commit 155a5ad0e36d0465ead04185628bab8a77cbb854
parent a43df1b23aa7843ab7770176328c9d5881d667c0
Author: Bohdan Potuzhnyi <potub1@bfh.ch>
Date: Sun, 15 Sep 2024 20:01:42 +0000
code updated to the usage of enum instead of string for code_challenge_method
Diffstat:
9 files changed, 66 insertions(+), 48 deletions(-)
diff --git a/src/challenger/Makefile.am b/src/challenger/Makefile.am
@@ -37,6 +37,7 @@ challenger_admin_LDADD = \
$(XLIB)
challenger_httpd_SOURCES = \
+ src/challenger_cm_enums.c src/challenger_cm_enums.h \
challenger-httpd.c challenger-httpd.h \
challenger-httpd_agpl.c challenger-httpd_agpl.h \
challenger-httpd_spa.c challenger-httpd_spa.h \
diff --git a/src/challenger/challenger-httpd_authorize.c b/src/challenger/challenger-httpd_authorize.c
@@ -25,7 +25,7 @@
#include "challenger-httpd_authorize.h"
#include "challenger-httpd_common.h"
#include "challenger-httpd_spa.h"
-
+#include "src/challenger_cm_enums.h"
/**
* Generate error reply in the format requested by
@@ -152,10 +152,22 @@ CH_handler_authorize (struct CH_HandlerContext *hc,
code_challenge_method = MHD_lookup_connection_value(hc->connection,
MHD_GET_ARGUMENT_KIND,
"code_challenge_method");
+
+ enum CHALLENGER_CM code_challenge_method_enum = CHALLENGER_cm_from_string(code_challenge_method);
+
+ if (CHALLENGER_CM_UNKNOWN == code_challenge_method_enum)
+ {
+ return reply_error(hc,
+ "invalid-request",
+ MHD_HTTP_BAD_REQUEST,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "Unsupported code_challenge_method, supported only \"plain\", \"S256\".");
+ }
+
if (NULL != code_challenge)
{
if (NULL == code_challenge_method)
- code_challenge_method = "plain";
+ code_challenge_method_enum = CHALLENGER_CM_PLAIN;
}
/**
@@ -168,7 +180,7 @@ CH_handler_authorize (struct CH_HandlerContext *hc,
(0 != strncmp (redirect_uri,
"https://",
strlen ("https://"))) &&
- ( code_challenge_method == NULL || (0 == strcmp(code_challenge_method, "plain")) ) )
+ ( CHALLENGER_CM_EMPTY == code_challenge_method_enum || CHALLENGER_CM_PLAIN == code_challenge_method_enum ) )
{
GNUNET_break_op (0);
return reply_error (
@@ -209,7 +221,7 @@ CH_handler_authorize (struct CH_HandlerContext *hc,
state,
redirect_uri,
code_challenge,
- code_challenge_method,
+ (uint32_t) code_challenge_method_enum,
&last_address,
&address_attempts_left,
&pin_transmissions_left,
diff --git a/src/challenger/challenger-httpd_token.c b/src/challenger/challenger-httpd_token.c
@@ -25,6 +25,7 @@
#include "challenger-httpd_common.h"
#include <taler/taler_json_lib.h>
#include <taler/taler_signatures.h>
+#include "src/challenger_cm_enums.h"
/**
* Context for a /token operation.
