summaryrefslogtreecommitdiffabout
path: root/lib/basic_rp.cc
authorMichael Krelin <hacker@klever.net>2009-09-01 19:06:28 (UTC)
committer Michael Krelin <hacker@klever.net>2009-09-01 19:06:28 (UTC)
commitf5fa75f3fc446482232c847c1ddea5808bee2c25 (patch) (unidiff)
treefe76859da31d6d8b4b4416b8cb5372646a9fa098 /lib/basic_rp.cc
parent7b0ce50f7d61966b52f530b4bfbab1b91346b526 (diff)
downloadlibopkele-f5fa75f3fc446482232c847c1ddea5808bee2c25.zip
libopkele-f5fa75f3fc446482232c847c1ddea5808bee2c25.tar.gz
libopkele-f5fa75f3fc446482232c847c1ddea5808bee2c25.tar.bz2
corrected typo
Signed-off-by: Michael Krelin <hacker@klever.net>
Diffstat (limited to 'lib/basic_rp.cc') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/basic_rp.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index 9c7113b..bc1fb7f 100644
--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -1,327 +1,327 @@
1#include <sys/types.h> 1#include <sys/types.h>
2#include <cassert> 2#include <cassert>
3#include <openssl/sha.h> 3#include <openssl/sha.h>
4#include <openssl/hmac.h> 4#include <openssl/hmac.h>
5#include <opkele/basic_rp.h> 5#include <opkele/basic_rp.h>
6#include <opkele/exception.h> 6#include <opkele/exception.h>
7#include <opkele/uris.h> 7#include <opkele/uris.h>
8#include <opkele/data.h> 8#include <opkele/data.h>
9#include <opkele/util.h> 9#include <opkele/util.h>
10#include <opkele/util-internal.h> 10#include <opkele/util-internal.h>
11#include <opkele/curl.h> 11#include <opkele/curl.h>
12#include <opkele/debug.h> 12#include <opkele/debug.h>
13 13
14namespace opkele { 14namespace opkele {
15 15
16 void basic_RP::reset_vars() { 16 void basic_RP::reset_vars() {
17 claimed_id.clear(); identity.clear(); 17 claimed_id.clear(); identity.clear();
18 } 18 }
19 19
20 const string& basic_RP::get_claimed_id() const { 20 const string& basic_RP::get_claimed_id() const {
21 if(claimed_id.empty()) 21 if(claimed_id.empty())
22 throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion"); 22 throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion");
23 assert(!identity.empty()); 23 assert(!identity.empty());
24 return claimed_id; 24 return claimed_id;
25 } 25 }
26 26
27 const string& basic_RP::get_identity() const { 27 const string& basic_RP::get_identity() const {
28 if(identity.empty()) 28 if(identity.empty())
29 throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion"); 29 throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion");
30 assert(!claimed_id.empty()); 30 assert(!claimed_id.empty());
31 return identity; 31 return identity;
32 } 32 }
33 33
34 static void dh_get_secret( 34 static void dh_get_secret(
35 secret_t& secret, const basic_openid_message& om, 35 secret_t& secret, const basic_openid_message& om,
36 const char *exp_assoc, const char *exp_sess, 36 const char *exp_assoc, const char *exp_sess,
37 util::dh_t& dh, 37 util::dh_t& dh,
38 size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*), 38 size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*),
39 size_t exp_s_len) try { 39 size_t exp_s_len) try {
40 if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess) 40 if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
41 throw bad_input(OPKELE_CP_ "Unexpected associate response"); 41 throw bad_input(OPKELE_CP_ "Unexpected associate response");
42 util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public")); 42 util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
43 vector<unsigned char> ck(DH_size(dh)+1); 43 vector<unsigned char> ck(DH_size(dh)+1);
44 unsigned char *ckptr = &(ck.front())+1; 44 unsigned char *ckptr = &(ck.front())+1;
45 int cklen = DH_compute_key(ckptr,s_pub,dh); 45 int cklen = DH_compute_key(ckptr,s_pub,dh);
46 if(cklen<0) 46 if(cklen<0)
