-rw-r--r-- | lib/consumer.cc | 396 |
1 files changed, 0 insertions, 396 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc deleted file mode 100644 index 801496e..0000000 --- a/lib/consumer.cc +++ b/dev/null | |||
@@ -1,396 +0,0 @@ | |||
1 | #include <algorithm> | ||
2 | #include <cassert> | ||
3 | #include <cstring> | ||
4 | #include <opkele/util.h> | ||
5 | #include <opkele/util-internal.h> | ||
6 | #include <opkele/curl.h> | ||
7 | #include <opkele/exception.h> | ||
8 | #include <opkele/data.h> | ||
9 | #include <opkele/consumer.h> | ||
10 | #include <openssl/sha.h> | ||
11 | #include <openssl/hmac.h> | ||
12 | #include <iostream> | ||
13 | |||
14 | #include "config.h" | ||
15 | |||
16 | #include <pcre.h> | ||
17 | |||
18 | namespace opkele { | ||
19 | using namespace std; | ||
20 | using util::curl_t; | ||
21 | using util::curl_pick_t; | ||
22 | |||
23 | class pcre_matches_t { | ||
24 | public: | ||
25 | int *_ov; | ||
26 | int _s; | ||
27 | |||
28 | pcre_matches_t() : _ov(0), _s(0) { } | ||
29 | pcre_matches_t(int s) : _ov(0), _s(s) { | ||
30 | if(_s&1) ++_s; | ||
31 | _s += _s>>1; | ||
32 | _ov = new int[_s]; | ||
33 | } | ||
34 | ~pcre_matches_t() throw() { if(_ov) delete[] _ov; } | ||
35 | |||
36 | int begin(int i) const { return _ov[i<<1]; } | ||
37 | int end(int i) const { return _ov[(i<<1)+1]; } | ||
38 | int length(int i) const { int t=i<<1; return _ov[t+1]-_ov[t]; } | ||
39 | }; | ||
40 | |||
41 | class pcre_t { | ||
42 | public: | ||
43 | pcre *_p; | ||
44 | |||
45 | pcre_t() : _p(0) { } | ||
46 | pcre_t(pcre *p) : _p(p) { } | ||
47 | pcre_t(const char *re,int opts) : _p(0) { | ||
48 | static const char *errptr; static int erroffset; | ||
49 | _p = pcre_compile(re,opts,&errptr,&erroffset,NULL); | ||
50 | if(!_p) | ||
51 | throw internal_error(OPKELE_CP_ string("Failed to compile regexp: ")+errptr); | ||
52 | } | ||
53 | ~pcre_t() throw() { if(_p) (*pcre_free)(_p); } | ||
54 | |||
55 | pcre_t& operator=(pcre *p) { if(_p) (*pcre_free)(_p); _p=p; return *this; } | ||
56 | |||
57 | operator const pcre*(void) const { return _p; } | ||
58 | operator pcre*(void) { return _p; } | ||
59 | |||
60 | int exec(const string& s,pcre_matches_t& m) { | ||
61 | if(!_p) | ||
62 | throw internal_error(OPKELE_CP_ "Trying to execute absent regexp"); | ||
63 | return pcre_exec(_p,NULL,s.c_str(),s.length(),0,0,m._ov,m._s); | ||
64 | } | ||
65 | }; | ||
66 | |||
67 | assoc_t consumer_t::associate(const string& server) { | ||
68 | util::dh_t dh = DH_new(); | ||
69 | if(!dh) | ||
70 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); | ||
71 | dh->p = util::dec_to_bignum(data::_default_p); | ||
72 | dh->g = util::dec_to_bignum(data::_default_g); | ||
73 | if(!DH_generate_key(dh)) | ||
74 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | ||
75 | string request = | ||
76 | "openid.mode=associate" | ||
77 | "&openid.assoc_type=HMAC-SHA1" | ||
78 | "&openid.session_type=DH-SHA1" | ||
79 | "&openid.dh_consumer_public="; | ||
80 | request += util::url_encode(util::bignum_to_base64(dh->pub_key)); | ||
81 | curl_pick_t curl = curl_pick_t::easy_init(); | ||
82 | if(!curl) | ||
83 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); | ||
84 | CURLcode r; | ||
85 | (r=curl.misc_sets()) | ||
86 | || (r=curl.easy_setopt(CURLOPT_URL,server.c_str())) | ||
87 | || (r=curl.easy_setopt(CURLOPT_POST,1)) | ||
88 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) | ||
89 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) | ||
90 | || (r=curl.set_write()) | ||
91 | ; | ||
92 | if(r) | ||
93 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | ||
94 | if( (r=curl.easy_perform()) ) | ||
95 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | ||
96 | params_t p; p.parse_keyvalues(curl.response); | ||
97 | if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1") | ||
98 | throw bad_input(OPKELE_CP_ "unsupported assoc_type"); | ||
99 | string st; | ||
100 | if(p.has_param("session_type")) st = p.get_param("session_type"); | ||
