-rw-r--r-- | include/Makefile.am | 1 | ||||
-rw-r--r-- | include/opkele/exception.h | 27 | ||||
-rw-r--r-- | lib/Makefile.am | 3 | ||||
-rw-r--r-- | lib/basic_op.cc | 320 |
4 files changed, 350 insertions, 1 deletions
diff --git a/include/Makefile.am b/include/Makefile.am index 50fcb62..37fb961 100644 --- a/include/Makefile.am +++ b/include/Makefile.am | |||
@@ -19,6 +19,7 @@ nobase_include_HEADERS = \ | |||
19 | opkele/basic_rp.h \ | 19 | opkele/basic_rp.h \ |
20 | opkele/prequeue_rp.h \ | 20 | opkele/prequeue_rp.h \ |
21 | opkele/iterator.h \ | 21 | opkele/iterator.h \ |
22 | opkele/basic_op.h \ | ||
22 | ${NODIST_HEADERS_} | 23 | ${NODIST_HEADERS_} |
23 | 24 | ||
24 | noinst_HEADERS = \ | 25 | noinst_HEADERS = \ |
diff --git a/include/opkele/exception.h b/include/opkele/exception.h index ccb39d9..5c8418e 100644 --- a/include/opkele/exception.h +++ b/include/opkele/exception.h | |||
@@ -330,6 +330,33 @@ namespace opkele { | |||
330 | : exception(OPKELE_E_CONS) { } | 330 | : exception(OPKELE_E_CONS) { } |
331 | }; | 331 | }; |
332 | 332 | ||
333 | /** | ||
334 | * thrown while processing OpenID request in OP. Signifies invalid realm | ||
335 | */ | ||
336 | class bad_realm : public exception { | ||
337 | public: | ||
338 | bad_realm(OPKELE_E_PARS) | ||
339 | : exception(OPKELE_E_CONS) { } | ||
340 | }; | ||
341 | |||
342 | /** | ||
343 | * thrown when attempting to retrieve return_to of one-way request | ||
344 | */ | ||
345 | class no_return_to : public exception { | ||
346 | public: | ||
347 | no_return_to(OPKELE_E_PARS) | ||
348 | : exception(OPKELE_E_CONS) { } | ||
349 | }; | ||
350 | |||
351 | /** | ||
352 | * thrown when querying identity of non-identity related request | ||
353 | */ | ||
354 | class non_identity : public exception { | ||
355 | public: | ||
356 | non_identity(OPKELE_E_PARS) | ||
357 | : exception(OPKELE_E_CONS) { } | ||
358 | }; | ||
359 | |||
333 | } | 360 | } |
334 | 361 | ||
335 | #endif /* __OPKELE_EXCEPTION_H */ | 362 | #endif /* __OPKELE_EXCEPTION_H */ |
diff --git a/lib/Makefile.am b/lib/Makefile.am index c58ec3f..ac312d1 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am | |||
@@ -29,6 +29,7 @@ libopkele_la_SOURCES = \ | |||
29 | discovery.cc \ | 29 | discovery.cc \ |
30 | basic_rp.cc \ | 30 | basic_rp.cc \ |
31 | prequeue_rp.cc \ | 31 | prequeue_rp.cc \ |
32 | openid_message.cc | 32 | openid_message.cc \ |
33 | basic_op.cc | ||
33 | libopkele_la_LDFLAGS = \ | 34 | libopkele_la_LDFLAGS = \ |
34 | -version-info 2:0:0 | 35 | -version-info 2:0:0 |
diff --git a/lib/basic_op.cc b/lib/basic_op.cc new file mode 100644 index 0000000..22012bc --- a/dev/null +++ b/lib/basic_op.cc | |||
@@ -0,0 +1,320 @@ | |||
1 | #include <time.h> | ||
2 | #include <cassert> | ||
3 | #include <openssl/sha.h> | ||
4 | #include <openssl/hmac.h> | ||
5 | #include <opkele/data.h> | ||
6 | #include <opkele/basic_op.h> | ||
7 | #include <opkele/exception.h> | ||
8 | #include <opkele/util.h> | ||
9 | #include <opkele/uris.h> | ||
10 | |||
11 | namespace opkele { | ||
12 | |||
13 | void basic_op::reset_vars() { | ||
14 | assoc.reset(); | ||
15 | return_to.clear(); realm.clear(); | ||
16 | claimed_id.clear(); identity.clear(); | ||
17 | invalidate_handle.clear(); | ||
18 | } | ||
19 | |||
20 | bool basic_op::has_return_to() const { | ||
21 | return !return_to.empty(); | ||
22 | } | ||
23 | const string& basic_op::get_return_to() const { | ||
24 | if(return_to.empty()) | ||
25 | throw no_return_to(OPKELE_CP_ "No return_to URL provided with request"); | ||
26 | return return_to; | ||
27 | } | ||
28 | |||
29 | const string& basic_op::get_realm() const { | ||
30 | assert(!realm.empty()); | ||
31 | return realm; | ||
32 | } | ||
33 | |||
34 | bool basic_op::has_identity() const { | ||
35 | return !identity.empty(); | ||
36 | } | ||
37 | const string& basic_op::get_claimed_id() const { | ||
38 | if(claimed_id.empty()) | ||
