1 files changed, 3 insertions, 3 deletions
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
index 2d82147..c247493 100644
--- a/lib/basic_op.cc
+++ b/lib/basic_op.cc
@@ -4,202 +4,202 @@
 #include <openssl/hmac.h>
 #include <opkele/data.h>
 #include <opkele/basic_op.h>
 #include <opkele/exception.h>
 #include <opkele/util.h>
 #include <opkele/uris.h>
 namespace opkele {
    void basic_OP::reset_vars() {
        assoc.reset();
        return_to.clear(); realm.clear();
        claimed_id.clear(); identity.clear();
        invalidate_handle.clear();
    }
    bool basic_OP::has_return_to() const {
        return !return_to.empty();
    }
    const string& basic_OP::get_return_to() const {
        if(return_to.empty())
            throw no_return_to(OPKELE_CP_ "No return_to URL provided with request");
        return return_to;
    }
    const string& basic_OP::get_realm() const {
        assert(!realm.empty());
        return realm;
    }
    bool basic_OP::has_identity() const {
        return !identity.empty();
    }
    const string& basic_OP::get_claimed_id() const {
        if(claimed_id.empty())
            throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");
        assert(!identity.empty());
        return claimed_id;
    }
    const string& basic_OP::get_identity() const {
        if(identity.empty())
            throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");
        assert(!claimed_id.empty());
        return identity;
    }
    bool basic_OP::is_id_select() const {
        return identity==IDURI_SELECT20;
    }
    void basic_OP::select_identity(const string& c,const string& i) {
        claimed_id = c; identity = i;
    }
    void basic_OP::set_claimed_id(const string& c) {
        claimed_id = c;
    }
    basic_openid_message& basic_OP::associate(
            basic_openid_message& oum,
            const basic_openid_message& inm) try {
        assert(inm.get_field("mode")=="associate");
        util::dh_t dh;
        util::bignum_t c_pub;
        unsigned char key_digest[SHA256_DIGEST_LENGTH];
        size_t d_len = 0;
        string sts = inm.get_field("session_type");
        string ats = inm.get_field("assoc_type");
        if(sts=="DH-SHA1" || sts=="DH-SHA256") {
            if(!(dh = DH_new()))
                throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
            c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));
            try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));
            }catch(failed_lookup&) {
                dh->p = util::dec_to_bignum(data::_default_p); }
            try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));
            }catch(failed_lookup&) {
                dh->g = util::dec_to_bignum(data::_default_g); }
            if(!DH_generate_key(dh))
                throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
            vector<unsigned char> ck(DH_size(dh)+1);
            unsigned char *ckptr = &(ck.front())+1;
            int cklen = DH_compute_key(ckptr,c_pub,dh);
            if(cklen<0)
                throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
            if(cklen && (*ckptr)&0x80) {
                (*(--ckptr)) = 0; ++cklen; }
            if(sts=="DH-SHA1") {
                SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;
            }else if(sts=="DH-SHA256") {
                SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;
            }else
                throw internal_error(OPKELE_CP_ "I thought I knew the session type");
        }else
            throw unsupported(OPKELE_CP_ "Unsupported session_type");
        assoc_t a;
        if(ats=="HMAC-SHA1")
-            a = alloc_assoc(ats,SHA_DIGEST_LENGTH,true);
+            a = alloc_assoc(ats,SHA_DIGEST_LENGTH,false);
        else if(ats=="HMAC-SHA256")
-            a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true);
+            a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,false);
        else
            throw unsupported(OPKELE_CP_ "Unsupported assoc_type");
        oum.reset_fields();
        oum.set_field("ns",OIURI_OPENID20);
        oum.set_field("assoc_type",a->assoc_type());
        oum.set_field("assoc_handle",a->handle());
-        oum.set_field("expires_in",util::long_to_string(assoc->expires_in()));
