1 files changed, 6 insertions, 4 deletions

diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index bd45d99..a0ad130 100644
--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -1,44 +1,46 @@
+#include <cassert>
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <opkele/basic_rp.h>
 #include <opkele/exception.h>
 #include <opkele/uris.h>
 #include <opkele/data.h>
 #include <opkele/util.h>
 #include <opkele/curl.h>
 
 namespace opkele {
 
     static void dh_get_secret(
 	    secret_t& secret, const basic_openid_message& om,
 	    const char *exp_assoc, const char *exp_sess,
 	    util::dh_t& dh,
 	    size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*),
 	    size_t exp_s_len) try {
 	if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
 	    throw bad_input(OPKELE_CP_ "Unexpected associate response");
 	util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
 	vector<unsigned char> ck(DH_size(dh)+1);
 	unsigned char *ckptr = &(ck.front())+1;
 	int cklen = DH_compute_key(ckptr,s_pub,dh);
 	if(cklen<0)
 	    throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
 	if(cklen && (*ckptr)&0x80) {
 	    (*(--ckptr))=0; ++cklen; }
-	unsigned char key_digest[d_len];
+	assert(d_len<=SHA256_DIGEST_LENGTH);
+	unsigned char key_digest[SHA256_DIGEST_LENGTH];
 	secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
 	if(secret.size()!=exp_s_len)
 	    throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");
     }catch(opkele::failed_lookup& ofl) {
 	throw bad_input(OPKELE_CP_ "Incoherent response from OP");
     } OPKELE_RETHROW
 
     static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
 	util::curl_pick_t curl = util::curl_pick_t::easy_init();
 	if(!curl)
 	    throw exception_curl(OPKELE_CP_ "failed to initialize curl");
 	string request = inm.query_string();
 	CURLcode r;
 	(r=curl.misc_sets())
 	    || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
 	    || (r=curl.easy_setopt(CURLOPT_POST,1))
@@ -65,42 +67,42 @@ namespace opkele {
 	req.set_field("ns",OIURI_OPENID20);
 	req.set_field("mode","associate");
 	req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
 	req.set_field("dh_gen",util::bignum_to_base64(dh->g));
 	req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
 	openid_message_t res;
 	req.set_field("assoc_type","HMAC-SHA256");
 	req.set_field("session_type","DH-SHA256");
 	secret_t secret;
 	int expires_in;
 	try {
 	    direct_request(res,req,OP);
 	    dh_get_secret( secret, res,
 		    "HMAC-SHA256", "DH-SHA256",
 		    dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH );
 	    expires_in = util::string_to_long(res.get_field("expires_in"));
-	}catch(exception& e) {
+	}catch(exception&) {
 	    try {
 		req.set_field("assoc_type","HMAC-SHA1");
 		req.set_field("session_type","DH-SHA1");
 		direct_request(res,req,OP);
 		dh_get_secret( secret, res,
 			"HMAC-SHA1", "DH-SHA1",
 			dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH );
 		expires_in = util::string_to_long(res.get_field("expires_in"));
-	    }catch(bad_input& e) {
+	    }catch(bad_input&) {
 		throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
 	    }
 	}
 	return store_assoc(
 		OP, res.get_field("assoc_handle"),
 		res.get_field("assoc_type"), secret,
 		expires_in );
     }
 
     basic_openid_message& basic_RP::checkid_(
 	    basic_openid_message& rv,
 	    mode_t mode,
 	    const string& return_to,const string& realm,
 	    extension_t *ext) {
 	rv.reset_fields();
 	rv.set_field("ns",OIURI_OPENID20);
@@ -221,33 +223,33 @@ namespace opkele {
 	    try {
 		string OP = o2
 		    ?om.get_field("op_endpoint")
 		    :get_endpoint().uri;
 		check_authentication(OP,om);
 	    }catch(failed_check_authentication& fca) {
 		throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
 	    } OPKELE_RETHROW
 	}
 	signed_part_message_proxy signeds(om);
 	if(o2) {
 	    check_nonce(om.get_field("op_endpoint"),
 		    om.get_field("response_nonce"));
 	    static const char *mustsign[] = {
 		"op_endpoint", "return_to", "response_nonce", "assoc_handle",
 		"claimed_id", "identity" };
-	    for(int ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
+	    for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
 		if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
 		    throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
 	    }
 	    if( (
 		    (om.has_field("claimed_id")?1:0)
 		    ^
 		    (om.has_field("identity")?1:0)
 		)&1 )
 		throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
 
 	    string turl = util::rfc_3986_normalize_uri(get_this_url());
 	    util::strip_uri_fragment_part(turl);
 	    string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
 	    util::strip_uri_fragment_part(rurl);
 	    string::size_type
 		tq = turl.find('?'), rq = rurl.find('?');