
[GNUnet-SVN] [gnunet] branch master updated: attempt to make PKCE optional


From: gnunet
Subject: [GNUnet-SVN] [gnunet] branch master updated: attempt to make PKCE optional
Date: Thu, 05 Sep 2019 08:24:52 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository gnunet.

The following commit(s) were added to refs/heads/master by this push:
     new 74c328220 attempt to make PKCE optional
74c328220 is described below

commit 74c328220897196de3d93710e74666230a57cfee
Author: Schanzenbach, Martin <address@hidden>
AuthorDate: Thu Sep 5 08:22:51 2019 +0200

    attempt to make PKCE optional
---
 src/reclaim/oidc_helper.c                | 67 +++++++++++++++++---------------
 src/reclaim/plugin_rest_openid_connect.c | 13 +++----
 2 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c
index cbf0d1a1d..4769ed2d1 100644
--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -460,6 +460,7 @@ OIDC_build_authz_code (const struct 
GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
   size_t payload_len;
   size_t code_payload_len;
   size_t attr_list_len = 0;
+  size_t code_challenge_len = 0;
   uint32_t nonce;
   uint32_t nonce_tmp;
   struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
@@ -489,14 +490,10 @@ OIDC_build_authz_code (const struct 
GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
   nonce_tmp = htonl (nonce);
   params.nonce = nonce_tmp;
   // Assign code challenge
-  if (NULL == code_challenge || strcmp ("", code_challenge) == 0)
-  {
-    GNUNET_break (0);
-    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "PKCE: Code challenge missing");
-    return NULL;
-  }
-  payload_len += strlen (code_challenge);
-  params.code_challenge_len = htonl (strlen (code_challenge));
+  if (NULL != code_challenge)
+    code_challenge_len = strlen (code_challenge);
+  payload_len += code_challenge_len;
+  params.code_challenge_len = htonl (code_challenge_len);
   // Assign attributes
   if (NULL != attrs)
   {
@@ -513,8 +510,11 @@ OIDC_build_authz_code (const struct 
GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
   payload = GNUNET_malloc (payload_len);
   memcpy (payload, &params, sizeof (params));
   tmp = payload + sizeof (params);
-  memcpy (tmp, code_challenge, strlen (code_challenge));
-  tmp += strlen (code_challenge);
+  if (0 < code_challenge_len)
+  {
+    memcpy (tmp, code_challenge, code_challenge_len);
+    tmp += code_challenge_len;
+  }
   if (0 < attr_list_len)
     GNUNET_RECLAIM_ATTRIBUTE_list_serialize (attrs, tmp);
   /** END **/
@@ -633,35 +633,38 @@ OIDC_parse_authz_code (const struct 
GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv,
   decrypt_payload (ecdsa_priv, ecdh_pub, ptr, plaintext_len, plaintext);
   //ptr = plaintext;
   ptr += plaintext_len;
-  signature = (struct GNUNET_CRYPTO_EcdsaSignature*) ptr;
+  signature = (struct GNUNET_CRYPTO_EcdsaSignature *) ptr;
   params = (struct OIDC_Parameters *) plaintext;
 
   // cmp code_challenge code_verifier
-  code_verifier_hash = GNUNET_malloc (256 / 8);
-  // hash code verifier
-  gcry_md_hash_buffer (GCRY_MD_SHA256,
-                       code_verifier_hash,
-                       code_verifier,
-                       strlen (code_verifier));
-  // encode code verifier
-  expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8);
-  code_challenge = (char *) &params[1];
   code_challenge_len = ntohl (params->code_challenge_len);
-  GNUNET_free (code_verifier_hash);
-  if ((strlen (expected_code_challenge) != code_challenge_len) ||
-      (0 !=
-       strncmp (expected_code_challenge, code_challenge, code_challenge_len)))
+  if (0 != code_challenge_len) /* Only check if this code requires a CV */
   {
-    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                "Invalid code verifier! Expected: %s, Got: %.*s\n",
-                expected_code_challenge,
-                code_challenge_len,
-                code_challenge);
-    GNUNET_free_non_null (code_payload);
+    code_verifier_hash = GNUNET_malloc (256 / 8);
+    // hash code verifier
+    gcry_md_hash_buffer (GCRY_MD_SHA256,
+                         code_verifier_hash,
+                         code_verifier,
+                         strlen (code_verifier));
+    // encode code verifier
+    expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8);
+    code_challenge = (char *) &params[1];
+    GNUNET_free (code_verifier_hash);
+    if ((strlen (expected_code_challenge) != code_challenge_len) ||
+        (0 !=
+         strncmp (expected_code_challenge, code_challenge, 
code_challenge_len)))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Invalid code verifier! Expected: %s, Got: %.*s\n",
+                  expected_code_challenge,
+                  code_challenge_len,
+                  code_challenge);
+      GNUNET_free_non_null (code_payload);
+      GNUNET_free (expected_code_challenge);
+      return GNUNET_SYSERR;
+    }
     GNUNET_free (expected_code_challenge);
-    return GNUNET_SYSERR;
   }
-  GNUNET_free (expected_code_challenge);
   // Ticket
   memcpy (ticket, &params->ticket, sizeof (params->ticket));
   // Nonce
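Review bot: Inside the new `0 != code_challenge_len` block, `strlen (code_verifier)` and the `strncmp` comparison still assume a non-NULL `code_verifier`; today token_endpoint rejects a missing verifier before this function is reached, but the commit's stated direction is to make PKCE optional, and once that endpoint check is relaxed a PKCE-bound code presented without a verifier would dereference NULL instead of failing closed. A guard at the top of the block keeps it fail-closed: `if (NULL == code_verifier) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "PKCE: code verifier missing\n"); GNUNET_free_non_null (code_payload); return GNUNET_SYSERR; }`. It would also help a reader to comment that skipping the check is sound only because `code_challenge_len` comes from the decrypted payload, which is presumably covered by the signature assigned at `signature = (struct GNUNET_CRYPTO_EcdsaSignature *) ptr;` and verified elsewhere; confirm that verification happens before this point, since it lies outside the hunk. OIDC_parse_authz_code begins and ends outside the hunk.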
diff --git a/src/reclaim/plugin_rest_openid_connect.c 
b/src/reclaim/plugin_rest_openid_connect.c
index a16e6592c..bf1e950da 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -1405,15 +1405,12 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
     return;
   }
 
-  // REQUIRED value: code_challenge 
+  // OPTIONAL value: code_challenge
   handle->oidc->code_challenge = get_url_parameter_copy (handle, 
OIDC_CODE_CHALLENGE_KEY);
   if (NULL == handle->oidc->code_challenge)
   {
-    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
-    handle->edesc = GNUNET_strdup ("missing parameter code_challenge");
-    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
-    GNUNET_SCHEDULER_add_now (&do_error, handle);
-    return; 
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+        "OAuth authorization request does not contain PKCE parameters!\n");
   }
 
   if (GNUNET_OK !=
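Review bot: The authorize endpoint now accepts a request with no `code_challenge` after only a warning, while token_endpoint still treats `code_verifier` as REQUIRED (the unchanged `// REQUIRED code verifier` lines in the next hunk), so a client that legitimately omits PKCE still cannot complete the flow, and the two endpoints no longer describe the same policy. Accepting authorization requests without PKCE removes the binding that protects public clients against authorization-code interception, so the relaxation is better made an explicit, configurable choice than the silent default, and the warning should identify the requesting client so the downgrade is visible in operations. An empty `code_challenge=` value is also no longer rejected anywhere: it passes the NULL check here and OIDC_build_authz_code now stores a zero-length challenge without any warning, so the condition should be `if ((NULL == handle->oidc->code_challenge) || (0 == strlen (handle->oidc->code_challenge)))` to keep the two cases consistent. authorize_endpoint begins and ends outside the hunk.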
@@ -1762,7 +1759,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
     return;
   }
   privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
-  
+
   // REQUIRED code verifier
   code_verifier = get_url_parameter_copy (handle, OIDC_CODE_VERIFIER_KEY);
   if (NULL == code_verifier)
@@ -2049,7 +2046,7 @@ list_ego (void *cls,
   }
   GNUNET_assert (NULL != ego);
   if (ID_REST_STATE_INIT == handle->state)
- 
+
   {
     ego_entry = GNUNET_new (struct EgoEntry);
     GNUNET_IDENTITY_ego_get_public_key (ego, &pk);