47 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 47 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
48 if(cklen && (*ckptr)&0x80) { 48 if(cklen && (*ckptr)&0x80) {
49 (*(--ckptr))=0; ++cklen; } 49 (*(--ckptr))=0; ++cklen; }
50 assert(d_len<=SHA256_DIGEST_LENGTH); 50 assert(d_len<=SHA256_DIGEST_LENGTH);
51 unsigned char key_digest[SHA256_DIGEST_LENGTH]; 51 unsigned char key_digest[SHA256_DIGEST_LENGTH];
52 secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key")); 52 secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
53 if(secret.size()!=exp_s_len) 53 if(secret.size()!=exp_s_len)
54 throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type"); 54 throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");
55 }catch(opkele::failed_lookup& ofl) { 55 }catch(opkele::failed_lookup& ofl) {
56 throw bad_input(OPKELE_CP_ "Incoherent response from OP"); 56 throw bad_input(OPKELE_CP_ "Incoherent response from OP");
57 } OPKELE_RETHROW 57 } OPKELE_RETHROW
58 58
59 static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) { 59 static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
60 util::curl_pick_t curl = util::curl_pick_t::easy_init(); 60 util::curl_pick_t curl = util::curl_pick_t::easy_init();
61 if(!curl) 61 if(!curl)
62 throw exception_curl(OPKELE_CP_ "failed to initialize curl"); 62 throw exception_curl(OPKELE_CP_ "failed to initialize curl");
63 string request = inm.query_string(); 63 string request = inm.query_string();
64 CURLcode r; 64 CURLcode r;
65 (r=curl.misc_sets()) 65 (r=curl.misc_sets())
66 || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str())) 66 || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
67 || (r=curl.easy_setopt(CURLOPT_POST,1)) 67 || (r=curl.easy_setopt(CURLOPT_POST,1))
68 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) 68 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
69 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) 69 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
70 || (r=curl.set_write()); 70 || (r=curl.set_write());
71 if(r) 71 if(r)
72 throw exception_curl(OPKELE_CP_ "failed to set curly options",r); 72 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
73 if( (r=curl.easy_perform()) ) 73 if( (r=curl.easy_perform()) )
74 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); 74 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
75 oum.from_keyvalues(curl.response); 75 oum.from_keyvalues(curl.response);
76 } 76 }
77 77
78 78
79 assoc_t basic_RP::associate(const string& OP) { 79 assoc_t basic_RP::associate(const string& OP) {
80 util::dh_t dh = DH_new(); 80 util::dh_t dh = DH_new();
81 if(!dh) 81 if(!dh)
82 throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); 82 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
83 dh->p = util::dec_to_bignum(data::_default_p); 83 dh->p = util::dec_to_bignum(data::_default_p);
84 dh->g = util::dec_to_bignum(data::_default_g); 84 dh->g = util::dec_to_bignum(data::_default_g);
85 if(!DH_generate_key(dh)) 85 if(!DH_generate_key(dh))
86 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); 86 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
87 openid_message_t req; 87 openid_message_t req;
88 req.set_field("ns",OIURI_OPENID20); 88 req.set_field("ns",OIURI_OPENID20);
89 req.set_field("mode","associate"); 89 req.set_field("mode","associate");
90 req.set_field("dh_modulus",util::bignum_to_base64(dh->p)); 90 req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
91 req.set_field("dh_gen",util::bignum_to_base64(dh->g)); 91 req.set_field("dh_gen",util::bignum_to_base64(dh->g));
92 req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key)); 92 req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
93 openid_message_t res; 93 openid_message_t res;
