commit 2bbdd4f7980b23c8caba508cbc3460f7d5e81564
parent 702f06d3b550775bb0df0f7511db74f7f53bc82b
Author: Christian Grothoff <grothoff@gnunet.org>
Date: Thu, 9 Jul 2026 22:00:37 +0200
check code_verifier syntax
Diffstat:
2 files changed, 50 insertions(+), 0 deletions(-)
diff --git a/src/challenger/challenger-admin.c b/src/challenger/challenger-admin.c
@@ -125,6 +125,13 @@ run (void *cls,
global_ret = EXIT_INVALIDARGUMENT;
goto cleanup;
}
+ if (NULL != client_secret)
+ {
+ fprintf (stderr,
+ "'-a' and '-d' options cannot be used at the same time\n");
+ global_ret = EXIT_INVALIDARGUMENT;
+ goto cleanup;
+ }
qs = CHALLENGERDB_client_delete (db,
redirect_uri);
switch (qs)
diff --git a/src/challenger/challenger-httpd_token.c b/src/challenger/challenger-httpd_token.c
@@ -486,6 +486,49 @@ CH_handler_token (struct CH_HandlerContext *hc,
"code_verifier is missing");
}
+ /* RFC 7636 ยง4.1: code_verifier must be 43-128 unreserved chars */
+ {
+ size_t cv_len = strlen (bc->code_verifier);
+
+ if ( (cv_len < 43) ||
+ (cv_len > 128) )
+ {
+ GNUNET_break_op (0);
+ json_decref (address);
+ GNUNET_free (client_scope);
+ GNUNET_free (client_secret);
+ GNUNET_free (client_redirect_uri);
+ GNUNET_free (client_state);
+ GNUNET_free (code_challenge);
+ return CH_reply_with_oauth_error (
+ hc->connection,
+ MHD_HTTP_BAD_REQUEST,
+ "invalid_request",
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "code_verifier length must be between 43 and 128 characters");
+ }
+ for (size_t i = 0; i < cv_len; i++)
+ {
+ char c = bc->code_verifier[i];
+
+ if (! TALER_url_is_reserved (c))
+ continue;
+ GNUNET_break_op (0);
+ json_decref (address);
+ GNUNET_free (client_scope);
+ GNUNET_free (client_secret);
+ GNUNET_free (client_redirect_uri);
+ GNUNET_free (client_state);
+ GNUNET_free (code_challenge);
+ return CH_reply_with_oauth_error (
+ hc->connection,
+ MHD_HTTP_BAD_REQUEST,
+ "invalid_request",
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "code_verifier contains invalid character");
+ }
+ }
+
switch (code_challenge_method_enum)
{
case CHALLENGER_CM_S256: