author | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-09-05 08:22:51 +0200 |
---|---|---|
committer | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-09-05 08:22:51 +0200 |
commit | 74c328220897196de3d93710e74666230a57cfee (patch) | |
tree | f8b63e77c3f1036a67e8ac5651349a3ab268a231 /src/reclaim/oidc_helper.c | |
parent | d9a37dee7a3f425b0846a8dd1b6089dc7f27d723 (diff) | |
attempt to make PKCE optional
Diffstat (limited to 'src/reclaim/oidc_helper.c')
-rw-r--r-- | src/reclaim/oidc_helper.c | 67 |
1 files changed, 35 insertions, 32 deletions
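--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -460,6 +460,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
 size_t payload_len;
 size_t code_payload_len;
 size_t attr_list_len = 0;
+size_t code_challenge_len = 0;
 uint32_t nonce;
 uint32_t nonce_tmp;
 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
@@ -489,14 +490,10 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
 nonce_tmp = htonl (nonce);
 params.nonce = nonce_tmp;
 // Assign code challenge
-if (NULL == code_challenge || strcmp ("", code_challenge) == 0)
-{
-GNUNET_break (0);
-GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "PKCE: Code challenge missing");
-return NULL;
-}
-payload_len += strlen (code_challenge);
-params.code_challenge_len = htonl (strlen (code_challenge));
+if (NULL != code_challenge)
+code_challenge_len = strlen (code_challenge);
+payload_len += code_challenge_len;
+params.code_challenge_len = htonl (code_challenge_len);
 // Assign attributes
 if (NULL != attrs)
 {
@@ -513,8 +510,11 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
 payload = GNUNET_malloc (payload_len);
 memcpy (payload, ¶ms, sizeof (params));
 tmp = payload + sizeof (params);
-memcpy (tmp, code_challenge, strlen (code_challenge));
-tmp += strlen (code_challenge);
+if (0 < code_challenge_len)
+{
+memcpy (tmp, code_challenge, code_challenge_len);
+tmp += code_challenge_len;
+}
 if (0 < attr_list_len)
 GNUNET_RECLAIM_ATTRIBUTE_list_serialize (attrs, tmp);
 /** END **/
@@ -633,35 +633,38 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv,
 decrypt_payload (ecdsa_priv, ecdh_pub, ptr, plaintext_len, plaintext);
 //ptr = plaintext;
 ptr += plaintext_len;
-signature = (struct GNUNET_CRYPTO_EcdsaSignature*) ptr;
+signature = (struct GNUNET_CRYPTO_EcdsaSignature *) ptr;
 params = (struct OIDC_Parameters *) plaintext;
 
 // cmp code_challenge code_verifier
-code_verifier_hash = GNUNET_malloc (256 / 8);
-// hash code verifier
-gcry_md_hash_buffer (GCRY_MD_SHA256,
-code_verifier_hash,
-code_verifier,
-strlen (code_verifier));
-// encode code verifier
-expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8);
-code_challenge = (char *) ¶ms[1];
 code_challenge_len = ntohl (params->code_challenge_len);
-GNUNET_free (code_verifier_hash);
-if ((strlen (expected_code_challenge) != code_challenge_len) ||
-(0 !=
-strncmp (expected_code_challenge, code_challenge, code_challenge_len)))
+if (0 != code_challenge_len) /* Only check if this code requires a CV */
 {
-GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-"Invalid code verifier! Expected: %s, Got: %.*s\n",
-expected_code_challenge,
-code_challenge_len,
-code_challenge);
-GNUNET_free_non_null (code_payload);
+code_verifier_hash = GNUNET_malloc (256 / 8);
+// hash code verifier
+gcry_md_hash_buffer (GCRY_MD_SHA256,
+code_verifier_hash,
+code_verifier,
+strlen (code_verifier));
+// encode code verifier
+expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8);
+code_challenge = (char *) ¶ms[1];
+GNUNET_free (code_verifier_hash);
+if ((strlen (expected_code_challenge) != code_challenge_len) ||
+(0 !=
+strncmp (expected_code_challenge, code_challenge, code_challenge_len)))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Invalid code verifier! Expected: %s, Got: %.*s\n",
+expected_code_challenge,
+code_challenge_len,
+code_challenge);
+GNUNET_free_non_null (code_payload);
+GNUNET_free (expected_code_challenge);
+return GNUNET_SYSERR;
+}
 GNUNET_free (expected_code_challenge);
-return GNUNET_SYSERR;
 }
-GNUNET_free (expected_code_challenge);
 // Ticket
 memcpy (ticket, ¶ms->ticket, sizeof (params->ticket));
 // Nonce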
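Review bot: Inside the new `if (0 != code_challenge_len)` block in OIDC_parse_authz_code, `strlen (code_verifier)` still runs unconditionally, so if making PKCE optional means callers may now pass a NULL `code_verifier`, a code that does carry a challenge but arrives without a verifier dereferences NULL instead of being rejected; add a guard before the hash, e.g. `if (NULL == code_verifier) { GNUNET_free_non_null (code_payload); return GNUNET_SYSERR; }`. The same block deserves a short comment that the "PKCE required" decision is taken from the decrypted `params->code_challenge_len` rather than from anything in the token request, so a client cannot downgrade a code issued with a challenge into one without — presumably the signature over the payload is what makes that field trustworthy, and that check lies outside this hunk. Note too that in OIDC_build_authz_code an empty `code_challenge` of `""` is now silently treated as "no PKCE" rather than rejected as before; if that is intended, say so in a comment on `if (NULL != code_challenge)`. OIDC_parse_authz_code begins and ends outside the hunk.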