-rw-r--r-- | lib/basic_rp.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc index 8125aa7..9c7113b 100644 --- a/lib/basic_rp.cc +++ b/lib/basic_rp.cc | |||
@@ -1,326 +1,327 @@ | |||
1 | #include <sys/types.h> | 1 | #include <sys/types.h> |
2 | #include <cassert> | 2 | #include <cassert> |
3 | #include <openssl/sha.h> | 3 | #include <openssl/sha.h> |
4 | #include <openssl/hmac.h> | 4 | #include <openssl/hmac.h> |
5 | #include <opkele/basic_rp.h> | 5 | #include <opkele/basic_rp.h> |
6 | #include <opkele/exception.h> | 6 | #include <opkele/exception.h> |
7 | #include <opkele/uris.h> | 7 | #include <opkele/uris.h> |
8 | #include <opkele/data.h> | 8 | #include <opkele/data.h> |
9 | #include <opkele/util.h> | 9 | #include <opkele/util.h> |
10 | #include <opkele/util-internal.h> | 10 | #include <opkele/util-internal.h> |
11 | #include <opkele/curl.h> | 11 | #include <opkele/curl.h> |
12 | #include <opkele/debug.h> | 12 | #include <opkele/debug.h> |
13 | 13 | ||
14 | namespace opkele { | 14 | namespace opkele { |
15 | 15 | ||
16 | void basic_RP::reset_vars() { | 16 | void basic_RP::reset_vars() { |
17 | claimed_id.clear(); identity.clear(); | 17 | claimed_id.clear(); identity.clear(); |
18 | } | 18 | } |
19 | 19 | ||
20 | const string& basic_RP::get_claimed_id() const { | 20 | const string& basic_RP::get_claimed_id() const { |
21 | if(claimed_id.empty()) | 21 | if(claimed_id.empty()) |
22 | throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion"); | 22 | throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion"); |
23 | assert(!identity.empty()); | 23 | assert(!identity.empty()); |
24 | return claimed_id; | 24 | return claimed_id; |
25 | } | 25 | } |
26 | 26 | ||
27 | const string& basic_RP::get_identity() const { | 27 | const string& basic_RP::get_identity() const { |
28 | if(identity.empty()) | 28 | if(identity.empty()) |
29 | throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion"); | 29 | throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion"); |
30 | assert(!claimed_id.empty()); | 30 | assert(!claimed_id.empty()); |
31 | return identity; | 31 | return identity; |
32 | } | 32 | } |
33 | 33 | ||
34 | static void dh_get_secret( | 34 | static void dh_get_secret( |
35 | secret_t& secret, const basic_openid_message& om, | 35 | secret_t& secret, const basic_openid_message& om, |
36 | const char *exp_assoc, const char *exp_sess, | 36 | const char *exp_assoc, const char *exp_sess, |
37 | util::dh_t& dh, | 37 | util::dh_t& dh, |
38 | size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*), | 38 | size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*), |
39 | size_t exp_s_len) try { | 39 | size_t exp_s_len) try { |
40 | if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess) | 40 | if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess) |
41 | throw bad_input(OPKELE_CP_ "Unexpected associate response"); | 41 | throw bad_input(OPKELE_CP_ "Unexpected associate response"); |
42 | util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public")); | 42 | util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public")); |
43 | vector<unsigned char> ck(DH_size(dh)+1); | 43 | vector<unsigned char> ck(DH_size(dh)+1); |
44 | unsigned char *ckptr = &(ck.front())+1; | 44 | unsigned char *ckptr = &(ck.front())+1; |
45 | int cklen = DH_compute_key(ckptr,s_pub,dh); | 45 | int cklen = DH_compute_key(ckptr,s_pub,dh); |
46 | if(cklen<0) | 46 | if(cklen<0) |
47 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); | 47 | throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); |
48 | if(cklen && (*ckptr)&0x80) { | 48 | if(cklen && (*ckptr)&0x80) { |
49 | (*(--ckptr))=0; ++cklen; } | 49 | (*(--ckptr))=0; ++cklen; } |
50 | assert(d_len<=SHA256_DIGEST_LENGTH); | 50 | assert(d_len<=SHA256_DIGEST_LENGTH); |
51 | unsigned char key_digest[SHA256_DIGEST_LENGTH]; | 51 | unsigned char key_digest[SHA256_DIGEST_LENGTH]; |
52 | secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key")); | 52 | secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key")); |
53 | if(secret.size()!=exp_s_len) | 53 | if(secret.size()!=exp_s_len) |
