summaryrefslogtreecommitdiffabout
path: root/lib/consumer.cc
Unidiff
Diffstat (limited to 'lib/consumer.cc') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/consumer.cc29
1 files changed, 27 insertions, 2 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc
index bd76b61..cbe0769 100644
--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -92,120 +92,120 @@ namespace opkele {
92 throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); 92 throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r);
93 params_t p; p.parse_keyvalues(response); 93 params_t p; p.parse_keyvalues(response);
94 if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1") 94 if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1")
95 throw bad_input(OPKELE_CP_ "unsupported assoc_type"); 95 throw bad_input(OPKELE_CP_ "unsupported assoc_type");
96 string st; 96 string st;
97 if(p.has_param("session_type")) st = p.get_param("session_type"); 97 if(p.has_param("session_type")) st = p.get_param("session_type");
98 if((!st.empty()) && st!="DH-SHA1") 98 if((!st.empty()) && st!="DH-SHA1")
99 throw bad_input(OPKELE_CP_ "unsupported session_type"); 99 throw bad_input(OPKELE_CP_ "unsupported session_type");
100 secret_t secret; 100 secret_t secret;
101 if(st.empty()) { 101 if(st.empty()) {
102 secret.from_base64(p.get_param("mac_key")); 102 secret.from_base64(p.get_param("mac_key"));
103 }else{ 103 }else{
104 util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); 104 util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public"));
105 vector<unsigned char> ck(DH_size(dh)); 105 vector<unsigned char> ck(DH_size(dh));
106 int cklen = DH_compute_key(&(ck.front()),s_pub,dh); 106 int cklen = DH_compute_key(&(ck.front()),s_pub,dh);
107 if(cklen<0) 107 if(cklen<0)
108 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 108 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
109 ck.resize(cklen); 109 ck.resize(cklen);
110 // OpenID algorithm requires extra zero in case of set bit here 110 // OpenID algorithm requires extra zero in case of set bit here
111 if(ck[0]&0x80) ck.insert(ck.begin(),1,0); 111 if(ck[0]&0x80) ck.insert(ck.begin(),1,0);
112 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 112 unsigned char key_sha1[SHA_DIGEST_LENGTH];
113 SHA1(&(ck.front()),ck.size(),key_sha1); 113 SHA1(&(ck.front()),ck.size(),key_sha1);
114 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); 114 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key"));
115 } 115 }
116 int expires_in = 0; 116 int expires_in = 0;
117 if(p.has_param("expires_in")) { 117 if(p.has_param("expires_in")) {
118 expires_in = util::string_to_long(p.get_param("expires_in")); 118 expires_in = util::string_to_long(p.get_param("expires_in"));
119 }else if(p.has_param("issued") && p.has_param("expiry")) { 119 }else if(p.has_param("issued") && p.has_param("expiry")) {
120 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued")); 120 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));
121 }else 121 }else
122 throw bad_input(OPKELE_CP_ "no expiration information"); 122 throw bad_input(OPKELE_CP_ "no expiration information");
123 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); 123 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);
124 } 124 }
125 125
126 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root) { 126 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root) {
127 return checkid_(mode_checkid_immediate,identity,return_to,trust_root); 127 return checkid_(mode_checkid_immediate,identity,return_to,trust_root);
128 } 128 }
129 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root) { 129 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root) {
130 return checkid_(mode_checkid_setup,identity,return_to,trust_root); 130 return checkid_(mode_checkid_setup,identity,return_to,trust_root);
131 } 131 }
132 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root) { 132 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root) {
133 params_t p; 133 params_t p;
134 if(mode==mode_checkid_immediate) 134 if(mode==mode_checkid_immediate)
135 p["mode"]="checkid_immediate"; 135 p["mode"]="checkid_immediate";
136 else if(mode==mode_checkid_setup) 136 else if(mode==mode_checkid_setup)
137 p["mode"]="checkid_setup"; 137 p["mode"]="checkid_setup";
138 else 138 else
139 throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); 139 throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