94 req.set_field("assoc_type","HMAC-SHA256"); 94 req.set_field("assoc_type","HMAC-SHA256");
95 req.set_field("session_type","DH-SHA256"); 95 req.set_field("session_type","DH-SHA256");
96 secret_t secret; 96 secret_t secret;
97 int expires_in; 97 int expires_in;
98 try { 98 try {
99 direct_request(res,req,OP); 99 direct_request(res,req,OP);
100 dh_get_secret( secret, res, 100 dh_get_secret( secret, res,
101 "HMAC-SHA256", "DH-SHA256", 101 "HMAC-SHA256", "DH-SHA256",
102 dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH ); 102 dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH );
103 expires_in = util::string_to_long(res.get_field("expires_in")); 103 expires_in = util::string_to_long(res.get_field("expires_in"));
104 }catch(exception&) { 104 }catch(exception&) {
105 try { 105 try {
106 req.set_field("assoc_type","HMAC-SHA1"); 106 req.set_field("assoc_type","HMAC-SHA1");
107 req.set_field("session_type","DH-SHA1"); 107 req.set_field("session_type","DH-SHA1");
108 direct_request(res,req,OP); 108 direct_request(res,req,OP);
109 dh_get_secret( secret, res, 109 dh_get_secret( secret, res,
110 "HMAC-SHA1", "DH-SHA1", 110 "HMAC-SHA1", "DH-SHA1",
111 dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH ); 111 dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH );
112 expires_in = util::string_to_long(res.get_field("expires_in")); 112 expires_in = util::string_to_long(res.get_field("expires_in"));
113 }catch(bad_input&) { 113 }catch(bad_input&) {
114 throw dumb_RP(OPKELE_CP_ "OP failed to supply an association"); 114 throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
115 } 115 }
116 } 116 }
117 return store_assoc( 117 return store_assoc(
118 OP, res.get_field("assoc_handle"), 118 OP, res.get_field("assoc_handle"),
119 res.get_field("assoc_type"), secret, 119 res.get_field("assoc_type"), secret,
120 expires_in ); 120 expires_in );
121 } 121 }
122 122
123 basic_openid_message& basic_RP::checkid_( 123 basic_openid_message& basic_RP::checkid_(
124 basic_openid_message& rv, 124 basic_openid_message& rv,
125 mode_t mode, 125 mode_t mode,
126 const string& return_to,const string& realm, 126 const string& return_to,const string& realm,
127 extension_t *ext) { 127 extension_t *ext) {
128 rv.reset_fields(); 128 rv.reset_fields();
129 rv.set_field("ns",OIURI_OPENID20); 129 rv.set_field("ns",OIURI_OPENID20);
130 if(mode==mode_checkid_immediate) 130 if(mode==mode_checkid_immediate)
131 rv.set_field("mode","checkid_immediate"); 131 rv.set_field("mode","checkid_immediate");
132 else if(mode==mode_checkid_setup) 132 else if(mode==mode_checkid_setup)
133 rv.set_field("mode","checkid_setup"); 133 rv.set_field("mode","checkid_setup");
134 else 134 else
135 throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); 135 throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
136 if(realm.empty() && return_to.empty()) 136 if(realm.empty() && return_to.empty())
137 throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty"); 137 throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
138 if(!realm.empty()) { 138 if(!realm.empty()) {
139 rv.set_field("realm",realm); 139 rv.set_field("realm",realm);
140 rv.set_field("trust_root",realm); 140 rv.set_field("trust_root",realm);
141 } 141 }
142 if(!return_to.empty()) 142 if(!return_to.empty())
143 rv.set_field("return_to",return_to); 143 rv.set_field("return_to",return_to);
144 const openid_endpoint_t& ep = get_endpoint(); 144 const openid_endpoint_t& ep = get_endpoint();
145 rv.set_field("claimed_id",ep.claimed_id); 145 rv.set_field("claimed_id",ep.claimed_id);
146 rv.set_field("identity",ep.local_id); 146 rv.set_field("identity",ep.local_id);
147 try { 147 try {
148 rv.set_field("assoc_handle",find_assoc(ep.uri)->handle()); 148 rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());
