Issues

ZF-3079: Zend_OpenId::bigNumToBin error

Description

The current Zend_OpenId::bigNumToBin() gmp code produces inconsistent association shared secret computations.

Comments

Dmitry, could you please review this issue? I believe Luke has a patch that may be suitable for immediately committing to trunk.

Luke, did you have a patch for this issue? If so, can you please attach it to this issue?

Luke, could you provide a test case for the bug? Some small piece of PHP code that produces invalid output (and the expected output).

Paul will be able to provide one I think but we're a bit busy recently so it might not be until next week.

This is a file which presents the problem with Zend_OpenId::bigNumToBin when used with the gmp library.

The integer described is output differently than it should be. I believe this to be a problem with the way gmp_strval() is interacting with pack(), but I'm not entirely positive. Substituting a slightly slower mod+div option of reconstructing the bytes of the big num in a binary packed string works fine.

The way this surfaces in the existing consumer code is that a consumer will sporadically but often (like 50% of the time or more) fail to associate properly with an IdP because it doesn't reconstruct the secret properly coming out of computeDhSecret.

Substituting the included gmp conversion code in Zend_OpenId_bigNumToBin2 has caused our associations to occur without problems.

A note about the code's provenance: I copied it over and adapted it from JanRain's code. They've given permission for it to be included in ZF, but their code is licensed under Apache 2.0, so I'm not sure about the compatibilities with ZF.
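The comment above describes replacing a hex-string conversion with a mod+div reconstruction of the big number's bytes. The following is an added example, not code from Zend Framework or JanRain: it implements the mod+div encoding in Python, a hex-based encoding beside it to show why an odd-length hex string must be left-padded before packing (an assumed failure mode, not a claim about the actual ZF bug), the OpenID btwoc form, and a check that both sides of a Diffie-Hellman exchange encode the same shared secret to identical bytes. The DH parameters in the test are constructed toy values.

```python
# Added example: canonical big-number <-> big-endian byte-string conversion,
# the operation Zend_OpenId::bigNumToBin has to perform for DH association.


def bignum_to_bin(n: int) -> bytes:
    """Big-endian, minimal-length encoding built by repeated mod/div (n % 256, n // 256)."""
    if n < 0:
        raise ValueError("negative numbers are not representable")
    if n == 0:
        return b"\x00"
    out = bytearray()
    while n > 0:
        out.append(n % 256)
        n //= 256
    out.reverse()  # bytes were produced least-significant first
    return bytes(out)


def bin_to_bignum(data: bytes) -> int:
    """Inverse of bignum_to_bin: interpret bytes as an unsigned big-endian integer."""
    n = 0
    for b in data:
        n = (n << 8) | b
    return n


def bignum_to_bin_via_hex(n: int, pad_left: bool = True) -> bytes:
    """Hex-string route (the gmp_strval + pack style). A hex string with an odd
    number of digits must be left-padded with '0' so nibbles stay aligned;
    pad_left=False right-pads instead, which shifts every byte (assumed pitfall)."""
    h = format(n, "x")
    if len(h) % 2:
        h = "0" + h if pad_left else h + "0"
    return bytes.fromhex(h)


def btwoc(n: int) -> bytes:
    """OpenID 2.0 btwoc: shortest big-endian two's-complement form of a
    non-negative integer (a 0x00 byte is prefixed when the top bit is set)."""
    raw = bignum_to_bin(n)
    return b"\x00" + raw if raw[0] & 0x80 else raw


def dh_shared_secret_bytes(p: int, g: int, x_a: int, x_b: int) -> tuple[bytes, bytes]:
    """Both parties derive the DH secret and encode it; the two encodings must match,
    otherwise the association's MAC key is unwrapped with the wrong bytes."""
    pub_a = pow(g, x_a, p)
    pub_b = pow(g, x_b, p)
    secret_a = pow(pub_b, x_a, p)
    secret_b = pow(pub_a, x_b, p)
    return bignum_to_bin(secret_a), bignum_to_bin(secret_b)


if __name__ == "__main__":
    for value in (0, 1, 0x102, 0xFF, 0x8000, 2 ** 1536 - 7):
        assert bin_to_bignum(bignum_to_bin(value)) == value
        assert bignum_to_bin(value) == bignum_to_bin_via_hex(value)
    print("mod/div and left-padded hex encodings agree; round-trip OK")
```

The `__main__` block exercises the round-trip and the agreement between the mod+div and padded-hex routes on a range of sizes, including a 1536-bit value of the magnitude used for OpenID DH.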

This is the code change Paul made to fix the issue with bigNumToBin.

Thank you very much for catching this bug. I've fixed it with a simpler patch.

Marking as fixed for next minor release pending merge of changes to release-1.5 branch.

Updating for the 1.6.0 release.