39 | throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request"); | ||
40 | assert(!identity.empty()); | ||
41 | return claimed_id; | ||
42 | } | ||
43 | const string& basic_op::get_identity() const { | ||
44 | if(identity.empty()) | ||
45 | throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request"); | ||
46 | assert(!claimed_id.empty()); | ||
47 | return identity; | ||
48 | } | ||
49 | |||
50 | bool basic_op::is_id_select() const { | ||
51 | return identity==IDURI_SELECT20; | ||
52 | } | ||
53 | |||
54 | void basic_op::select_identity(const string& c,const string& i) { | ||
55 | claimed_id = c; identity = i; | ||
56 | } | ||
57 | void basic_op::set_claimed_id(const string& c) { | ||
58 | claimed_id = c; | ||
59 | } | ||
60 | |||
61 | basic_openid_message& basic_op::associate( | ||
62 | basic_openid_message& oum, | ||
63 | const basic_openid_message& inm) try { | ||
64 | assert(inm.get_field("mode")=="associate"); | ||
65 | util::dh_t dh; | ||
66 | util::bignum_t c_pub; | ||
67 | unsigned char key_digest[SHA256_DIGEST_LENGTH]; | ||
68 | size_t d_len = 0; | ||
69 | enum { | ||
70 | sess_cleartext, sess_dh_sha1, sess_dh_sha256 | ||
71 | } st = sess_cleartext; | ||
72 | string sts = inm.get_field("session_type"); | ||
73 | string ats = inm.get_field("assoc_type"); | ||
74 | if(sts=="DH-SHA1" || sts=="DH-SHA256") { | ||
75 | if(!(dh = DH_new())) | ||
76 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); | ||
77 | c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public")); | ||
78 | try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus")); | ||
79 | }catch(failed_lookup&) { | ||
80 | dh->p = util::dec_to_bignum(data::_default_p); } | ||
81 | try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen")); | ||
82 | }catch(failed_lookup&) { | ||
83 | dh->g = util::dec_to_bignum(data::_default_g); } | ||
84 | if(!DH_generate_key(dh)) | ||
85 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | ||
86 | vector<unsigned char> ck(DH_size(dh)+1); | ||
87 | unsigned char *ckptr = &(ck.front())+1; | ||
88 | int cklen = DH_compute_key(ckptr,c_pub,dh); | ||
89 | if(cklen<0) | ||
90 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | ||
91 | if(cklen && (*ckptr)&0x80) { | ||
92 | (*(--ckptr)) = 0; ++cklen; } | ||
93 | if(sts=="DH-SHA1") { | ||
94 | SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH; | ||
95 | }else if(sts=="DH-SHA256") { | ||
96 | SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH; | ||
97 | }else | ||
98 | throw internal_error(OPKELE_CP_ "I thought I knew the session type"); | ||
99 | }else | ||
100 | throw unsupported(OPKELE_CP_ "Unsupported session_type"); | ||
101 | assoc_t assoc; | ||
102 | if(ats=="HMAC-SHA1") | ||
103 | assoc = alloc_assoc(ats,SHA_DIGEST_LENGTH,true); | ||
104 | else if(ats=="HMAC-SHA256") | ||
105 | assoc = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true); | ||
106 | else | ||
107 | throw unsupported(OPKELE_CP_ "Unsupported assoc_type"); | ||
108 | oum.reset_fields(); | ||
109 | oum.set_field("ns",OIURI_OPENID20); | ||
110 | oum.set_field("assoc_type",assoc->assoc_type()); | ||
111 | oum.set_field("assoc_handle",assoc->handle()); | ||
112 | oum.set_field("expires_in",util::long_to_string(assoc->expires_in())); | ||
113 | secret_t secret = assoc->secret(); | ||
114 | if(sts=="DH-SHA1" || sts=="DH-SHA256") { | ||
115 | if(d_len != secret.size()) | ||
116 | throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size"); | ||
117 | oum.set_field("session_type",sts); | ||
118 | oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key)); | ||
119 | string b64; secret.enxor_to_base64(key_digest,b64); | ||
120 | oum.set_field("enc_mac_key",b64); | ||
121 | }else /* TODO: support cleartext over encrypted connection */ | ||
122 | throw unsupported(OPKELE_CP_ "Unsupported session type"); | ||
123 | return oum; | ||
124 | } catch(unsupported& u) { | ||
