

Martin von Löwis  committed db3b16e

Protect against providers who don't implement DH-SHA1 correctly.

  • Parent commits dcbd245


Files changed (2)

File openid2rp.py

     if 'error' in data:
         raise ValueError, "associate failed: "+data['error']
     if url.startswith('http:'):
+        enc_mac_key = data.get('enc_mac_key')
+        if not enc_mac_key:
+            raise ValueError, "Provider protocol error: not using DH-SHA1"
         enc_mac_key = base64.b64decode(data['enc_mac_key'])
         dh_server_public = unbtwoc(base64.b64decode(data['dh_server_public']))
         # shared secret: sha1(2^(server_priv*priv) mod prime) xor enc_mac_key
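Review bot: The new guard only checks `enc_mac_key`, yet the line after it still reads `data['dh_server_public']`, which a provider that skipped DH-SHA1 will omit as well, so that case still escapes as a KeyError instead of the intended "Provider protocol error" ValueError. Widen the check to both DH fields, `if not data.get('enc_mac_key') or not data.get('dh_server_public'):`, and reuse the value already fetched on the decode line, `enc_mac_key = base64.b64decode(enc_mac_key)`, rather than indexing `data` a second time. A malformed value still raises from `base64.b64decode` itself (TypeError on Python 2 for bad padding), so callers that only catch ValueError may still see an unhandled exception; wrapping the two decodes in the same ValueError would make the contract consistent. The enclosing function begins and ends outside the hunk.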

File testapp.py

                     return self.not_found()
                 prov = prov[0]
                 services, url, op_local = discover(prov[2])
-                session = associate(services, url)
+                try:
+                    session = associate(services, url)
+                except ValueError, e:
+                    return self.error(str(e))
                 sessions.append(session)
                 self.send_response(307) # temporary redirect - do not cache
                 self.send_header("Location", request_authentication
                 if res is None:
                     return self.error('Discovery failed')
                 services, url, op_local = res
-                session = associate(services, url)
+                try:
+                    session = associate(services, url)
+                except ValueError, e:
+                    return self.error(str(e))
                 sessions.append(session)
                 self.send_response(307)
                 self.send_header("Location", request_authentication
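Review bot: Both new `except ValueError, e: return self.error(str(e))` blocks in this section pass provider-originated text straight to the response, since the message from `associate` embeds `data['error']` as received from the remote provider. If `self.error` interpolates its argument into an HTML page (its definition is outside the hunk, so this is inferred), that string should be escaped before rendering, e.g. `return self.error(cgi.escape(str(e)))`, or the message should be logged and a fixed "association failed" text shown to the user. The identical try/except appears twice here; a small helper that wraps `associate` and returns either the session or the error response would keep the two handlers from drifting. Both enclosing methods start and end outside the hunks shown.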