-rw-r--r--lib/basic_rp.cc1
1 files changed, 1 insertions, 0 deletions
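--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -1,96 +1,97 @@
+#include <sys/types.h>
 #include <cassert>
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <opkele/basic_rp.h>
 #include <opkele/exception.h>
 #include <opkele/uris.h>
 #include <opkele/data.h>
 #include <opkele/util.h>
 #include <opkele/util-internal.h>
 #include <opkele/curl.h>
 #include <opkele/debug.h>
 
 namespace opkele {
 
 void basic_RP::reset_vars() {
 claimed_id.clear(); identity.clear();
 }
 
 const string& basic_RP::get_claimed_id() const {
 if(claimed_id.empty())
 throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion");
 assert(!identity.empty());
 return claimed_id;
 }
 
 const string& basic_RP::get_identity() const {
 if(identity.empty())
 throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion");
 assert(!claimed_id.empty());
 return identity;
 }
 
 static void dh_get_secret(
 secret_t& secret, const basic_openid_message& om,
 const char *exp_assoc, const char *exp_sess,
 util::dh_t& dh,
 size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*),
 size_t exp_s_len) try {
 if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
 throw bad_input(OPKELE_CP_ "Unexpected associate response");
 util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
 vector<unsigned char> ck(DH_size(dh)+1);
 unsigned char *ckptr = &(ck.front())+1;
 int cklen = DH_compute_key(ckptr,s_pub,dh);
 if(cklen<0)
 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
 if(cklen && (*ckptr)&0x80) {
 (*(--ckptr))=0; ++cklen; }
 assert(d_len<=SHA256_DIGEST_LENGTH);
 unsigned char key_digest[SHA256_DIGEST_LENGTH];
 secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
 if(secret.size()!=exp_s_len)
 throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");
 }catch(opkele::failed_lookup& ofl) {
 throw bad_input(OPKELE_CP_ "Incoherent response from OP");
 } OPKELE_RETHROW
 
 static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
 util::curl_pick_t curl = util::curl_pick_t::easy_init();
 if(!curl)
 throw exception_curl(OPKELE_CP_ "failed to initialize curl");
 string request = inm.query_string();
 CURLcode r;
 (r=curl.misc_sets())
 || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
 || (r=curl.easy_setopt(CURLOPT_POST,1))
 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
 || (r=curl.set_write());
 if(r)
 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
 if( (r=curl.easy_perform()) )
 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
 oum.from_keyvalues(curl.response);
 }
 
 
 assoc_t basic_RP::associate(const string& OP) {
 util::dh_t dh = DH_new();
 if(!dh)
 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
 dh->p = util::dec_to_bignum(data::_default_p);
 dh->g = util::dec_to_bignum(data::_default_g);
 if(!DH_generate_key(dh))
 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
 openid_message_t req;
 req.set_field("ns",OIURI_OPENID20);
 req.set_field("mode","associate");
 req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
 req.set_field("dh_gen",util::bignum_to_base64(dh->g));
 req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
 openid_message_t res;
 req.set_field("assoc_type","HMAC-SHA256");
 req.set_field("session_type","DH-SHA256");
 secret_t secret;
 int expires_in;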
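Review bot: `curl.easy_setopt(CURLOPT_POST,1)` in direct_request passes an int where libcurl reads a long through its varargs, which is undefined behaviour and can misread on LP64 targets; assuming the wrapper forwards its argument unchanged to curl_easy_setopt, it should be `curl.easy_setopt(CURLOPT_POST,1L)`, and the `CURLOPT_POSTFIELDSIZE` line likewise wants `static_cast<long>(request.length())` rather than a size_t. In dh_get_secret the OP-supplied `dh_server_public` is handed to DH_compute_key with no range validation; calling `DH_check_pub_key()` on s_pub first and throwing bad_input on failure would reject out-of-range peer values before any key material is derived from them. The added `#include <sys/types.h>` is presumably there for size_t in the dh_get_secret signature — if that is the reason, `<cstddef>` is the portable header, though the build failure that motivated it is not visible here. basic_RP::associate continues past the end of the hunk.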