1 files changed, 1 insertions, 1 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index 3cad71c..8125aa7 100644
--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -125,193 +125,193 @@ namespace opkele {
            mode_t mode,
            const string& return_to,const string& realm,
            extension_t *ext) {
        rv.reset_fields();
        rv.set_field("ns",OIURI_OPENID20);
        if(mode==mode_checkid_immediate)
            rv.set_field("mode","checkid_immediate");
        else if(mode==mode_checkid_setup)
            rv.set_field("mode","checkid_setup");
        else
            throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
        if(realm.empty() && return_to.empty())
            throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
        if(!realm.empty()) {
            rv.set_field("realm",realm);
            rv.set_field("trust_root",realm);
        }
        if(!return_to.empty())
            rv.set_field("return_to",return_to);
        const openid_endpoint_t& ep = get_endpoint();
        rv.set_field("claimed_id",ep.claimed_id);
        rv.set_field("identity",ep.local_id);
        try {
            rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());
        }catch(dumb_RP& drp) {
        }catch(failed_lookup& fl) {
            try {
                rv.set_field("assoc_handle",associate(ep.uri)->handle());
            }catch(dumb_RP& drp) { }
        } OPKELE_RETHROW
        if(ext) ext->rp_checkid_hook(rv);
        return rv;
    }
    class signed_part_message_proxy : public basic_openid_message {
        public:
            const basic_openid_message& x;
            set<string> signeds;
            signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {
                const string& slist = x.get_field("signed");
                string::size_type p = 0;
                while(true) {
                    string::size_type co = slist.find(',',p);
                    string f = (co==string::npos)
                        ?slist.substr(p):slist.substr(p,co-p);
                    signeds.insert(f);
                    if(co==string::npos) break;
                    p = co+1;
                }
            }
            bool has_field(const string& n) const {
                return signeds.find(n)!=signeds.end() && x.has_field(n); }
            const string& get_field(const string& n) const {
                if(signeds.find(n)==signeds.end())
                    throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");
                return x.get_field(n); }
            fields_iterator fields_begin() const {
                return signeds.begin(); }
            fields_iterator fields_end() const {
                return signeds.end(); }
    };
    static void parse_query(const string& u,string::size_type q,
            map<string,string>& p) {
        if(q==string::npos)
            return;
        assert(u[q]=='?');
        ++q;
        string::size_type l = u.size();
        while(q<l) {
            string::size_type eq = u.find('=',q);
            string::size_type am = u.find('&',q);
            if(am==string::npos) {
                if(eq==string::npos) {
                    p[""] = u.substr(q);
                }else{
                    p[u.substr(q,eq-q)] = u.substr(eq+1);
                }
                break;
            }else{
                if(eq==string::npos || eq>am) {
                    p[""] = u.substr(q,eq-q);
                }else{
                    p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
                }
                q = ++am;
            }
        }
    }
    void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
        reset_vars();
        bool o2 = om.has_field("ns")
-            && om.get_field("ns")==OIURI_OPENID20;
+            && om.get_field("ns")==OIURI_OPENID20 && !om.get_field("op_endpoint").empty();
        if( (!o2) && om.has_field("user_setup_url"))
            throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
                    om.get_field("user_setup_url"));
        string m = om.get_field("mode");
        if(o2 && m=="setup_needed")
            throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
        if(m=="cancel")
            throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
        bool go_dumb=false;
        try {
            string OP = o2
                ?om.get_field("op_endpoint")
                :get_endpoint().uri;
            assoc_t assoc = retrieve_assoc(
                    OP,om.get_field("assoc_handle"));
            if(om.get_field("sig")!=util::base64_signature(assoc,om))
                throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
        }catch(dumb_RP& drp) {
            go_dumb=true;
        }catch(failed_lookup& e) {
            go_dumb=true;
        } OPKELE_RETHROW
        if(go_dumb) {
            try {
                string OP = o2
                    ?om.get_field("op_endpoint")
                    :get_endpoint().uri;
                check_authentication(OP,om);
            }catch(failed_check_authentication& fca) {
                throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
            } OPKELE_RETHROW
