summaryrefslogtreecommitdiffabout
Unidiff
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--lib/basic_op.cc6
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
index fa659ac..511b51a 100644
--- a/lib/basic_op.cc
+++ b/lib/basic_op.cc
@@ -107,109 +107,115 @@ namespace opkele {
107 oum.set_field("ns",OIURI_OPENID20); 107 oum.set_field("ns",OIURI_OPENID20);
108 oum.set_field("assoc_type",a->assoc_type()); 108 oum.set_field("assoc_type",a->assoc_type());
109 oum.set_field("assoc_handle",a->handle()); 109 oum.set_field("assoc_handle",a->handle());
110 oum.set_field("expires_in",util::long_to_string(a->expires_in())); 110 oum.set_field("expires_in",util::long_to_string(a->expires_in()));
111 secret_t secret = a->secret(); 111 secret_t secret = a->secret();
112 if(sts=="DH-SHA1" || sts=="DH-SHA256") { 112 if(sts=="DH-SHA1" || sts=="DH-SHA256") {
113 if(d_len != secret.size()) 113 if(d_len != secret.size())
114 throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size"); 114 throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");
115 oum.set_field("session_type",sts); 115 oum.set_field("session_type",sts);
116 oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key)); 116 oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));
117 string b64; secret.enxor_to_base64(key_digest,b64); 117 string b64; secret.enxor_to_base64(key_digest,b64);
118 oum.set_field("enc_mac_key",b64); 118 oum.set_field("enc_mac_key",b64);
119 }else /* TODO: support cleartext over encrypted connection */ 119 }else /* TODO: support cleartext over encrypted connection */
120 throw unsupported(OPKELE_CP_ "Unsupported session type"); 120 throw unsupported(OPKELE_CP_ "Unsupported session type");
121 return oum; 121 return oum;
122 } catch(unsupported& u) { 122 } catch(unsupported& u) {
123 oum.reset_fields(); 123 oum.reset_fields();
124 oum.set_field("ns",OIURI_OPENID20); 124 oum.set_field("ns",OIURI_OPENID20);
125 oum.set_field("error",u.what()); 125 oum.set_field("error",u.what());
126 oum.set_field("error_code","unsupported-type"); 126 oum.set_field("error_code","unsupported-type");
127 oum.set_field("session_type","DH-SHA256"); 127 oum.set_field("session_type","DH-SHA256");
128 oum.set_field("assoc_type","HMAC-SHA256"); 128 oum.set_field("assoc_type","HMAC-SHA256");
129 return oum; 129 return oum;
130 } 130 }
131 131
132 void basic_OP::checkid_(const basic_openid_message& inm, 132 void basic_OP::checkid_(const basic_openid_message& inm,
133 extension_t *ext) { 133 extension_t *ext) {
134 reset_vars(); 134 reset_vars();
135 string modestr = inm.get_field("mode"); 135 string modestr = inm.get_field("mode");
136 if(modestr=="checkid_setup") 136 if(modestr=="checkid_setup")
137 mode = mode_checkid_setup; 137 mode = mode_checkid_setup;
138 else if(modestr=="checkid_immediate") 138 else if(modestr=="checkid_immediate")
139 mode = mode_checkid_immediate; 139 mode = mode_checkid_immediate;
140 else 140 else
141 throw bad_input(OPKELE_CP_ "Invalid checkid_* mode"); 141 throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");
142 try { 142 try {
143 assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle")); 143 assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));
144 invalidate_handle.clear(); 144 invalidate_handle.clear();
145 }catch(failed_lookup&) { } 145 }catch(failed_lookup&) { }
146 try { 146 try {
147 openid2 = (inm.get_field("ns")==OIURI_OPENID20); 147 openid2 = (inm.get_field("ns")==OIURI_OPENID20);
148 }catch(failed_lookup&) { openid2 = false; } 148 }catch(failed_lookup&) { openid2 = false; }
149 try { 149 try {
150 return_to = inm.get_field("return_to"); 150 return_to = inm.get_field("return_to");
151 }catch(failed_lookup&) { } 151 }catch(failed_lookup&) { }
152 if(openid2) { 152 if(openid2) {
153 try { 153 try {
154 realm = inm.get_field("realm"); 154 realm = inm.get_field("realm");
155 if(realm.empty())
156 throw failed_lookup(OPKELE_CP_ "Empty realm doesn't count");