101 | if((!st.empty()) && st!="DH-SHA1") | ||
102 | throw bad_input(OPKELE_CP_ "unsupported session_type"); | ||
103 | secret_t secret; | ||
104 | if(st.empty()) { | ||
105 | secret.from_base64(p.get_param("mac_key")); | ||
106 | }else{ | ||
107 | util::bignum_t s_pub = util::base64_to_bignum(p.get_param("dh_server_public")); | ||
108 | vector<unsigned char> ck(DH_size(dh)+1); | ||
109 | unsigned char *ckptr = &(ck.front())+1; | ||
110 | int cklen = DH_compute_key(ckptr,s_pub,dh); | ||
111 | if(cklen<0) | ||
112 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | ||
113 | if(cklen && (*ckptr)&0x80) { | ||
114 | (*(--ckptr)) = 0; ++cklen; | ||
115 | } | ||
116 | unsigned char key_sha1[SHA_DIGEST_LENGTH]; | ||
117 | SHA1(ckptr,cklen,key_sha1); | ||
118 | secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); | ||
119 | } | ||
120 | int expires_in = 0; | ||
121 | if(p.has_param("expires_in")) { | ||
122 | expires_in = util::string_to_long(p.get_param("expires_in")); | ||
123 | }else if(p.has_param("issued") && p.has_param("expiry")) { | ||
124 | expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued")); | ||
125 | }else | ||
126 | throw bad_input(OPKELE_CP_ "no expiration information"); | ||
127 | return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); | ||
128 | } | ||
129 | |||
130 | string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | ||
131 | return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); | ||
132 | } | ||
133 | string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | ||
134 | return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); | ||
135 | } | ||
136 | string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | ||
137 | params_t p; | ||
138 | if(mode==mode_checkid_immediate) | ||
139 | p["mode"]="checkid_immediate"; | ||
140 | else if(mode==mode_checkid_setup) | ||
141 | p["mode"]="checkid_setup"; | ||
142 | else | ||
143 | throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); | ||
144 | string iurl = canonicalize(identity); | ||
145 | string server, delegate; | ||
146 | retrieve_links(iurl,server,delegate); | ||
147 | p["identity"] = delegate.empty()?iurl:delegate; | ||
148 | if(!trust_root.empty()) | ||
149 | p["trust_root"] = trust_root; | ||
150 | p["return_to"] = return_to; | ||
151 | try { | ||
152 | string ah = find_assoc(server)->handle(); | ||
153 | p["assoc_handle"] = ah; | ||
154 | }catch(failed_lookup& fl) { | ||
155 | string ah = associate(server)->handle(); | ||
156 | p["assoc_handle"] = ah; | ||
157 | } | ||
158 | if(ext) ext->checkid_hook(p); | ||
159 | return p.append_query(server); | ||
160 | } | ||
161 | |||
162 | void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { | ||
163 | if(pin.has_param("openid.user_setup_url")) | ||
164 | throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); | ||
165 | string server,delegate; | ||
166 | retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); | ||
167 | params_t ps; | ||
168 | try { | ||
169 | assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); | ||
170 | if(assoc->is_expired()) | ||
171 | throw id_res_expired_on_delivery(OPKELE_CP_ "retrieve_assoc() has returned expired handle"); | ||
172 | const string& sigenc = pin.get_param("openid.sig"); | ||
173 | vector<unsigned char> sig; | ||
174 | util::decode_base64(sigenc,sig); | ||
175 | const string& slist = pin.get_param("openid.signed"); | ||
176 | string kv; | ||
177 | string::size_type p = 0; | ||
178 | while(true) { | ||
179 | string::size_type co = slist.find(',',p); | ||
180 | string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); | ||
181 | kv += f; | ||
182 | kv += ':'; | ||
183 | f.insert(0,"openid."); | ||
184 | kv += pin.get_param(f); | ||
185 | kv += '\n'; | ||
186 | if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); | ||
187 | if(co==string::npos) | ||
188 | break; | ||
189 | p = co+1; | ||
190 | } | ||
191 | secret_t secret = assoc->secret(); | ||
192 | unsigned int md_len = 0; | ||
193 | unsigned char *md = HMAC( | ||
