commit
ffd2b0ff34
@ -0,0 +1 @@
|
|||||||
|
SOURCES/lasso-2.7.0.tar.gz
|
@ -0,0 +1 @@
|
|||||||
|
7a4175eb925427504ac5d42bb3644a97fc188409 SOURCES/lasso-2.7.0.tar.gz
|
@ -0,0 +1,104 @@
|
|||||||
|
From 8b8fd22a168860c5034822472d1fb5745f8fa0f5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Wed, 16 Jun 2021 10:18:30 +0200
|
||||||
|
Subject: [PATCH] Fix lasso_query_sign HMAC other than SHA1 (#54037)
|
||||||
|
|
||||||
|
The switch clause was using SHA1 digests for all digest types when
|
||||||
|
signing. This obviously breaks verifying the signatures if HMAC-SHAXXX
|
||||||
|
is used and XXX is something else than 1.
|
||||||
|
---
|
||||||
|
lasso/xml/tools.c | 35 +++++++++++++++++++++++------------
|
||||||
|
tests/login_tests_saml2.c | 6 +++---
|
||||||
|
2 files changed, 26 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
|
||||||
|
index 96d88a2c4..290fd55f2 100644
|
||||||
|
--- a/lasso/xml/tools.c
|
||||||
|
+++ b/lasso/xml/tools.c
|
||||||
|
@@ -594,22 +594,20 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
||||||
|
sigret_size = DSA_size(dsa);
|
||||||
|
break;
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||||
|
+ md = EVP_sha1();
|
||||||
|
+ sigret_size = EVP_MD_size(md);
|
||||||
|
+ break;
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||||
|
+ md = EVP_sha256();
|
||||||
|
+ sigret_size = EVP_MD_size(md);
|
||||||
|
+ break;
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||||
|
+ md = EVP_sha384();
|
||||||
|
+ sigret_size = EVP_MD_size(md);
|
||||||
|
+ break;
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||||
|
- if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||||
|
- &hmac_key_length))) {
|
||||||
|
- message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- g_assert(hmac_key);
|
||||||
|
- md = EVP_sha1();
|
||||||
|
+ md = EVP_sha512();
|
||||||
|
sigret_size = EVP_MD_size(md);
|
||||||
|
- /* key should be at least 128 bits long */
|
||||||
|
- if (hmac_key_length < 16) {
|
||||||
|
- critical("HMAC key should be at least 128 bits long");
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
g_assert_not_reached();
|
||||||
|
@@ -645,6 +643,19 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||||
|
+ if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||||
|
+ &hmac_key_length))) {
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ g_assert(hmac_key);
|
||||||
|
+
|
||||||
|
+ /* key should be at least 128 bits long */
|
||||||
|
+ if (hmac_key_length < 16) {
|
||||||
|
+ critical("HMAC key should be at least 128 bits long");
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
HMAC(md, hmac_key, hmac_key_length, (unsigned char *)new_query,
|
||||||
|
strlen(new_query), sigret, &siglen);
|
||||||
|
status = 1;
|
||||||
|
diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
|
||||||
|
index e331c07a7..e1d78b5b1 100644
|
||||||
|
--- a/tests/login_tests_saml2.c
|
||||||
|
+++ b/tests/login_tests_saml2.c
|
||||||
|
@@ -981,7 +981,7 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallba
|
||||||
|
lasso_release_gobject(sp_login_context);
|
||||||
|
}
|
||||||
|
|
||||||
|
-START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
|
||||||
|
+START_TEST(test07_sso_sp_with_hmac_sha256_signatures)
|
||||||
|
{
|
||||||
|
LassoServer *idp_context = NULL;
|
||||||
|
LassoServer *sp_context = NULL;
|
||||||
|
