openid.inc

  1. 7.x drupal-7.x/modules/openid/openid.inc
  2. 6.x drupal-6.x/modules/openid/openid.inc

OpenID utility functions.

File

drupal-6.x/modules/openid/openid.inc
View source
  1. <?php
  2. /**
  3. * @file
  4. * OpenID utility functions.
  5. */
  6. // Diffie-Hellman Key Exchange Default Value.
  7. define('OPENID_DH_DEFAULT_MOD', '155172898181473697471232257763715539915724801'.
  8. '966915404479707795314057629378541917580651227423698188993727816152646631'.
  9. '438561595825688188889951272158842675419950341258706556549803580104870537'.
  10. '681476726513255747040765857479291291572334510643245094715007229621094194'.
  11. '349783925984760375594985848253359305585439638443');
  12. // Constants for Diffie-Hellman key exchange computations.
  13. define('OPENID_DH_DEFAULT_GEN', '2');
  14. define('OPENID_SHA1_BLOCKSIZE', 64);
  15. define('OPENID_RAND_SOURCE', '/dev/urandom');
  16. // OpenID namespace URLs
  17. define('OPENID_NS_2_0', 'http://specs.openid.net/auth/2.0');
  18. define('OPENID_NS_1_1', 'http://openid.net/signon/1.1');
  19. define('OPENID_NS_1_0', 'http://openid.net/signon/1.0');
  20. /**
  21. * Performs an HTTP 302 redirect (for the 1.x protocol).
  22. */
  23. function openid_redirect_http($url, $message) {
  24. $query = array();
  25. foreach ($message as $key => $val) {
  26. $query[] = $key .'='. urlencode($val);
  27. }
  28. $sep = (strpos($url, '?') === FALSE) ? '?' : '&';
  29. header('Location: '. $url . $sep . implode('&', $query), TRUE, 302);
  30. exit;
  31. }
  32. /**
  33. * Creates a js auto-submit redirect for (for the 2.x protocol)
  34. */
  35. function openid_redirect($url, $message) {
  36. $output = '<html><head><title>'. t('OpenID redirect') ."</title></head>\n<body>";
  37. $output .= drupal_get_form('openid_redirect_form', $url, $message);
  38. $output .= '<script type="text/javascript">document.getElementById("openid-redirect-form").submit();</script>';
  39. $output .= "</body></html>\n";
  40. print $output;
  41. exit;
  42. }
  43. function openid_redirect_form(&$form_state, $url, $message) {
  44. $form = array();
  45. $form['#action'] = $url;
  46. $form['#method'] = "post";
  47. foreach ($message as $key => $value) {
  48. $form[$key] = array(
  49. '#type' => 'hidden',
  50. '#name' => $key,
  51. '#value' => $value,
  52. );
  53. }
  54. $form['submit'] = array(
  55. '#type' => 'submit',
  56. '#prefix' => '<noscript>',
  57. '#suffix' => '</noscript>',
  58. '#value' => t('Send'),
  59. );
  60. return $form;
  61. }
  62. /**
  63. * Determine if the given identifier is an XRI ID.
  64. */
  65. function _openid_is_xri($identifier) {
  66. // Strip the xri:// scheme from the identifier if present.
  67. if (strpos(strtolower($identifier), 'xri://') !== FALSE) {
  68. $identifier = substr($identifier, 6);
  69. }
  70. // Test whether the identifier starts with an XRI global context symbol or (.
  71. $firstchar = substr($identifier, 0, 1);
  72. if (strpos("=@+$!(", $firstchar) !== FALSE) {
  73. return TRUE;
  74. }
  75. return FALSE;
  76. }
  77. /**
  78. * Normalize the given identifier as per spec.
  79. */
  80. function _openid_normalize($identifier) {
  81. if (_openid_is_xri($identifier)) {
  82. return _openid_normalize_xri($identifier);
  83. }
  84. else {
  85. return _openid_normalize_url($identifier);
  86. }
  87. }
  88. function _openid_normalize_xri($xri) {
  89. $normalized_xri = $xri;
  90. if (stristr($xri, 'xri://') !== FALSE) {
  91. $normalized_xri = substr($xri, 6);
  92. }
  93. return $normalized_xri;
  94. }
  95. function _openid_normalize_url($url) {
  96. $normalized_url = $url;
  97. if (stristr($url, '://') === FALSE) {
  98. $normalized_url = 'http://'. $url;
  99. }
  100. // Strip the fragment and fragment delimiter if present.
  101. $normalized_url = strtok($normalized_url, '#');
  102. if (substr_count($normalized_url, '/') < 3) {
  103. $normalized_url .= '/';
  104. }
  105. return $normalized_url;
  106. }
  107. /**
  108. * Create a serialized message packet as per spec: $key:$value\n .
