}
static int oauth2_lookup_hmac_key(const struct oauth2_settings *set,
- const char *algo, const char *key_id,
+ const char *alg, const char *key_id,
const buffer_t **hmac_key_r,
const char **error_r)
{
const char *base64_key;
- const char *cache_key_id = t_strconcat(key_id, ".", algo, NULL);
+ const char *cache_key_id = t_strconcat(key_id, ".", alg, NULL);
if (oauth2_validation_key_cache_lookup_hmac_key(set->key_cache, cache_key_id,
hmac_key_r) == 0)
return 0;
int ret;
- const char *lookup_key = t_strconcat(DICT_PATH_SHARED, algo, "/", key_id, NULL);
+ const char *lookup_key = t_strconcat(DICT_PATH_SHARED, alg, "/", key_id, NULL);
/* do a synchronous dict lookup */
if ((ret = dict_lookup(set->key_dict, pool_datastack_create(),
lookup_key, &base64_key, error_r)) < 0) {
return -1;
} else if (ret == 0) {
- *error_r = t_strdup_printf("%s key '%s' not found", algo, key_id);
+ *error_r = t_strdup_printf("%s key '%s' not found", alg, key_id);
return -1;
}
}
static int oauth2_validate_hmac(const struct oauth2_settings *set,
- const char *algo, const char *key_id,
+ const char *alg, const char *key_id,
const char *const *blobs, const char **error_r)
{
const struct hash_method *method;
- if (strcmp(algo, "HS256") == 0)
+ if (strcmp(alg, "HS256") == 0)
method = hash_method_lookup("sha256");
- else if (strcmp(algo, "HS384") == 0)
+ else if (strcmp(alg, "HS384") == 0)
method = hash_method_lookup("sha384");
- else if (strcmp(algo, "HS512") == 0)
+ else if (strcmp(alg, "HS512") == 0)
method = hash_method_lookup("sha512");
else {
- *error_r = t_strdup_printf("unsupported algorithm '%s'", algo);
+ *error_r = t_strdup_printf("unsupported algorithm '%s'", alg);
return -1;
}
const buffer_t *key;
- if (oauth2_lookup_hmac_key(set, algo, key_id, &key, error_r) < 0)
+ if (oauth2_lookup_hmac_key(set, alg, key_id, &key, error_r) < 0)
return -1;
struct hmac_context ctx;
hmac_init(&ctx, key->data, key->used, method);
}
static int oauth2_lookup_pubkey(const struct oauth2_settings *set,
- const char *algo, const char *key_id,
+ const char *alg, const char *key_id,
struct dcrypt_public_key **key_r,
const char **error_r)
{
const char *key_str;
- const char *cache_key_id = t_strconcat(key_id, ".", algo, NULL);
+ const char *cache_key_id = t_strconcat(key_id, ".", alg, NULL);
if (oauth2_validation_key_cache_lookup_pubkey(set->key_cache, cache_key_id, key_r) == 0)
return 0;
int ret;
- const char *lookup_key = t_strconcat(DICT_PATH_SHARED, algo, "/", key_id, NULL);
+ const char *lookup_key = t_strconcat(DICT_PATH_SHARED, alg, "/", key_id, NULL);
/* do a synchronous dict lookup */
if ((ret = dict_lookup(set->key_dict, pool_datastack_create(),
lookup_key, &key_str, error_r)) < 0) {
return -1;
} else if (ret == 0) {
- *error_r = t_strdup_printf("%s key '%s' not found", algo, key_id);
+ *error_r = t_strdup_printf("%s key '%s' not found", alg, key_id);
return -1;
}
}
static int oauth2_validate_rsa_ecdsa(const struct oauth2_settings *set,
- const char *algo, const char *key_id,
+ const char *alg, const char *key_id,
const char *const *blobs, const char **error_r)
{
const char *method;
return -1;
}
- if (str_begins(algo, "RS")) {
+ if (str_begins(alg, "RS")) {
