summaryrefslogtreecommitdiff
path: root/src/reclaim/oidc_helper.c
diff options
context:
space:
mode:
authorSchanzenbach, Martin <mschanzenbach@posteo.de>2019-09-05 08:22:51 +0200
committerSchanzenbach, Martin <mschanzenbach@posteo.de>2019-09-05 08:22:51 +0200
commit74c328220897196de3d93710e74666230a57cfee (patch)
treef8b63e77c3f1036a67e8ac5651349a3ab268a231 /src/reclaim/oidc_helper.c
parentd9a37dee7a3f425b0846a8dd1b6089dc7f27d723 (diff)
downloadgnunet-74c328220897196de3d93710e74666230a57cfee.tar.gz
gnunet-74c328220897196de3d93710e74666230a57cfee.zip
attempt to make PKCE optional
Diffstat (limited to 'src/reclaim/oidc_helper.c')
-rw-r--r--src/reclaim/oidc_helper.c67
1 files changed, 35 insertions, 32 deletions
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c
index cbf0d1a1d..4769ed2d1 100644
--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -460,6 +460,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
460 size_t payload_len; 460 size_t payload_len;
461 size_t code_payload_len; 461 size_t code_payload_len;
462 size_t attr_list_len = 0; 462 size_t attr_list_len = 0;
463 size_t code_challenge_len = 0;
463 uint32_t nonce; 464 uint32_t nonce;
464 uint32_t nonce_tmp; 465 uint32_t nonce_tmp;
465 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose; 466 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
@@ -489,14 +490,10 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
489 nonce_tmp = htonl (nonce); 490 nonce_tmp = htonl (nonce);
490 params.nonce = nonce_tmp; 491 params.nonce = nonce_tmp;
491 // Assign code challenge 492 // Assign code challenge
492 if (NULL == code_challenge || strcmp ("", code_challenge) == 0) 493 if (NULL != code_challenge)
493 { 494 code_challenge_len = strlen (code_challenge);
494 GNUNET_break (0); 495 payload_len += code_challenge_len;
495 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "PKCE: Code challenge missing"); 496 params.code_challenge_len = htonl (code_challenge_len);
496 return NULL;
497 }
498 payload_len += strlen (code_challenge);
499 params.code_challenge_len = htonl (strlen (code_challenge));
500 // Assign attributes 497 // Assign attributes
501 if (NULL != attrs) 498 if (NULL != attrs)
502 { 499 {
@@ -513,8 +510,11 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
513 payload = GNUNET_malloc (payload_len); 510 payload = GNUNET_malloc (payload_len);
514 memcpy (payload, &params, sizeof (params)); 511 memcpy (payload, &params, sizeof (params));
515 tmp = payload + sizeof (params); 512 tmp = payload + sizeof (params);
516 memcpy (tmp, code_challenge, strlen (code_challenge)); 513 if (0 < code_challenge_len)
517 tmp += strlen (code_challenge); 514 {
515 memcpy (tmp, code_challenge, code_challenge_len);
516 tmp += code_challenge_len;
517 }
518 if (0 < attr_list_len) 518 if (0 < attr_list_len)
519 GNUNET_RECLAIM_ATTRIBUTE_list_serialize (attrs, tmp); 519 GNUNET_RECLAIM_ATTRIBUTE_list_serialize (attrs, tmp);
520 /** END **/ 520 /** END **/
@@ -633,35 +633,38 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv,
633 decrypt_payload (ecdsa_priv, ecdh_pub, ptr, plaintext_len, plaintext); 633 decrypt_payload (ecdsa_priv, ecdh_pub, ptr, plaintext_len, plaintext);
634 //ptr = plaintext; 634 //ptr = plaintext;
635 ptr += plaintext_len; 635 ptr += plaintext_len;
636 signature = (struct GNUNET_CRYPTO_EcdsaSignature*) ptr; 636 signature = (struct GNUNET_CRYPTO_EcdsaSignature *) ptr;
637 params = (struct OIDC_Parameters *) plaintext; 637 params = (struct OIDC_Parameters *) plaintext;
638 638
639 // cmp code_challenge code_verifier 639 // cmp code_challenge code_verifier
640 code_verifier_hash = GNUNET_malloc (256 / 8);
641 // hash code verifier
642 gcry_md_hash_buffer (GCRY_MD_SHA256,
643 code_verifier_hash,
644 code_verifier,
645 strlen (code_verifier));
646 // encode code verifier
647 expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8);
648 code_challenge = (char *) &params[1];
649 code_challenge_len = ntohl (params->code_challenge_len); 640 code_challenge_len = ntohl (params->code_challenge_len);
650 GNUNET_free (code_verifier_hash); 641 if (0 != code_challenge_len) /* Only check if this code requires a CV */
651 if ((strlen (expected_code_challenge) != code_challenge_len) ||
652 (0 !=
653 strncmp (expected_code_challenge, code_challenge, code_challenge_len)))
654 { 642 {
655 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, 643 code_verifier_hash = GNUNET_malloc (256 / 8);
656 "Invalid code verifier! Expected: %s, Got: %.*s\n", 644 // hash code verifier
657 expected_code_challenge, 645 gcry_md_hash_buffer (GCRY_MD_SHA256,
658 code_challenge_len, 646 code_verifier_hash,
659 code_challenge); 647 code_verifier,
660 GNUNET_free_non_null (code_payload); 648 strlen (code_verifier));
649 // encode code verifier
650 expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8);
651 code_challenge = (char *) &params[1];
652 GNUNET_free (code_verifier_hash);
653 if ((strlen (expected_code_challenge) != code_challenge_len) ||
654 (0 !=
655 strncmp (expected_code_challenge, code_challenge, code_challenge_len)))
656 {
657 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
658 "Invalid code verifier! Expected: %s, Got: %.*s\n",
659 expected_code_challenge,
660 code_challenge_len,
661 code_challenge);
662 GNUNET_free_non_null (code_payload);
663 GNUNET_free (expected_code_challenge);
664 return GNUNET_SYSERR;
665 }
661 GNUNET_free (expected_code_challenge); 666 GNUNET_free (expected_code_challenge);
662 return GNUNET_SYSERR;
663 } 667 }
664 GNUNET_free (expected_code_challenge);
665 // Ticket 668 // Ticket
666 memcpy (ticket, &params->ticket, sizeof (params->ticket)); 669 memcpy (ticket, &params->ticket, sizeof (params->ticket));
667 // Nonce 670 // Nonce