23 April, 2012

OpenID for Node.js v0.4.2 released

The v0.4.2 release of OpenID for Node.js fixes a bug in DH response decoding and signature calculation which caused (seemingly random) failures in the shared secret computation. This again caused some valid authentications to be rejected as invalid by OpenID for Node.js. Please upgrade to the latest version of OpenID for Node.js to avoid potentially rejecting valid authentications for your users.

Details
The bug revealed two issues in the OpenID for Node.js library:

  • The `unbtwoc` routine which converts a received binary two's complement number was flawed
  • The computed shared secret was not converted to binary two's complement form before it was used to compute the signature


These two issues together caused some authentication attempts to be rejected.

No comments:

Post a Comment