void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-07 04:53:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix hash verification on refresh

Browse source
This commit is contained in:
Grant Limberg 2021-12-16 19:49:15 -08:00
parent 8fccf3136c
commit a69e91c541
No known key found for this signature in database
GPG key ID: 2BA62CCABBB4095A
1 changed files with 115 additions and 85 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

200
zeroidc/src/lib.rs
View file

@ -159,6 +159,10 @@ impl ZeroIDC {
(*inner_local.lock().unwrap()).running = true; (*inner_local.lock().unwrap()).running = true;
let mut running = true; let mut running = true;
// Keep a copy of the initial nonce used to get the tokens
// Will be needed later when verifying the responses from refresh tokens
let nonce = (*inner_local.lock().unwrap()).nonce.clone();
while running { while running {
let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time); let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time);
let now = SystemTime::now(); let now = SystemTime::now();
@ -169,121 +173,147 @@ impl ZeroIDC {
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone(); let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
if let Some(refresh_token) = refresh_token { if let Some(refresh_token) = refresh_token {
if now >= (exp - Duration::from_secs(30)) { if now >= (exp - Duration::from_secs(30)) {
let nonce = (*inner_local.lock().unwrap()).nonce.clone();
let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| { let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
let res = c.exchange_refresh_token(&refresh_token) let res = c.exchange_refresh_token(&refresh_token)
.request(http_client); .request(http_client);
res
});
if let Some(res) = token_response {
match res { match res {
Ok(res) => { Ok(res) => {
let n = match nonce {
let n = match nonce.clone() {
Some(n) => n, Some(n) => n,
None => { None => {
return None; println!("err: no nonce");
continue;
} }
}; };
let id = match res.id_token() { let id = match res.id_token() {
Some(t) => t, Some(t) => t,
None => { None => {
return None; println!("err: no id_token");
continue;
} }
}; };
let claims = match id.claims(&c.id_token_verifier(), &n) { let verified = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
Ok(c) => c, let claims = match id.claims(&c.id_token_verifier(), &n) {
Err(_e) => { Ok(c) => c,
return None;
}
};
let signing_algo = match id.signing_alg() {
Ok(s) => s,
Err(_) => {
return None;
}
};
if let Some(expected_hash) = claims.access_token_hash() {
let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) {
Ok(h) => h,
Err(e) => { Err(e) => {
println!("Error hashing access token: {}", e); println!("claims err: {}", e);
return None; return false;
} }
}; };
if actual_hash != *expected_hash { let signing_algo = match id.signing_alg() {
println!("token hash error"); Ok(s) => s,
return None; Err(e) => {
println!("alg err: {}", e);
return false;
}
};
if let Some(expected_hash) = claims.access_token_hash() {
let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) {
Ok(h) => h,
Err(e) => {
println!("Error hashing access token: {}", e);
return false;
}
};
if actual_hash != *expected_hash {
println!("token hash error");
return false;
}
} }
} return true;
return Some(res); });
},
Err(_e) => { match verified {
return None; Some(verified) => {
} if !verified {
}; println!("not verified.");
});
if let Some(Some(res)) = token_response{
match res.id_token() {
Some(id_token) => {
let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
#[cfg(debug_assertions)] {
println!("New ID token: {}", id_token.to_string());
}
let client = reqwest::blocking::Client::new();
let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone())
.form(&params)
.send();
match r {
Ok(r) => {
if r.status().is_success() {
#[cfg(debug_assertions)] {
println!("hit url: {}", r.url().as_str());
println!("status: {}", r.status());
}
let access_token = res.access_token();
let at = access_token.secret();
let exp = dangerous_insecure_decode::<Exp>(&at);
if let Ok(e) = exp {
(*inner_local.lock().unwrap()).exp_time = e.claims.exp
}
(*inner_local.lock().unwrap()).access_token = Some(access_token.clone());
if let Some(t) = res.refresh_token() {
// println!("New Refresh Token: {}", t.secret());
(*inner_local.lock().unwrap()).refresh_token = Some(t.clone());
}
#[cfg(debug_assertions)] {
println!("Central post succeeded");
}
} else {
println!("Central post failed: {}", r.status().to_string());
println!("hit url: {}", r.url().as_str());
println!("Status: {}", r.status());
(*inner_local.lock().unwrap()).exp_time = 0;
(*inner_local.lock().unwrap()).running = false; (*inner_local.lock().unwrap()).running = false;
break;
} }
}, },
Err(e) => { None => {
println!("no verification performed?");
println!("Central post failed: {}", e.to_string());
println!("hit url: {}", e.url().unwrap().as_str());
println!("Status: {}", e.status().unwrap());
(*inner_local.lock().unwrap()).exp_time = 0;
(*inner_local.lock().unwrap()).running = false; (*inner_local.lock().unwrap()).running = false;
break;
}
}
match res.id_token() {
Some(id_token) => {
let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
#[cfg(debug_assertions)] {
println!("New ID token: {}", id_token.to_string());
}
let client = reqwest::blocking::Client::new();
let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone())
.form(&params)
.send();
match r {
Ok(r) => {
if r.status().is_success() {
#[cfg(debug_assertions)] {
println!("hit url: {}", r.url().as_str());
println!("status: {}", r.status());
}
let access_token = res.access_token();
let at = access_token.secret();
let exp = dangerous_insecure_decode::<Exp>(&at);
if let Ok(e) = exp {
(*inner_local.lock().unwrap()).exp_time = e.claims.exp
}
(*inner_local.lock().unwrap()).access_token = Some(access_token.clone());
if let Some(t) = res.refresh_token() {
// println!("New Refresh Token: {}", t.secret());
(*inner_local.lock().unwrap()).refresh_token = Some(t.clone());
}
#[cfg(debug_assertions)] {
println!("Central post succeeded");
}
} else {
println!("Central post failed: {}", r.status().to_string());
println!("hit url: {}", r.url().as_str());
println!("Status: {}", r.status());
(*inner_local.lock().unwrap()).exp_time = 0;
(*inner_local.lock().unwrap()).running = false;
}
},
Err(e) => {
println!("Central post failed: {}", e.to_string());
println!("hit url: {}", e.url().unwrap().as_str());
println!("Status: {}", e.status().unwrap());
(*inner_local.lock().unwrap()).exp_time = 0;
(*inner_local.lock().unwrap()).running = false;
}
}
},
None => {
println!("no id token?!?");
} }
} }
}, },
None => { Err(e) => {
println!("no id token?!?"); println!("token error: {}", e);
} }
} }
} else {
println!("token response??");
} }
} else { } else {
println!("waiting to refresh"); println!("waiting to refresh");