From 8b67e9b5f905ff80ee73300bbb278c00e36b9bca Mon Sep 17 00:00:00 2001 From: "Schanzenbach, Martin" Date: Sun, 22 Jul 2018 18:01:50 +0200 Subject: ensure ticket contains client id --- src/reclaim/plugin_rest_openid_connect.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'src/reclaim') diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index a2d32e126..876e221b5 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c @@ -795,7 +795,8 @@ oidc_iteration_error (void *cls) } static int -parse_authz_code (const char* code, +parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, + const char* code, struct GNUNET_RECLAIM_Ticket **ticket, char **nonce) { @@ -868,6 +869,19 @@ parse_authz_code (const char* code, memcpy (*ticket, &purpose[1], sizeof (struct GNUNET_RECLAIM_Ticket)); + if (0 != memcmp (audience, + &(*ticket)->audience, + sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey))) + { + GNUNET_free (purpose); + GNUNET_free (*ticket); + json_decref (code_json); + *ticket = NULL; + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Audience in ticket does not match client!\n"); + return GNUNET_SYSERR; + + } if (NULL != nonce_str) memcpy (&purpose[1] + sizeof (struct GNUNET_RECLAIM_Ticket), nonce_str, @@ -1669,8 +1683,14 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, } //decode code + struct GNUNET_CRYPTO_EcdsaPublicKey cid; + GNUNET_STRINGS_string_to_data (client_id, + strlen(client_id), + &cid, + sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); struct GNUNET_RECLAIM_Ticket *ticket; - if(GNUNET_OK != parse_authz_code (code, + if(GNUNET_OK != parse_authz_code (&cid, + code, &ticket, &nonce)) { -- cgit v1.2.3