1 files changed, 320 insertions, 0 deletions
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
new file mode 100644
index 0000000..22012bc
--- a/dev/null
+++ b/lib/basic_op.cc
@@ -0,0 +1,320 @@
+#include <time.h>
+#include <cassert>
+#include <openssl/sha.h>
+#include <openssl/hmac.h>
+#include <opkele/data.h>
+#include <opkele/basic_op.h>
+#include <opkele/exception.h>
+#include <opkele/util.h>
+#include <opkele/uris.h>
+namespace opkele {
+    void basic_op::reset_vars() {
+        assoc.reset();
+        return_to.clear(); realm.clear();
+        claimed_id.clear(); identity.clear();
+        invalidate_handle.clear();
+    }
+    bool basic_op::has_return_to() const {
+        return !return_to.empty();
+    }
+    const string& basic_op::get_return_to() const {
+        if(return_to.empty())
+            throw no_return_to(OPKELE_CP_ "No return_to URL provided with request");
+        return return_to;
+    }
+    const string& basic_op::get_realm() const {
+        assert(!realm.empty());
+        return realm;
+    }
+    bool basic_op::has_identity() const {
+        return !identity.empty();
+    }
+    const string& basic_op::get_claimed_id() const {
+        if(claimed_id.empty())
+            throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");
+        assert(!identity.empty());
+        return claimed_id;
+    }
+    const string& basic_op::get_identity() const {
+        if(identity.empty())
+            throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");
+        assert(!claimed_id.empty());
+        return identity;
+    }
+    bool basic_op::is_id_select() const {
+        return identity==IDURI_SELECT20;
+    }
+    void basic_op::select_identity(const string& c,const string& i) {
+        claimed_id = c; identity = i;
+    }
+    void basic_op::set_claimed_id(const string& c) {
+        claimed_id = c;
+    }
+    basic_openid_message& basic_op::associate(
+            basic_openid_message& oum,
+            const basic_openid_message& inm) try {
+        assert(inm.get_field("mode")=="associate");
+        util::dh_t dh;
+        util::bignum_t c_pub;
+        unsigned char key_digest[SHA256_DIGEST_LENGTH];
+        size_t d_len = 0;
+        enum {
+            sess_cleartext, sess_dh_sha1, sess_dh_sha256
+        } st = sess_cleartext;
+        string sts = inm.get_field("session_type");
+        string ats = inm.get_field("assoc_type");
+        if(sts=="DH-SHA1" || sts=="DH-SHA256") {
+            if(!(dh = DH_new()))
+                throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
+            c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));
+            try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));
+            }catch(failed_lookup&) {
+                dh->p = util::dec_to_bignum(data::_default_p); }
+            try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));
+            }catch(failed_lookup&) {
+                dh->g = util::dec_to_bignum(data::_default_g); }
+            if(!DH_generate_key(dh))
+                throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
+            vector<unsigned char> ck(DH_size(dh)+1);
+            unsigned char *ckptr = &(ck.front())+1;
+            int cklen = DH_compute_key(ckptr,c_pub,dh);
+            if(cklen<0)
+                throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
+            if(cklen && (*ckptr)&0x80) {
+                (*(--ckptr)) = 0; ++cklen; }
+            if(sts=="DH-SHA1") {
+                SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;
+            }else if(sts=="DH-SHA256") {
+                SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;
+            }else
+                throw internal_error(OPKELE_CP_ "I thought I knew the session type");
+        }else
+            throw unsupported(OPKELE_CP_ "Unsupported session_type");
+        assoc_t assoc;
+        if(ats=="HMAC-SHA1")
+            assoc = alloc_assoc(ats,SHA_DIGEST_LENGTH,true);