+        oum.set_field("expires_in",util::long_to_string(a->expires_in()));
        secret_t secret = a->secret();
        if(sts=="DH-SHA1" || sts=="DH-SHA256") {
            if(d_len != secret.size())
                throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");
            oum.set_field("session_type",sts);
            oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));
            string b64; secret.enxor_to_base64(key_digest,b64);
            oum.set_field("enc_mac_key",b64);
        }else /* TODO: support cleartext over encrypted connection */
            throw unsupported(OPKELE_CP_ "Unsupported session type");
        return oum;
    } catch(unsupported& u) {
        oum.reset_fields();
        oum.set_field("ns",OIURI_OPENID20);
        oum.set_field("error",u.what());
        oum.set_field("error_code","unsupported-type");
        oum.set_field("session_type","DH-SHA256");
        oum.set_field("assoc_type","HMAC-SHA256");
        return oum;
    }
    void basic_OP::checkid_(const basic_openid_message& inm,
            extension_t *ext) {
        reset_vars();
        string modestr = inm.get_field("mode");
        if(modestr=="checkid_setup")
            mode = mode_checkid_setup;
        else if(modestr=="checkid_immediate")
            mode = mode_checkid_immediate;
        else
            throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");
        try {
            assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));
            invalidate_handle.clear();
        }catch(failed_lookup&) { }
        try {
            openid2 = (inm.get_field("ns")==OIURI_OPENID20);
        }catch(failed_lookup&) { openid2 = false; }
        try {
            return_to = inm.get_field("return_to");
        }catch(failed_lookup&) { }
        if(openid2) {
            try {
                realm = inm.get_field("realm");
            }catch(failed_lookup&) {
                try {
                    realm = inm.get_field("trust_root");
                }catch(failed_lookup&) {
                    if(return_to.empty())
                        throw bad_input(OPKELE_CP_
                                "Both realm and return_to are unset");
                    realm = return_to;
                }
            }
        }else{
            try {
                realm = inm.get_field("trust_root");
            }catch(failed_lookup&) {
                if(return_to.empty())
                    throw bad_input(OPKELE_CP_
                            "Both realm and return_to are unset");
                realm = return_to;
            }
        }
        try {
            identity = inm.get_field("identity");
            try {
                claimed_id = inm.get_field("claimed_id");
            }catch(failed_lookup&) {
                if(openid2)
                    throw bad_input(OPKELE_CP_
                            "claimed_id and identity must be either both present or both absent");
                claimed_id = identity;
            }
        }catch(failed_lookup&) {
            if(openid2 && inm.has_field("claimed_id"))
                throw bad_input(OPKELE_CP_
                    "claimed_id and identity must be either both present or both absent");
        }
        verify_return_to();
        if(ext) ext->op_checkid_hook(inm);
    }
    basic_openid_message& basic_OP::id_res(basic_openid_message& om,
            extension_t *ext) {
        assert(!return_to.empty());
        assert(!is_id_select());
        if(!assoc) {
            assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true);
        }
        time_t now = time(0);
        struct tm gmt; gmtime_r(&now,&gmt);
        char w3timestr[24];
        if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt))
            throw failed_conversion(OPKELE_CP_
                    "Failed to build time string for nonce" );

diff --git a/lib/basic_op.cc b/lib/basic_op.cc index 2d82147..c247493 100644 --- a/lib/basic_op.cc +++ b/lib/basic_op.cc
@@ -4,202 +4,202 @@
4	#include <openssl/hmac.h>	4	#include <openssl/hmac.h>
5	#include <opkele/data.h>	5	#include <opkele/data.h>
6	#include <opkele/basic_op.h>	6	#include <opkele/basic_op.h>
7	#include <opkele/exception.h>	7	#include <opkele/exception.h>
8	#include <opkele/util.h>	8	#include <opkele/util.h>
9	#include <opkele/uris.h>	9	#include <opkele/uris.h>