@@ -990,7 +990,7 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
|
||||||
|
|
||||||
|
/* Create the shared key */
|
||||||
|
key = lasso_key_new_for_signature_from_memory("xxxxxxxxxxxxxxxx", 16,
|
||||||
|
- NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA1, NULL);
|
||||||
|
+ NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA256, NULL);
|
||||||
|
check_true(LASSO_IS_KEY(key));
|
||||||
|
|
||||||
|
/* Create an IdP context for IdP initiated SSO with provider metadata 1 */
|
||||||
|
@@ -1640,7 +1640,7 @@ login_saml2_suite()
|
||||||
|
tcase_add_test(tc_spSloSoap, test04_sso_then_slo_soap);
|
||||||
|
tcase_add_test(tc_idpKeyRollover, test05_sso_idp_with_key_rollover);
|
||||||
|
tcase_add_test(tc_spKeyRollover, test06_sso_sp_with_key_rollover);
|
||||||
|
- tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha1_signatures);
|
||||||
|
+ tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha256_signatures);
|
||||||
|
tcase_add_test(tc_spLogin, test08_test_authnrequest_flags);
|
||||||
|
tcase_add_test(tc_ecp, test09_ecp);
|
||||||
|
tcase_add_test(tc_ecp, test10_ecp);
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,129 @@
|
|||||||
|
From f625eaa007fa3a1f6c846be0d70d26de33887714 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Wed, 16 Jun 2021 10:28:53 +0200
|
||||||
|
Subject: [PATCH 2/7] tests: Move test08_lasso_key and
|
||||||
|
test07_saml2_query_verify_signature to SHA256 (#54037)
|
||||||
|
|
||||||
|
These tests use a hardcoded query and private key which makes it
|
||||||
|
unsuitable to make the tests use the configured default digest. Let's
|
||||||
|
just convert them to SHA256 unconditionally.
|
||||||
|
---
|
||||||
|
tests/random_tests.c | 46 ++++++++++++++++++++++----------------------
|
||||||
|
1 file changed, 23 insertions(+), 23 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/random_tests.c b/tests/random_tests.c
|
||||||
|
index c4fe85883..fa0367a3c 100644
|
||||||
|
--- a/tests/random_tests.c
|
||||||
|
+++ b/tests/random_tests.c
|
||||||
|
@@ -287,11 +287,11 @@ extern int lasso_saml2_query_verify_signature(const char *query, const xmlSecKey
|
||||||
|
START_TEST(test07_saml2_query_verify_signature)
|
||||||
|
{
|
||||||
|
/* normal query as produces by Lasso */
|
||||||
|
- const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D";
|
||||||
|
+ const char query1[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D";
|
||||||
|
/* SAMLRequest field was moved in the middle, Signature to the beginning and all & were
|
||||||
|
* changed to ; */
|
||||||
|
- const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
|
||||||
|
- const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D";
|
||||||
|
+ const char query2[] = "Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256";
|
||||||
|
+ const char query3[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D";
|
||||||
|
/* sp5-saml2 key */
|
||||||
|
const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
|
||||||
|
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
|
||||||
|
@@ -317,7 +317,7 @@ LlTxKnCrWAXftSm1rNtewTsF\n\
|
||||||
|
-----END CERTIFICATE-----";
|
||||||
|
|
||||||
|
xmlSecKeyPtr key = lasso_xmlsec_load_private_key_from_buffer(pkey, sizeof(pkey)-1, NULL,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
|
||||||
|
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
|
||||||
|
|
||||||
|
