity,const string& trust_root) = 0; | ||
50 | |||
51 | |||
52 | /** | ||
53 | * process the associate request. | ||
54 | * @param pin the incoming request parameters | ||
55 | * @param pout the store for the response parameters | ||
56 | */ | ||
57 | void associate(const params_t& pin,params_t& pout); | ||
58 | /** | ||
59 | * process the checkid_immediate request. | ||
60 | * @param pin the incoming request parameters | ||
61 | * @param return_to reference to the object to store return_to url to | ||
62 | * @param pout the response parameters | ||
63 | * @param ext pointer to the extension hooks object | ||
64 | * @throw exception in case of errors or negative reply | ||
65 | */ | ||
66 | virtual void checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0); | ||
67 | /** | ||
68 | * process the checkid_setup request. | ||
69 | * @param pin the incoming request parameters | ||
70 | * @param return_to reference to the object to store return_to url to | ||
71 | * @param pout the response parameters | ||
72 | * @param ext pointer to the extension hooks object | ||
73 | * @throw exception in case of errors or negative reply | ||
74 | */ | ||
75 | virtual void checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0); | ||
76 | /** | ||
77 | * the actual functionality behind checkid_immediate() and | ||
78 | * checkid_setup() | ||
79 | * @param mode the request being processed (either | ||
80 | * mode_checkid_immediate or mode_checkid_setup) | ||
81 | * @param pin the incoming request parameters | ||
82 | * @param return_to reference to the object to store return_to url to | ||
83 | * @param pout the response parameters | ||
84 | * @param ext pointer to the extension hooks object | ||
85 | * @throw exception in case of errors or negative reply | ||
86 | */ | ||
87 | virtual void checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0); | ||
88 | /** | ||
89 | * process the check_authentication request. | ||
90 | * @param pin incoming request parameters | ||
91 | * @param pout response parameters | ||
92 | */ | ||
93 | void check_authentication(const params_t& pin,params_t& pout); | ||
94 | }; | ||
95 | |||
96 | } | ||
97 | |||
98 | #endif /* __OPKELE_SERVER_H */ | ||
diff --git a/include/opkele/xconsumer.h b/include/opkele/xconsumer.h deleted file mode 100644 index 42796c0..0000000 --- a/include/opkele/xconsumer.h +++ b/dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | #ifndef __OPKELE_XCONSUMER_H | ||
2 | #define __OPKELE_XCONSUMER_H | ||
3 | |||
4 | /** | ||
5 | * @file | ||
6 | * @brief OpenID consumer with built-in extension chain | ||
7 | */ | ||
8 | |||
9 | #include <opkele/extension_chain.h> | ||
10 | #include <opkele/consumer.h> | ||
11 | |||
12 | namespace opkele { | ||
13 | |||
14 | /** | ||
15 | * Extended OpenID consumer implementation with built in | ||
16 | * extensions chain. | ||
17 | */ | ||
18 | class xconsumer_t : public consumer_t, public extension_chain_t { | ||
19 | public: | ||
20 | |||
21 | string checkid_immediate(const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0) { | ||
22 | return consumer_t::checkid_immediate(identity,return_to,trust_root,this); | ||
23 | } | ||
24 | string chekid_setup(const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0) { | ||
25 | return consumer_t::checkid_setup(identity,return_to,trust_root,this); | ||
26 | } | ||
27 | string checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0) { | ||
28 | return consumer_t::checkid_(mode,identity,return_to,trust_root,this); | ||
29 | } | ||
30 | void id_res(const params_t& pin,const string& identity="",extension_t *ext=0) { | ||
31 | consumer_t::id_res(pin,identity,this); | ||
32 | } | ||
33 | |||
34 | }; | ||
35 | |||
36 | } | ||
37 | |||
38 | #endif /* __OPKELE_XCONSUMER_H */ | ||