140 string iurl = util::canonicalize_url(identity); 140 string iurl = canonicalize(identity);
141 string server, delegate; 141 string server, delegate;
142 retrieve_links(iurl,server,delegate); 142 retrieve_links(iurl,server,delegate);
143 p["identity"] = delegate.empty()?iurl:delegate; 143 p["identity"] = delegate.empty()?iurl:delegate;
144 if(!trust_root.empty()) 144 if(!trust_root.empty())
145 p["trust_root"] = trust_root; 145 p["trust_root"] = trust_root;
146 p["return_to"] = return_to; 146 p["return_to"] = return_to;
147 try { 147 try {
148 try { 148 try {
149 string ah = find_assoc(server)->handle(); 149 string ah = find_assoc(server)->handle();
150 p["assoc_handle"] = ah; 150 p["assoc_handle"] = ah;
151 }catch(failed_lookup& fl) { 151 }catch(failed_lookup& fl) {
152 string ah = associate(server)->handle(); 152 string ah = associate(server)->handle();
153 p["assoc_handle"] = ah; 153 p["assoc_handle"] = ah;
154 } 154 }
155 }catch(exception& e) { } 155 }catch(exception& e) { }
156 return p.append_query(server); 156 return p.append_query(server);
157 } 157 }
158 158
159 void consumer_t::id_res(const params_t& pin,const string& identity) { 159 void consumer_t::id_res(const params_t& pin,const string& identity) {
160 if(pin.has_param("openid.user_setup_url")) 160 if(pin.has_param("openid.user_setup_url"))
161 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); 161 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));
162 string server,delegate; 162 string server,delegate;
163 retrieve_links(identity.empty()?pin.get_param("openid.identity"):util::canonicalize_url(identity),server,delegate); 163 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);
164 try { 164 try {
165 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); 165 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));
166 const string& sigenc = pin.get_param("openid.sig"); 166 const string& sigenc = pin.get_param("openid.sig");
167 mimetic::Base64::Decoder b; 167 mimetic::Base64::Decoder b;
168 vector<unsigned char> sig; 168 vector<unsigned char> sig;
169 mimetic::decode( 169 mimetic::decode(
170 sigenc.begin(),sigenc.end(), b, 170 sigenc.begin(),sigenc.end(), b,
171 back_insert_iterator<vector<unsigned char> >(sig) ); 171 back_insert_iterator<vector<unsigned char> >(sig) );
172 const string& slist = pin.get_param("openid.signed"); 172 const string& slist = pin.get_param("openid.signed");
173 string kv; 173 string kv;
174 string::size_type p = 0; 174 string::size_type p = 0;
175 while(true) { 175 while(true) {
176 string::size_type co = slist.find(',',p); 176 string::size_type co = slist.find(',',p);
177 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 177 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
178 kv += f; 178 kv += f;
179 kv += ':'; 179 kv += ':';
180 f.insert(0,"openid."); 180 f.insert(0,"openid.");
181 kv += pin.get_param(f); 181 kv += pin.get_param(f);
182 kv += '\n'; 182 kv += '\n';
183 if(co==string::npos) 183 if(co==string::npos)
184 break; 184 break;
185 p = co+1; 185 p = co+1;
186 } 186 }
187 secret_t secret = assoc->secret(); 187 secret_t secret = assoc->secret();
188 unsigned int md_len = 0; 188 unsigned int md_len = 0;
189 unsigned char *md = HMAC( 189 unsigned char *md = HMAC(
190 EVP_sha1(), 190 EVP_sha1(),
191 &(secret.front()),secret.size(), 191 &(secret.front()),secret.size(),
192 (const unsigned char *)kv.data(),kv.length(), 192 (const unsigned char *)kv.data(),kv.length(),
193 0,&md_len); 193 0,&md_len);
194 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) 194 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len))
195 throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); 195 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
196 }catch(failed_lookup& e) { /* XXX: more specific? */ 196 }catch(failed_lookup& e) { /* XXX: more specific? */
197 const string& slist = pin.get_param("openid.signed"); 197 const string& slist = pin.get_param("openid.signed");
198 string::size_type pp = 0; 198 string::size_type pp = 0;
199 params_t p; 199 params_t p;
200 while(true) { 200 while(true) {
201 string::size_type co = slist.find(',',pp); 201 string::size_type co = slist.find(',',pp);
202 string f = "openid."; 202 string f = "openid.";
203 f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); 203 f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp);
204 p[f] = pin.get_param(f); 204 p[f] = pin.get_param(f);
205 if(co==string::npos) 205 if(co==string::npos)
