0003-Make-the-default-signature-method-and-the-minimal-ha.patch

Jakub Hrozek, 16 juin 2021 14:19

Voir les différences: en ligne côte à côte

Subject: [PATCH 3/6] Make the default signature method and the minimal hash
 strength configurable

Adds two new configure options:
    --with-default-sign-algo
    --min-hash-algo

--with-default-sign-algo sets the default signing algorithm and defaults
to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and
rsa-sha256.

--min-hash-algo sets the minimum hash algorithm to be accepted. The
default is sha1 for backwards compatibility as well.

Related:
https://dev.entrouvert.org/issues/54037

 configure.ac         | 42 ++++++++++++++++++++++++++++++++++++
 lasso/id-ff/server.c |  2 +-
 lasso/id-ff/server.h |  2 ++
 lasso/lasso.c        | 51 ++++++++++++++++++++++++++++++++++++++++++++
 lasso/xml/xml.c      | 24 +++++++++++++++++++++
 lasso/xml/xml.h      |  9 ++++++++
 tests/random_tests.c |  6 +++---
 7 files changed, 132 insertions(+), 4 deletions(-)

         AC_MSG_RESULT(no)
     fi
     AC_ARG_WITH([default-sign-algo],
                 [AS_HELP_STRING([--with-default-sign-algo=[rsa-sha1|rsa-sha256]],
                                 [Default signing algorithm (rsa-sha1)]
+                               )
+                ]
+    )
     SIGNING_ALGO=rsa-sha1
     if test x"$with_default_sign_algo" != x; then
         if test ! "$with_default_sign_algo" = "rsa-sha1" -a ! "$with_default_sign_algo" = "rsa-sha256"; then
     	AC_MSG_ERROR("Default signing algorithm must be either rsa-sha1 or rsa-sha256")
         else
     	SIGNING_ALGO=$with_default_sign_algo
         fi
     fi
     AC_DEFINE_UNQUOTED(DEFAULT_SIGNING_ALGO, "$SIGNING_ALGO", ["The default signing algorithm"])
     AC_ARG_WITH([min-hash-algo],
                 [AS_HELP_STRING([--with-min-hash-algo=[sha1|sha256|sha384|sha512]],
                                 [Minimal allowed hash algorithm (rsa-sha1)]
+                               )
+                ]
+    )
     MIN_HASH_ALGO=sha1
     if test x"$with_min_hash_algo" != x; then
         if test ! "$with_min_hash_algo" = "sha1" -a ! "$with_min_hash_algo" = "sha256" -a ! "$with_min_hash_algo" = "sha384" -a ! "$with_min_hash_algo" = "sha512"; then
     	AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512)
         else
     	MIN_HASH_ALGO=$with_min_hash_algo
         fi
     fi
     AC_DEFINE_UNQUOTED(MIN_HASH_ALGO, "$MIN_HASH_ALGO", ["The minimal hash algorithm"])
     dnl ==========================================================================
     dnl Pedantic compilation
     dnl ==========================================================================
-...
     C API references:       ${enable_gtk_doc}
     Tests suite:            ${enable_tests}
     Crypto settings
     ---------------
     Default signature:      ${SIGNING_ALGO}
     Minimal accepted hash:  ${MIN_HASH_ALGO}
+    )

     	server->private_key = NULL;
     	server->private_key_password = NULL;
     	server->certificate = NULL;
     	server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
     	server->signature_method = lasso_get_default_signature_method();
     	server->services = g_hash_table_new_full(g_str_hash, g_str_equal,
     			(GDestroyNotify)g_free,

     LASSO_EXPORT GList *lasso_server_get_filtered_provider_list(const LassoServer *server,
     	LassoProviderRole role, LassoMdProtocolType protocol_type, LassoHttpMethod http_method);
     LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();
     void lasso_set_default_signature_method(LassoSignatureMethod meth);
     #ifdef __cplusplus
+    }

