challenger

OAuth 2.0-based authentication service that validates user can receive messages at a certain address
Log | Files | Refs | Submodules | README | LICENSE

commit 2bbdd4f7980b23c8caba508cbc3460f7d5e81564
parent 702f06d3b550775bb0df0f7511db74f7f53bc82b
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Thu,  9 Jul 2026 22:00:37 +0200

check code_verifier syntax

Diffstat:
Msrc/challenger/challenger-admin.c | 7+++++++
Msrc/challenger/challenger-httpd_token.c | 43+++++++++++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 0 deletions(-)

diff --git a/src/challenger/challenger-admin.c b/src/challenger/challenger-admin.c @@ -125,6 +125,13 @@ run (void *cls, global_ret = EXIT_INVALIDARGUMENT; goto cleanup; } + if (NULL != client_secret) + { + fprintf (stderr, + "'-a' and '-d' options cannot be used at the same time\n"); + global_ret = EXIT_INVALIDARGUMENT; + goto cleanup; + } qs = CHALLENGERDB_client_delete (db, redirect_uri); switch (qs) diff --git a/src/challenger/challenger-httpd_token.c b/src/challenger/challenger-httpd_token.c @@ -486,6 +486,49 @@ CH_handler_token (struct CH_HandlerContext *hc, "code_verifier is missing"); } + /* RFC 7636 ยง4.1: code_verifier must be 43-128 unreserved chars */ + { + size_t cv_len = strlen (bc->code_verifier); + + if ( (cv_len < 43) || + (cv_len > 128) ) + { + GNUNET_break_op (0); + json_decref (address); + GNUNET_free (client_scope); + GNUNET_free (client_secret); + GNUNET_free (client_redirect_uri); + GNUNET_free (client_state); + GNUNET_free (code_challenge); + return CH_reply_with_oauth_error ( + hc->connection, + MHD_HTTP_BAD_REQUEST, + "invalid_request", + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "code_verifier length must be between 43 and 128 characters"); + } + for (size_t i = 0; i < cv_len; i++) + { + char c = bc->code_verifier[i]; + + if (! TALER_url_is_reserved (c)) + continue; + GNUNET_break_op (0); + json_decref (address); + GNUNET_free (client_scope); + GNUNET_free (client_secret); + GNUNET_free (client_redirect_uri); + GNUNET_free (client_state); + GNUNET_free (code_challenge); + return CH_reply_with_oauth_error ( + hc->connection, + MHD_HTTP_BAD_REQUEST, + "invalid_request", + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "code_verifier contains invalid character"); + } + } + switch (code_challenge_method_enum) { case CHALLENGER_CM_S256: