0001-lasso_saml20_login_process_response_status_and_asser.patch

Jakub Hrozek, 27 juillet 2021 14:12

Voir les différences: en ligne côte à côte

Subject: [PATCH] lasso_saml20_login_process_response_status_and_assertion:
 handle rc as per verify_hint

In case VERIFY_HINT was set to IGNORE and the login signature was
incorrect, lasso_saml20_login_process_response_status_and_assertion
would have jumped straight to the cleanup label which just returns the
return code. Let's jump to a new label handlerc instead which might set
the return code to 0 in case verify_hint is set to IGNORE.

Related: https://dev.entrouvert.org/issues/54689

 lasso/saml-2.0/login.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

     	char *status_value;
     	lasso_error_t rc = 0;
     	lasso_error_t assertion_signature_status = 0;
     	LassoProfileSignatureVerifyHint verify_hint;
     	LassoProfileSignatureVerifyHint verify_hint = LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST;
     	profile = &login->parent;
     	lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
-...
     		lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
+    	}
     	switch (verify_hint) {
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
     			break;
     		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
     			/* ignore signature errors */
     			if (rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
     				rc = 0;
+    			}
     			break;
     		default:
     			g_assert(0);
+    	}
     cleanup:
     	if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE &&
     		rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
     	    profile->signature_status = rc;
     	    rc = 0;
+    	}
     	return rc;
+    }
+    -

Projet

Général

Profil

Produits Entr'ouvert » Lasso

0001-lasso_saml20_login_process_response_status_and_asser.patch