diff --git a/include/opkele/xserver.h b/include/opkele/xserver.h deleted file mode 100644 index c645d56..0000000 --- a/include/opkele/xserver.h +++ b/dev/null | |||
@@ -1,34 +0,0 @@ | |||
1 | #ifndef __OPKELE_XSERVER_H | ||
2 | #define __OPKELE_XSERVER_H | ||
3 | |||
4 | /** | ||
5 | * @file | ||
6 | * @brief OpenID server with built-in extension chain | ||
7 | */ | ||
8 | |||
9 | #include <opkele/extension_chain.h> | ||
10 | #include <opkele/server.h> | ||
11 | |||
12 | namespace opkele { | ||
13 | |||
14 | /** | ||
15 | * Extended OpenID server implementationwith built in | ||
16 | * extensions chain. | ||
17 | */ | ||
18 | class xserver_t : public server_t, public extension_chain_t { | ||
19 | public: | ||
20 | |||
21 | void checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0) { | ||
22 | server_t::checkid_immediate(pin,return_to,pout,this); | ||
23 | } | ||
24 | void checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0) { | ||
25 | server_t::checkid_setup(pin,return_to,pout,this); | ||
26 | } | ||
27 | void checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0) { | ||
28 | server_t::checkid_(mode,pin,return_to,pout,this); | ||
29 | } | ||
30 | }; | ||
31 | |||
32 | } | ||
33 | |||
34 | #endif /* __OPKELE_XSERVER_H */ | ||
diff --git a/lib/Makefile.am b/lib/Makefile.am index e76d7c0..8610597 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am | |||
@@ -4,26 +4,24 @@ AM_CPPFLAGS = ${CPPFLAGS_DEBUG} | |||
4 | DEFAULT_INCLUDES = -I${top_builddir} | 4 | DEFAULT_INCLUDES = -I${top_builddir} |
5 | INCLUDES = \ | 5 | INCLUDES = \ |
6 | -I${top_builddir}/include/ -I${top_srcdir}/include/ \ | 6 | -I${top_builddir}/include/ -I${top_srcdir}/include/ \ |
7 | ${KONFORKA_CFLAGS} \ | 7 | ${KONFORKA_CFLAGS} \ |
8 | ${OPENSSL_CFLAGS} \ | 8 | ${OPENSSL_CFLAGS} \ |
9 | ${LIBCURL_CPPFLAGS} \ | 9 | ${LIBCURL_CPPFLAGS} \ |
10 | ${PCRE_CFLAGS} ${EXPAT_CFLAGS} ${TIDY_CFLAGS} | 10 | ${EXPAT_CFLAGS} ${TIDY_CFLAGS} |
11 | libopkele_la_LIBADD = \ | 11 | libopkele_la_LIBADD = \ |
12 | ${LIBCURL} \ | 12 | ${LIBCURL} \ |
13 | ${PCRE_LIBS} ${EXPAT_LIBS} \ | 13 | ${EXPAT_LIBS} \ |
14 | ${OPENSSL_LIBS} \ | 14 | ${OPENSSL_LIBS} \ |
15 | ${KONFORKA_LIBS} ${TIDY_LIBS} | 15 | ${KONFORKA_LIBS} ${TIDY_LIBS} |
16 | 16 | ||
17 | libopkele_la_SOURCES = \ | 17 | libopkele_la_SOURCES = \ |
18 | params.cc \ | 18 | params.cc \ |
19 | util.cc \ | 19 | util.cc \ |
20 | server.cc \ | ||
21 | secret.cc \ | 20 | secret.cc \ |
22 | data.cc \ | 21 | data.cc \ |
23 | consumer.cc \ | ||
24 | exception.cc \ | 22 | exception.cc \ |
25 | extension.cc \ | 23 | extension.cc \ |
26 | sreg.cc \ | 24 | sreg.cc \ |
27 | extension_chain.cc \ | 25 | extension_chain.cc \ |
28 | curl.cc expat.cc \ | 26 | curl.cc expat.cc \ |
29 | discovery.cc \ | 27 | discovery.cc \ |
diff --git a/lib/consumer.cc b/lib/consumer.cc deleted file mode 100644 index 801496e..0000000 --- a/lib/consumer.cc +++ b/dev/null | |||
@@ -1,396 +0,0 @@ | |||
1 | #include <algorithm> | ||
2 | #include <cassert> | ||
3 | #include <cstring> | ||
4 | #include <opkele/util.h> | ||
5 | #include <opkele/util-internal.h> | ||
6 | #include <opkele/curl.h> | ||
7 | #include <opkele/exception.h> | ||
8 | #include <opkele/data.h> | ||
9 | #include <opkele/consumer.h> | ||
10 | #include <openssl/sha.h> | ||
11 | #include <openssl/hmac.h> | ||
12 | #include <iostream> | ||
13 | |||
14 | #include "config.h" | ||
15 | |||
16 | #include <pcre.h> | ||
17 | |||
18 | namespace opkele { | ||
19 | using namespace std; | ||
20 | using util::curl_t; | ||
21 | using util::curl_pick_t; | ||
22 | |||
23 | class pcre_matches_t { | ||
24 | public: | ||
25 | int *_ov; | ||
26 | int _s; | ||
27 | |||
28 | pcre_matches_t() : _ov(0), _s(0) { } | ||
29 | pcre_matches_t(int s) : _ov(0), _s(s) { | ||
30 | if(_s&1) ++_s; | ||
31 | _s += _s>>1; | ||
32 | _ov = new int[_s]; | ||
33 | } | ||