fail_unless(key != NULL, "Cannot load public key");
|
||||||
|
fail_unless(lasso_saml2_query_verify_signature(query1, key) == 0, "Signature was not validated");
|
||||||
|
@@ -332,11 +332,11 @@ END_TEST
|
||||||
|
START_TEST(test08_lasso_key)
|
||||||
|
{
|
||||||
|
/* normal query as produces by Lasso */
|
||||||
|
- const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D";
|
||||||
|
+ const char query1[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D";
|
||||||
|
/* SAMLRequest field was moved in the middle, Signature to the beginning and all & were
|
||||||
|
* changed to ; */
|
||||||
|
- const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
|
||||||
|
- const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D";
|
||||||
|
+ const char query2[] = "Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256";
|
||||||
|
+ const char query3[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D";
|
||||||
|
/* sp5-saml2 key */
|
||||||
|
const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
|
||||||
|
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
|
||||||
|
@@ -361,29 +361,29 @@ NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR\n\
|
||||||
|
LlTxKnCrWAXftSm1rNtewTsF\n\
|
||||||
|
-----END CERTIFICATE-----";
|
||||||
|
LassoKey *key = lasso_key_new_for_signature_from_memory(pkey, strlen(pkey), NULL,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
|
||||||
|
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
|
||||||
|
LassoKey *key2 = lasso_key_new_for_signature_from_file(
|
||||||
|
TESTSDATADIR "/sp5-saml2/private-key.pem", NULL,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
|
||||||
|
- char *message = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_E3F8E9116EE08F0E2607CF9789649BB4\" Version=\"2.0\" IssueInstant=\"2012-03-09T11:34:48Z\" ForceAuthn=\"false\" IsPassive=\"false\"><saml:Issuer>http://sp5/metadata</saml:Issuer><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n\
|
||||||
|
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
|
||||||
|
+ char *message = "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"><s:Body><samlp:ArtifactResolve ID=\"_5E4DB038BC15C020CE085F743D485443\" Version=\"2.0\" IssueInstant=\"2021-06-18T16:07:49Z\" Destination=\"http://idp5/artifact\"><saml:Issuer>http://sp5/metadata</saml:Issuer><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n\
|
||||||
|
<SignedInfo>\n\
|
||||||
|
<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
|
||||||
|
-<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n\
|
||||||
|
-<Reference URI=\"#_E3F8E9116EE08F0E2607CF9789649BB4\">\n\
|
||||||
|
+<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n\
|
||||||
|
+<Reference URI=\"#_5E4DB038BC15C020CE085F743D485443\">\n\
|
||||||
|
<Transforms>\n\
|
||||||
|
<Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>\n\
|
||||||
|
<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
|
||||||
|
</Transforms>\n\
|
||||||
|
-<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>\n\
|
||||||
|
-<DigestValue>tMncKjklMJaJLbmB7bARmX14Fdg=</DigestValue>\n\
|
||||||
|
+<DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>\n\
|
||||||
|
+<DigestValue>1Xy/VevGqojdKIvLzkczdd9Mp3AFYvZfsakldADTuO4=</DigestValue>\n\
|
||||||
|
</Reference>\n\
|
||||||
|
</SignedInfo>\n\
|
||||||
|
-<SignatureValue>VjAHErXE8rz5yQ/t9Ubws11E59PsU/tXPtL6eCMAVLQxV4Bv0dwyYkeHtge1DXDT\n\
