aboutsummaryrefslogtreecommitdiff
path: root/src/reclaim/plugin_rest_openid_connect.c
diff options
context:
space:
mode:
authorSchanzenbach, Martin <mschanzenbach@posteo.de>2019-06-03 21:22:50 +0200
committerSchanzenbach, Martin <mschanzenbach@posteo.de>2019-06-03 21:22:50 +0200
commita00a49bf58c502ab860adaa6b01541c0e7e3e645 (patch)
treee9ece2ebffd1d0df735763fe5ebdfb2d334a496f /src/reclaim/plugin_rest_openid_connect.c
parent34c8bfb80b82a1a7f7d3db3c41e705b09a1fad7e (diff)
downloadgnunet-a00a49bf58c502ab860adaa6b01541c0e7e3e645.tar.gz
gnunet-a00a49bf58c502ab860adaa6b01541c0e7e3e645.zip
RECLAIM: Various fixes (coverity)
Diffstat (limited to 'src/reclaim/plugin_rest_openid_connect.c')
-rw-r--r--src/reclaim/plugin_rest_openid_connect.c97
1 files changed, 58 insertions, 39 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index 93e5ac864..e8561aed4 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -209,12 +209,12 @@
209 * OIDC ignored parameter array 209 * OIDC ignored parameter array
210 */ 210 */
211static char *OIDC_ignored_parameter_array[] = {"display", 211static char *OIDC_ignored_parameter_array[] = {"display",
212 "prompt", 212 "prompt",
213 "ui_locales", 213 "ui_locales",
214 "response_mode", 214 "response_mode",
215 "id_token_hint", 215 "id_token_hint",
216 "login_hint", 216 "login_hint",
217 "acr_values"}; 217 "acr_values"};
218 218
219/** 219/**
220 * OIDC Hash map that keeps track of issued cookies 220 * OIDC Hash map that keeps track of issued cookies
@@ -724,7 +724,7 @@ cookie_identity_interpretation (struct RequestHandle *handle)
724 strlen (OIDC_COOKIE_HEADER_KEY), 724 strlen (OIDC_COOKIE_HEADER_KEY),
725 &cache_key); 725 &cache_key);
726 if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle 726 if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle
727 ->header_param_map, 727 ->header_param_map,
728 &cache_key)) 728 &cache_key))
729 { 729 {
730 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "No cookie found\n"); 730 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "No cookie found\n");
@@ -772,9 +772,9 @@ cookie_identity_interpretation (struct RequestHandle *handle)
772 GNUNET_CONTAINER_multihashmap_contains (OIDC_cookie_jar_map, &cache_key)) 772 GNUNET_CONTAINER_multihashmap_contains (OIDC_cookie_jar_map, &cache_key))
773 { 773 {
774 GNUNET_log ( 774 GNUNET_log (
775 GNUNET_ERROR_TYPE_WARNING, 775 GNUNET_ERROR_TYPE_WARNING,
776 "Found cookie `%s', but no corresponding expiration entry present...\n", 776 "Found cookie `%s', but no corresponding expiration entry present...\n",
777 token); 777 token);
778 GNUNET_free (cookies); 778 GNUNET_free (cookies);
779 return; 779 return;
780 } 780 }
@@ -793,6 +793,7 @@ cookie_identity_interpretation (struct RequestHandle *handle)
793 value = strtok (token, OIDC_COOKIE_HEADER_INFORMATION_KEY); 793 value = strtok (token, OIDC_COOKIE_HEADER_INFORMATION_KEY);
794 GNUNET_assert (NULL != value); 794 GNUNET_assert (NULL != value);
795 handle->oidc->login_identity = GNUNET_strdup (value); 795 handle->oidc->login_identity = GNUNET_strdup (value);
796 GNUNET_free (cookies);
796} 797}
797 798
798/** 799/**
@@ -1020,10 +1021,10 @@ code_redirect (void *cls)
1020 { 1021 {
1021 if (GNUNET_OK != 1022 if (GNUNET_OK !=
1022 GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc 1023 GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc
1023 ->login_identity, 1024 ->login_identity,
1024 strlen ( 1025 strlen (
1025 handle->oidc 1026 handle->oidc
1026 ->login_identity), 1027 ->login_identity),
1027 &pubkey)) 1028 &pubkey))
1028 { 1029 {