34 | ~pcre_matches_t() throw() { if(_ov) delete[] _ov; } | ||
35 | |||
36 | int begin(int i) const { return _ov[i<<1]; } | ||
37 | int end(int i) const { return _ov[(i<<1)+1]; } | ||
38 | int length(int i) const { int t=i<<1; return _ov[t+1]-_ov[t]; } | ||
39 | }; | ||
40 | |||
41 | class pcre_t { | ||
42 | public: | ||
43 | pcre *_p; | ||
44 | |||
45 | pcre_t() : _p(0) { } | ||
46 | pcre_t(pcre *p) : _p(p) { } | ||
47 | pcre_t(const char *re,int opts) : _p(0) { | ||
48 | static const char *errptr; static int erroffset; | ||
49 | _p = pcre_compile(re,opts,&errptr,&erroffset,NULL); | ||
50 | if(!_p) | ||
51 | throw internal_error(OPKELE_CP_ string("Failed to compile regexp: ")+errptr); | ||
52 | } | ||
53 | ~pcre_t() throw() { if(_p) (*pcre_free)(_p); } | ||
54 | |||
55 | pcre_t& operator=(pcre *p) { if(_p) (*pcre_free)(_p); _p=p; return *this; } | ||
56 | |||
57 | operator const pcre*(void) const { return _p; } | ||
58 | operator pcre*(void) { return _p; } | ||
59 | |||
60 | int exec(const string& s,pcre_matches_t& m) { | ||
61 | if(!_p) | ||
62 | throw internal_error(OPKELE_CP_ "Trying to execute absent regexp"); | ||
63 | return pcre_exec(_p,NULL,s.c_str(),s.length(),0,0,m._ov,m._s); | ||
64 | } | ||
65 | }; | ||
66 | |||
67 | assoc_t consumer_t::associate(const string& server) { | ||
68 | util::dh_t dh = DH_new(); | ||
69 | if(!dh) | ||
70 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); | ||
71 | dh->p = util::dec_to_bignum(data::_default_p); | ||
72 | dh->g = util::dec_to_bignum(data::_default_g); | ||
73 | if(!DH_generate_key(dh)) | ||
74 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | ||
75 | string request = | ||
76 | "openid.mode=associate" | ||
77 | "&openid.assoc_type=HMAC-SHA1" | ||
78 | "&openid.session_type=DH-SHA1" | ||
79 | "&openid.dh_consumer_public="; | ||
80 | request += util::url_encode(util::bignum_to_base64(dh->pub_key)); | ||
81 | curl_pick_t curl = curl_pick_t::easy_init(); | ||
82 | if(!curl) | ||
83 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); | ||
84 | CURLcode r; | ||
85 | (r=curl.misc_sets()) | ||
86 | || (r=curl.easy_setopt(CURLOPT_URL,server.c_str())) | ||
87 | || (r=curl.easy_setopt(CURLOPT_POST,1)) | ||
88 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) | ||
89 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) | ||
90 | || (r=curl.set_write()) | ||
91 | ; | ||
92 | if(r) | ||
93 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | ||
94 | if( (r=curl.easy_perform()) ) | ||
95 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | ||
96 | params_t p; p.parse_keyvalues(curl.response); | ||
97 | if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1") | ||
98 | throw bad_input(OPKELE_CP_ "unsupported assoc_type"); | ||
99 | string st; | ||
100 | if(p.has_param("session_type")) st = p.get_param("session_type"); | ||
101 | if((!st.empty()) && st!="DH-SHA1") | ||
102 | throw bad_input(OPKELE_CP_ "unsupported session_type"); | ||
103 | secret_t secret; | ||
104 | if(st.empty()) { | ||
105 | secret.from_base64(p.get_param("mac_key")); | ||
106 | }else{ | ||
107 | util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); | ||
108 | vector<unsigned char> ck(DH_size(dh)+1); | ||
109 | unsigned char *ckptr = &(ck.front())+1; | ||
110 | int cklen = DH_compute_key(ckptr,s_pub,dh); | ||
111 | if(cklen<0) | ||
112 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | ||
113 | if(cklen && (*ckptr)&0x80) { | ||
114 | (*(--ckptr)) = 0; ++cklen; | ||
115 | } | ||
116 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; | ||
117 | SHA1(ckptr,cklen,key_sha1); | ||
118 | secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); | ||
119 | } | ||
120 | int expires_in = 0; | ||
121 | if(p.has_param("expires_in")) { | ||
122 | expires_in = util::string_to_long(p.get_param("expires_in")); | ||