|
||||||
|
-usTy1c17+iuYCVqD3Db51+LMVsHchj0j44fhu/PXNQTmgiT2AuVfH97YhiBWykAs\n\
|
||||||
|
-LwT8MiE9vNGiHQwsWVjhdzooVmU0M80m0Ij2DFMcYiKzmuMhE4M65qUO4tygQLiL\n\
|
||||||
|
-YB5oPe0VYKEBJLfaTvuijLBTi4ecx6aU+HptAvuEOcCbcJZtGyv7jr2yuEDSq72S\n\
|
||||||
|
-0hwOV0CIsQoSf/vL7R9RzTs2bpgYVGqgerhpWsz6dqo7YX0NSj9pMbXZiOyX/YzS\n\
|
||||||
|
-uP3QSjow05NiPhy8ywKW8A==</SignatureValue>\n\
|
||||||
|
+<SignatureValue>R5unK5JQ8no8VCokUKKw8zXglIsjggH16cQxnqKl2GpFeeFh8Tzi4KRXTzVNXi9c\n\
|
||||||
|
+dID0FTAsFM2Ol5Sqg/j2TVasR93PyIg2pUOb00tNwx8D81xEi1lXdWThHfiinYI0\n\
|
||||||
|
+2qJSFj1H8wt/ceULmnvC0F01ga78LQervkjMaSpqlvyKYrNNOEJEYo0SJSUnUE5p\n\
|
||||||
|
+wlv30BjnUCyXWQl9i03MvpPSOTJkXrFLqbJB8rB/HNdS71lWAU3k8r56OAxzTXUn\n\
|
||||||
|
+WXr73mrQrLGJzbofDjO1Lfz8JpZXRzsffAsMCxKfoL+VzrElPNW5aklrFm603w2w\n\
|
||||||
|
+6/xQk0BsHvPP8k6V32RuXQ==</SignatureValue>\n\
|
||||||
|
<KeyInfo>\n\
|
||||||
|
<KeyValue>\n\
|
||||||
|
<RSAKeyValue>\n\
|
||||||
|
@@ -401,7 +401,7 @@ AQAB\n\
|
||||||
|
</RSAKeyValue>\n\
|
||||||
|
</KeyValue>\n\
|
||||||
|
</KeyInfo>\n\
|
||||||
|
-</Signature><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" AllowCreate=\"true\"/></samlp:AuthnRequest>";
|
||||||
|
+</Signature><samlp:Artifact>AAQAALQUO+cobSry7mQpUjWDhKkaePFoNDRBMDY3RDY3QjNFM0QzQzA1NzQ=</samlp:Artifact></samlp:ArtifactResolve></s:Body></s:Envelope>";
|
||||||
|
xmlDoc *doc;
|
||||||
|
|
||||||
|
doc = xmlParseDoc(BAD_CAST message);
|
||||||
|
@@ -411,7 +411,7 @@ AQAB\n\
|
||||||
|
fail_unless(lasso_key_query_verify(key, query2) == 0, "Disordered signature was not validated");
|
||||||
|
fail_unless(lasso_key_query_verify(key, query3) != 0, "Altered signature was validated");
|
||||||
|
fail_unless(lasso_key_saml2_xml_verify(key,
|
||||||
|
- "_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0,
|
||||||
|
+ "_5E4DB038BC15C020CE085F743D485443", xmlDocGetRootElement(doc)) == 0,
|
||||||
|
"XML Signature is not validated");
|
||||||
|
g_object_unref(key);
|
||||||
|
fail_unless(key2 != NULL, "Cannot load public key2");
|
||||||
|
@@ -420,7 +420,7 @@ AQAB\n\
|
||||||
|
fail_unless(lasso_key_query_verify(key2, query2) == 0, "Disordered signature was not validated");
|
||||||
|
fail_unless(lasso_key_query_verify(key2, query3) != 0, "Altered signature was validated");
|
||||||
|
fail_unless(lasso_key_saml2_xml_verify(key2,
|
||||||
|
- "_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0,
|
||||||
|
+ "_5E4DB038BC15C020CE085F743D485443", xmlDocGetRootElement(doc)) == 0,
|
||||||
|
"XML Signature is not validated");
|
||||||
|
g_object_unref(key2);
|
||||||
|
lasso_release_doc(doc);
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,363 @@
|
|||||||
|
From f095ac8f5740b6eee687cac97840bc7e72992999 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Mon, 7 Jun 2021 12:27:15 +0200
|
||||||
|
Subject: [PATCH 3/7] Make the default signature method and the minimal hash
|
||||||
|
strength configurable (#54037)
|
||||||
|
|
||||||
|
Adds two new configure options:
|
||||||
|
--with-default-sign-algo
|
||||||
|
--min-hash-algo
|
||||||
|
|
||||||
|
--with-default-sign-algo sets the default signing algorithm and defaults
|
||||||
|
to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and
|
||||||
|
rsa-sha256.
|
||||||
|
|
||||||
|
--min-hash-algo sets the minimum hash algorithm to be accepted. The
|
||||||
|
default is sha1 for backwards compatibility as well.
