From 2f2a94fdbc2c109240ff62de5cbe4eb1671020b5 Mon Sep 17 00:00:00 2001
From: Art Cancro <ajc@uncensored.citadel.org>
Date: Wed, 30 Nov 2011 11:56:55 -0500
Subject: [PATCH] OpenID 2.0 authentication is working, but not validated

---
 citadel/modules/openid/serv_openid_rp.c | 36 ++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git a/citadel/modules/openid/serv_openid_rp.c b/citadel/modules/openid/serv_openid_rp.c
index e9bfcf199..93d2ca0ed 100644
--- a/citadel/modules/openid/serv_openid_rp.c
+++ b/citadel/modules/openid/serv_openid_rp.c
@@ -681,7 +681,7 @@ int parse_xrds_document(StrBuf *ReplyBuf) {
 	struct xrds xrds;
 	int return_value = 0;
 
-	//	syslog(LOG_DEBUG, "\033[32m --- XRDS DOCUMENT --- \n%s\033[0m", ChrPtr(ReplyBuf));
+	syslog(LOG_DEBUG, "\033[32m --- XRDS DOCUMENT --- \n%s\033[0m", ChrPtr(ReplyBuf));
 
 	memset(&xrds, 0, sizeof (struct xrds));
 	xrds.selected_service_priority = INT_MAX;
@@ -970,13 +970,42 @@ void cmd_oidf(char *argbuf) {
 
 	while (client_getln(buf, sizeof buf), strcmp(buf, "000")) {
 		len = extract_token(thiskey, buf, 0, '|', sizeof thiskey);
-		if (len < 0)
+		if (len < 0) {
 			len = sizeof(thiskey) - 1;
+		}
 		extract_token(thisdata, buf, 1, '|', sizeof thisdata);
 		syslog(LOG_DEBUG, "%s: ["SIZE_T_FMT"] %s", thiskey, strlen(thisdata), thisdata);
 		Put(keys, thiskey, len, strdup(thisdata), NULL);
 	}
 
+	/* Check to see if this is a correct response */
+
+	/* oooh, really bad juju here.  we're just accepting the assertion without validating it. */
+	oiddata->verified = 1;
+
+	char *openid_ns = NULL;
+	if (	(!GetHash(keys, "ns", 2, (void *) &openid_ns))
+		|| (strcasecmp(openid_ns, "http://specs.openid.net/auth/2.0"))
+	) {
+		syslog(LOG_DEBUG, "This is not an an OpenID assertion");
+		oiddata->verified = 0;
+	}
+
+	char *openid_mode = NULL;
+	if (	(!GetHash(keys, "mode", 4, (void *) &openid_mode))
+		|| (strcasecmp(openid_mode, "id_res"))
+	) {
+		oiddata->verified = 0;
+	}
+
+	char *openid_claimed_id = NULL;
+	if (GetHash(keys, "claimed_id", 10, (void *) &openid_claimed_id)) {
+		FreeStrBuf(&oiddata->claimed_id);
+		oiddata->claimed_id = NewStrBufPlain(openid_claimed_id, -1);
+		syslog(LOG_DEBUG, "Provider is asserting the Claimed ID '%s'", ChrPtr(oiddata->claimed_id));
+	}
+
+#if 0
 	/* Now that we have all of the parameters, we have to validate the signature against the server */
 	syslog(LOG_DEBUG, "Validating signature...");
 
@@ -1060,7 +1089,7 @@ void cmd_oidf(char *argbuf) {
 	curl_formfree(formpost);
 
 
-	syslog(LOG_DEBUG, "\033[36m --- VALIDATION REPLY ---\n%s\033[0m", ChrPtr(ReplyBuf));
+	// syslog(LOG_DEBUG, "\033[36m --- VALIDATION REPLY ---\n%s\033[0m", ChrPtr(ReplyBuf));
 
 
 	if (cbmstrcasestr(ChrPtr(ReplyBuf), "is_valid:true")) {
@@ -1069,6 +1098,7 @@ void cmd_oidf(char *argbuf) {
 	FreeStrBuf(&ReplyBuf);
 
 	syslog(LOG_DEBUG, "Authentication %s.", (oiddata->verified ? "succeeded" : "failed") );
+#endif
 
 	/* Respond to the client */
 
-- 
2.30.2