summaryrefslogtreecommitdiffabout
path: root/lib
Unidiff
Diffstat (limited to 'lib') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/consumer.cc1
1 files changed, 0 insertions, 1 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc
index 62bec71..66db7dd 100644
--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -155,260 +155,259 @@ namespace opkele {
155 if(mode==mode_checkid_immediate) 155 if(mode==mode_checkid_immediate)
156 p["mode"]="checkid_immediate"; 156 p["mode"]="checkid_immediate";
157 else if(mode==mode_checkid_setup) 157 else if(mode==mode_checkid_setup)
158 p["mode"]="checkid_setup"; 158 p["mode"]="checkid_setup";
159 else 159 else
160 throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); 160 throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
161 string iurl = canonicalize(identity); 161 string iurl = canonicalize(identity);
162 string server, delegate; 162 string server, delegate;
163 retrieve_links(iurl,server,delegate); 163 retrieve_links(iurl,server,delegate);
164 p["identity"] = delegate.empty()?iurl:delegate; 164 p["identity"] = delegate.empty()?iurl:delegate;
165 if(!trust_root.empty()) 165 if(!trust_root.empty())
166 p["trust_root"] = trust_root; 166 p["trust_root"] = trust_root;
167 p["return_to"] = return_to; 167 p["return_to"] = return_to;
168 try { 168 try {
169 string ah = find_assoc(server)->handle(); 169 string ah = find_assoc(server)->handle();
170 p["assoc_handle"] = ah; 170 p["assoc_handle"] = ah;
171 }catch(failed_lookup& fl) { 171 }catch(failed_lookup& fl) {
172 string ah = associate(server)->handle(); 172 string ah = associate(server)->handle();
173 p["assoc_handle"] = ah; 173 p["assoc_handle"] = ah;
174 } 174 }
175 if(ext) ext->checkid_hook(p,identity); 175 if(ext) ext->checkid_hook(p,identity);
176 return p.append_query(server); 176 return p.append_query(server);
177 } 177 }
178 178
179 void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { 179 void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) {
180 if(pin.has_param("openid.user_setup_url")) 180 if(pin.has_param("openid.user_setup_url"))
181 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); 181 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));
182 string server,delegate; 182 string server,delegate;
183 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); 183 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);
184 params_t ps; 184 params_t ps;
185 try { 185 try {
186 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); 186 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));
187 if(assoc->is_expired()) /* TODO: or should I throw some other exception to force programmer fix his implementation? */ 187 if(assoc->is_expired()) /* TODO: or should I throw some other exception to force programmer fix his implementation? */
188 throw failed_lookup(OPKELE_CP_ "retrieve_assoc() has returned expired handle"); 188 throw failed_lookup(OPKELE_CP_ "retrieve_assoc() has returned expired handle");
189 const string& sigenc = pin.get_param("openid.sig"); 189 const string& sigenc = pin.get_param("openid.sig");
190 vector<unsigned char> sig; 190 vector<unsigned char> sig;
191 util::decode_base64(sigenc,sig); 191 util::decode_base64(sigenc,sig);
192 const string& slist = pin.get_param("openid.signed"); 192 const string& slist = pin.get_param("openid.signed");
193 string kv; 193 string kv;
194 string::size_type p = 0; 194 string::size_type p = 0;
195 while(true) { 195 while(true) {
196 string::size_type co = slist.find(',',p); 196 string::size_type co = slist.find(',',p);
197 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 197 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
198 kv += f; 198 kv += f;
199 kv += ':'; 199 kv += ':';
200 f.insert(0,"openid."); 200 f.insert(0,"openid.");
201 kv += pin.get_param(f); 201 kv += pin.get_param(f);
