summaryrefslogtreecommitdiffabout
authorMichael Krelin <hacker@klever.net>2008-11-23 00:43:59 (UTC)
committer Michael Krelin <hacker@klever.net>2009-04-11 15:08:59 (UTC)
commit381bfb49bfbfc569e6b5aa8e58a933de4397b053 (patch) (unidiff)
tree19f5d884250e83f43094d8bf64b52704417ff265
parenta5804c83e1ff21fcbf3acb8b1ff952b8dc94adc1 (diff)
downloadlibopkele-381bfb49bfbfc569e6b5aa8e58a933de4397b053.zip
libopkele-381bfb49bfbfc569e6b5aa8e58a933de4397b053.tar.gz
libopkele-381bfb49bfbfc569e6b5aa8e58a933de4397b053.tar.bz2
workaround for livejournal.com breaking specs
just don't treat those who supply empty op_endpoint as OpenID 2.0 providers Signed-off-by: Michael Krelin <hacker@klever.net>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--lib/basic_rp.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index 3cad71c..8125aa7 100644
--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -1,326 +1,326 @@
1#include <sys/types.h> 1#include <sys/types.h>
2#include <cassert> 2#include <cassert>
3#include <openssl/sha.h> 3#include <openssl/sha.h>
4#include <openssl/hmac.h> 4#include <openssl/hmac.h>
5#include <opkele/basic_rp.h> 5#include <opkele/basic_rp.h>
6#include <opkele/exception.h> 6#include <opkele/exception.h>
7#include <opkele/uris.h> 7#include <opkele/uris.h>
8#include <opkele/data.h> 8#include <opkele/data.h>
9#include <opkele/util.h> 9#include <opkele/util.h>
10#include <opkele/util-internal.h> 10#include <opkele/util-internal.h>
11#include <opkele/curl.h> 11#include <opkele/curl.h>
12#include <opkele/debug.h> 12#include <opkele/debug.h>
13 13
14namespace opkele { 14namespace opkele {
15 15
16 void basic_RP::reset_vars() { 16 void basic_RP::reset_vars() {
17 claimed_id.clear(); identity.clear(); 17 claimed_id.clear(); identity.clear();
18 } 18 }
19 19
20 const string& basic_RP::get_claimed_id() const { 20 const string& basic_RP::get_claimed_id() const {
21 if(claimed_id.empty()) 21 if(claimed_id.empty())
22 throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion"); 22 throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion");
23 assert(!identity.empty()); 23 assert(!identity.empty());
24 return claimed_id; 24 return claimed_id;
25 } 25 }
26 26
27 const string& basic_RP::get_identity() const { 27 const string& basic_RP::get_identity() const {
28 if(identity.empty()) 28 if(identity.empty())
29 throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion"); 29 throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion");
30 assert(!claimed_id.empty()); 30 assert(!claimed_id.empty());
31 return identity; 31 return identity;
32 } 32 }
33 33
34 static void dh_get_secret( 34 static void dh_get_secret(
35 secret_t& secret, const basic_openid_message& om, 35 secret_t& secret, const basic_openid_message& om,
36 const char *exp_assoc, const char *exp_sess, 36 const char *exp_assoc, const char *exp_sess,
37 util::dh_t& dh, 37 util::dh_t& dh,
38 size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*), 38 size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*),
39 size_t exp_s_len) try { 39 size_t exp_s_len) try {
40 if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess) 40 if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
41 throw bad_input(OPKELE_CP_ "Unexpected associate response"); 41 throw bad_input(OPKELE_CP_ "Unexpected associate response");
42 util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public")); 42 util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
43 vector<unsigned char> ck(DH_size(dh)+1); 43 vector<unsigned char> ck(DH_size(dh)+1);
44 unsigned char *ckptr = &(ck.front())+1; 44 unsigned char *ckptr = &(ck.front())+1;
45 int cklen = DH_compute_key(ckptr,s_pub,dh); 45 int cklen = DH_compute_key(ckptr,s_pub,dh);
46 if(cklen<0) 46 if(cklen<0)
