1 files changed, 2 insertions, 2 deletions
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index a884583..bd45d99 100644
--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -1,297 +1,297 @@
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <opkele/basic_rp.h>
 #include <opkele/exception.h>
 #include <opkele/uris.h>
 #include <opkele/data.h>
 #include <opkele/util.h>
 #include <opkele/curl.h>
 namespace opkele {
    static void dh_get_secret(
            secret_t& secret, const basic_openid_message& om,
            const char *exp_assoc, const char *exp_sess,
            util::dh_t& dh,
            size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*),
            size_t exp_s_len) try {
        if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
            throw bad_input(OPKELE_CP_ "Unexpected associate response");
        util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
        vector<unsigned char> ck(DH_size(dh)+1);
        unsigned char *ckptr = &(ck.front())+1;
        int cklen = DH_compute_key(ckptr,s_pub,dh);
        if(cklen<0)
            throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
        if(cklen && (*ckptr)&0x80) {
            (*(--ckptr))=0; ++cklen; }
        unsigned char key_digest[d_len];
        secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
        if(secret.size()!=exp_s_len)
            throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");
    }catch(opkele::failed_lookup& ofl) {
        throw bad_input(OPKELE_CP_ "Incoherent response from OP");
    } OPKELE_RETHROW
    static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
        util::curl_pick_t curl = util::curl_pick_t::easy_init();
        if(!curl)
            throw exception_curl(OPKELE_CP_ "failed to initialize curl");
        string request = inm.query_string();
        CURLcode r;
        (r=curl.misc_sets())
            || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
            || (r=curl.easy_setopt(CURLOPT_POST,1))
            || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
            || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
            || (r=curl.set_write());
        if(r)
            throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
        if( (r=curl.easy_perform()) )
            throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
        oum.from_keyvalues(curl.response);
    }
    assoc_t basic_RP::associate(const string& OP) {
        util::dh_t dh = DH_new();
        if(!dh)
            throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
        dh->p = util::dec_to_bignum(data::_default_p);
        dh->g = util::dec_to_bignum(data::_default_g);
        if(!DH_generate_key(dh))
            throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
        openid_message_t req;
        req.set_field("ns",OIURI_OPENID20);
        req.set_field("mode","associate");
        req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
        req.set_field("dh_gen",util::bignum_to_base64(dh->g));
        req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
        openid_message_t res;
        req.set_field("assoc_type","HMAC-SHA256");
        req.set_field("session_type","DH-SHA256");
        secret_t secret;
        int expires_in;
        try {
            direct_request(res,req,OP);
            dh_get_secret( secret, res,
                    "HMAC-SHA256", "DH-SHA256",
                    dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH );
            expires_in = util::string_to_long(res.get_field("expires_in"));
        }catch(exception& e) {
            try {
                req.set_field("assoc_type","HMAC-SHA1");
                req.set_field("session_type","DH-SHA1");
                direct_request(res,req,OP);
                dh_get_secret( secret, res,
                        "HMAC-SHA1", "DH-SHA1",
                        dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH );
                expires_in = util::string_to_long(res.get_field("expires_in"));
            }catch(bad_input& e) {
                throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
            }
        }
        return store_assoc(
                OP, res.get_field("assoc_handle"),
                res.get_field("assoc_type"), secret,
                expires_in );
    }
    basic_openid_message& basic_RP::checkid_(
            basic_openid_message& rv,
            mode_t mode,
            const string& return_to,const string& realm,
            extension_t *ext) {
        rv.reset_fields();
        rv.set_field("ns",OIURI_OPENID20);