10		10
11	namespace opkele {	11	namespace opkele {
12		12
13	void basic_OP::reset_vars() {	13	void basic_OP::reset_vars() {
14	assoc.reset();	14	assoc.reset();
15	return_to.clear(); realm.clear();	15	return_to.clear(); realm.clear();
16	claimed_id.clear(); identity.clear();	16	claimed_id.clear(); identity.clear();
17	invalidate_handle.clear();	17	invalidate_handle.clear();
18	}	18	}
19		19
20	bool basic_OP::has_return_to() const {	20	bool basic_OP::has_return_to() const {
21	return !return_to.empty();	21	return !return_to.empty();
22	}	22	}
23	const string& basic_OP::get_return_to() const {	23	const string& basic_OP::get_return_to() const {
24	if(return_to.empty())	24	if(return_to.empty())
25	throw no_return_to(OPKELE_CP_ "No return_to URL provided with request");	25	throw no_return_to(OPKELE_CP_ "No return_to URL provided with request");
26	return return_to;	26	return return_to;
27	}	27	}
28		28
29	const string& basic_OP::get_realm() const {	29	const string& basic_OP::get_realm() const {
30	assert(!realm.empty());	30	assert(!realm.empty());
31	return realm;	31	return realm;
32	}	32	}
33		33
34	bool basic_OP::has_identity() const {	34	bool basic_OP::has_identity() const {
35	return !identity.empty();	35	return !identity.empty();
36	}	36	}
37	const string& basic_OP::get_claimed_id() const {	37	const string& basic_OP::get_claimed_id() const {
38	if(claimed_id.empty())	38	if(claimed_id.empty())
39	throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");	39	throw non_identity(OPKELE_CP_ "attempting to retrieve claimed_id of non-identity related request");
40	assert(!identity.empty());	40	assert(!identity.empty());
41	return claimed_id;	41	return claimed_id;
42	}	42	}
43	const string& basic_OP::get_identity() const {	43	const string& basic_OP::get_identity() const {
44	if(identity.empty())	44	if(identity.empty())
45	throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");	45	throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related request");
46	assert(!claimed_id.empty());	46	assert(!claimed_id.empty());
47	return identity;	47	return identity;
48	}	48	}
49		49
50	bool basic_OP::is_id_select() const {	50	bool basic_OP::is_id_select() const {
51	return identity==IDURI_SELECT20;	51	return identity==IDURI_SELECT20;
52	}	52	}
53		53
54	void basic_OP::select_identity(const string& c,const string& i) {	54	void basic_OP::select_identity(const string& c,const string& i) {
55	claimed_id = c; identity = i;	55	claimed_id = c; identity = i;
56	}	56	}
57	void basic_OP::set_claimed_id(const string& c) {	57	void basic_OP::set_claimed_id(const string& c) {
58	claimed_id = c;	58	claimed_id = c;
59	}	59	}
60		60
61	basic_openid_message& basic_OP::associate(	61	basic_openid_message& basic_OP::associate(
62	basic_openid_message& oum,	62	basic_openid_message& oum,
63	const basic_openid_message& inm) try {	63	const basic_openid_message& inm) try {
64	assert(inm.get_field("mode")=="associate");	64	assert(inm.get_field("mode")=="associate");
65	util::dh_t dh;	65	util::dh_t dh;
66	util::bignum_t c_pub;	66	util::bignum_t c_pub;
67	unsigned char key_digest[SHA256_DIGEST_LENGTH];	67	unsigned char key_digest[SHA256_DIGEST_LENGTH];
68	size_t d_len = 0;	68	size_t d_len = 0;
69	string sts = inm.get_field("session_type");	69	string sts = inm.get_field("session_type");
70	string ats = inm.get_field("assoc_type");	70	string ats = inm.get_field("assoc_type");
71	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {	71	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {
72	if(!(dh = DH_new()))	72	if(!(dh = DH_new()))
73	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");	73	throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
74	c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));	74	c_pub = util::base64_to_bignum(inm.get_field("dh_consumer_public"));
75	try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));	75	try { dh->p = util::base64_to_bignum(inm.get_field("dh_modulus"));
76	}catch(failed_lookup&) {	76	}catch(failed_lookup&) {
77	dh->p = util::dec_to_bignum(data::_default_p); }	77	dh->p = util::dec_to_bignum(data::_default_p); }
78	try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));	78	try { dh->g = util::base64_to_bignum(inm.get_field("dh_gen"));
79	}catch(failed_lookup&) {	79	}catch(failed_lookup&) {