54 | throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type"); | 54 | throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type"); |
55 | }catch(opkele::failed_lookup& ofl) { | 55 | }catch(opkele::failed_lookup& ofl) { |
56 | throw bad_input(OPKELE_CP_ "Incoherent response from OP"); | 56 | throw bad_input(OPKELE_CP_ "Incoherent response from OP"); |
57 | } OPKELE_RETHROW | 57 | } OPKELE_RETHROW |
58 | 58 | ||
59 | static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) { | 59 | static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) { |
60 | util::curl_pick_t curl = util::curl_pick_t::easy_init(); | 60 | util::curl_pick_t curl = util::curl_pick_t::easy_init(); |
61 | if(!curl) | 61 | if(!curl) |
62 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); | 62 | throw exception_curl(OPKELE_CP_ "failed to initialize curl"); |
63 | string request = inm.query_string(); | 63 | string request = inm.query_string(); |
64 | CURLcode r; | 64 | CURLcode r; |
65 | (r=curl.misc_sets()) | 65 | (r=curl.misc_sets()) |
66 | || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str())) | 66 | || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str())) |
67 | || (r=curl.easy_setopt(CURLOPT_POST,1)) | 67 | || (r=curl.easy_setopt(CURLOPT_POST,1)) |
68 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) | 68 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) |
69 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) | 69 | || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) |
70 | || (r=curl.set_write()); | 70 | || (r=curl.set_write()); |
71 | if(r) | 71 | if(r) |
72 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); | 72 | throw exception_curl(OPKELE_CP_ "failed to set curly options",r); |
73 | if( (r=curl.easy_perform()) ) | 73 | if( (r=curl.easy_perform()) ) |
74 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); | 74 | throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); |
75 | oum.from_keyvalues(curl.response); | 75 | oum.from_keyvalues(curl.response); |
76 | } | 76 | } |
77 | 77 | ||
78 | 78 | ||
79 | assoc_t basic_RP::associate(const string& OP) { | 79 | assoc_t basic_RP::associate(const string& OP) { |
80 | util::dh_t dh = DH_new(); | 80 | util::dh_t dh = DH_new(); |
81 | if(!dh) | 81 | if(!dh) |
82 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); | 82 | throw exception_openssl(OPKELE_CP_ "failed to DH_new()"); |
83 | dh->p = util::dec_to_bignum(data::_default_p); | 83 | dh->p = util::dec_to_bignum(data::_default_p); |
84 | dh->g = util::dec_to_bignum(data::_default_g); | 84 | dh->g = util::dec_to_bignum(data::_default_g); |
85 | if(!DH_generate_key(dh)) | 85 | if(!DH_generate_key(dh)) |
86 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); | 86 | throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()"); |
87 | openid_message_t req; | 87 | openid_message_t req; |
88 | req.set_field("ns",OIURI_OPENID20); | 88 | req.set_field("ns",OIURI_OPENID20); |
89 | req.set_field("mode","associate"); | 89 | req.set_field("mode","associate"); |
90 | req.set_field("dh_modulus",util::bignum_to_base64(dh->p)); | 90 | req.set_field("dh_modulus",util::bignum_to_base64(dh->p)); |
91 | req.set_field("dh_gen",util::bignum_to_base64(dh->g)); | 91 | req.set_field("dh_gen",util::bignum_to_base64(dh->g)); |
92 | req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key)); | 92 | req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key)); |
93 | openid_message_t res; | 93 | openid_message_t res; |
94 | req.set_field("assoc_type","HMAC-SHA256"); | 94 | req.set_field("assoc_type","HMAC-SHA256"); |
95 | req.set_field("session_type","DH-SHA256"); | 95 | req.set_field("session_type","DH-SHA256"); |
96 | secret_t secret; | 96 | secret_t secret; |
97 | int expires_in; | 97 | int expires_in; |
98 | try { | 98 | try { |
99 | direct_request(res,req,OP); | 99 | direct_request(res,req,OP); |
100 | dh_get_secret( secret, res, | 100 | dh_get_secret( secret, res, |
101 | "HMAC-SHA256", "DH-SHA256", | 101 | "HMAC-SHA256", "DH-SHA256", |
102 | dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH ); | 102 | dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH ); |
