| author | Michael Krelin <hacker@klever.net> | 2008-04-05 13:36:58 (UTC) |
|---|---|---|
| committer | Michael Krelin <hacker@klever.net> | 2008-04-05 13:36:58 (UTC) |
| commit | 5d91c1f9eb443a13e36bb607d8c1b770e561888c (patch) (unidiff) | |
| tree | a759130a46bc6ad6cbc7b0b9bd772243ca1903da /lib/basic_op.cc | |
| parent | 748a2a29a5667f372bf355ed737208a952ff79f0 (diff) | |
| download | libopkele-5d91c1f9eb443a13e36bb607d8c1b770e561888c.zip libopkele-5d91c1f9eb443a13e36bb607d8c1b770e561888c.tar.gz libopkele-5d91c1f9eb443a13e36bb607d8c1b770e561888c.tar.bz2 | |
empty trust_root is no trust root.
work around some thoughtful and considerate RPs that take the pain of sending
the trust_root parameter, but do not go into as much trouble as setting it to
anything but an empty string.
Signed-off-by: Michael Krelin <hacker@klever.net>
| -rw-r--r-- | lib/basic_op.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/basic_op.cc b/lib/basic_op.cc index fa659ac..511b51a 100644 --- a/lib/basic_op.cc +++ b/lib/basic_op.cc | |||
| @@ -107,109 +107,115 @@ namespace opkele { | |||
| 107 | oum.set_field("ns",OIURI_OPENID20); | 107 | oum.set_field("ns",OIURI_OPENID20); |
| 108 | oum.set_field("assoc_type",a->assoc_type()); | 108 | oum.set_field("assoc_type",a->assoc_type()); |
| 109 | oum.set_field("assoc_handle",a->handle()); | 109 | oum.set_field("assoc_handle",a->handle()); |
| 110 | oum.set_field("expires_in",util::long_to_string(a->expires_in())); | 110 | oum.set_field("expires_in",util::long_to_string(a->expires_in())); |
| 111 | secret_t secret = a->secret(); | 111 | secret_t secret = a->secret(); |
| 112 | if(sts=="DH-SHA1" || sts=="DH-SHA256") { | 112 | if(sts=="DH-SHA1" || sts=="DH-SHA256") { |
| 113 | if(d_len != secret.size()) | 113 | if(d_len != secret.size()) |
| 114 | throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size"); | 114 | throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size"); |
| 115 | oum.set_field("session_type",sts); | 115 | oum.set_field("session_type",sts); |
| 116 | oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key)); | 116 | oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key)); |
| 117 | string b64; secret.enxor_to_base64(key_digest,b64); | 117 | string b64; secret.enxor_to_base64(key_digest,b64); |
| 118 | oum.set_field("enc_mac_key",b64); | 118 | oum.set_field("enc_mac_key",b64); |
| 119 | }else /* TODO: support cleartext over encrypted connection */ | 119 | }else /* TODO: support cleartext over encrypted connection */ |
| 120 | throw unsupported(OPKELE_CP_ "Unsupported session type"); | 120 | throw unsupported(OPKELE_CP_ "Unsupported session type"); |
| 121 | return oum; | 121 | return oum; |
| 122 | } catch(unsupported& u) { | 122 | } catch(unsupported& u) { |
| 123 | oum.reset_fields(); | 123 | oum.reset_fields(); |
| 124 | oum.set_field("ns",OIURI_OPENID20); | 124 | oum.set_field("ns",OIURI_OPENID20); |
| 125 | oum.set_field("error",u.what()); | 125 | oum.set_field("error",u.what()); |
| 126 | oum.set_field("error_code","unsupported-type"); | 126 | oum.set_field("error_code","unsupported-type"); |
| 127 | oum.set_field("session_type","DH-SHA256"); | 127 | oum.set_field("session_type","DH-SHA256"); |
| 128 | oum.set_field("assoc_type","HMAC-SHA256"); | 128 | oum.set_field("assoc_type","HMAC-SHA256"); |