194 | EVP_sha1(), | ||
195 | &(secret.front()),secret.size(), | ||
196 | (const unsigned char *)kv.data(),kv.length(), | ||
197 | 0,&md_len); | ||
198 | if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) | ||
199 | throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); | ||
200 | }catch(failed_lookup& e) { | ||
201 | const string& slist = pin.get_param("openid.signed"); | ||
202 | string::size_type pp = 0; | ||
203 | params_t p; | ||
204 | while(true) { | ||
205 | string::size_type co = slist.find(',',pp); | ||
206 | string f = "openid."; | ||
207 | f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); | ||
208 | p[f] = pin.get_param(f); | ||
209 | if(co==string::npos) | ||
210 | break; | ||
211 | pp = co+1; | ||
212 | } | ||
213 | p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); | ||
214 | p["openid.sig"] = pin.get_param("openid.sig"); | ||
215 | p["openid.signed"] = pin.get_param("openid.signed"); | ||
216 | try { | ||
217 | string ih = pin.get_param("openid.invalidate_handle"); | ||
218 | p["openid.invalidate_handle"] = ih; | ||
219 | }catch(failed_lookup& fl) { } | ||
220 | try { | ||
221 | check_authentication(server,p); | ||
222 | }catch(failed_check_authentication& fca) { | ||
223 | throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); | ||
224 | } | ||
225 | } | ||
226 | if(ext) ext->id_res_hook(pin,ps); | ||
227 | } | ||
228 | |||
229 | void consumer_t::check_authentication(const string& server,const params_t& p) { | ||
230 | string request = "openid.mode=check_authentication"; | ||
231 | for(params_t::const_iterator i=p.begin();i!=p.end();++i) { | ||
232 | if(i->first!="openid.mode") { | ||
233 | request += '&'; | ||
234 | request += i->first; | ||
235 | request += '='; | ||
236 | request += util::url_encode(i->second); | ||
237 | } | ||
238 | } | ||
239 | curl_pick_t curl = curl_pick_t::easy_init(); | ||
240 | if(!curl) | ||
241 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); | ||
242 | CURLcode r; | ||
243 | (r=curl.misc_sets()) | ||
244 | || (r=curl.easy_setopt(CURLOPT_URL,server.c_str())) | ||
245 | || (r=curl.easy_setopt(CURLOPT_POST,1)) | ||
246 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) | ||
247 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) | ||
248 | || (r=curl.set_write()) | ||
249 | ; | ||
250 | if(r) | ||
251 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | ||
252 | if( (r=curl.easy_perform()) ) | ||
253 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | ||
254 | params_t pp; pp.parse_keyvalues(curl.response); | ||
255 | if(pp.has_param("invalidate_handle")) | ||
256 | invalidate_assoc(server,pp.get_param("invalidate_handle")); | ||
257 | if(pp.has_param("is_valid")) { | ||
258 | if(pp.get_param("is_valid")=="true") | ||
259 | return; | ||
260 | }else if(pp.has_param("lifetime")) { | ||
261 | if(util::string_to_long(pp.get_param("lifetime"))) | ||
262 | return; | ||
263 | } | ||
264 | throw failed_check_authentication(OPKELE_CP_ "failed to verify response"); | ||
265 | } | ||
266 | |||
267 | void consumer_t::retrieve_links(const string& url,string& server,string& delegate) { | ||
268 | server.erase(); | ||
269 | delegate.erase(); | ||
270 | curl_pick_t curl = curl_pick_t::easy_init(); | ||
271 | if(!curl) | ||
272 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); | ||
273 | string& html = curl.response; | ||
274 | CURLcode r; | ||
275 | (r=curl.misc_sets()) | ||
276 | || (r=curl.easy_setopt(CURLOPT_URL,url.c_str())) | ||
277 | || (r=curl.set_write()); | ||
278 | ; | ||
279 | if(r) | ||
280 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | ||
281 | r = curl.easy_perform(); | ||
282 | if(r && r!=CURLE_WRITE_ERROR) | ||
283 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | ||
284 | static const char *re_bre = "<\\s*body\\b", *re_hdre = "<\\s*head[^>]*>", | ||
285 | *re_lre = "<\\s*link\\b([^>]+)>", | ||
286 | *re_rre = "\\brel\\s*=\\s*['\"]([^'\"]+)['\"]", | ||
287 | *re_hre = "\\bhref\\s*=\\s*['\"]\\s*([^'\"\\s]+)\\s*['\"]"; | ||
