1 files changed, 6 insertions, 4 deletions

diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
index bd45d99..a0ad130 100644
--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -1,6 +1,7 @@
+#include <cassert>
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <opkele/basic_rp.h>
 #include <opkele/exception.h>
 #include <opkele/uris.h>
 #include <opkele/data.h>
@@ -22,13 +23,14 @@ namespace opkele {
         unsigned char *ckptr = &(ck.front())+1;
         int cklen = DH_compute_key(ckptr,s_pub,dh);
         if(cklen<0)
             throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
         if(cklen && (*ckptr)&0x80) {
             (*(--ckptr))=0; ++cklen; }
-        unsigned char key_digest[d_len];
+        assert(d_len<=SHA256_DIGEST_LENGTH);
+        unsigned char key_digest[SHA256_DIGEST_LENGTH];
         secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
         if(secret.size()!=exp_s_len)
             throw bad_input(OPKELE_CP_ "Secret length isn't consistent with association type");
     }catch(opkele::failed_lookup& ofl) {
         throw bad_input(OPKELE_CP_ "Incoherent response from OP");
     } OPKELE_RETHROW
@@ -75,22 +77,22 @@ namespace opkele {
         try {
             direct_request(res,req,OP);
             dh_get_secret( secret, res,
                     "HMAC-SHA256", "DH-SHA256",
                     dh, SHA256_DIGEST_LENGTH, SHA256, SHA256_DIGEST_LENGTH );
             expires_in = util::string_to_long(res.get_field("expires_in"));
-        }catch(exception& e) {
+        }catch(exception&) {
             try {
                 req.set_field("assoc_type","HMAC-SHA1");
                 req.set_field("session_type","DH-SHA1");
                 direct_request(res,req,OP);
                 dh_get_secret( secret, res,
                         "HMAC-SHA1", "DH-SHA1",
                         dh, SHA_DIGEST_LENGTH, SHA1, SHA_DIGEST_LENGTH );
                 expires_in = util::string_to_long(res.get_field("expires_in"));
-            }catch(bad_input& e) {
+            }catch(bad_input&) {
                 throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
             }
         }
         return store_assoc(
                 OP, res.get_field("assoc_handle"),
                 res.get_field("assoc_type"), secret,
@@ -231,13 +233,13 @@ namespace opkele {
         if(o2) {
             check_nonce(om.get_field("op_endpoint"),
                     om.get_field("response_nonce"));
             static const char *mustsign[] = {
                 "op_endpoint", "return_to", "response_nonce", "assoc_handle",
                 "claimed_id", "identity" };
-            for(int ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
+            for(size_t ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
                 if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
                     throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
             }
             if( (
                     (om.has_field("claimed_id")?1:0)
                     ^