103 | expires_in = util::string_to_long(res.get_field("expires_in")); | 103 | expires_in = util::string_to_long(res.get_field("expires_in")); |
104 | }catch(exception&) { | 104 | }catch(exception&) { |
105 | try { | 105 | try { |
106 | req.set_field("assoc_type","HMAC-SHA1"); | 106 | req.set_field("assoc_type","HMAC-SHA1"); |
107 | req.set_field("session_type","DH-SHA1"); | 107 | req.set_field("session_type","DH-SHA1"); |
108 | direct_request(res,req,OP); | 108 | direct_request(res,req,OP); |
109 | dh_get_secret( secret, res, | 109 | dh_get_secret( secret, res, |
110 | "HMAC-SHA1", "DH-SHA1", | 110 | "HMAC-SHA1", "DH-SHA1", |
111 | dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH ); | 111 | dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH ); |
112 | expires_in = util::string_to_long(res.get_field("expires_in")); | 112 | expires_in = util::string_to_long(res.get_field("expires_in")); |
113 | }catch(bad_input&) { | 113 | }catch(bad_input&) { |
114 | throw dumb_RP(OPKELE_CP_ "OP failed to supply an association"); | 114 | throw dumb_RP(OPKELE_CP_ "OP failed to supply an association"); |
115 | } | 115 | } |
116 | } | 116 | } |
117 | return store_assoc( | 117 | return store_assoc( |
118 | OP, res.get_field("assoc_handle"), | 118 | OP, res.get_field("assoc_handle"), |
119 | res.get_field("assoc_type"), secret, | 119 | res.get_field("assoc_type"), secret, |
120 | expires_in ); | 120 | expires_in ); |
121 | } | 121 | } |
122 | 122 | ||
123 | basic_openid_message& basic_RP::checkid_( | 123 | basic_openid_message& basic_RP::checkid_( |
124 | basic_openid_message& rv, | 124 | basic_openid_message& rv, |
125 | mode_t mode, | 125 | mode_t mode, |
126 | const string& return_to,const string& realm, | 126 | const string& return_to,const string& realm, |
127 | extension_t *ext) { | 127 | extension_t *ext) { |
128 | rv.reset_fields(); | 128 | rv.reset_fields(); |
129 | rv.set_field("ns",OIURI_OPENID20); | 129 | rv.set_field("ns",OIURI_OPENID20); |
130 | if(mode==mode_checkid_immediate) | 130 | if(mode==mode_checkid_immediate) |
131 | rv.set_field("mode","checkid_immediate"); | 131 | rv.set_field("mode","checkid_immediate"); |
132 | else if(mode==mode_checkid_setup) | 132 | else if(mode==mode_checkid_setup) |
133 | rv.set_field("mode","checkid_setup"); | 133 | rv.set_field("mode","checkid_setup"); |
134 | else | 134 | else |
135 | throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); | 135 | throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); |
136 | if(realm.empty() && return_to.empty()) | 136 | if(realm.empty() && return_to.empty()) |
137 | throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty"); | 137 | throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty"); |
138 | if(!realm.empty()) { | 138 | if(!realm.empty()) { |
139 | rv.set_field("realm",realm); | 139 | rv.set_field("realm",realm); |
140 | rv.set_field("trust_root",realm); | 140 | rv.set_field("trust_root",realm); |
141 | } | 141 | } |
142 | if(!return_to.empty()) | 142 | if(!return_to.empty()) |
143 | rv.set_field("return_to",return_to); | 143 | rv.set_field("return_to",return_to); |
144 | const openid_endpoint_t& ep = get_endpoint(); | 144 | const openid_endpoint_t& ep = get_endpoint(); |
145 | rv.set_field("claimed_id",ep.claimed_id); | 145 | rv.set_field("claimed_id",ep.claimed_id); |
146 | rv.set_field("identity",ep.local_id); | 146 | rv.set_field("identity",ep.local_id); |
147 | try { | 147 | try { |
148 | rv.set_field("assoc_handle",find_assoc(ep.uri)->handle()); | 148 | rv.set_field("assoc_handle",find_assoc(ep.uri)->handle()); |
149 | }catch(dumb_RP& drp) { | 149 | }catch(dumb_RP& drp) { |
150 | }catch(failed_lookup& fl) { | 150 | }catch(failed_lookup& fl) { |
151 | try { | 151 | try { |
152 | rv.set_field("assoc_handle",associate(ep.uri)->handle()); | 152 | rv.set_field("assoc_handle",associate(ep.uri)->handle()); |
153 | }catch(dumb_RP& drp) { } | 153 | }catch(dumb_RP& drp) { } |
154 | } OPKELE_RETHROW | 154 | } OPKELE_RETHROW |
155 | if(ext) ext->rp_checkid_hook(rv); | 155 | if(ext) ext->rp_checkid_hook(rv); |