125 | oum.reset_fields(); | ||
126 | oum.set_field("ns",OIURI_OPENID20); | ||
127 | oum.set_field("error",u.what()); | ||
128 | oum.set_field("error_code","unsupported-type"); | ||
129 | oum.set_field("session_type","DH-SHA256"); | ||
130 | oum.set_field("assoc_type","HMAC-SHA256"); | ||
131 | return oum; | ||
132 | } | ||
133 | |||
134 | void basic_op::checkid_(const basic_openid_message& inm, | ||
135 | extension_t *ext) { | ||
136 | reset_vars(); | ||
137 | string mode = inm.get_field("mode"); | ||
138 | if(mode=="checkid_setup") | ||
139 | mode = mode_checkid_setup; | ||
140 | else if(mode=="checkid_immediate") | ||
141 | mode = mode_checkid_immediate; | ||
142 | else | ||
143 | throw bad_input(OPKELE_CP_ "Invalid checkid_* mode"); | ||
144 | try { | ||
145 | assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle")); | ||
146 | invalidate_handle.clear(); | ||
147 | }catch(failed_lookup&) { | ||
148 | // no handle specified or no valid assoc found, go dumb | ||
149 | assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true); | ||
150 | } | ||
151 | try { | ||
152 | openid2 = (inm.get_field("ns")==OIURI_OPENID20); | ||
153 | }catch(failed_lookup&) { openid2 = false; } | ||
154 | try { | ||
155 | return_to = inm.get_field("return_to"); | ||
156 | }catch(failed_lookup&) { } | ||
157 | if(openid2) { | ||
158 | try { | ||
159 | realm = inm.get_field("realm"); | ||
160 | }catch(failed_lookup&) { | ||
161 | try { | ||
162 | realm = inm.get_field("trust_root"); | ||
163 | }catch(failed_lookup&) { | ||
164 | if(return_to.empty()) | ||
165 | throw bad_input(OPKELE_CP_ | ||
166 | "Both realm and return_to are unset"); | ||
167 | realm = return_to; | ||
168 | } | ||
169 | } | ||
170 | }else{ | ||
171 | try { | ||
172 | realm = inm.get_field("trust_root"); | ||
173 | }catch(failed_lookup&) { | ||
174 | if(return_to.empty()) | ||
175 | throw bad_input(OPKELE_CP_ | ||
176 | "Both realm and return_to are unset"); | ||
177 | realm = return_to; | ||
178 | } | ||
179 | } | ||
180 | try { | ||
181 | identity = inm.get_field("identity"); | ||
182 | try { | ||
183 | claimed_id = inm.get_field("claimed_id"); | ||
184 | }catch(failed_lookup&) { | ||
185 | if(openid2) | ||
186 | throw bad_input(OPKELE_CP_ | ||
187 | "claimed_id and identity must be either both present or both absent"); | ||
188 | } | ||
189 | }catch(failed_lookup&) { | ||
190 | if(openid2 && inm.has_field("claimed_id")) | ||
191 | throw bad_input(OPKELE_CP_ | ||
192 | "claimed_id and identity must be either both present or both absent"); | ||
193 | } | ||
194 | verify_return_to(); | ||
195 | } | ||
196 | |||
197 | basic_openid_message& basic_op::id_res(basic_openid_message& om) { | ||
198 | assert(assoc); | ||
199 | assert(!return_to.empty()); | ||
200 | assert(!is_id_select()); | ||
201 | time_t now = time(0); | ||
202 | struct tm gmt; gmtime_r(&now,&gmt); | ||
203 | char w3timestr[24]; | ||
204 | if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt)) | ||
205 | throw failed_conversion(OPKELE_CP_ | ||
206 | "Failed to build time string for nonce" ); | ||
207 | om.set_field("ns",OIURI_OPENID20); | ||
208 | om.set_field("mode","id_res"); | ||
209 | om.set_field("op_endpoint",get_op_endpoint()); | ||
210 | string ats = "ns,mode,op_endpoint,return_to,response_nonce," | ||
211 | "assoc_handle,signed"; | ||
212 | if(!identity.empty()) { | ||
213 | om.set_field("identity",identity); | ||
214 | om.set_field("claimed_id",claimed_id); | ||
215 | ats += ",identity,claimed_id"; | ||
216 | } | ||
217 | om.set_field("return_to",return_to); | ||
218 | string nonce = w3timestr; | ||
219 | om.set_field("response_nonce",alloc_nonce(nonce,assoc->stateless())); | ||
220 | if(!invalidate_handle.empty()) { | ||
221 | om.set_field("invalidate_handle",invalidate_handle); | ||
222 | ats += ",invalidate_handle"; | ||
223 | } | ||
224 | om.set_field("assoc_handle",assoc->handle()); | ||