*/
@@ -365,7 +366,7 @@ CH_handler_token (struct CH_HandlerContext *hc,
char *client_state;
char *client_redirect_uri;
char *code_challenge;
- char *code_challenge_method;
+ uint32_t code_challenge_method;
enum GNUNET_DB_QueryStatus qs;
char *code;
@@ -402,10 +403,21 @@ CH_handler_token (struct CH_HandlerContext *hc,
break;
}
+ enum CHALLENGER_CM code_challenge_method_enum = CHALLENGER_cm_from_int(code_challenge_method);
+
+ if (CHALLENGER_CM_UNKNOWN == code_challenge_method_enum)
+ {
+ return TALER_MHD_reply_with_error(
+ hc->connection,
+ MHD_HTTP_INTERNAL_SERVER_ERROR,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "Invalid code_challenge_method");
+ }
+
/* Verify the code_challenge if present*/
- if (code_challenge != NULL)
+ if (NULL != code_challenge)
{
- if (bc->code_verifier == NULL)
+ if (NULL == bc->code_verifier)
{
GNUNET_break_op (0);
GNUNET_free (client_scope);
@@ -413,7 +425,6 @@ CH_handler_token (struct CH_HandlerContext *hc,
GNUNET_free (client_redirect_uri);
GNUNET_free (client_state);
GNUNET_free (code_challenge);
- GNUNET_free (code_challenge_method);
return TALER_MHD_reply_with_oauth_error (
hc->connection,
MHD_HTTP_UNAUTHORIZED,
@@ -422,7 +433,7 @@ CH_handler_token (struct CH_HandlerContext *hc,
"code_verifier is missing");
}
- if (0 == strcmp (code_challenge_method, "S256"))
+ if (CHALLENGER_CM_S256 == code_challenge_method_enum)
{
gcry_md_hd_t hd;
unsigned char hash[32];
@@ -437,7 +448,6 @@ CH_handler_token (struct CH_HandlerContext *hc,
GNUNET_free(client_redirect_uri);
GNUNET_free(client_state);
GNUNET_free(code_challenge);
- GNUNET_free(code_challenge_method);
return TALER_MHD_reply_with_oauth_error(
hc->connection,
MHD_HTTP_INTERNAL_SERVER_ERROR,
@@ -460,7 +470,6 @@ CH_handler_token (struct CH_HandlerContext *hc,
GNUNET_free(client_redirect_uri);
GNUNET_free(client_state);
GNUNET_free(code_challenge);
- GNUNET_free(code_challenge_method);
return TALER_MHD_reply_with_oauth_error(
hc->connection,
MHD_HTTP_INTERNAL_SERVER_ERROR,
@@ -477,7 +486,6 @@ CH_handler_token (struct CH_HandlerContext *hc,
GNUNET_free(client_redirect_uri);
GNUNET_free(client_state);
GNUNET_free(code_challenge);
- GNUNET_free(code_challenge_method);
return TALER_MHD_reply_with_oauth_error(
hc->connection,
MHD_HTTP_UNAUTHORIZED,
@@ -486,7 +494,7 @@ CH_handler_token (struct CH_HandlerContext *hc,
"code_verifier does not match code_challenge");
}
}
- else if (0 == strcmp (code_challenge_method, "plain"))
+ else if (CHALLENGER_CM_PLAIN == code_challenge_method_enum)
{
if (0 != strcmp (bc->code_verifier, code_challenge))
{
@@ -496,7 +504,6 @@ CH_handler_token (struct CH_HandlerContext *hc,
GNUNET_free (client_redirect_uri);
GNUNET_free (client_state);
GNUNET_free (code_challenge);
- GNUNET_free (code_challenge_method);
return TALER_MHD_reply_with_oauth_error (
hc->connection,
MHD_HTTP_UNAUTHORIZED,
@@ -515,7 +522,6 @@ CH_handler_token (struct CH_HandlerContext *hc,
GNUNET_free (client_redirect_uri);
GNUNET_free (client_state);
GNUNET_free (code_challenge);
- GNUNET_free (code_challenge_method);
return TALER_MHD_reply_with_oauth_error (
hc->connection,
MHD_HTTP_CONFLICT,
diff --git a/src/challengerdb/challenger-0001.sql b/src/challengerdb/challenger-0001.sql
@@ -64,7 +64,7 @@ CREATE TABLE IF NOT EXISTS validations
-- Add columns for PKCE (RFC 7636)
ALTER TABLE validations
ADD COLUMN IF NOT EXISTS code_challenge VARCHAR,
-ADD COLUMN IF NOT EXISTS code_challenge_method VARCHAR;
+ADD COLUMN IF NOT EXISTS code_challenge_method INT4 DEFAULT(0);
COMMENT ON TABLE validations
IS 'Active validations where we send a challenge to an address of a user';
diff --git a/src/challengerdb/pg_authorize_start.c b/src/challengerdb/pg_authorize_start.c
@@ -36,7 +36,7 @@ CH_PG_authorize_start (void *cls,
const char *client_state,
const char *client_redirect_uri,
const char *code_challenge,
- const char *code_challenge_method,
+ uint32_t code_challenge_method,
json_t **last_address,
uint32_t *address_attempts_left,
uint32_t *pin_transmissions_left,
@@ -58,9 +58,7 @@ CH_PG_authorize_start (void *cls,
NULL != code_challenge
? GNUNET_PQ_query_param_string (code_challenge)
: GNUNET_PQ_query_param_null (),
- NULL != code_challenge_method
- ? GNUNET_PQ_query_param_string (code_challenge_method)
- : GNUNET_PQ_query_param_null (),
+ GNUNET_PQ_query_param_uint32 (&code_challenge_method),
GNUNET_PQ_query_param_end