156 | return rv; | 156 | return rv; |
157 | } | 157 | } |
158 | 158 | ||
159 | class signed_part_message_proxy : public basic_openid_message { | 159 | class signed_part_message_proxy : public basic_openid_message { |
160 | public: | 160 | public: |
161 | const basic_openid_message& x; | 161 | const basic_openid_message& x; |
162 | set<string> signeds; | 162 | set<string> signeds; |
163 | 163 | ||
164 | signed_part_message_proxy(const basic_openid_message& xx) : x(xx) { | 164 | signed_part_message_proxy(const basic_openid_message& xx) : x(xx) { |
165 | const string& slist = x.get_field("signed"); | 165 | const string& slist = x.get_field("signed"); |
166 | string::size_type p = 0; | 166 | string::size_type p = 0; |
167 | while(true) { | 167 | while(true) { |
168 | string::size_type co = slist.find(',',p); | 168 | string::size_type co = slist.find(',',p); |
169 | string f = (co==string::npos) | 169 | string f = (co==string::npos) |
170 | ?slist.substr(p):slist.substr(p,co-p); | 170 | ?slist.substr(p):slist.substr(p,co-p); |
171 | signeds.insert(f); | 171 | signeds.insert(f); |
172 | if(co==string::npos) break; | 172 | if(co==string::npos) break; |
173 | p = co+1; | 173 | p = co+1; |
174 | } | 174 | } |
175 | } | 175 | } |
176 | 176 | ||
177 | bool has_field(const string& n) const { | 177 | bool has_field(const string& n) const { |
178 | return signeds.find(n)!=signeds.end() && x.has_field(n); } | 178 | return signeds.find(n)!=signeds.end() && x.has_field(n); } |
179 | const string& get_field(const string& n) const { | 179 | const string& get_field(const string& n) const { |
180 | if(signeds.find(n)==signeds.end()) | 180 | if(signeds.find(n)==signeds.end()) |
181 | throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed"); | 181 | throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed"); |
182 | return x.get_field(n); } | 182 | return x.get_field(n); } |
183 | 183 | ||
184 | fields_iterator fields_begin() const { | 184 | fields_iterator fields_begin() const { |
185 | return signeds.begin(); } | 185 | return signeds.begin(); } |
186 | fields_iterator fields_end() const { | 186 | fields_iterator fields_end() const { |
187 | return signeds.end(); } | 187 | return signeds.end(); } |
188 | }; | 188 | }; |
189 | 189 | ||
190 | static void parse_query(const string& u,string::size_type q, | 190 | static void parse_query(const string& u,string::size_type q, |
191 | map<string,string>& p) { | 191 | map<string,string>& p) { |
192 | if(q==string::npos) | 192 | if(q==string::npos) |
193 | return; | 193 | return; |
194 | assert(u[q]=='?'); | 194 | assert(u[q]=='?'); |
195 | ++q; | 195 | ++q; |
196 | string::size_type l = u.size(); | 196 | string::size_type l = u.size(); |
197 | while(q<l) { | 197 | while(q<l) { |
198 | string::size_type eq = u.find('=',q); | 198 | string::size_type eq = u.find('=',q); |
199 | string::size_type am = u.find('&',q); | 199 | string::size_type am = u.find('&',q); |
200 | if(am==string::npos) { | 200 | if(am==string::npos) { |
201 | if(eq==string::npos) { | 201 | if(eq==string::npos) { |
202 | p[""] = u.substr(q); | 202 | p[""] = u.substr(q); |
203 | }else{ | 203 | }else{ |
204 | p[u.substr(q,eq-q)] = u.substr(eq+1); | 204 | p[u.substr(q,eq-q)] = u.substr(eq+1); |
205 | } | 205 | } |
206 | break; | 206 | break; |
207 | }else{ | 207 | }else{ |
208 | if(eq==string::npos || eq>am) { | 208 | if(eq==string::npos || eq>am) { |
209 | p[""] = u.substr(q,eq-q); | 209 | p[""] = u.substr(q,eq-q); |
210 | }else{ | 210 | }else{ |
211 | p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1); | 211 | p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1); |
212 | } | 212 | } |
213 | q = ++am; | 213 | q = ++am; |
214 | } | 214 | } |
215 | } | 215 | } |
216 | } | 216 | } |
217 | 217 | ||
218 | void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) { | 218 | void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) { |
219 | reset_vars(); | 219 | reset_vars(); |
220 | bool o2 = om.has_field("ns") | 220 | bool o2 = om.has_field("ns") |