123 | }else if(p.has_param("issued") && p.has_param("expiry")) { | ||
124 | expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued")); | ||
125 | }else | ||
126 | throw bad_input(OPKELE_CP_ "no expiration information"); | ||
127 | return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); | ||
128 | } | ||
129 | |||
130 | string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | ||
131 | return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); | ||
132 | } | ||
133 | string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | ||
134 | return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); | ||
135 | } | ||
136 | string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | ||
137 | params_t p; | ||
138 | if(mode==mode_checkid_immediate) | ||
139 | p["mode"]="checkid_immediate"; | ||
140 | else if(mode==mode_checkid_setup) | ||
141 | p["mode"]="checkid_setup"; | ||
142 | else | ||
143 | throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); | ||
144 | string iurl = canonicalize(identity); | ||
145 | string server, delegate; | ||
146 | retrieve_links(iurl,server,delegate); | ||
147 | p["identity"] = delegate.empty()?iurl:delegate; | ||
148 | if(!trust_root.empty()) | ||
149 | p["trust_root"] = trust_root; | ||
150 | p["return_to"] = return_to; | ||
151 | try { | ||
152 | string ah = find_assoc(server)->handle(); | ||
153 | p["assoc_handle"] = ah; | ||
154 | }catch(failed_lookup& fl) { | ||
155 | string ah = associate(server)->handle(); | ||
156 | p["assoc_handle"] = ah; | ||
157 | } | ||
158 | if(ext) ext->checkid_hook(p); | ||
159 | return p.append_query(server); | ||
160 | } | ||
161 | |||
162 | void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { | ||
163 | if(pin.has_param("openid.user_setup_url")) | ||
164 | throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); | ||
165 | string server,delegate; | ||
166 | retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); | ||
167 | params_t ps; | ||
168 | try { | ||
169 | assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); | ||
170 | if(assoc->is_expired()) | ||
171 | throw id_res_expired_on_delivery(OPKELE_CP_ "retrieve_assoc() has returned expired handle"); | ||
172 | const string& sigenc = pin.get_param("openid.sig"); | ||
173 | vector<unsigned char> sig; | ||
174 | util::decode_base64(sigenc,sig); | ||
175 | const string& slist = pin.get_param("openid.signed"); | ||
176 | string kv; | ||
177 | string::size_type p = 0; | ||
178 | while(true) { | ||
179 | string::size_type co = slist.find(',',p); | ||
180 | string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); | ||
181 | kv += f; | ||
182 | kv += ':'; | ||
183 | f.insert(0,"openid."); | ||
184 | kv += pin.get_param(f); | ||
185 | kv += '\n'; | ||
186 | if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); | ||
187 | if(co==string::npos) | ||
188 | break; | ||
189 | p = co+1; | ||
190 | } | ||
191 | secret_t secret = assoc->secret(); | ||
192 | unsigned int md_len = 0; | ||
193 | unsigned char *md = HMAC( | ||
194 | EVP_sha1(), | ||
195 | &(secret.front()),secret.size(), | ||
196 | (const unsigned char *)kv.data(),kv.length(), | ||
197 | 0,&md_len); | ||
198 | if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) | ||
199 | throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); | ||
200 | }catch(failed_lookup& e) { | ||
201 | const string& slist = pin.get_param("openid.signed"); | ||
202 | string::size_type pp = 0; | ||
203 | params_t p; | ||
204 | while(true) { | ||
205 | string::size_type co = slist.find(',',pp); | ||
206 | string f = "openid."; | ||
207 | f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); | ||
208 | p[f] = pin.get_param(f); | ||
209 | if(co==string::npos) | ||
210 | break; | ||
211 | pp = co+1; | ||
212 | } | ||
