minor fixes and making compiler a bit happier

Signed-off-by: Michael Krelin <hacker@klever.net>

1 files changed, 6 insertions, 4 deletions

diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index bd45d99..a0ad130 100644
--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -1,52 +1,54 @@
+#include <cassert>
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <opkele/basic_rp.h>
 #include <opkele/exception.h>
 #include <opkele/uris.h>
 #include <opkele/data.h>
 #include <opkele/util.h>
 #include <opkele/curl.h>
 
 namespace opkele {
 
     static void dh_get_secret(
             secret_t& secret, const basic_openid_message& om,
             const char *exp_assoc, const char *exp_sess,
             util::dh_t& dh,
             size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*),
             size_t exp_s_len) try {
         if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
             throw bad_input(OPKELE_CP_ "Unexpected associate response");
         util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
         vector<unsigned char> ck(DH_size(dh)+1);
         unsigned char *ckptr = &(ck.front())+1;
         int cklen = DH_compute_key(ckptr,s_pub,dh);
         if(cklen<0)
             throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
         if(cklen && (*ckptr)&0x80) {
             (*(--ckptr))=0; ++cklen; }
-        unsigned char key_digest[d_len];
+        assert(d_len<=SHA256_DIGEST_LENGTH);
+        unsigned char key_digest[SHA256_DIGEST_LENGTH];
         secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
         if(secret.size()!=exp_s_len)
             throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");
     }catch(opkele::failed_lookup& ofl) {
         throw bad_input(OPKELE_CP_ "Incoherent response from OP");
     } OPKELE_RETHROW
 
     static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
         util::curl_pick_t curl = util::curl_pick_t::easy_init();
         if(!curl)
             throw exception_curl(OPKELE_CP_ "failed to initialize curl");
         string request = inm.query_string();
         CURLcode r;
         (r=curl.misc_sets())
             || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
             || (r=curl.easy_setopt(CURLOPT_POST,1))
             || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
             || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
             || (r=curl.set_write());
         if(r)
             throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
         if( (r=curl.easy_perform()) )
             throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
         oum.from_keyvalues(curl.response);
@@ -57,58 +59,58 @@ namespace opkele {
         util::dh_t dh = DH_new();
         if(!dh)
             throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
         dh->p = util::dec_to_bignum(data::_default_p);
         dh->g = util::dec_to_bignum(data::_default_g);
         if(!DH_generate_key(dh))
             throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
         openid_message_t req;
         req.set_field("ns",OIURI_OPENID20);
         req.set_field("mode","associate");
         req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
         req.set_field("dh_gen",util::bignum_to_base64(dh->g));
         req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
         openid_message_t res;
         req.set_field("assoc_type","HMAC-SHA256");
         req.set_field("session_type","DH-SHA256");
         secret_t secret;
         int expires_in;
         try {
             direct_request(res,req,OP);
             dh_get_secret( secret, res,
                     "HMAC-SHA256", "DH-SHA256",
                     dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH );
             expires_in = util::string_to_long(res.get_field("expires_in"));
-        }catch(exception& e) {
+        }catch(exception&) {
             try {
                 req.set_field("assoc_type","HMAC-SHA1");
                 req.set_field("session_type","DH-SHA1");
                 direct_request(res,req,OP);
                 dh_get_secret( secret, res,
                         "HMAC-SHA1", "DH-SHA1",
                         dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH );
                 expires_in = util::string_to_long(res.get_field("expires_in"));
-            }catch(bad_input& e) {
+            }catch(bad_input&) {
                 throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
             }
         }
         return store_assoc(
                 OP, res.get_field("assoc_handle"),
                 res.get_field("assoc_type"), secret,
                 expires_in );
     }
 
     basic_openid_message& basic_RP::checkid_(
             basic_openid_message& rv,
             mode_t mode,
             const string& return_to,const string& realm,
             extension_t *ext) {
         rv.reset_fields();
         rv.set_field("ns",OIURI_OPENID20);
         if(mode==mode_checkid_immediate)
             rv.set_field("mode","checkid_immediate");
         else if(mode==mode_checkid_setup)
             rv.set_field("mode","checkid_setup");
         else
             throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
         if(realm.empty() && return_to.empty())
             throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
@@ -213,49 +215,49 @@ namespace opkele {
             if(om.get_field("sig")!=util::base64_signature(assoc,om))
                 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
         }catch(dumb_RP& drp) {
             go_dumb=true;
         }catch(failed_lookup& e) {
             go_dumb=true;
         } OPKELE_RETHROW
         if(go_dumb) {
             try {
                 string OP = o2
                     ?om.get_field("op_endpoint")
                     :get_endpoint().uri;
                 check_authentication(OP,om);
             }catch(failed_check_authentication& fca) {
                 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
             } OPKELE_RETHROW
         }
         signed_part_message_proxy signeds(om);
         if(o2) {
             check_nonce(om.get_field("op_endpoint"),
                     om.get_field("response_nonce"));
             static const char *mustsign[] = {
                 "op_endpoint", "return_to", "response_nonce", "assoc_handle",
                 "claimed_id", "identity" };
-            for(int ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
+            for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
                 if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
                     throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
             }
             if( (
                     (om.has_field("claimed_id")?1:0)
                     ^
                     (om.has_field("identity")?1:0)
                 )&1 )
                 throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
 
             string turl = util::rfc_3986_normalize_uri(get_this_url());
             util::strip_uri_fragment_part(turl);
             string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
             util::strip_uri_fragment_part(rurl);
             string::size_type
                 tq = turl.find('?'), rq = rurl.find('?');
             if(
                     ((tq==string::npos)?turl:turl.substr(0,tq))
                     !=
                     ((rq==string::npos)?rurl:rurl.substr(0,rq))
               )
                 throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
             map<string,string> tp; parse_query(turl,tq,tp);
             map<string,string> rp; parse_query(rurl,rq,rp);