202 kv += '\n'; 202 kv += '\n';
203 if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); 203 if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f);
204 if(co==string::npos) 204 if(co==string::npos)
205 break; 205 break;
206 p = co+1; 206 p = co+1;
207 } 207 }
208 secret_t secret = assoc->secret(); 208 secret_t secret = assoc->secret();
209 unsigned int md_len = 0; 209 unsigned int md_len = 0;
210 unsigned char *md = HMAC( 210 unsigned char *md = HMAC(
211 EVP_sha1(), 211 EVP_sha1(),
212 &(secret.front()),secret.size(), 212 &(secret.front()),secret.size(),
213 (const unsigned char *)kv.data(),kv.length(), 213 (const unsigned char *)kv.data(),kv.length(),
214 0,&md_len); 214 0,&md_len);
215 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) 215 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len))
216 throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); 216 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
217 }catch(failed_lookup& e) { /* XXX: more specific? */ 217 }catch(failed_lookup& e) { /* XXX: more specific? */
218 const string& slist = pin.get_param("openid.signed"); 218 const string& slist = pin.get_param("openid.signed");
219 string::size_type pp = 0; 219 string::size_type pp = 0;
220 params_t p; 220 params_t p;
221 while(true) { 221 while(true) {
222 string::size_type co = slist.find(',',pp); 222 string::size_type co = slist.find(',',pp);
223 string f = "openid."; 223 string f = "openid.";
224 f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); 224 f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp);
225 p[f] = pin.get_param(f); 225 p[f] = pin.get_param(f);
226 if(co==string::npos) 226 if(co==string::npos)
227 break; 227 break;
228 pp = co+1; 228 pp = co+1;
229 } 229 }
230 p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); 230 p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle");
231 p["openid.sig"] = pin.get_param("openid.sig"); 231 p["openid.sig"] = pin.get_param("openid.sig");
232 p["openid.signed"] = pin.get_param("openid.signed"); 232 p["openid.signed"] = pin.get_param("openid.signed");
233 try { 233 try {
234 string ih = pin.get_param("openid.invalidate_handle"); 234 string ih = pin.get_param("openid.invalidate_handle");
235 p["openid.invalidate_handle"] = ih; 235 p["openid.invalidate_handle"] = ih;
236 }catch(failed_lookup& fl) { } 236 }catch(failed_lookup& fl) { }
237 try { 237 try {
238 check_authentication(server,p); 238 check_authentication(server,p);
239 }catch(failed_check_authentication& fca) { 239 }catch(failed_check_authentication& fca) {
240 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); 240 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
241 } 241 }
242 } 242 }
243 if(ext) ext->id_res_hook(pin,ps,identity); 243 if(ext) ext->id_res_hook(pin,ps,identity);
244 } 244 }
245 245
246 void consumer_t::check_authentication(const string& server,const params_t& p) { 246 void consumer_t::check_authentication(const string& server,const params_t& p) {
247 string request = "openid.mode=check_authentication"; 247 string request = "openid.mode=check_authentication";
248 for(params_t::const_iterator i=p.begin();i!=p.end();++i) { 248 for(params_t::const_iterator i=p.begin();i!=p.end();++i) {
249 if(i->first!="openid.mode") { 249 if(i->first!="openid.mode") {
250 request += '&'; 250 request += '&';
251 request += i->first; 251 request += i->first;
252 request += '='; 252 request += '=';
253 request += util::url_encode(i->second); 253 request += util::url_encode(i->second);
254 } 254 }
255 } 255 }
256 curl_pick_t curl = curl_pick_t::easy_init(); 256 curl_pick_t curl = curl_pick_t::easy_init();
257 if(!curl) 257 if(!curl)
258 throw exception_curl(OPKELE_CP_ "failed to initialize curl"); 258 throw exception_curl(OPKELE_CP_ "failed to initialize curl");
259 CURLcode r; 259 CURLcode r;
260 (r=curl.misc_sets()) 260 (r=curl.misc_sets())