206 break; 206 break;
207 pp = co+1; 207 pp = co+1;
208 } 208 }
209 p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); 209 p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle");
210 p["openid.sig"] = pin.get_param("openid.sig"); 210 p["openid.sig"] = pin.get_param("openid.sig");
211 p["openid.signed"] = pin.get_param("openid.signed"); 211 p["openid.signed"] = pin.get_param("openid.signed");
@@ -268,49 +268,74 @@ namespace opkele {
268 if(!curl) 268 if(!curl)
269 throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); 269 throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()");
270 string html; 270 string html;
271 CURLcode r; 271 CURLcode r;
272 (r=curl_misc_sets(curl)) 272 (r=curl_misc_sets(curl))
273 || (r=curl_easy_setopt(curl,CURLOPT_URL,url.c_str())) 273 || (r=curl_easy_setopt(curl,CURLOPT_URL,url.c_str()))
274 || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) 274 || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring))
275 || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&html)) 275 || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&html))
276 ; 276 ;
277 if(r) 277 if(r)
278 throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); 278 throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r);
279 r = curl_easy_perform(curl); 279 r = curl_easy_perform(curl);
280 if(r && r!=CURLE_WRITE_ERROR) 280 if(r && r!=CURLE_WRITE_ERROR)
281 throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); 281 throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r);
282 pcrepp::Pcre bre("<body\\b",PCRE_CASELESS); 282 pcrepp::Pcre bre("<body\\b",PCRE_CASELESS);
283 // strip out everything past body 283 // strip out everything past body
284 if(bre.search(html)) 284 if(bre.search(html))
285 html.erase(bre.get_match_start()); 285 html.erase(bre.get_match_start());
286 pcrepp::Pcre hdre("<head[^>]*>",PCRE_CASELESS); 286 pcrepp::Pcre hdre("<head[^>]*>",PCRE_CASELESS);
287 if(!hdre.search(html)) 287 if(!hdre.search(html))
288 throw bad_input(OPKELE_CP_ "failed to find head"); 288 throw bad_input(OPKELE_CP_ "failed to find head");
289 html.erase(0,hdre.get_match_end()+1); 289 html.erase(0,hdre.get_match_end()+1);
290 pcrepp::Pcre lre("<link\\b([^>]+)>",PCRE_CASELESS), 290 pcrepp::Pcre lre("<link\\b([^>]+)>",PCRE_CASELESS),
291 rre("\\brel=['\"]([^'\"]+)['\"]",PCRE_CASELESS), 291 rre("\\brel=['\"]([^'\"]+)['\"]",PCRE_CASELESS),
292 hre("\\bhref=['\"]([^'\"]+)['\"]",PCRE_CASELESS); 292 hre("\\bhref=['\"]([^'\"]+)['\"]",PCRE_CASELESS);
293 while(lre.search(html)) { 293 while(lre.search(html)) {
294 string attrs = lre[0]; 294 string attrs = lre[0];
295 html.erase(0,lre.get_match_end()+1); 295 html.erase(0,lre.get_match_end()+1);
296 if(!(rre.search(attrs)&&hre.search(attrs))) 296 if(!(rre.search(attrs)&&hre.search(attrs)))
297 continue; 297 continue;
298 if(rre[0]=="openid.server") { 298 if(rre[0]=="openid.server") {
299 server = hre[0]; 299 server = hre[0];
300 if(!delegate.empty()) 300 if(!delegate.empty())
301 break; 301 break;
302 }else if(rre[0]=="openid.delegate") { 302 }else if(rre[0]=="openid.delegate") {
303 delegate = hre[0]; 303 delegate = hre[0];
304 if(!server.empty()) 304 if(!server.empty())
305 break; 305 break;
306 } 306 }
307 } 307 }
308 if(server.empty()) 308 if(server.empty())
309 throw failed_assertion(OPKELE_CP_ "The location has no openid.server declaration"); 309 throw failed_assertion(OPKELE_CP_ "The location has no openid.server declaration");
310 } 310 }
311 311
312 assoc_t consumer_t::find_assoc(const string& server) { 312 assoc_t consumer_t::find_assoc(const string& server) {
313 throw failed_lookup(OPKELE_CP_ "no find_assoc() provided"); 313 throw failed_lookup(OPKELE_CP_ "no find_assoc() provided");
314 } 314 }
315 315
316 string consumer_t::canonicalize(const string& url) {
317 string rv = url;
318 // strip leading and trailing spaces
319 string::size_type i = rv.find_first_not_of(" \t\r\n");
320 if(i==string::npos)
321 throw bad_input(OPKELE_CP_ "empty URL");
322 if(i)
323 rv.erase(0,i);
324 i = rv.find_last_not_of(" \t\r\n");
325 assert(i!=string::npos);
326 if(i<(rv.length()-1))
327 rv.erase(i+1);
328 // add missing http://
329 i = rv.find("://");
330 if(i==string::npos) { // primitive. but do we need more?
331 rv.insert(0,"http://");
332 i = sizeof("http://")-1;
333 }else{
334 i += sizeof("://")-1;
335 }
336 if(rv.find('/',i)==string::npos)
337 rv += '/';
338 return rv;
339 }
340
316} 341}