80	dh->g = util::dec_to_bignum(data::_default_g); }	80	dh->g = util::dec_to_bignum(data::_default_g); }
81	if(!DH_generate_key(dh))	81	if(!DH_generate_key(dh))
82	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");	82	throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
83	vector<unsigned char> ck(DH_size(dh)+1);	83	vector<unsigned char> ck(DH_size(dh)+1);
84	unsigned char *ckptr = &(ck.front())+1;	84	unsigned char *ckptr = &(ck.front())+1;
85	int cklen = DH_compute_key(ckptr,c_pub,dh);	85	int cklen = DH_compute_key(ckptr,c_pub,dh);
86	if(cklen<0)	86	if(cklen<0)
87	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");	87	throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
88	if(cklen && (*ckptr)&0x80) {	88	if(cklen && (*ckptr)&0x80) {
89	(*(--ckptr)) = 0; ++cklen; }	89	(*(--ckptr)) = 0; ++cklen; }
90	if(sts=="DH-SHA1") {	90	if(sts=="DH-SHA1") {
91	SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;	91	SHA1(ckptr,cklen,key_digest); d_len = SHA_DIGEST_LENGTH;
92	}else if(sts=="DH-SHA256") {	92	}else if(sts=="DH-SHA256") {
93	SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;	93	SHA256(ckptr,cklen,key_digest); d_len = SHA256_DIGEST_LENGTH;
94	}else	94	}else
95	throw internal_error(OPKELE_CP_ "I thought I knew the session type");	95	throw internal_error(OPKELE_CP_ "I thought I knew the session type");
96	}else	96	}else
97	throw unsupported(OPKELE_CP_ "Unsupported session_type");	97	throw unsupported(OPKELE_CP_ "Unsupported session_type");
98	assoc_t a;	98	assoc_t a;
99	if(ats=="HMAC-SHA1")	99	if(ats=="HMAC-SHA1")
100	a = alloc_assoc(ats,SHA_DIGEST_LENGTH,true);	100	a = alloc_assoc(ats,SHA_DIGEST_LENGTH,false);
101	else if(ats=="HMAC-SHA256")	101	else if(ats=="HMAC-SHA256")
102	a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,true);	102	a = alloc_assoc(ats,SHA256_DIGEST_LENGTH,false);
103	else	103	else
104	throw unsupported(OPKELE_CP_ "Unsupported assoc_type");	104	throw unsupported(OPKELE_CP_ "Unsupported assoc_type");
105	oum.reset_fields();	105	oum.reset_fields();
106	oum.set_field("ns",OIURI_OPENID20);	106	oum.set_field("ns",OIURI_OPENID20);
107	oum.set_field("assoc_type",a->assoc_type());	107	oum.set_field("assoc_type",a->assoc_type());
108	oum.set_field("assoc_handle",a->handle());	108	oum.set_field("assoc_handle",a->handle());
109	oum.set_field("expires_in",util::long_to_string(assoc->expires_in()));	109	oum.set_field("expires_in",util::long_to_string(a->expires_in()));
110	secret_t secret = a->secret();	110	secret_t secret = a->secret();
111	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {	111	if(sts=="DH-SHA1" \|\| sts=="DH-SHA256") {
112	if(d_len != secret.size())	112	if(d_len != secret.size())
113	throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");	113	throw bad_input(OPKELE_CP_ "Association secret and session MAC are not of the same size");
114	oum.set_field("session_type",sts);	114	oum.set_field("session_type",sts);
115	oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));	115	oum.set_field("dh_server_public",util::bignum_to_base64(dh->pub_key));
116	string b64; secret.enxor_to_base64(key_digest,b64);	116	string b64; secret.enxor_to_base64(key_digest,b64);
117	oum.set_field("enc_mac_key",b64);	117	oum.set_field("enc_mac_key",b64);
118	}else /* TODO: support cleartext over encrypted connection */	118	}else /* TODO: support cleartext over encrypted connection */
119	throw unsupported(OPKELE_CP_ "Unsupported session type");	119	throw unsupported(OPKELE_CP_ "Unsupported session type");
120	return oum;	120	return oum;
121	} catch(unsupported& u) {	121	} catch(unsupported& u) {
122	oum.reset_fields();	122	oum.reset_fields();
123	oum.set_field("ns",OIURI_OPENID20);	123	oum.set_field("ns",OIURI_OPENID20);
124	oum.set_field("error",u.what());	124	oum.set_field("error",u.what());
125	oum.set_field("error_code","unsupported-type");	125	oum.set_field("error_code","unsupported-type");
126	oum.set_field("session_type","DH-SHA256");	126	oum.set_field("session_type","DH-SHA256");
127	oum.set_field("assoc_type","HMAC-SHA256");	127	oum.set_field("assoc_type","HMAC-SHA256");
128	return oum;	128	return oum;
129	}	129	}
130		130
131	void basic_OP::checkid_(const basic_openid_message& inm,	131	void basic_OP::checkid_(const basic_openid_message& inm,
132	extension_t *ext) {	132	extension_t *ext) {
133	reset_vars();	133	reset_vars();