261 || (r=curl.easy_setopt(CURLOPT_URL,server.c_str())) 261 || (r=curl.easy_setopt(CURLOPT_URL,server.c_str()))
262 || (r=curl.easy_setopt(CURLOPT_POST,1)) 262 || (r=curl.easy_setopt(CURLOPT_POST,1))
263 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) 263 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
264 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) 264 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
265 || (r=curl.set_write()) 265 || (r=curl.set_write())
266 ; 266 ;
267 if(r) 267 if(r)
268 throw exception_curl(OPKELE_CP_ "failed to set curly options",r); 268 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
269 if( (r=curl.easy_perform()) ) 269 if( (r=curl.easy_perform()) )
270 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); 270 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
271 params_t pp; pp.parse_keyvalues(curl.response); 271 params_t pp; pp.parse_keyvalues(curl.response);
272 if(pp.has_param("invalidate_handle")) 272 if(pp.has_param("invalidate_handle"))
273 invalidate_assoc(server,pp.get_param("invalidate_handle")); 273 invalidate_assoc(server,pp.get_param("invalidate_handle"));
274 if(pp.has_param("is_valid")) { 274 if(pp.has_param("is_valid")) {
275 if(pp.get_param("is_valid")=="true") 275 if(pp.get_param("is_valid")=="true")
276 return; 276 return;
277 }else if(pp.has_param("lifetime")) { 277 }else if(pp.has_param("lifetime")) {
278 if(util::string_to_long(pp.get_param("lifetime"))) 278 if(util::string_to_long(pp.get_param("lifetime")))
279 return; 279 return;
280 } 280 }
281 throw failed_check_authentication(OPKELE_CP_ "failed to verify response"); 281 throw failed_check_authentication(OPKELE_CP_ "failed to verify response");
282 } 282 }
283 283
284 void consumer_t::retrieve_links(const string& url,string& server,string& delegate) { 284 void consumer_t::retrieve_links(const string& url,string& server,string& delegate) {
285 server.erase(); 285 server.erase();
286 delegate.erase(); 286 delegate.erase();
287 curl_pick_t curl = curl_pick_t::easy_init(); 287 curl_pick_t curl = curl_pick_t::easy_init();
288 if(!curl) 288 if(!curl)
289 throw exception_curl(OPKELE_CP_ "failed to initialize curl"); 289 throw exception_curl(OPKELE_CP_ "failed to initialize curl");
290 string& html = curl.response; 290 string& html = curl.response;
291 CURLcode r; 291 CURLcode r;
292 (r=curl.misc_sets()) 292 (r=curl.misc_sets())
293 || (r=curl.easy_setopt(CURLOPT_URL,url.c_str())) 293 || (r=curl.easy_setopt(CURLOPT_URL,url.c_str()))
294 || (r=curl.set_write()); 294 || (r=curl.set_write());
295 ; 295 ;
296 if(r) 296 if(r)
297 throw exception_curl(OPKELE_CP_ "failed to set curly options",r); 297 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
298 r = curl.easy_perform(); 298 r = curl.easy_perform();
299 if(r && r!=CURLE_WRITE_ERROR) 299 if(r && r!=CURLE_WRITE_ERROR)
300 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); 300 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
301 static const char *re_bre = "<\\s*body\\b", *re_hdre = "<\\s*head[^>]*>", 301 static const char *re_bre = "<\\s*body\\b", *re_hdre = "<\\s*head[^>]*>",
302 *re_lre = "<\\s*link\\b([^>]+)>", 302 *re_lre = "<\\s*link\\b([^>]+)>",
303 *re_rre = "\\brel\\s*=\\s*['\"]([^'\"]+)['\"]", 303 *re_rre = "\\brel\\s*=\\s*['\"]([^'\"]+)['\"]",
304 *re_hre = "\\bhref\\s*=\\s*['\"]\\s*([^'\"\\s]+)\\s*['\"]"; 304 *re_hre = "\\bhref\\s*=\\s*['\"]\\s*([^'\"\\s]+)\\s*['\"]";
305 pcre_matches_t m1(3), m2(3); 305 pcre_matches_t m1(3), m2(3);
306 pcre_t bre(re_bre,PCRE_CASELESS); 306 pcre_t bre(re_bre,PCRE_CASELESS);
307 if(bre.exec(html,m1)>0) 307 if(bre.exec(html,m1)>0)
308 html.erase(m1.begin(0)); 308 html.erase(m1.begin(0));
309 pcre_t hdre(re_hdre,PCRE_CASELESS); 309 pcre_t hdre(re_hdre,PCRE_CASELESS);
310 if(hdre.exec(html,m1)<=0) 310 if(hdre.exec(html,m1)<=0)