+        else if(ats=="HMAC-SHA256")
+            assoc = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true);
+        else
+            throw unsupported(OPKELE_CP_ "Unsupported assoc_type");
+        oum.reset_fields();
+        oum.set_field("ns",OIURI_OPENID20);
+        oum.set_field("assoc_type",assoc->assoc_type());
+        oum.set_field("assoc_handle",assoc->handle());
+        oum.set_field("expires_in",util::long_to_string(assoc->expires_in()));
+        secret_t secret = assoc->secret();
+        if(sts=="DH-SHA1" || sts=="DH-SHA256") {
+            if(d_len != secret.size())
+                throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");
+            oum.set_field("session_type",sts);
+            oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));
+            string b64; secret.enxor_to_base64(key_digest,b64);
+            oum.set_field("enc_mac_key",b64);
+        }else /* TODO: support cleartext over encrypted connection */
+            throw unsupported(OPKELE_CP_ "Unsupported session type");
+        return oum;
+    } catch(unsupported& u) {
+        oum.reset_fields();
+        oum.set_field("ns",OIURI_OPENID20);
+        oum.set_field("error",u.what());
+        oum.set_field("error_code","unsupported-type");
+        oum.set_field("session_type","DH-SHA256");
+        oum.set_field("assoc_type","HMAC-SHA256");
+        return oum;
+    }
+    void basic_op::checkid_(const basic_openid_message& inm,
+            extension_t *ext) {
+        reset_vars();
+        string mode = inm.get_field("mode");
+        if(mode=="checkid_setup")
+            mode = mode_checkid_setup;
+        else if(mode=="checkid_immediate")
+            mode = mode_checkid_immediate;
+        else
+            throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");
+        try {
+            assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));
+            invalidate_handle.clear();
+        }catch(failed_lookup&) {
+            // no handle specified or no valid assoc found, go dumb
+            assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true);
+        }
+        try {
+            openid2 = (inm.get_field("ns")==OIURI_OPENID20);
+        }catch(failed_lookup&) { openid2 = false; }
+        try {
+            return_to = inm.get_field("return_to");
+        }catch(failed_lookup&) { }
+        if(openid2) {
+            try {
+                realm = inm.get_field("realm");
+            }catch(failed_lookup&) {
+                try {
+                    realm = inm.get_field("trust_root");
+                }catch(failed_lookup&) {
+                    if(return_to.empty())
+                        throw bad_input(OPKELE_CP_
+                                "Both realm and return_to are unset");
+                    realm = return_to;
+                }
+            }
+        }else{
+            try {
+                realm = inm.get_field("trust_root");
+            }catch(failed_lookup&) {
+                if(return_to.empty())
+                    throw bad_input(OPKELE_CP_
+                            "Both realm and return_to are unset");
+                realm = return_to;
+            }
+        }
+        try {
+            identity = inm.get_field("identity");
+            try {
+                claimed_id = inm.get_field("claimed_id");
+            }catch(failed_lookup&) {
+                if(openid2)
+                    throw bad_input(OPKELE_CP_
+                            "claimed_id and identity must be either both present or both absent");
+            }
+        }catch(failed_lookup&) {
+            if(openid2 && inm.has_field("claimed_id"))
+                throw bad_input(OPKELE_CP_
+                    "claimed_id and identity must be either both present or both absent");
+        }
+        verify_return_to();
+    }
+    basic_openid_message& basic_op::id_res(basic_openid_message& om) {
+        assert(assoc);
+        assert(!return_to.empty());