155 }catch(failed_lookup&) { 157 }catch(failed_lookup&) {
156 try { 158 try {
157 realm = inm.get_field("trust_root"); 159 realm = inm.get_field("trust_root");
160 if(realm.empty())
161 throw failed_lookup(OPKELE_CP_ "Empty trust_root doesn't count");
158 }catch(failed_lookup&) { 162 }catch(failed_lookup&) {
159 if(return_to.empty()) 163 if(return_to.empty())
160 throw bad_input(OPKELE_CP_ 164 throw bad_input(OPKELE_CP_
161 "Both realm and return_to are unset"); 165 "Both realm and return_to are unset");
162 realm = return_to; 166 realm = return_to;
163 } 167 }
164 } 168 }
165 }else{ 169 }else{
166 try { 170 try {
167 realm = inm.get_field("trust_root"); 171 realm = inm.get_field("trust_root");
172 if(realm.empty())
173 throw failed_lookup(OPKELE_CP_ "Empty trust_root doesn't count");
168 }catch(failed_lookup&) { 174 }catch(failed_lookup&) {
169 if(return_to.empty()) 175 if(return_to.empty())
170 throw bad_input(OPKELE_CP_ 176 throw bad_input(OPKELE_CP_
171 "Both realm and return_to are unset"); 177 "Both realm and return_to are unset");
172 realm = return_to; 178 realm = return_to;
173 } 179 }
174 } 180 }
175 try { 181 try {
176 identity = inm.get_field("identity"); 182 identity = inm.get_field("identity");
177 try { 183 try {
178 claimed_id = inm.get_field("claimed_id"); 184 claimed_id = inm.get_field("claimed_id");
179 }catch(failed_lookup&) { 185 }catch(failed_lookup&) {
180 if(openid2) 186 if(openid2)
181 throw bad_input(OPKELE_CP_ 187 throw bad_input(OPKELE_CP_
182 "claimed_id and identity must be either both present or both absent"); 188 "claimed_id and identity must be either both present or both absent");
183 claimed_id = identity; 189 claimed_id = identity;
184 } 190 }
185 }catch(failed_lookup&) { 191 }catch(failed_lookup&) {
186 if(openid2 && inm.has_field("claimed_id")) 192 if(openid2 && inm.has_field("claimed_id"))
187 throw bad_input(OPKELE_CP_ 193 throw bad_input(OPKELE_CP_
188 "claimed_id and identity must be either both present or both absent"); 194 "claimed_id and identity must be either both present or both absent");
189 } 195 }
190 verify_return_to(); 196 verify_return_to();
191 if(ext) ext->op_checkid_hook(inm); 197 if(ext) ext->op_checkid_hook(inm);
192 } 198 }
193 199
194 basic_openid_message& basic_OP::id_res(basic_openid_message& om, 200 basic_openid_message& basic_OP::id_res(basic_openid_message& om,
195 extension_t *ext) { 201 extension_t *ext) {
196 assert(!return_to.empty()); 202 assert(!return_to.empty());
197 assert(!is_id_select()); 203 assert(!is_id_select());
198 if(!assoc) { 204 if(!assoc) {
199 assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true); 205 assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true);
200 } 206 }
201 time_t now = time(0); 207 time_t now = time(0);
202 struct tm gmt; gmtime_r(&now,&gmt); 208 struct tm gmt; gmtime_r(&now,&gmt);
203 char w3timestr[24]; 209 char w3timestr[24];
204 if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt)) 210 if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt))
205 throw failed_conversion(OPKELE_CP_ 211 throw failed_conversion(OPKELE_CP_
206 "Failed to build time string for nonce" ); 212 "Failed to build time string for nonce" );
207 om.set_field("ns",OIURI_OPENID20); 213 om.set_field("ns",OIURI_OPENID20);
208 om.set_field("mode","id_res"); 214 om.set_field("mode","id_res");
209 om.set_field("op_endpoint",get_op_endpoint()); 215 om.set_field("op_endpoint",get_op_endpoint());
210 string ats = "ns,mode,op_endpoint,return_to,response_nonce," 216 string ats = "ns,mode,op_endpoint,return_to,response_nonce,"
211 "assoc_handle,signed"; 217 "assoc_handle,signed";
212 if(!identity.empty()) { 218 if(!identity.empty()) {
213 om.set_field("identity",identity); 219 om.set_field("identity",identity);
214 om.set_field("claimed_id",claimed_id); 220 om.set_field("claimed_id",claimed_id);
215 ats += ",identity,claimed_id"; 221 ats += ",identity,claimed_id";