213 | p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); | ||
214 | p["openid.sig"] = pin.get_param("openid.sig"); | ||
215 | p["openid.signed"] = pin.get_param("openid.signed"); | ||
216 | try { | ||
217 | string ih = pin.get_param("openid.invalidate_handle"); | ||
218 | p["openid.invalidate_handle"] = ih; | ||
219 | }catch(failed_lookup& fl) { } | ||
220 | try { | ||
221 | check_authentication(server,p); | ||
222 | }catch(failed_check_authentication& fca) { | ||
223 | throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); | ||
224 | } | ||
225 | } | ||
226 | if(ext) ext->id_res_hook(pin,ps); | ||
227 | } | ||
228 | |||
229 | void consumer_t::check_authentication(const string& server,const params_t& p) { | ||
230 | string request = "openid.mode=check_authentication"; | ||
231 | for(params_t::const_iterator i=p.begin();i!=p.end();++i) { | ||
232 | if(i->first!="openid.mode") { | ||
233 | request += '&'; | ||
234 | request += i->first; | ||
235 | request += '='; | ||
236 | request += util::url_encode(i->second); | ||
237 | } | ||
238 | } | ||
239 | curl_pick_t curl = curl_pick_t::easy_init(); | ||
240 | if(!curl) | ||
241 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); | ||
242 | CURLcode r; | ||
243 | (r=curl.misc_sets()) | ||
244 | || (r=curl.easy_setopt(CURLOPT_URL,server.c_str())) | ||
245 | || (r=curl.easy_setopt(CURLOPT_POST,1)) | ||
246 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) | ||
247 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) | ||
248 | || (r=curl.set_write()) | ||
249 | ; | ||
250 | if(r) | ||
251 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | ||
252 | if( (r=curl.easy_perform()) ) | ||
253 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | ||
254 | params_t pp; pp.parse_keyvalues(curl.response); | ||
255 | if(pp.has_param("invalidate_handle")) | ||
256 | invalidate_assoc(server,pp.get_param("invalidate_handle")); | ||
257 | if(pp.has_param("is_valid")) { | ||
258 | if(pp.get_param("is_valid")=="true") | ||
259 | return; | ||
260 | }else if(pp.has_param("lifetime")) { | ||
261 | if(util::string_to_long(pp.get_param("lifetime"))) | ||
262 | return; | ||
263 | } | ||
264 | throw failed_check_authentication(OPKELE_CP_ "failed to verify response"); | ||
265 | } | ||
266 | |||
267 | void consumer_t::retrieve_links(const string& url,string& server,string& delegate) { | ||
268 | server.erase(); | ||
269 | delegate.erase(); | ||
270 | curl_pick_t curl = curl_pick_t::easy_init(); | ||
271 | if(!curl) | ||
272 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); | ||
273 | string& html = curl.response; | ||
274 | CURLcode r; | ||
275 | (r=curl.misc_sets()) | ||
276 | || (r=curl.easy_setopt(CURLOPT_URL,url.c_str())) | ||
277 | || (r=curl.set_write()); | ||
278 | ; | ||
279 | if(r) | ||
280 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | ||
281 | r = curl.easy_perform(); | ||
282 | if(r && r!=CURLE_WRITE_ERROR) | ||
283 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | ||
284 | static const char *re_bre = "<\\s*body\\b", *re_hdre = "<\\s*head[^>]*>", | ||
285 | *re_lre = "<\\s*link\\b([^>]+)>", | ||
286 | *re_rre = "\\brel\\s*=\\s*['\"]([^'\"]+)['\"]", | ||
287 | *re_hre = "\\bhref\\s*=\\s*['\"]\\s*([^'\"\\s]+)\\s*['\"]"; | ||
288 | pcre_matches_t m1(3), m2(3); | ||
289 | pcre_t bre(re_bre,PCRE_CASELESS); | ||
290 | if(bre.exec(html,m1)>0) | ||
291 | html.erase(m1.begin(0)); | ||
292 | pcre_t hdre(re_hdre,PCRE_CASELESS); | ||
293 | if(hdre.exec(html,m1)<=0) | ||
294 | throw bad_input(OPKELE_CP_ "failed to find <head>"); | ||
295 | html.erase(0,m1.end(0)+1); | ||
296 | pcre_t lre(re_lre,PCRE_CASELESS), rre(re_rre,PCRE_CASELESS), hre(re_hre,PCRE_CASELESS); | ||
297 | bool gotit = false; | ||
298 | while( (!gotit) && lre.exec(html,m1)>=2 ) { | ||
299 | static const char *whitespace = " \t"; | ||