+        assert(!is_id_select());
+        time_t now = time(0);
+        struct tm gmt; gmtime_r(&now,&gmt);
+        char w3timestr[24];
+        if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt))
+            throw failed_conversion(OPKELE_CP_
+                    "Failed to build time string for nonce" );
+        om.set_field("ns",OIURI_OPENID20);
+        om.set_field("mode","id_res");
+        om.set_field("op_endpoint",get_op_endpoint());
+        string ats = "ns,mode,op_endpoint,return_to,response_nonce,"
+            "assoc_handle,signed";
+        if(!identity.empty()) {
+            om.set_field("identity",identity);
+            om.set_field("claimed_id",claimed_id);
+            ats += ",identity,claimed_id";
+        }
+        om.set_field("return_to",return_to);
+        string nonce = w3timestr;
+        om.set_field("response_nonce",alloc_nonce(nonce,assoc->stateless()));
+        if(!invalidate_handle.empty()) {
+            om.set_field("invalidate_handle",invalidate_handle);
+            ats += ",invalidate_handle";
+        }
+        om.set_field("assoc_handle",assoc->handle());
+        om.add_to_signed(ats);
+        om.set_field("sig",util::base64_signature(assoc,om));
+        return om;
+    }
+    basic_openid_message& basic_op::cancel(basic_openid_message& om) {
+        assert(!return_to.empty());
+        om.set_field("ns",OIURI_OPENID20);
+        om.set_field("mode","cancel");
+        return om;
+    }
+    basic_openid_message& basic_op::error(basic_openid_message& om,
+            const string& error,const string& contact,
+            const string& reference ) {
+        assert(!return_to.empty());
+        om.set_field("ns",OIURI_OPENID20);
+        om.set_field("mode","error");
+        om.set_field("error",error);
+        om.set_field("contact",contact);
+        om.set_field("reference",reference);
+        return om;
+    }
+    basic_openid_message& basic_op::setup_needed(
+            basic_openid_message& oum,const basic_openid_message& inm) {
+        assert(mode==mode_checkid_immediate);
+        assert(!return_to.empty());
+        if(openid2) {
+            oum.set_field("ns",OIURI_OPENID20);
+            oum.set_field("mode","setup_needed");
+        }else{
+            oum.set_field("mode","id_res");
+            static const string setupmode = "checkid_setup";
+            oum.set_field("user_setup_url",
+                    util::change_mode_message_proxy(inm,setupmode)
+                    .append_query(get_op_endpoint()));
+        }
+        return oum;
+    }
+    basic_openid_message& basic_op::check_authentication(
+            basic_openid_message& oum,
+            const basic_openid_message& inm) try {
+        assert(inm.get_field("mode")=="check_authentication");
+        oum.reset_fields();
+        oum.set_field("ns",OIURI_OPENID20);
+        bool o2;
+        try {
+            o2 = (inm.get_field("ns")==OIURI_OPENID20);
+        }catch(failed_lookup&) { o2 = false; }
+        string nonce;
+        if(o2) {
+            try {
+                if(!check_nonce(nonce = inm.get_field("response_nonce")))
+                    throw failed_check_authentication(OPKELE_CP_ "Invalid nonce");
+            }catch(failed_lookup&) {
+                throw failed_check_authentication(OPKELE_CP_ "No nonce provided with check_authentication request");
+            }
+        }
+        try {
+            assoc = retrieve_assoc(inm.get_field("assoc_handle"));
+            if(!assoc->stateless())
+                throw failed_check_authentication(OPKELE_CP_ "Will not do check_authentication on a stateful handle");
+        }catch(failed_lookup&) {
+            throw failed_check_authentication(OPKELE_CP_ "No assoc_handle or invalid assoc_handle specified with check_authentication request");
+        }
+        static const string idresmode = "id_res";
+        try {
+            if(util::base64_signature(assoc,util::change_mode_message_proxy(inm,idresmode))!=inm.get_field("sig"))