padding = DCRYPT_PADDING_RSA_PKCS1;
sig_format = DCRYPT_SIGNATURE_FORMAT_DSS;
- } else if (str_begins(algo, "PS")) {
+ } else if (str_begins(alg, "PS")) {
padding = DCRYPT_PADDING_RSA_PKCS1_PSS;
sig_format = DCRYPT_SIGNATURE_FORMAT_DSS;
- } else if (str_begins(algo, "ES")) {
+ } else if (str_begins(alg, "ES")) {
padding = DCRYPT_PADDING_DEFAULT;
sig_format = DCRYPT_SIGNATURE_FORMAT_X962;
} else {
i_unreached();
}
- if (strcmp(algo+2, "256") == 0) {
+ if (strcmp(alg+2, "256") == 0) {
method = "sha256";
- } else if (strcmp(algo+2, "384") == 0) {
+ } else if (strcmp(alg+2, "384") == 0) {
method = "sha384";
- } else if (strcmp(algo+2, "512") == 0) {
+ } else if (strcmp(alg+2, "512") == 0) {
method = "sha512";
} else {
- *error_r = t_strdup_printf("Unsupported algorithm '%s'", algo);
+ *error_r = t_strdup_printf("Unsupported algorithm '%s'", alg);
return -1;
}
t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
struct dcrypt_public_key *pubkey;
- if (oauth2_lookup_pubkey(set, algo, key_id, &pubkey, error_r) < 0)
+ if (oauth2_lookup_pubkey(set, alg, key_id, &pubkey, error_r) < 0)
return -1;
/* data to verify */
}
static int oauth2_validate_signature(const struct oauth2_settings *set,
- const char *algo, const char *key_id,
+ const char *alg, const char *key_id,
const char *const *blobs, const char **error_r)
{
- if (str_begins(algo, "HS"))
- return oauth2_validate_hmac(set, algo, key_id, blobs, error_r);
- else if (str_begins(algo, "RS") || str_begins(algo, "PS") ||
- str_begins(algo, "ES"))
- return oauth2_validate_rsa_ecdsa(set, algo, key_id, blobs, error_r);
+ if (str_begins(alg, "HS"))
+ return oauth2_validate_hmac(set, alg, key_id, blobs, error_r);
+ else if (str_begins(alg, "RS") || str_begins(alg, "PS") ||
+ str_begins(alg, "ES"))
+ return oauth2_validate_rsa_ecdsa(set, alg, key_id, blobs, error_r);
- *error_r = t_strdup_printf("Unsupported algorithm '%s'", algo);
+ *error_r = t_strdup_printf("Unsupported algorithm '%s'", alg);
return -1;
}
const char **kid_r, const char **error_r)
{
const char *typ = get_field(tree, "typ");
- const char *algo = get_field(tree, "alg");
+ const char *alg = get_field(tree, "alg");
const char *kid = get_field(tree, "kid");
if (null_strcmp(typ, "JWT") != 0) {
return -1;
}
- if (algo == NULL) {
+ if (alg == NULL) {
*error_r = "Cannot find 'alg' field";
return -1;
}
/* These are lost when tree is deinitialized.
Make sure algorithm is uppercased. */
- *alg_r = t_str_ucase(algo);
+ *alg_r = t_str_ucase(alg);
*kid_r = t_strdup(kid);
return 0;
}
if (oauth2_json_tree_build(header, &header_tree, error_r) < 0)
return -1;
- const char *algo, *kid;
- ret = oauth2_jwt_header_process(header_tree, &algo, &kid, error_r);
+ const char *alg, *kid;
+ ret = oauth2_jwt_header_process(header_tree, &alg, &kid, error_r);
json_tree_deinit(&header_tree);
if (ret < 0)
return -1;
}
/* from now on, this is considered a JWT token. try to validate signature. */
- if (oauth2_validate_signature(set, algo, kid, blobs, error_r) < 0)
+ if (oauth2_validate_signature(set, alg, kid, blobs, error_r) < 0)
return -1;
/* then parse the actual body */
projects / thirdparty / dovecot / core.git / commitdiff
