summaryrefslogtreecommitdiffabout
path: root/lib/basic_op.cc
Unidiff
Diffstat (limited to 'lib/basic_op.cc') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/basic_op.cc1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
index c247493..fa659ac 100644
--- a/lib/basic_op.cc
+++ b/lib/basic_op.cc
@@ -1,200 +1,201 @@
1#include <time.h> 1#include <time.h>
2#include <cassert> 2#include <cassert>
3#include <openssl/sha.h> 3#include <openssl/sha.h>
4#include <openssl/hmac.h> 4#include <openssl/hmac.h>
5#include <opkele/data.h> 5#include <opkele/data.h>
6#include <opkele/basic_op.h> 6#include <opkele/basic_op.h>
7#include <opkele/exception.h> 7#include <opkele/exception.h>
8#include <opkele/util.h> 8#include <opkele/util.h>
9#include <opkele/util-internal.h>
9#include <opkele/uris.h> 10#include <opkele/uris.h>
10 11
11namespace opkele { 12namespace opkele {
12 13
13 void basic_OP::reset_vars() { 14 void basic_OP::reset_vars() {
14 assoc.reset(); 15 assoc.reset();
15 return_to.clear(); realm.clear(); 16 return_to.clear(); realm.clear();
16 claimed_id.clear(); identity.clear(); 17 claimed_id.clear(); identity.clear();
17 invalidate_handle.clear(); 18 invalidate_handle.clear();
18 } 19 }
19 20
20 bool basic_OP::has_return_to() const { 21 bool basic_OP::has_return_to() const {
21 return !return_to.empty(); 22 return !return_to.empty();
22 } 23 }
23 const string& basic_OP::get_return_to() const { 24 const string& basic_OP::get_return_to() const {
24 if(return_to.empty()) 25 if(return_to.empty())
25 throw no_return_to(OPKELE_CP_ "No return_to URL provided with request"); 26 throw no_return_to(OPKELE_CP_ "No return_to URL provided with request");
26 return return_to; 27 return return_to;
27 } 28 }
28 29
29 const string& basic_OP::get_realm() const { 30 const string& basic_OP::get_realm() const {
30 assert(!realm.empty()); 31 assert(!realm.empty());
31 return realm; 32 return realm;
32 } 33 }
33 34
34 bool basic_OP::has_identity() const { 35 bool basic_OP::has_identity() const {
35 return !identity.empty(); 36 return !identity.empty();
36 } 37 }
37 const string& basic_OP::get_claimed_id() const { 38 const string& basic_OP::get_claimed_id() const {
38 if(claimed_id.empty()) 39 if(claimed_id.empty())
39 throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request"); 40 throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");
40 assert(!identity.empty()); 41 assert(!identity.empty());
41 return claimed_id; 42 return claimed_id;
42 } 43 }
43 const string& basic_OP::get_identity() const { 44 const string& basic_OP::get_identity() const {
44 if(identity.empty()) 45 if(identity.empty())
45 throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request"); 46 throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");
46 assert(!claimed_id.empty()); 47 assert(!claimed_id.empty());
47 return identity; 48 return identity;
48 } 49 }
49 50
50 bool basic_OP::is_id_select() const { 51 bool basic_OP::is_id_select() const {
51 return identity==IDURI_SELECT20; 52 return identity==IDURI_SELECT20;
52 } 53 }
53 54
54 void basic_OP::select_identity(const string& c,const string& i) { 55 void basic_OP::select_identity(const string& c,const string& i) {
55 claimed_id = c; identity = i; 56 claimed_id = c; identity = i;
56 } 57 }
57 void basic_OP::set_claimed_id(const string& c) { 58 void basic_OP::set_claimed_id(const string& c) {
58 claimed_id = c; 59 claimed_id = c;
59 } 60 }
60 61
61 basic_openid_message& basic_OP::associate( 62 basic_openid_message& basic_OP::associate(
62 basic_openid_message& oum, 63 basic_openid_message& oum,
63 const basic_openid_message& inm) try { 64 const basic_openid_message& inm) try {
64 assert(inm.get_field("mode")=="associate"); 65 assert(inm.get_field("mode")=="associate");
65 util::dh_t dh; 66 util::dh_t dh;
66 util::bignum_t c_pub; 67 util::bignum_t c_pub;
67 unsigned char key_digest[SHA256_DIGEST_LENGTH]; 68 unsigned char key_digest[SHA256_DIGEST_LENGTH];
68 size_t d_len = 0; 69 size_t d_len = 0;
69 string sts = inm.get_field("session_type"); 70 string sts = inm.get_field("session_type");
70 string ats = inm.get_field("assoc_type"); 71 string ats = inm.get_field("assoc_type");
71 if(sts=="DH-SHA1" || sts=="DH-SHA256") { 72 if(sts=="DH-SHA1" || sts=="DH-SHA256") {
72 if(!(dh = DH_new())) 73 if(!(dh = DH_new()))
73 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 74 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