+                throw failed_check_authentication(OPKELE_CP_ "Signature mismatch");
+        }catch(failed_lookup&) {
+            throw failed_check_authentication(OPKELE_CP_ "failed to calculate signature");
+        }
+        oum.set_field("is_valid","true");
+        try {
+            string h = inm.get_field("invalidate_handle");
+            try {
+                assoc_t ih = retrieve_assoc(h);
+            }catch(invalid_handle& ih) {
+                oum.set_field("invalidate_handle",h);
+            }catch(failed_lookup& ih) {
+                oum.set_field("invalidate_handle",h);
+            }
+        }catch(failed_lookup&) { }
+        if(o2) {
+            assert(!nonce.empty());
+            invalidate_nonce(nonce);
+        }
+        return oum;
+    }catch(failed_check_authentication& ) {
+        oum.set_field("is_valid","false");
+        return oum;
+    }
+}

diff --git a/lib/basic_op.cc b/lib/basic_op.cc new file mode 100644 index 0000000..22012bc --- a/dev/null +++ b/lib/basic_op.cc
@@ -0,0 +1,320 @@
	1	#include <time.h>
	2	#include <cassert>
	3	#include <openssl/sha.h>
	4	#include <openssl/hmac.h>
	5	#include <opkele/data.h>
	6	#include <opkele/basic_op.h>
	7	#include <opkele/exception.h>
	8	#include <opkele/util.h>
	9	#include <opkele/uris.h>
	10
	11	namespace opkele {
	12
	13	void basic_op::reset_vars() {
	14	assoc.reset();
	15	return_to.clear(); realm.clear();
	16	claimed_id.clear(); identity.clear();
	17	invalidate_handle.clear();
	18	}
	19
	20	bool basic_op::has_return_to() const {
	21	return !return_to.empty();
	22	}
	23	const string& basic_op::get_return_to() const {
	24	if(return_to.empty())
	25	throw no_return_to(OPKELE_CP_ "No return_to URL provided with request");
	26	return return_to;
	27	}
	28
	29	const string& basic_op::get_realm() const {
	30	assert(!realm.empty());
	31	return realm;
	32	}
	33
	34	bool basic_op::has_identity() const {
	35	return !identity.empty();
	36	}
	37	const string& basic_op::get_claimed_id() const {
	38	if(claimed_id.empty())
	39	throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");
	40	assert(!identity.empty());
	41	return claimed_id;
	42	}
	43	const string& basic_op::get_identity() const {
	44	if(identity.empty())
	45	throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");
	46	assert(!claimed_id.empty());
	47	return identity;
	48	}
	49
	50	bool basic_op::is_id_select() const {
	51	return identity==IDURI_SELECT20;
	52	}
	53
	54	void basic_op::select_identity(const string& c,const string& i) {
	55	claimed_id = c; identity = i;
	56	}
	57	void basic_op::set_claimed_id(const string& c) {
	58	claimed_id = c;
	59	}
	60
	61	basic_openid_message& basic_op::associate(
	62	basic_openid_message& oum,
	63	const basic_openid_message& inm) try {
	64	assert(inm.get_field("mode")=="associate");
	65	util::dh_t dh;
	66	util::bignum_t c_pub;
	67	unsigned char key_digest[SHA256_DIGEST_LENGTH];
	68	size_t d_len = 0;
	69	enum {
	70	sess_cleartext, sess_dh_sha1, sess_dh_sha256
	71	} st = sess_cleartext;
	72	string sts = inm.get_field("session_type");
	73	string ats = inm.get_field("assoc_type");
	74	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {
	75	if(!(dh = DH_new()))
	76	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
	77	c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));
	78	try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));
	79	}catch(failed_lookup&) {
	80	dh->p = util::dec_to_bignum(data::_default_p); }
	81	try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));
	82	}catch(failed_lookup&) {
	83	dh->g = util::dec_to_bignum(data::_default_g); }
	84	if(!DH_generate_key(dh))
	85	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
	86	vector<unsigned char> ck(DH_size(dh)+1);
	87	unsigned char *ckptr = &(ck.front())+1;
	88	int cklen = DH_compute_key(ckptr,c_pub,dh);
	89	if(cklen<0)
	90	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
	91	if(cklen && (*ckptr)&0x80) {
	92	(*(--ckptr)) = 0; ++cklen; }
	93	if(sts=="DH-SHA1") {
