Not sure if this works yet
<?
# Copyright (c) 2005 JP Sugarbroad
# Permission is granted to use this in any way you want, provided that you
# include the above copyright notice (or one with similar effect) in any work
# including non-trivial parts of this one.
# Change history:
# 20050706.0: Fixed XTEA routines and signatures
# 20050707.0: More XTEA fixes
# 20050707.1: valid_root fix (thanks to meepbear)
# 20050708.0: Fix cookie check
# 20050708.1: Remove issued field from token
# 20050713.0: Update to new protocol, added example login code
# 20070110.0: Fix a bug in the XTEA implementation
# (changed a = intval(a + b) to a = intval(a + (b))
#
# NOTE(review): this listing was recovered from a collapsed paste. Several
# statements (switch subjects, array openers, loop headers, whole function
# bodies) are missing; comments marked "lost" flag those spots. Do not treat
# anything below as a complete, runnable implementation. Constants such as
# SIGKEY, ASSOC_TIME, KEY_LEN, VALID_TIME, COOKIE_NAME and COOKIE_VALUE are
# defined somewhere outside what survived.

# Timestamp <-> UTC string conversion used in the key/value responses.
# NOTE(review): both bodies are lost; the purpose is inferred only from the
# names and the t2utc()/utc2t() pairing -- confirm against the original.
function t2utc($t) { }
function utc2t($s) { }

# Trust-root wildcard policy (author's rules, enforced by valid_wildcard()):
# * is NOT OK
# *.x is NOT OK
# *.x.<tld_list non-element> is NOT OK
# Anything else is OK
# List from: http://www.iana.org/gtld/gtld.htm
# NOTE(review): the array opener (presumably something like
# $tld_list = array(...)) is lost; only the elements survived.
"aero" => 1, "biz" => 1, "com" => 1, "coop" => 1, "edu" => 1, "gov" => 1, "info" => 1, "int" => 1, "mil" => 1, "museum" => 1, "name" => 1, "net" => 1, "org" => 1, "pro" => 1);

# Return true when host $h is a plain host, or a wildcard host that satisfies
# the policy above; false otherwise.
function valid_wildcard($h) {
    # NOTE(review): the switch header is lost. The labels (false / 0 /
    # default) read like a strpos($h, "*") result. If that is what it
    # switches on, note that switch compares loosely, so `case false:` also
    # matches 0 and the wildcard branch would never be reached; testing
    # `=== false` before the switch avoids that.
    case false: # Not wildcard
        return true;
    case 0: # Wildcard
        break;
    default: # * not at start
        return false;
    }
    if ($h[0] != "*") return false; # *xyz.stuff is bad
    # NOTE(review): second switch header lost. The labels suggest a count of
    # dot-separated labels; the tld_list lookup for the 3-label case ("*.x.tld")
    # described in the policy above is not visible here.
    case 0:
    case 1:
    case 2:
        return false;
    case 3:
    default:
        return true;
    }
}

# Decide whether trust_root $root may receive an assertion for return_to $ret:
# scheme and port must match exactly, the host must match (or be an accepted
# wildcard), and the path components compared in the loop must agree.
# NOTE(review): $root and $ret are indexed like parse_url() arrays, but the
# caller below passes raw strings, so a parse_url() step appears lost. The
# wildcard-host branch and the setup of $p1/$p2 (path components; which one
# is the root is not recoverable) are lost as well.
function valid_root($root, $ret) {
    if ($root["scheme"] != $ret["scheme"]) return false;
    if ($root["port"] != $ret["port"]) return false;
    $h = $root["host"];
    if (!valid_wildcard($h)) return false;
    if ($h[0] == "*") {
        # lost: suffix match of the wildcard host against $ret["host"]
    } else {
        if ($h != $ret["host"]) return false;
    }
    # lost: $p1 / $p2 derived from the two paths
    foreach ($p1 as $k => $v) {
        if ($p2[$k] != $v) return false;
    }
    return true;
}

# Return $n random bytes as a binary string.
# NOTE(review): body lost. Everything this feeds (MAC keys, the XTEA IV,
# handle material) needs a CSPRNG; on PHP 7+ that is random_bytes(), never
# rand()/mt_rand().
function randbytes($n) {
    return $s;
}