1029 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_COOKIE); 1030 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_COOKIE);
@@ -1134,18 +1135,31 @@ lookup_redirect_uri_result (void *cls,
1134 if (NULL == strstr (tmp, handle->oidc->client_id)) 1135 if (NULL == strstr (tmp, handle->oidc->client_id))
1135 { 1136 {
1136 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, 1137 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1137 "Redirect uri %s does not contain client_id %s", 1138 "Redirect uri %s does not contain client_id %s\n",
1138 tmp, 1139 tmp,
1139 handle->oidc->client_id); 1140 handle->oidc->client_id);
1140 } 1141 }
1141 else 1142 else
1142 { 1143 {
1143
1144 pos = strrchr (tmp, (unsigned char) '.'); 1144 pos = strrchr (tmp, (unsigned char) '.');
1145 if (NULL == pos)
1146 {
1147 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1148 "Redirect uri %s contains client_id but is malformed\n",
1149 tmp);
1150 continue;
1151 }
1145 *pos = '\0'; 1152 *pos = '\0';
1146 handle->redirect_prefix = GNUNET_strdup (tmp); 1153 handle->redirect_prefix = GNUNET_strdup (tmp);
1147 tmp_key_str = pos + 1; 1154 tmp_key_str = pos + 1;
1148 pos = strchr (tmp_key_str, (unsigned char) '/'); 1155 pos = strchr (tmp_key_str, (unsigned char) '/');
1156 if (NULL == pos)
1157 {
1158 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1159 "Redirect uri %s contains client_id but is malformed\n",
1160 tmp);
1161 continue;
1162 }
1149 *pos = '\0'; 1163 *pos = '\0';
1150 handle->redirect_suffix = GNUNET_strdup (pos + 1); 1164 handle->redirect_suffix = GNUNET_strdup (pos + 1);
1151 1165
@@ -1191,7 +1205,7 @@ get_url_parameter_copy (const struct RequestHandle *handle, const char *key)
1191 char *value; 1205 char *value;
1192 GNUNET_CRYPTO_hash (key, strlen (key), &hc); 1206 GNUNET_CRYPTO_hash (key, strlen (key), &hc);
1193 if (GNUNET_YES != GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle 1207 if (GNUNET_YES != GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle
1194 ->url_param_map, 1208 ->url_param_map,
1195 &hc)) 1209 &hc))
1196 return NULL; 1210 return NULL;
1197 value = 1211 value =
@@ -1264,7 +1278,7 @@ build_authz_response (void *cls)
1264 &cache_key); 1278 &cache_key);
1265 if (GNUNET_YES == 1279 if (GNUNET_YES ==
1266 GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle 1280 GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle
1267 ->url_param_map, 1281 ->url_param_map,
1268 &cache_key)) 1282 &cache_key))
1269 { 1283 {
1270 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_ACCESS_DENIED); 1284 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_ACCESS_DENIED);
@@ -1370,7 +1384,7 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1370 if (GNUNET_OK != 1384 if (GNUNET_OK !=
1371 GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id, 1385 GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id,
1372 strlen ( 1386 strlen (
1373 handle->oidc->client_id), 1387 handle->oidc->client_id),
1374 &handle->oidc->client_pkey)) 1388 &handle->oidc->client_pkey))
1375 { 1389 {
1376 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_UNAUTHORIZED_CLIENT); 1390 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_UNAUTHORIZED_CLIENT);
@@ -1455,8 +1469,8 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle,
1455 { 1469 {
1456 current_time = GNUNET_new (struct GNUNET_TIME_Absolute); 1470 current_time = GNUNET_new (struct GNUNET_TIME_Absolute);
1457 *current_time = GNUNET_TIME_relative_to_absolute ( 1471 *current_time = GNUNET_TIME_relative_to_absolute (
1458 GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), 1472 GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (),