|
||||||
|
|
||||||
|
Related:
|
||||||
|
https://dev.entrouvert.org/issues/54037
|
||||||
|
---
|
||||||
|
configure.ac | 42 +++++++++++++++++++++++++++++
|
||||||
|
lasso/id-ff/server.c | 2 +-
|
||||||
|
lasso/id-ff/server.h | 2 ++
|
||||||
|
lasso/lasso.c | 51 +++++++++++++++++++++++++++++++++++
|
||||||
|
lasso/xml/tools.c | 63 +++++++++++++++++++++++++++++++++++---------
|
||||||
|
lasso/xml/xml.c | 24 +++++++++++++++++
|
||||||
|
lasso/xml/xml.h | 9 +++++++
|
||||||
|
tests/random_tests.c | 6 ++---
|
||||||
|
8 files changed, 182 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index b527def43..2cdfbb149 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -795,6 +795,43 @@ else
|
||||||
|
AC_MSG_RESULT(no)
|
||||||
|
fi
|
||||||
|
|
||||||
|
+AC_ARG_WITH([default-sign-algo],
|
||||||
|
+ [AS_HELP_STRING([--with-default-sign-algo=[rsa-sha1|rsa-sha256]],
|
||||||
|
+ [Default signing algorithm (rsa-sha1)]
|
||||||
|
+ )
|
||||||
|
+ ]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+SIGNING_ALGO=rsa-sha1
|
||||||
|
+if test x"$with_default_sign_algo" != x; then
|
||||||
|
+ if test ! "$with_default_sign_algo" = "rsa-sha1" -a ! "$with_default_sign_algo" = "rsa-sha256"; then
|
||||||
|
+ AC_MSG_ERROR("Default signing algorithm must be either rsa-sha1 or rsa-sha256")
|
||||||
|
+ else
|
||||||
|
+ SIGNING_ALGO=$with_default_sign_algo
|
||||||
|
+ fi
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+AC_DEFINE_UNQUOTED(DEFAULT_SIGNING_ALGO, "$SIGNING_ALGO", ["The default signing algorithm"])
|
||||||
|
+
|
||||||
|
+AC_ARG_WITH([min-hash-algo],
|
||||||
|
+ [AS_HELP_STRING([--with-min-hash-algo=[sha1|sha256|sha384|sha512]],
|
||||||
|
+ [Minimal allowed hash algorithm (rsa-sha1)]
|
||||||
|
+ )
|
||||||
|
+ ]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+MIN_HASH_ALGO=sha1
|
||||||
|
+if test x"$with_min_hash_algo" != x; then
|
||||||
|
+ if test ! "$with_min_hash_algo" = "sha1" -a ! "$with_min_hash_algo" = "sha256" -a ! "$with_min_hash_algo" = "sha384" -a ! "$with_min_hash_algo" = "sha512"; then
|
||||||
|
+ AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512)
|
||||||
|
+ else
|
||||||
|
+ MIN_HASH_ALGO=$with_min_hash_algo
|
||||||
|
+ fi
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+AC_DEFINE_UNQUOTED(MIN_HASH_ALGO, "$MIN_HASH_ALGO", ["The minimal hash algorithm"])
|
||||||
|
+
|
||||||
|
+
|
||||||
|
dnl ==========================================================================
|
||||||
|
dnl Pedantic compilation
|
||||||
|
dnl ==========================================================================
|
||||||
|
@@ -939,4 +976,9 @@ Python binding: ${enable_python}
|
||||||
|
|
||||||
|
C API references: ${enable_gtk_doc}
|
||||||
|
Tests suite: ${enable_tests}
|
||||||
|
+
|
||||||
|
+Crypto settings
|
||||||
|
+---------------
|
||||||
|
+Default signature: ${SIGNING_ALGO}
|
||||||
|
+Minimal accepted hash: ${MIN_HASH_ALGO}
|
||||||
|
)
|
||||||
|
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
|
||||||
|
index 08bbde833..2bf5b7a8c 100644
|
||||||
|
--- a/lasso/id-ff/server.c
|
||||||
|
+++ b/lasso/id-ff/server.c
|
||||||
|
@@ -682,7 +682,7 @@ instance_init(LassoServer *server)
|
||||||
|
server->private_key = NULL;
|
||||||
|
server->private_key_password = NULL;
|
||||||
|
server->certificate = NULL;
|
||||||
|
- server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||||
|
+ server->signature_method = lasso_get_default_signature_method();
|
||||||
|
|
||||||
|
server->services = g_hash_table_new_full(g_str_hash, g_str_equal,
|
||||||
|
(GDestroyNotify)g_free,
|
||||||
|
diff --git a/lasso/id-ff/server.h b/lasso/id-ff/server.h
|
||||||
|
index 8b4192793..5f9022e9d 100644
|
||||||
|
--- a/lasso/id-ff/server.h
|
||||||
|
+++ b/lasso/id-ff/server.h
|
||||||
|
@@ -133,6 +133,8 @@ LASSO_EXPORT gchar *lasso_server_get_endpoint_url_by_id(const LassoServer *serve
|
||||||
|
LASSO_EXPORT GList *lasso_server_get_filtered_provider_list(const LassoServer *server,
|
||||||
|
LassoProviderRole role, LassoMdProtocolType protocol_type, LassoHttpMethod http_method);
|
||||||
|
|
||||||
|
+LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();
|
||||||
|
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
