0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch

Updated patch with MIT license tag - John Dennis, 10 janvier 2019 15:53

Voir les différences: en ligne côte à côte

Subject: [PATCH] Fix ECP signature not found error when only assertion is
 signed
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

With a SAML Authn Response either the message or the assertion
contained in the response message or both can be signed. Most IdP's
sign the message. This fixes a bug when processing an ECP authn
response when only the assertion is signed.

lasso_saml20_profile_process_soap_response_with_headers() performs a
signature check on the SAML message. A signature can also appear on
the assertion which is checked by
lasso_saml20_login_process_response_status_and_assertion() The problem
occurred when the message was not signed and
lasso_saml20_profile_process_soap_response_with_headers() returned
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
actually an error because we haven't checked the signature on the
assertion yet. We were returning the first
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
signature check in
lasso_saml20_login_process_response_status_and_assertion() succeeded.

The ECP unit tests were enhanced to cover these cases.

The enhanced unit test revealed a problem in two switch statements
operating on the return value of
lasso_profile_get_signature_verify_hint() which were missing a case
statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused
an abort due to an unknown enumeration value.

Fixes Bug: 26828
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>

 lasso/saml-2.0/login.c    | 29 ++++++++++------
 lasso/saml-2.0/profile.c  |  2 ++
 tests/login_tests_saml2.c | 69 ++++++++++++++++++++++++++++++++++-----
 3 files changed, 81 insertions(+), 19 deletions(-)

+    {
     	LassoSoapHeader *header = NULL;
     	LassoProfile *profile;
     	int rc1, rc2;
     	int rc;
     	lasso_null_param(msg);
     	profile = LASSO_PROFILE(login);
     	rc1 = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header);
             /*
              * lasso_saml20_profile_process_soap_response_with_headers()
              * performs a signature check on the SAML message. A signature
              * can also appear on the assertion which is checked by
              * lasso_saml20_login_process_response_status_and_assertion()
              * (below). Therefore if the error is SIGNATURE_NOT_FOUND we
              * proceed because
              * lasso_saml20_login_process_response_status_and_assertion()
              * will test the signature on the assertion.
              */
     	rc = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header);
             if (rc != 0 && rc != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
                 return rc;
+            }
     	/*
     	 * If the SOAP message contained a header check for the optional
          * paos:Response and ecp:RelayState elements, if they exist extract their
          * values into the profile.
     	 * paos:Response and ecp:RelayState elements, if they exist extract their
     	 * values into the profile.
     	 */
     	if (header) {
     		GList *i = NULL;
-...
     		lasso_release_gobject(header);
+    	}
     	rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
     	if (rc1) {
     		return rc1;
+    	}
     	return rc2;
     	rc = lasso_saml20_login_process_response_status_and_assertion(login);
     	return rc;
+    }
     /**

     	switch (lasso_profile_get_signature_verify_hint(profile)) {
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
     			rc = profile->signature_status;
     			break;
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
-...
     			remote_provider, response_msg, "ID", LASSO_MESSAGE_FORMAT_SOAP);
     	switch (lasso_profile_get_signature_verify_hint(profile)) {
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
     			rc = profile->signature_status;
     			break;
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:

