From 721a664e66f9ec0f860ea010b9f772e31ab0e9dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vlastimil=20Z=C3=ADma?=
Date: Tue, 15 May 2018 14:08:24 +0200
Subject: Prefer stronger association methods
---
openid/association.py | 10 +++++-----
openid/consumer/consumer.py | 2 +-
openid/test/test_consumer.py | 35 +++++++++++++++++------------------
3 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/openid/association.py b/openid/association.py
index 5baf06f..de607f4 100644
--- a/openid/association.py
+++ b/openid/association.py
@@ -43,28 +43,28 @@ __all__ = [
 all_association_types = [
- 'HMAC-SHA1',
 'HMAC-SHA256',
+ 'HMAC-SHA1',
 ]
 default_association_order = [
- ('HMAC-SHA1', 'DH-SHA1'),
- ('HMAC-SHA1', 'no-encryption'),
 ('HMAC-SHA256', 'DH-SHA256'),
 ('HMAC-SHA256', 'no-encryption'),
+ ('HMAC-SHA1', 'DH-SHA1'),
+ ('HMAC-SHA1', 'no-encryption'),
 ]
 only_encrypted_association_order = [
- ('HMAC-SHA1', 'DH-SHA1'),
 ('HMAC-SHA256', 'DH-SHA256'),
+ ('HMAC-SHA1', 'DH-SHA1'),
 ]
 def getSessionTypes(assoc_type):
 """Return the allowed session types for a given association type"""
 assoc_to_session = {
- 'HMAC-SHA1': ['DH-SHA1', 'no-encryption'],
 'HMAC-SHA256': ['DH-SHA256', 'no-encryption'],
+ 'HMAC-SHA1': ['DH-SHA1', 'no-encryption'],
 }
 return assoc_to_session.get(assoc_type, [])
diff --git a/openid/consumer/consumer.py b/openid/consumer/consumer.py
index 65c9fe6..5508c45 100644
--- a/openid/consumer/consumer.py
+++ b/openid/consumer/consumer.py
@@ -579,8 +579,8 @@ class GenericConsumer(object):
 openid1_return_to_identifier_name = 'openid1_claimed_id'
 session_types = {
- 'DH-SHA1': DiffieHellmanSHA1ConsumerSession,
 'DH-SHA256': DiffieHellmanSHA256ConsumerSession,
+ 'DH-SHA1': DiffieHellmanSHA1ConsumerSession,
 'no-encryption': PlainTextConsumerSession,
 }
diff --git a/openid/test/test_consumer.py b/openid/test/test_consumer.py
index 950bad9..1ac1e16 100644
--- a/openid/test/test_consumer.py
+++ b/openid/test/test_consumer.py
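Review bot: The reordered `default_association_order` still ranks `('HMAC-SHA256', 'no-encryption')` ahead of `('HMAC-SHA1', 'DH-SHA1')`, so after a refused DH-SHA256 request the next preference is an unencrypted session, which hands the MAC key to the transport and is only acceptable over HTTPS; nothing on these lists says that their order expresses preference or why `only_encrypted_association_order` exists, and how the consumer walks them is outside this hunk. I would add above `default_association_order`: `# Ordered by preference, strongest first. 'no-encryption' sessions expose the MAC key to the transport; endpoints that are not HTTPS should use only_encrypted_association_order instead.` The other reorderings in this hunk (`all_association_types`, the dict inside `getSessionTypes`) and the `session_types` dict in consumer.py below look cosmetic as far as these hunks show, since a dict literal is only ever looked up by key; that is fine, but worth saying in the commit message so nobody hunts for a behaviour change there.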
@@ -2,6 +2,7 @@ from __future__ import unicode_literals
 import time
 import unittest
+from functools import partial
 import six
 from six.moves.urllib.parse import parse_qsl, urlparse
@@ -18,7 +19,7 @@ from openid.dh import DiffieHellman
 from openid.extension import Extension
 from openid.fetchers import HTTPFetchingError, HTTPResponse
 from openid.message import BARE_NS, IDENTIFIER_SELECT, OPENID1_NS, OPENID2_NS, OPENID_NS, Message
-from openid.server.server import DiffieHellmanSHA1ServerSession, PlainTextServerSession
+from openid.server.server import DiffieHellmanSHA256ServerSession
 from openid.store import memstore
 from openid.store.nonce import mkNonce, split as splitNonce
 from openid.yadis.discover import DiscoveryFailure
@@ -26,8 +27,8 @@ from openid.yadis.manager import Discovery
 assocs = [
 # (secret, handle)
- (b'another 20-byte key.', 'Snarky'),
- (b'\x00' * 20, 'Zeros'),
+ (b'another 32-byte very secret key.', 'Snarky'),
+ (b'\x00' * 32, 'Zeros'),
 ]
@@ -51,22 +52,18 @@ def associate(qs, assoc_secret, assoc_handle):
 secret and handle."""
 q = parseQuery(qs)
 assert q['openid.mode'] == 'associate'
- assert q['openid.assoc_type'] == 'HMAC-SHA1'
+ assert q['openid.assoc_type'] == 'HMAC-SHA256'
 reply_dict = {
- 'assoc_type': 'HMAC-SHA1',
+ 'assoc_type': 'HMAC-SHA256',
 'assoc_handle': assoc_handle,
 'expires_in': '600',
 }
- if q.get('openid.session_type') == 'DH-SHA1':
- assert len(q) == 6 or len(q) == 4
- message = Message.fromPostArgs(q)
- session = DiffieHellmanSHA1ServerSession.fromMessage(message)
- reply_dict['session_type'] = 'DH-SHA1'
- else:
- assert len(q) == 2
- session = PlainTextServerSession.fromQuery(q)
-
+ assert q.get('openid.session_type') == 'DH-SHA256'
+ assert len(q) == 6 or len(q) == 4
+ message = Message.fromPostArgs(q)
+ session = DiffieHellmanSHA256ServerSession.fromMessage(message)
+ reply_dict['session_type'] = 'DH-SHA256'
 reply_dict.update(session.answer(assoc_secret))
 return kvform.dictToKV(reply_dict)
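Review bot: The rewritten `associate` helper now hard-asserts `openid.session_type == 'DH-SHA256'` and drops the `PlainTextServerSession` branch, so the fake OP no longer exercises the `no-encryption` session or the HMAC-SHA1 fallback that the same commit keeps in `default_association_order` and `getSessionTypes`; a regression in that negotiation path would go unnoticed by this suite. I would keep the branch on `q.get('openid.session_type')` as below (restoring the `PlainTextServerSession` import the earlier hunk removes), or else state in the helper's docstring that it only models an OP that accepts DH-SHA256 so the narrowed coverage is deliberate. The surviving `assert len(q) == 6 or len(q) == 4` is a pair of magic counts; a comment naming which request parameters each count stands for would make the assertion readable. The function's docstring and signature start outside the hunk.
```python
    if q.get('openid.session_type') == 'DH-SHA256':
        assert len(q) == 6 or len(q) == 4
        message = Message.fromPostArgs(q)
        session = DiffieHellmanSHA256ServerSession.fromMessage(message)
        reply_dict['session_type'] = 'DH-SHA256'
    else:
        # no-encryption: the MAC key is returned in clear, so this branch only
        # models what a consumer may do over HTTPS.
        assert len(q) == 2
        session = PlainTextServerSession.fromQuery(q)
    # … unchanged: reply_dict.update / return …
```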
@@ -112,7 +109,7 @@ class TestFetcher(object):
 except ValueError:
 pass # fall through
 else:
- assert body.find('DH-SHA1') != -1
+ assert body.find('DH-SHA256') != -1
 response = associate(
 body, self.assoc_secret, self.assoc_handle)
 self.num_assocs += 1
@@ -121,16 +118,18 @@ class TestFetcher(object):
 return self.response(url, 404, 'Not found')
-def makeFastConsumerSession():
+def makeFastConsumerSession(consumer_session_cls=DiffieHellmanSHA256ConsumerSession):
 """
 Create custom DH object so tests run quickly.
 """
 dh = DiffieHellman(100389557, 2)
- return DiffieHellmanSHA1ConsumerSession(dh)
+ return consumer_session_cls(dh)
 def setConsumerSession(con):
- con.session_types = {'DH-SHA1': makeFastConsumerSession}
+ con.session_types = {
+ 'DH-SHA256': makeFastConsumerSession,
+ 'DH-SHA1': partial(makeFastConsumerSession, consumer_session_cls=DiffieHellmanSHA1ConsumerSession)}
 def _test_success(server_url, user_url, delegate_url, links, immediate=False):
--
cgit v1.2.1
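Review bot: `makeFastConsumerSession` gains a `consumer_session_cls` parameter but its docstring still says only "Create custom DH object so tests run quickly", so a reader cannot tell what the parameter accepts or that the default is the SHA-256 session. I would replace the docstring with `"""Build a consumer session over a tiny DH group so tests run quickly; consumer_session_cls is the session class to instantiate (default DiffieHellmanSHA256ConsumerSession)."""` and annotate `DiffieHellman(100389557, 2)` with `# deliberately tiny, insecure group: test speed only, never for real use`. In `setConsumerSession` the `partial(...)}` line closes the dict on the same line as its last entry; putting `}` on its own line would match the multi-line `session_types` literal in consumer.py. That override also omits the `'no-encryption'` entry the real `session_types` carries, which is consistent with the `associate` helper above but deserves a one-line comment so it is not read as an oversight.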