288 | pcre_matches_t m1(3), m2(3); | ||
289 | pcre_t bre(re_bre,PCRE_CASELESS); | ||
290 | if(bre.exec(html,m1)>0) | ||
291 | html.erase(m1.begin(0)); | ||
292 | pcre_t hdre(re_hdre,PCRE_CASELESS); | ||
293 | if(hdre.exec(html,m1)<=0) | ||
294 | throw bad_input(OPKELE_CP_ "failed to find <head>"); | ||
295 | html.erase(0,m1.end(0)+1); | ||
296 | pcre_t lre(re_lre,PCRE_CASELESS), rre(re_rre,PCRE_CASELESS), hre(re_hre,PCRE_CASELESS); | ||
297 | bool gotit = false; | ||
298 | while( (!gotit) && lre.exec(html,m1)>=2 ) { | ||
299 | static const char *whitespace = " \t"; | ||
300 | string attrs(html,m1.begin(1),m1.length(1)); | ||
301 | html.erase(0,m1.end(0)+1); | ||
302 | if(!( rre.exec(attrs,m1)>=2 && hre.exec(attrs,m2)>=2 )) | ||
303 | continue; | ||
304 | string rels(attrs,m1.begin(1),m1.length(1)); | ||
305 | for(string::size_type ns = rels.find_first_not_of(whitespace); | ||
306 | ns!=string::npos; | ||
307 | ns=rels.find_first_not_of(whitespace,ns)) { | ||
308 | string::size_type s = rels.find_first_of(whitespace,ns); | ||
309 | string rel; | ||
310 | if(s==string::npos) { | ||
311 | rel.assign(rels,ns,string::npos); | ||
312 | ns=string::npos; | ||
313 | }else{ | ||
314 | rel.assign(rels,ns,s-ns); | ||
315 | ns=s; | ||
316 | } | ||
317 | if(rel=="openid.server") { | ||
318 | server.assign(attrs,m2.begin(1),m2.length(1)); | ||
319 | if(!delegate.empty()) { | ||
320 | gotit = true; | ||
321 | break; | ||
322 | } | ||
323 | }else if(rel=="openid.delegate") { | ||
324 | delegate.assign(attrs,m2.begin(1),m2.length(1)); | ||
325 | if(!server.empty()) { | ||
326 | gotit = true; | ||
327 | break; | ||
328 | } | ||
329 | } | ||
330 | } | ||
331 | } | ||
332 | if(server.empty()) | ||
333 | throw failed_assertion(OPKELE_CP_ "The location has no openid.server declaration"); | ||
334 | } | ||
335 | |||
336 | assoc_t consumer_t::find_assoc(const string& /* server */) { | ||
337 | throw failed_lookup(OPKELE_CP_ "no find_assoc() provided"); | ||
338 | } | ||
339 | |||
340 | string consumer_t::normalize(const string& url) { | ||
341 | string rv = url; | ||
342 | // strip leading and trailing spaces | ||
343 | string::size_type i = rv.find_first_not_of(" \t\r\n"); | ||
344 | if(i==string::npos) | ||
345 | throw bad_input(OPKELE_CP_ "empty URL"); | ||
346 | if(i) | ||
347 | rv.erase(0,i); | ||
348 | i = rv.find_last_not_of(" \t\r\n"); | ||
349 | assert(i!=string::npos); | ||
350 | if(i<(rv.length()-1)) | ||
351 | rv.erase(i+1); | ||
352 | // add missing http:// | ||
353 | i = rv.find("://"); | ||
354 | if(i==string::npos) { // primitive. but do we need more? | ||
355 | rv.insert(0,"http://"); | ||
356 | i = sizeof("http://")-1; | ||
357 | }else{ | ||
358 | i += sizeof("://")-1; | ||
359 | } | ||
360 | string::size_type qm = rv.find('?',i); | ||
361 | string::size_type sl = rv.find('/',i); | ||
362 | if(qm!=string::npos) { | ||
363 | if(sl==string::npos || sl>qm) | ||
364 | rv.insert(qm,1,'/'); | ||
365 | }else{ | ||
366 | if(sl==string::npos) | ||
367 | rv += '/'; | ||
368 | } | ||
369 | return rv; | ||
370 | } | ||
371 | |||
372 | string consumer_t::canonicalize(const string& url) { | ||
373 | string rv = normalize(url); | ||
374 | curl_t curl = curl_t::easy_init(); | ||
375 | if(!curl) | ||
376 | throw exception_curl(OPKELE_CP_ "failed to initialize curl()"); | ||
377 | string html; | ||
378 | CURLcode r; | ||
379 | (r=curl.misc_sets()) | ||
380 | || (r=curl.easy_setopt(CURLOPT_URL,rv.c_str())) | ||
381 | || (r=curl.easy_setopt(CURLOPT_NOBODY,1)) | ||
382 | ; | ||
383 | if(r) | ||
384 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | ||
385 | r = curl.easy_perform(); | ||
386 | if(r) | ||
387 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | ||
388 | const char *eu = 0; | ||
389 | r = curl.easy_getinfo(CURLINFO_EFFECTIVE_URL,&eu); | ||
390 | if(r) | ||
391 | throw exception_curl(OPKELE_CP_ "failed to get CURLINFO_EFFECTIVE_URL",r); | ||
392 | rv = eu; | ||
393 | return normalize(rv); | ||
394 | } | ||
395 | |||
396 | } | ||