1459 OIDC_COOKIE_EXPIRATION)); 1473 OIDC_COOKIE_EXPIRATION));
1460 last_time = 1474 last_time =
1461 GNUNET_CONTAINER_multihashmap_get (OIDC_cookie_jar_map, &cache_key); 1475 GNUNET_CONTAINER_multihashmap_get (OIDC_cookie_jar_map, &cache_key);
1462 GNUNET_free_non_null (last_time); 1476 GNUNET_free_non_null (last_time);
@@ -1488,7 +1502,7 @@ check_authorization (struct RequestHandle *handle,
1488 strlen (OIDC_AUTHORIZATION_HEADER_KEY), 1502 strlen (OIDC_AUTHORIZATION_HEADER_KEY),
1489 &cache_key); 1503 &cache_key);
1490 if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle 1504 if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle
1491 ->header_param_map, 1505 ->header_param_map,
1492 &cache_key)) 1506 &cache_key))
1493 { 1507 {
1494 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT); 1508 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
@@ -1502,7 +1516,7 @@ check_authorization (struct RequestHandle *handle,
1502 1516
1503 // split header in "Basic" and [content] 1517 // split header in "Basic" and [content]
1504 credentials = strtok (authorization, " "); 1518 credentials = strtok (authorization, " ");
1505 if (0 != strcmp ("Basic", credentials)) 1519 if ((NULL == credentials) || (0 != strcmp ("Basic", credentials)))
1506 { 1520 {
1507 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT); 1521 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
1508 handle->response_code = MHD_HTTP_UNAUTHORIZED; 1522 handle->response_code = MHD_HTTP_UNAUTHORIZED;
@@ -1568,8 +1582,7 @@ check_authorization (struct RequestHandle *handle,
1568 } 1582 }
1569 1583
1570 // check client_id 1584 // check client_id
1571 for (handle->ego_entry = handle->ego_head; 1585 for (handle->ego_entry = handle->ego_head; NULL != handle->ego_entry;
1572 NULL != handle->ego_entry;
1573 handle->ego_entry = handle->ego_entry->next) 1586 handle->ego_entry = handle->ego_entry->next)
1574 { 1587 {
1575 if (0 == strcmp (handle->ego_entry->keystring, client_id)) 1588 if (0 == strcmp (handle->ego_entry->keystring, client_id))
@@ -1619,11 +1632,12 @@ persist_access_token (const struct RequestHandle *handle,
1619 GNUNET_CRYPTO_hash (access_token, strlen (access_token), &hc); 1632 GNUNET_CRYPTO_hash (access_token, strlen (access_token), &hc);
1620 ticketbuf = GNUNET_new (struct GNUNET_RECLAIM_Ticket); 1633 ticketbuf = GNUNET_new (struct GNUNET_RECLAIM_Ticket);
1621 *ticketbuf = *ticket; 1634 *ticketbuf = *ticket;
1622 GNUNET_CONTAINER_multihashmap_put ( 1635 GNUNET_assert (GNUNET_SYSERR !=
1623 OIDC_access_token_map, 1636 GNUNET_CONTAINER_multihashmap_put (
1624 &hc, 1637 OIDC_access_token_map,
1625 ticketbuf, 1638 &hc,
1626 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); 1639 ticketbuf,
1640 GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
1627} 1641}
1628 1642
1629/** 1643/**
@@ -1690,10 +1704,11 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1690 { 1704 {
1691 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_UNSUPPORTED_GRANT_TYPE); 1705 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_UNSUPPORTED_GRANT_TYPE);
1692 handle->response_code = MHD_HTTP_BAD_REQUEST; 1706 handle->response_code = MHD_HTTP_BAD_REQUEST;
1707 GNUNET_free (grant_type);
1693 GNUNET_SCHEDULER_add_now (&do_error, handle); 1708 GNUNET_SCHEDULER_add_now (&do_error, handle);
1694 return; 1709 return;
1695 } 1710 }
1696 1711 GNUNET_free (grant_type);
1697 // REQUIRED code 1712 // REQUIRED code
1698 code = get_url_parameter_copy (handle, OIDC_CODE_KEY); 1713 code = get_url_parameter_copy (handle, OIDC_CODE_KEY);
1699 if (NULL == code) 1714 if (NULL == code)