        if(mode==mode_checkid_immediate)
            rv.set_field("mode","checkid_immediate");
        else if(mode==mode_checkid_setup)
            rv.set_field("mode","checkid_setup");
        else
            throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
        if(realm.empty() && return_to.empty())
            throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
        if(!realm.empty()) {
            rv.set_field("realm",realm);
            rv.set_field("trust_root",realm);
        }
        if(!return_to.empty())
            rv.set_field("return_to",return_to);
        const openid_endpoint_t& ep = get_endpoint();
        rv.set_field("claimed_id",ep.claimed_id);
        rv.set_field("identity",ep.local_id);
        try {
            rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());
        }catch(dumb_RP& drp) {
        }catch(failed_lookup& fl) {
            try {
                rv.set_field("assoc_handle",associate(ep.uri)->handle());
            }catch(dumb_RP& drp) { }
        } OPKELE_RETHROW
-        if(ext) ext->checkid_hook(rv);
+        if(ext) ext->rp_checkid_hook(rv);
        return rv;
    }
    class signed_part_message_proxy : public basic_openid_message {
        public:
            const basic_openid_message& x;
            set<string> signeds;
            signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {
                const string& slist = x.get_field("signed");
                string::size_type p = 0;
                while(true) {
                    string::size_type co = slist.find(',',p);
                    string f = (co==string::npos)
                        ?slist.substr(p):slist.substr(p,co-p);
                    signeds.insert(f);
                    if(co==string::npos) break;
                    p = co+1;
                }
            }
            bool has_field(const string& n) const {
                return signeds.find(n)!=signeds.end() && x.has_field(n); }
            const string& get_field(const string& n) const {
                if(signeds.find(n)==signeds.end())
                    throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");
                return x.get_field(n); }
            fields_iterator fields_begin() const {
                return signeds.begin(); }
            fields_iterator fields_end() const {
                return signeds.end(); }
    };
    static void parse_query(const string& u,string::size_type q,
            map<string,string>& p) {
        if(q==string::npos)
            return;
        assert(u[q]=='?');
        ++q;
        string::size_type l = u.size();
        while(q<l) {
            string::size_type eq = u.find('=',q);
            string::size_type am = u.find('&',q);
            if(am==string::npos) {
                if(eq==string::npos) {
                    p[""] = u.substr(q);
                }else{
                    p[u.substr(q,eq-q)] = u.substr(eq+1);
                }
                break;
            }else{
                if(eq==string::npos || eq>am) {
                    p[""] = u.substr(q,eq-q);
                }else{
                    p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
                }
                q = ++am;
            }
        }
    }
    void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
        bool o2 = om.has_field("ns")
            && om.get_field("ns")==OIURI_OPENID20;
        if( (!o2) && om.has_field("user_setup_url"))
            throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
                    om.get_field("user_setup_url"));
        string m = om.get_field("mode");
        if(o2 && m=="setup_needed")
            throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
        if(m=="cancel")
            throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
        bool go_dumb=false;
        try {
            string OP = o2
                ?om.get_field("op_endpoint")
                :get_endpoint().uri;
            assoc_t assoc = retrieve_assoc(
                    OP,om.get_field("assoc_handle"));
            if(om.get_field("sig")!=util::base64_signature(assoc,om))
                throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
        }catch(dumb_RP& drp) {
            go_dumb=true;
        }catch(failed_lookup& e) {
            go_dumb=true;
        } OPKELE_RETHROW
        if(go_dumb) {
            try {
                string OP = o2
                    ?om.get_field("op_endpoint")
                    :get_endpoint().uri;
                check_authentication(OP,om);
            }catch(failed_check_authentication& fca) {
                throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
            } OPKELE_RETHROW
        }
        signed_part_message_proxy signeds(om);
        if(o2) {
            check_nonce(om.get_field("op_endpoint"),
                    om.get_field("response_nonce"));
            static const char *mustsign[] = {
                "op_endpoint", "return_to", "response_nonce", "assoc_handle",
                "claimed_id", "identity" };
            for(int ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
                if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
                    throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
            }
            if( (
                    (om.has_field("claimed_id")?1:0)
                    ^
                    (om.has_field("identity")?1:0)
                )&1 )
                throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
            string turl = util::rfc_3986_normalize_uri(get_this_url());
            util::strip_uri_fragment_part(turl);
            string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
            util::strip_uri_fragment_part(rurl);
            string::size_type
                tq = turl.find('?'), rq = rurl.find('?');
            if(
                    ((tq==string::npos)?turl:turl.substr(0,tq))
                    !=
                    ((rq==string::npos)?rurl:rurl.substr(0,rq))
              )
                throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
            map<string,string> tp; parse_query(turl,tq,tp);
            map<string,string> rp; parse_query(rurl,rq,rp);
            for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
                map<string,string>::const_iterator tpi = tp.find(rpi->first);
                if(tpi==tp.end())
                    throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
                if(tpi->second!=rpi->second)
                    throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
            }
            if(om.has_field("claimed_id")) {
                verify_OP(
                        om.get_field("op_endpoint"),
                        om.get_field("claimed_id"),
                        om.get_field("identity") );
            }
        }
-        if(ext) ext->id_res_hook(om,signeds);
+        if(ext) ext->rp_id_res_hook(om,signeds);
    }
    void basic_RP::check_authentication(const string& OP,
            const basic_openid_message& om){
        openid_message_t res;
        static const string checkauthmode = "check_authentication";
        direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);
        if(res.has_field("is_valid")) {
            if(res.get_field("is_valid")=="true") {
                if(res.has_field("invalidate_handle"))
                    invalidate_assoc(OP,res.get_field("invalidate_handle"));
                return;
            }
        }
        throw failed_check_authentication(
                OPKELE_CP_ "failed to verify response");
    }
 }

diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc index a884583..bd45d99 100644 --- a/lib/basic_rp.cc +++ b/lib/basic_rp.cc
@@ -1,297 +1,297 @@
1	#include <openssl/sha.h>	1	#include <openssl/sha.h>
2	#include <openssl/hmac.h>	2	#include <openssl/hmac.h>
3	#include <opkele/basic_rp.h>	3	#include <opkele/basic_rp.h>
4	#include <opkele/exception.h>	4	#include <opkele/exception.h>
5	#include <opkele/uris.h>	5	#include <opkele/uris.h>
6	#include <opkele/data.h>	6	#include <opkele/data.h>
7	#include <opkele/util.h>	7	#include <opkele/util.h>
8	#include <opkele/curl.h>	8	#include <opkele/curl.h>
9		9
10	namespace opkele {	10	namespace opkele {
11		11
12	static void dh_get_secret(	12	static void dh_get_secret(
13	secret_t& secret, const basic_openid_message& om,	13	secret_t& secret, const basic_openid_message& om,
14	const char exp_assoc, const char exp_sess,	14	const char exp_assoc, const char exp_sess,
15	util::dh_t& dh,	15	util::dh_t& dh,
16	size_t d_len, unsigned char (d_fun)(const unsigned char,size_t,unsigned char),	16	size_t d_len, unsigned char (d_fun)(const unsigned char,size_t,unsigned char),
17	size_t exp_s_len) try {	17	size_t exp_s_len) try {
18	if(om.get_field("assoc_type")!=exp_assoc \|\| om.get_field("session_type")!=exp_sess)	18	if(om.get_field("assoc_type")!=exp_assoc \|\| om.get_field("session_type")!=exp_sess)
19	throw bad_input(OPKELE_CP_ "Unexpected associate response");	19	throw bad_input(OPKELE_CP_ "Unexpected associate response");
20	util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));	20	util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