     	check_str_equals((char*)g_list_nth(ecp->known_idp_entity_ids_supporting_ecp, 0)->data, "http://idp5/metadata");
+    }
     void test_ecp(EcpIdpListVariant ecpIDPListVariant)
     void test_ecp(EcpIdpListVariant ecpIDPListVariant,
                   LassoProfileSignatureHint signature_hint,
                   LassoProfileSignatureVerifyHint signature_verify_hint)
+    {
     	char *serviceProviderContextDump = NULL, *identityProviderContextDump = NULL;
     	LassoServer *spContext = NULL, *ecpContext=NULL, *idpContext = NULL;
-...
     	LassoEcp *ecp = NULL;
     	LassoSamlp2AuthnRequest *request = NULL;
     	gboolean is_passive = FALSE;
         char *provider_name = NULL;
     	char *provider_name = NULL;
     	char *relayState = NULL;
     	char *messageID = NULL;
     	char *extracted_messageID = NULL;
-...
     	char *ecpPaosResponseMsg = NULL;
     	char *spLoginDump = NULL;
     	LassoSaml2Assertion *assertion;
         LassoSamlp2IDPList *idp_list = NULL;
     	LassoSamlp2IDPList *idp_list = NULL;
     	/*
     	 * SAML2 Profile for ECP (Section 4.2) defines these steps for an ECP
-...
     	spContext = lasso_server_new_from_dump(serviceProviderContextDump);
     	spLoginContext = lasso_login_new(spContext);
     	check_not_null(spLoginContext);
     	lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint);
     	lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint);
     	check_good_rc(lasso_login_init_authn_request(spLoginContext, "http://idp5/metadata",
     												 LASSO_HTTP_METHOD_PAOS));
-...
     	idpContext = lasso_server_new_from_dump(identityProviderContextDump);
     	idpLoginContext = lasso_login_new(idpContext);
     	check_not_null(idpLoginContext);
     	lasso_profile_set_signature_hint(LASSO_PROFILE(idpLoginContext), signature_hint);
     	lasso_profile_set_signature_verify_hint(LASSO_PROFILE(idpLoginContext), signature_verify_hint);
     	/* Parse the ecpSoapRequestMsg */
     	check_good_rc(lasso_login_process_authn_request_msg(idpLoginContext, ecpSoapRequestMsg));
-...
     	check_str_equals(ecp->relaystate, relayState);
     	check_str_equals(ecp->issuer->content, "http://sp5/metadata");
     	check_str_equals(ecp->provider_name, provider_name);
         check_equals(ecp->is_passive, is_passive);
     	check_equals(ecp->is_passive, is_passive);
     	/* Validate ECP IdP list info */
     	validate_idp_list(ecp, ecpIDPListVariant, idp_list);
-...
     	spContext = lasso_server_new_from_dump(serviceProviderContextDump);
     	spLoginContext = lasso_login_new(spContext);
     	check_not_null(spLoginContext);
     	lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint);
     	lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint);
     	/* Parse the ecpPaosResponseMsg */
     	check_good_rc(lasso_login_process_paos_response_msg(spLoginContext, ecpPaosResponseMsg));
-...
     START_TEST(test09_ecp)
+    {
     	test_ecp(ECP_IDP_LIST_NONE);
     	test_ecp(ECP_IDP_LIST_NONE,
     		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
+    }
     END_TEST
     START_TEST(test10_ecp)
+    {
     	test_ecp(ECP_IDP_LIST_ECP);
     	test_ecp(ECP_IDP_LIST_ECP,
     		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
+    }
     END_TEST
     START_TEST(test11_ecp)
+    {
     	test_ecp(ECP_IDP_LIST_BOGUS);
     	test_ecp(ECP_IDP_LIST_BOGUS,
     		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
+    }
     END_TEST
     START_TEST(test12_ecp)
+    {
     	/* Maybe Sign */
     	test_ecp(ECP_IDP_LIST_NONE,
     		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
     	test_ecp(ECP_IDP_LIST_NONE,
     		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
     	test_ecp(ECP_IDP_LIST_NONE,
     		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
     	/* Force Sign */
     	test_ecp(ECP_IDP_LIST_NONE,
     		 LASSO_PROFILE_SIGNATURE_HINT_FORCE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
     	test_ecp(ECP_IDP_LIST_NONE,
     		 LASSO_PROFILE_SIGNATURE_HINT_FORCE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
     	test_ecp(ECP_IDP_LIST_NONE,
     		 LASSO_PROFILE_SIGNATURE_HINT_FORCE,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
     	/* Forbid Sign */
     	test_ecp(ECP_IDP_LIST_NONE,
     		 LASSO_PROFILE_SIGNATURE_HINT_FORBID,
     		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
+    }
     END_TEST
-...
     	lasso_release_string(dump)
+    }
     START_TEST(test12_sso_sp_with_rsa_sha256_signatures)
     START_TEST(test13_sso_sp_with_rsa_sha256_signatures)
+    {
     	LassoServer *idp_context = NULL;
     	LassoServer *sp_context = NULL;
-...
     	tcase_add_test(tc_ecp, test09_ecp);
     	tcase_add_test(tc_ecp, test10_ecp);
     	tcase_add_test(tc_ecp, test11_ecp);
     	tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures);
     	tcase_add_test(tc_ecp, test12_ecp);
     	tcase_add_test(tc_spLogin, test13_sso_sp_with_rsa_sha256_signatures);
     	return s;
+    }
+    -

Projet

Général

Profil

Produits Entr'ouvert » Lasso

0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch