| -rw-r--r-- | lib/basic_op.cc | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/basic_op.cc b/lib/basic_op.cc index 9e2ea5a..7a2dbd2 100644 --- a/lib/basic_op.cc +++ b/lib/basic_op.cc | |||
| @@ -99,153 +99,152 @@ namespace opkele { | |||
| 99 | }else | 99 | }else |
| 100 | throw unsupported(OPKELE_CP_ "Unsupported session_type"); | 100 | throw unsupported(OPKELE_CP_ "Unsupported session_type"); |
| 101 | assoc_t assoc; | 101 | assoc_t assoc; |
| 102 | if(ats=="HMAC-SHA1") | 102 | if(ats=="HMAC-SHA1") |
| 103 | assoc = alloc_assoc(ats,SHA_DIGEST_LENGTH,true); | 103 | assoc = alloc_assoc(ats,SHA_DIGEST_LENGTH,true); |
| 104 | else if(ats=="HMAC-SHA256") | 104 | else if(ats=="HMAC-SHA256") |
| 105 | assoc = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true); | 105 | assoc = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true); |
| 106 | else | 106 | else |
| 107 | throw unsupported(OPKELE_CP_ "Unsupported assoc_type"); | 107 | throw unsupported(OPKELE_CP_ "Unsupported assoc_type"); |
| 108 | oum.reset_fields(); | 108 | oum.reset_fields(); |
| 109 | oum.set_field("ns",OIURI_OPENID20); | 109 | oum.set_field("ns",OIURI_OPENID20); |
| 110 | oum.set_field("assoc_type",assoc->assoc_type()); | 110 | oum.set_field("assoc_type",assoc->assoc_type()); |
| 111 | oum.set_field("assoc_handle",assoc->handle()); | 111 | oum.set_field("assoc_handle",assoc->handle()); |
| 112 | oum.set_field("expires_in",util::long_to_string(assoc->expires_in())); | 112 | oum.set_field("expires_in",util::long_to_string(assoc->expires_in())); |
| 113 | secret_t secret = assoc->secret(); | 113 | secret_t secret = assoc->secret(); |
| 114 | if(sts=="DH-SHA1" || sts=="DH-SHA256") { | 114 | if(sts=="DH-SHA1" || sts=="DH-SHA256") { |
| 115 | if(d_len != secret.size()) | 115 | if(d_len != secret.size()) |
| 116 | throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size"); | 116 | throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size"); |
| 117 | oum.set_field("session_type",sts); | 117 | oum.set_field("session_type",sts); |
| 118 | oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key)); | 118 | oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key)); |
| 119 | string b64; secret.enxor_to_base64(key_digest,b64); | 119 | string b64; secret.enxor_to_base64(key_digest,b64); |
| 120 | oum.set_field("enc_mac_key",b64); | 120 | oum.set_field("enc_mac_key",b64); |
| 121 | }else /* TODO: support cleartext over encrypted connection */ | 121 | }else /* TODO: support cleartext over encrypted connection */ |
| 122 | throw unsupported(OPKELE_CP_ "Unsupported session type"); | 122 | throw unsupported(OPKELE_CP_ "Unsupported session type"); |
| 123 | return oum; | 123 | return oum; |
| 124 | } catch(unsupported& u) { | 124 | } catch(unsupported& u) { |
| 125 | oum.reset_fields(); | 125 | oum.reset_fields(); |
| 126 | oum.set_field("ns",OIURI_OPENID20); | 126 | oum.set_field("ns",OIURI_OPENID20); |
| 127 | oum.set_field("error",u.what()); | 127 | oum.set_field("error",u.what()); |
| 128 | oum.set_field("error_code","unsupported-type"); | 128 | oum.set_field("error_code","unsupported-type"); |
| 129 | oum.set_field("session_type","DH-SHA256"); | 129 | oum.set_field("session_type","DH-SHA256"); |
| 130 | oum.set_field("assoc_type","HMAC-SHA256"); | 130 | oum.set_field("assoc_type","HMAC-SHA256"); |
| 131 | return oum; | 131 | return oum; |
| 132 | } | 132 | } |
| 133 | 133 | ||
| 134 | void basic_op::checkid_(const basic_openid_message& inm, | 134 | void basic_op::checkid_(const basic_openid_message& inm, |
| 135 | extension_t *ext) { | 135 | extension_t *ext) { |
| 136 | reset_vars(); | 136 | reset_vars(); |
| 137 | string mode = inm.get_field("mode"); | 137 | string mode = inm.get_field("mode"); |
| 138 | if(mode=="checkid_setup") | 138 | if(mode=="checkid_setup") |
| 139 | mode = mode_checkid_setup; | 139 | mode = mode_checkid_setup; |
| 140 | else if(mode=="checkid_immediate") | 140 | else if(mode=="checkid_immediate") |