221 | && om.get_field("ns")==OIURI_OPENID20 && !om.get_field("op_endpoint").empty(); | 221 | && om.get_field("ns")==OIURI_OPENID20 |
222 | && om.has_field("op_endpoint") && !om.get_field("op_endpoint").empty(); | ||
222 | if( (!o2) && om.has_field("user_setup_url")) | 223 | if( (!o2) && om.has_field("user_setup_url")) |
223 | throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided", | 224 | throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided", |
224 | om.get_field("user_setup_url")); | 225 | om.get_field("user_setup_url")); |
225 | string m = om.get_field("mode"); | 226 | string m = om.get_field("mode"); |
226 | if(o2 && m=="setup_needed") | 227 | if(o2 && m=="setup_needed") |
227 | throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided"); | 228 | throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided"); |
228 | if(m=="cancel") | 229 | if(m=="cancel") |
229 | throw id_res_cancel(OPKELE_CP_ "authentication cancelled"); | 230 | throw id_res_cancel(OPKELE_CP_ "authentication cancelled"); |
230 | bool go_dumb=false; | 231 | bool go_dumb=false; |
231 | try { | 232 | try { |
232 | string OP = o2 | 233 | string OP = o2 |
233 | ?om.get_field("op_endpoint") | 234 | ?om.get_field("op_endpoint") |
234 | :get_endpoint().uri; | 235 | :get_endpoint().uri; |
235 | assoc_t assoc = retrieve_assoc( | 236 | assoc_t assoc = retrieve_assoc( |
236 | OP,om.get_field("assoc_handle")); | 237 | OP,om.get_field("assoc_handle")); |
237 | if(om.get_field("sig")!=util::base64_signature(assoc,om)) | 238 | if(om.get_field("sig")!=util::base64_signature(assoc,om)) |
238 | throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); | 239 | throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); |
239 | }catch(dumb_RP& drp) { | 240 | }catch(dumb_RP& drp) { |
240 | go_dumb=true; | 241 | go_dumb=true; |
241 | }catch(failed_lookup& e) { | 242 | }catch(failed_lookup& e) { |
242 | go_dumb=true; | 243 | go_dumb=true; |
243 | } OPKELE_RETHROW | 244 | } OPKELE_RETHROW |
244 | if(go_dumb) { | 245 | if(go_dumb) { |
245 | try { | 246 | try { |
246 | string OP = o2 | 247 | string OP = o2 |
247 | ?om.get_field("op_endpoint") | 248 | ?om.get_field("op_endpoint") |
248 | :get_endpoint().uri; | 249 | :get_endpoint().uri; |
249 | check_authentication(OP,om); | 250 | check_authentication(OP,om); |
250 | }catch(failed_check_authentication& fca) { | 251 | }catch(failed_check_authentication& fca) { |
251 | throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); | 252 | throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); |
252 | } OPKELE_RETHROW | 253 | } OPKELE_RETHROW |
253 | } | 254 | } |
254 | signed_part_message_proxy signeds(om); | 255 | signed_part_message_proxy signeds(om); |
255 | if(o2) { | 256 | if(o2) { |
256 | check_nonce(om.get_field("op_endpoint"), | 257 | check_nonce(om.get_field("op_endpoint"), |
257 | om.get_field("response_nonce")); | 258 | om.get_field("response_nonce")); |
258 | static const char *mustsign[] = { | 259 | static const char *mustsign[] = { |
259 | "op_endpoint", "return_to", "response_nonce", "assoc_handle", | 260 | "op_endpoint", "return_to", "response_nonce", "assoc_handle", |
260 | "claimed_id", "identity" }; | 261 | "claimed_id", "identity" }; |
261 | for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) { | 262 | for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) { |
262 | if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms])) | 263 | if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms])) |
263 | throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs"); | 264 | throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs"); |
264 | } | 265 | } |
265 | if( ( | 266 | if( ( |
266 | (om.has_field("claimed_id")?1:0) | 267 | (om.has_field("claimed_id")?1:0) |
267 | ^ | 268 | ^ |
268 | (om.has_field("identity")?1:0) | 269 | (om.has_field("identity")?1:0) |
269 | )&1 ) | 270 | )&1 ) |
270 | throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent"); | 271 | throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent"); |
271 | 272 | ||
272 | string turl = util::rfc_3986_normalize_uri(get_this_url()); | 273 | string turl = util::rfc_3986_normalize_uri(get_this_url()); |