149 }catch(dumb_RP& drp) { 149 }catch(dumb_RP& drp) {
150 }catch(failed_lookup& fl) { 150 }catch(failed_lookup& fl) {
151 try { 151 try {
152 rv.set_field("assoc_handle",associate(ep.uri)->handle()); 152 rv.set_field("assoc_handle",associate(ep.uri)->handle());
153 }catch(dumb_RP& drp) { } 153 }catch(dumb_RP& drp) { }
154 } OPKELE_RETHROW 154 } OPKELE_RETHROW
155 if(ext) ext->rp_checkid_hook(rv); 155 if(ext) ext->rp_checkid_hook(rv);
156 return rv; 156 return rv;
157 } 157 }
158 158
159 class signed_part_message_proxy : public basic_openid_message { 159 class signed_part_message_proxy : public basic_openid_message {
160 public: 160 public:
161 const basic_openid_message& x; 161 const basic_openid_message& x;
162 set<string> signeds; 162 set<string> signeds;
163 163
164 signed_part_message_proxy(const basic_openid_message& xx) : x(xx) { 164 signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {
165 const string& slist = x.get_field("signed"); 165 const string& slist = x.get_field("signed");
166 string::size_type p = 0; 166 string::size_type p = 0;
167 while(true) { 167 while(true) {
168 string::size_type co = slist.find(',',p); 168 string::size_type co = slist.find(',',p);
169 string f = (co==string::npos) 169 string f = (co==string::npos)
170 ?slist.substr(p):slist.substr(p,co-p); 170 ?slist.substr(p):slist.substr(p,co-p);
171 signeds.insert(f); 171 signeds.insert(f);
172 if(co==string::npos) break; 172 if(co==string::npos) break;
173 p = co+1; 173 p = co+1;
174 } 174 }
175 } 175 }
176 176
177 bool has_field(const string& n) const { 177 bool has_field(const string& n) const {
178 return signeds.find(n)!=signeds.end() && x.has_field(n); } 178 return signeds.find(n)!=signeds.end() && x.has_field(n); }
179 const string& get_field(const string& n) const { 179 const string& get_field(const string& n) const {
180 if(signeds.find(n)==signeds.end()) 180 if(signeds.find(n)==signeds.end())
181 throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed"); 181 throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");
182 return x.get_field(n); } 182 return x.get_field(n); }
183 183
184 fields_iterator fields_begin() const { 184 fields_iterator fields_begin() const {
185 return signeds.begin(); } 185 return signeds.begin(); }
186 fields_iterator fields_end() const { 186 fields_iterator fields_end() const {
187 return signeds.end(); } 187 return signeds.end(); }
188 }; 188 };
189 189
190 static void parse_query(const string& u,string::size_type q, 190 static void parse_query(const string& u,string::size_type q,
191 map<string,string>& p) { 191 map<string,string>& p) {
192 if(q==string::npos) 192 if(q==string::npos)
193 return; 193 return;
194 assert(u[q]=='?'); 194 assert(u[q]=='?');
195 ++q; 195 ++q;
196 string::size_type l = u.size(); 196 string::size_type l = u.size();
197 while(q<l) { 197 while(q<l) {
198 string::size_type eq = u.find('=',q); 198 string::size_type eq = u.find('=',q);
199 string::size_type am = u.find('&',q); 199 string::size_type am = u.find('&',q);
200 if(am==string::npos) { 200 if(am==string::npos) {
201 if(eq==string::npos) { 201 if(eq==string::npos) {
202 p[""] = u.substr(q); 202 p[""] = u.substr(q);
203 }else{ 203 }else{
204 p[u.substr(q,eq-q)] = u.substr(eq+1); 204 p[u.substr(q,eq-q)] = u.substr(eq+1);
205 } 205 }
206 break; 206 break;
207 }else{ 207 }else{
208 if(eq==string::npos || eq>am) { 208 if(eq==string::npos || eq>am) {
209 p[""] = u.substr(q,eq-q); 209 p[""] = u.substr(q,eq-q);
210 }else{ 210 }else{
211 p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1); 211 p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
212 } 212 }
213 q = ++am; 213 q = ++am;
214 } 214 }
215 } 215 }
216 } 216 }
217 217
218 void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) { 218 void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