diff --git a/lasso/lasso.c b/lasso/lasso.c
|
||||||
|
index 087485998..67340317d 100644
|
||||||
|
--- a/lasso/lasso.c
|
||||||
|
+++ b/lasso/lasso.c
|
||||||
|
@@ -149,6 +149,44 @@ lasso_xmlsec_errors_callback(const char *file G_GNUC_UNUSED, int line G_GNUC_UNU
|
||||||
|
g_log("libxmlsec", G_LOG_LEVEL_DEBUG, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+set_default_signature_method()
|
||||||
|
+{
|
||||||
|
+ int rv = LASSO_ERROR_UNDEFINED;
|
||||||
|
+
|
||||||
|
+ if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha256")) {
|
||||||
|
+ lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
|
||||||
|
+ rv = 0;
|
||||||
|
+ } else if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha1")) {
|
||||||
|
+ lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ rv = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+set_min_allowed_hash_algo()
|
||||||
|
+{
|
||||||
|
+ int rv = LASSO_ERROR_UNDEFINED;
|
||||||
|
+
|
||||||
|
+ if (lasso_strisequal(MIN_HASH_ALGO, "sha1")) {
|
||||||
|
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ rv = 0;
|
||||||
|
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha256")) {
|
||||||
|
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
|
||||||
|
+ rv = 0;
|
||||||
|
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha384")) {
|
||||||
|
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA384);
|
||||||
|
+ rv = 0;
|
||||||
|
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha512")) {
|
||||||
|
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA512);
|
||||||
|
+ rv = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* lasso_init:
|
||||||
|
*
|
||||||
|
@@ -164,6 +202,19 @@ int lasso_init()
|
||||||
|
g_type_init();
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+ /* Set the default hash algo */
|
||||||
|
+ if (set_default_signature_method() != 0) {
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Unsupported signature "
|
||||||
|
+ "algorithm "DEFAULT_SIGNING_ALGO" configured");
|
||||||
|
+ return LASSO_ERROR_UNDEFINED;
|
||||||
|
+ }
|
||||||
|
+ if (set_min_allowed_hash_algo() != 0) {
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Unsupported hash algorithm "
|
||||||
|
+ "algorithm "MIN_HASH_ALGO" configured");
|
||||||
|
+ return LASSO_ERROR_UNDEFINED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* Init Lasso classes */
|
||||||
|
for (i=0; functions[i]; i++)
|
||||||
|
functions[i]();
|
||||||
|
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
|
||||||
|
index 290fd55f2..ce322ee1f 100644
|
||||||
|
--- a/lasso/xml/tools.c
|
||||||
|
+++ b/lasso/xml/tools.c
|
||||||
|
@@ -1505,16 +1505,6 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha512Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha512Id) < 0)
|
||||||
|
@@ -1523,15 +1513,62 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
|
||||||
|
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed signature transforms");
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA384) {
|
||||||
|
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0)) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 signature transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 reference transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA256) {
|
||||||
|
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0)) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 signature transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 reference transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA1) {
|
||||||
|
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 signature transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 reference transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NWithCommentsId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
|
||||||
|
|
||||||
|
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
|
||||||
|
index 938844baf..f017ebbe3 100644
|
||||||
|
--- a/lasso/xml/xml.c
|
||||||
|
+++ b/lasso/xml/xml.c
|
||||||
|
@@ -91,6 +91,10 @@ GHashTable *dst_services_by_prefix = NULL; /* ID-WSF 1 extra DST services, index
|
||||||
|
GHashTable *idwsf2_dst_services_by_href = NULL; /* ID-WSF 2 DST services, indexed on href */