273 | util::strip_uri_fragment_part(turl); | 274 | util::strip_uri_fragment_part(turl); |
274 | string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to")); | 275 | string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to")); |
275 | util::strip_uri_fragment_part(rurl); | 276 | util::strip_uri_fragment_part(rurl); |
276 | string::size_type | 277 | string::size_type |
277 | tq = turl.find('?'), rq = rurl.find('?'); | 278 | tq = turl.find('?'), rq = rurl.find('?'); |
278 | if( | 279 | if( |
279 | ((tq==string::npos)?turl:turl.substr(0,tq)) | 280 | ((tq==string::npos)?turl:turl.substr(0,tq)) |
280 | != | 281 | != |
281 | ((rq==string::npos)?rurl:rurl.substr(0,rq)) | 282 | ((rq==string::npos)?rurl:rurl.substr(0,rq)) |
282 | ) | 283 | ) |
283 | throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url"); | 284 | throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url"); |
284 | map<string,string> tp; parse_query(turl,tq,tp); | 285 | map<string,string> tp; parse_query(turl,tq,tp); |
285 | map<string,string> rp; parse_query(rurl,rq,rp); | 286 | map<string,string> rp; parse_query(rurl,rq,rp); |
286 | for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) { | 287 | for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) { |
287 | map<string,string>::const_iterator tpi = tp.find(rpi->first); | 288 | map<string,string>::const_iterator tpi = tp.find(rpi->first); |
288 | if(tpi==tp.end()) | 289 | if(tpi==tp.end()) |
289 | throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request"); | 290 | throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request"); |
290 | if(tpi->second!=rpi->second) | 291 | if(tpi->second!=rpi->second) |
291 | throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request"); | 292 | throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request"); |
292 | } | 293 | } |
293 | 294 | ||
294 | if(om.has_field("claimed_id")) { | 295 | if(om.has_field("claimed_id")) { |
295 | claimed_id = om.get_field("claimed_id"); | 296 | claimed_id = om.get_field("claimed_id"); |
296 | identity = om.get_field("identity"); | 297 | identity = om.get_field("identity"); |
297 | verify_OP( | 298 | verify_OP( |
298 | om.get_field("op_endpoint"), | 299 | om.get_field("op_endpoint"), |
299 | claimed_id, identity ); | 300 | claimed_id, identity ); |
300 | } | 301 | } |
301 | 302 | ||
302 | }else{ | 303 | }else{ |
303 | claimed_id = get_endpoint().claimed_id; | 304 | claimed_id = get_endpoint().claimed_id; |
304 | /* TODO: check if this is the identity we asked for */ | 305 | /* TODO: check if this is the identity we asked for */ |
305 | identity = om.get_field("identity"); | 306 | identity = om.get_field("identity"); |
306 | } | 307 | } |
307 | if(ext) ext->rp_id_res_hook(om,signeds); | 308 | if(ext) ext->rp_id_res_hook(om,signeds); |
308 | } | 309 | } |
309 | 310 | ||
310 | void basic_RP::check_authentication(const string& OP, | 311 | void basic_RP::check_authentication(const string& OP, |
311 | const basic_openid_message& om){ | 312 | const basic_openid_message& om){ |
312 | openid_message_t res; | 313 | openid_message_t res; |
313 | static const string checkauthmode = "check_authentication"; | 314 | static const string checkauthmode = "check_authentication"; |
314 | direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP); | 315 | direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP); |
315 | if(res.has_field("is_valid")) { | 316 | if(res.has_field("is_valid")) { |
316 | if(res.get_field("is_valid")=="true") { | 317 | if(res.get_field("is_valid")=="true") { |
317 | if(res.has_field("invalidate_handle")) | 318 | if(res.has_field("invalidate_handle")) |
318 | invalidate_assoc(OP,res.get_field("invalidate_handle")); | 319 | invalidate_assoc(OP,res.get_field("invalidate_handle")); |
319 | return; | 320 | return; |
320 | } | 321 | } |
321 | } | 322 | } |
322 | throw failed_check_authentication( | 323 | throw failed_check_authentication( |
323 | OPKELE_CP_ "failed to verify response"); | 324 | OPKELE_CP_ "failed to verify response"); |
324 | } | 325 | } |
325 | 326 | ||
326 | } | 327 | } |