};
struct GNUNET_PQ_ResultSpec rs[] = {
@@ -104,4 +102,4 @@ CH_PG_authorize_start (void *cls,
"authorize_start_validation",
params,
rs);
-}
+}
+\ No newline at end of file
diff --git a/src/challengerdb/pg_authorize_start.h b/src/challengerdb/pg_authorize_start.h
@@ -41,7 +41,7 @@
* @param client_state state of the client
* @param client_redirect_uri where to redirect at the end, NULL to use a unique one registered for the client
* @param code_challenge PKCE code challenge
- * @param code_challenge_method PKCE code challenge method
+ * @param code_challenge_method PKCE code challenge method enum
* @param[out] last_address set to the last address used
* @param[out] address_attempts_left set to number of address changing attempts left for this address
* @param[out] pin_transmissions_left set to number of times the PIN can still be re-requested
@@ -61,7 +61,7 @@ CH_PG_authorize_start (void *cls,
const char *client_state,
const char *client_redirect_uri,
const char *code_challenge,
- const char *code_challenge_method,
+ uint32_t code_challenge_method,
json_t **last_address,
uint32_t *address_attempts_left,
uint32_t *pin_transmissions_left,
diff --git a/src/challengerdb/pg_validation_get_pkce.c b/src/challengerdb/pg_validation_get_pkce.c
@@ -35,7 +35,7 @@ CH_PG_validation_get_pkce (void *cls,
char **client_state,
char **client_redirect_uri,
char **code_challenge,
- char **code_challenge_method)
+ uint32_t *code_challenge_method)
{
struct PostgresClosure *pg = cls;
struct GNUNET_PQ_QueryParam params[] = {
@@ -64,7 +64,7 @@ CH_PG_validation_get_pkce (void *cls,
code_challenge),
NULL),
GNUNET_PQ_result_spec_allow_null (
- GNUNET_PQ_result_spec_string ("code_challenge_method",
+ GNUNET_PQ_result_spec_uint32 ("code_challenge_method",
code_challenge_method),
NULL),
GNUNET_PQ_result_spec_end
diff --git a/src/challengerdb/pg_validation_get_pkce.h b/src/challengerdb/pg_validation_get_pkce.h
@@ -40,7 +40,7 @@
* @param[out] client_state set to client state
* @param[out] client_redirect_uri set to client redirect URL
* @param[out] code_challenge set to PKCE code challenge
- * @param[out] code_challenge_method set to PKCE code challenge method
+ * @param[out] code_challenge_method set to PKCE code challenge method enum
* @return transaction status:
* #GNUNET_DB_STATUS_SUCCESS_ONE_RESULT if the nonce was found
* #GNUNET_DB_STATUS_SUCCESS_NO_RESULTS if we do not know the nonce
@@ -55,6 +55,6 @@ CH_PG_validation_get_pkce (void *cls,
char **client_state,
char **client_redirect_uri,
char **code_challenge,
- char **code_challenge_method);
+ uint32_t *code_challenge_method);
#endif
diff --git a/src/include/challenger_database_plugin.h b/src/include/challenger_database_plugin.h
@@ -260,19 +260,19 @@ struct CHALLENGER_DatabasePlugin
*/
enum GNUNET_DB_QueryStatus
(*authorize_start)(void *cls,
- const struct CHALLENGER_ValidationNonceP *nonce,
- uint64_t client_id,
- const char *client_scope,
- const char *client_state,
- const char *client_redirect_uri,
- const char *code_challenge,
- const char *code_challenge_method,
- json_t **last_address,
- uint32_t *address_attempts_left,
- uint32_t *pin_transmissions_left,
- uint32_t *auth_attempts_left,
- bool *solved,
- struct GNUNET_TIME_Absolute *last_tx_time);
+ const struct CHALLENGER_ValidationNonceP *nonce,
+ uint64_t client_id,
+ const char *client_scope,
+ const char *client_state,
+ const char *client_redirect_uri,
+ const char *code_challenge,
+ uint32_t code_challenge_method,
+ json_t **last_address,
+ uint32_t *address_attempts_left,
+ uint32_t *pin_transmissions_left,
+ uint32_t *auth_attempts_left,
+ bool *solved,
+ struct GNUNET_TIME_Absolute *last_tx_time);
/**
* Set the user-provided address in a validation process. Updates
@@ -393,14 +393,14 @@ struct CHALLENGER_DatabasePlugin
*/
enum GNUNET_DB_QueryStatus
(*validation_get_pkce)(void *cls,
- const struct CHALLENGER_ValidationNonceP *nonce,
- char **client_secret,
- json_t **address,
- char **client_scope,
- char **client_state,
- char **client_redirect_uri,
- char **code_challenge,
- char **code_challenge_method);
+ const struct CHALLENGER_ValidationNonceP *nonce,
+ char **client_secret,
+ json_t **address,
+ char **client_scope,
+ char **client_state,
+ char **client_redirect_uri,
+ char **code_challenge,
+ uint32_t *code_challenge_method);
/**
* Add access @a grant to address under @a nonce.
