1 files changed, 3 insertions, 3 deletions
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
index 2d82147..c247493 100644
--- a/lib/basic_op.cc
+++ b/lib/basic_op.cc
@@ -36,138 +36,138 @@ namespace opkele {
    }
    const string& basic_OP::get_claimed_id() const {
        if(claimed_id.empty())
            throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");
        assert(!identity.empty());
        return claimed_id;
    }
    const string& basic_OP::get_identity() const {
        if(identity.empty())
            throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");
        assert(!claimed_id.empty());
        return identity;
    }
    bool basic_OP::is_id_select() const {
        return identity==IDURI_SELECT20;
    }
    void basic_OP::select_identity(const string& c,const string& i) {
        claimed_id = c; identity = i;
    }
    void basic_OP::set_claimed_id(const string& c) {
        claimed_id = c;
    }
    basic_openid_message& basic_OP::associate(
            basic_openid_message& oum,
            const basic_openid_message& inm) try {
        assert(inm.get_field("mode")=="associate");
        util::dh_t dh;
        util::bignum_t c_pub;
        unsigned char key_digest[SHA256_DIGEST_LENGTH];
        size_t d_len = 0;
        string sts = inm.get_field("session_type");
        string ats = inm.get_field("assoc_type");
        if(sts=="DH-SHA1" || sts=="DH-SHA256") {
            if(!(dh = DH_new()))
                throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
            c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));
            try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));
            }catch(failed_lookup&) {
                dh->p = util::dec_to_bignum(data::_default_p); }
            try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));
            }catch(failed_lookup&) {
                dh->g = util::dec_to_bignum(data::_default_g); }
            if(!DH_generate_key(dh))
                throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
            vector<unsigned char> ck(DH_size(dh)+1);
            unsigned char *ckptr = &(ck.front())+1;
            int cklen = DH_compute_key(ckptr,c_pub,dh);
            if(cklen<0)
                throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
            if(cklen && (*ckptr)&0x80) {
                (*(--ckptr)) = 0; ++cklen; }
            if(sts=="DH-SHA1") {
                SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;
            }else if(sts=="DH-SHA256") {
                SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;
            }else
                throw internal_error(OPKELE_CP_ "I thought I knew the session type");
        }else
            throw unsupported(OPKELE_CP_ "Unsupported session_type");
        assoc_t a;
        if(ats=="HMAC-SHA1")
-            a = alloc_assoc(ats,SHA_DIGEST_LENGTH,true);
+            a = alloc_assoc(ats,SHA_DIGEST_LENGTH,false);
        else if(ats=="HMAC-SHA256")
-            a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true);
+            a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,false);
        else
            throw unsupported(OPKELE_CP_ "Unsupported assoc_type");
        oum.reset_fields();
        oum.set_field("ns",OIURI_OPENID20);
        oum.set_field("assoc_type",a->assoc_type());
        oum.set_field("assoc_handle",a->handle());
-        oum.set_field("expires_in",util::long_to_string(assoc->expires_in()));
+        oum.set_field("expires_in",util::long_to_string(a->expires_in()));
        secret_t secret = a->secret();
        if(sts=="DH-SHA1" || sts=="DH-SHA256") {
            if(d_len != secret.size())
                throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");
            oum.set_field("session_type",sts);
            oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));
            string b64; secret.enxor_to_base64(key_digest,b64);
            oum.set_field("enc_mac_key",b64);
        }else /* TODO: support cleartext over encrypted connection */
            throw unsupported(OPKELE_CP_ "Unsupported session type");
        return oum;
    } catch(unsupported& u) {
        oum.reset_fields();
        oum.set_field("ns",OIURI_OPENID20);
        oum.set_field("error",u.what());
        oum.set_field("error_code","unsupported-type");
        oum.set_field("session_type","DH-SHA256");
        oum.set_field("assoc_type","HMAC-SHA256");
        return oum;
    }
    void basic_OP::checkid_(const basic_openid_message& inm,
            extension_t *ext) {
        reset_vars();
        string modestr = inm.get_field("mode");
        if(modestr=="checkid_setup")
            mode = mode_checkid_setup;
        else if(modestr=="checkid_immediate")
            mode = mode_checkid_immediate;
        else
            throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");
        try {
            assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));
            invalidate_handle.clear();
        }catch(failed_lookup&) { }
        try {
            openid2 = (inm.get_field("ns")==OIURI_OPENID20);
        }catch(failed_lookup&) { openid2 = false; }
        try {
            return_to = inm.get_field("return_to");