        }
        signed_part_message_proxy signeds(om);
        if(o2) {
            check_nonce(om.get_field("op_endpoint"),
                    om.get_field("response_nonce"));
            static const char *mustsign[] = {
                "op_endpoint", "return_to", "response_nonce", "assoc_handle",
                "claimed_id", "identity" };
            for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
                if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
                    throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
            }
            if( (
                    (om.has_field("claimed_id")?1:0)
                    ^
                    (om.has_field("identity")?1:0)
                )&1 )
                throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
            string turl = util::rfc_3986_normalize_uri(get_this_url());
            util::strip_uri_fragment_part(turl);
            string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
            util::strip_uri_fragment_part(rurl);
            string::size_type
                tq = turl.find('?'), rq = rurl.find('?');
            if(
                    ((tq==string::npos)?turl:turl.substr(0,tq))
                    !=
                    ((rq==string::npos)?rurl:rurl.substr(0,rq))
              )
                throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
            map<string,string> tp; parse_query(turl,tq,tp);
            map<string,string> rp; parse_query(rurl,rq,rp);
            for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
                map<string,string>::const_iterator tpi = tp.find(rpi->first);
                if(tpi==tp.end())
                    throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
                if(tpi->second!=rpi->second)
                    throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
            }
            if(om.has_field("claimed_id")) {
                claimed_id = om.get_field("claimed_id");
                identity = om.get_field("identity");
                verify_OP(
                        om.get_field("op_endpoint"),
                        claimed_id, identity );
            }
        }else{
            claimed_id = get_endpoint().claimed_id;
            /* TODO: check if this is the identity we asked for */
            identity = om.get_field("identity");
        }
        if(ext) ext->rp_id_res_hook(om,signeds);
    }
    void basic_RP::check_authentication(const string& OP,
            const basic_openid_message& om){
        openid_message_t res;
        static const string checkauthmode = "check_authentication";
        direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);
        if(res.has_field("is_valid")) {
            if(res.get_field("is_valid")=="true") {
                if(res.has_field("invalidate_handle"))

diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc index 3cad71c..8125aa7 100644 --- a/lib/basic_rp.cc +++ b/lib/basic_rp.cc
@@ -125,193 +125,193 @@ namespace opkele {
125	mode_t mode,	125	mode_t mode,
126	const string& return_to,const string& realm,	126	const string& return_to,const string& realm,
127	extension_t *ext) {	127	extension_t *ext) {
128	rv.reset_fields();	128	rv.reset_fields();
129	rv.set_field("ns",OIURI_OPENID20);	129	rv.set_field("ns",OIURI_OPENID20);
130	if(mode==mode_checkid_immediate)	130	if(mode==mode_checkid_immediate)
131	rv.set_field("mode","checkid_immediate");	131	rv.set_field("mode","checkid_immediate");
132	else if(mode==mode_checkid_setup)	132	else if(mode==mode_checkid_setup)
133	rv.set_field("mode","checkid_setup");	133	rv.set_field("mode","checkid_setup");
134	else	134	else
135	throw bad_input(OPKELE_CP_ "unknown checkid_* mode");	135	throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
136	if(realm.empty() && return_to.empty())	136	if(realm.empty() && return_to.empty())
137	throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");	137	throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
138	if(!realm.empty()) {	138	if(!realm.empty()) {
139	rv.set_field("realm",realm);	139	rv.set_field("realm",realm);
140	rv.set_field("trust_root",realm);	140	rv.set_field("trust_root",realm);
141	}	141	}
142	if(!return_to.empty())	142	if(!return_to.empty())
143	rv.set_field("return_to",return_to);	143	rv.set_field("return_to",return_to);
144	const openid_endpoint_t& ep = get_endpoint();	144	const openid_endpoint_t& ep = get_endpoint();
145	rv.set_field("claimed_id",ep.claimed_id);	145	rv.set_field("claimed_id",ep.claimed_id);
146	rv.set_field("identity",ep.local_id);	146	rv.set_field("identity",ep.local_id);
147	try {	147	try {
148	rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());	148	rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());
149	}catch(dumb_RP& drp) {	149	}catch(dumb_RP& drp) {
150	}catch(failed_lookup& fl) {	150	}catch(failed_lookup& fl) {
151	try {	151	try {
152	rv.set_field("assoc_handle",associate(ep.uri)->handle());	152	rv.set_field("assoc_handle",associate(ep.uri)->handle());
153	}catch(dumb_RP& drp) { }	153	}catch(dumb_RP& drp) { }
154	} OPKELE_RETHROW	154	} OPKELE_RETHROW
