author | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-06-03 21:22:50 +0200 |
---|---|---|
committer | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-06-03 21:22:50 +0200 |
commit | a00a49bf58c502ab860adaa6b01541c0e7e3e645 (patch) | |
tree | e9ece2ebffd1d0df735763fe5ebdfb2d334a496f /src/reclaim/plugin_rest_openid_connect.c | |
parent | 34c8bfb80b82a1a7f7d3db3c41e705b09a1fad7e (diff) | |
RECLAIM: Various fixes (coverity)
Diffstat (limited to 'src/reclaim/plugin_rest_openid_connect.c')
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 97 |
1 files changed, 58 insertions, 39 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 93e5ac864..e8561aed4 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
@@ -209,12 +209,12 @@ | |||
209 | * OIDC ignored parameter array | 209 | * OIDC ignored parameter array |
210 | */ | 210 | */ |
211 | static char *OIDC_ignored_parameter_array[] = {"display", | 211 | static char *OIDC_ignored_parameter_array[] = {"display", |
212 | "prompt", | 212 | "prompt", |
213 | "ui_locales", | 213 | "ui_locales", |
214 | "response_mode", | 214 | "response_mode", |
215 | "id_token_hint", | 215 | "id_token_hint", |
216 | "login_hint", | 216 | "login_hint", |
217 | "acr_values"}; | 217 | "acr_values"}; |
218 | 218 | ||
219 | /** | 219 | /** |
220 | * OIDC Hash map that keeps track of issued cookies | 220 | * OIDC Hash map that keeps track of issued cookies |
@@ -724,7 +724,7 @@ cookie_identity_interpretation (struct RequestHandle *handle) | |||
724 | strlen (OIDC_COOKIE_HEADER_KEY), | 724 | strlen (OIDC_COOKIE_HEADER_KEY), |
725 | &cache_key); | 725 | &cache_key); |
726 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle | 726 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle |
727 | ->header_param_map, | 727 | ->header_param_map, |
728 | &cache_key)) | 728 | &cache_key)) |
729 | { | 729 | { |
730 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "No cookie found\n"); | 730 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "No cookie found\n"); |
@@ -772,9 +772,9 @@ cookie_identity_interpretation (struct RequestHandle *handle) | |||
772 | GNUNET_CONTAINER_multihashmap_contains (OIDC_cookie_jar_map, &cache_key)) | 772 | GNUNET_CONTAINER_multihashmap_contains (OIDC_cookie_jar_map, &cache_key)) |
773 | { | 773 | { |
774 | GNUNET_log ( | 774 | GNUNET_log ( |
775 | GNUNET_ERROR_TYPE_WARNING, | 775 | GNUNET_ERROR_TYPE_WARNING, |
776 | "Found cookie `%s', but no corresponding expiration entry present...\n", | 776 | "Found cookie `%s', but no corresponding expiration entry present...\n", |
777 | token); | 777 | token); |
778 | GNUNET_free (cookies); | 778 | GNUNET_free (cookies); |
779 | return; | 779 | return; |
780 | } | 780 | } |
@@ -793,6 +793,7 @@ cookie_identity_interpretation (struct RequestHandle *handle) | |||
793 | value = strtok (token, OIDC_COOKIE_HEADER_INFORMATION_KEY); | 793 | value = strtok (token, OIDC_COOKIE_HEADER_INFORMATION_KEY); |
794 | GNUNET_assert (NULL != value); | 794 | GNUNET_assert (NULL != value); |
795 | handle->oidc->login_identity = GNUNET_strdup (value); | 795 | handle->oidc->login_identity = GNUNET_strdup (value); |
796 | GNUNET_free (cookies); | ||
796 | } | 797 | } |
797 | 798 | ||
798 | /** | 799 | /** |
@@ -1020,10 +1021,10 @@ code_redirect (void *cls) | |||
1020 | { | 1021 | { |
1021 | if (GNUNET_OK != | 1022 | if (GNUNET_OK != |
1022 | GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc | 1023 | GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc |
1023 | ->login_identity, | 1024 | ->login_identity, |
1024 | strlen ( | 1025 | strlen ( |
1025 | handle->oidc | 1026 | handle->oidc |
1026 | ->login_identity), | 1027 | ->login_identity), |
1027 | &pubkey)) | 1028 | &pubkey)) |
1028 | { | 1029 | { |
1029 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_COOKIE); | 1030 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_COOKIE); |
@@ -1134,18 +1135,31 @@ lookup_redirect_uri_result (void *cls, | |||
1134 | if (NULL == strstr (tmp, handle->oidc->client_id)) | 1135 | if (NULL == strstr (tmp, handle->oidc->client_id)) |
1135 | { | 1136 | { |
1136 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | 1137 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, |
1137 | "Redirect uri %s does not contain client_id %s", | 1138 | "Redirect uri %s does not contain client_id %s\n", |
1138 | tmp, | 1139 | tmp, |
1139 | handle->oidc->client_id); | 1140 | handle->oidc->client_id); |
1140 | } | 1141 | } |
1141 | else | 1142 | else |
1142 | { | 1143 | { |
1143 | |||
1144 | pos = strrchr (tmp, (unsigned char) '.'); | 1144 | pos = strrchr (tmp, (unsigned char) '.'); |
1145 | if (NULL == pos) | ||
1146 | { | ||
1147 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1148 | "Redirect uri %s contains client_id but is malformed\n", | ||
1149 | tmp); | ||
1150 | continue; | ||
1151 | } | ||
1145 | *pos = '\0'; | 1152 | *pos = '\0'; |
1146 | handle->redirect_prefix = GNUNET_strdup (tmp); | 1153 | handle->redirect_prefix = GNUNET_strdup (tmp); |
1147 | tmp_key_str = pos + 1; | 1154 | tmp_key_str = pos + 1; |
1148 | pos = strchr (tmp_key_str, (unsigned char) '/'); | 1155 | pos = strchr (tmp_key_str, (unsigned char) '/'); |
1156 | if (NULL == pos) | ||
1157 | { | ||
1158 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1159 | "Redirect uri %s contains client_id but is malformed\n", | ||
1160 | tmp); | ||
1161 | continue; | ||
1162 | } | ||
1149 | *pos = '\0'; | 1163 | *pos = '\0'; |
1150 | handle->redirect_suffix = GNUNET_strdup (pos + 1); | 1164 | handle->redirect_suffix = GNUNET_strdup (pos + 1); |
1151 | 1165 | ||
@@ -1191,7 +1205,7 @@ get_url_parameter_copy (const struct RequestHandle *handle, const char *key) | |||
1191 | char *value; | 1205 | char *value; |
1192 | GNUNET_CRYPTO_hash (key, strlen (key), &hc); | 1206 | GNUNET_CRYPTO_hash (key, strlen (key), &hc); |
1193 | if (GNUNET_YES != GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle | 1207 | if (GNUNET_YES != GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle |
1194 | ->url_param_map, | 1208 | ->url_param_map, |
1195 | &hc)) | 1209 | &hc)) |
1196 | return NULL; | 1210 | return NULL; |
1197 | value = | 1211 | value = |
@@ -1264,7 +1278,7 @@ build_authz_response (void *cls) | |||
1264 | &cache_key); | 1278 | &cache_key); |
1265 | if (GNUNET_YES == | 1279 | if (GNUNET_YES == |
1266 | GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle | 1280 | GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle |
1267 | ->url_param_map, | 1281 | ->url_param_map, |
1268 | &cache_key)) | 1282 | &cache_key)) |
1269 | { | 1283 | { |
1270 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_ACCESS_DENIED); | 1284 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_ACCESS_DENIED); |
@@ -1370,7 +1384,7 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1370 | if (GNUNET_OK != | 1384 | if (GNUNET_OK != |
1371 | GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id, | 1385 | GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id, |
1372 | strlen ( | 1386 | strlen ( |
1373 | handle->oidc->client_id), | 1387 | handle->oidc->client_id), |
1374 | &handle->oidc->client_pkey)) | 1388 | &handle->oidc->client_pkey)) |
1375 | { | 1389 | { |
1376 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_UNAUTHORIZED_CLIENT); | 1390 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_UNAUTHORIZED_CLIENT); |
@@ -1455,8 +1469,8 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
1455 | { | 1469 | { |
1456 | current_time = GNUNET_new (struct GNUNET_TIME_Absolute); | 1470 | current_time = GNUNET_new (struct GNUNET_TIME_Absolute); |
1457 | *current_time = GNUNET_TIME_relative_to_absolute ( | 1471 | *current_time = GNUNET_TIME_relative_to_absolute ( |
1458 | GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), | 1472 | GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), |
1459 | OIDC_COOKIE_EXPIRATION)); | 1473 | OIDC_COOKIE_EXPIRATION)); |
1460 | last_time = | 1474 | last_time = |
1461 | GNUNET_CONTAINER_multihashmap_get (OIDC_cookie_jar_map, &cache_key); | 1475 | GNUNET_CONTAINER_multihashmap_get (OIDC_cookie_jar_map, &cache_key); |
1462 | GNUNET_free_non_null (last_time); | 1476 | GNUNET_free_non_null (last_time); |
@@ -1488,7 +1502,7 @@ check_authorization (struct RequestHandle *handle, | |||
1488 | strlen (OIDC_AUTHORIZATION_HEADER_KEY), | 1502 | strlen (OIDC_AUTHORIZATION_HEADER_KEY), |
1489 | &cache_key); | 1503 | &cache_key); |
1490 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle | 1504 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle |
1491 | ->header_param_map, | 1505 | ->header_param_map, |
1492 | &cache_key)) | 1506 | &cache_key)) |
1493 | { | 1507 | { |
1494 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT); | 1508 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT); |
@@ -1502,7 +1516,7 @@ check_authorization (struct RequestHandle *handle, | |||
1502 | 1516 | ||
1503 | // split header in "Basic" and [content] | 1517 | // split header in "Basic" and [content] |
1504 | credentials = strtok (authorization, " "); | 1518 | credentials = strtok (authorization, " "); |
1505 | if (0 != strcmp ("Basic", credentials)) | 1519 | if ((NULL == credentials) || (0 != strcmp ("Basic", credentials))) |
1506 | { | 1520 | { |
1507 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT); | 1521 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT); |
1508 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 1522 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
@@ -1568,8 +1582,7 @@ check_authorization (struct RequestHandle *handle, | |||
1568 | } | 1582 | } |
1569 | 1583 | ||
1570 | // check client_id | 1584 | // check client_id |
1571 | for (handle->ego_entry = handle->ego_head; | 1585 | for (handle->ego_entry = handle->ego_head; NULL != handle->ego_entry; |
1572 | NULL != handle->ego_entry; | ||
1573 | handle->ego_entry = handle->ego_entry->next) | 1586 | handle->ego_entry = handle->ego_entry->next) |
1574 | { | 1587 | { |
1575 | if (0 == strcmp (handle->ego_entry->keystring, client_id)) | 1588 | if (0 == strcmp (handle->ego_entry->keystring, client_id)) |
@@ -1619,11 +1632,12 @@ persist_access_token (const struct RequestHandle *handle, | |||
1619 | GNUNET_CRYPTO_hash (access_token, strlen (access_token), &hc); | 1632 | GNUNET_CRYPTO_hash (access_token, strlen (access_token), &hc); |
1620 | ticketbuf = GNUNET_new (struct GNUNET_RECLAIM_Ticket); | 1633 | ticketbuf = GNUNET_new (struct GNUNET_RECLAIM_Ticket); |
1621 | *ticketbuf = *ticket; | 1634 | *ticketbuf = *ticket; |
1622 | GNUNET_CONTAINER_multihashmap_put ( | 1635 | GNUNET_assert (GNUNET_SYSERR != |
1623 | OIDC_access_token_map, | 1636 | GNUNET_CONTAINER_multihashmap_put ( |
1624 | &hc, | 1637 | OIDC_access_token_map, |
1625 | ticketbuf, | 1638 | &hc, |
1626 | GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY); | 1639 | ticketbuf, |
1640 | GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); | ||
1627 | } | 1641 | } |
1628 | 1642 | ||
1629 | /** | 1643 | /** |
@@ -1690,10 +1704,11 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1690 | { | 1704 | { |
1691 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_UNSUPPORTED_GRANT_TYPE); | 1705 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_UNSUPPORTED_GRANT_TYPE); |
1692 | handle->response_code = MHD_HTTP_BAD_REQUEST; | 1706 | handle->response_code = MHD_HTTP_BAD_REQUEST; |
1707 | GNUNET_free (grant_type); | ||
1693 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1708 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1694 | return; | 1709 | return; |
1695 | } | 1710 | } |
1696 | 1711 | GNUNET_free (grant_type); | |
1697 | // REQUIRED code | 1712 | // REQUIRED code |
1698 | code = get_url_parameter_copy (handle, OIDC_CODE_KEY); | 1713 | code = get_url_parameter_copy (handle, OIDC_CODE_KEY); |
1699 | if (NULL == code) | 1714 | if (NULL == code) |
@@ -1710,7 +1725,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1710 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); | 1725 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); |
1711 | handle->edesc = GNUNET_strdup ("Unknown client"); | 1726 | handle->edesc = GNUNET_strdup ("Unknown client"); |
1712 | handle->response_code = MHD_HTTP_BAD_REQUEST; | 1727 | handle->response_code = MHD_HTTP_BAD_REQUEST; |
1728 | GNUNET_free (code); | ||
1713 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1729 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1730 | return; | ||
1714 | } | 1731 | } |
1715 | privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego); | 1732 | privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego); |
1716 | // decode code | 1733 | // decode code |
@@ -1719,9 +1736,11 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1719 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); | 1736 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); |
1720 | handle->edesc = GNUNET_strdup ("invalid code"); | 1737 | handle->edesc = GNUNET_strdup ("invalid code"); |
1721 | handle->response_code = MHD_HTTP_BAD_REQUEST; | 1738 | handle->response_code = MHD_HTTP_BAD_REQUEST; |
1739 | GNUNET_free (code); | ||
1722 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1740 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1723 | return; | 1741 | return; |
1724 | } | 1742 | } |
1743 | GNUNET_free (code); | ||
1725 | 1744 | ||
1726 | // create jwt | 1745 | // create jwt |
1727 | if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, | 1746 | if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg, |
@@ -1826,7 +1845,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1826 | strlen (OIDC_AUTHORIZATION_HEADER_KEY), | 1845 | strlen (OIDC_AUTHORIZATION_HEADER_KEY), |
1827 | &cache_key); | 1846 | &cache_key); |
1828 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle | 1847 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle |
1829 | ->header_param_map, | 1848 | ->header_param_map, |
1830 | &cache_key)) | 1849 | &cache_key)) |
1831 | { | 1850 | { |
1832 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); | 1851 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); |
@@ -1915,16 +1934,16 @@ init_cont (struct RequestHandle *handle) | |||
1915 | { | 1934 | { |
1916 | struct GNUNET_REST_RequestHandlerError err; | 1935 | struct GNUNET_REST_RequestHandlerError err; |
1917 | static const struct GNUNET_REST_RequestHandler handlers[] = | 1936 | static const struct GNUNET_REST_RequestHandler handlers[] = |
1918 | {{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_endpoint}, | 1937 | {{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_endpoint}, |
1919 | {MHD_HTTP_METHOD_POST, | 1938 | {MHD_HTTP_METHOD_POST, |
1920 | GNUNET_REST_API_NS_AUTHORIZE, | 1939 | GNUNET_REST_API_NS_AUTHORIZE, |
1921 | &authorize_endpoint}, // url-encoded | 1940 | &authorize_endpoint}, // url-encoded |
1922 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont}, | 1941 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont}, |
1923 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_TOKEN, &token_endpoint}, | 1942 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_TOKEN, &token_endpoint}, |
1924 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint}, | 1943 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint}, |
1925 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint}, | 1944 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint}, |
1926 | {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC, &options_cont}, | 1945 | {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC, &options_cont}, |
1927 | GNUNET_REST_HANDLER_END}; | 1946 | GNUNET_REST_HANDLER_END}; |
1928 | 1947 | ||
1929 | if (GNUNET_NO == | 1948 | if (GNUNET_NO == |
1930 | GNUNET_REST_handle_request (handle->rest_handle, handlers, &err, handle)) | 1949 | GNUNET_REST_handle_request (handle->rest_handle, handlers, &err, handle)) |
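Review bot: In the lookup_redirect_uri_result hunk, the second added `continue` (taken when `strchr` returns NULL) runs after `handle->redirect_prefix = GNUNET_strdup (tmp);`, so a record that has a '.' but no following '/' leaves a prefix from a rejected redirect URI on the handle, and that copy is lost if a later record assigns the field again. Moving that assignment below the second NULL check, next to `handle->redirect_suffix = GNUNET_strdup (pos + 1);`, keeps the handle untouched until the URI has parsed completely; `tmp` is already terminated at the last '.', so the copied prefix is the same. The second warning also prints `tmp` after it has been cut at that '.', so the log shows a truncated URI rather than the malformed one. The loop and the allocation of `tmp` lie outside the hunk; if `tmp` is allocated per iteration, both new `continue` paths would need to release it as well.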