47 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 47 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
48 if(cklen && (*ckptr)&0x80) { 48 if(cklen && (*ckptr)&0x80) {
49 (*(--ckptr))=0; ++cklen; } 49 (*(--ckptr))=0; ++cklen; }
50 assert(d_len<=SHA256_DIGEST_LENGTH); 50 assert(d_len<=SHA256_DIGEST_LENGTH);
51 unsigned char key_digest[SHA256_DIGEST_LENGTH]; 51 unsigned char key_digest[SHA256_DIGEST_LENGTH];
52 secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key")); 52 secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
53 if(secret.size()!=exp_s_len) 53 if(secret.size()!=exp_s_len)
54 throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type"); 54 throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");
55 }catch(opkele::failed_lookup& ofl) { 55 }catch(opkele::failed_lookup& ofl) {
56 throw bad_input(OPKELE_CP_ "Incoherent response from OP"); 56 throw bad_input(OPKELE_CP_ "Incoherent response from OP");
57 } OPKELE_RETHROW 57 } OPKELE_RETHROW
58 58
59 static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) { 59 static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
60 util::curl_pick_t curl = util::curl_pick_t::easy_init(); 60 util::curl_pick_t curl = util::curl_pick_t::easy_init();
61 if(!curl) 61 if(!curl)
62 throw exception_curl(OPKELE_CP_ "failed to initialize curl"); 62 throw exception_curl(OPKELE_CP_ "failed to initialize curl");
63 string request = inm.query_string(); 63 string request = inm.query_string();
64 CURLcode r; 64 CURLcode r;
65 (r=curl.misc_sets()) 65 (r=curl.misc_sets())
66 || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str())) 66 || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
67 || (r=curl.easy_setopt(CURLOPT_POST,1)) 67 || (r=curl.easy_setopt(CURLOPT_POST,1))
68 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) 68 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
69 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) 69 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
70 || (r=curl.set_write()); 70 || (r=curl.set_write());
71 if(r) 71 if(r)
72 throw exception_curl(OPKELE_CP_ "failed to set curly options",r); 72 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
73 if( (r=curl.easy_perform()) ) 73 if( (r=curl.easy_perform()) )
74 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); 74 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
75 oum.from_keyvalues(curl.response); 75 oum.from_keyvalues(curl.response);
76 } 76 }
77 77
78 78
79 assoc_t basic_RP::associate(const string& OP) { 79 assoc_t basic_RP::associate(const string& OP) {
80 util::dh_t dh = DH_new(); 80 util::dh_t dh = DH_new();
81 if(!dh) 81 if(!dh)
82 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 82 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
83 dh->p = util::dec_to_bignum(data::_default_p); 83 dh->p = util::dec_to_bignum(data::_default_p);
84 dh->g = util::dec_to_bignum(data::_default_g); 84 dh->g = util::dec_to_bignum(data::_default_g);
85 if(!DH_generate_key(dh)) 85 if(!DH_generate_key(dh))
86 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 86 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
87 openid_message_t req; 87 openid_message_t req;
88 req.set_field("ns",OIURI_OPENID20); 88 req.set_field("ns",OIURI_OPENID20);
89 req.set_field("mode","associate"); 89 req.set_field("mode","associate");
90 req.set_field("dh_modulus",util::bignum_to_base64(dh->p)); 90 req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
91 req.set_field("dh_gen",util::bignum_to_base64(dh->g)); 91 req.set_field("dh_gen",util::bignum_to_base64(dh->g));
92 req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key)); 92 req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
93 openid_message_t res; 93 openid_message_t res;