21	vector<unsigned char> ck(DH_size(dh)+1);	21	vector<unsigned char> ck(DH_size(dh)+1);
22	unsigned char *ckptr = &(ck.front())+1;	22	unsigned char *ckptr = &(ck.front())+1;
23	int cklen = DH_compute_key(ckptr,s_pub,dh);	23	int cklen = DH_compute_key(ckptr,s_pub,dh);
24	if(cklen<0)	24	if(cklen<0)
25	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");	25	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
26	if(cklen && (*ckptr)&0x80) {	26	if(cklen && (*ckptr)&0x80) {
27	(*(--ckptr))=0; ++cklen; }	27	(*(--ckptr))=0; ++cklen; }
28	unsigned char key_digest[d_len];	28	unsigned char key_digest[d_len];
29	secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));	29	secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
30	if(secret.size()!=exp_s_len)	30	if(secret.size()!=exp_s_len)
31	throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");	31	throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");
32	}catch(opkele::failed_lookup& ofl) {	32	}catch(opkele::failed_lookup& ofl) {
33	throw bad_input(OPKELE_CP_ "Incoherent response from OP");	33	throw bad_input(OPKELE_CP_ "Incoherent response from OP");
34	} OPKELE_RETHROW	34	} OPKELE_RETHROW
35		35
36	static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {	36	static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
37	util::curl_pick_t curl = util::curl_pick_t::easy_init();	37	util::curl_pick_t curl = util::curl_pick_t::easy_init();
38	if(!curl)	38	if(!curl)
39	throw exception_curl(OPKELE_CP_ "failed to initialize curl");	39	throw exception_curl(OPKELE_CP_ "failed to initialize curl");
40	string request = inm.query_string();	40	string request = inm.query_string();
41	CURLcode r;	41	CURLcode r;
42	(r=curl.misc_sets())	42	(r=curl.misc_sets())
43	\|\| (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))	43	\|\| (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
44	\|\| (r=curl.easy_setopt(CURLOPT_POST,1))	44	\|\| (r=curl.easy_setopt(CURLOPT_POST,1))
45	\|\| (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))	45	\|\| (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
46	\|\| (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))	46	\|\| (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
47	\|\| (r=curl.set_write());	47	\|\| (r=curl.set_write());
48	if(r)	48	if(r)
49	throw exception_curl(OPKELE_CP_ "failed to set curly options",r);	49	throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
50	if( (r=curl.easy_perform()) )	50	if( (r=curl.easy_perform()) )
51	throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);	51	throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
52	oum.from_keyvalues(curl.response);	52	oum.from_keyvalues(curl.response);
53	}	53	}
54		54
55		55
56	assoc_t basic_RP::associate(const string& OP) {	56	assoc_t basic_RP::associate(const string& OP) {
57	util::dh_t dh = DH_new();	57	util::dh_t dh = DH_new();
58	if(!dh)	58	if(!dh)
59	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");	59	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
60	dh->p = util::dec_to_bignum(data::_default_p);	60	dh->p = util::dec_to_bignum(data::_default_p);
61	dh->g = util::dec_to_bignum(data::_default_g);	61	dh->g = util::dec_to_bignum(data::_default_g);
62	if(!DH_generate_key(dh))	62	if(!DH_generate_key(dh))
63	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");	63	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
64	openid_message_t req;	64	openid_message_t req;
65	req.set_field("ns",OIURI_OPENID20);	65	req.set_field("ns",OIURI_OPENID20);
66	req.set_field("mode","associate");	66	req.set_field("mode","associate");
67	req.set_field("dh_modulus",util::bignum_to_base64(dh->p));	67	req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
68	req.set_field("dh_gen",util::bignum_to_base64(dh->g));	68	req.set_field("dh_gen",util::bignum_to_base64(dh->g));
69	req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));	69	req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
70	openid_message_t res;	70	openid_message_t res;
71	req.set_field("assoc_type","HMAC-SHA256");	71	req.set_field("assoc_type","HMAC-SHA256");
72	req.set_field("session_type","DH-SHA256");	72	req.set_field("session_type","DH-SHA256");
73	secret_t secret;	73	secret_t secret;
74	int expires_in;	74	int expires_in;
75	try {	75	try {
76	direct_request(res,req,OP);	76	direct_request(res,req,OP);
77	dh_get_secret( secret, res,	77	dh_get_secret( secret, res,
78	"HMAC-SHA256", "DH-SHA256",	78	"HMAC-SHA256", "DH-SHA256",
79	dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH );	79	dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH );
80	expires_in = util::string_to_long(res.get_field("expires_in"));	80	expires_in = util::string_to_long(res.get_field("expires_in"));
81	}catch(exception& e) {	81	}catch(exception& e) {
82	try {	82	try {
83	req.set_field("assoc_type","HMAC-SHA1");	83	req.set_field("assoc_type","HMAC-SHA1");
84	req.set_field("session_type","DH-SHA1");	84	req.set_field("session_type","DH-SHA1");
85	direct_request(res,req,OP);	85	direct_request(res,req,OP);
86	dh_get_secret( secret, res,	86	dh_get_secret( secret, res,
87	"HMAC-SHA1", "DH-SHA1",	87	"HMAC-SHA1", "DH-SHA1",
88	dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH );	88	dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH );
89	expires_in = util::string_to_long(res.get_field("expires_in"));	89	expires_in = util::string_to_long(res.get_field("expires_in"));
90	}catch(bad_input& e) {	90	}catch(bad_input& e) {
91	throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");	91	throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
92	}	92	}
93	}	93	}
94	return store_assoc(	94	return store_assoc(
95	OP, res.get_field("assoc_handle"),	95	OP, res.get_field("assoc_handle"),
96	res.get_field("assoc_type"), secret,	96	res.get_field("assoc_type"), secret,
97	expires_in );	97	expires_in );
98	}	98	}
99		99
100	basic_openid_message& basic_RP::checkid_(	100	basic_openid_message& basic_RP::checkid_(
101	basic_openid_message& rv,	101	basic_openid_message& rv,
102	mode_t mode,	102	mode_t mode,
103	const string& return_to,const string& realm,	103	const string& return_to,const string& realm,
104	extension_t *ext) {	104	extension_t *ext) {
105	rv.reset_fields();	105	rv.reset_fields();
106	rv.set_field("ns",OIURI_OPENID20);	106	rv.set_field("ns",OIURI_OPENID20);
107	if(mode==mode_checkid_immediate)	107	if(mode==mode_checkid_immediate)
108	rv.set_field("mode","checkid_immediate");	108	rv.set_field("mode","checkid_immediate");
109	else if(mode==mode_checkid_setup)	109	else if(mode==mode_checkid_setup)
110	rv.set_field("mode","checkid_setup");	110	rv.set_field("mode","checkid_setup");
111	else	111	else
112	throw bad_input(OPKELE_CP_ "unknown checkid_* mode");	112	throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
113	if(realm.empty() && return_to.empty())	113	if(realm.empty() && return_to.empty())
114	throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");	114	throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
115	if(!realm.empty()) {	115	if(!realm.empty()) {
116	rv.set_field("realm",realm);	116	rv.set_field("realm",realm);
117	rv.set_field("trust_root",realm);	117	rv.set_field("trust_root",realm);
118	}	118	}
119	if(!return_to.empty())	119	if(!return_to.empty())
120	rv.set_field("return_to",return_to);	120	rv.set_field("return_to",return_to);
121	const openid_endpoint_t& ep = get_endpoint();	121	const openid_endpoint_t& ep = get_endpoint();
122	rv.set_field("claimed_id",ep.claimed_id);	122	rv.set_field("claimed_id",ep.claimed_id);
123	rv.set_field("identity",ep.local_id);	123	rv.set_field("identity",ep.local_id);
124	try {	124	try {
125	rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());	125	rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());
126	}catch(dumb_RP& drp) {	126	}catch(dumb_RP& drp) {
127	}catch(failed_lookup& fl) {	127	}catch(failed_lookup& fl) {
128	try {	128	try {
129	rv.set_field("assoc_handle",associate(ep.uri)->handle());	129	rv.set_field("assoc_handle",associate(ep.uri)->handle());
130	}catch(dumb_RP& drp) { }	130	}catch(dumb_RP& drp) { }
131	} OPKELE_RETHROW	131	} OPKELE_RETHROW
132	if(ext) ext->checkid_hook(rv);	132	if(ext) ext->rp_checkid_hook(rv);
133	return rv;	133	return rv;
134	}	134	}
135		135
136	class signed_part_message_proxy : public basic_openid_message {	136	class signed_part_message_proxy : public basic_openid_message {
137	public:	137	public:
138	const basic_openid_message& x;	138	const basic_openid_message& x;
139	set<string> signeds;	139	set<string> signeds;
140		140
141	signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {	141	signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {
142	const string& slist = x.get_field("signed");	142	const string& slist = x.get_field("signed");
143	string::size_type p = 0;	143	string::size_type p = 0;
144	while(true) {	144	while(true) {
145	string::size_type co = slist.find(',',p);	145	string::size_type co = slist.find(',',p);
146	string f = (co==string::npos)	146	string f = (co==string::npos)
147	?slist.substr(p):slist.substr(p,co-p);	147	?slist.substr(p):slist.substr(p,co-p);
148	signeds.insert(f);	148	signeds.insert(f);
149	if(co==string::npos) break;	149	if(co==string::npos) break;