|
||||||
|
GHashTable *idwsf2_dst_services_by_prefix = NULL; /* ID-WSF 2 DST services, indexed on prefix */
|
||||||
|
|
||||||
|
+
|
||||||
|
+static LassoSignatureMethod default_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||||
|
+static LassoSignatureMethod min_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||||
|
+
|
||||||
|
/*****************************************************************************/
|
||||||
|
/* global methods */
|
||||||
|
/*****************************************************************************/
|
||||||
|
@@ -3689,3 +3693,23 @@ lasso_node_new_from_saml2_query(const char *url_or_qs, const char *param_name, L
|
||||||
|
cleanup:
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+LassoSignatureMethod
|
||||||
|
+lasso_get_default_signature_method() {
|
||||||
|
+ return default_signature_method;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+lasso_set_default_signature_method(LassoSignatureMethod meth) {
|
||||||
|
+ default_signature_method = meth;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+LassoSignatureMethod
|
||||||
|
+lasso_get_min_signature_method() {
|
||||||
|
+ return min_signature_method;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+lasso_set_min_signature_method(LassoSignatureMethod meth) {
|
||||||
|
+ min_signature_method = meth;
|
||||||
|
+}
|
||||||
|
diff --git a/lasso/xml/xml.h b/lasso/xml/xml.h
|
||||||
|
index 7660a0647..d0d3e1b0d 100644
|
||||||
|
--- a/lasso/xml/xml.h
|
||||||
|
+++ b/lasso/xml/xml.h
|
||||||
|
@@ -116,6 +116,15 @@ typedef enum {
|
||||||
|
LASSO_SIGNATURE_METHOD_LAST
|
||||||
|
} LassoSignatureMethod;
|
||||||
|
|
||||||
|
+/* signature method and hash strength */
|
||||||
|
+LassoSignatureMethod lasso_get_default_signature_method();
|
||||||
|
+
|
||||||
|
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
|
||||||
|
+
|
||||||
|
+LassoSignatureMethod lasso_get_min_signature_method();
|
||||||
|
+
|
||||||
|
+void lasso_set_min_signature_method(LassoSignatureMethod meth);
|
||||||
|
+
|
||||||
|
static inline gboolean
|
||||||
|
lasso_validate_signature_method(LassoSignatureMethod signature_method)
|
||||||
|
{
|
||||||
|
diff --git a/tests/random_tests.c b/tests/random_tests.c
|
||||||
|
index fa0367a3c..cf112c7e2 100644
|
||||||
|
--- a/tests/random_tests.c
|
||||||
|
+++ b/tests/random_tests.c
|
||||||
|
@@ -97,7 +97,7 @@ START_TEST(test01_server_new)
|
||||||
|
fail_unless(server->private_key != NULL);
|
||||||
|
fail_unless(server->private_key_password == NULL);
|
||||||
|
fail_unless(server->certificate != NULL);
|
||||||
|
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||||
|
fail_unless(provider->ProviderID != NULL);
|
||||||
|
fail_unless(provider->role == 0);
|
||||||
|
fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL));
|
||||||
|
@@ -115,7 +115,7 @@ START_TEST(test01_server_new)
|
||||||
|
fail_unless(server->private_key != NULL);
|
||||||
|
fail_unless(server->private_key_password == NULL);
|
||||||
|
fail_unless(server->certificate != NULL);
|
||||||
|
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||||
|
fail_unless(server->providers != NULL);
|
||||||
|
fail_unless(provider->ProviderID != NULL);
|
||||||
|
fail_unless(provider->role == 0, "provider->role != 0 => provider := %d", provider->role);
|
||||||
|
@@ -143,7 +143,7 @@ START_TEST(test02_server_add_provider)
|
||||||
|
fail_unless(server->private_key != NULL);
|
||||||
|
fail_unless(! server->private_key_password);
|
||||||
|
fail_unless(server->certificate != NULL);
|
||||||
|
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||||
|
fail_unless(server->providers != NULL);
|
||||||
|
lasso_server_add_provider(
|
||||||
|
server,
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,162 @@
|
|||||||
|
From 0d34c97be1c761a9eb12692e4cc4eac58feb7d19 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Tue, 15 Jun 2021 14:45:14 +0200
|
||||||
|
Subject: [PATCH 4/7] Mass-replace LASSO_SIGNATURE_METHOD_RSA_SHA1 with
|
||||||
|
lasso_get_default_signature_method() (#54037)
|
||||||
|
|
||||||
|
This should be backwards-compatible but at the same time use the
|
||||||
|
selected default instead of RSA-SHA1.