94 req.set_field("assoc_type","HMAC-SHA256"); 94 req.set_field("assoc_type","HMAC-SHA256");
95 req.set_field("session_type","DH-SHA256"); 95 req.set_field("session_type","DH-SHA256");
96 secret_t secret; 96 secret_t secret;
97 int expires_in; 97 int expires_in;
98 try { 98 try {
99 direct_request(res,req,OP); 99 direct_request(res,req,OP);
100 dh_get_secret( secret, res, 100 dh_get_secret( secret, res,
101 "HMAC-SHA256", "DH-SHA256", 101 "HMAC-SHA256", "DH-SHA256",
102 dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH ); 102 dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH );
103 expires_in = util::string_to_long(res.get_field("expires_in")); 103 expires_in = util::string_to_long(res.get_field("expires_in"));
104 }catch(exception&) { 104 }catch(exception&) {
105 try { 105 try {
106 req.set_field("assoc_type","HMAC-SHA1"); 106 req.set_field("assoc_type","HMAC-SHA1");
107 req.set_field("session_type","DH-SHA1"); 107 req.set_field("session_type","DH-SHA1");
108 direct_request(res,req,OP); 108 direct_request(res,req,OP);
109 dh_get_secret( secret, res, 109 dh_get_secret( secret, res,
110 "HMAC-SHA1", "DH-SHA1", 110 "HMAC-SHA1", "DH-SHA1",
111 dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH ); 111 dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH );
112 expires_in = util::string_to_long(res.get_field("expires_in")); 112 expires_in = util::string_to_long(res.get_field("expires_in"));
113 }catch(bad_input&) { 113 }catch(bad_input&) {
114 throw dumb_RP(OPKELE_CP_ "OP failed to supply an association"); 114 throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
115 } 115 }
116 } 116 }
117 return store_assoc( 117 return store_assoc(
118 OP, res.get_field("assoc_handle"), 118 OP, res.get_field("assoc_handle"),
119 res.get_field("assoc_type"), secret, 119 res.get_field("assoc_type"), secret,
120 expires_in ); 120 expires_in );
121 } 121 }
122 122
123 basic_openid_message& basic_RP::checkid_( 123 basic_openid_message& basic_RP::checkid_(
124 basic_openid_message& rv, 124 basic_openid_message& rv,
125 mode_t mode, 125 mode_t mode,
126 const string& return_to,const string& realm, 126 const string& return_to,const string& realm,
127 extension_t *ext) { 127 extension_t *ext) {
128 rv.reset_fields(); 128 rv.reset_fields();
129 rv.set_field("ns",OIURI_OPENID20); 129 rv.set_field("ns",OIURI_OPENID20);
130 if(mode==mode_checkid_immediate) 130 if(mode==mode_checkid_immediate)
131 rv.set_field("mode","checkid_immediate"); 131 rv.set_field("mode","checkid_immediate");
132 else if(mode==mode_checkid_setup) 132 else if(mode==mode_checkid_setup)
133 rv.set_field("mode","checkid_setup"); 133 rv.set_field("mode","checkid_setup");
134 else 134 else
135 throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); 135 throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
136 if(realm.empty() && return_to.empty()) 136 if(realm.empty() && return_to.empty())
137 throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty"); 137 throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
138 if(!realm.empty()) { 138 if(!realm.empty()) {
139 rv.set_field("realm",realm); 139 rv.set_field("realm",realm);
140 rv.set_field("trust_root",realm); 140 rv.set_field("trust_root",realm);
141 } 141 }
142 if(!return_to.empty()) 142 if(!return_to.empty())
143 rv.set_field("return_to",return_to); 143 rv.set_field("return_to",return_to);
144 const openid_endpoint_t& ep = get_endpoint(); 144 const openid_endpoint_t& ep = get_endpoint();
145 rv.set_field("claimed_id",ep.claimed_id); 145 rv.set_field("claimed_id",ep.claimed_id);
146 rv.set_field("identity",ep.local_id); 146 rv.set_field("identity",ep.local_id);
147 try { 147 try {
