| -rw-r--r-- | lib/basic_rp.cc | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc index 763a391..2da8416 100644 --- a/lib/basic_rp.cc +++ b/lib/basic_rp.cc | |||
| @@ -12,9 +12,10 @@ namespace opkele { | |||
| 12 | static void dh_get_secret( | 12 | static void dh_get_secret( |
| 13 | secret_t& secret, const basic_openid_message& om, | 13 | secret_t& secret, const basic_openid_message& om, |
| 14 | const char *exp_assoc, const char *exp_sess, | 14 | const char *exp_assoc, const char *exp_sess, |
| 15 | util::dh_t& dh, | 15 | util::dh_t& dh, |
| 16 | size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*) ) try { | 16 | size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*), |
| 17 | size_t exp_s_len) try { | ||
| 17 | if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess) | 18 | if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess) |
| 18 | throw bad_input(OPKELE_CP_ "Unexpected associate response"); | 19 | throw bad_input(OPKELE_CP_ "Unexpected associate response"); |
| 19 | util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public")); | 20 | util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public")); |
| 20 | vector<unsigned char> ck(DH_size(dh)+1); | 21 | vector<unsigned char> ck(DH_size(dh)+1); |
| @@ -25,8 +26,10 @@ namespace opkele { | |||
| 25 | if(cklen && (*ckptr)&0x80) { | 26 | if(cklen && (*ckptr)&0x80) { |
| 26 | (*(--ckptr))=0; ++cklen; } | 27 | (*(--ckptr))=0; ++cklen; } |
| 27 | unsigned char key_digest[d_len]; | 28 | unsigned char key_digest[d_len]; |
| 28 | secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key")); | 29 | secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key")); |
| 30 | if(secret.size()!=exp_s_len) | ||
| 31 | throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type"); | ||
| 29 | }catch(opkele::failed_lookup& ofl) { | 32 | }catch(opkele::failed_lookup& ofl) { |
| 30 | throw bad_input(OPKELE_CP_ "Incoherent response from OP"); | 33 | throw bad_input(OPKELE_CP_ "Incoherent response from OP"); |
| 31 | } OPKELE_RETHROW | 34 | } OPKELE_RETHROW |
| 32 | 35 | ||
| @@ -72,18 +75,18 @@ namespace opkele { | |||
| 72 | try { | 75 | try { |
| 73 | direct_request(res,req,OP); | 76 | direct_request(res,req,OP); |
| 74 | dh_get_secret( secret, res, | 77 | dh_get_secret( secret, res, |
| 75 | "HMAC-SHA256", "DH-SHA256", | 78 | "HMAC-SHA256", "DH-SHA256", |
| 76 | dh, SHA256_DIGEST_LENGTH, SHA256 ); | 79 | dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH ); |
| 77 | expires_in = util::string_to_long(res.get_field("expires_in")); | 80 | expires_in = util::string_to_long(res.get_field("expires_in")); |
| 78 | }catch(exception& e) { | 81 | }catch(exception& e) { |
| 79 | try { | 82 | try { |
| 80 | req.set_field("assoc_type","HMAC-SHA1"); | 83 | req.set_field("assoc_type","HMAC-SHA1"); |
| 81 | req.set_field("session_type","DH-SHA1"); | 84 | req.set_field("session_type","DH-SHA1"); |
| 82 | direct_request(res,req,OP); | 85 | direct_request(res,req,OP); |
| 83 | dh_get_secret( secret, res, | 86 | dh_get_secret( secret, res, |
| 84 | "HMAC-SHA1", "DH-SHA1", | 87 | "HMAC-SHA1", "DH-SHA1", |
| 85 | dh, SHA_DIGEST_LENGTH, SHA1 ); | 88 | dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH ); |
| 86 | expires_in = util::string_to_long(res.get_field("expires_in")); | 89 | expires_in = util::string_to_long(res.get_field("expires_in")); |
| 87 | }catch(bad_input& e) { | 90 | }catch(bad_input& e) { |
| 88 | throw dumb_RP(OPKELE_CP_ "OP failed to supply an association"); | 91 | throw dumb_RP(OPKELE_CP_ "OP failed to supply an association"); |
| 89 | } | 92 | } |