# Encrypt one 8-byte block $v under key $k with XTEA (32 rounds, delta
# 0x9E3779B9). The round body is lost; change-history entry 20070110.0
# refers to an intval() wraparound fix inside it.
function xtea_block($k, $v) {
    $sum = 0;
    $delta = 0x9E3779B9;
    for ($i = 0; $i < 32; $i++) {
        # lost: one XTEA round
    }
}

# Encrypt $data under $key. Output is an 8-byte random IV followed by the
# ciphertext. The visible loop encrypts the previous output block and XORs it
# with the next plaintext block $p, which matches CFB mode.
# NOTE(review): the lines setting $l (data length) and $p (current 8-byte
# slice of $data) are lost, as is any padding of the final block.
function xtea_encrypt($key, $data) {
    $v = randbytes(8); # IV, transmitted in the clear at the start of $out
    $out = $v;
    $i = 0;
    while ($i < $l) {
        $v = xtea_block($key, $v);
        # lost: $p = the 8 bytes of $data starting at $i
        $i += 8;
        $v ^= $p;
        $out .= $v;
    }
    return $out;
}

# Inverse of xtea_encrypt(): skips the 8-byte IV, then for each ciphertext
# block $c emits xtea_block(previous block) ^ $c and carries $c forward
# (CFB decryption, consistent with the encrypt side).
# NOTE(review): initialisation of $v from the IV, $l, and the per-block $c
# assignment are lost.
function xtea_decrypt($key, $data) {
    $i = 8; # skip the IV
    $out = "";
    while ($i < $l) {
        $v = xtea_block($key, $v);
        # lost: $c = the 8 bytes of $data starting at $i
        $i += 8;
        $out .= $v ^ $c;
        $v = $c;
    }
    return $out;
}

# HMAC of $str under $key; the associate response advertises HMAC-SHA1.
# NOTE(review): body lost. hash_hmac("sha1", $str, $key, ...) is the stdlib
# equivalent -- check whether callers expect raw or encoded output.
function hmac($key, $str) { }

# Build the OpenID signature for $data: concatenate "field:value\n" for each
# field named in $data["signed"], then MAC the result under $key.
# NOTE(review): the foreach over the signed field names ($f) and the final
# hmac()/encoding step are lost; only the line-building statement survived.
function sign_array($key, $data) {
    $token = "";
        $token .= "$f:$data[$f]\n";
    }
}

# Build an association handle that carries its own expiry time, an
# "exposed" flag and the MAC key. From the call sites below, exposed=true
# appears to mean the key was handed to the relying party (associate), and
# false that it is server-private (dumb mode) -- confirm.
# NOTE(review): body lost; the encrypted layout is documented in
# check_handle().
function make_handle($expiry, $exposed, $key) { }

# Validate handle $bh and return its key, or a false-ish value when the
# handle is tampered with, expired, or exposed while $exposed_ok is false.
# check_authentication passes false, presumably so that a relying party that
# holds the shared key cannot have its own forged signature confirmed.
# Decrypted layout:
# IV + HMAC + expiry + exposed
# NOTE(review): the decode of $bh into $handle, the HMAC verification and the
# expiry/exposed parsing are lost; only the decrypt call survived.
function check_handle($bh, $exposed_ok) {
    $handle = xtea_decrypt(SIGKEY, $handle);
}

# Serialise $data as URL query arguments, each key prefixed with $prefix
# (the caller passes "openid.").
# NOTE(review): loop body and return statement lost.
function make_args($prefix, $data) {
    $url = "";
    foreach ($data as $k => $v) {
    }
}

# Re-encode the current request's parameters as a query-string tail so the
# login flow can resume the original checkid request.
# NOTE(review): loop body lost. This walks $_REQUEST, so cookie values are
# merged in as well -- confirm that is intended.
function continuation() {
    $url = "";
    foreach ($_REQUEST as $k => $v) {
    }
    return $url;
}