148 rv.set_field("assoc_handle",find_assoc(ep.uri)->handle()); 148 rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());
149 }catch(dumb_RP& drp) { 149 }catch(dumb_RP& drp) {
150 }catch(failed_lookup& fl) { 150 }catch(failed_lookup& fl) {
151 try { 151 try {
152 rv.set_field("assoc_handle",associate(ep.uri)->handle()); 152 rv.set_field("assoc_handle",associate(ep.uri)->handle());
153 }catch(dumb_RP& drp) { } 153 }catch(dumb_RP& drp) { }
154 } OPKELE_RETHROW 154 } OPKELE_RETHROW
155 if(ext) ext->rp_checkid_hook(rv); 155 if(ext) ext->rp_checkid_hook(rv);
156 return rv; 156 return rv;
157 } 157 }
158 158
159 class signed_part_message_proxy : public basic_openid_message { 159 class signed_part_message_proxy : public basic_openid_message {
160 public: 160 public:
161 const basic_openid_message& x; 161 const basic_openid_message& x;
162 set<string> signeds; 162 set<string> signeds;
163 163
164 signed_part_message_proxy(const basic_openid_message& xx) : x(xx) { 164 signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {
165 const string& slist = x.get_field("signed"); 165 const string& slist = x.get_field("signed");
166 string::size_type p = 0; 166 string::size_type p = 0;
167 while(true) { 167 while(true) {
168 string::size_type co = slist.find(',',p); 168 string::size_type co = slist.find(',',p);
169 string f = (co==string::npos) 169 string f = (co==string::npos)
170 ?slist.substr(p):slist.substr(p,co-p); 170 ?slist.substr(p):slist.substr(p,co-p);
171 signeds.insert(f); 171 signeds.insert(f);
172 if(co==string::npos) break; 172 if(co==string::npos) break;
173 p = co+1; 173 p = co+1;
174 } 174 }
175 } 175 }
176 176
177 bool has_field(const string& n) const { 177 bool has_field(const string& n) const {
178 return signeds.find(n)!=signeds.end() && x.has_field(n); } 178 return signeds.find(n)!=signeds.end() && x.has_field(n); }
179 const string& get_field(const string& n) const { 179 const string& get_field(const string& n) const {
180 if(signeds.find(n)==signeds.end()) 180 if(signeds.find(n)==signeds.end())
181 throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed"); 181 throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");
182 return x.get_field(n); } 182 return x.get_field(n); }
183 183
184 fields_iterator fields_begin() const { 184 fields_iterator fields_begin() const {
185 return signeds.begin(); } 185 return signeds.begin(); }
186 fields_iterator fields_end() const { 186 fields_iterator fields_end() const {
187 return signeds.end(); } 187 return signeds.end(); }
188 }; 188 };
189 189
190 static void parse_query(const string& u,string::size_type q, 190 static void parse_query(const string& u,string::size_type q,
191 map<string,string>& p) { 191 map<string,string>& p) {
192 if(q==string::npos) 192 if(q==string::npos)
193 return; 193 return;
194 assert(u[q]=='?'); 194 assert(u[q]=='?');
195 ++q; 195 ++q;
196 string::size_type l = u.size(); 196 string::size_type l = u.size();
197 while(q<l) { 197 while(q<l) {
198 string::size_type eq = u.find('=',q); 198 string::size_type eq = u.find('=',q);
199 string::size_type am = u.find('&',q); 199 string::size_type am = u.find('&',q);
200 if(am==string::npos) { 200 if(am==string::npos) {
201 if(eq==string::npos) { 201 if(eq==string::npos) {
202 p[""] = u.substr(q); 202 p[""] = u.substr(q);
203 }else{ 203 }else{
204 p[u.substr(q,eq-q)] = u.substr(eq+1); 204 p[u.substr(q,eq-q)] = u.substr(eq+1);
205 } 205 }
206 break; 206 break;
207 }else{ 207 }else{
208 if(eq==string::npos || eq>am) { 208 if(eq==string::npos || eq>am) {
209 p[""] = u.substr(q,eq-q); 209 p[""] = u.substr(q,eq-q);
210 }else{ 210 }else{
211 p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1); 211 p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
212 } 212 }
213 q = ++am; 213 q = ++am;
214 } 214 }
215 } 215 }