  109. */
  110. function _openid_create_message($data) {
  111. $serialized = '';
  112. foreach ($data as $key => $value) {
  113. if ((strpos($key, ':') !== FALSE) || (strpos($key, "\n") !== FALSE) || (strpos($value, "\n") !== FALSE)) {
  114. return null;
  115. }
  116. $serialized .= "$key:$value\n";
  117. }
  118. return $serialized;
  119. }
  120. /**
  121. * Encode a message from _openid_create_message for HTTP Post
  122. */
  123. function _openid_encode_message($message) {
  124. $encoded_message = '';
  125. $items = explode("\n", $message);
  126. foreach ($items as $item) {
  127. $parts = explode(':', $item, 2);
  128. if (count($parts) == 2) {
  129. if ($encoded_message != '') {
  130. $encoded_message .= '&';
  131. }
  132. $encoded_message .= rawurlencode(trim($parts[0])) .'='. rawurlencode(trim($parts[1]));
  133. }
  134. }
  135. return $encoded_message;
  136. }
  137. /**
  138. * Convert a direct communication message
  139. * into an associative array.
  140. */
  141. function _openid_parse_message($message) {
  142. $parsed_message = array();
  143. $items = explode("\n", $message);
  144. foreach ($items as $item) {
  145. $parts = explode(':', $item, 2);
  146. if (count($parts) == 2) {
  147. $parsed_message[$parts[0]] = $parts[1];
  148. }
  149. }
  150. return $parsed_message;
  151. }
  152. /**
  153. * Return a nonce value - formatted per OpenID spec.
  154. */
  155. function _openid_nonce() {
  156. // YYYY-MM-DDThh:mm:ssTZD UTC, plus some optional extra unique chars
  157. return gmstrftime('%Y-%m-%dT%H:%M:%S%Z') .
  158. chr(mt_rand(0, 25) + 65) .
  159. chr(mt_rand(0, 25) + 65) .
  160. chr(mt_rand(0, 25) + 65) .
  161. chr(mt_rand(0, 25) + 65);
  162. }
  163. /**
  164. * Pull the href attribute out of an html link element.
  165. */
  166. function _openid_link_href($rel, $html) {
  167. $rel = preg_quote($rel);
  168. preg_match('|<link\s+rel=["\'](.*)'. $rel .'(.*)["\'](.*)/?>|iUs', $html, $matches);
  169. if (isset($matches[3])) {
  170. preg_match('|href=["\']([^"]+)["\']|iU', $matches[3], $href);
  171. return trim($href[1]);
  172. }
  173. return FALSE;
  174. }
  175. /**
  176. * Pull the http-equiv attribute out of an html meta element
  177. */
  178. function _openid_meta_httpequiv($equiv, $html) {
  179. preg_match('|<meta\s+http-equiv=["\']'. $equiv .'["\'](.*)/?>|iUs', $html, $matches);
  180. if (isset($matches[1])) {
  181. preg_match('|content=["\']([^"]+)["\']|iUs', $matches[1], $content);
  182. if (isset($content[1])) {
  183. return $content[1];
  184. }
  185. }
  186. return FALSE;
  187. }
  188. /**
  189. * Sign certain keys in a message
  190. * @param $association - object loaded from openid_association or openid_server_association table
  191. * - important fields are ->assoc_type and ->mac_key
  192. * @param $message_array - array of entire message about to be sent
  193. * @param $keys_to_sign - keys in the message to include in signature (without
  194. * 'openid.' appended)
  195. */
  196. function _openid_signature($association, $message_array, $keys_to_sign) {
  197. $signature = '';
  198. $sign_data = array();
  199. foreach ($keys_to_sign as $key) {
  200. if (isset($message_array['openid.'. $key])) {
  201. $sign_data[$key] = $message_array['openid.'. $key];
  202. }
  203. }
  204. $message = _openid_create_message($sign_data);
  205. $secret = base64_decode($association->mac_key);
  206. $signature = _openid_hmac($secret, $message);
  207. return base64_encode($signature);
  208. }
  209. function _openid_hmac($key, $text) {
  210. if (strlen($key) > OPENID_SHA1_BLOCKSIZE) {
  211. $key = _openid_sha1($key, true);
  212. }
  213. $key = str_pad($key, OPENID_SHA1_BLOCKSIZE, chr(0x00));
  214. $ipad = str_repeat(chr(0x36), OPENID_SHA1_BLOCKSIZE);
  215. $opad = str_repeat(chr(0x5c), OPENID_SHA1_BLOCKSIZE);
  216. $hash1 = _openid_sha1(($key ^ $ipad) . $text, true);
  217. $hmac = _openid_sha1(($key ^ $opad) . $hash1, true);
  218. return $hmac;
  219. }
  220. function _openid_sha1($text) {
  221. $hex = sha1($text);
  222. $raw = '';