@@ -1710,7 +1725,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1710 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); 1725 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
1711 handle->edesc = GNUNET_strdup ("Unknown client"); 1726 handle->edesc = GNUNET_strdup ("Unknown client");
1712 handle->response_code = MHD_HTTP_BAD_REQUEST; 1727 handle->response_code = MHD_HTTP_BAD_REQUEST;
1728 GNUNET_free (code);
1713 GNUNET_SCHEDULER_add_now (&do_error, handle); 1729 GNUNET_SCHEDULER_add_now (&do_error, handle);
1730 return;
1714 } 1731 }
1715 privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego); 1732 privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
1716 // decode code 1733 // decode code
@@ -1719,9 +1736,11 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1719 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); 1736 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
1720 handle->edesc = GNUNET_strdup ("invalid code"); 1737 handle->edesc = GNUNET_strdup ("invalid code");
1721 handle->response_code = MHD_HTTP_BAD_REQUEST; 1738 handle->response_code = MHD_HTTP_BAD_REQUEST;
1739 GNUNET_free (code);
1722 GNUNET_SCHEDULER_add_now (&do_error, handle); 1740 GNUNET_SCHEDULER_add_now (&do_error, handle);
1723 return; 1741 return;
1724 } 1742 }
1743 GNUNET_free (code);
1725 1744
1726 // create jwt 1745 // create jwt
1727 if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, 1746 if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg,
@@ -1826,7 +1845,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1826 strlen (OIDC_AUTHORIZATION_HEADER_KEY), 1845 strlen (OIDC_AUTHORIZATION_HEADER_KEY),
1827 &cache_key); 1846 &cache_key);
1828 if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle 1847 if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle
1829 ->header_param_map, 1848 ->header_param_map,
1830 &cache_key)) 1849 &cache_key))
1831 { 1850 {
1832 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); 1851 handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN);
@@ -1915,16 +1934,16 @@ init_cont (struct RequestHandle *handle)
1915{ 1934{
1916 struct GNUNET_REST_RequestHandlerError err; 1935 struct GNUNET_REST_RequestHandlerError err;
1917 static const struct GNUNET_REST_RequestHandler handlers[] = 1936 static const struct GNUNET_REST_RequestHandler handlers[] =
1918 {{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_endpoint}, 1937 {{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_endpoint},
1919 {MHD_HTTP_METHOD_POST, 1938 {MHD_HTTP_METHOD_POST,
1920 GNUNET_REST_API_NS_AUTHORIZE, 1939 GNUNET_REST_API_NS_AUTHORIZE,
1921 &authorize_endpoint}, // url-encoded 1940 &authorize_endpoint}, // url-encoded
1922 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont}, 1941 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont},
1923 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_TOKEN, &token_endpoint}, 1942 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_TOKEN, &token_endpoint},
1924 {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint}, 1943 {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint},
1925 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint}, 1944 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint},
1926 {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC, &options_cont}, 1945 {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC, &options_cont},
1927 GNUNET_REST_HANDLER_END}; 1946 GNUNET_REST_HANDLER_END};
1928 1947
1929 if (GNUNET_NO == 1948 if (GNUNET_NO ==
1930 GNUNET_REST_handle_request (handle->rest_handle, handlers, &err, handle)) 1949 GNUNET_REST_handle_request (handle->rest_handle, handlers, &err, handle))