74 c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public")); 75 c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));
75 try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus")); 76 try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));
76 }catch(failed_lookup&) { 77 }catch(failed_lookup&) {
77 dh->p = util::dec_to_bignum(data::_default_p); } 78 dh->p = util::dec_to_bignum(data::_default_p); }
78 try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen")); 79 try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));
79 }catch(failed_lookup&) { 80 }catch(failed_lookup&) {
80 dh->g = util::dec_to_bignum(data::_default_g); } 81 dh->g = util::dec_to_bignum(data::_default_g); }
81 if(!DH_generate_key(dh)) 82 if(!DH_generate_key(dh))
82 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 83 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
83 vector<unsigned char> ck(DH_size(dh)+1); 84 vector<unsigned char> ck(DH_size(dh)+1);
84 unsigned char *ckptr = &(ck.front())+1; 85 unsigned char *ckptr = &(ck.front())+1;
85 int cklen = DH_compute_key(ckptr,c_pub,dh); 86 int cklen = DH_compute_key(ckptr,c_pub,dh);
86 if(cklen<0) 87 if(cklen<0)
87 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 88 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
88 if(cklen && (*ckptr)&0x80) { 89 if(cklen && (*ckptr)&0x80) {
89 (*(--ckptr)) = 0; ++cklen; } 90 (*(--ckptr)) = 0; ++cklen; }
90 if(sts=="DH-SHA1") { 91 if(sts=="DH-SHA1") {
91 SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH; 92 SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;
92 }else if(sts=="DH-SHA256") { 93 }else if(sts=="DH-SHA256") {
93 SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH; 94 SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;
94 }else 95 }else
95 throw internal_error(OPKELE_CP_ "I thought I knew the session type"); 96 throw internal_error(OPKELE_CP_ "I thought I knew the session type");
96 }else 97 }else
97 throw unsupported(OPKELE_CP_ "Unsupported session_type"); 98 throw unsupported(OPKELE_CP_ "Unsupported session_type");
98 assoc_t a; 99 assoc_t a;
99 if(ats=="HMAC-SHA1") 100 if(ats=="HMAC-SHA1")
100 a = alloc_assoc(ats,SHA_DIGEST_LENGTH,false); 101 a = alloc_assoc(ats,SHA_DIGEST_LENGTH,false);
101 else if(ats=="HMAC-SHA256") 102 else if(ats=="HMAC-SHA256")
102 a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,false); 103 a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,false);
103 else 104 else
104 throw unsupported(OPKELE_CP_ "Unsupported assoc_type"); 105 throw unsupported(OPKELE_CP_ "Unsupported assoc_type");
105 oum.reset_fields(); 106 oum.reset_fields();
106 oum.set_field("ns",OIURI_OPENID20); 107 oum.set_field("ns",OIURI_OPENID20);
107 oum.set_field("assoc_type",a->assoc_type()); 108 oum.set_field("assoc_type",a->assoc_type());
108 oum.set_field("assoc_handle",a->handle()); 109 oum.set_field("assoc_handle",a->handle());
109 oum.set_field("expires_in",util::long_to_string(a->expires_in())); 110 oum.set_field("expires_in",util::long_to_string(a->expires_in()));
110 secret_t secret = a->secret(); 111 secret_t secret = a->secret();
111 if(sts=="DH-SHA1" || sts=="DH-SHA256") { 112 if(sts=="DH-SHA1" || sts=="DH-SHA256") {
112 if(d_len != secret.size()) 113 if(d_len != secret.size())
113 throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size"); 114 throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");
114 oum.set_field("session_type",sts); 115 oum.set_field("session_type",sts);
115 oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key)); 116 oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));
116 string b64; secret.enxor_to_base64(key_digest,b64); 117 string b64; secret.enxor_to_base64(key_digest,b64);
117 oum.set_field("enc_mac_key",b64); 118 oum.set_field("enc_mac_key",b64);
118 }else /* TODO: support cleartext over encrypted connection */ 119 }else /* TODO: support cleartext over encrypted connection */
119 throw unsupported(OPKELE_CP_ "Unsupported session type"); 120 throw unsupported(OPKELE_CP_ "Unsupported session type");
120 return oum; 121 return oum;
121 } catch(unsupported& u) { 122 } catch(unsupported& u) {
122 oum.reset_fields(); 123 oum.reset_fields();
123 oum.set_field("ns",OIURI_OPENID20); 124 oum.set_field("ns",OIURI_OPENID20);
124 oum.set_field("error",u.what()); 125 oum.set_field("error",u.what());
125 oum.set_field("error_code","unsupported-type"); 126 oum.set_field("error_code","unsupported-type");
126 oum.set_field("session_type","DH-SHA256"); 127 oum.set_field("session_type","DH-SHA256");
127 oum.set_field("assoc_type","HMAC-SHA256"); 128 oum.set_field("assoc_type","HMAC-SHA256");
128 return oum; 129 return oum;
129 } 130 }
130 131
131 void basic_OP::checkid_(const basic_openid_message& inm, 132 void basic_OP::checkid_(const basic_openid_message& inm,
132 extension_t *ext) { 133 extension_t *ext) {
133 reset_vars(); 134 reset_vars();
134 string modestr = inm.get_field("mode"); 135 string modestr = inm.get_field("mode");
135 if(modestr=="checkid_setup") 136 if(modestr=="checkid_setup")
136 mode = mode_checkid_setup; 137 mode = mode_checkid_setup;
137 else if(modestr=="checkid_immediate") 138 else if(modestr=="checkid_immediate")
138 mode = mode_checkid_immediate; 139 mode = mode_checkid_immediate;
139 else 140 else
140 throw bad_input(OPKELE_CP_ "Invalid checkid_* mode"); 141 throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");
141 try { 142 try {
142 assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle")); 143 assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));
143 invalidate_handle.clear(); 144 invalidate_handle.clear();
144 }catch(failed_lookup&) { } 145 }catch(failed_lookup&) { }
145 try { 146 try {
146 openid2 = (inm.get_field("ns")==OIURI_OPENID20); 147 openid2 = (inm.get_field("ns")==OIURI_OPENID20);
147 }catch(failed_lookup&) { openid2 = false; } 148 }catch(failed_lookup&) { openid2 = false; }
148 try { 149 try {
149 return_to = inm.get_field("return_to"); 150 return_to = inm.get_field("return_to");
150 }catch(failed_lookup&) { } 151 }catch(failed_lookup&) { }
151 if(openid2) { 152 if(openid2) {
152 try { 153 try {
153 realm = inm.get_field("realm"); 154 realm = inm.get_field("realm");
154 }catch(failed_lookup&) { 155 }catch(failed_lookup&) {
155 try { 156 try {
156 realm = inm.get_field("trust_root"); 157 realm = inm.get_field("trust_root");
157 }catch(failed_lookup&) { 158 }catch(failed_lookup&) {
158 if(return_to.empty()) 159 if(return_to.empty())
159 throw bad_input(OPKELE_CP_ 160 throw bad_input(OPKELE_CP_
160 "Both realm and return_to are unset"); 161 "Both realm and return_to are unset");
161 realm = return_to; 162 realm = return_to;
162 } 163 }
163 } 164 }
164 }else{ 165 }else{
165 try { 166 try {
166 realm = inm.get_field("trust_root"); 167 realm = inm.get_field("trust_root");
167 }catch(failed_lookup&) { 168 }catch(failed_lookup&) {
168 if(return_to.empty()) 169 if(return_to.empty())
169 throw bad_input(OPKELE_CP_ 170 throw bad_input(OPKELE_CP_
170 "Both realm and return_to are unset"); 171 "Both realm and return_to are unset");
171 realm = return_to; 172 realm = return_to;
172 } 173 }
173 } 174 }
174 try { 175 try {
175 identity = inm.get_field("identity"); 176 identity = inm.get_field("identity");
176 try { 177 try {
177 claimed_id = inm.get_field("claimed_id"); 178 claimed_id = inm.get_field("claimed_id");
178 }catch(failed_lookup&) { 179 }catch(failed_lookup&) {
179 if(openid2) 180 if(openid2)
180 throw bad_input(OPKELE_CP_ 181 throw bad_input(OPKELE_CP_
181 "claimed_id and identity must be either both present or both absent"); 182 "claimed_id and identity must be either both present or both absent");
182 claimed_id = identity; 183 claimed_id = identity;
183 } 184 }
184 }catch(failed_lookup&) { 185 }catch(failed_lookup&) {
185 if(openid2 && inm.has_field("claimed_id")) 186 if(openid2 && inm.has_field("claimed_id"))
186 throw bad_input(OPKELE_CP_ 187 throw bad_input(OPKELE_CP_
187 "claimed_id and identity must be either both present or both absent"); 188 "claimed_id and identity must be either both present or both absent");
188 } 189 }
189 verify_return_to(); 190 verify_return_to();
190 if(ext) ext->op_checkid_hook(inm); 191 if(ext) ext->op_checkid_hook(inm);
191 } 192 }
192 193
193 basic_openid_message& basic_OP::id_res(basic_openid_message& om, 194 basic_openid_message& basic_OP::id_res(basic_openid_message& om,
194 extension_t *ext) { 195 extension_t *ext) {
195 assert(!return_to.empty()); 196 assert(!return_to.empty());
196 assert(!is_id_select()); 197 assert(!is_id_select());
197 if(!assoc) { 198 if(!assoc) {
198 assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true); 199 assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true);
199 } 200 }
200 time_t now = time(0); 201 time_t now = time(0);