300 | string attrs(html,m1.begin(1),m1.length(1)); | ||
301 | html.erase(0,m1.end(0)+1); | ||
302 | if(!( rre.exec(attrs,m1)>=2 && hre.exec(attrs,m2)>=2 )) | ||
303 | continue; | ||
304 | string rels(attrs,m1.begin(1),m1.length(1)); | ||
305 | for(string::size_type ns = rels.find_first_not_of(whitespace); | ||
306 | ns!=string::npos; | ||
307 | ns=rels.find_first_not_of(whitespace,ns)) { | ||
308 | string::size_type s = rels.find_first_of(whitespace,ns); | ||
309 | string rel; | ||
310 | if(s==string::npos) { | ||
311 | rel.assign(rels,ns,string::npos); | ||
312 | ns=string::npos; | ||
313 | }else{ | ||
314 | rel.assign(rels,ns,s-ns); | ||
315 | ns=s; | ||
316 | } | ||
317 | if(rel=="openid.server") { | ||
318 | server.assign(attrs,m2.begin(1),m2.length(1)); | ||
319 | if(!delegate.empty()) { | ||
320 | gotit = true; | ||
321 | break; | ||
322 | } | ||
323 | }else if(rel=="openid.delegate") { | ||
324 | delegate.assign(attrs,m2.begin(1),m2.length(1)); | ||
325 | if(!server.empty()) { | ||
326 | gotit = true; | ||
327 | break; | ||
328 | } | ||
329 | } | ||
330 | } | ||
331 | } | ||
332 | if(server.empty()) | ||
333 | throw failed_assertion(OPKELE_CP_ "The location has no openid.server declaration"); | ||
334 | } | ||
335 | |||
336 | assoc_t consumer_t::find_assoc(const string& /* server */) { | ||
337 | throw failed_lookup(OPKELE_CP_ "no find_assoc() provided"); | ||
338 | } | ||
339 | |||
340 | string consumer_t::normalize(const string& url) { | ||
341 | string rv = url; | ||
342 | // strip leading and trailing spaces | ||
343 | string::size_type i = rv.find_first_not_of(" \t\r\n"); | ||
344 | if(i==string::npos) | ||
345 | throw bad_input(OPKELE_CP_ "empty URL"); | ||
346 | if(i) | ||
347 | rv.erase(0,i); | ||
348 | i = rv.find_last_not_of(" \t\r\n"); | ||
349 | assert(i!=string::npos); | ||
350 | if(i<(rv.length()-1)) | ||
351 | rv.erase(i+1); | ||
352 | // add missing http:// | ||
353 | i = rv.find("://"); | ||
354 | if(i==string::npos) { // primitive. but do we need more? | ||
355 | rv.insert(0,"http://"); | ||
356 | i = sizeof("http://")-1; | ||
357 | }else{ | ||
358 | i += sizeof("://")-1; | ||
359 | } | ||
360 | string::size_type qm = rv.find('?',i); | ||
361 | string::size_type sl = rv.find('/',i); | ||
362 | if(qm!=string::npos) { | ||
363 | if(sl==string::npos || sl>qm) | ||
364 | rv.insert(qm,1,'/'); | ||
365 | }else{ | ||
366 | if(sl==string::npos) | ||
367 | rv += '/'; | ||
368 | } | ||
369 | return rv; | ||
370 | } | ||
371 | |||
372 | string consumer_t::canonicalize(const string& url) { | ||
373 | string rv = normalize(url); | ||
374 | curl_t curl = curl_t::easy_init(); | ||
375 | if(!curl) | ||
376 | throw exception_curl(OPKELE_CP_ "failed to initialize curl()"); | ||
377 | string html; | ||
378 | CURLcode r; | ||
379 | (r=curl.misc_sets()) | ||
380 | || (r=curl.easy_setopt(CURLOPT_URL,rv.c_str())) | ||
381 | || (r=curl.easy_setopt(CURLOPT_NOBODY,1)) | ||
382 | ; | ||
383 | if(r) | ||
384 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | ||
385 | r = curl.easy_perform(); | ||
386 | if(r) | ||
387 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | ||
388 | const char *eu = 0; | ||
389 | r = curl.easy_getinfo(CURLINFO_EFFECTIVE_URL,&eu); | ||
390 | if(r) | ||
391 | throw exception_curl(OPKELE_CP_ "failed to get CURLINFO_EFFECTIVE_URL",r); | ||
392 | rv = eu; | ||
393 | return normalize(rv); | ||
394 | } | ||
395 | |||
396 | } | ||
diff --git a/lib/server.cc b/lib/server.cc deleted file mode 100644 index 0dea1eb..0000000 --- a/lib/server.cc +++ b/dev/null | |||
@@ -1,172 +0,0 @@ | |||
1 | #include <cstring> | ||
2 | #include <vector> | ||
3 | #include <openssl/sha.h> | ||
4 | #include <openssl/hmac.h> | ||
5 | #include <opkele/util.h> | ||
6 | #include <opkele/util-internal.h> | ||
7 | #include <opkele/exception.h> | ||