# ---- request handling ----

$ret = $_REQUEST["openid_return_to"];
if ($ret) {
    # lost: parsing/validation of $ret that leads to this error page
    ?><html> <head><title>Bad Request</title></head> <body><p>The OpenID endpoint received an invalid request.</p></body> </html><?
    exit;
    }
    # lost: test for an existing "?" in $ret, selecting the separator
    $retp = "$ret&";
    } else {
    $retp = "$ret?";
    }
}

# Absolute URL of this endpoint, used to build the login continuation.
$self = "http://" . $_SERVER["SERVER_NAME"];
# NOTE(review): $SERVER (no underscore) is undefined; this almost certainly
# meant $_SERVER["SERVER_PORT"], so on a non-80 port $self ends up as
# "http://host:" with an empty port.
if ($_SERVER["SERVER_PORT"] != 80) $self .= ":" . $SERVER["SERVER_PORT"];
$self .= "$_SERVER[PHP_SELF]?";

# Abort the request with an error. POST callers (associate /
# check_authentication) get the key-value "error:" line; GET callers get an
# HTML page, presumably with a link or redirect back to return_to when one
# is known.
# NOTE(review): the bodies of both `if ($ret)` branches and the markup inside
# `if ($msg)` are lost. $msg can carry $mode straight from $_REQUEST (see
# "Unknown mode $mode" below), so whatever that markup prints must pass $msg
# through htmlspecialchars() rather than echoing it raw.
function badreq($msg) {
    global $ret, $retp;
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        print "error:$msg\n";
        exit;
    }
    if ($ret) {
    } else {
    }
    ?><html> <head><title>OpenID endpoint</title></head> <body><p>This is an OpenID server endpoint, not a human-readable resource. For more information, see <a href="http://openid.net/">http://openid.net/</a>.</p> <? if ($msg) { ?> <? } ?> </html><?
    exit;
}

$mode = $_REQUEST["openid_mode"];
switch ($mode) {
case "check_authentication":
    # Dumb-mode verification: rebuild the signed fields from the request and
    # recompute the signature with the handle's server-private key.
    $sig = $_REQUEST["openid_signed"];
    $resp["signed"] = $sig;
    # lost: foreach over the comma-separated field names in $sig ($f)
        $resp[$f] = $_REQUEST["openid_" . $f];
    }
    $resp["mode"] = "id_res";
    # exposed_ok=false: a handle whose key was shared via associate is refused
    # here, so a relying party cannot get its own signatures "verified".
    $key = check_handle($_REQUEST["openid_assoc_handle"], false);
    # NOTE(review): `==` is a loose comparison (numeric-looking strings are
    # compared as numbers) and is not constant-time; hash_equals() (PHP 5.6+)
    # is the right check. $l (lifetime) is set by a lost line.
    if ($key && $_REQUEST["openid_sig"] == sign_array($key, $resp)) {
        print "is_valid:" . ($l ? 1 : 0) . "\nlifetime:" . $l . "\n";
    } else {
        print "is_valid:0\nlifetime:0\n";
    }
    $ih = $_REQUEST["openid_invalidate_handle"];
    # NOTE(review): $ih is echoed verbatim into a line-oriented key:value
    # response; a value containing a newline would inject extra response
    # lines. Reject handles containing "\n" or "\r" before echoing them.
    if ($ih && !check_handle($ih, true)) {
        print "invalidate_handle:$ih\n";
    }
    exit;
case "associate":
    # NOTE(review): $t is assigned the assoc_type string and then used as a
    # timestamp; the assoc_type validation and a `$t = time()`-style line
    # appear lost, as does the line that returns the MAC key ($r) to the
    # relying party.
    $t = $_REQUEST["openid_assoc_type"];
    $e = $t + ASSOC_TIME;
    $r = randbytes(KEY_LEN);
    $handle = make_handle($e, true, $r); # exposed: this key leaves the server
    print "assoc_type:HMAC-SHA1\nassoc_handle:" . $handle .
        "\nissued:" . t2utc($t) . # COMPAT
        "\nexpiry:" . t2utc($e) . # COMPAT
        "\nexpires_in:" . ASSOC_TIME . "\n";
    exit;
case "login":
case "checkid_immediate":
case "checkid_setup":
    if ($_SERVER["REQUEST_METHOD"] != "GET") {
        badreq("Mode $mode requires GET method");
    }
    break;
case null:
    badreq(null);
default:
    badreq("Unknown mode $mode");
}
if (!$ret) badreq("return_to required");

# If we have checkid_setup issue a redirect with mode login, then we don't
# have to make this a function. But that's an extra redirect we don't need.