216 } 216 }
217 217
218 void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) { 218 void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
219 reset_vars(); 219 reset_vars();
220 bool o2 = om.has_field("ns") 220 bool o2 = om.has_field("ns")
221 && om.get_field("ns")==OIURI_OPENID20; 221 && om.get_field("ns")==OIURI_OPENID20 && !om.get_field("op_endpoint").empty();
222 if( (!o2) && om.has_field("user_setup_url")) 222 if( (!o2) && om.has_field("user_setup_url"))
223 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided", 223 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
224 om.get_field("user_setup_url")); 224 om.get_field("user_setup_url"));
225 string m = om.get_field("mode"); 225 string m = om.get_field("mode");
226 if(o2 && m=="setup_needed") 226 if(o2 && m=="setup_needed")
227 throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided"); 227 throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
228 if(m=="cancel") 228 if(m=="cancel")
229 throw id_res_cancel(OPKELE_CP_ "authentication cancelled"); 229 throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
230 bool go_dumb=false; 230 bool go_dumb=false;
231 try { 231 try {
232 string OP = o2 232 string OP = o2
233 ?om.get_field("op_endpoint") 233 ?om.get_field("op_endpoint")
234 :get_endpoint().uri; 234 :get_endpoint().uri;
235 assoc_t assoc = retrieve_assoc( 235 assoc_t assoc = retrieve_assoc(
236 OP,om.get_field("assoc_handle")); 236 OP,om.get_field("assoc_handle"));
237 if(om.get_field("sig")!=util::base64_signature(assoc,om)) 237 if(om.get_field("sig")!=util::base64_signature(assoc,om))
238 throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); 238 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
239 }catch(dumb_RP& drp) { 239 }catch(dumb_RP& drp) {
240 go_dumb=true; 240 go_dumb=true;
241 }catch(failed_lookup& e) { 241 }catch(failed_lookup& e) {
242 go_dumb=true; 242 go_dumb=true;
243 } OPKELE_RETHROW 243 } OPKELE_RETHROW
244 if(go_dumb) { 244 if(go_dumb) {
245 try { 245 try {
246 string OP = o2 246 string OP = o2
247 ?om.get_field("op_endpoint") 247 ?om.get_field("op_endpoint")
248 :get_endpoint().uri; 248 :get_endpoint().uri;
249 check_authentication(OP,om); 249 check_authentication(OP,om);
250 }catch(failed_check_authentication& fca) { 250 }catch(failed_check_authentication& fca) {
251 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); 251 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
252 } OPKELE_RETHROW 252 } OPKELE_RETHROW
253 } 253 }
254 signed_part_message_proxy signeds(om); 254 signed_part_message_proxy signeds(om);
255 if(o2) { 255 if(o2) {
256 check_nonce(om.get_field("op_endpoint"), 256 check_nonce(om.get_field("op_endpoint"),
257 om.get_field("response_nonce")); 257 om.get_field("response_nonce"));
258 static const char *mustsign[] = { 258 static const char *mustsign[] = {
259 "op_endpoint", "return_to", "response_nonce", "assoc_handle", 259 "op_endpoint", "return_to", "response_nonce", "assoc_handle",
260 "claimed_id", "identity" }; 260 "claimed_id", "identity" };
261 for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) { 261 for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
262 if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms])) 262 if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
263 throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs"); 263 throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
264 } 264 }
265 if( ( 265 if( (
266 (om.has_field("claimed_id")?1:0) 266 (om.has_field("claimed_id")?1:0)
267 ^ 267 ^
268 (om.has_field("identity")?1:0) 268 (om.has_field("identity")?1:0)
269 )&1 ) 269 )&1 )
270 throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent"); 270 throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