311 throw bad_input(OPKELE_CP_ "failed to find <head>"); 311 throw bad_input(OPKELE_CP_ "failed to find <head>");
312 html.erase(0,m1.end(0)+1); 312 html.erase(0,m1.end(0)+1);
313 pcre_t lre(re_lre,PCRE_CASELESS), rre(re_rre,PCRE_CASELESS), hre(re_hre,PCRE_CASELESS); 313 pcre_t lre(re_lre,PCRE_CASELESS), rre(re_rre,PCRE_CASELESS), hre(re_hre,PCRE_CASELESS);
314 bool gotit = false; 314 bool gotit = false;
315 while( (!gotit) && lre.exec(html,m1)>=2 ) { 315 while( (!gotit) && lre.exec(html,m1)>=2 ) {
316 static const char *whitespace = " \t"; 316 static const char *whitespace = " \t";
317 string attrs(html,m1.begin(1),m1.length(1)); 317 string attrs(html,m1.begin(1),m1.length(1));
318 html.erase(0,m1.end(0)+1); 318 html.erase(0,m1.end(0)+1);
319 if(!( rre.exec(attrs,m1)>=2 && hre.exec(attrs,m2)>=2 )) 319 if(!( rre.exec(attrs,m1)>=2 && hre.exec(attrs,m2)>=2 ))
320 continue; 320 continue;
321 string rels(attrs,m1.begin(1),m1.length(1)); 321 string rels(attrs,m1.begin(1),m1.length(1));
322 for(string::size_type ns = rels.find_first_not_of(whitespace); 322 for(string::size_type ns = rels.find_first_not_of(whitespace);
323 ns!=string::npos; 323 ns!=string::npos;
324 ns=rels.find_first_not_of(whitespace,ns)) { 324 ns=rels.find_first_not_of(whitespace,ns)) {
325 string::size_type s = rels.find_first_of(whitespace,ns); 325 string::size_type s = rels.find_first_of(whitespace,ns);
326 string rel; 326 string rel;
327 if(s==string::npos) { 327 if(s==string::npos) {
328 rel.assign(rels,ns,string::npos); 328 rel.assign(rels,ns,string::npos);
329 ns=string::npos; 329 ns=string::npos;
330 }else{ 330 }else{
331 rel.assign(rels,ns,s-ns); 331 rel.assign(rels,ns,s-ns);
332 ns=s; 332 ns=s;
333 } 333 }
334 if(rel=="openid.server") { 334 if(rel=="openid.server") {
335 server.assign(attrs,m2.begin(1),m2.length(1)); 335 server.assign(attrs,m2.begin(1),m2.length(1));
336 if(!delegate.empty()) { 336 if(!delegate.empty()) {
337 gotit = true; 337 gotit = true;
338 break; 338 break;
339 } 339 }
340 }else if(rel=="openid.delegate") { 340 }else if(rel=="openid.delegate") {
341 delegate.assign(attrs,m2.begin(1),m2.length(1)); 341 delegate.assign(attrs,m2.begin(1),m2.length(1));
342 if(!server.empty()) { 342 if(!server.empty()) {
343 gotit = true; 343 gotit = true;
344 break; 344 break;
345 } 345 }
346 } 346 }
347 if(ns==string::npos) break;
348 } 347 }
349 } 348 }
350 if(server.empty()) 349 if(server.empty())
351 throw failed_assertion(OPKELE_CP_ "The location has no openid.server declaration"); 350 throw failed_assertion(OPKELE_CP_ "The location has no openid.server declaration");
352 } 351 }
353 352
354 assoc_t consumer_t::find_assoc(const string& /* server */) { 353 assoc_t consumer_t::find_assoc(const string& /* server */) {
355 throw failed_lookup(OPKELE_CP_ "no find_assoc() provided"); 354 throw failed_lookup(OPKELE_CP_ "no find_assoc() provided");
356 } 355 }
357 356
358 string consumer_t::normalize(const string& url) { 357 string consumer_t::normalize(const string& url) {
359 string rv = url; 358 string rv = url;
360 // strip leading and trailing spaces 359 // strip leading and trailing spaces
361 string::size_type i = rv.find_first_not_of(" \t\r\n"); 360 string::size_type i = rv.find_first_not_of(" \t\r\n");
362 if(i==string::npos) 361 if(i==string::npos)
363 throw bad_input(OPKELE_CP_ "empty URL"); 362 throw bad_input(OPKELE_CP_ "empty URL");
364 if(i) 363 if(i)
365 rv.erase(0,i); 364 rv.erase(0,i);
366 i = rv.find_last_not_of(" \t\r\n"); 365 i = rv.find_last_not_of(" \t\r\n");
367 assert(i!=string::npos); 366 assert(i!=string::npos);
368 if(i<(rv.length()-1)) 367 if(i<(rv.length()-1))
369 rv.erase(i+1); 368 rv.erase(i+1);
370 // add missing http:// 369 // add missing http://
371 i = rv.find("://"); 370 i = rv.find("://");
372 if(i==string::npos) { // primitive. but do we need more? 371 if(i==string::npos) { // primitive. but do we need more?
