From 416bae72eaf3775341c91d6c53267d704881c236 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 17 May 2022 05:34:48 -0400
Subject: [PATCH] import lasso-2.7.0-8.el9

---
 .gitignore | 1 +
 .lasso.metadata | 1 +
 ...uery_sign-HMAC-other-than-SHA1-54037.patch | 104 +++
 ...8_lasso_key-and-test07_saml2_query_v.patch | 129 ++++
 ...-signature-method-and-the-minimal-ha.patch | 363 +++++++++++
 ...SO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch | 162 +++++
 ...nature-method-is-allowed-in-addition.patch | 160 +++++
 ...DSA-key-test-unless-SHA-1-is-configu.patch | 30 +
 ...o_server_load_metadata-Don-t-verify-.patch | 41 ++
 ...in_process_response_status_and_asser.patch | 59 ++
 SOURCES/autogen.noconfig | 28 +
 SPECS/lasso.spec | 602 ++++++++++++++++++
 12 files changed, 1680 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .lasso.metadata
 create mode 100644 SOURCES/0001-Fix-lasso_query_sign-HMAC-other-than-SHA1-54037.patch
 create mode 100644 SOURCES/0002-tests-Move-test08_lasso_key-and-test07_saml2_query_v.patch
 create mode 100644 SOURCES/0003-Make-the-default-signature-method-and-the-minimal-ha.patch
 create mode 100644 SOURCES/0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch
 create mode 100644 SOURCES/0005-Check-if-the-signature-method-is-allowed-in-addition.patch
 create mode 100644 SOURCES/0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
 create mode 100644 SOURCES/0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
 create mode 100644 SOURCES/0009-lasso_saml20_login_process_response_status_and_asser.patch
 create mode 100644 SOURCES/autogen.noconfig
 create mode 100644 SPECS/lasso.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..01f0c19
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/lasso-2.7.0.tar.gz
diff --git a/.lasso.metadata b/.lasso.metadata
new file mode 100644
index 0000000..ea00b28
--- /dev/null
+++ b/.lasso.metadata
@@ -0,0 +1 @@
+7a4175eb925427504ac5d42bb3644a97fc188409 SOURCES/lasso-2.7.0.tar.gz
diff --git a/SOURCES/0001-Fix-lasso_query_sign-HMAC-other-than-SHA1-54037.patch b/SOURCES/0001-Fix-lasso_query_sign-HMAC-other-than-SHA1-54037.patch
new file mode 100644
index 0000000..2c9ff78
--- /dev/null
+++ b/SOURCES/0001-Fix-lasso_query_sign-HMAC-other-than-SHA1-54037.patch
@@ -0,0 +1,104 @@ +From 8b8fd22a168860c5034822472d1fb5745f8fa0f5 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 16 Jun 2021 10:18:30 +0200 +Subject: [PATCH] Fix lasso_query_sign HMAC other than SHA1 (#54037) + +The switch clause was using SHA1 digests for all digest types when +signing. This obviously breaks verifying the signatures if HMAC-SHAXXX +is used and XXX is something else than 1. +--- + lasso/xml/tools.c | 35 +++++++++++++++++++++++------------ + tests/login_tests_saml2.c | 6 +++--- + 2 files changed, 26 insertions(+), 15 deletions(-) + +diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c +index 96d88a2c4..290fd55f2 100644 +--- a/lasso/xml/tools.c ++++ b/lasso/xml/tools.c +@@ -594,22 +594,20 @@ lasso_query_sign(char *query, LassoSignatureContext context) + sigret_size = DSA_size(dsa); + break; + case LASSO_SIGNATURE_METHOD_HMAC_SHA1: ++ md = EVP_sha1(); ++ sigret_size = EVP_MD_size(md); ++ break; + case LASSO_SIGNATURE_METHOD_HMAC_SHA256: ++ md = EVP_sha256(); ++ sigret_size = EVP_MD_size(md); ++ break; + case LASSO_SIGNATURE_METHOD_HMAC_SHA384: ++ md = EVP_sha384(); ++ sigret_size = EVP_MD_size(md); ++ break; + case LASSO_SIGNATURE_METHOD_HMAC_SHA512: +- if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key, +- &hmac_key_length))) { +- message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc)); +- goto done; +- } +- g_assert(hmac_key); +- md = EVP_sha1(); ++ md = EVP_sha512(); + sigret_size = EVP_MD_size(md); +- /* key should be at least 128 bits long */ +- if (hmac_key_length < 16) { +- critical("HMAC key should be at least 128 bits long"); +- goto done; +- } + break; + default: + g_assert_not_reached(); +@@ -645,6 +643,19 @@ lasso_query_sign(char *query, LassoSignatureContext context) + case LASSO_SIGNATURE_METHOD_HMAC_SHA256: + case LASSO_SIGNATURE_METHOD_HMAC_SHA384: + case LASSO_SIGNATURE_METHOD_HMAC_SHA512: ++ if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key, ++ &hmac_key_length))) { ++ message(G_LOG_LEVEL_CRITICAL, 
"Failed to get hmac key (%s)", lasso_strerror(rc)); ++ goto done; ++ } ++ g_assert(hmac_key); ++ ++ /* key should be at least 128 bits long */ ++ if (hmac_key_length < 16) { ++ critical("HMAC key should be at least 128 bits long"); ++ goto done; ++ } ++ + HMAC(md, hmac_key, hmac_key_length, (unsigned char *)new_query, + strlen(new_query), sigret, &siglen); + status = 1; +diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c +index e331c07a7..e1d78b5b1 100644 +--- a/tests/login_tests_saml2.c ++++ b/tests/login_tests_saml2.c +@@ -981,7 +981,7 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallba + lasso_release_gobject(sp_login_context); + } + +-START_TEST(test07_sso_sp_with_hmac_sha1_signatures) ++START_TEST(test07_sso_sp_with_hmac_sha256_signatures) + { + LassoServer *idp_context = NULL; + LassoServer *sp_context = NULL; +@@ -990,7 +990,7 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures) + + /* Create the shared key */ + key = lasso_key_new_for_signature_from_memory("xxxxxxxxxxxxxxxx", 16, +- NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA1, NULL); ++ NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA256, NULL); + check_true(LASSO_IS_KEY(key)); + + /* Create an IdP context for IdP initiated SSO with provider metadata 1 */ +@@ -1640,7 +1640,7 @@ login_saml2_suite() + tcase_add_test(tc_spSloSoap, test04_sso_then_slo_soap); + tcase_add_test(tc_idpKeyRollover, test05_sso_idp_with_key_rollover); + tcase_add_test(tc_spKeyRollover, test06_sso_sp_with_key_rollover); +- tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha1_signatures); ++ tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha256_signatures); + tcase_add_test(tc_spLogin, test08_test_authnrequest_flags); + tcase_add_test(tc_ecp, test09_ecp); + tcase_add_test(tc_ecp, test10_ecp); +-- +2.26.3 + 
diff --git a/SOURCES/0002-tests-Move-test08_lasso_key-and-test07_saml2_query_v.patch b/SOURCES/0002-tests-Move-test08_lasso_key-and-test07_saml2_query_v.patch
new file mode 100644
index 0000000..0ec41cc
--- /dev/null
+++ b/SOURCES/0002-tests-Move-test08_lasso_key-and-test07_saml2_query_v.patch
@@ -0,0 +1,129 @@ +From f625eaa007fa3a1f6c846be0d70d26de33887714 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 16 Jun 2021 10:28:53 +0200 +Subject: [PATCH 2/7] tests: Move test08_lasso_key and + test07_saml2_query_verify_signature to SHA256 (#54037) + +These tests use a hardcoded query and private key which makes it +unsuitable to make the tests use the configured default digest. Let's +just convert them to SHA256 unconditionally. +--- + tests/random_tests.c | 46 ++++++++++++++++++++++---------------------- + 1 file changed, 23 insertions(+), 23 deletions(-) + +diff --git a/tests/random_tests.c b/tests/random_tests.c +index c4fe85883..fa0367a3c 100644 +--- a/tests/random_tests.c ++++ b/tests/random_tests.c +@@ -287,11 +287,11 @@ extern int lasso_saml2_query_verify_signature(const char *query, const xmlSecKey + START_TEST(test07_saml2_query_verify_signature) + { + /* normal query as produces by Lasso */ +- const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D"; ++ const char query1[] = 
"SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D"; + /* SAMLRequest field was moved in the middle, Signature to the beginning and all & were + * changed to ; */ +- const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"; +- const char query3[] = 
"RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D"; ++ const char query2[] = "Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"; ++ const char query3[] = 
"SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D"; + /* sp5-saml2 key */ + const char pkey[] = "-----BEGIN CERTIFICATE-----\n\ + MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\ +@@ -317,7 +317,7 @@ LlTxKnCrWAXftSm1rNtewTsF\n\ + -----END CERTIFICATE-----"; + + xmlSecKeyPtr key = lasso_xmlsec_load_private_key_from_buffer(pkey, sizeof(pkey)-1, NULL, +- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL); ++ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL); + + fail_unless(key != NULL, "Cannot load public key"); + fail_unless(lasso_saml2_query_verify_signature(query1, key) == 0, "Signature was not validated"); +@@ -332,11 +332,11 @@ END_TEST + START_TEST(test08_lasso_key) + { + /* normal query as produces by Lasso */ +- const char query1[] = 
"SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D"; ++ const char query1[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D"; + /* SAMLRequest field was moved in the middle, Signature to the beginning and all & were + * changed to ; */ +- const char query2[] = 
"Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"; +- const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D"; ++ const char query2[] = 
"Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"; ++ const char query3[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D"; + /* sp5-saml2 key */ + const char pkey[] = "-----BEGIN CERTIFICATE-----\n\ + MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\ +@@ -361,29 +361,29 @@ 
NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR\n\ + LlTxKnCrWAXftSm1rNtewTsF\n\ + -----END CERTIFICATE-----"; + LassoKey *key = lasso_key_new_for_signature_from_memory(pkey, strlen(pkey), NULL, +- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL); ++ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL); + LassoKey *key2 = lasso_key_new_for_signature_from_file( + TESTSDATADIR "/sp5-saml2/private-key.pem", NULL, +- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL); +- char *message = "http://sp5/metadata\n\ ++ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL); ++ char *message = "http://sp5/metadata\n\ + \n\ + \n\ +-\n\ +-\n\ ++\n\ ++\n\ + \n\ + \n\ + \n\ + \n\ +-\n\ +-tMncKjklMJaJLbmB7bARmX14Fdg=\n\ ++\n\ ++1Xy/VevGqojdKIvLzkczdd9Mp3AFYvZfsakldADTuO4=\n\ + \n\ + \n\ +-VjAHErXE8rz5yQ/t9Ubws11E59PsU/tXPtL6eCMAVLQxV4Bv0dwyYkeHtge1DXDT\n\ +-usTy1c17+iuYCVqD3Db51+LMVsHchj0j44fhu/PXNQTmgiT2AuVfH97YhiBWykAs\n\ +-LwT8MiE9vNGiHQwsWVjhdzooVmU0M80m0Ij2DFMcYiKzmuMhE4M65qUO4tygQLiL\n\ +-YB5oPe0VYKEBJLfaTvuijLBTi4ecx6aU+HptAvuEOcCbcJZtGyv7jr2yuEDSq72S\n\ +-0hwOV0CIsQoSf/vL7R9RzTs2bpgYVGqgerhpWsz6dqo7YX0NSj9pMbXZiOyX/YzS\n\ +-uP3QSjow05NiPhy8ywKW8A==\n\ ++R5unK5JQ8no8VCokUKKw8zXglIsjggH16cQxnqKl2GpFeeFh8Tzi4KRXTzVNXi9c\n\ ++dID0FTAsFM2Ol5Sqg/j2TVasR93PyIg2pUOb00tNwx8D81xEi1lXdWThHfiinYI0\n\ ++2qJSFj1H8wt/ceULmnvC0F01ga78LQervkjMaSpqlvyKYrNNOEJEYo0SJSUnUE5p\n\ ++wlv30BjnUCyXWQl9i03MvpPSOTJkXrFLqbJB8rB/HNdS71lWAU3k8r56OAxzTXUn\n\ ++WXr73mrQrLGJzbofDjO1Lfz8JpZXRzsffAsMCxKfoL+VzrElPNW5aklrFm603w2w\n\ ++6/xQk0BsHvPP8k6V32RuXQ==\n\ + \n\ + \n\ + \n\ +@@ -401,7 +401,7 @@ AQAB\n\ + \n\ + \n\ + \n\ +-"; ++AAQAALQUO+cobSry7mQpUjWDhKkaePFoNDRBMDY3RDY3QjNFM0QzQzA1NzQ="; + xmlDoc *doc; + + doc = xmlParseDoc(BAD_CAST message); +@@ -411,7 +411,7 @@ AQAB\n\ + fail_unless(lasso_key_query_verify(key, query2) == 0, "Disordered signature was not validated"); + fail_unless(lasso_key_query_verify(key, query3) != 0, "Altered signature was validated"); + fail_unless(lasso_key_saml2_xml_verify(key, +- 
"_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0, ++ "_5E4DB038BC15C020CE085F743D485443", xmlDocGetRootElement(doc)) == 0, + "XML Signature is not validated"); + g_object_unref(key); + fail_unless(key2 != NULL, "Cannot load public key2"); +@@ -420,7 +420,7 @@ AQAB\n\ + fail_unless(lasso_key_query_verify(key2, query2) == 0, "Disordered signature was not validated"); + fail_unless(lasso_key_query_verify(key2, query3) != 0, "Altered signature was validated"); + fail_unless(lasso_key_saml2_xml_verify(key2, +- "_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0, ++ "_5E4DB038BC15C020CE085F743D485443", xmlDocGetRootElement(doc)) == 0, + "XML Signature is not validated"); + g_object_unref(key2); + lasso_release_doc(doc); +-- +2.26.3 + diff --git a/SOURCES/0003-Make-the-default-signature-method-and-the-minimal-ha.patch b/SOURCES/0003-Make-the-default-signature-method-and-the-minimal-ha.patch new file mode 100644 index 0000000..e3786e1 --- /dev/null +++ b/SOURCES/0003-Make-the-default-signature-method-and-the-minimal-ha.patch 
@@ -0,0 +1,363 @@ +From f095ac8f5740b6eee687cac97840bc7e72992999 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Mon, 7 Jun 2021 12:27:15 +0200 +Subject: [PATCH 3/7] Make the default signature method and the minimal hash + strength configurable (#54037) + +Adds two new configure options: + --with-default-sign-algo + --min-hash-algo + +--with-default-sign-algo sets the default signing algorithm and defaults +to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and +rsa-sha256. + +--min-hash-algo sets the minimum hash algorithm to be accepted. The +default is sha1 for backwards compatibility as well. + +Related: +https://dev.entrouvert.org/issues/54037 +--- + configure.ac | 42 +++++++++++++++++++++++++++++ + lasso/id-ff/server.c | 2 +- + lasso/id-ff/server.h | 2 ++ + lasso/lasso.c | 51 +++++++++++++++++++++++++++++++++++ + lasso/xml/tools.c | 63 +++++++++++++++++++++++++++++++++++--------- + lasso/xml/xml.c | 24 +++++++++++++++++ + lasso/xml/xml.h | 9 +++++++ + tests/random_tests.c | 6 ++--- + 8 files changed, 182 insertions(+), 17 deletions(-) + +diff --git a/configure.ac b/configure.ac +index b527def43..2cdfbb149 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -795,6 +795,43 @@ else + AC_MSG_RESULT(no) + fi + ++AC_ARG_WITH([default-sign-algo], ++ [AS_HELP_STRING([--with-default-sign-algo=[rsa-sha1|rsa-sha256]], ++ [Default signing algorithm (rsa-sha1)] ++ ) ++ ] ++) ++ ++SIGNING_ALGO=rsa-sha1 ++if test x"$with_default_sign_algo" != x; then ++ if test ! "$with_default_sign_algo" = "rsa-sha1" -a ! 
"$with_default_sign_algo" = "rsa-sha256"; then ++ AC_MSG_ERROR("Default signing algorithm must be either rsa-sha1 or rsa-sha256") ++ else ++ SIGNING_ALGO=$with_default_sign_algo ++ fi ++fi ++ ++AC_DEFINE_UNQUOTED(DEFAULT_SIGNING_ALGO, "$SIGNING_ALGO", ["The default signing algorithm"]) ++ ++AC_ARG_WITH([min-hash-algo], ++ [AS_HELP_STRING([--with-min-hash-algo=[sha1|sha256|sha384|sha512]], ++ [Minimal allowed hash algorithm (rsa-sha1)] ++ ) ++ ] ++) ++ ++MIN_HASH_ALGO=sha1 ++if test x"$with_min_hash_algo" != x; then ++ if test ! "$with_min_hash_algo" = "sha1" -a ! "$with_min_hash_algo" = "sha256" -a ! "$with_min_hash_algo" = "sha384" -a ! "$with_min_hash_algo" = "sha512"; then ++ AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512) ++ else ++ MIN_HASH_ALGO=$with_min_hash_algo ++ fi ++fi ++ ++AC_DEFINE_UNQUOTED(MIN_HASH_ALGO, "$MIN_HASH_ALGO", ["The minimal hash algorithm"]) ++ ++ + dnl ========================================================================== + dnl Pedantic compilation + dnl ========================================================================== +@@ -939,4 +976,9 @@ Python binding: ${enable_python} + + C API references: ${enable_gtk_doc} + Tests suite: ${enable_tests} ++ ++Crypto settings ++--------------- ++Default signature: ${SIGNING_ALGO} ++Minimal accepted hash: ${MIN_HASH_ALGO} + ) +diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c +index 08bbde833..2bf5b7a8c 100644 +--- a/lasso/id-ff/server.c ++++ b/lasso/id-ff/server.c +@@ -682,7 +682,7 @@ instance_init(LassoServer *server) + server->private_key = NULL; + server->private_key_password = NULL; + server->certificate = NULL; +- server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1; ++ server->signature_method = lasso_get_default_signature_method(); + + server->services = g_hash_table_new_full(g_str_hash, g_str_equal, + (GDestroyNotify)g_free, +diff --git a/lasso/id-ff/server.h b/lasso/id-ff/server.h +index 8b4192793..5f9022e9d 100644 +--- 
a/lasso/id-ff/server.h ++++ b/lasso/id-ff/server.h +@@ -133,6 +133,8 @@ LASSO_EXPORT gchar *lasso_server_get_endpoint_url_by_id(const LassoServer *serve + LASSO_EXPORT GList *lasso_server_get_filtered_provider_list(const LassoServer *server, + LassoProviderRole role, LassoMdProtocolType protocol_type, LassoHttpMethod http_method); + ++LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method(); ++void lasso_set_default_signature_method(LassoSignatureMethod meth); + + #ifdef __cplusplus + } +diff --git a/lasso/lasso.c b/lasso/lasso.c +index 087485998..67340317d 100644 +--- a/lasso/lasso.c ++++ b/lasso/lasso.c +@@ -149,6 +149,44 @@ lasso_xmlsec_errors_callback(const char *file G_GNUC_UNUSED, int line G_GNUC_UNU + g_log("libxmlsec", G_LOG_LEVEL_DEBUG, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg); + } + ++static int ++set_default_signature_method() ++{ ++ int rv = LASSO_ERROR_UNDEFINED; ++ ++ if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha256")) { ++ lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256); ++ rv = 0; ++ } else if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha1")) { ++ lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1); ++ rv = 0; ++ } ++ ++ return rv; ++} ++ ++static int ++set_min_allowed_hash_algo() ++{ ++ int rv = LASSO_ERROR_UNDEFINED; ++ ++ if (lasso_strisequal(MIN_HASH_ALGO, "sha1")) { ++ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1); ++ rv = 0; ++ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha256")) { ++ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256); ++ rv = 0; ++ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha384")) { ++ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA384); ++ rv = 0; ++ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha512")) { ++ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA512); ++ rv = 0; ++ } ++ ++ return rv; ++} ++ + /** + * lasso_init: + * +@@ 
-164,6 +202,19 @@ int lasso_init() + g_type_init(); + #endif + ++ /* Set the default hash algo */ ++ if (set_default_signature_method() != 0) { ++ message(G_LOG_LEVEL_CRITICAL, "Unsupported signature " ++ "algorithm "DEFAULT_SIGNING_ALGO" configured"); ++ return LASSO_ERROR_UNDEFINED; ++ } ++ if (set_min_allowed_hash_algo() != 0) { ++ message(G_LOG_LEVEL_CRITICAL, "Unsupported hash algorithm " ++ "algorithm "MIN_HASH_ALGO" configured"); ++ return LASSO_ERROR_UNDEFINED; ++ } ++ ++ + /* Init Lasso classes */ + for (i=0; functions[i]; i++) + functions[i](); +diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c +index 290fd55f2..ce322ee1f 100644 +--- a/lasso/xml/tools.c ++++ b/lasso/xml/tools.c +@@ -1505,16 +1505,6 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) { + (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) || + (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) || + (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) || +- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0) || + (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha512Id) < 0) 
||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha512Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha512Id) < 0)
+@@ -1523,15 +1513,62 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed signature transforms");
+ return FALSE;
+ }
++
++ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA384) {
++ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
++ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
++ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0)) {
++
++ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 signature transforms");
++ return FALSE;
++ }
++
++ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) {
++
++ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 reference transforms");
++ return FALSE;
++ }
++ }
++
++ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA256) {
++ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
++ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
++ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0)) {
++
++ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 signature transforms");
++ return FALSE;
++ }
++
++ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) {
++
++ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 reference transforms");
++ return FALSE;
++ }
++ }
++
++ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA1) {
++ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
++ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
++ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
++ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
++
++ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 signature transforms");
++ return FALSE;
++ }
++
++ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) {
++
++ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 reference transforms");
++ return FALSE;
++ }
++ }
++
+ if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
+ (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NWithCommentsId) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
+- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
+- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
+- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
+ (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
+ (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
+ 
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index 938844baf..f017ebbe3 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -91,6 +91,10 @@ GHashTable *dst_services_by_prefix = NULL; /* ID-WSF 1 extra DST services, index
+ GHashTable *idwsf2_dst_services_by_href = NULL; /* ID-WSF 2 DST services, indexed on href */
+ GHashTable *idwsf2_dst_services_by_prefix = NULL; /* ID-WSF 2 DST services, indexed on prefix */
+ 
++
++static LassoSignatureMethod default_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
++static LassoSignatureMethod min_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
++
+ /*****************************************************************************/
+ /* global methods */
+ /*****************************************************************************/
+@@ -3689,3 +3693,23 @@ lasso_node_new_from_saml2_query(const char *url_or_qs, const char *param_name, L
+ cleanup:
+ return result;
+ }
++
++LassoSignatureMethod
++lasso_get_default_signature_method() {
++ return default_signature_method;
++}
++
++void
++lasso_set_default_signature_method(LassoSignatureMethod meth) {
++ default_signature_method = meth;
++}
++
++LassoSignatureMethod
++lasso_get_min_signature_method() {
++ return min_signature_method;
++}
++
++void
++lasso_set_min_signature_method(LassoSignatureMethod meth) {
++ min_signature_method = meth;
++}
+diff --git a/lasso/xml/xml.h b/lasso/xml/xml.h
+index 7660a0647..d0d3e1b0d 100644
+--- a/lasso/xml/xml.h
++++ b/lasso/xml/xml.h
+@@ -116,6 +116,15 @@ typedef enum {
+ LASSO_SIGNATURE_METHOD_LAST
+ } LassoSignatureMethod;
+ 
++/* signature method and hash strength */
++LassoSignatureMethod lasso_get_default_signature_method();
++
++void lasso_set_default_signature_method(LassoSignatureMethod meth);
++
++LassoSignatureMethod lasso_get_min_signature_method();
++
++void lasso_set_min_signature_method(LassoSignatureMethod meth);
++
+ static inline gboolean
+ lasso_validate_signature_method(LassoSignatureMethod signature_method)
+ {
+diff --git a/tests/random_tests.c b/tests/random_tests.c
+index fa0367a3c..cf112c7e2 100644
+--- a/tests/random_tests.c
++++ b/tests/random_tests.c
+@@ -97,7 +97,7 @@ START_TEST(test01_server_new)
+ fail_unless(server->private_key != NULL);
+ fail_unless(server->private_key_password == NULL);
+ fail_unless(server->certificate != NULL);
+- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ fail_unless(server->signature_method == lasso_get_default_signature_method());
+ fail_unless(provider->ProviderID != NULL);
+ fail_unless(provider->role == 0);
+ fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL));
+@@ -115,7 +115,7 @@ START_TEST(test01_server_new)
+ fail_unless(server->private_key != NULL);
+ fail_unless(server->private_key_password == NULL);
+ fail_unless(server->certificate != NULL);
+- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ fail_unless(server->signature_method == lasso_get_default_signature_method());
+ fail_unless(server->providers != NULL);
+ fail_unless(provider->ProviderID != NULL);
+ fail_unless(provider->role == 0, "provider->role != 0 => provider := %d", provider->role);
+@@ -143,7 +143,7 @@ START_TEST(test02_server_add_provider)
+ fail_unless(server->private_key != NULL);
+ fail_unless(! server->private_key_password);
+ fail_unless(server->certificate != NULL);
+- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ fail_unless(server->signature_method == lasso_get_default_signature_method());
+ fail_unless(server->providers != NULL);
+ lasso_server_add_provider(
+ server,
+-- 
+2.26.3
+
diff --git a/SOURCES/0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch b/SOURCES/0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch
new file mode 100644
index 0000000..02ec907
--- /dev/null
+++ b/SOURCES/0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch
@@ -0,0 +1,162 @@
+From 0d34c97be1c761a9eb12692e4cc4eac58feb7d19 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Tue, 15 Jun 2021 14:45:14 +0200
+Subject: [PATCH 4/7] Mass-replace LASSO_SIGNATURE_METHOD_RSA_SHA1 with
+ lasso_get_default_signature_method() (#54037)
+
+This should be backwards-compatible but at the same time use the
+selected default instead of RSA-SHA1.
+
+Related:
+https://dev.entrouvert.org/issues/54037
+---
+ lasso/id-ff/defederation.c | 2 +-
+ lasso/id-ff/logout.c | 6 +++---
+ lasso/id-ff/name_identifier_mapping.c | 4 ++--
+ lasso/id-ff/name_registration.c | 4 ++--
+ lasso/id-ff/provider.c | 2 +-
+ lasso/xml/tools.c | 2 +-
+ tests/basic_tests.c | 6 +++---
+ 7 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c
+index d711e4eed..d2382f4ae 100644
+--- a/lasso/id-ff/defederation.c
++++ b/lasso/id-ff/defederation.c
+@@ -251,7 +251,7 @@ lasso_defederation_init_notification(LassoDefederation *defederation, gchar *rem
+ nameIdentifier,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+ if (profile->msg_relayState) {
+ message(G_LOG_LEVEL_WARNING,
+ "RelayState was defined but can't be used "\
+diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
+index 20d04ed82..d307db586 100644
+--- a/lasso/id-ff/logout.c
++++ b/lasso/id-ff/logout.c
+@@ -396,7 +396,7 @@ lasso_logout_build_response_msg(LassoLogout *logout)
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 :
+ LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1));
++ lasso_get_default_signature_method()));
+ } else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
+ lasso_assign_new_gobject(profile->response,
+ lasso_lib_logout_response_new_full(
+@@ -608,7 +608,7 @@ lasso_logout_init_request(LassoLogout *logout, char *remote_providerID,
+ nameIdentifier,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+ } else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */
+ is_http_redirect_get_method = TRUE;
+ lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(
+@@ -990,7 +990,7 @@ lasso_logout_validate_request(LassoLogout *logout)
+ logout_request,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1));
++ lasso_get_default_signature_method()));
+ }
+ if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
+ lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
+diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c
+index 80af6fec4..f84020eb6 100644
+--- a/lasso/id-ff/name_identifier_mapping.c
++++ b/lasso/id-ff/name_identifier_mapping.c
+@@ -259,7 +259,7 @@ lasso_name_identifier_mapping_init_request(LassoNameIdentifierMapping *mapping,
+ targetNamespace,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+ if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_REQUEST(profile->request) == FALSE) {
+ return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
+ }
+@@ -458,7 +458,7 @@ lasso_name_identifier_mapping_validate_request(LassoNameIdentifierMapping *mappi
+ request,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+ 
+ if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_RESPONSE(profile->response) == FALSE) {
+ return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
+diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c
+index 11dbf24fe..076cf9624 100644
+--- a/lasso/id-ff/name_registration.c
++++ b/lasso/id-ff/name_registration.c
+@@ -339,7 +339,7 @@ lasso_name_registration_init_request(LassoNameRegistration *name_registration,
+ idpNameIdentifier, spNameIdentifier, oldNameIdentifier,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+ if (profile->request == NULL) {
+ return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
+ }
+@@ -575,7 +575,7 @@ lasso_name_registration_validate_request(LassoNameRegistration *name_registratio
+ LASSO_LIB_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request),
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+ if (LASSO_IS_LIB_REGISTER_NAME_IDENTIFIER_RESPONSE(profile->response) == FALSE) {
+ return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
+ }
+diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
+index 32a907d43..961c3669d 100644
+--- a/lasso/id-ff/provider.c
++++ b/lasso/id-ff/provider.c
+@@ -1274,7 +1274,7 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi
+ 
+ if (public_key != NULL) {
+ xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
++ lasso_get_default_signature_method(), NULL);
+ if (key) {
+ lasso_list_add_new_sec_key(keys, key);
+ } else {
+diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
+index ce322ee1f..cf6dade09 100644
+--- a/lasso/xml/tools.c
++++ b/lasso/xml/tools.c
+@@ -2746,7 +2746,7 @@ next:
+ content = xmlNodeGetContent(key_value);
+ if (content) {
+ result = lasso_xmlsec_load_private_key_from_buffer((char*)content,
+- strlen((char*)content), NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
++ strlen((char*)content), NULL, lasso_get_default_signature_method(), NULL);
+ xmlFree(content);
+ }
+ }
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index f9cfef266..0652abc28 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2008,16 +2008,16 @@ START_TEST(test14_lasso_key)
+ 
+ check_true(g_file_get_contents(TESTSDATADIR "sp1-la/private-key-raw.pem", &buffer, &length, NULL));
+ check_not_null(key = lasso_key_new_for_signature_from_memory(buffer,
+- length, NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
++ length, NULL, lasso_get_default_signature_method(),
+ NULL));
+ lasso_release_gobject(key);
+ check_not_null(key = lasso_key_new_for_signature_from_file(TESTSDATADIR
+- "sp1-la/private-key-raw.pem", NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
++ "sp1-la/private-key-raw.pem", NULL, lasso_get_default_signature_method(),
+ NULL));
+ lasso_release_gobject(key);
+ base64_encoded = g_base64_encode(BAD_CAST buffer, length);
+ check_not_null(key = lasso_key_new_for_signature_from_base64_string(base64_encoded, NULL,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL));
++ lasso_get_default_signature_method(), NULL));
+ lasso_release_string(base64_encoded);
+ lasso_release_string(buffer);
+ lasso_release_gobject(key);
+-- 
+2.26.3
+
diff --git a/SOURCES/0005-Check-if-the-signature-method-is-allowed-in-addition.patch b/SOURCES/0005-Check-if-the-signature-method-is-allowed-in-addition.patch
new file mode 100644
index 0000000..4c93fa9
--- /dev/null
+++ b/SOURCES/0005-Check-if-the-signature-method-is-allowed-in-addition.patch
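Review bot: In the defederation.c, logout.c, name_identifier_mapping.c and name_registration.c hunks the signing method now comes from the process-wide `lasso_get_default_signature_method()`, although each of those eight call sites already reaches through `profile->server` for the certificate, and the random_tests.c hunk of patch 0003 shows that a `LassoServer` carries its own `signature_method`; a server configured with something other than the global default would still sign these ID-FF messages with the default. If the per-server value is meant to win, `profile->server->signature_method` at those sites ties the choice to the server object instead of global state (confirm that this field is what the SAML 2.0 paths use before switching). The provider.c and tools.c hunks feed the same default into `lasso_xmlsec_load_private_key(...)` and `lasso_xmlsec_load_private_key_from_buffer(...)` while loading a peer's public key; the next patch shows `_lasso_xmlsec_load_key_from_buffer` switching on that argument to pick the key type, so the local signing default now decides how peer keys are parsed and deserves a comment such as `/* method only selects the key type to load; it is not the signing algorithm */` at both sites. All of the functions touched here start and end outside their hunks.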
@@ -0,0 +1,160 @@
+From f9a3aca0cb31a412faae25dd9fdbbf3fb61cb62f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Tue, 15 Jun 2021 15:08:44 +0200
+Subject: [PATCH 5/7] Check if the signature method is allowed in addition to
+ being valid (#54037)
+
+Adds a new utility function lasso_allowed_signature_method() that checks
+if the signature method is allowed. Previously, the code would only
+check if the method was valid.
+
+This new function is used whenever lasso_validate_signature_method was
+previously used through lasso_ok_signature_method() which wraps both
+validate and allowed.
+
+lasso_allowed_signature_method() is also used on a couple of places,
+notably lasso_query_verify_helper().
+
+Related:
+https://dev.entrouvert.org/issues/54037
+---
+ lasso/id-ff/server.c | 4 ++--
+ lasso/saml-2.0/profile.c | 4 ++--
+ lasso/xml/tools.c | 11 ++++++++++-
+ lasso/xml/xml.c | 5 +++--
+ lasso/xml/xml.h | 13 +++++++++++++
+ 5 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
+index 2bf5b7a8c..98a6c0214 100644
+--- a/lasso/id-ff/server.c
++++ b/lasso/id-ff/server.c
+@@ -909,7 +909,7 @@ lasso_server_get_signature_context_for_provider(LassoServer *server,
+ private_context = &provider->private_data->signature_context;
+ }
+ 
+- if (private_context && lasso_validate_signature_method(private_context->signature_method)) {
++ if (private_context && lasso_ok_signature_method(private_context->signature_method)) {
+ lasso_assign_signature_context(*signature_context, *private_context);
+ } else {
+ rc = lasso_server_get_signature_context(server, signature_context);
+@@ -1014,7 +1014,7 @@ lasso_server_export_to_query_for_provider_by_name(LassoServer *server, const cha
+ provider_id, &context));
+ query = lasso_node_build_query(node);
+ goto_cleanup_if_fail_with_rc(query, LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
+- if (lasso_validate_signature_method(context.signature_method)) {
++ if (lasso_ok_signature_method(context.signature_method)) {
+ lasso_assign_new_string(query, lasso_query_sign(query, context));
+ }
+ goto_cleanup_if_fail_with_rc(query,
+diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
+index 85f535ae0..412c391a6 100644
+--- a/lasso/saml-2.0/profile.c
++++ b/lasso/saml-2.0/profile.c
+@@ -1181,7 +1181,7 @@ lasso_saml20_profile_export_to_query(LassoProfile *profile, LassoNode *msg, char
+ "see #3.4.3 of saml-bindings-2.0-os");
+ }
+ }
+- if (lasso_validate_signature_method(context.signature_method)) {
++ if (lasso_ok_signature_method(context.signature_method)) {
+ result = lasso_query_sign(unsigned_query, context);
+ goto_cleanup_if_fail_with_rc(result != NULL,
+ LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
+@@ -1219,7 +1219,7 @@ lasso_saml20_profile_build_http_redirect(LassoProfile *profile,
+ goto_cleanup_if_fail_with_rc (url != NULL, LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
+ /* if message is signed, remove XML signature, add query signature */
+ lasso_assign_signature_context(context, lasso_node_get_signature(msg));
+- if (lasso_validate_signature_method(context.signature_method)) {
++ if (lasso_ok_signature_method(context.signature_method)) {
+ lasso_node_remove_signature(msg);
+ }
+ lasso_check_good_rc(lasso_saml20_profile_export_to_query(profile, msg, &query, context));
+diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
+index cf6dade09..077b1134d 100644
+--- a/lasso/xml/tools.c
++++ b/lasso/xml/tools.c
+@@ -499,7 +499,7 @@ lasso_query_sign(char *query, LassoSignatureContext context)
+ lasso_error_t rc = 0;
+ 
+ g_return_val_if_fail(query != NULL, NULL);
+- g_return_val_if_fail(lasso_validate_signature_method(context.signature_method), NULL);
++ g_return_val_if_fail(lasso_ok_signature_method(context.signature_method), NULL);
+ 
+ key = context.signature_key;
+ sign_method = context.signature_method;
+@@ -804,6 +804,12 @@ lasso_query_verify_helper(const char *signed_content, const char *b64_signature,
+ } else {
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGALG);
+ }
++
++ /* is the signature algo allowed */
++ goto_cleanup_if_fail_with_rc(
++ lasso_allowed_signature_method(method),
++ LASSO_DS_ERROR_INVALID_SIGALG);
++
+ /* decode signature */
+ signature = g_malloc(key_size+1);
+ goto_cleanup_if_fail_with_rc(
+@@ -2434,6 +2440,9 @@ _lasso_xmlsec_load_key_from_buffer(const char *buffer, size_t length, const char
+ };
+ xmlSecKey *private_key = NULL;
+ 
++ /* is the signature algo allowed */
++ goto_cleanup_if_fail(lasso_allowed_signature_method(signature_method));
++
+ xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
+ switch (signature_method) {
+ case LASSO_SIGNATURE_METHOD_RSA_SHA1:
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index f017ebbe3..49574de68 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -824,7 +824,7 @@ lasso_legacy_extract_and_copy_signature_parameters(LassoNode *node, LassoNodeCla
+ node_data->sign_method_offset);
+ private_key_file = G_STRUCT_MEMBER(char *, node, node_data->private_key_file_offset);
+ certificate_file = G_STRUCT_MEMBER(char *, node, node_data->certificate_file_offset);
+- if (! lasso_validate_signature_method(signature_method)) {
++ if (! lasso_ok_signature_method(signature_method)) {
+ return FALSE;
+ }
+ if (lasso_node_set_signature(node,
+@@ -1873,10 +1873,11 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ int what;
+ if (! lasso_get_integer_attribute(xmlnode, LASSO_SIGNATURE_METHOD_ATTRIBUTE,
+ BAD_CAST LASSO_LIB_HREF, &what,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1,
++ lasso_get_min_signature_method(),
+ LASSO_SIGNATURE_METHOD_LAST))
+ break;
+ method = what;
++
+ if (! lasso_get_integer_attribute(xmlnode, LASSO_SIGNATURE_METHOD_ATTRIBUTE,
+ BAD_CAST LASSO_LIB_HREF, &what, LASSO_SIGNATURE_TYPE_NONE+1,
+ LASSO_SIGNATURE_TYPE_LAST))
+diff --git a/lasso/xml/xml.h b/lasso/xml/xml.h
+index d0d3e1b0d..60c04eae5 100644
+--- a/lasso/xml/xml.h
++++ b/lasso/xml/xml.h
+@@ -132,6 +132,19 @@ lasso_validate_signature_method(LassoSignatureMethod signature_method)
+ && signature_method < (LassoSignatureMethod)LASSO_SIGNATURE_METHOD_LAST;
+ }
+ 
++static inline gboolean
++lasso_allowed_signature_method(LassoSignatureMethod signature_method)
++{
++ return signature_method >= lasso_get_min_signature_method();
++}
++
++static inline gboolean
++lasso_ok_signature_method(LassoSignatureMethod signature_method)
++{
++ return lasso_validate_signature_method(signature_method) \
++ && lasso_allowed_signature_method(signature_method);
++}
++
+ typedef struct _LassoNode LassoNode;
+ typedef struct _LassoNodeClass LassoNodeClass;
+ typedef struct _LassoNodeClassData LassoNodeClassData;
+-- 
+2.26.3
+
diff --git a/SOURCES/0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch b/SOURCES/0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
new file mode 100644
index 0000000..a2a98a5
--- /dev/null
+++ b/SOURCES/0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
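Review bot: `lasso_allowed_signature_method()` in the xml.h hunk decides whether a method is strong enough purely by the numeric order of `LassoSignatureMethod` (`signature_method >= lasso_get_min_signature_method()`), but the enum definition is not in this hunk and nothing documents that its values are sorted by hash strength; patch 0003's `lasso_saml_constrain_dsigctxt` enables HMAC and DSA transforms alongside the RSA ones, so the enum presumably has members beyond the three RSA entries compared there, and any member numbered above the minimum while using a weaker hash would pass this check. A comment on the function, e.g. `/* relies on LassoSignatureMethod being ordered by hash strength; keep the enum sorted */`, or a small method-to-hash lookup shared with `lasso_saml_constrain_dsigctxt`, would make the invariant explicit and testable. In the server.c hunk a provider-specific context whose method is now rejected falls back to `lasso_server_get_signature_context` without any log line; a `message(G_LOG_LEVEL_WARNING, ...)` on that path would make the fallback visible when a higher minimum is rolled out. The `\` line continuation inside `lasso_ok_signature_method` is unnecessary outside a macro and can be dropped.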
@@ -0,0 +1,30 @@
+From f70eee9ef7faa9ccfb6f815977431ae2e02260bc Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Wed, 16 Jun 2021 12:23:47 +0200
+Subject: [PATCH 6/7] python: Skip the DSA key test unless SHA-1 is configured
+ (#54037)
+
+lasso supports DSA-XXX only with SHA-1. The alternative is to use
+DSA-SHA256.
+---
+ bindings/python/tests/profiles_tests.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
+index 6ec612077..501fd9199 100755
+--- a/bindings/python/tests/profiles_tests.py
++++ b/bindings/python/tests/profiles_tests.py
+@@ -276,6 +276,10 @@ class LoginTestCase(unittest.TestCase):
+ 
+ def test07(self):
+ '''SAMLv2 SSO with DSA key for the IdP'''
++ default_sign_meth = lasso.getDefaultSignatureMethod()
++ if default_sign_meth != lasso.SIGNATURE_METHOD_RSA_SHA1:
++ self.skipTest("This test requires that lasso is compiled with SHA1 as the default signature method")
++
+ sp = lasso.Server(
+ os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
+ os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
+-- 
+2.26.3
+
diff --git a/SOURCES/0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch b/SOURCES/0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
new file mode 100644
index 0000000..cad68cc
--- /dev/null
+++ b/SOURCES/0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
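Review bot: The skip condition in `test07` keys on `lasso.getDefaultSignatureMethod()`, but what decides whether a DSA-SHA1 IdP key can be used is the minimum allowed method that patch 0005's `lasso_allowed_signature_method()` enforces, not the default used for signing; a build with a SHA-256 default but a SHA-1 minimum would skip a test that could run, and the skip message ("compiled with SHA1 as the default") describes the wrong precondition. Comparing the binding counterpart of `lasso_get_min_signature_method()` against `lasso.SIGNATURE_METHOD_RSA_SHA1` would express the actual requirement, if the binding generator exposes it. The same default-versus-minimum choice is made in the `test13_test_lasso_server_load_metadata` hunk of patch 0007, where `trusted_roots` becomes NULL whenever the default is not RSA-SHA1; in the sha256 build that removes metadata signature verification from the test altogether rather than asserting on the outcome the stricter minimum is meant to produce for SHA-1-signed metadata.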
@@ -0,0 +1,41 @@
+From 1b0000e0163edc9d831894bf4aac7503f0294062 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 18 Jun 2021 18:45:38 +0200
+Subject: [PATCH 7/7] test13_test_lasso_server_load_metadata: Don't verify
+ signature if lasso is not configured with sha-1 (#54037)
+
+---
+ tests/basic_tests.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 0652abc28..470d64fc6 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -1974,6 +1974,14 @@ START_TEST(test13_test_lasso_server_load_metadata)
+ LassoServer *server = NULL;
+ GList *loaded_entity_ids = NULL;
+ GList blacklisted_1 = { .data = "https://identities.univ-jfc.fr/idp/prod", .next = NULL };
++ const gchar *trusted_roots = TESTSDATADIR "/rootCA.crt";
++
++ /* The IDP metadata file is signed with rsa-sha1, so verifying it would
++ * fail incase sha1 is not available
++ */
++ if (lasso_get_default_signature_method() != LASSO_SIGNATURE_METHOD_RSA_SHA1) {
++ trusted_roots = NULL;
++ }
+ 
+ check_not_null(server = lasso_server_new(
+ TESTSDATADIR "/idp5-saml2/metadata.xml",
+@@ -1983,7 +1991,7 @@ START_TEST(test13_test_lasso_server_load_metadata)
+ block_lasso_logs;
+ check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
+ TESTSDATADIR "/metadata/renater-metadata.xml",
+- TESTSDATADIR "/rootCA.crt",
++ trusted_roots,
+ &blacklisted_1, &loaded_entity_ids,
+ LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
+ unblock_lasso_logs;
+-- 
+2.26.3
+
diff --git a/SOURCES/0009-lasso_saml20_login_process_response_status_and_asser.patch b/SOURCES/0009-lasso_saml20_login_process_response_status_and_asser.patch
new file mode 100644
index 0000000..05f5bea
--- /dev/null
+++ b/SOURCES/0009-lasso_saml20_login_process_response_status_and_asser.patch
@@ -0,0 +1,59 @@
+From 20f653f70818b85fe1b4de77a629fce352fb8cbd Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 26 Jul 2021 16:25:52 +0200
+Subject: [PATCH] lasso_saml20_login_process_response_status_and_assertion:
+ handle rc as per verify_hint
+
+In case VERIFY_HINT was set to IGNORE and the login signature was
+incorrect, lasso_saml20_login_process_response_status_and_assertion
+would have jumped straight to the cleanup label which just returns the
+return code. Let's jump to a new label handlerc instead which might set
+the return code to 0 in case verify_hint is set to IGNORE.
+
+Related: https://dev.entrouvert.org/issues/54689
+---
+ lasso/saml-2.0/login.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
+index cf62c1cc9..1d5668b5b 100644
+--- a/lasso/saml-2.0/login.c
++++ b/lasso/saml-2.0/login.c
+@@ -1371,7 +1371,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
+ char *status_value;
+ lasso_error_t rc = 0;
+ lasso_error_t assertion_signature_status = 0;
+- LassoProfileSignatureVerifyHint verify_hint;
++ LassoProfileSignatureVerifyHint verify_hint = LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST;
+ 
+ profile = &login->parent;
+ lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
+@@ -1492,20 +1492,12 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
+ lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
+ }
+ 
+- switch (verify_hint) {
+- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
+- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
+- break;
+- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
+- /* ignore signature errors */
+- if (rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
+- rc = 0;
+- }
+- break;
+- default:
+- g_assert(0);
+- }
+ cleanup:
++ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE &&
++ rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
++ profile->signature_status = rc;
++ rc = 0;
++ }
+ return rc;
+ }
+ 
+-- 
+2.26.3
+
diff --git a/SOURCES/autogen.noconfig b/SOURCES/autogen.noconfig
new file mode 100644
index 0000000..b12d05f
--- /dev/null
+++ b/SOURCES/autogen.noconfig
@@ -0,0 +1,28 @@
+diff -up lasso-2.7.0/autogen.sh.noconfig lasso-2.7.0/autogen.sh
+--- lasso-2.7.0/autogen.sh.noconfig 2021-06-28 22:39:00.473005330 +0200
++++ lasso-2.7.0/autogen.sh 2021-06-28 22:39:43.028114738 +0200
+@@ -77,11 +77,6 @@ test $TEST_TYPE $FILE || {
+ exit 1
+ }
+ 
+-if test "$#" = 0; then
+- echo "I am going to run ./configure with no arguments - if you wish "
+- echo "to pass any to it, please specify them on the $0 command line."
+-fi
+-
+ # to support timj aclocal setup we are shipping gnome-doc-utils.m4
+ # and making sure automake picks it up ;)
+ # this is bad as -I prepends to the search path
+@@ -107,12 +102,3 @@ autoconf || exit $?
+ 
+ echo "* Running $AUTOMAKE"
+ $AUTOMAKE --add-missing -Wno-portability $am_opt || exit $?
+-
+-cd "$THEDIR"
+-
+-if [ "$1" != "noconfig" ]; then
+- $srcdir/configure --enable-gtk-doc --enable-maintainer-mode "$@" || exit $?
+-fi
+-
+-echo
+-echo "Now type 'make install' to install $PROJECT."
diff --git a/SPECS/lasso.spec b/SPECS/lasso.spec
new file mode 100644
index 0000000..60c82ab
--- /dev/null
+++ b/SPECS/lasso.spec
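Review bot: With the new block under `cleanup:`, a response whose signature verification failed (`LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE`) now makes `lasso_saml20_login_process_response_status_and_assertion` return 0 under `LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE`, and the only trace of the failure is `profile->signature_status`; callers that look at the return code alone will treat the login as verified, so the block deserves a comment such as `/* IGNORE hint: the signature failure is recorded in profile->signature_status but not returned as an error */`. Initialising `verify_hint` to `LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST` means that an error taken before the hint is read, and an unrecognised hint value, now pass through unchanged where the removed `default: g_assert(0);` used to abort; that is fail-closed, but it is a silent change of contract and belongs in the same comment. The commit message describes jumping to a new `handlerc` label while the hunk reuses `cleanup:`; the message should match the code. The function's body starts outside the hunk.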
@@ -0,0 +1,602 @@
+%global with_java 0
+%global with_php 0
+%global with_perl 1
+# The Lasso build system requires python, especially the binding generators
+%global with_python 1
+%global with_python2 0
+%global with_python3 0
+%global with_wsf 0
+%global obsolete_old_lang_subpackages 0
+
+%if %{with_php}
+%if "%{php_version}" < "5.6"
+%global ini_name %{name}.ini
+%else
+%global ini_name 40-%{name}.ini
+%endif
+%endif
+
+%if (0%{?fedora} > 0 && 0%{?fedora} <= 29) || (0%{?rhel} > 0 && 0%{?rhel} <= 7)
+ %global obsolete_old_lang_subpackages 1
+%endif
+
+%if %{with_python}
+ %if (0%{?fedora} > 0 && 0%{?fedora} < 32) || (0%{?rhel} > 0 && 0%{?rhel} <= 7)
+ %global with_python2 1
+ %endif
+
+ %if 0%{?fedora} || 0%{?rhel} >= 8
+ %global with_python3 1
+ %endif
+%endif
+
+%global configure_args %{nil}
+%global configure_args %{configure_args} --with-default-sign-algo=rsa-sha256 --with-min-hash-algo=sha256
+
+%if !%{with_java}
+ %global configure_args %{configure_args} --disable-java
+%endif
+
+%if !%{with_perl}
+ %global configure_args %{configure_args} --disable-perl
+%endif
+
+%if %{with_php}
+ %global configure_args %{configure_args} --enable-php5=yes --with-php5-config-dir=%{php_inidir}
+%else
+ %global configure_args %{configure_args} --enable-php5=no
+%endif
+
+%if %{with_wsf}
+ %global configure_args %{configure_args} --enable-wsf --with-sasl2=%{_prefix}/sasl2
+%endif
+
+%if !%{with_python}
+ %global configure_args %{configure_args} --disable-python
+%endif
+
+
+Summary: Liberty Alliance Single Sign On
+Name: lasso
+Version: 2.7.0
+Release: 8%{?dist}
+License: GPLv2+
+URL: http://lasso.entrouvert.org/
+Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: check-devel
+BuildRequires: glib2-devel
+BuildRequires: gtk-doc
+BuildRequires: libtool
+BuildRequires: libtool-ltdl-devel
+BuildRequires: libxml2-devel
+BuildRequires: openssl-devel
+BuildRequires: swig
+BuildRequires: xmlsec1-devel
+BuildRequires: xmlsec1-openssl-devel
+BuildRequires: zlib-devel
+%if %{with_wsf}
+BuildRequires: cyrus-sasl-devel
+%endif
+
+Requires: xmlsec1
+
+# lasso upstream no longer supports java bindings
+# see https://dev.entrouvert.org/issues/45876#change-289747
+# and https://dev.entrouvert.org/issues/51418
+Obsoletes: java-lasso < %{version}-%{release}
+
+Patch0001: 0001-Fix-lasso_query_sign-HMAC-other-than-SHA1-54037.patch
+Patch0002: 0002-tests-Move-test08_lasso_key-and-test07_saml2_query_v.patch
+Patch0003: 0003-Make-the-default-signature-method-and-the-minimal-ha.patch
+Patch0004: 0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch
+Patch0005: 0005-Check-if-the-signature-method-is-allowed-in-addition.patch
+Patch0006: 0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
+Patch0007: 0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
+Patch0008: autogen.noconfig
+Patch0009: 0009-lasso_saml20_login_process_response_status_and_asser.patch
+
+%description
+Lasso is a library that implements the Liberty Alliance Single Sign On
+standards, including the SAML and SAML2 specifications. It allows to handle
+the whole life-cycle of SAML based Federations, and provides bindings
+for multiple languages.
+
+%package devel
+Summary: Lasso development headers and documentation
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+This package contains the header files, static libraries and development
+documentation for Lasso.
+
+%if %{with_perl}
+%package -n perl-%{name}
+Summary: Liberty Alliance Single Sign On (lasso) Perl bindings
+BuildRequires: perl-devel
+BuildRequires: perl-generators
+BuildRequires: perl(Error)
+BuildRequires: perl(ExtUtils::MakeMaker)
+BuildRequires: perl(strict)
+BuildRequires: perl(Test::More)
+BuildRequires: perl(warnings)
+BuildRequires: perl(XSLoader)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description -n perl-%{name}
+Perl language bindings for the lasso (Liberty Alliance Single Sign On) library.
+%endif
+
+%if %{with_java}
+%package -n java-%{name}
+Summary: Liberty Alliance Single Sign On (lasso) Java bindings
+Buildrequires: java-1.8.0-openjdk-devel
+BuildRequires: jpackage-utils
+Requires: java-headless
+Requires: jpackage-utils
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%if %{obsolete_old_lang_subpackages}
+Provides: %{name}-java = %{version}-%{release}
+Provides: %{name}-java%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-java < %{version}-%{release}
+%endif
+
+%description -n java-%{name}
+Java language bindings for the lasso (Liberty Alliance Single Sign On) library.
+%endif
+
+%if %{with_php}
+%package -n php-%{name}
+Summary: Liberty Alliance Single Sign On (lasso) PHP bindings
+BuildRequires: expat-devel
+BuildRequires: php-devel
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: php(zend-abi) = %{php_zend_api}
+Requires: php(api) = %{php_core_api}
+
+%description -n php-%{name}
+PHP language bindings for the lasso (Liberty Alliance Single Sign On) library.
+
+%endif
+
+%if %{with_python2}
+%package -n python2-%{name}
+%{?python_provide:%python_provide python2-%{name}}
+Summary: Liberty Alliance Single Sign On (lasso) Python bindings
+BuildRequires: python2
+BuildRequires: python2-devel
+%if 0%{?rhel} && 0%{?rhel} <= 7
+BuildRequires: python-lxml
+%else
+BuildRequires: python2-lxml
+%endif
+BuildRequires: python2-six
+Requires: python2
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%if %{obsolete_old_lang_subpackages}
+Provides: %{name}-python = %{version}-%{release}
+Provides: %{name}-python%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-python < %{version}-%{release}
+%endif
+
+%description -n python2-%{name}
+Python language bindings for the lasso (Liberty Alliance Single Sign On)
+library.
+%endif
+
+%if %{with_python3}
+%package -n python3-%{name}
+%{?python_provide:%python_provide python3-%{name}}
+Summary: Liberty Alliance Single Sign On (lasso) Python bindings
+BuildRequires: python3
+BuildRequires: python3-devel
+BuildRequires: python3-lxml
+BuildRequires: python3-six
+BuildRequires: make
+Requires: python3
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description -n python3-%{name}
+Python language bindings for the lasso (Liberty Alliance Single Sign On)
+library.
+%endif
+
+%prep
+%autosetup -p1
+
+# Remove any python script shebang lines (unless they refer to python3)
+sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \
+ `grep -r -l -E '^#![[:blank:]]*(/usr/bin/python[^3]?)|(/usr/bin/env[[:blank:]]+python[^3]?)' *`
+
+%build
+export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
+./autogen.sh
+%if 0%{?with_python2}
+ %configure %{configure_args} --with-python=%{__python2}
+ pushd lasso
+ make %{?_smp_mflags} CFLAGS="%{optflags}"
+ popd
+ pushd bindings/python
+ make %{?_smp_mflags} CFLAGS="%{optflags}"
+ make check CK_TIMEOUT_MULTIPLIER=5
+ mkdir py2
+ mv lasso.py .libs/_lasso.so py2
+ popd
+ make clean
+%endif
+
+%if 0%{?with_python3}
+ %configure %{configure_args} --with-python=%{__python3}
+%else
+ %configure %{configure_args}
+%endif
+%make_build CFLAGS="%{optflags}"
+
+%check
+make check CK_TIMEOUT_MULTIPLIER=10 VERBOSE=yes
+
+%install
+#install -m 755 -d %{buildroot}%{_datadir}/gtk-doc/html
+
+make install exec_prefix=%{_prefix} DESTDIR=%{buildroot}
+find %{buildroot} -type f -name '*.la' -exec rm -f {} \;
+find %{buildroot} -type f -name '*.a' -exec rm -f {} \;
+
+%if 0%{?with_python2}
+ # Install Python 2 files saved from first build
+ install -d -m 0755 %{buildroot}/%{python2_sitearch}
+ install -m 0644 bindings/python/py2/lasso.py %{buildroot}/%{python2_sitearch}
+ install -m 0755 bindings/python/py2/_lasso.so %{buildroot}/%{python2_sitearch}
+%endif
+
+# Perl subpackage
+%if %{with_perl}
+find %{buildroot} \( -name perllocal.pod -o -name .packlist \) -exec rm -v {} \;
+
+find %{buildroot}/usr/lib*/perl5 -type f -print |
+ sed "s@^%{buildroot}@@g" > %{name}-perl-filelist
+if [ "$(cat %{name}-perl-filelist)X" = "X" ] ; then
+ echo "ERROR: EMPTY FILE LIST"
+ exit -1
+fi
+%endif
+
+# PHP subpackage
+%if %{with_php}
+install -m 755 -d %{buildroot}%{_datadir}/php/%{name}
+mv %{buildroot}%{_datadir}/php/lasso.php %{buildroot}%{_datadir}/php/%{name}
+
+# rename the PHP config file when needed (PHP 5.6+)
+if [ "%{name}.ini" != "%{ini_name}" ]; then
+ mv %{buildroot}%{php_inidir}/%{name}.ini \
+ %{buildroot}%{php_inidir}/%{ini_name}
+fi
+%endif
+
+# Remove bogus doc files
+rm -fr %{buildroot}%{_defaultdocdir}/%{name}
+
+%ldconfig_scriptlets
+
+%files
+%{_libdir}/liblasso.so.3*
+%doc AUTHORS NEWS README
+%license COPYING
+
+%files devel
+%{_libdir}/liblasso.so
+%{_libdir}/pkgconfig/lasso.pc
+%{_includedir}/%{name}
+
+%if %{with_perl}
+%files -n perl-%{name} -f %{name}-perl-filelist
+%endif
+
+%if %{with_java}
+%files -n java-%{name}
+%{_libdir}/java/libjnilasso.so
+%{_javadir}/lasso.jar
+%endif
+
+%if %{with_php}
+%files -n php-%{name}
+%{php_extdir}/lasso.so
+%config(noreplace) %{php_inidir}/%{ini_name}
+%dir %{_datadir}/php/%{name}
+%{_datadir}/php/%{name}/lasso.php
+%endif
+
+%if %{with_python2}
+%files -n python2-%{name}
+%{python2_sitearch}/lasso.py*
+%{python2_sitearch}/_lasso.so
+%endif
+
+%if %{with_python3}
+%files -n python3-%{name}
+%{python3_sitearch}/lasso.py*
+%{python3_sitearch}/_lasso.so
+%{python3_sitearch}/__pycache__/*
+%endif
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Mon Jun 28 2021 Jakub Hrozek - 2.7.0-7
+- Fix dead code issue
+- Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping
+ vulnerability when parsing SAML responses
+
+* Thu Jul 29 2021 Jakub Hrozek - 2.7.0-6
+- Resolves: rhbz#1984822 - lasso: FTBFS in test suite due to short test
+ timeout (potentially OpenSSL-related)
+
+* Mon Jun 28 2021 Jakub Hrozek - 2.7.0-5
+- Don't run configure twice
+- Resolves: rhbz#1935987 - lasso implements and/or uses the deprecated
+ SHA-1 algorithm by default
+
+* Thu Jun 24 2021 Jakub Hrozek - 2.7.0-4
+- Resolves: rhbz#1935987 - lasso implements and/or uses the deprecated
+ SHA-1 algorithm by default
+
+* Wed Jun 16 2021 Mohan Boddu - 2.7.0-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Fri Jun 4
2021 Jakub Hrozek - 2.7.0-2 +- Rebuild with openssl3, presumably in a buildroot with xmlsec1 + linked against openssl3 +- Resolves: rhbz#1962052 - lasso: Port to OpenSSL 3.0 + +* Wed Jun 2 2021 Jakub Hrozek - 2.7.0-1 +- Lasso 2.7.0 +- Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping + vulnerability when parsing SAML responses +- Remove java bindings + +* Fri Apr 16 2021 Mohan Boddu - 2.6.1-9 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 2.6.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Aug 13 2020 Jakub Hrozek - 2.6.1-7 +- Temporarily build with OpenJDK 8 +- upstream ticket for OpenJDK11 support: https://dev.entrouvert.org/issues/45876 + +* Fri Aug 07 2020 Jeff Law - 2.6.1-6 +- Revert last change. I lost the patchfile and I can't reproduce the gcc-11 + problem which almost certainly prompted it + +* Fri Aug 07 2020 Jeff Law - 2.6.1-5 +- Fix format string problem + +* Sat Aug 01 2020 Fedora Release Engineering - 2.6.1-4 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 2.6.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Jul 10 2020 Jiri Vanek - 2.6.1-2 +- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11 + +* Fri Jul 03 2020 Xavier Bachelot - 2.6.1-1 +- Update to 2.6.1 + +* Tue Jun 23 2020 Jitka Plesnikova - 2.6.0-23 +- Perl 5.32 rebuild + +* Tue May 26 2020 Miro Hrončok - 2.6.0-22 +- Rebuilt for Python 3.9 + +* Wed Jan 29 2020 Fedora Release Engineering - 2.6.0-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 17 2020 Jakub Hrozek +- Resolves: #1778645 - lasso-2.6.0-19.fc32 FTBFS: + non_regression_tests.c:240:51: error: initializer + element is not constant + +* Mon Sep 2 2019 Jakub Hrozek - 2.6.0-19 +- Resolves: #1730010 - lasso includes "Destination" attribute in 
SAML + AuthnRequest populated with SP + AssertionConsumerServiceURL when ECP workflow + is used which leads to IdP-side errors + +* Sun Sep 1 2019 Jakub Hrozek - 2.6.0-18 +- Let tests run longer +- Resolves: #1743888 - lasso unit tests time out on slower arches (e.g. arm) + +* Mon Aug 19 2019 Miro Hrončok - 2.6.0-17 +- Rebuilt for Python 3.8 + +* Thu Jul 25 2019 Fedora Release Engineering - 2.6.0-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jun 17 2019 Jakub Hrozek - 2.6.0-15 +- Use the upstream patch that uses a self-signed cert in tests +- Related: #1705700 - lasso FTBFS because an expired certificate is + used in the tests +- Resolves: #1634266 - ECP signature check fails with + LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when assertion + signed instead of response + +* Tue Jun 04 2019 Jitka Plesnikova - 2.6.0-14 +- Perl 5.30 re-rebuild updated packages + +* Mon Jun 3 2019 Jakub Hrozek - 2.6.0-13 +- Don't use the expired certificate the tarball provides for tests +- Resolves: #1705700 - lasso FTBFS because an expired certificate is + used in the tests + +* Fri May 31 2019 Jitka Plesnikova - 2.6.0-12 +- Perl 5.30 rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 2.6.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Dec 04 2018 Xavier Bachelot - 2.6.0-10 +- Specfile clean up: + - Consolidate BuildRequires + - Remove Group: tags + - Uppercase and move Url: tag + - Use %%license for COPYING + - Use %%make_build + - Use %%autosetup + - Don't glob soname to prevent unintentionnal soname bump + - Use %%ldconfig_scriptlets + - Specify all perl dependencies in BR:s + - Drop useless %%attr in php-lasso sub-package + +* Mon Dec 03 2018 Xavier Bachelot - 2.6.0-9 +- Generate perl requires/provides. 
+ +* Tue Jul 17 2018 - 2.6.0-8 +- more py2/py3 build dependencies fixes + +* Fri Jul 13 2018 Fedora Release Engineering - 2.6.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Sat Jul 7 2018 - 2.6.0-6 +- Modify configure to search for versioned python +- Resolves: rhbz#1598047 + +* Wed Jul 04 2018 Petr Pisar - 2.6.0-5 +- Perl 5.28 rebuild + +* Mon Jul 02 2018 Miro Hrončok - 2.6.0-4 +- Rebuilt for Python 3.7 + +* Sat Jun 30 2018 Jitka Plesnikova - 2.6.0-3 +- Perl 5.28 rebuild + +* Wed Jun 27 2018 - 2.6.0-2 +- fix language bindings package names to comply with guidelines, + instead of %%{name}-lang use lang-%%{name} +- fix conditional logic used to build on rhel + +* Tue Jun 26 2018 - 2.6.0-1 +- Upgrade to latest upstream +- Build using Python3, add python3 subpackage +- Resolves: rhbz#1592416 Enable perl subpackage + +* Wed May 2 2018 John Dennis - 2.5.1-13 +- add xmlsec1 version dependency + +* Tue May 1 2018 John Dennis - 2.5.1-12 +- Resolves: rhbz#1542126, rhbz#1556016 +- xmlsec removed SOAP support, reimplement missing xmlSecSoap* in Lasso + +* Wed Feb 07 2018 Fedora Release Engineering - 2.5.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Jan 05 2018 Iryna Shcherbina - 2.5.1-10 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek - 2.5.1-9 +- Add Provides for the old name without %%_isa + +* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 2.5.1-8 +- Python 2 binary package renamed to python2-lasso + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Thu Aug 03 2017 Fedora Release Engineering - 2.5.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2.5.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release 
Engineering - 2.5.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jul 19 2016 Fedora Release Engineering - 2.5.1-4 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Jun 30 2016 John Dennis - 2.5.1-3 +- disbable PHP binding because PHP-7 is now the default and lasso + only knows how to build with PHP-5 + +* Wed Jun 15 2016 John Dennis - 2.5.1-2 +- fix CFLAGS override in configure + +* Mon Feb 22 2016 John Dennis - 2.5.1-1 +- Upgrade to upstream 2.5.1 release + See Changelog for details, mostly bugs fixes, + most signficant is proper support of SHA-2 + Resolves: #1295472 + Resolves: #1303573 +- Add java_binding_lasso_log.patch to fix "make check" failure during rpmbuild + upstream commit d8e3ae8 + +* Thu Feb 04 2016 Fedora Release Engineering - 2.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Sep 14 2015 John Dennis - 2.5.0-1 +- Upgrade to new upstream 2.5.0 release + Includes ECP support + +* Wed Jun 17 2015 Fedora Release Engineering - 2.4.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Mar 23 2015 Rob Crittenden - 2.4.1-3 +- Add BuildRequires on libtool +- Add -fPIC to LDFLAGS +- Disable perl bindings, it fails to build on x86. 
+ +* Fri Jan 23 2015 Simo Sorce - 2.4.1-2 +- Enable perl bindings +- Also add support for building with automake 1.15 +- Fix build issues on rawhide due to missing build dep on perl(Error) + +* Thu Aug 28 2014 Simo Sorce - 2.4.1-1 +- New upstream relase 2.4.1 +- Drop patches as they have all been integrated upstream + +* Sun Aug 17 2014 Fedora Release Engineering - 2.4.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jun 20 2014 Remi Collet - 2.4.0-4 +- rebuild for https://fedoraproject.org/wiki/Changes/Php56 +- add numerical prefix to extension configuration file +- drop unneeded dependency on pecl +- add provides php-lasso + +* Sat Jun 07 2014 Fedora Release Engineering - 2.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Apr 25 2014 Simo Sorce - 2.4.0-2 +- Fixes for arches where pointers and integers do not have the same size + (ppc64, s390, etc..) + +* Mon Apr 14 2014 Stanislav Ochotnicky - 2.4.0-1 +- Use OpenJDK instead of GCJ for java bindings + +* Sat Jan 11 2014 Simo Sorce 2.4.0-0 +- Update to final 2.4.0 version +- Drop all patches, they are now included in 2.4.0 +- Change Source URI + +* Mon Dec 9 2013 Simo Sorce 2.3.6-0.20131125.5 +- Add patches to fix rpmlint license issues +- Add upstream patches to fix some build issues + +* Thu Dec 5 2013 Simo Sorce 2.3.6-0.20131125.4 +- Add patch to support automake-1.14 for rawhide + +* Mon Nov 25 2013 Simo Sorce 2.3.6-0.20131125.3 +- Initial packaging +- Based on the spec file by Jean-Marc Liger +- Code is updated to latest master via a jumbo patch while waiting for + official upstream release. +- Jumbo patch includes also additional patches sent to upstream list) + to build on Fedora 20 +- Perl bindings are disabled as they fail to build +- Disable doc building as it doesn't ork correctly for now