| -rw-r--r-- | lib/basic_rp.cc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc index 3357d0b..3cad71c 100644 --- a/lib/basic_rp.cc +++ b/lib/basic_rp.cc | |||
| @@ -1,64 +1,65 @@ | |||
| 1 | #include <sys/types.h> | ||
| 1 | #include <cassert> | 2 | #include <cassert> |
| 2 | #include <openssl/sha.h> | 3 | #include <openssl/sha.h> |
| 3 | #include <openssl/hmac.h> | 4 | #include <openssl/hmac.h> |
| 4 | #include <opkele/basic_rp.h> | 5 | #include <opkele/basic_rp.h> |
| 5 | #include <opkele/exception.h> | 6 | #include <opkele/exception.h> |
| 6 | #include <opkele/uris.h> | 7 | #include <opkele/uris.h> |
| 7 | #include <opkele/data.h> | 8 | #include <opkele/data.h> |
| 8 | #include <opkele/util.h> | 9 | #include <opkele/util.h> |
| 9 | #include <opkele/util-internal.h> | 10 | #include <opkele/util-internal.h> |
| 10 | #include <opkele/curl.h> | 11 | #include <opkele/curl.h> |
| 11 | #include <opkele/debug.h> | 12 | #include <opkele/debug.h> |
| 12 | 13 | ||
| 13 | namespace opkele { | 14 | namespace opkele { |
| 14 | 15 | ||
| 15 | void basic_RP::reset_vars() { | 16 | void basic_RP::reset_vars() { |
| 16 | claimed_id.clear(); identity.clear(); | 17 | claimed_id.clear(); identity.clear(); |
| 17 | } | 18 | } |
| 18 | 19 | ||
| 19 | const string& basic_RP::get_claimed_id() const { | 20 | const string& basic_RP::get_claimed_id() const { |
| 20 | if(claimed_id.empty()) | 21 | if(claimed_id.empty()) |
| 21 | throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion"); | 22 | throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion"); |
| 22 | assert(!identity.empty()); | 23 | assert(!identity.empty()); |
| 23 | return claimed_id; | 24 | return claimed_id; |
| 24 | } | 25 | } |
| 25 | 26 | ||
| 26 | const string& basic_RP::get_identity() const { | 27 | const string& basic_RP::get_identity() const { |
| 27 | if(identity.empty()) | 28 | if(identity.empty()) |
| 28 | throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion"); | 29 | throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion"); |
| 29 | assert(!claimed_id.empty()); | 30 | assert(!claimed_id.empty()); |
| 30 | return identity; | 31 | return identity; |
| 31 | } | 32 | } |
| 32 | 33 | ||
| 33 | static void dh_get_secret( | 34 | static void dh_get_secret( |
| 34 | secret_t& secret, const basic_openid_message& om, | 35 | secret_t& secret, const basic_openid_message& om, |
| 35 | const char *exp_assoc, const char *exp_sess, | 36 | const char *exp_assoc, const char *exp_sess, |
| 36 | util::dh_t& dh, | 37 | util::dh_t& dh, |
| 37 | size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*), | 38 | size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*), |
| 38 | size_t exp_s_len) try { | 39 | size_t exp_s_len) try { |
| 39 | if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess) | 40 | if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess) |
| 40 | throw bad_input(OPKELE_CP_ "Unexpected associate response"); | 41 | throw bad_input(OPKELE_CP_ "Unexpected associate response"); |
| 41 | util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public")); | 42 | util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public")); |
| 42 | vector<unsigned char> ck(DH_size(dh)+1); | 43 | vector<unsigned char> ck(DH_size(dh)+1); |
| 43 | unsigned char *ckptr = &(ck.front())+1; | 44 | unsigned char *ckptr = &(ck.front())+1; |
| 44 | int cklen = DH_compute_key(ckptr,s_pub,dh); | 45 | int cklen = DH_compute_key(ckptr,s_pub,dh); |
| 45 | if(cklen<0) | 46 | if(cklen<0) |
| 46 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | 47 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); |
| 47 | if(cklen && (*ckptr)&0x80) { | 48 | if(cklen && (*ckptr)&0x80) { |
| 48 | (*(--ckptr))=0; ++cklen; } | 49 | (*(--ckptr))=0; ++cklen; } |
| 49 | assert(d_len<=SHA256_DIGEST_LENGTH); | 50 | assert(d_len<=SHA256_DIGEST_LENGTH); |
| 50 | unsigned char key_digest[SHA256_DIGEST_LENGTH]; | 51 | unsigned char key_digest[SHA256_DIGEST_LENGTH]; |
| 51 | secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key")); | 52 | secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key")); |
| 52 | if(secret.size()!=exp_s_len) | 53 | if(secret.size()!=exp_s_len) |
| 53 | throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type"); | 54 | throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type"); |
| 54 | }catch(opkele::failed_lookup& ofl) { | 55 | }catch(opkele::failed_lookup& ofl) { |
| 55 | throw bad_input(OPKELE_CP_ "Incoherent response from OP"); | 56 | throw bad_input(OPKELE_CP_ "Incoherent response from OP"); |
| 56 | } OPKELE_RETHROW | 57 | } OPKELE_RETHROW |
| 57 | 58 | ||
| 58 | static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) { | 59 | static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) { |
| 59 | util::curl_pick_t curl = util::curl_pick_t::easy_init(); | 60 | util::curl_pick_t curl = util::curl_pick_t::easy_init(); |
| 60 | if(!curl) | 61 | if(!curl) |
| 61 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); | 62 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); |
| 62 | string request = inm.query_string(); | 63 | string request = inm.query_string(); |
| 63 | CURLcode r; | 64 | CURLcode r; |
| 64 | (r=curl.misc_sets()) | 65 | (r=curl.misc_sets()) |