     	g_log("libxmlsec", G_LOG_LEVEL_DEBUG, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg);
+    }
     static int
     set_default_signature_method()
+    {
     	int rv = LASSO_ERROR_UNDEFINED;
     	if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha256")) {
     		lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
     		rv = 0;
     	} else if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha1")) {
     		lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
     		rv = 0;
+    	}
     	return rv;
+    }
     static int
     set_min_allowed_hash_algo()
+    {
     	int rv = LASSO_ERROR_UNDEFINED;
     	if (lasso_strisequal(MIN_HASH_ALGO, "sha1")) {
     		lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
     		rv = 0;
     	} else if (lasso_strisequal(MIN_HASH_ALGO, "sha256")) {
     		lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
     		rv = 0;
     	} else if (lasso_strisequal(MIN_HASH_ALGO, "sha384")) {
     		lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA384);
     		rv = 0;
     	} else if (lasso_strisequal(MIN_HASH_ALGO, "sha512")) {
     		lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA512);
     		rv = 0;
+    	}
     	return rv;
+    }
     /**
      * lasso_init:
+     *
-...
     	g_type_init();
     #endif
     	/* Set the default hash algo */
     	if (set_default_signature_method() != 0) {
     		message(G_LOG_LEVEL_CRITICAL, "Unsupported signature "
     			"algorithm "DEFAULT_SIGNING_ALGO" configured");
     		return LASSO_ERROR_UNDEFINED;
+    	}
     	if (set_min_allowed_hash_algo() != 0) {
     		message(G_LOG_LEVEL_CRITICAL, "Unsupported hash algorithm "
     			"algorithm "MIN_HASH_ALGO" configured");
     		return LASSO_ERROR_UNDEFINED;
+    	}
     	/* Init Lasso classes */
     	for (i=0; functions[i]; i++)
     		functions[i]();

     GHashTable *idwsf2_dst_services_by_href = NULL; /* ID-WSF 2 DST services, indexed on href */
     GHashTable *idwsf2_dst_services_by_prefix = NULL; /* ID-WSF 2 DST services, indexed on prefix */
     static LassoSignatureMethod default_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
     static LassoSignatureMethod min_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
     /*****************************************************************************/
     /* global methods                                                            */
     /*****************************************************************************/
-...
     cleanup:
     	return result;
+    }
     LassoSignatureMethod
     lasso_get_default_signature_method() {
     	return default_signature_method;
+    }
     void
     lasso_set_default_signature_method(LassoSignatureMethod meth) {
     	default_signature_method = meth;
+    }
     LassoSignatureMethod
     lasso_get_min_signature_method() {
     	return min_signature_method;
+    }
     void
     lasso_set_min_signature_method(LassoSignatureMethod meth) {
     	min_signature_method = meth;
+    }

     	LASSO_SIGNATURE_METHOD_LAST
     } LassoSignatureMethod;
     /* signature method and hash strength */
     LassoSignatureMethod lasso_get_default_signature_method();
     void lasso_set_default_signature_method(LassoSignatureMethod meth);
     LassoSignatureMethod lasso_get_min_signature_method();
     void lasso_set_min_signature_method(LassoSignatureMethod meth);
     static inline gboolean
     lasso_validate_signature_method(LassoSignatureMethod signature_method)
+    {

     	fail_unless(server->private_key != NULL);
     	fail_unless(server->private_key_password == NULL);
     	fail_unless(server->certificate != NULL);
     	fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
     	fail_unless(server->signature_method == lasso_get_default_signature_method());
     	fail_unless(provider->ProviderID != NULL);
     	fail_unless(provider->role == 0);
     	fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL));
-...
     	fail_unless(server->private_key != NULL);
     	fail_unless(server->private_key_password == NULL);
     	fail_unless(server->certificate != NULL);
     	fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
     	fail_unless(server->signature_method == lasso_get_default_signature_method());
     	fail_unless(server->providers != NULL);
     	fail_unless(provider->ProviderID != NULL);
     	fail_unless(provider->role == 0, "provider->role != 0 => provider :=  %d", provider->role);
-...
     	fail_unless(server->private_key != NULL);
     	fail_unless(! server->private_key_password);
     	fail_unless(server->certificate != NULL);
     	fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
     	fail_unless(server->signature_method == lasso_get_default_signature_method());
     	fail_unless(server->providers != NULL);
     	lasso_server_add_provider(
     			server,
+    -

Projet

Général

Profil

Produits Entr'ouvert » Lasso

0003-Make-the-default-signature-method-and-the-minimal-ha.patch