ZF-11595: OpenId_Consumer handles/requires dh association improperly



    if (!$this->_associate($server, $version)) {
        $this->_setError("Association failed: " . $this->getError());
        return false;

It should not return false because association is not a mandatory part of openid authentication.

<a rel="nofollow" href="">;</a>

(3.4.1 paragraph 1): "It's RECOMMENDED that a Consumer first submit an associate request (associate) ..." "This shared secret SHOULD be used ..."

<a rel="nofollow" href="">;</a>

3.(optional) The Relying Party and the OP establish an association
(Establishing Associations) -- a shared secret established using
Diffie-Hellman Key Exchange...

This is important for the cases if DH key can not be created:

<a rel="nofollow" href=""></a>

"openssl extension does not get the DH parameters from DH key resource"

thus the Zend_OpenId::createDhKey() returns the wrong values in the array.

<a rel="nofollow" href=""></a>

Zend_OpenId_Consumer sends the assoc request without the DH parameters to the Net::OpenID::Server and receives the response without assoc_type. Zend_OpenId_Consumer::_associate()

        $params['openid.assoc_type'] != $ret['assoc_type']) {
        if ($params['openid.assoc_type'] != $ret['assoc_type']) {
            $this->_setError("The returned assoc_type differed from the supplied openid.assoc_type");
        } else {
            $this->_setError("Missing required data from provider (assoc_handle, expires_in, assoc_type are required)");
        return false;

returns false again despite the association is not necessary to authenticate.

Current workaround: disabling the openssl extension in php.


No comments to display