authorSchanzenbach, Martin <mschanzenbach@posteo.de>2019-09-05 08:22:51 +0200
committerSchanzenbach, Martin <mschanzenbach@posteo.de>2019-09-05 08:22:51 +0200
commit74c328220897196de3d93710e74666230a57cfee (patch)
treef8b63e77c3f1036a67e8ac5651349a3ab268a231 /src
parentd9a37dee7a3f425b0846a8dd1b6089dc7f27d723 (diff)
attempt to make PKCE optional
Diffstat (limited to 'src')
-rw-r--r--src/reclaim/oidc_helper.c67
-rw-r--r--src/reclaim/plugin_rest_openid_connect.c13
2 files changed, 40 insertions, 40 deletions
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c
index cbf0d1a1d..4769ed2d1 100644
--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -460,6 +460,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
size_t payload_len;
size_t code_payload_len;
size_t attr_list_len = 0;
+ size_t code_challenge_len = 0;
uint32_t nonce;
uint32_t nonce_tmp;
struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
@@ -489,14 +490,10 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
nonce_tmp = htonl (nonce);
params.nonce = nonce_tmp;
// Assign code challenge
- if (NULL == code_challenge || strcmp ("", code_challenge) == 0)
- {
- GNUNET_break (0);
- GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "PKCE: Code challenge missing");
- return NULL;
- }
- payload_len += strlen (code_challenge);
- params.code_challenge_len = htonl (strlen (code_challenge));
+ if (NULL != code_challenge)
+ code_challenge_len = strlen (code_challenge);
+ payload_len += code_challenge_len;
+ params.code_challenge_len = htonl (code_challenge_len);
// Assign attributes
if (NULL != attrs)
{
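Review bot: An empty `code_challenge` string now silently takes the no-PKCE path: `strlen ("")` is 0, so `code_challenge_len` stays 0 and the code is issued without a challenge, whereas the removed branch rejected it with `GNUNET_break (0)`. If only an absent parameter is meant to be optional, keep the empty-string rejection, e.g. `if ((NULL != code_challenge) && ('\0' == *code_challenge)) { GNUNET_break (0); return NULL; }` before the `strlen` call. Separately, `htonl (code_challenge_len)` narrows a `size_t` to 32 bits with no upper bound on the challenge length; this predates the commit, but an explicit cap would make the serialized length trustworthy on the parsing side. OIDC_build_authz_code starts and ends outside this hunk.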
@@ -513,8 +510,11 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
payload = GNUNET_malloc (payload_len);
memcpy (payload, &params, sizeof (params));
tmp = payload + sizeof (params);
- memcpy (tmp, code_challenge, strlen (code_challenge));
- tmp += strlen (code_challenge);
+ if (0 < code_challenge_len)
+ {
+ memcpy (tmp, code_challenge, code_challenge_len);
+ tmp += code_challenge_len;
+ }
if (0 < attr_list_len)
GNUNET_RECLAIM_ATTRIBUTE_list_serialize (attrs, tmp);
/** END **/
@@ -633,35 +633,38 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv,
decrypt_payload (ecdsa_priv, ecdh_pub, ptr, plaintext_len, plaintext);
//ptr = plaintext;
ptr += plaintext_len;
- signature = (struct GNUNET_CRYPTO_EcdsaSignature*) ptr;
+ signature = (struct GNUNET_CRYPTO_EcdsaSignature *) ptr;
params = (struct OIDC_Parameters *) plaintext;
// cmp code_challenge code_verifier
- code_verifier_hash = GNUNET_malloc (256 / 8);
- // hash code verifier
- gcry_md_hash_buffer (GCRY_MD_SHA256,
- code_verifier_hash,
- code_verifier,
- strlen (code_verifier));
- // encode code verifier
- expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8);
- code_challenge = (char *) &params[1];
code_challenge_len = ntohl (params->code_challenge_len);
- GNUNET_free (code_verifier_hash);
- if ((strlen (expected_code_challenge) != code_challenge_len) ||
- (0 !=
- strncmp (expected_code_challenge, code_challenge, code_challenge_len)))
+ if (0 != code_challenge_len) /* Only check if this code requires a CV */
{
- GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
- "Invalid code verifier! Expected: %s, Got: %.*s\n",
- expected_code_challenge,
- code_challenge_len,
- code_challenge);
- GNUNET_free_non_null (code_payload);
+ code_verifier_hash = GNUNET_malloc (256 / 8);
+ // hash code verifier
+ gcry_md_hash_buffer (GCRY_MD_SHA256,
+ code_verifier_hash,
+ code_verifier,
+ strlen (code_verifier));
+ // encode code verifier
+ expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8);
+ code_challenge = (char *) &params[1];
+ GNUNET_free (code_verifier_hash);
+ if ((strlen (expected_code_challenge) != code_challenge_len) ||
+ (0 !=
+ strncmp (expected_code_challenge, code_challenge, code_challenge_len)))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Invalid code verifier! Expected: %s, Got: %.*s\n",
+ expected_code_challenge,
+ code_challenge_len,
+ code_challenge);
+ GNUNET_free_non_null (code_payload);
+ GNUNET_free (expected_code_challenge);
+ return GNUNET_SYSERR;
+ }
GNUNET_free (expected_code_challenge);
- return GNUNET_SYSERR;
}
- GNUNET_free (expected_code_challenge);
// Ticket
memcpy (ticket, &params->ticket, sizeof (params->ticket));
// Nonce
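Review bot: Skipping the verifier comparison whenever `code_challenge_len` is 0 means a code issued without a challenge is redeemable with any `code_verifier`, and nothing in this path records that the check was bypassed; the token endpoint in the second file (its `// REQUIRED code verifier` block) still demands a verifier, so for such codes one is always required but never compared. The usual PKCE-downgrade mitigation is the converse check, rejecting a verifier presented for a code that carried no challenge: `if ((0 == code_challenge_len) && (NULL != code_verifier) && ('\0' != *code_verifier)) { GNUNET_free_non_null (code_payload); return GNUNET_SYSERR; }`, plus a log line when a challenge-less code is accepted so operators can see which clients skip PKCE. Also, `code_challenge = (char *) &params[1];` is now assigned only inside the branch; if `code_challenge` is read after this block (OIDC_parse_authz_code continues past the hunk), it is left unset on the no-PKCE path, so hoisting that assignment above the `if` is safer. The comment `/* Only check if this code requires a CV */` would be clearer as `/* code_challenge_len == 0: code was issued without PKCE, so there is no challenge to verify */`.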
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index a16e6592c..bf1e950da 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -1405,15 +1405,12 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
return;
}
- // REQUIRED value: code_challenge
+ // OPTIONAL value: code_challenge
handle->oidc->code_challenge = get_url_parameter_copy (handle, OIDC_CODE_CHALLENGE_KEY);
if (NULL == handle->oidc->code_challenge)
{
- handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
- handle->edesc = GNUNET_strdup ("missing parameter code_challenge");
- handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
- GNUNET_SCHEDULER_add_now (&do_error, handle);
- return;
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ "OAuth authorization request does not contain PKCE parameters!\n");
}
if (GNUNET_OK !=
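Review bot: Accepting an authorization request without `code_challenge` is now unconditional, with a WARNING log as the only trace; there is no configuration or per-client setting that lets a deployment keep PKCE mandatory, which is what RFC 7636 recommends for public clients. Consider gating the fall-through on a plugin config option (placeholder: `<REQUIRE_PKCE_OPTION>` read at plugin init) and keeping the previous `invalid_request` error when it is set; if that rejection is reinstated, `MHD_HTTP_BAD_REQUEST` fits a client-side `invalid_request` better than the removed `MHD_HTTP_INTERNAL_SERVER_ERROR`. If PKCE-less clients are meant to be a supported case, `GNUNET_ERROR_TYPE_INFO` would be less noisy than WARNING for every such request. authorize_endpoint starts and ends outside this hunk.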
@@ -1762,7 +1759,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
return;
}
privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
-
+
// REQUIRED code verifier
code_verifier = get_url_parameter_copy (handle, OIDC_CODE_VERIFIER_KEY);
if (NULL == code_verifier)
@@ -2049,7 +2046,7 @@ list_ego (void *cls,
}
GNUNET_assert (NULL != ego);
if (ID_REST_STATE_INIT == handle->state)
-
+
{
ego_entry = GNUNET_new (struct EgoEntry);
GNUNET_IDENTITY_ego_get_public_key (ego, &pk);