	94	SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;
	95	}else if(sts=="DH-SHA256") {
	96	SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;
	97	}else
	98	throw internal_error(OPKELE_CP_ "I thought I knew the session type");
	99	}else
	100	throw unsupported(OPKELE_CP_ "Unsupported session_type");
	101	assoc_t assoc;
	102	if(ats=="HMAC-SHA1")
	103	assoc = alloc_assoc(ats,SHA_DIGEST_LENGTH,true);
	104	else if(ats=="HMAC-SHA256")
	105	assoc = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true);
	106	else
	107	throw unsupported(OPKELE_CP_ "Unsupported assoc_type");
	108	oum.reset_fields();
	109	oum.set_field("ns",OIURI_OPENID20);
	110	oum.set_field("assoc_type",assoc->assoc_type());
	111	oum.set_field("assoc_handle",assoc->handle());
	112	oum.set_field("expires_in",util::long_to_string(assoc->expires_in()));
	113	secret_t secret = assoc->secret();
	114	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {
	115	if(d_len != secret.size())
	116	throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");
	117	oum.set_field("session_type",sts);
	118	oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));
	119	string b64; secret.enxor_to_base64(key_digest,b64);
	120	oum.set_field("enc_mac_key",b64);
	121	}else /* TODO: support cleartext over encrypted connection */
	122	throw unsupported(OPKELE_CP_ "Unsupported session type");
	123	return oum;
	124	} catch(unsupported& u) {
	125	oum.reset_fields();
	126	oum.set_field("ns",OIURI_OPENID20);
	127	oum.set_field("error",u.what());
	128	oum.set_field("error_code","unsupported-type");
	129	oum.set_field("session_type","DH-SHA256");
	130	oum.set_field("assoc_type","HMAC-SHA256");
	131	return oum;
	132	}
	133
	134	void basic_op::checkid_(const basic_openid_message& inm,
	135	extension_t *ext) {
	136	reset_vars();
	137	string mode = inm.get_field("mode");
	138	if(mode=="checkid_setup")
	139	mode = mode_checkid_setup;
	140	else if(mode=="checkid_immediate")
	141	mode = mode_checkid_immediate;
	142	else
	143	throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");
	144	try {
	145	assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));
	146	invalidate_handle.clear();
	147	}catch(failed_lookup&) {
	148	// no handle specified or no valid assoc found, go dumb
	149	assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true);
	150	}
	151	try {
	152	openid2 = (inm.get_field("ns")==OIURI_OPENID20);
	153	}catch(failed_lookup&) { openid2 = false; }
	154	try {
	155	return_to = inm.get_field("return_to");
	156	}catch(failed_lookup&) { }
	157	if(openid2) {
	158	try {
	159	realm = inm.get_field("realm");
	160	}catch(failed_lookup&) {
	161	try {
	162	realm = inm.get_field("trust_root");
	163	}catch(failed_lookup&) {
	164	if(return_to.empty())
	165	throw bad_input(OPKELE_CP_
	166	"Both realm and return_to are unset");
	167	realm = return_to;
	168	}
	169	}
	170	}else{
	171	try {
	172	realm = inm.get_field("trust_root");
	173	}catch(failed_lookup&) {
	174	if(return_to.empty())
	175	throw bad_input(OPKELE_CP_
	176	"Both realm and return_to are unset");
	177	realm = return_to;
	178	}
	179	}
	180	try {
	181	identity = inm.get_field("identity");
	182	try {
	183	claimed_id = inm.get_field("claimed_id");
	184	}catch(failed_lookup&) {
	185	if(openid2)
	186	throw bad_input(OPKELE_CP_
	187	"claimed_id and identity must be either both present or both absent");
	188	}
	189	}catch(failed_lookup&) {
	190	if(openid2 && inm.has_field("claimed_id"))
	191	throw bad_input(OPKELE_CP_
	192	"claimed_id and identity must be either both present or both absent");
	193	}
	194	verify_return_to();
	195	}
	196
	197	basic_openid_message& basic_op::id_res(basic_openid_message& om) {
	198	assert(assoc);
	199	assert(!return_to.empty());
	200	assert(!is_id_select());
	201	time_t now = time(0);
	202	struct tm gmt; gmtime_r(&now,&gmt);
	203	char w3timestr[24];
	204	if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt))
	205	throw failed_conversion(OPKELE_CP_
	206	"Failed to build time string for nonce" );
