From 74c328220897196de3d93710e74666230a57cfee Mon Sep 17 00:00:00 2001
From: "Schanzenbach, Martin"
Date: Thu, 5 Sep 2019 08:22:51 +0200
Subject: [PATCH] attempt to make PKCE optional
---
 src/reclaim/oidc_helper.c | 67 +++++++++++++-----------
 src/reclaim/plugin_rest_openid_connect.c | 13 ++---
 2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c
index cbf0d1a1d..4769ed2d1 100644
--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -460,6 +460,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
 size_t payload_len;
 size_t code_payload_len;
 size_t attr_list_len = 0;
+ size_t code_challenge_len = 0;
 uint32_t nonce;
 uint32_t nonce_tmp;
 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
@@ -489,14 +490,10 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
 nonce_tmp = htonl (nonce);
 params.nonce = nonce_tmp;
 // Assign code challenge
- if (NULL == code_challenge || strcmp ("", code_challenge) == 0)
- {
- GNUNET_break (0);
- GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "PKCE: Code challenge missing");
- return NULL;
- }
- payload_len += strlen (code_challenge);
- params.code_challenge_len = htonl (strlen (code_challenge));
+ if (NULL != code_challenge)
+ code_challenge_len = strlen (code_challenge);
+ payload_len += code_challenge_len;
+ params.code_challenge_len = htonl (code_challenge_len);
 // Assign attributes
 if (NULL != attrs)
 {
@@ -513,8 +510,11 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
 payload = GNUNET_malloc (payload_len);
 memcpy (payload, ¶ms, sizeof (params));
 tmp = payload + sizeof (params);
- memcpy (tmp, code_challenge, strlen (code_challenge));
- tmp += strlen (code_challenge);
+ if (0 < code_challenge_len)
+ {
+ memcpy (tmp, code_challenge, code_challenge_len);
+ tmp += code_challenge_len;
+ }
 if (0 < attr_list_len)
 GNUNET_RECLAIM_ATTRIBUTE_list_serialize (attrs, tmp);
 /** END **/
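Review bot: `params.code_challenge_len = htonl (code_challenge_len)` now narrows an unbounded size_t into a uint32_t, and nothing in this hunk caps the length of code_challenge, which reaches this function from a URL parameter. Bound it before folding it into payload_len, e.g. `if (code_challenge_len > MAX_CODE_CHALLENGE_LEN /* placeholder; RFC 7636 allows 43..128 chars */) return NULL;`, so the header field and the later memcpy can never disagree. NULL and the empty string are now both treated as "no PKCE", which is reasonable but deserves a comment on the `if (NULL != code_challenge)` line, because the function silently issues a code with no verifier binding in that case. OIDC_build_authz_code begins and ends outside this hunk.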
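Review bot: The `if (0 < code_challenge_len)` guard around memcpy deserves a comment, because it is what keeps a NULL code_challenge (now allowed) out of memcpy, which is undefined behaviour even with a zero length, and a later cleanup could otherwise fold it away as redundant. Suggested: `/* code_challenge may be NULL now that PKCE is optional; memcpy with a NULL source is UB even for length 0 */`. The serialized layout now has a zero-length challenge region directly followed by the attribute list, so the parser can only delimit it through params.code_challenge_len. OIDC_build_authz_code continues outside this hunk.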
@@ -633,35 +633,38 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv, decrypt_payload (ecdsa_priv, ecdh_pub, ptr, plaintext_len, plaintext); //ptr = plaintext; ptr += plaintext_len; - signature = (struct GNUNET_CRYPTO_EcdsaSignature*) ptr; + signature = (struct GNUNET_CRYPTO_EcdsaSignature *) ptr; params = (struct OIDC_Parameters *) plaintext; // cmp code_challenge code_verifier - code_verifier_hash = GNUNET_malloc (256 / 8); - // hash code verifier - gcry_md_hash_buffer (GCRY_MD_SHA256, - code_verifier_hash, - code_verifier, - strlen (code_verifier)); - // encode code verifier - expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8); - code_challenge = (char *) ¶ms[1]; code_challenge_len = ntohl (params->code_challenge_len); - GNUNET_free (code_verifier_hash); - if ((strlen (expected_code_challenge) != code_challenge_len) || - (0 != - strncmp (expected_code_challenge, code_challenge, code_challenge_len))) + if (0 != code_challenge_len) /* Only check if this code requires a CV */ { - GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - "Invalid code verifier! Expected: %s, Got: %.*s\n", - expected_code_challenge, - code_challenge_len, - code_challenge); - GNUNET_free_non_null (code_payload); + code_verifier_hash = GNUNET_malloc (256 / 8); + // hash code verifier + gcry_md_hash_buffer (GCRY_MD_SHA256, + code_verifier_hash, + code_verifier, + strlen (code_verifier)); + // encode code verifier + expected_code_challenge = base64url_encode (code_verifier_hash, 256 / 8); + code_challenge = (char *) ¶ms[1]; + GNUNET_free (code_verifier_hash); + if ((strlen (expected_code_challenge) != code_challenge_len) || + (0 != + strncmp (expected_code_challenge, code_challenge, code_challenge_len))) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Invalid code verifier! 
Expected: %s, Got: %.*s\n", + expected_code_challenge, + code_challenge_len, + code_challenge); + GNUNET_free_non_null (code_payload); + GNUNET_free (expected_code_challenge); + return GNUNET_SYSERR; + } GNUNET_free (expected_code_challenge); - return GNUNET_SYSERR; } - GNUNET_free (expected_code_challenge); // Ticket memcpy (ticket, ¶ms->ticket, sizeof (params->ticket)); // Nonce diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index a16e6592c..bf1e950da 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c @@ -1405,15 +1405,12 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } - // REQUIRED value: code_challenge + // OPTIONAL value: code_challenge handle->oidc->code_challenge = get_url_parameter_copy (handle, OIDC_CODE_CHALLENGE_KEY); if (NULL == handle->oidc->code_challenge) { - handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); - handle->edesc = GNUNET_strdup ("missing parameter code_challenge"); - handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; - GNUNET_SCHEDULER_add_now (&do_error, handle); - return; + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + "OAuth authorization request does not contain PKCE parameters!\n"); } if (GNUNET_OK != @@ -1762,7 +1759,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego); - + // REQUIRED code verifier code_verifier = get_url_parameter_copy (handle, OIDC_CODE_VERIFIER_KEY); if (NULL == code_verifier) @@ -2049,7 +2046,7 @@ list_ego (void *cls, } GNUNET_assert (NULL != ego); if (ID_REST_STATE_INIT == handle->state) - + { ego_entry = GNUNET_new (struct EgoEntry); GNUNET_IDENTITY_ego_get_public_key (ego, &pk); -- 2.25.1
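Review bot: `code_challenge_len` is read from the decrypted payload and used to size the strncmp over `&params[1]` with no check that it fits inside plaintext_len, so a malformed or oversized length reads past the plaintext buffer; whether the signature assigned on the `signature = (struct GNUNET_CRYPTO_EcdsaSignature *) ptr;` line has already been verified at this point is not visible in the hunk, so the length should be treated as untrusted here. Add `if (code_challenge_len > plaintext_len - sizeof (*params)) { GNUNET_free_non_null (code_payload); return GNUNET_SYSERR; }` before the `if (0 != code_challenge_len)` branch (assuming plaintext_len >= sizeof (*params) is established earlier in the function). With a zero length the verifier is never examined, so a code issued without a challenge is redeemable with any code_verifier string; that is the intended downgrade, but it should be stated in the branch comment and logged at INFO level so PKCE-less redemptions are visible in the audit trail. OIDC_parse_authz_code begins and ends outside this hunk.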
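Review bot: Whether PKCE is enforced is now decided by the request itself: a client that omits code_challenge gets a warning in the log and an authorization code with no verifier binding, which makes the protection opt-in for the party it is meant to constrain. Prefer gating the fallback on a server-side setting (a configuration flag or per-client registration), and include the client identifier in the warning if one is available at this point, so downgraded requests can be attributed. The token endpoint hunk at `@@ -1762,7 +1759,7 @@` still comments code_verifier as REQUIRED and its `if (NULL == code_verifier)` branch continues outside the hunk; if that branch errors out, a client that omitted code_challenge must still send an (unchecked) verifier, which is worth reconciling in the same change. authorize_endpoint begins and ends outside this hunk.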