155	if(ext) ext->rp_checkid_hook(rv);	155	if(ext) ext->rp_checkid_hook(rv);
156	return rv;	156	return rv;
157	}	157	}
158		158
159	class signed_part_message_proxy : public basic_openid_message {	159	class signed_part_message_proxy : public basic_openid_message {
160	public:	160	public:
161	const basic_openid_message& x;	161	const basic_openid_message& x;
162	set<string> signeds;	162	set<string> signeds;
163		163
164	signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {	164	signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {
165	const string& slist = x.get_field("signed");	165	const string& slist = x.get_field("signed");
166	string::size_type p = 0;	166	string::size_type p = 0;
167	while(true) {	167	while(true) {
168	string::size_type co = slist.find(',',p);	168	string::size_type co = slist.find(',',p);
169	string f = (co==string::npos)	169	string f = (co==string::npos)
170	?slist.substr(p):slist.substr(p,co-p);	170	?slist.substr(p):slist.substr(p,co-p);
171	signeds.insert(f);	171	signeds.insert(f);
172	if(co==string::npos) break;	172	if(co==string::npos) break;
173	p = co+1;	173	p = co+1;
174	}	174	}
175	}	175	}
176		176
177	bool has_field(const string& n) const {	177	bool has_field(const string& n) const {
178	return signeds.find(n)!=signeds.end() && x.has_field(n); }	178	return signeds.find(n)!=signeds.end() && x.has_field(n); }
179	const string& get_field(const string& n) const {	179	const string& get_field(const string& n) const {
180	if(signeds.find(n)==signeds.end())	180	if(signeds.find(n)==signeds.end())
181	throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");	181	throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");
182	return x.get_field(n); }	182	return x.get_field(n); }
183		183
184	fields_iterator fields_begin() const {	184	fields_iterator fields_begin() const {
185	return signeds.begin(); }	185	return signeds.begin(); }
186	fields_iterator fields_end() const {	186	fields_iterator fields_end() const {
187	return signeds.end(); }	187	return signeds.end(); }
188	};	188	};
189		189
190	static void parse_query(const string& u,string::size_type q,	190	static void parse_query(const string& u,string::size_type q,
191	map<string,string>& p) {	191	map<string,string>& p) {
192	if(q==string::npos)	192	if(q==string::npos)
193	return;	193	return;
194	assert(u[q]=='?');	194	assert(u[q]=='?');
195	++q;	195	++q;
196	string::size_type l = u.size();	196	string::size_type l = u.size();
197	while(q<l) {	197	while(q<l) {
198	string::size_type eq = u.find('=',q);	198	string::size_type eq = u.find('=',q);
199	string::size_type am = u.find('&',q);	199	string::size_type am = u.find('&',q);
200	if(am==string::npos) {	200	if(am==string::npos) {
201	if(eq==string::npos) {	201	if(eq==string::npos) {
202	p[""] = u.substr(q);	202	p[""] = u.substr(q);
203	}else{	203	}else{
204	p[u.substr(q,eq-q)] = u.substr(eq+1);	204	p[u.substr(q,eq-q)] = u.substr(eq+1);
205	}	205	}
206	break;	206	break;
207	}else{	207	}else{
208	if(eq==string::npos \|\| eq>am) {	208	if(eq==string::npos \|\| eq>am) {
209	p[""] = u.substr(q,eq-q);	209	p[""] = u.substr(q,eq-q);
210	}else{	210	}else{
211	p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);	211	p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
212	}	212	}
213	q = ++am;	213	q = ++am;
214	}	214	}
215	}	215	}
216	}	216	}
217		217
218	void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {	218	void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
219	reset_vars();	219	reset_vars();
220	bool o2 = om.has_field("ns")	220	bool o2 = om.has_field("ns")
221	&& om.get_field("ns")==OIURI_OPENID20;	221	&& om.get_field("ns")==OIURI_OPENID20 && !om.get_field("op_endpoint").empty();
222	if( (!o2) && om.has_field("user_setup_url"))	222	if( (!o2) && om.has_field("user_setup_url"))
223	throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",	223	throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
224	om.get_field("user_setup_url"));	224	om.get_field("user_setup_url"));
225	string m = om.get_field("mode");	225	string m = om.get_field("mode");
226	if(o2 && m=="setup_needed")	226	if(o2 && m=="setup_needed")
227	throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");	227	throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
228	if(m=="cancel")	228	if(m=="cancel")
229	throw id_res_cancel(OPKELE_CP_ "authentication cancelled");	229	throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
230	bool go_dumb=false;	230	bool go_dumb=false;
231	try {	231	try {
232	string OP = o2	232	string OP = o2
233	?om.get_field("op_endpoint")	233	?om.get_field("op_endpoint")
234	:get_endpoint().uri;	234	:get_endpoint().uri;
235	assoc_t assoc = retrieve_assoc(	235	assoc_t assoc = retrieve_assoc(
236	OP,om.get_field("assoc_handle"));	236	OP,om.get_field("assoc_handle"));
237	if(om.get_field("sig")!=util::base64_signature(assoc,om))	237	if(om.get_field("sig")!=util::base64_signature(assoc,om))
238	throw id_res_mismatch(OPKELE_CP_ "signature mismatch");	238	throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
239	}catch(dumb_RP& drp) {	239	}catch(dumb_RP& drp) {
240	go_dumb=true;	240	go_dumb=true;
241	}catch(failed_lookup& e) {	241	}catch(failed_lookup& e) {
242	go_dumb=true;	242	go_dumb=true;