373 rv.insert(0,"http://"); 372 rv.insert(0,"http://");
374 i = sizeof("http://")-1; 373 i = sizeof("http://")-1;
375 }else{ 374 }else{
376 i += sizeof("://")-1; 375 i += sizeof("://")-1;
377 } 376 }
378 string::size_type qm = rv.find('?',i); 377 string::size_type qm = rv.find('?',i);
379 string::size_type sl = rv.find('/',i); 378 string::size_type sl = rv.find('/',i);
380 if(qm!=string::npos) { 379 if(qm!=string::npos) {
381 if(sl==string::npos || sl>qm) 380 if(sl==string::npos || sl>qm)
382 rv.insert(qm,1,'/'); 381 rv.insert(qm,1,'/');
383 }else{ 382 }else{
384 if(sl==string::npos) 383 if(sl==string::npos)
385 rv += '/'; 384 rv += '/';
386 } 385 }
387 return rv; 386 return rv;
388 } 387 }
389 388
390 string consumer_t::canonicalize(const string& url) { 389 string consumer_t::canonicalize(const string& url) {
391 string rv = normalize(url); 390 string rv = normalize(url);
392 curl_t curl = curl_t::easy_init(); 391 curl_t curl = curl_t::easy_init();
393 if(!curl) 392 if(!curl)
394 throw exception_curl(OPKELE_CP_ "failed to initialize curl()"); 393 throw exception_curl(OPKELE_CP_ "failed to initialize curl()");
395 string html; 394 string html;
396 CURLcode r; 395 CURLcode r;
397 (r=curl.misc_sets()) 396 (r=curl.misc_sets())
398 || (r=curl.easy_setopt(CURLOPT_URL,rv.c_str())) 397 || (r=curl.easy_setopt(CURLOPT_URL,rv.c_str()))
399 || (r=curl.easy_setopt(CURLOPT_NOBODY,1)) 398 || (r=curl.easy_setopt(CURLOPT_NOBODY,1))
400 ; 399 ;
401 if(r) 400 if(r)
402 throw exception_curl(OPKELE_CP_ "failed to set curly options",r); 401 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
403 r = curl.easy_perform(); 402 r = curl.easy_perform();
404 if(r) 403 if(r)
405 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); 404 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
406 const char *eu = 0; 405 const char *eu = 0;
407 r = curl.easy_getinfo(CURLINFO_EFFECTIVE_URL,&eu); 406 r = curl.easy_getinfo(CURLINFO_EFFECTIVE_URL,&eu);
408 if(r) 407 if(r)
409 throw exception_curl(OPKELE_CP_ "failed to get CURLINFO_EFFECTIVE_URL",r); 408 throw exception_curl(OPKELE_CP_ "failed to get CURLINFO_EFFECTIVE_URL",r);
410 rv = eu; 409 rv = eu;
411 return normalize(rv); 410 return normalize(rv);
412 } 411 }
413 412
414} 413}