# Example login hook; the real implementation is sketched in the commented
# block at the end of the function.
# NOTE(review): the "Temporary code" below forges the auth cookie in-process
# and downgrades the mode, so every login / checkid_setup request is treated
# as logged in without any credential check. It must be removed before this
# endpoint asserts any identity.
function login() {
    global $mode, $retp, $self;
    # Temporary code
    $_COOKIE[COOKIE_NAME] = COOKIE_VALUE;
    $mode = "checkid_immediate";
    # login.php should set the cookie correctly and then send the user back to
    # the return_to parameter. Don't use a redirect, that can cause a redirect
    # loop. Change checkid_immediate to login_cancel if they cancel the login.
    # (Use substr_replace, not str_replace, to avoid corrupting the
    # continuation.)
    # $url = $self . "openid.mode=checkid_immediate" . continuation();
    # header("Location: http://host/path/to/login.php?return_to=" . urlencode($url));
    # exit;
}

if ($mode == "login") login();
if ($mode == "login_cancel") {
    # lost: cancel response to return_to
    exit;
}
# Session check: a single fixed cookie value stands in for "logged in".
# NOTE(review): a constant COOKIE_VALUE is a static bearer token; anyone who
# learns it passes this check, and nothing ties the cookie to a particular
# identity.
if ($_COOKIE[COOKIE_NAME] != COOKIE_VALUE) {
    if ($mode == "checkid_setup") {
        login();
    } else {
        # checkid_immediate must not interact: show a link to the login URL
        # (continuation() carries the original request parameters along).
        $url = "http://$_SERVER[SERVER_NAME]$_SERVER[PHP_SELF]?openid.mode=login" . continuation();
        ?><html> <head><title>Login required</title></head> <body><p>You need to <a href="<?=htmlspecialchars($url)?>">log in</a> to be authenticated.</p></body> </html><?
        exit;
    }
}

$id = $_REQUEST["openid_identity"];
# NOTE(review): with the check below commented out, the endpoint signs an
# assertion for whatever identity the request names once the cookie check
# has passed. The asserted identity must be bound to the logged-in user.
#if ($id != "http://taral.net/") badreq("Unrecognized identity");
$root = $_REQUEST["openid_trust_root"];
# Fall back to return_to itself when no acceptable trust_root was supplied.
if (!$root || !valid_root($root, $ret)) {
    $root = $ret;
}
# Hard-coded allow-list of relying parties that may receive assertions.
switch ($root) {
case "http://www.lifewiki.net/":
case "http://*.danga.com/openid/demo/":
    break;
default:
    badreq("Requester not trusted");
}
# Fields of the positive assertion.
# NOTE(review): the `$resp = array(` opener and a `$t = time()`-style line
# are lost.
    "mode" => "id_res",
    "identity" => $id,
    "issued" => t2utc($t), # COMPAT
    "valid_to" => t2utc($t + VALID_TIME),
    "return_to" => $ret,
    "signed" => "mode,issued,valid_to,identity,return_to");
# Reuse the relying party's association if its handle still checks out;
# otherwise tell it to invalidate that handle and sign with a fresh
# server-private (unexposed) key that check_authentication can later verify.
$handle = $_REQUEST["openid_assoc_handle"];
if ($handle) {
    $key = check_handle($handle, true);
    if ($key == false) $resp["invalidate_handle"] = $handle;
}
if (!$key) {
    $key = randbytes(KEY_LEN);
    $handle = make_handle($t + ASSOC_TIME, false, $key);
}
$resp["sig"] = sign_array($key, $resp);
$resp["assoc_handle"] = $handle;
# Hand the signed assertion back to return_to through a user-clicked link;
# the URL is escaped for the HTML attribute context.
$url = $retp . make_args("openid.", $resp);
?><html> <head><title>Authentication OK</title></head> <body><p>Authentication complete. <a href="<?=htmlspecialchars($url)?>">Click here to proceed</a></p></body> </html>