271 271
272 string turl = util::rfc_3986_normalize_uri(get_this_url()); 272 string turl = util::rfc_3986_normalize_uri(get_this_url());
273 util::strip_uri_fragment_part(turl); 273 util::strip_uri_fragment_part(turl);
274 string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to")); 274 string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
275 util::strip_uri_fragment_part(rurl); 275 util::strip_uri_fragment_part(rurl);
276 string::size_type 276 string::size_type
277 tq = turl.find('?'), rq = rurl.find('?'); 277 tq = turl.find('?'), rq = rurl.find('?');
278 if( 278 if(
279 ((tq==string::npos)?turl:turl.substr(0,tq)) 279 ((tq==string::npos)?turl:turl.substr(0,tq))
280 != 280 !=
281 ((rq==string::npos)?rurl:rurl.substr(0,rq)) 281 ((rq==string::npos)?rurl:rurl.substr(0,rq))
282 ) 282 )
283 throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url"); 283 throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
284 map<string,string> tp; parse_query(turl,tq,tp); 284 map<string,string> tp; parse_query(turl,tq,tp);
285 map<string,string> rp; parse_query(rurl,rq,rp); 285 map<string,string> rp; parse_query(rurl,rq,rp);
286 for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) { 286 for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
287 map<string,string>::const_iterator tpi = tp.find(rpi->first); 287 map<string,string>::const_iterator tpi = tp.find(rpi->first);
288 if(tpi==tp.end()) 288 if(tpi==tp.end())
289 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request"); 289 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
290 if(tpi->second!=rpi->second) 290 if(tpi->second!=rpi->second)
291 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request"); 291 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
292 } 292 }
293 293
294 if(om.has_field("claimed_id")) { 294 if(om.has_field("claimed_id")) {
295 claimed_id = om.get_field("claimed_id"); 295 claimed_id = om.get_field("claimed_id");
296 identity = om.get_field("identity"); 296 identity = om.get_field("identity");
297 verify_OP( 297 verify_OP(
298 om.get_field("op_endpoint"), 298 om.get_field("op_endpoint"),
299 claimed_id, identity ); 299 claimed_id, identity );
300 } 300 }
301 301
302 }else{ 302 }else{
303 claimed_id = get_endpoint().claimed_id; 303 claimed_id = get_endpoint().claimed_id;
304 /* TODO: check if this is the identity we asked for */ 304 /* TODO: check if this is the identity we asked for */
305 identity = om.get_field("identity"); 305 identity = om.get_field("identity");
306 } 306 }
307 if(ext) ext->rp_id_res_hook(om,signeds); 307 if(ext) ext->rp_id_res_hook(om,signeds);
308 } 308 }
309 309
310 void basic_RP::check_authentication(const string& OP, 310 void basic_RP::check_authentication(const string& OP,
311 const basic_openid_message& om){ 311 const basic_openid_message& om){
312 openid_message_t res; 312 openid_message_t res;
313 static const string checkauthmode = "check_authentication"; 313 static const string checkauthmode = "check_authentication";
314 direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP); 314 direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);
315 if(res.has_field("is_valid")) { 315 if(res.has_field("is_valid")) {
316 if(res.get_field("is_valid")=="true") { 316 if(res.get_field("is_valid")=="true") {
317 if(res.has_field("invalidate_handle")) 317 if(res.has_field("invalidate_handle"))
318 invalidate_assoc(OP,res.get_field("invalidate_handle")); 318 invalidate_assoc(OP,res.get_field("invalidate_handle"));
319 return; 319 return;
320 } 320 }
321 } 321 }
322 throw failed_check_authentication( 322 throw failed_check_authentication(
323 OPKELE_CP_ "failed to verify response"); 323 OPKELE_CP_ "failed to verify response");
324 } 324 }
325 325
326} 326}