219 reset_vars(); 219 reset_vars();
220 bool o2 = om.has_field("ns") 220 bool o2 = om.has_field("ns")
221 && om.get_field("ns")==OIURI_OPENID20 221 && om.get_field("ns")==OIURI_OPENID20
222 && om.has_field("op_endpoint") && !om.get_field("op_endpoint").empty(); 222 && om.has_field("op_endpoint") && !om.get_field("op_endpoint").empty();
223 if( (!o2) && om.has_field("user_setup_url")) 223 if( (!o2) && om.has_field("user_setup_url"))
224 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided", 224 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
225 om.get_field("user_setup_url")); 225 om.get_field("user_setup_url"));
226 string m = om.get_field("mode"); 226 string m = om.get_field("mode");
227 if(o2 && m=="setup_needed") 227 if(o2 && m=="setup_needed")
228 throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided"); 228 throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
229 if(m=="cancel") 229 if(m=="cancel")
230 throw id_res_cancel(OPKELE_CP_ "authentication cancelled"); 230 throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
231 bool go_dumb=false; 231 bool go_dumb=false;
232 try { 232 try {
233 string OP = o2 233 string OP = o2
234 ?om.get_field("op_endpoint") 234 ?om.get_field("op_endpoint")
235 :get_endpoint().uri; 235 :get_endpoint().uri;
236 assoc_t assoc = retrieve_assoc( 236 assoc_t assoc = retrieve_assoc(
237 OP,om.get_field("assoc_handle")); 237 OP,om.get_field("assoc_handle"));
238 if(om.get_field("sig")!=util::base64_signature(assoc,om)) 238 if(om.get_field("sig")!=util::base64_signature(assoc,om))
239 throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); 239 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
240 }catch(dumb_RP& drp) { 240 }catch(dumb_RP& drp) {
241 go_dumb=true; 241 go_dumb=true;
242 }catch(failed_lookup& e) { 242 }catch(failed_lookup& e) {
243 go_dumb=true; 243 go_dumb=true;
244 } OPKELE_RETHROW 244 } OPKELE_RETHROW
245 if(go_dumb) { 245 if(go_dumb) {
246 try { 246 try {
247 string OP = o2 247 string OP = o2
248 ?om.get_field("op_endpoint") 248 ?om.get_field("op_endpoint")
249 :get_endpoint().uri; 249 :get_endpoint().uri;
250 check_authentication(OP,om); 250 check_authentication(OP,om);
251 }catch(failed_check_authentication& fca) { 251 }catch(failed_check_authentication& fca) {
252 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); 252 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
253 } OPKELE_RETHROW 253 } OPKELE_RETHROW
254 } 254 }
255 signed_part_message_proxy signeds(om); 255 signed_part_message_proxy signeds(om);
256 if(o2) { 256 if(o2) {
257 check_nonce(om.get_field("op_endpoint"), 257 check_nonce(om.get_field("op_endpoint"),
258 om.get_field("response_nonce")); 258 om.get_field("response_nonce"));
259 static const char *mustsign[] = { 259 static const char *mustsign[] = {
260 "op_endpoint", "return_to", "response_nonce", "assoc_handle", 260 "op_endpoint", "return_to", "response_nonce", "assoc_handle",
261 "claimed_id", "identity" }; 261 "claimed_id", "identity" };
262 for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) { 262 for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
263 if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms])) 263 if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
264 throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs"); 264 throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
265 } 265 }
266 if( ( 266 if( (
267 (om.has_field("claimed_id")?1:0) 267 (om.has_field("claimed_id")?1:0)
268 ^ 268 ^
269 (om.has_field("identity")?1:0) 269 (om.has_field("identity")?1:0)
270 )&1 ) 270 )&1 )
271 throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent"); 271 throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