| 141 | mode = mode_checkid_immediate; | 141 | mode = mode_checkid_immediate; |
| 142 | else | 142 | else |
| 143 | throw bad_input(OPKELE_CP_ "Invalid checkid_* mode"); | 143 | throw bad_input(OPKELE_CP_ "Invalid checkid_* mode"); |
| 144 | try { | 144 | try { |
| 145 | assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle")); | 145 | assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle")); |
| 146 | invalidate_handle.clear(); | 146 | invalidate_handle.clear(); |
| 147 | }catch(failed_lookup&) { | 147 | }catch(failed_lookup&) { } |
| 148 | // no handle specified or no valid assoc found, go dumb | ||
| 149 | assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true); | ||
| 150 | } | ||
| 151 | try { | 148 | try { |
| 152 | openid2 = (inm.get_field("ns")==OIURI_OPENID20); | 149 | openid2 = (inm.get_field("ns")==OIURI_OPENID20); |
| 153 | }catch(failed_lookup&) { openid2 = false; } | 150 | }catch(failed_lookup&) { openid2 = false; } |
| 154 | try { | 151 | try { |
| 155 | return_to = inm.get_field("return_to"); | 152 | return_to = inm.get_field("return_to"); |
| 156 | }catch(failed_lookup&) { } | 153 | }catch(failed_lookup&) { } |
| 157 | if(openid2) { | 154 | if(openid2) { |
| 158 | try { | 155 | try { |
| 159 | realm = inm.get_field("realm"); | 156 | realm = inm.get_field("realm"); |
| 160 | }catch(failed_lookup&) { | 157 | }catch(failed_lookup&) { |
| 161 | try { | 158 | try { |
| 162 | realm = inm.get_field("trust_root"); | 159 | realm = inm.get_field("trust_root"); |
| 163 | }catch(failed_lookup&) { | 160 | }catch(failed_lookup&) { |
| 164 | if(return_to.empty()) | 161 | if(return_to.empty()) |
| 165 | throw bad_input(OPKELE_CP_ | 162 | throw bad_input(OPKELE_CP_ |
| 166 | "Both realm and return_to are unset"); | 163 | "Both realm and return_to are unset"); |
| 167 | realm = return_to; | 164 | realm = return_to; |
| 168 | } | 165 | } |
| 169 | } | 166 | } |
| 170 | }else{ | 167 | }else{ |
| 171 | try { | 168 | try { |
| 172 | realm = inm.get_field("trust_root"); | 169 | realm = inm.get_field("trust_root"); |
| 173 | }catch(failed_lookup&) { | 170 | }catch(failed_lookup&) { |
| 174 | if(return_to.empty()) | 171 | if(return_to.empty()) |
| 175 | throw bad_input(OPKELE_CP_ | 172 | throw bad_input(OPKELE_CP_ |
| 176 | "Both realm and return_to are unset"); | 173 | "Both realm and return_to are unset"); |
| 177 | realm = return_to; | 174 | realm = return_to; |
| 178 | } | 175 | } |
| 179 | } | 176 | } |
| 180 | try { | 177 | try { |
| 181 | identity = inm.get_field("identity"); | 178 | identity = inm.get_field("identity"); |
| 182 | try { | 179 | try { |
| 183 | claimed_id = inm.get_field("claimed_id"); | 180 | claimed_id = inm.get_field("claimed_id"); |
| 184 | }catch(failed_lookup&) { | 181 | }catch(failed_lookup&) { |
| 185 | if(openid2) | 182 | if(openid2) |
| 186 | throw bad_input(OPKELE_CP_ | 183 | throw bad_input(OPKELE_CP_ |
| 187 | "claimed_id and identity must be either both present or both absent"); | 184 | "claimed_id and identity must be either both present or both absent"); |
| 188 | claimed_id = identity; | 185 | claimed_id = identity; |
| 189 | } | 186 | } |
| 190 | }catch(failed_lookup&) { | 187 | }catch(failed_lookup&) { |
| 191 | if(openid2 && inm.has_field("claimed_id")) | 188 | if(openid2 && inm.has_field("claimed_id")) |
| 192 | throw bad_input(OPKELE_CP_ | 189 | throw bad_input(OPKELE_CP_ |
| 193 | "claimed_id and identity must be either both present or both absent"); | 190 | "claimed_id and identity must be either both present or both absent"); |
| 194 | } | 191 | } |
| 195 | verify_return_to(); | 192 | verify_return_to(); |
| 196 | if(ext) ext->op_checkid_hook(inm); | 193 | if(ext) ext->op_checkid_hook(inm); |
| 197 | } | 194 | } |
| 198 | 195 | ||
| 199 | basic_openid_message& basic_op::id_res(basic_openid_message& om, | 196 | basic_openid_message& basic_op::id_res(basic_openid_message& om, |
| 200 | extension_t *ext) { | 197 | extension_t *ext) { |
| 201 | assert(assoc); | ||
| 202 | assert(!return_to.empty()); | 198 | assert(!return_to.empty()); |
| 203 | assert(!is_id_select()); | 199 | assert(!is_id_select()); |
| 200 | if(!assoc) { | ||
| 201 | assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true); | ||
| 202 | } | ||
| 204 | time_t now = time(0); | 203 | time_t now = time(0); |
| 205 | struct tm gmt; gmtime_r(&now,&gmt); | 204 | struct tm gmt; gmtime_r(&now,&gmt); |
| 206 | char w3timestr[24]; | 205 | char w3timestr[24]; |
| 207 | if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt)) | 206 | if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt)) |
| 208 | throw failed_conversion(OPKELE_CP_ | 207 | throw failed_conversion(OPKELE_CP_ |
| 209 | "Failed to build time string for nonce" ); | 208 | "Failed to build time string for nonce" ); |
| 210 | om.set_field("ns",OIURI_OPENID20); | 209 | om.set_field("ns",OIURI_OPENID20); |
| 211 | om.set_field("mode","id_res"); | 210 | om.set_field("mode","id_res"); |
| 212 | om.set_field("op_endpoint",get_op_endpoint()); | 211 | om.set_field("op_endpoint",get_op_endpoint()); |
| 213 | string ats = "ns,mode,op_endpoint,return_to,response_nonce," | 212 | string ats = "ns,mode,op_endpoint,return_to,response_nonce," |
| 214 | "assoc_handle,signed"; | 213 | "assoc_handle,signed"; |
| 215 | if(!identity.empty()) { | 214 | if(!identity.empty()) { |
| 216 | om.set_field("identity",identity); | 215 | om.set_field("identity",identity); |
| 217 | om.set_field("claimed_id",claimed_id); | 216 | om.set_field("claimed_id",claimed_id); |
| 218 | ats += ",identity,claimed_id"; | 217 | ats += ",identity,claimed_id"; |
| 219 | } | 218 | } |
| 220 | om.set_field("return_to",return_to); | 219 | om.set_field("return_to",return_to); |
| 221 | string nonce = w3timestr; | 220 | string nonce = w3timestr; |
| 222 | om.set_field("response_nonce",alloc_nonce(nonce,assoc->stateless())); | 221 | om.set_field("response_nonce",alloc_nonce(nonce,assoc->stateless())); |
| 223 | if(!invalidate_handle.empty()) { | 222 | if(!invalidate_handle.empty()) { |
| 224 | om.set_field("invalidate_handle",invalidate_handle); | 223 | om.set_field("invalidate_handle",invalidate_handle); |
| 225 | ats += ",invalidate_handle"; | 224 | ats += ",invalidate_handle"; |
| 226 | } | 225 | } |
| 227 | om.set_field("assoc_handle",assoc->handle()); | 226 | om.set_field("assoc_handle",assoc->handle()); |
| 228 | om.add_to_signed(ats); | 227 | om.add_to_signed(ats); |
| 229 | if(ext) ext->op_id_res_hook(om); | 228 | if(ext) ext->op_id_res_hook(om); |
| 230 | om.set_field("sig",util::base64_signature(assoc,om)); | 229 | om.set_field("sig",util::base64_signature(assoc,om)); |
| 231 | return om; | 230 | return om; |
| 232 | } | 231 | } |
| 233 | 232 | ||
| 234 | basic_openid_message& basic_op::cancel(basic_openid_message& om) { | 233 | basic_openid_message& basic_op::cancel(basic_openid_message& om) { |
| 235 | assert(!return_to.empty()); | 234 | assert(!return_to.empty()); |
| 236 | om.set_field("ns",OIURI_OPENID20); | 235 | om.set_field("ns",OIURI_OPENID20); |
| 237 | om.set_field("mode","cancel"); | 236 | om.set_field("mode","cancel"); |
| 238 | return om; | 237 | return om; |
| 239 | } | 238 | } |
| 240 | 239 | ||
| 241 | basic_openid_message& basic_op::error(basic_openid_message& om, | 240 | basic_openid_message& basic_op::error(basic_openid_message& om, |
| 242 | const string& error,const string& contact, | 241 | const string& error,const string& contact, |
| 243 | const string& reference ) { | 242 | const string& reference ) { |
| 244 | assert(!return_to.empty()); | 243 | assert(!return_to.empty()); |
| 245 | om.set_field("ns",OIURI_OPENID20); | 244 | om.set_field("ns",OIURI_OPENID20); |
| 246 | om.set_field("mode","error"); | 245 | om.set_field("mode","error"); |
| 247 | om.set_field("error",error); | 246 | om.set_field("error",error); |
| 248 | om.set_field("contact",contact); | 247 | om.set_field("contact",contact); |
| 249 | om.set_field("reference",reference); | 248 | om.set_field("reference",reference); |
| 250 | return om; | 249 | return om; |
| 251 | } | 250 | } |