8 | #include <opkele/server.h> | ||
9 | #include <opkele/data.h> | ||
10 | |||
11 | namespace opkele { | ||
12 | using namespace std; | ||
13 | |||
14 | void server_t::associate(const params_t& pin,params_t& pout) { | ||
15 | util::dh_t dh; | ||
16 | util::bignum_t c_pub; | ||
17 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; | ||
18 | enum { | ||
19 | sess_cleartext, | ||
20 | sess_dh_sha1 | ||
21 | } st = sess_cleartext; | ||
22 | if( | ||
23 | pin.has_param("openid.session_type") | ||
24 | && pin.get_param("openid.session_type")=="DH-SHA1" ) { | ||
25 | /* TODO: fallback to cleartext in case of exceptions here? */ | ||
26 | if(!(dh = DH_new())) | ||
27 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); | ||
28 | c_pub = util::base64_to_bignum(pin.get_param("openid.dh_consumer_public")); | ||
29 | if(pin.has_param("openid.dh_modulus")) | ||
30 | dh->p = util::base64_to_bignum(pin.get_param("openid.dh_modulus")); | ||
31 | else | ||
32 | dh->p = util::dec_to_bignum(data::_default_p); | ||
33 | if(pin.has_param("openid.dh_gen")) | ||
34 | dh->g = util::base64_to_bignum(pin.get_param("openid.dh_gen")); | ||
35 | else | ||
36 | dh->g = util::dec_to_bignum(data::_default_g); | ||
37 | if(!DH_generate_key(dh)) | ||
38 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | ||
39 | vector<unsigned char> ck(DH_size(dh)+1); | ||
40 | unsigned char *ckptr = &(ck.front())+1; | ||
41 | int cklen = DH_compute_key(ckptr,c_pub,dh); | ||
42 | if(cklen<0) | ||
43 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | ||
44 | if(cklen && (*ckptr)&0x80) { | ||
45 | (*(--ckptr)) = 0; ++cklen; | ||
46 | } | ||
47 | SHA1(ckptr,cklen,key_sha1); | ||
48 | st = sess_dh_sha1; | ||
49 | } | ||
50 | assoc_t assoc = alloc_assoc(mode_associate); | ||
51 | time_t now = time(0); | ||
52 | pout.clear(); | ||
53 | pout["assoc_type"] = assoc->assoc_type(); | ||
54 | pout["assoc_handle"] = assoc->handle(); | ||
55 | /* TODO: eventually remove deprecated stuff */ | ||
56 | pout["issued"] = util::time_to_w3c(now); | ||
57 | pout["expiry"] = util::time_to_w3c(now+assoc->expires_in()); | ||
58 | pout["expires_in"] = util::long_to_string(assoc->expires_in()); | ||
59 | secret_t secret = assoc->secret(); | ||
60 | switch(st) { | ||
61 | case sess_dh_sha1: | ||
62 | pout["session_type"] = "DH-SHA1"; | ||
63 | pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key); | ||
64 | secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]); | ||
65 | break; | ||
66 | default: | ||
67 | secret.to_base64(pout["mac_key"]); | ||
68 | break; | ||
69 | } | ||
70 | } | ||
71 | |||
72 | void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | ||
73 | checkid_(mode_checkid_immediate,pin,return_to,pout,ext); | ||
74 | } | ||
75 | |||
76 | void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | ||
77 | checkid_(mode_checkid_setup,pin,return_to,pout,ext); | ||
78 | } | ||
79 | |||
80 | void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { | ||
81 | if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) | ||
82 | throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); | ||
83 | pout.clear(); | ||
84 | assoc_t assoc; | ||
85 | try { | ||
86 | assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); | ||
87 | }catch(failed_lookup& fl) { | ||
88 | // no handle specified or no valid handle found, going dumb | ||
89 | assoc = alloc_assoc(mode_checkid_setup); | ||
90 | if(pin.has_param("openid.assoc_handle")) | ||
91 | pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); | ||
92 | } | ||
93 | string trust_root; | ||
94 | try { | ||
95 | trust_root = pin.get_param("openid.trust_root"); | ||
96 | }catch(failed_lookup& fl) { } | ||
97 | string identity = pin.get_param("openid.identity"); | ||
98 | return_to = pin.get_param("openid.return_to"); | ||