150	p = co+1;	150	p = co+1;
151	}	151	}
152	}	152	}
153		153
154	bool has_field(const string& n) const {	154	bool has_field(const string& n) const {
155	return signeds.find(n)!=signeds.end() && x.has_field(n); }	155	return signeds.find(n)!=signeds.end() && x.has_field(n); }
156	const string& get_field(const string& n) const {	156	const string& get_field(const string& n) const {
157	if(signeds.find(n)==signeds.end())	157	if(signeds.find(n)==signeds.end())
158	throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");	158	throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");
159	return x.get_field(n); }	159	return x.get_field(n); }
160		160
161	fields_iterator fields_begin() const {	161	fields_iterator fields_begin() const {
162	return signeds.begin(); }	162	return signeds.begin(); }
163	fields_iterator fields_end() const {	163	fields_iterator fields_end() const {
164	return signeds.end(); }	164	return signeds.end(); }
165	};	165	};
166		166
167	static void parse_query(const string& u,string::size_type q,	167	static void parse_query(const string& u,string::size_type q,
168	map<string,string>& p) {	168	map<string,string>& p) {
169	if(q==string::npos)	169	if(q==string::npos)
170	return;	170	return;
171	assert(u[q]=='?');	171	assert(u[q]=='?');
172	++q;	172	++q;
173	string::size_type l = u.size();	173	string::size_type l = u.size();
174	while(q<l) {	174	while(q<l) {
175	string::size_type eq = u.find('=',q);	175	string::size_type eq = u.find('=',q);
176	string::size_type am = u.find('&',q);	176	string::size_type am = u.find('&',q);
177	if(am==string::npos) {	177	if(am==string::npos) {
178	if(eq==string::npos) {	178	if(eq==string::npos) {
179	p[""] = u.substr(q);	179	p[""] = u.substr(q);
180	}else{	180	}else{
181	p[u.substr(q,eq-q)] = u.substr(eq+1);	181	p[u.substr(q,eq-q)] = u.substr(eq+1);
182	}	182	}
183	break;	183	break;
184	}else{	184	}else{
185	if(eq==string::npos \|\| eq>am) {	185	if(eq==string::npos \|\| eq>am) {
186	p[""] = u.substr(q,eq-q);	186	p[""] = u.substr(q,eq-q);
187	}else{	187	}else{
188	p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);	188	p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
189	}	189	}
190	q = ++am;	190	q = ++am;
191	}	191	}
192	}	192	}
193	}	193	}
194		194
195	void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {	195	void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
196	bool o2 = om.has_field("ns")	196	bool o2 = om.has_field("ns")
197	&& om.get_field("ns")==OIURI_OPENID20;	197	&& om.get_field("ns")==OIURI_OPENID20;
198	if( (!o2) && om.has_field("user_setup_url"))	198	if( (!o2) && om.has_field("user_setup_url"))
199	throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",	199	throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
200	om.get_field("user_setup_url"));	200	om.get_field("user_setup_url"));
201	string m = om.get_field("mode");	201	string m = om.get_field("mode");
202	if(o2 && m=="setup_needed")	202	if(o2 && m=="setup_needed")
203	throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");	203	throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
204	if(m=="cancel")	204	if(m=="cancel")
205	throw id_res_cancel(OPKELE_CP_ "authentication cancelled");	205	throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
206	bool go_dumb=false;	206	bool go_dumb=false;
207	try {	207	try {
208	string OP = o2	208	string OP = o2
209	?om.get_field("op_endpoint")	209	?om.get_field("op_endpoint")
210	:get_endpoint().uri;	210	:get_endpoint().uri;
211	assoc_t assoc = retrieve_assoc(	211	assoc_t assoc = retrieve_assoc(
212	OP,om.get_field("assoc_handle"));	212	OP,om.get_field("assoc_handle"));
213	if(om.get_field("sig")!=util::base64_signature(assoc,om))	213	if(om.get_field("sig")!=util::base64_signature(assoc,om))
214	throw id_res_mismatch(OPKELE_CP_ "signature mismatch");	214	throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
215	}catch(dumb_RP& drp) {	215	}catch(dumb_RP& drp) {
216	go_dumb=true;	216	go_dumb=true;
217	}catch(failed_lookup& e) {	217	}catch(failed_lookup& e) {
218	go_dumb=true;	218	go_dumb=true;
219	} OPKELE_RETHROW	219	} OPKELE_RETHROW
220	if(go_dumb) {	220	if(go_dumb) {
221	try {	221	try {
222	string OP = o2	222	string OP = o2
223	?om.get_field("op_endpoint")	223	?om.get_field("op_endpoint")
224	:get_endpoint().uri;	224	:get_endpoint().uri;
225	check_authentication(OP,om);	225	check_authentication(OP,om);
226	}catch(failed_check_authentication& fca) {	226	}catch(failed_check_authentication& fca) {
227	throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");	227	throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
228	} OPKELE_RETHROW	228	} OPKELE_RETHROW
229	}	229	}
230	signed_part_message_proxy signeds(om);	230	signed_part_message_proxy signeds(om);
231	if(o2) {	231	if(o2) {
232	check_nonce(om.get_field("op_endpoint"),	232	check_nonce(om.get_field("op_endpoint"),
233	om.get_field("response_nonce"));	233	om.get_field("response_nonce"));
234	static const char *mustsign[] = {	234	static const char *mustsign[] = {
235	"op_endpoint", "return_to", "response_nonce", "assoc_handle",	235	"op_endpoint", "return_to", "response_nonce", "assoc_handle",
236	"claimed_id", "identity" };	236	"claimed_id", "identity" };
237	for(int ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {	237	for(int ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
238	if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))	238	if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
239	throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");	239	throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
240	}	240	}
241	if( (	241	if( (
242	(om.has_field("claimed_id")?1:0)	242	(om.has_field("claimed_id")?1:0)
243	^	243	^
244	(om.has_field("identity")?1:0)	244	(om.has_field("identity")?1:0)
245	)&1 )	245	)&1 )
246	throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");	246	throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
247		247
248	string turl = util::rfc_3986_normalize_uri(get_this_url());	248	string turl = util::rfc_3986_normalize_uri(get_this_url());
249	util::strip_uri_fragment_part(turl);	249	util::strip_uri_fragment_part(turl);
250	string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));	250	string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
251	util::strip_uri_fragment_part(rurl);	251	util::strip_uri_fragment_part(rurl);
252	string::size_type	252	string::size_type
253	tq = turl.find('?'), rq = rurl.find('?');	253	tq = turl.find('?'), rq = rurl.find('?');
254	if(	254	if(
255	((tq==string::npos)?turl:turl.substr(0,tq))	255	((tq==string::npos)?turl:turl.substr(0,tq))
256	!=	256	!=
257	((rq==string::npos)?rurl:rurl.substr(0,rq))	257	((rq==string::npos)?rurl:rurl.substr(0,rq))
258	)	258	)
259	throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");	259	throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
260	map<string,string> tp; parse_query(turl,tq,tp);	260	map<string,string> tp; parse_query(turl,tq,tp);
261	map<string,string> rp; parse_query(rurl,rq,rp);	261	map<string,string> rp; parse_query(rurl,rq,rp);
262	for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {	262	for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
263	map<string,string>::const_iterator tpi = tp.find(rpi->first);	263	map<string,string>::const_iterator tpi = tp.find(rpi->first);
264	if(tpi==tp.end())	264	if(tpi==tp.end())
265	throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");	265	throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
266	if(tpi->second!=rpi->second)	266	if(tpi->second!=rpi->second)
267	throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");	267	throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
268	}	268	}
269		269
270	if(om.has_field("claimed_id")) {	270	if(om.has_field("claimed_id")) {
271	verify_OP(	271	verify_OP(
272	om.get_field("op_endpoint"),	272	om.get_field("op_endpoint"),
273	om.get_field("claimed_id"),	273	om.get_field("claimed_id"),
274	om.get_field("identity") );	274	om.get_field("identity") );
275	}	275	}
276		276
277	}	277	}
278	if(ext) ext->id_res_hook(om,signeds);	278	if(ext) ext->rp_id_res_hook(om,signeds);
279	}	279	}
280		280
281	void basic_RP::check_authentication(const string& OP,	281	void basic_RP::check_authentication(const string& OP,
282	const basic_openid_message& om){	282	const basic_openid_message& om){
283	openid_message_t res;	283	openid_message_t res;
284	static const string checkauthmode = "check_authentication";	284	static const string checkauthmode = "check_authentication";
285	direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);	285	direct_request(res,util::change_mode_message_proxy(om,checkauthmode),OP);
286	if(res.has_field("is_valid")) {	286	if(res.has_field("is_valid")) {
287	if(res.get_field("is_valid")=="true") {	287	if(res.get_field("is_valid")=="true") {
288	if(res.has_field("invalidate_handle"))	288	if(res.has_field("invalidate_handle"))
289	invalidate_assoc(OP,res.get_field("invalidate_handle"));	289	invalidate_assoc(OP,res.get_field("invalidate_handle"));
290	return;	290	return;
291	}	291	}
292	}	292	}
293	throw failed_check_authentication(	293	throw failed_check_authentication(
294	OPKELE_CP_ "failed to verify response");	294	OPKELE_CP_ "failed to verify response");
295	}	295	}
296		296
297	}	297	}