	207	om.set_field("ns",OIURI_OPENID20);
	208	om.set_field("mode","id_res");
	209	om.set_field("op_endpoint",get_op_endpoint());
	210	string ats = "ns,mode,op_endpoint,return_to,response_nonce,"
	211	"assoc_handle,signed";
	212	if(!identity.empty()) {
	213	om.set_field("identity",identity);
	214	om.set_field("claimed_id",claimed_id);
	215	ats += ",identity,claimed_id";
	216	}
	217	om.set_field("return_to",return_to);
	218	string nonce = w3timestr;
	219	om.set_field("response_nonce",alloc_nonce(nonce,assoc->stateless()));
	220	if(!invalidate_handle.empty()) {
	221	om.set_field("invalidate_handle",invalidate_handle);
	222	ats += ",invalidate_handle";
	223	}
	224	om.set_field("assoc_handle",assoc->handle());
	225	om.add_to_signed(ats);
	226	om.set_field("sig",util::base64_signature(assoc,om));
	227	return om;
	228	}
	229
	230	basic_openid_message& basic_op::cancel(basic_openid_message& om) {
	231	assert(!return_to.empty());
	232	om.set_field("ns",OIURI_OPENID20);
	233	om.set_field("mode","cancel");
	234	return om;
	235	}
	236
	237	basic_openid_message& basic_op::error(basic_openid_message& om,
	238	const string& error,const string& contact,
	239	const string& reference ) {
	240	assert(!return_to.empty());
	241	om.set_field("ns",OIURI_OPENID20);
	242	om.set_field("mode","error");
	243	om.set_field("error",error);
	244	om.set_field("contact",contact);
	245	om.set_field("reference",reference);
	246	return om;
	247	}
	248
	249	basic_openid_message& basic_op::setup_needed(
	250	basic_openid_message& oum,const basic_openid_message& inm) {
	251	assert(mode==mode_checkid_immediate);
	252	assert(!return_to.empty());
	253	if(openid2) {
	254	oum.set_field("ns",OIURI_OPENID20);
	255	oum.set_field("mode","setup_needed");
	256	}else{
	257	oum.set_field("mode","id_res");
	258	static const string setupmode = "checkid_setup";
	259	oum.set_field("user_setup_url",
	260	util::change_mode_message_proxy(inm,setupmode)
	261	.append_query(get_op_endpoint()));
	262	}
	263	return oum;
	264	}
	265
	266	basic_openid_message& basic_op::check_authentication(
	267	basic_openid_message& oum,
	268	const basic_openid_message& inm) try {
	269	assert(inm.get_field("mode")=="check_authentication");
	270	oum.reset_fields();
	271	oum.set_field("ns",OIURI_OPENID20);
	272	bool o2;
	273	try {
	274	o2 = (inm.get_field("ns")==OIURI_OPENID20);
	275	}catch(failed_lookup&) { o2 = false; }
	276	string nonce;
	277	if(o2) {
	278	try {
	279	if(!check_nonce(nonce = inm.get_field("response_nonce")))
	280	throw failed_check_authentication(OPKELE_CP_ "Invalid nonce");
	281	}catch(failed_lookup&) {
	282	throw failed_check_authentication(OPKELE_CP_ "No nonce provided with check_authentication request");
	283	}
	284	}
	285	try {
	286	assoc = retrieve_assoc(inm.get_field("assoc_handle"));
	287	if(!assoc->stateless())
	288	throw failed_check_authentication(OPKELE_CP_ "Will not do check_authentication on a stateful handle");
	289	}catch(failed_lookup&) {
	290	throw failed_check_authentication(OPKELE_CP_ "No assoc_handle or invalid assoc_handle specified with check_authentication request");
	291	}
	292	static const string idresmode = "id_res";
	293	try {
	294	if(util::base64_signature(assoc,util::change_mode_message_proxy(inm,idresmode))!=inm.get_field("sig"))
	295	throw failed_check_authentication(OPKELE_CP_ "Signature mismatch");
	296	}catch(failed_lookup&) {
	297	throw failed_check_authentication(OPKELE_CP_ "failed to calculate signature");
	298	}
	299	oum.set_field("is_valid","true");
	300	try {
	301	string h = inm.get_field("invalidate_handle");
	302	try {
	303	assoc_t ih = retrieve_assoc(h);
	304	}catch(invalid_handle& ih) {
	305	oum.set_field("invalidate_handle",h);
	306	}catch(failed_lookup& ih) {
	307	oum.set_field("invalidate_handle",h);
	308	}
	309	}catch(failed_lookup&) { }
	310	if(o2) {
	311	assert(!nonce.empty());
	312	invalidate_nonce(nonce);
	313	}
	314	return oum;
	315	}catch(failed_check_authentication& ) {
	316	oum.set_field("is_valid","false");
	317	return oum;
	318	}
	319
	320	}