        }catch(failed_lookup&) { }
        if(openid2) {
            try {
                realm = inm.get_field("realm");
            }catch(failed_lookup&) {
                try {
                    realm = inm.get_field("trust_root");
                }catch(failed_lookup&) {
                    if(return_to.empty())
                        throw bad_input(OPKELE_CP_
                                "Both realm and return_to are unset");
                    realm = return_to;
                }
            }
        }else{
            try {
                realm = inm.get_field("trust_root");
            }catch(failed_lookup&) {
                if(return_to.empty())
                    throw bad_input(OPKELE_CP_
                            "Both realm and return_to are unset");
                realm = return_to;
            }
        }

diff --git a/lib/basic_op.cc b/lib/basic_op.cc index 2d82147..c247493 100644 --- a/lib/basic_op.cc +++ b/lib/basic_op.cc
@@ -36,138 +36,138 @@ namespace opkele {
36	}	36	}
37	const string& basic_OP::get_claimed_id() const {	37	const string& basic_OP::get_claimed_id() const {
38	if(claimed_id.empty())	38	if(claimed_id.empty())
39	throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");	39	throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");
40	assert(!identity.empty());	40	assert(!identity.empty());
41	return claimed_id;	41	return claimed_id;
42	}	42	}
43	const string& basic_OP::get_identity() const {	43	const string& basic_OP::get_identity() const {
44	if(identity.empty())	44	if(identity.empty())
45	throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");	45	throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");
46	assert(!claimed_id.empty());	46	assert(!claimed_id.empty());
47	return identity;	47	return identity;
48	}	48	}
49		49
50	bool basic_OP::is_id_select() const {	50	bool basic_OP::is_id_select() const {
51	return identity==IDURI_SELECT20;	51	return identity==IDURI_SELECT20;
52	}	52	}
53		53
54	void basic_OP::select_identity(const string& c,const string& i) {	54	void basic_OP::select_identity(const string& c,const string& i) {
55	claimed_id = c; identity = i;	55	claimed_id = c; identity = i;
56	}	56	}
57	void basic_OP::set_claimed_id(const string& c) {	57	void basic_OP::set_claimed_id(const string& c) {
58	claimed_id = c;	58	claimed_id = c;
59	}	59	}
60		60
61	basic_openid_message& basic_OP::associate(	61	basic_openid_message& basic_OP::associate(
62	basic_openid_message& oum,	62	basic_openid_message& oum,
63	const basic_openid_message& inm) try {	63	const basic_openid_message& inm) try {
64	assert(inm.get_field("mode")=="associate");	64	assert(inm.get_field("mode")=="associate");
65	util::dh_t dh;	65	util::dh_t dh;
66	util::bignum_t c_pub;	66	util::bignum_t c_pub;
67	unsigned char key_digest[SHA256_DIGEST_LENGTH];	67	unsigned char key_digest[SHA256_DIGEST_LENGTH];
68	size_t d_len = 0;	68	size_t d_len = 0;
69	string sts = inm.get_field("session_type");	69	string sts = inm.get_field("session_type");
70	string ats = inm.get_field("assoc_type");	70	string ats = inm.get_field("assoc_type");
71	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {	71	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {
72	if(!(dh = DH_new()))	72	if(!(dh = DH_new()))
73	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");	73	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
74	c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));	74	c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));
75	try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));	75	try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));
76	}catch(failed_lookup&) {	76	}catch(failed_lookup&) {
77	dh->p = util::dec_to_bignum(data::_default_p); }	77	dh->p = util::dec_to_bignum(data::_default_p); }
78	try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));	78	try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));
79	}catch(failed_lookup&) {	79	}catch(failed_lookup&) {
80	dh->g = util::dec_to_bignum(data::_default_g); }	80	dh->g = util::dec_to_bignum(data::_default_g); }
81	if(!DH_generate_key(dh))	81	if(!DH_generate_key(dh))
82	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");	82	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
83	vector<unsigned char> ck(DH_size(dh)+1);	83	vector<unsigned char> ck(DH_size(dh)+1);
84	unsigned char *ckptr = &(ck.front())+1;	84	unsigned char *ckptr = &(ck.front())+1;
85	int cklen = DH_compute_key(ckptr,c_pub,dh);	85	int cklen = DH_compute_key(ckptr,c_pub,dh);
86	if(cklen<0)	86	if(cklen<0)
87	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");	87	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
88	if(cklen && (*ckptr)&0x80) {	88	if(cklen && (*ckptr)&0x80) {
89	(*(--ckptr)) = 0; ++cklen; }	89	(*(--ckptr)) = 0; ++cklen; }
90	if(sts=="DH-SHA1") {	90	if(sts=="DH-SHA1") {
91	SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;	91	SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;
92	}else if(sts=="DH-SHA256") {	92	}else if(sts=="DH-SHA256") {
93	SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;	93	SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;
94	}else	94	}else
95	throw internal_error(OPKELE_CP_ "I thought I knew the session type");	95	throw internal_error(OPKELE_CP_ "I thought I knew the session type");