99 | validate(*assoc,pin,identity,trust_root); | ||
100 | pout["mode"] = "id_res"; | ||
101 | pout["assoc_handle"] = assoc->handle(); | ||
102 | if(pin.has_param("openid.assoc_handle") && assoc->stateless()) | ||
103 | pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); | ||
104 | pout["identity"] = identity; | ||
105 | pout["return_to"] = return_to; | ||
106 | /* TODO: eventually remove deprecated stuff */ | ||
107 | time_t now = time(0); | ||
108 | pout["issued"] = util::time_to_w3c(now); | ||
109 | pout["valid_to"] = util::time_to_w3c(now+120); | ||
110 | pout["exipres_in"] = "120"; | ||
111 | pout["signed"]="mode,identity,return_to"; | ||
112 | if(ext) ext->checkid_hook(pin,pout); | ||
113 | pout["sig"] = util::base64_signature(assoc,pout); | ||
114 | } | ||
115 | |||
116 | void server_t::check_authentication(const params_t& pin,params_t& pout) { | ||
117 | vector<unsigned char> sig; | ||
118 | const string& sigenc = pin.get_param("openid.sig"); | ||
119 | util::decode_base64(sigenc,sig); | ||
120 | assoc_t assoc; | ||
121 | try { | ||
122 | assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); | ||
123 | }catch(failed_lookup& fl) { | ||
124 | throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); | ||
125 | } | ||
126 | if(!assoc->stateless()) | ||
127 | throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); | ||
128 | const string& slist = pin.get_param("openid.signed"); | ||
129 | string kv; | ||
130 | string::size_type p =0; | ||
131 | while(true) { | ||
132 | string::size_type co = slist.find(',',p); | ||
133 | string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); | ||
134 | kv += f; | ||
135 | kv += ':'; | ||
136 | if(f=="mode") | ||
137 | kv += "id_res"; | ||
138 | else { | ||
139 | f.insert(0,"openid."); | ||
140 | kv += pin.get_param(f); | ||
141 | } | ||
142 | kv += '\n'; | ||
143 | if(co==string::npos) | ||
144 | break; | ||
145 | p = co+1; | ||
146 | } | ||
147 | secret_t secret = assoc->secret(); | ||
148 | unsigned int md_len = 0; | ||
149 | unsigned char *md = HMAC( | ||
150 | EVP_sha1(), | ||
151 | &(secret.front()),secret.size(), | ||
152 | (const unsigned char *)kv.data(),kv.length(), | ||
153 | 0,&md_len); | ||
154 | pout.clear(); | ||
155 | if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { | ||
156 | pout["is_valid"]="true"; | ||
157 | pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ | ||
158 | }else{ | ||
159 | pout["is_valid"]="false"; | ||
160 | pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ | ||
161 | } | ||
162 | if(pin.has_param("openid.invalidate_handle")) { | ||
163 | string h = pin.get_param("openid.invalidate_handle"); | ||
164 | try { | ||
165 | assoc_t tmp = retrieve_assoc(h); | ||
166 | }catch(invalid_handle& ih) { | ||
167 | pout["invalidate_handle"] = h; | ||
168 | }catch(failed_lookup& fl) { } | ||
169 | } | ||
170 | } | ||
171 | |||
172 | } | ||
diff --git a/libopkele.pc.in b/libopkele.pc.in index 2720a6a..268f998 100644 --- a/libopkele.pc.in +++ b/libopkele.pc.in | |||
@@ -3,9 +3,9 @@ exec_prefix=@exec_prefix@ | |||
3 | libdir=@libdir@ | 3 | libdir=@libdir@ |
4 | includedir=@includedir@ | 4 | includedir=@includedir@ |
5 | 5 | ||
6 | Name: libopkele | 6 | Name: libopkele |
7 | Description: C++ implementation of OpenID protocol | 7 | Description: C++ implementation of OpenID protocol |
8 | Version: @VERSION@ | 8 | Version: @VERSION@ |
9 | Requires: openssl libpcre @KONFORKA_KONFORKA@ @UUID_UUID@ | 9 | Requires: openssl @KONFORKA_KONFORKA@ @UUID_UUID@ |
10 | Cflags: -I${includedir} @LIBCURL_CPPFLAGS@ @PCRE_CFLAGS@ @EXPAT_CFLAGS@ @TIDY_CFLAGS@ | 10 | Cflags: -I${includedir} @LIBCURL_CPPFLAGS@ @EXPAT_CFLAGS@ @TIDY_CFLAGS@ |
11 | Libs: -L${libdir} -lopkele @LIBCURL@ @PCRE_LIBS@ @EXPAT_LIBS@ @TIDY_LIBS@ | 11 | Libs: -L${libdir} -lopkele @LIBCURL@ @EXPAT_LIBS@ @TIDY_LIBS@ |