272 272
273 string turl = util::rfc_3986_normalize_uri(get_this_url()); 273 string turl = util::rfc_3986_normalize_uri(get_this_url());
274 util::strip_uri_fragment_part(turl); 274 util::strip_uri_fragment_part(turl);
275 string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to")); 275 string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
276 util::strip_uri_fragment_part(rurl); 276 util::strip_uri_fragment_part(rurl);
277 string::size_type 277 string::size_type
278 tq = turl.find('?'), rq = rurl.find('?'); 278 tq = turl.find('?'), rq = rurl.find('?');
279 if( 279 if(
280 ((tq==string::npos)?turl:turl.substr(0,tq)) 280 ((tq==string::npos)?turl:turl.substr(0,tq))
281 != 281 !=
282 ((rq==string::npos)?rurl:rurl.substr(0,rq)) 282 ((rq==string::npos)?rurl:rurl.substr(0,rq))
283 ) 283 )
284 throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url"); 284 throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
285 map<string,string> tp; parse_query(turl,tq,tp); 285 map<string,string> tp; parse_query(turl,tq,tp);
286 map<string,string> rp; parse_query(rurl,rq,rp); 286 map<string,string> rp; parse_query(rurl,rq,rp);
287 for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) { 287 for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
288 map<string,string>::const_iterator tpi = tp.find(rpi->first); 288 map<string,string>::const_iterator tpi = tp.find(rpi->first);
289 if(tpi==tp.end()) 289 if(tpi==tp.end())
290 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request"); 290 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
291 if(tpi->second!=rpi->second) 291 if(tpi->second!=rpi->second)
292 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request"); 292 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't match the request");
293 } 293 }
294 294
295 if(om.has_field("claimed_id")) { 295 if(om.has_field("claimed_id")) {
296 claimed_id = om.get_field("claimed_id"); 296 claimed_id = om.get_field("claimed_id");
297 identity = om.get_field("identity"); 297 identity = om.get_field("identity");
298 verify_OP( 298 verify_OP(
299 om.get_field("op_endpoint"), 299 om.get_field("op_endpoint"),
300 claimed_id, identity ); 300 claimed_id, identity );
301 } 301 }
302 302
303 }else{ 303 }else{
304 claimed_id = get_endpoint().claimed_id; 304 claimed_id = get_endpoint().claimed_id;
305 /* TODO: check if this is the identity we asked for */ 305 /* TODO: check if this is the identity we asked for */
306 identity = om.get_field("identity"); 306 identity = om.get_field("identity");
307 } 307 }
308 if(ext) ext->rp_id_res_hook(om,signeds); 308 if(ext) ext->rp_id_res_hook(om,signeds);
309 } 309 }
310 310
311 void basic_RP::check_authentication(const string& OP, 311 void basic_RP::check_authentication(const string& OP,
312 const basic_openid_message& om){ 312 const basic_openid_message& om){
313 openid_message_t res; 313 openid_message_t res;
314 static const string checkauthmode = "check_authentication"; 314 static const string checkauthmode = "check_authentication";
315 direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP); 315 direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);
316 if(res.has_field("is_valid")) { 316 if(res.has_field("is_valid")) {
317 if(res.get_field("is_valid")=="true") { 317 if(res.get_field("is_valid")=="true") {
318 if(res.has_field("invalidate_handle")) 318 if(res.has_field("invalidate_handle"))
319 invalidate_assoc(OP,res.get_field("invalidate_handle")); 319 invalidate_assoc(OP,res.get_field("invalidate_handle"));
320 return; 320 return;
321 } 321 }
322 } 322 }
323 throw failed_check_authentication( 323 throw failed_check_authentication(
324 OPKELE_CP_ "failed to verify response"); 324 OPKELE_CP_ "failed to verify response");
325 } 325 }
326 326
327} 327}