author | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-07-20 08:39:06 +0200 |
---|---|---|
committer | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-07-20 08:39:06 +0200 |
commit | f89b96d1a0ffe8359fbbda6ea3276a030a701e91 (patch) | |
tree | c26189923ed5697e282a3a26be7fa1356f23a88a | |
parent | 4fd677cec39e5621d16bc2c63926b803b31582e3 (diff) | |
download | gnunet-f89b96d1a0ffe8359fbbda6ea3276a030a701e91.tar.gz gnunet-f89b96d1a0ffe8359fbbda6ea3276a030a701e91.zip |
remove trust check; we don't need it (and thus implicitly may slightly deviate from the RFC)
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 111 |
1 files changed, 3 insertions, 108 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index abb3f59f5..9b7cf0205 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
@@ -230,12 +230,6 @@ struct OIDC_Variables | |||
230 | char *client_id; | 230 | char *client_id; |
231 | 231 | ||
232 | /** | 232 | /** |
233 | * GNUNET_YES if there is a delegation to | ||
234 | * this RP or if it is a local identity | ||
235 | */ | ||
236 | int is_client_trusted; | ||
237 | |||
238 | /** | ||
239 | * The OIDC redirect uri | 233 | * The OIDC redirect uri |
240 | */ | 234 | */ |
241 | char *redirect_uri; | 235 | char *redirect_uri; |
@@ -1027,69 +1021,13 @@ login_check (void *cls) | |||
1027 | } | 1021 | } |
1028 | 1022 | ||
1029 | /** | 1023 | /** |
1030 | * Searches for client_id in namestore. If found trust status stored in handle | ||
1031 | * Else continues to search | ||
1032 | * | ||
1033 | * @param handle the RequestHandle | ||
1034 | */ | ||
1035 | static void | ||
1036 | namestore_iteration_callback ( | ||
1037 | void *cls, const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_key, | ||
1038 | const char *rname, unsigned int rd_len, | ||
1039 | const struct GNUNET_GNSRECORD_Data *rd) | ||
1040 | { | ||
1041 | struct RequestHandle *handle = cls; | ||
1042 | struct GNUNET_CRYPTO_EcdsaPublicKey login_identity_pkey; | ||
1043 | struct GNUNET_CRYPTO_EcdsaPublicKey current_zone_pkey; | ||
1044 | int i; | ||
1045 | |||
1046 | for (i = 0; i < rd_len; i++) | ||
1047 | { | ||
1048 | if ( GNUNET_GNSRECORD_TYPE_PKEY != rd[i].record_type ) | ||
1049 | continue; | ||
1050 | |||
1051 | if ( NULL != handle->oidc->login_identity ) | ||
1052 | { | ||
1053 | GNUNET_CRYPTO_ecdsa_public_key_from_string ( | ||
1054 | handle->oidc->login_identity, | ||
1055 | strlen (handle->oidc->login_identity), | ||
1056 | &login_identity_pkey); | ||
1057 | GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, | ||
1058 | ¤t_zone_pkey); | ||
1059 | |||
1060 | if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey, | ||
1061 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | ||
1062 | { | ||
1063 | if ( 0 == memcmp (&login_identity_pkey, ¤t_zone_pkey, | ||
1064 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | ||
1065 | { | ||
1066 | handle->oidc->is_client_trusted = GNUNET_YES; | ||
1067 | } | ||
1068 | } | ||
1069 | } | ||
1070 | else | ||
1071 | { | ||
1072 | if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey, | ||
1073 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | ||
1074 | { | ||
1075 | handle->oidc->is_client_trusted = GNUNET_YES; | ||
1076 | } | ||
1077 | } | ||
1078 | } | ||
1079 | |||
1080 | GNUNET_NAMESTORE_zone_iterator_next (handle->namestore_handle_it, | ||
1081 | 1); | ||
1082 | } | ||
1083 | |||
1084 | |||
1085 | /** | ||
1086 | * Iteration over all results finished, build final | 1024 | * Iteration over all results finished, build final |
1087 | * response. | 1025 | * response. |
1088 | * | 1026 | * |
1089 | * @param cls the `struct RequestHandle` | 1027 | * @param cls the `struct RequestHandle` |
1090 | */ | 1028 | */ |
1091 | static void | 1029 | static void |
1092 | namestore_iteration_finished (void *cls) | 1030 | build_authz_response (void *cls) |
1093 | { | 1031 | { |
1094 | struct RequestHandle *handle = cls; | 1032 | struct RequestHandle *handle = cls; |
1095 | struct GNUNET_HashCode cache_key; | 1033 | struct GNUNET_HashCode cache_key; |
@@ -1099,25 +1037,6 @@ namestore_iteration_finished (void *cls) | |||
1099 | int number_of_ignored_parameter, iterator; | 1037 | int number_of_ignored_parameter, iterator; |
1100 | 1038 | ||
1101 | 1039 | ||
1102 | handle->ego_entry = handle->ego_entry->next; | ||
1103 | |||
1104 | if(NULL != handle->ego_entry) | ||
1105 | { | ||
1106 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); | ||
1107 | handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (handle->namestore_handle, &handle->priv_key, | ||
1108 | &oidc_iteration_error, handle, &namestore_iteration_callback, handle, | ||
1109 | &namestore_iteration_finished, handle); | ||
1110 | return; | ||
1111 | } | ||
1112 | if (GNUNET_NO == handle->oidc->is_client_trusted) | ||
1113 | { | ||
1114 | handle->emsg = GNUNET_strdup("unauthorized_client"); | ||
1115 | handle->edesc = GNUNET_strdup("The client is not authorized to request an " | ||
1116 | "authorization code using this method."); | ||
1117 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1118 | return; | ||
1119 | } | ||
1120 | |||
1121 | // REQUIRED value: redirect_uri | 1040 | // REQUIRED value: redirect_uri |
1122 | GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY), | 1041 | GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY), |
1123 | &cache_key); | 1042 | &cache_key); |
@@ -1246,9 +1165,6 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1246 | { | 1165 | { |
1247 | struct RequestHandle *handle = cls; | 1166 | struct RequestHandle *handle = cls; |
1248 | struct GNUNET_HashCode cache_key; | 1167 | struct GNUNET_HashCode cache_key; |
1249 | struct EgoEntry *tmp_ego; | ||
1250 | struct GNUNET_CRYPTO_EcdsaPublicKey pkey; | ||
1251 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv_key; | ||
1252 | 1168 | ||
1253 | cookie_identity_interpretation(handle); | 1169 | cookie_identity_interpretation(handle); |
1254 | 1170 | ||
@@ -1302,29 +1218,8 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1302 | 1218 | ||
1303 | handle->ego_entry = handle->ego_head; | 1219 | handle->ego_entry = handle->ego_head; |
1304 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_head->ego); | 1220 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_head->ego); |
1305 | handle->oidc->is_client_trusted = GNUNET_NO; | 1221 | |
1306 | 1222 | GNUNET_SCHEDULER_add_now (&build_authz_response, handle); | |
1307 | //First check if client_id is one of our egos; TODO: handle other TLD cases: Delegation, from config | ||
1308 | for (tmp_ego = handle->ego_head; NULL != tmp_ego; tmp_ego = tmp_ego->next) | ||
1309 | { | ||
1310 | priv_key = GNUNET_IDENTITY_ego_get_private_key (tmp_ego->ego); | ||
1311 | GNUNET_CRYPTO_ecdsa_key_get_public (priv_key, | ||
1312 | &pkey); | ||
1313 | if ( 0 == memcmp (&pkey, &handle->oidc->client_pkey, | ||
1314 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | ||
1315 | { | ||
1316 | handle->tld = GNUNET_strdup (tmp_ego->identifier); | ||
1317 | handle->oidc->is_client_trusted = GNUNET_YES; | ||
1318 | handle->ego_entry = handle->ego_tail; | ||
1319 | } | ||
1320 | } | ||
1321 | |||
1322 | |||
1323 | // Checks if client_id is valid: | ||
1324 | handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start ( | ||
1325 | handle->namestore_handle, &handle->priv_key, &oidc_iteration_error, | ||
1326 | handle, &namestore_iteration_callback, handle, | ||
1327 | &namestore_iteration_finished, handle); | ||
1328 | } | 1223 | } |
1329 | 1224 | ||
1330 | /** | 1225 | /** |
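Review bot: With the ego loop and the namestore iteration removed (old 1305–1327, replaced by the `GNUNET_SCHEDULER_add_now (&build_authz_response, handle);` at new 1222), the authorize endpoint no longer confirms that `client_id` matches one of our egos or a PKEY delegation before building the response, so the redirect_uri handling at new 1040 now runs for any client key; unless that lookup binds the URI to `client_pkey` elsewhere in the file, an unregistered client can be issued an authorization code, which is the client-identifier validation RFC 6749 §4.1.1 expects and the commit message acknowledges deviating from. The deleted loop was also the only visible assignment of `handle->tld` (old 1316), so any later reader of that field now gets whatever the handle was initialised with, and `handle->ego_entry`/`handle->priv_key` at new 1219–1220 appear to survive only to feed the iteration that no longer starts. The doxygen kept above the renamed function (new 1024–1025) still reads `Iteration over all results finished, build final response.` although nothing iterates any more; suggest `* Build the final authorization response for the request.`. authorize_endpoint starts before its hunk and build_authz_response continues past the end of its hunk.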