96	}else	96	}else
97	throw unsupported(OPKELE_CP_ "Unsupported session_type");	97	throw unsupported(OPKELE_CP_ "Unsupported session_type");
98	assoc_t a;	98	assoc_t a;
99	if(ats=="HMAC-SHA1")	99	if(ats=="HMAC-SHA1")
100	a = alloc_assoc(ats,SHA_DIGEST_LENGTH,true);	100	a = alloc_assoc(ats,SHA_DIGEST_LENGTH,false);
101	else if(ats=="HMAC-SHA256")	101	else if(ats=="HMAC-SHA256")
102	a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true);	102	a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,false);
103	else	103	else
104	throw unsupported(OPKELE_CP_ "Unsupported assoc_type");	104	throw unsupported(OPKELE_CP_ "Unsupported assoc_type");
105	oum.reset_fields();	105	oum.reset_fields();
106	oum.set_field("ns",OIURI_OPENID20);	106	oum.set_field("ns",OIURI_OPENID20);
107	oum.set_field("assoc_type",a->assoc_type());	107	oum.set_field("assoc_type",a->assoc_type());
108	oum.set_field("assoc_handle",a->handle());	108	oum.set_field("assoc_handle",a->handle());
109	oum.set_field("expires_in",util::long_to_string(assoc->expires_in()));	109	oum.set_field("expires_in",util::long_to_string(a->expires_in()));
110	secret_t secret = a->secret();	110	secret_t secret = a->secret();
111	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {	111	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {
112	if(d_len != secret.size())	112	if(d_len != secret.size())
113	throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");	113	throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");
114	oum.set_field("session_type",sts);	114	oum.set_field("session_type",sts);
115	oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));	115	oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));
116	string b64; secret.enxor_to_base64(key_digest,b64);	116	string b64; secret.enxor_to_base64(key_digest,b64);
117	oum.set_field("enc_mac_key",b64);	117	oum.set_field("enc_mac_key",b64);
118	}else /* TODO: support cleartext over encrypted connection */	118	}else /* TODO: support cleartext over encrypted connection */
119	throw unsupported(OPKELE_CP_ "Unsupported session type");	119	throw unsupported(OPKELE_CP_ "Unsupported session type");
120	return oum;	120	return oum;
121	} catch(unsupported& u) {	121	} catch(unsupported& u) {
122	oum.reset_fields();	122	oum.reset_fields();
123	oum.set_field("ns",OIURI_OPENID20);	123	oum.set_field("ns",OIURI_OPENID20);
124	oum.set_field("error",u.what());	124	oum.set_field("error",u.what());
125	oum.set_field("error_code","unsupported-type");	125	oum.set_field("error_code","unsupported-type");
126	oum.set_field("session_type","DH-SHA256");	126	oum.set_field("session_type","DH-SHA256");
127	oum.set_field("assoc_type","HMAC-SHA256");	127	oum.set_field("assoc_type","HMAC-SHA256");
128	return oum;	128	return oum;
129	}	129	}
130		130
131	void basic_OP::checkid_(const basic_openid_message& inm,	131	void basic_OP::checkid_(const basic_openid_message& inm,
132	extension_t *ext) {	132	extension_t *ext) {
133	reset_vars();	133	reset_vars();
134	string modestr = inm.get_field("mode");	134	string modestr = inm.get_field("mode");
135	if(modestr=="checkid_setup")	135	if(modestr=="checkid_setup")
136	mode = mode_checkid_setup;	136	mode = mode_checkid_setup;
137	else if(modestr=="checkid_immediate")	137	else if(modestr=="checkid_immediate")
138	mode = mode_checkid_immediate;	138	mode = mode_checkid_immediate;
139	else	139	else
140	throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");	140	throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");
141	try {	141	try {
142	assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));	142	assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));
143	invalidate_handle.clear();	143	invalidate_handle.clear();
144	}catch(failed_lookup&) { }	144	}catch(failed_lookup&) { }
145	try {	145	try {
146	openid2 = (inm.get_field("ns")==OIURI_OPENID20);	146	openid2 = (inm.get_field("ns")==OIURI_OPENID20);
147	}catch(failed_lookup&) { openid2 = false; }	147	}catch(failed_lookup&) { openid2 = false; }
148	try {	148	try {
149	return_to = inm.get_field("return_to");	149	return_to = inm.get_field("return_to");
150	}catch(failed_lookup&) { }	150	}catch(failed_lookup&) { }
151	if(openid2) {	151	if(openid2) {
152	try {	152	try {
153	realm = inm.get_field("realm");	153	realm = inm.get_field("realm");
154	}catch(failed_lookup&) {	154	}catch(failed_lookup&) {
155	try {	155	try {
156	realm = inm.get_field("trust_root");	156	realm = inm.get_field("trust_root");
157	}catch(failed_lookup&) {	157	}catch(failed_lookup&) {
158	if(return_to.empty())	158	if(return_to.empty())
159	throw bad_input(OPKELE_CP_	159	throw bad_input(OPKELE_CP_
160	"Both realm and return_to are unset");	160	"Both realm and return_to are unset");
161	realm = return_to;	161	realm = return_to;
162	}	162	}
163	}	163	}
164	}else{	164	}else{
165	try {	165	try {
166	realm = inm.get_field("trust_root");	166	realm = inm.get_field("trust_root");
167	}catch(failed_lookup&) {	167	}catch(failed_lookup&) {
168	if(return_to.empty())	168	if(return_to.empty())
169	throw bad_input(OPKELE_CP_	169	throw bad_input(OPKELE_CP_
170	"Both realm and return_to are unset");	170	"Both realm and return_to are unset");
171	realm = return_to;	171	realm = return_to;
172	}	172	}
173	}	173	}