authorMichael Krelin <hacker@klever.net>2009-09-01 19:06:28 (UTC)
committer Michael Krelin <hacker@klever.net>2009-09-01 19:06:28 (UTC)
commitf5fa75f3fc446482232c847c1ddea5808bee2c25 (patch) (unidiff)
treefe76859da31d6d8b4b4416b8cb5372646a9fa098 /lib
parent7b0ce50f7d61966b52f530b4bfbab1b91346b526 (diff)
corrected typo
Signed-off-by: Michael Krelin <hacker@klever.net>
Diffstat (limited to 'lib') (more/less context) (ignore whitespace changes)
-rw-r--r--lib/basic_rp.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index 9c7113b..bc1fb7f 100644
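--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -196,132 +196,132 @@ namespace opkele {
 string::size_type l = u.size();
 while(q<l) {
 string::size_type eq = u.find('=',q);
 string::size_type am = u.find('&',q);
 if(am==string::npos) {
 if(eq==string::npos) {
 p[""] = u.substr(q);
 }else{
 p[u.substr(q,eq-q)] = u.substr(eq+1);
 }
 break;
 }else{
 if(eq==string::npos || eq>am) {
 p[""] = u.substr(q,eq-q);
 }else{
 p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
 }
 q = ++am;
 }
 }
 }
 
 void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
 reset_vars();
 bool o2 = om.has_field("ns")
 && om.get_field("ns")==OIURI_OPENID20
 && om.has_field("op_endpoint") && !om.get_field("op_endpoint").empty();
 if( (!o2) && om.has_field("user_setup_url"))
 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
 om.get_field("user_setup_url"));
 string m = om.get_field("mode");
 if(o2 && m=="setup_needed")
 throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
 if(m=="cancel")
 throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
 bool go_dumb=false;
 try {
 string OP = o2
 ?om.get_field("op_endpoint")
 :get_endpoint().uri;
 assoc_t assoc = retrieve_assoc(
 OP,om.get_field("assoc_handle"));
 if(om.get_field("sig")!=util::base64_signature(assoc,om))
 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
 }catch(dumb_RP& drp) {
 go_dumb=true;
 }catch(failed_lookup& e) {
 go_dumb=true;
 } OPKELE_RETHROW
 if(go_dumb) {
 try {
 string OP = o2
 ?om.get_field("op_endpoint")
 :get_endpoint().uri;
 check_authentication(OP,om);
 }catch(failed_check_authentication& fca) {
 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
 } OPKELE_RETHROW
 }
 signed_part_message_proxy signeds(om);
 if(o2) {
 check_nonce(om.get_field("op_endpoint"),
 om.get_field("response_nonce"));
 static const char *mustsign[] = {
 "op_endpoint", "return_to", "response_nonce", "assoc_handle",
 "claimed_id", "identity" };
 for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
 if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
 throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
 }
 if( (
 (om.has_field("claimed_id")?1:0)
 ^
 (om.has_field("identity")?1:0)
 )&1 )
 throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
 
 string turl = util::rfc_3986_normalize_uri(get_this_url());
 util::strip_uri_fragment_part(turl);
 string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
 util::strip_uri_fragment_part(rurl);
 string::size_type
 tq = turl.find('?'), rq = rurl.find('?');
 if(
 ((tq==string::npos)?turl:turl.substr(0,tq))
 !=
 ((rq==string::npos)?rurl:rurl.substr(0,rq))
 )
 throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
 map<string,string> tp; parse_query(turl,tq,tp);
 map<string,string> rp; parse_query(rurl,rq,rp);
 for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
 map<string,string>::const_iterator tpi = tp.find(rpi->first);
 if(tpi==tp.end())
 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
 if(tpi->second!=rpi->second)
-throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
+throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't match the request");
 }
 
 if(om.has_field("claimed_id")) {
 claimed_id = om.get_field("claimed_id");
 identity = om.get_field("identity");
 verify_OP(
 om.get_field("op_endpoint"),
 claimed_id, identity );
 }
 
 }else{
 claimed_id = get_endpoint().claimed_id;
 /* TODO: check if this is the identity we asked for */
 identity = om.get_field("identity");
 }
 if(ext) ext->rp_id_res_hook(om,signeds);
 }
 
 void basic_RP::check_authentication(const string& OP,
 const basic_openid_message& om){
 openid_message_t res;
 static const string checkauthmode = "check_authentication";
 direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);
 if(res.has_field("is_valid")) {
 if(res.get_field("is_valid")=="true") {
 if(res.has_field("invalidate_handle"))
 invalidate_assoc(OP,res.get_field("invalidate_handle"));
 return;
 }
 }
 throw failed_check_authentication(
 OPKELE_CP_ "failed to verify response");
 }
 
 }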
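Review bot: The signature check on line 238 of `basic_RP::id_res` compares `om.get_field("sig")` with `util::base64_signature(assoc,om)` using `string` `!=`, which may return at the first differing byte, so the time taken can depend on how much of a submitted signature is correct. The commit only corrects the message text on line 292 and leaves that comparison as it was. A length check followed by a loop that ORs together the XOR of every byte pair and tests the accumulator once removes that dependency; a sketch with a new file-local helper follows. Separately, the OpenID 1.x branch on lines 304–306 reads `identity` from `om` rather than from `signeds`, and nothing visible in that branch checks that the field was signed; the TODO on line 305 is still open.

```cpp
// new file-local helper (name is a suggestion): running time does not depend
// on the position of the first differing byte
static bool sig_equal(const string& a,const string& b) {
	if(a.size()!=b.size()) return false;
	unsigned char d = 0;
	for(string::size_type i=0;i<a.size();++i)
		d |= static_cast<unsigned char>(a[i])^static_cast<unsigned char>(b[i]);
	return d==0;
}

// … unchanged: id_res up to retrieve_assoc() …
if(!sig_equal(om.get_field("sig"),util::base64_signature(assoc,om)))
	throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
// … unchanged: dumb-mode fallback, nonce, return_to and identity checks …
```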