summaryrefslogtreecommitdiffabout
Side-by-side diff
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--lib/basic_rp.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index 9c7113b..bc1fb7f 100644
--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -244,84 +244,84 @@ namespace opkele {
} OPKELE_RETHROW
if(go_dumb) {
try {
string OP = o2
?om.get_field("op_endpoint")
:get_endpoint().uri;
check_authentication(OP,om);
}catch(failed_check_authentication& fca) {
throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
} OPKELE_RETHROW
}
signed_part_message_proxy signeds(om);
if(o2) {
check_nonce(om.get_field("op_endpoint"),
om.get_field("response_nonce"));
static const char *mustsign[] = {
"op_endpoint", "return_to", "response_nonce", "assoc_handle",
"claimed_id", "identity" };
for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
}
if( (
(om.has_field("claimed_id")?1:0)
^
(om.has_field("identity")?1:0)
)&1 )
throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
string turl = util::rfc_3986_normalize_uri(get_this_url());
util::strip_uri_fragment_part(turl);
string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
util::strip_uri_fragment_part(rurl);
string::size_type
tq = turl.find('?'), rq = rurl.find('?');
if(
((tq==string::npos)?turl:turl.substr(0,tq))
!=
((rq==string::npos)?rurl:rurl.substr(0,rq))
)
throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
map<string,string> tp; parse_query(turl,tq,tp);
map<string,string> rp; parse_query(rurl,rq,rp);
for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
map<string,string>::const_iterator tpi = tp.find(rpi->first);
if(tpi==tp.end())
throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
if(tpi->second!=rpi->second)
- throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
+ throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't match the request");
}
if(om.has_field("claimed_id")) {
claimed_id = om.get_field("claimed_id");
identity = om.get_field("identity");
verify_OP(
om.get_field("op_endpoint"),
claimed_id, identity );
}
}else{
claimed_id = get_endpoint().claimed_id;
/* TODO: check if this is the identity we asked for */
identity = om.get_field("identity");
}
if(ext) ext->rp_id_res_hook(om,signeds);
}
void basic_RP::check_authentication(const string& OP,
const basic_openid_message& om){
openid_message_t res;
static const string checkauthmode = "check_authentication";
direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);
if(res.has_field("is_valid")) {
if(res.get_field("is_valid")=="true") {
if(res.has_field("invalidate_handle"))
invalidate_assoc(OP,res.get_field("invalidate_handle"));
return;
}
}
throw failed_check_authentication(
OPKELE_CP_ "failed to verify response");
}
}