243	} OPKELE_RETHROW	243	} OPKELE_RETHROW
244	if(go_dumb) {	244	if(go_dumb) {
245	try {	245	try {
246	string OP = o2	246	string OP = o2
247	?om.get_field("op_endpoint")	247	?om.get_field("op_endpoint")
248	:get_endpoint().uri;	248	:get_endpoint().uri;
249	check_authentication(OP,om);	249	check_authentication(OP,om);
250	}catch(failed_check_authentication& fca) {	250	}catch(failed_check_authentication& fca) {
251	throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");	251	throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
252	} OPKELE_RETHROW	252	} OPKELE_RETHROW
253	}	253	}
254	signed_part_message_proxy signeds(om);	254	signed_part_message_proxy signeds(om);
255	if(o2) {	255	if(o2) {
256	check_nonce(om.get_field("op_endpoint"),	256	check_nonce(om.get_field("op_endpoint"),
257	om.get_field("response_nonce"));	257	om.get_field("response_nonce"));
258	static const char *mustsign[] = {	258	static const char *mustsign[] = {
259	"op_endpoint", "return_to", "response_nonce", "assoc_handle",	259	"op_endpoint", "return_to", "response_nonce", "assoc_handle",
260	"claimed_id", "identity" };	260	"claimed_id", "identity" };
261	for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {	261	for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
262	if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))	262	if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
263	throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");	263	throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
264	}	264	}
265	if( (	265	if( (
266	(om.has_field("claimed_id")?1:0)	266	(om.has_field("claimed_id")?1:0)
267	^	267	^
268	(om.has_field("identity")?1:0)	268	(om.has_field("identity")?1:0)
269	)&1 )	269	)&1 )
270	throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");	270	throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
271		271
272	string turl = util::rfc_3986_normalize_uri(get_this_url());	272	string turl = util::rfc_3986_normalize_uri(get_this_url());
273	util::strip_uri_fragment_part(turl);	273	util::strip_uri_fragment_part(turl);
274	string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));	274	string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
275	util::strip_uri_fragment_part(rurl);	275	util::strip_uri_fragment_part(rurl);
276	string::size_type	276	string::size_type
277	tq = turl.find('?'), rq = rurl.find('?');	277	tq = turl.find('?'), rq = rurl.find('?');
278	if(	278	if(
279	((tq==string::npos)?turl:turl.substr(0,tq))	279	((tq==string::npos)?turl:turl.substr(0,tq))
280	!=	280	!=
281	((rq==string::npos)?rurl:rurl.substr(0,rq))	281	((rq==string::npos)?rurl:rurl.substr(0,rq))
282	)	282	)
283	throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");	283	throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
284	map<string,string> tp; parse_query(turl,tq,tp);	284	map<string,string> tp; parse_query(turl,tq,tp);
285	map<string,string> rp; parse_query(rurl,rq,rp);	285	map<string,string> rp; parse_query(rurl,rq,rp);
286	for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {	286	for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
287	map<string,string>::const_iterator tpi = tp.find(rpi->first);	287	map<string,string>::const_iterator tpi = tp.find(rpi->first);
288	if(tpi==tp.end())	288	if(tpi==tp.end())
289	throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");	289	throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
290	if(tpi->second!=rpi->second)	290	if(tpi->second!=rpi->second)
291	throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");	291	throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
292	}	292	}
293		293
294	if(om.has_field("claimed_id")) {	294	if(om.has_field("claimed_id")) {
295	claimed_id = om.get_field("claimed_id");	295	claimed_id = om.get_field("claimed_id");
296	identity = om.get_field("identity");	296	identity = om.get_field("identity");
297	verify_OP(	297	verify_OP(
298	om.get_field("op_endpoint"),	298	om.get_field("op_endpoint"),
299	claimed_id, identity );	299	claimed_id, identity );
300	}	300	}
301		301
302	}else{	302	}else{
303	claimed_id = get_endpoint().claimed_id;	303	claimed_id = get_endpoint().claimed_id;
304	/* TODO: check if this is the identity we asked for */	304	/* TODO: check if this is the identity we asked for */
305	identity = om.get_field("identity");	305	identity = om.get_field("identity");
306	}	306	}
307	if(ext) ext->rp_id_res_hook(om,signeds);	307	if(ext) ext->rp_id_res_hook(om,signeds);
308	}	308	}
309		309
310	void basic_RP::check_authentication(const string& OP,	310	void basic_RP::check_authentication(const string& OP,
311	const basic_openid_message& om){	311	const basic_openid_message& om){
312	openid_message_t res;	312	openid_message_t res;
313	static const string checkauthmode = "check_authentication";	313	static const string checkauthmode = "check_authentication";
314	direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);	314	direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);
315	if(res.has_field("is_valid")) {	315	if(res.has_field("is_valid")) {
316	if(res.get_field("is_valid")=="true") {	316	if(res.get_field("is_valid")=="true") {
317	if(res.has_field("invalidate_handle"))	317	if(res.has_field("invalidate_handle"))