| 129 | return oum; | 129 | return oum; |
| 130 | } | 130 | } |
| 131 | 131 | ||
| 132 | void basic_OP::checkid_(const basic_openid_message& inm, | 132 | void basic_OP::checkid_(const basic_openid_message& inm, |
| 133 | extension_t *ext) { | 133 | extension_t *ext) { |
| 134 | reset_vars(); | 134 | reset_vars(); |
| 135 | string modestr = inm.get_field("mode"); | 135 | string modestr = inm.get_field("mode"); |
| 136 | if(modestr=="checkid_setup") | 136 | if(modestr=="checkid_setup") |
| 137 | mode = mode_checkid_setup; | 137 | mode = mode_checkid_setup; |
| 138 | else if(modestr=="checkid_immediate") | 138 | else if(modestr=="checkid_immediate") |
| 139 | mode = mode_checkid_immediate; | 139 | mode = mode_checkid_immediate; |
| 140 | else | 140 | else |
| 141 | throw bad_input(OPKELE_CP_ "Invalid checkid_* mode"); | 141 | throw bad_input(OPKELE_CP_ "Invalid checkid_* mode"); |
| 142 | try { | 142 | try { |
| 143 | assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle")); | 143 | assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle")); |
| 144 | invalidate_handle.clear(); | 144 | invalidate_handle.clear(); |
| 145 | }catch(failed_lookup&) { } | 145 | }catch(failed_lookup&) { } |
| 146 | try { | 146 | try { |
| 147 | openid2 = (inm.get_field("ns")==OIURI_OPENID20); | 147 | openid2 = (inm.get_field("ns")==OIURI_OPENID20); |
| 148 | }catch(failed_lookup&) { openid2 = false; } | 148 | }catch(failed_lookup&) { openid2 = false; } |
| 149 | try { | 149 | try { |
| 150 | return_to = inm.get_field("return_to"); | 150 | return_to = inm.get_field("return_to"); |
| 151 | }catch(failed_lookup&) { } | 151 | }catch(failed_lookup&) { } |
| 152 | if(openid2) { | 152 | if(openid2) { |
| 153 | try { | 153 | try { |
| 154 | realm = inm.get_field("realm"); | 154 | realm = inm.get_field("realm"); |
| 155 | if(realm.empty()) | ||
| 156 | throw failed_lookup(OPKELE_CP_ "Empty realm doesn't count"); | ||
| 155 | }catch(failed_lookup&) { | 157 | }catch(failed_lookup&) { |
| 156 | try { | 158 | try { |
| 157 | realm = inm.get_field("trust_root"); | 159 | realm = inm.get_field("trust_root"); |
| 160 | if(realm.empty()) | ||
| 161 | throw failed_lookup(OPKELE_CP_ "Empty trust_root doesn't count"); | ||
| 158 | }catch(failed_lookup&) { | 162 | }catch(failed_lookup&) { |
| 159 | if(return_to.empty()) | 163 | if(return_to.empty()) |
| 160 | throw bad_input(OPKELE_CP_ | 164 | throw bad_input(OPKELE_CP_ |
| 161 | "Both realm and return_to are unset"); | 165 | "Both realm and return_to are unset"); |
| 162 | realm = return_to; | 166 | realm = return_to; |
| 163 | } | 167 | } |
| 164 | } | 168 | } |
| 165 | }else{ | 169 | }else{ |
| 166 | try { | 170 | try { |
| 167 | realm = inm.get_field("trust_root"); | 171 | realm = inm.get_field("trust_root"); |
| 172 | if(realm.empty()) | ||
| 173 | throw failed_lookup(OPKELE_CP_ "Empty trust_root doesn't count"); | ||
| 168 | }catch(failed_lookup&) { | 174 | }catch(failed_lookup&) { |
| 169 | if(return_to.empty()) | 175 | if(return_to.empty()) |
| 170 | throw bad_input(OPKELE_CP_ | 176 | throw bad_input(OPKELE_CP_ |
| 171 | "Both realm and return_to are unset"); | 177 | "Both realm and return_to are unset"); |
| 172 | realm = return_to; | 178 | realm = return_to; |