225 | om.add_to_signed(ats); | ||
226 | om.set_field("sig",util::base64_signature(assoc,om)); | ||
227 | return om; | ||
228 | } | ||
229 | |||
230 | basic_openid_message& basic_op::cancel(basic_openid_message& om) { | ||
231 | assert(!return_to.empty()); | ||
232 | om.set_field("ns",OIURI_OPENID20); | ||
233 | om.set_field("mode","cancel"); | ||
234 | return om; | ||
235 | } | ||
236 | |||
237 | basic_openid_message& basic_op::error(basic_openid_message& om, | ||
238 | const string& error,const string& contact, | ||
239 | const string& reference ) { | ||
240 | assert(!return_to.empty()); | ||
241 | om.set_field("ns",OIURI_OPENID20); | ||
242 | om.set_field("mode","error"); | ||
243 | om.set_field("error",error); | ||
244 | om.set_field("contact",contact); | ||
245 | om.set_field("reference",reference); | ||
246 | return om; | ||
247 | } | ||
248 | |||
249 | basic_openid_message& basic_op::setup_needed( | ||
250 | basic_openid_message& oum,const basic_openid_message& inm) { | ||
251 | assert(mode==mode_checkid_immediate); | ||
252 | assert(!return_to.empty()); | ||
253 | if(openid2) { | ||
254 | oum.set_field("ns",OIURI_OPENID20); | ||
255 | oum.set_field("mode","setup_needed"); | ||
256 | }else{ | ||
257 | oum.set_field("mode","id_res"); | ||
258 | static const string setupmode = "checkid_setup"; | ||
259 | oum.set_field("user_setup_url", | ||
260 | util::change_mode_message_proxy(inm,setupmode) | ||
261 | .append_query(get_op_endpoint())); | ||
262 | } | ||
263 | return oum; | ||
264 | } | ||
265 | |||
266 | basic_openid_message& basic_op::check_authentication( | ||
267 | basic_openid_message& oum, | ||
268 | const basic_openid_message& inm) try { | ||
269 | assert(inm.get_field("mode")=="check_authentication"); | ||
270 | oum.reset_fields(); | ||
271 | oum.set_field("ns",OIURI_OPENID20); | ||
272 | bool o2; | ||
273 | try { | ||
274 | o2 = (inm.get_field("ns")==OIURI_OPENID20); | ||
275 | }catch(failed_lookup&) { o2 = false; } | ||
276 | string nonce; | ||
277 | if(o2) { | ||
278 | try { | ||
279 | if(!check_nonce(nonce = inm.get_field("response_nonce"))) | ||
280 | throw failed_check_authentication(OPKELE_CP_ "Invalid nonce"); | ||
281 | }catch(failed_lookup&) { | ||
282 | throw failed_check_authentication(OPKELE_CP_ "No nonce provided with check_authentication request"); | ||
283 | } | ||
284 | } | ||
285 | try { | ||
286 | assoc = retrieve_assoc(inm.get_field("assoc_handle")); | ||
287 | if(!assoc->stateless()) | ||
288 | throw failed_check_authentication(OPKELE_CP_ "Will not do check_authentication on a stateful handle"); | ||
289 | }catch(failed_lookup&) { | ||
290 | throw failed_check_authentication(OPKELE_CP_ "No assoc_handle or invalid assoc_handle specified with check_authentication request"); | ||
291 | } | ||
292 | static const string idresmode = "id_res"; | ||
293 | try { | ||
294 | if(util::base64_signature(assoc,util::change_mode_message_proxy(inm,idresmode))!=inm.get_field("sig")) | ||
295 | throw failed_check_authentication(OPKELE_CP_ "Signature mismatch"); | ||
296 | }catch(failed_lookup&) { | ||
297 | throw failed_check_authentication(OPKELE_CP_ "failed to calculate signature"); | ||
298 | } | ||
299 | oum.set_field("is_valid","true"); | ||
300 | try { | ||
301 | string h = inm.get_field("invalidate_handle"); | ||
302 | try { | ||
303 | assoc_t ih = retrieve_assoc(h); | ||
304 | }catch(invalid_handle& ih) { | ||
305 | oum.set_field("invalidate_handle",h); | ||
306 | }catch(failed_lookup& ih) { | ||
307 | oum.set_field("invalidate_handle",h); | ||
308 | } | ||
309 | }catch(failed_lookup&) { } | ||
310 | if(o2) { | ||
311 | assert(!nonce.empty()); | ||
312 | invalidate_nonce(nonce); | ||
313 | } | ||
314 | return oum; | ||
315 | }catch(failed_check_authentication& ) { | ||
316 | oum.set_field("is_valid","false"); | ||
317 | return oum; | ||
318 | } | ||
319 | |||
320 | } | ||