  223. for ($i = 0; $i < 40; $i += 2) {
  224. $hexcode = substr($hex, $i, 2);
  225. $charcode = (int)base_convert($hexcode, 16, 10);
  226. $raw .= chr($charcode);
  227. }
  228. return $raw;
  229. }
  230. function _openid_dh_base64_to_long($str) {
  231. $b64 = base64_decode($str);
  232. return _openid_dh_binary_to_long($b64);
  233. }
  234. function _openid_dh_long_to_base64($str) {
  235. return base64_encode(_openid_dh_long_to_binary($str));
  236. }
  237. function _openid_dh_binary_to_long($str) {
  238. $bytes = array_merge(unpack('C*', $str));
  239. $n = 0;
  240. foreach ($bytes as $byte) {
  241. $n = bcmul($n, pow(2, 8));
  242. $n = bcadd($n, $byte);
  243. }
  244. return $n;
  245. }
  246. function _openid_dh_long_to_binary($long) {
  247. $cmp = bccomp($long, 0);
  248. if ($cmp < 0) {
  249. return FALSE;
  250. }
  251. if ($cmp == 0) {
  252. return "\x00";
  253. }
  254. $bytes = array();
  255. while (bccomp($long, 0) > 0) {
  256. array_unshift($bytes, bcmod($long, 256));
  257. $long = bcdiv($long, pow(2, 8));
  258. }
  259. if ($bytes && ($bytes[0] > 127)) {
  260. array_unshift($bytes, 0);
  261. }
  262. $string = '';
  263. foreach ($bytes as $byte) {
  264. $string .= pack('C', $byte);
  265. }
  266. return $string;
  267. }
  268. function _openid_dh_xorsecret($shared, $secret) {
  269. $dh_shared_str = _openid_dh_long_to_binary($shared);
  270. $sha1_dh_shared = _openid_sha1($dh_shared_str);
  271. $xsecret = "";
  272. for ($i = 0; $i < strlen($secret); $i++) {
  273. $xsecret .= chr(ord($secret[$i]) ^ ord($sha1_dh_shared[$i]));
  274. }
  275. return $xsecret;
  276. }
  277. function _openid_dh_rand($stop) {
  278. static $duplicate_cache = array();
  279. // Used as the key for the duplicate cache
  280. $rbytes = _openid_dh_long_to_binary($stop);
  281. if (array_key_exists($rbytes, $duplicate_cache)) {
  282. list($duplicate, $nbytes) = $duplicate_cache[$rbytes];
  283. }
  284. else {
  285. if ($rbytes[0] == "\x00") {
  286. $nbytes = strlen($rbytes) - 1;
  287. }
  288. else {
  289. $nbytes = strlen($rbytes);
  290. }
  291. $mxrand = bcpow(256, $nbytes);
  292. // If we get a number less than this, then it is in the
  293. // duplicated range.
  294. $duplicate = bcmod($mxrand, $stop);
  295. if (count($duplicate_cache) > 10) {
  296. $duplicate_cache = array();
  297. }
  298. $duplicate_cache[$rbytes] = array($duplicate, $nbytes);
  299. }
  300. do {
  301. $bytes = "\x00". drupal_random_bytes($nbytes);
  302. $n = _openid_dh_binary_to_long($bytes);
  303. // Keep looping if this value is in the low duplicated range.
  304. } while (bccomp($n, $duplicate) < 0);
  305. return bcmod($n, $stop);
  306. }
  307. function _openid_get_bytes($num_bytes) {
  308. return drupal_random_bytes($num_bytes);
  309. }
  310. function _openid_response($str = NULL) {
  311. $data = array();
  312. if (isset($_SERVER['REQUEST_METHOD'])) {
  313. $data = _openid_get_params($_SERVER['QUERY_STRING']);
  314. if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  315. $str = file_get_contents('php://input');
  316. $post = array();
  317. if ($str !== false) {
  318. $post = _openid_get_params($str);
  319. }
  320. $data = array_merge($data, $post);
  321. }
  322. }
  323. return $data;
  324. }
  325. function _openid_get_params($str) {
  326. $chunks = explode("&", $str);
  327. $data = array();
  328. foreach ($chunks as $chunk) {
  329. $parts = explode("=", $chunk, 2);
  330. if (count($parts) == 2) {
  331. list($k, $v) = $parts;
  332. $data[$k] = urldecode($v);
  333. }
  334. }
  335. return $data;
  336. }
  337. /**
  338. * Provide bcpowmod support for PHP4.
  339. */
  340. if (!function_exists('bcpowmod')) {
  341. function bcpowmod($base, $exp, $mod) {
  342. $square = bcmod($base, $mod);
  343. $result = 1;
  344. while (bccomp($exp, 0) > 0) {
  345. if (bcmod($exp, 2)) {
  346. $result = bcmod(bcmul($result, $square), $mod);
  347. }
  348. $square = bcmod(bcmul($square, $square), $mod);
  349. $exp = bcdiv($exp, 2);
  350. }
  351. return $result;
  352. }
  353. }