| 173 | } | 179 | } |
| 174 | } | 180 | } |
| 175 | try { | 181 | try { |
| 176 | identity = inm.get_field("identity"); | 182 | identity = inm.get_field("identity"); |
| 177 | try { | 183 | try { |
| 178 | claimed_id = inm.get_field("claimed_id"); | 184 | claimed_id = inm.get_field("claimed_id"); |
| 179 | }catch(failed_lookup&) { | 185 | }catch(failed_lookup&) { |
| 180 | if(openid2) | 186 | if(openid2) |
| 181 | throw bad_input(OPKELE_CP_ | 187 | throw bad_input(OPKELE_CP_ |
| 182 | "claimed_id and identity must be either both present or both absent"); | 188 | "claimed_id and identity must be either both present or both absent"); |
| 183 | claimed_id = identity; | 189 | claimed_id = identity; |
| 184 | } | 190 | } |
| 185 | }catch(failed_lookup&) { | 191 | }catch(failed_lookup&) { |
| 186 | if(openid2 && inm.has_field("claimed_id")) | 192 | if(openid2 && inm.has_field("claimed_id")) |
| 187 | throw bad_input(OPKELE_CP_ | 193 | throw bad_input(OPKELE_CP_ |
| 188 | "claimed_id and identity must be either both present or both absent"); | 194 | "claimed_id and identity must be either both present or both absent"); |
| 189 | } | 195 | } |
| 190 | verify_return_to(); | 196 | verify_return_to(); |
| 191 | if(ext) ext->op_checkid_hook(inm); | 197 | if(ext) ext->op_checkid_hook(inm); |
| 192 | } | 198 | } |
| 193 | 199 | ||
| 194 | basic_openid_message& basic_OP::id_res(basic_openid_message& om, | 200 | basic_openid_message& basic_OP::id_res(basic_openid_message& om, |
| 195 | extension_t *ext) { | 201 | extension_t *ext) { |
| 196 | assert(!return_to.empty()); | 202 | assert(!return_to.empty()); |
| 197 | assert(!is_id_select()); | 203 | assert(!is_id_select()); |
| 198 | if(!assoc) { | 204 | if(!assoc) { |
| 199 | assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true); | 205 | assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true); |
| 200 | } | 206 | } |
| 201 | time_t now = time(0); | 207 | time_t now = time(0); |
| 202 | struct tm gmt; gmtime_r(&now,&gmt); | 208 | struct tm gmt; gmtime_r(&now,&gmt); |
| 203 | char w3timestr[24]; | 209 | char w3timestr[24]; |
| 204 | if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt)) | 210 | if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt)) |
| 205 | throw failed_conversion(OPKELE_CP_ | 211 | throw failed_conversion(OPKELE_CP_ |
| 206 | "Failed to build time string for nonce" ); | 212 | "Failed to build time string for nonce" ); |
| 207 | om.set_field("ns",OIURI_OPENID20); | 213 | om.set_field("ns",OIURI_OPENID20); |
| 208 | om.set_field("mode","id_res"); | 214 | om.set_field("mode","id_res"); |
| 209 | om.set_field("op_endpoint",get_op_endpoint()); | 215 | om.set_field("op_endpoint",get_op_endpoint()); |
| 210 | string ats = "ns,mode,op_endpoint,return_to,response_nonce," | 216 | string ats = "ns,mode,op_endpoint,return_to,response_nonce," |
| 211 | "assoc_handle,signed"; | 217 | "assoc_handle,signed"; |
| 212 | if(!identity.empty()) { | 218 | if(!identity.empty()) { |
| 213 | om.set_field("identity",identity); | 219 | om.set_field("identity",identity); |
| 214 | om.set_field("claimed_id",claimed_id); | 220 | om.set_field("claimed_id",claimed_id); |
| 215 | ats += ",identity,claimed_id"; | 221 | ats += ",identity,claimed_id"; |