associate requests with session type "no-encryption" fail

Chris Johnson - November 11, 2008 - 03:37
Project: OpenID Provider
Version: 6.x-1.x-dev
Component: Code
Category: bug report
Priority: critical
Assigned: Chris Johnson
Status: closed
Issue tags: dc2009 code sprint
Description

When an RP requests an association with session type "no-encryption" then future RP requests for checkid_setup or checkid_immediate for the same association fail with signature mismatch.

Hint: 4.7 code fails the same way.
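The failure reported above, modelled as an added example (Python, not the module's code and not part of the original posts). It assumes the RP Base64-decodes `mac_key` as OpenID Authentication 2.0 specifies for unencrypted association responses, and that the OP signs with the key bytes it generated; the key, URLs and function names are constructed.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed 20-byte association secret (HMAC-SHA1 size); a real OP uses random bytes.
OP_MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff01234567")

def kv_form(fields):
    """OpenID key-value form: one 'key:value' line per signed field."""
    return "".join(f"{k}:{v}\n" for k, v in fields).encode()

def op_associate(fixed):
    """mac_key as the OP puts it on the wire for a no-encryption association."""
    return base64.b64encode(OP_MAC_KEY) if fixed else OP_MAC_KEY

def rp_import_key(wire_value):
    """RP side: mac_key is specified as Base64, so the RP always decodes it."""
    try:
        return base64.b64decode(wire_value)  # lenient: drops non-alphabet bytes
    except binascii.Error:
        return b""  # undecodable: the RP holds no usable key

def op_sign(fields):
    """Assumption: the OP signs with the key bytes it generated."""
    mac = hmac.new(OP_MAC_KEY, kv_form(fields), hashlib.sha1).digest()
    return base64.b64encode(mac)

def rp_verify(rp_key, fields, sig):
    """RP recomputes the signature with the key it imported at association time."""
    mac = hmac.new(rp_key, kv_form(fields), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac), sig)

def run(fixed):
    """Associate, then verify one signed response; True means signatures match."""
    fields = [("mode", "id_res"),
              ("identity", "https://op.example/user/1"),
              ("return_to", "https://rp.example/openid/return")]
    rp_key = rp_import_key(op_associate(fixed))
    return rp_verify(rp_key, fields, op_sign(fields))

if __name__ == "__main__":
    print("raw mac_key on the wire    ->", run(fixed=False))
    print("Base64 mac_key on the wire ->", run(fixed=True))
```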

#1

Chris Johnson - January 22, 2009 - 02:48
Assigned to: Anonymous » Chris Johnson
Status: active » reviewed & tested by the community

Here's the fix:

Index: /trunk/drupal/6/modules/openid_provider/openid_provider.inc
===================================================================
--- /trunk/drupal/6/modules/openid_provider/openid_provider.inc (revision 6654)
+++ /trunk/drupal/6/modules/openid_provider/openid_provider.inc (revision 6967)
@@ -44,5 +44,5 @@
$secret = _openid_get_bytes($num_bytes);
if ($session_type == '' || $session_type == 'no-encryption') {
- $mac_key = hash_hmac($algo, $response['assoc_handle'], $secret, true);
+ $mac_key = base64_encode(hash_hmac($algo, $response['assoc_handle'], $secret, true));
$response['mac_key'] = $mac_key;
}
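Review bot: On the changed line, `$mac_key` switches from raw HMAC output to a Base64 string, and that same variable is then assigned to `$response['mac_key']`; any code after this hunk that stores or signs with `$mac_key` has to expect the encoded form (or decode it), so please confirm that the association response and later checkid signatures end up using the same key bytes. A one-line comment stating that the unencrypted association response carries `mac_key` Base64-encoded would explain why the encoding happens in the `'no-encryption'` branch. The key sent here is also an HMAC of `assoc_handle` under `$secret` rather than `$secret` itself, which deserves a comment saying why.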

#2

walkah - March 7, 2009 - 16:46
Status: reviewed & tested by the community » fixed

committed, thanks :-)

#3

wundo - March 7, 2009 - 16:56
Status: fixed » closed

#4

wundo - March 7, 2009 - 16:58
Status: closed » fixed

#5

System Message - March 21, 2009 - 17:00
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.

 
 
