authorVlastimil Zíma <vlastimil.zima@nic.cz>2018-05-15 14:08:24 +0200
committerVlastimil Zíma <vlastimil.zima@nic.cz>2018-05-16 08:37:39 +0200
commit721a664e66f9ec0f860ea010b9f772e31ab0e9dd (patch)
treea4829d880cdc057bd976356a8fb1555758ac3c8b /openid
parent6524ae53468c7e786eb13d9db4c6b2107d3071c6 (diff)
downloadopenid-721a664e66f9ec0f860ea010b9f772e31ab0e9dd.tar.gz
Prefer stronger association methods
Diffstat (limited to 'openid')
-rw-r--r--openid/association.py10
-rw-r--r--openid/consumer/consumer.py2
-rw-r--r--openid/test/test_consumer.py35
3 files changed, 23 insertions, 24 deletions
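--- a/openid/association.py
+++ b/openid/association.py
@@ -43,28 +43,28 @@ __all__ = [
 all_association_types = [
-'HMAC-SHA1',
 'HMAC-SHA256',
+'HMAC-SHA1',
 ]
 default_association_order = [
-('HMAC-SHA1', 'DH-SHA1'),
-('HMAC-SHA1', 'no-encryption'),
 ('HMAC-SHA256', 'DH-SHA256'),
 ('HMAC-SHA256', 'no-encryption'),
+('HMAC-SHA1', 'DH-SHA1'),
+('HMAC-SHA1', 'no-encryption'),
 ]
 only_encrypted_association_order = [
-('HMAC-SHA1', 'DH-SHA1'),
 ('HMAC-SHA256', 'DH-SHA256'),
+('HMAC-SHA1', 'DH-SHA1'),
 ]
 def getSessionTypes(assoc_type):
 """Return the allowed session types for a given association type"""
 assoc_to_session = {
-'HMAC-SHA1': ['DH-SHA1', 'no-encryption'],
 'HMAC-SHA256': ['DH-SHA256', 'no-encryption'],
+'HMAC-SHA1': ['DH-SHA1', 'no-encryption'],
 }
 return assoc_to_session.get(assoc_type, [])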
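Review bot: The dict reorder inside getSessionTypes (and the session_types dict in openid/consumer/consumer.py in this same commit) changes nothing on Python 2, which the test file's six imports suggest is still supported, because pre-3.7 dict iteration order is arbitrary; the preference is carried only by the three lists above, so a reader could wrongly take the dict order as load-bearing. A one-line comment above all_association_types would make that contract explicit: `# Preference order, strongest first; the dicts below are lookup tables and carry no ordering.`. Note also that default_association_order now ranks ('HMAC-SHA256', 'no-encryption') above ('HMAC-SHA1', 'DH-SHA1'), i.e. a MAC key delivered in cleartext over one protected by a DH exchange — if that is intended (for example on the assumption that association happens over TLS), say so in the same comment, since the 'no-encryption' session type only protects the secret when the transport does. getSessionTypes lies entirely within the hunk.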
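--- a/openid/consumer/consumer.py
+++ b/openid/consumer/consumer.py
@@ -579,8 +579,8 @@ class GenericConsumer(object):
 openid1_return_to_identifier_name = 'openid1_claimed_id'
 session_types = {
-'DH-SHA1': DiffieHellmanSHA1ConsumerSession,
 'DH-SHA256': DiffieHellmanSHA256ConsumerSession,
+'DH-SHA1': DiffieHellmanSHA1ConsumerSession,
 'no-encryption': PlainTextConsumerSession,
 }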
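--- a/openid/test/test_consumer.py
+++ b/openid/test/test_consumer.py
@@ -2,6 +2,7 @@ from __future__ import unicode_literals
 import time
 import unittest
+from functools import partial
 import six
 from six.moves.urllib.parse import parse_qsl, urlparse
@@ -18,7 +19,7 @@ from openid.dh import DiffieHellman
 from openid.extension import Extension
 from openid.fetchers import HTTPFetchingError, HTTPResponse
 from openid.message import BARE_NS, IDENTIFIER_SELECT, OPENID1_NS, OPENID2_NS, OPENID_NS, Message
-from openid.server.server import DiffieHellmanSHA1ServerSession, PlainTextServerSession
+from openid.server.server import DiffieHellmanSHA256ServerSession
 from openid.store import memstore
 from openid.store.nonce import mkNonce, split as splitNonce
 from openid.yadis.discover import DiscoveryFailure
@@ -26,8 +27,8 @@ from openid.yadis.manager import Discovery
 assocs = [
 # (secret, handle)
-(b'another 20-byte key.', 'Snarky'),
-(b'\x00' * 20, 'Zeros'),
+(b'another 32-byte very secret key.', 'Snarky'),
+(b'\x00' * 32, 'Zeros'),
 ]
@@ -51,22 +52,18 @@ def associate(qs, assoc_secret, assoc_handle):
 secret and handle."""
 q = parseQuery(qs)
 assert q['openid.mode'] == 'associate'
-assert q['openid.assoc_type'] == 'HMAC-SHA1'
+assert q['openid.assoc_type'] == 'HMAC-SHA256'
 reply_dict = {
-'assoc_type': 'HMAC-SHA1',
+'assoc_type': 'HMAC-SHA256',
 'assoc_handle': assoc_handle,
 'expires_in': '600',
 }
-if q.get('openid.session_type') == 'DH-SHA1':
-assert len(q) == 6 or len(q) == 4
-message = Message.fromPostArgs(q)
-session = DiffieHellmanSHA1ServerSession.fromMessage(message)
-reply_dict['session_type'] = 'DH-SHA1'
-else:
-assert len(q) == 2
-session = PlainTextServerSession.fromQuery(q)
-
+assert q.get('openid.session_type') == 'DH-SHA256'
+assert len(q) == 6 or len(q) == 4
+message = Message.fromPostArgs(q)
+session = DiffieHellmanSHA256ServerSession.fromMessage(message)
+reply_dict['session_type'] = 'DH-SHA256'
 reply_dict.update(session.answer(assoc_secret))
 return kvform.dictToKV(reply_dict)
@@ -112,7 +109,7 @@ class TestFetcher(object):
 except ValueError:
 pass # fall through
 else:
-assert body.find('DH-SHA1') != -1
+assert body.find('DH-SHA256') != -1
 response = associate(
 body, self.assoc_secret, self.assoc_handle)
 self.num_assocs += 1
@@ -121,16 +118,18 @@ class TestFetcher(object):
 return self.response(url, 404, 'Not found')
-def makeFastConsumerSession():
+def makeFastConsumerSession(consumer_session_cls=DiffieHellmanSHA256ConsumerSession):
 """
 Create custom DH object so tests run quickly.
 """
 dh = DiffieHellman(100389557, 2)
-return DiffieHellmanSHA1ConsumerSession(dh)
+return consumer_session_cls(dh)
 def setConsumerSession(con):
-con.session_types = {'DH-SHA1': makeFastConsumerSession}
+con.session_types = {
+'DH-SHA256': makeFastConsumerSession,
+'DH-SHA1': partial(makeFastConsumerSession, consumer_session_cls=DiffieHellmanSHA1ConsumerSession)}
 def _test_success(server_url, user_url, delegate_url, links, immediate=False):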
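Review bot: With associate now asserting `q.get('openid.session_type') == 'DH-SHA256'`, the stub server can no longer answer a DH-SHA1 or no-encryption request, so the HMAC-SHA1 fallback that setConsumerSession still registers via partial(...) and the plaintext path (whose PlainTextServerSession import is dropped) appear to have no coverage left in this file unless another stub handles them. A test that makes the stub refuse HMAC-SHA256 with an `unsupported-type` association error and checks that the consumer degrades to HMAC-SHA1/DH-SHA1 rather than straight to no-encryption would pin the negotiation order this commit changes. The makeFastConsumerSession docstring should also say the small modulus is test-only, e.g. `Create custom DH object so tests run quickly; the tiny modulus is insecure and must never leave the test suite.`. The bodies of associate and TestFetcher start outside the hunks shown.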