| author | Michael Krelin <hacker@klever.net> | 2008-04-05 13:36:58 (UTC) |
|---|---|---|
| committer | Michael Krelin <hacker@klever.net> | 2008-04-06 09:14:41 (UTC) |
| commit | c56867c814a70505e27501c8f02768a594d8e42d (patch) (side-by-side diff) | |
| tree | 409a7cae6a4768e09a0217f21c05fbb7d4db26fa /lib/basic_op.cc | |
| parent | 0182b9dee269f1a8f3fc0794bfdf4a143fa1b5be (diff) | |
| download | libopkele-c56867c814a70505e27501c8f02768a594d8e42d.zip libopkele-c56867c814a70505e27501c8f02768a594d8e42d.tar.gz libopkele-c56867c814a70505e27501c8f02768a594d8e42d.tar.bz2 | |
empty trust_root is no trust root.
work around some thoughtful and considerate RPs that take the pain of sending
the trust_root parameter, but do not go into as much trouble as setting it to
anything but an empty string.
Signed-off-by: Michael Krelin <hacker@klever.net>
| -rw-r--r-- | lib/basic_op.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/basic_op.cc b/lib/basic_op.cc index fa659ac..511b51a 100644 --- a/lib/basic_op.cc +++ b/lib/basic_op.cc @@ -123,77 +123,83 @@ namespace opkele { oum.reset_fields(); oum.set_field("ns",OIURI_OPENID20); oum.set_field("error",u.what()); oum.set_field("error_code","unsupported-type"); oum.set_field("session_type","DH-SHA256"); oum.set_field("assoc_type","HMAC-SHA256"); return oum; } void basic_OP::checkid_(const basic_openid_message& inm, extension_t *ext) { reset_vars(); string modestr = inm.get_field("mode"); if(modestr=="checkid_setup") mode = mode_checkid_setup; else if(modestr=="checkid_immediate") mode = mode_checkid_immediate; else throw bad_input(OPKELE_CP_ "Invalid checkid_* mode"); try { assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle")); invalidate_handle.clear(); }catch(failed_lookup&) { } try { openid2 = (inm.get_field("ns")==OIURI_OPENID20); }catch(failed_lookup&) { openid2 = false; } try { return_to = inm.get_field("return_to"); }catch(failed_lookup&) { } if(openid2) { try { realm = inm.get_field("realm"); + if(realm.empty()) + throw failed_lookup(OPKELE_CP_ "Empty realm doesn't count"); }catch(failed_lookup&) { try { realm = inm.get_field("trust_root"); + if(realm.empty()) + throw failed_lookup(OPKELE_CP_ "Empty trust_root doesn't count"); }catch(failed_lookup&) { if(return_to.empty()) throw bad_input(OPKELE_CP_ "Both realm and return_to are unset"); realm = return_to; } } }else{ try { realm = inm.get_field("trust_root"); + if(realm.empty()) + throw failed_lookup(OPKELE_CP_ "Empty trust_root doesn't count"); }catch(failed_lookup&) { if(return_to.empty()) throw bad_input(OPKELE_CP_ "Both realm and return_to are unset"); realm = return_to; } } try { identity = inm.get_field("identity"); try { claimed_id = inm.get_field("claimed_id"); }catch(failed_lookup&) { if(openid2) throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent"); claimed_id = identity; } }catch(failed_lookup&) { if(openid2 && inm.has_field("claimed_id")) throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent"); } verify_return_to(); if(ext) ext->op_checkid_hook(inm); } basic_openid_message& basic_OP::id_res(basic_openid_message& om, extension_t *ext) { assert(!return_to.empty()); assert(!is_id_select()); if(!assoc) { assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true); |