134	string modestr = inm.get_field("mode");	134	string modestr = inm.get_field("mode");
135	if(modestr=="checkid_setup")	135	if(modestr=="checkid_setup")
136	mode = mode_checkid_setup;	136	mode = mode_checkid_setup;
137	else if(modestr=="checkid_immediate")	137	else if(modestr=="checkid_immediate")
138	mode = mode_checkid_immediate;	138	mode = mode_checkid_immediate;
139	else	139	else
140	throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");	140	throw bad_input(OPKELE_CP_ "Invalid checkid_* mode");
141	try {	141	try {
142	assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));	142	assoc = retrieve_assoc(invalidate_handle=inm.get_field("assoc_handle"));
143	invalidate_handle.clear();	143	invalidate_handle.clear();
144	}catch(failed_lookup&) { }	144	}catch(failed_lookup&) { }
145	try {	145	try {
146	openid2 = (inm.get_field("ns")==OIURI_OPENID20);	146	openid2 = (inm.get_field("ns")==OIURI_OPENID20);
147	}catch(failed_lookup&) { openid2 = false; }	147	}catch(failed_lookup&) { openid2 = false; }
148	try {	148	try {
149	return_to = inm.get_field("return_to");	149	return_to = inm.get_field("return_to");
150	}catch(failed_lookup&) { }	150	}catch(failed_lookup&) { }
151	if(openid2) {	151	if(openid2) {
152	try {	152	try {
153	realm = inm.get_field("realm");	153	realm = inm.get_field("realm");
154	}catch(failed_lookup&) {	154	}catch(failed_lookup&) {
155	try {	155	try {
156	realm = inm.get_field("trust_root");	156	realm = inm.get_field("trust_root");
157	}catch(failed_lookup&) {	157	}catch(failed_lookup&) {
158	if(return_to.empty())	158	if(return_to.empty())
159	throw bad_input(OPKELE_CP_	159	throw bad_input(OPKELE_CP_
160	"Both realm and return_to are unset");	160	"Both realm and return_to are unset");
161	realm = return_to;	161	realm = return_to;
162	}	162	}
163	}	163	}
164	}else{	164	}else{
165	try {	165	try {
166	realm = inm.get_field("trust_root");	166	realm = inm.get_field("trust_root");
167	}catch(failed_lookup&) {	167	}catch(failed_lookup&) {
168	if(return_to.empty())	168	if(return_to.empty())
169	throw bad_input(OPKELE_CP_	169	throw bad_input(OPKELE_CP_
170	"Both realm and return_to are unset");	170	"Both realm and return_to are unset");
171	realm = return_to;	171	realm = return_to;
172	}	172	}
173	}	173	}
174	try {	174	try {
175	identity = inm.get_field("identity");	175	identity = inm.get_field("identity");
176	try {	176	try {
177	claimed_id = inm.get_field("claimed_id");	177	claimed_id = inm.get_field("claimed_id");
178	}catch(failed_lookup&) {	178	}catch(failed_lookup&) {
179	if(openid2)	179	if(openid2)
180	throw bad_input(OPKELE_CP_	180	throw bad_input(OPKELE_CP_
181	"claimed_id and identity must be either both present or both absent");	181	"claimed_id and identity must be either both present or both absent");
182	claimed_id = identity;	182	claimed_id = identity;
183	}	183	}
184	}catch(failed_lookup&) {	184	}catch(failed_lookup&) {
185	if(openid2 && inm.has_field("claimed_id"))	185	if(openid2 && inm.has_field("claimed_id"))
186	throw bad_input(OPKELE_CP_	186	throw bad_input(OPKELE_CP_
187	"claimed_id and identity must be either both present or both absent");	187	"claimed_id and identity must be either both present or both absent");
188	}	188	}
189	verify_return_to();	189	verify_return_to();
190	if(ext) ext->op_checkid_hook(inm);	190	if(ext) ext->op_checkid_hook(inm);
191	}	191	}
192		192
193	basic_openid_message& basic_OP::id_res(basic_openid_message& om,	193	basic_openid_message& basic_OP::id_res(basic_openid_message& om,
194	extension_t *ext) {	194	extension_t *ext) {
195	assert(!return_to.empty());	195	assert(!return_to.empty());
196	assert(!is_id_select());	196	assert(!is_id_select());
197	if(!assoc) {	197	if(!assoc) {
198	assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true);	198	assoc = alloc_assoc("HMAC-SHA256",SHA256_DIGEST_LENGTH,true);
199	}	199	}
200	time_t now = time(0);	200	time_t now = time(0);
201	struct tm gmt; gmtime_r(&now,&gmt);	201	struct tm gmt; gmtime_r(&now,&gmt);
202	char w3timestr[24];	202	char w3timestr[24];
203	if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt))	203	if(!strftime(w3timestr,sizeof(w3timestr),"%Y-%m-%dT%H:%M:%SZ",&gmt))
204	throw failed_conversion(OPKELE_CP_	204	throw failed_conversion(OPKELE_CP_
205	"Failed to build time string for nonce" );	205	"Failed to build time string for nonce" );