|
||||||
|
|
||||||
|
Related:
|
||||||
|
https://dev.entrouvert.org/issues/54037
|
||||||
|
---
|
||||||
|
lasso/id-ff/defederation.c | 2 +-
|
||||||
|
lasso/id-ff/logout.c | 6 +++---
|
||||||
|
lasso/id-ff/name_identifier_mapping.c | 4 ++--
|
||||||
|
lasso/id-ff/name_registration.c | 4 ++--
|
||||||
|
lasso/id-ff/provider.c | 2 +-
|
||||||
|
lasso/xml/tools.c | 2 +-
|
||||||
|
tests/basic_tests.c | 6 +++---
|
||||||
|
7 files changed, 13 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c
|
||||||
|
index d711e4eed..d2382f4ae 100644
|
||||||
|
--- a/lasso/id-ff/defederation.c
|
||||||
|
+++ b/lasso/id-ff/defederation.c
|
||||||
|
@@ -251,7 +251,7 @@ lasso_defederation_init_notification(LassoDefederation *defederation, gchar *rem
|
||||||
|
nameIdentifier,
|
||||||
|
profile->server->certificate ?
|
||||||
|
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ lasso_get_default_signature_method());
|
||||||
|
if (profile->msg_relayState) {
|
||||||
|
message(G_LOG_LEVEL_WARNING,
|
||||||
|
"RelayState was defined but can't be used "\
|
||||||
|
diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
|
||||||
|
index 20d04ed82..d307db586 100644
|
||||||
|
--- a/lasso/id-ff/logout.c
|
||||||
|
+++ b/lasso/id-ff/logout.c
|
||||||
|
@@ -396,7 +396,7 @@ lasso_logout_build_response_msg(LassoLogout *logout)
|
||||||
|
profile->server->certificate ?
|
||||||
|
LASSO_SIGNATURE_TYPE_WITHX509 :
|
||||||
|
LASSO_SIGNATURE_TYPE_SIMPLE,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1));
|
||||||
|
+ lasso_get_default_signature_method()));
|
||||||
|
} else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
|
||||||
|
lasso_assign_new_gobject(profile->response,
|
||||||
|
lasso_lib_logout_response_new_full(
|
||||||
|
@@ -608,7 +608,7 @@ lasso_logout_init_request(LassoLogout *logout, char *remote_providerID,
|
||||||
|
nameIdentifier,
|
||||||
|
profile->server->certificate ?
|
||||||
|
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ lasso_get_default_signature_method());
|
||||||
|
} else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */
|
||||||
|
is_http_redirect_get_method = TRUE;
|
||||||
|
lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(
|
||||||
|
@@ -990,7 +990,7 @@ lasso_logout_validate_request(LassoLogout *logout)
|
||||||
|
logout_request,
|
||||||
|
profile->server->certificate ?
|
||||||
|
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1));
|
||||||
|
+ lasso_get_default_signature_method()));
|
||||||
|
}
|
||||||
|
if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
|
||||||
|
lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
|
||||||
|
diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c
|
||||||
|
index 80af6fec4..f84020eb6 100644
|
||||||
|
--- a/lasso/id-ff/name_identifier_mapping.c
|
||||||
|
+++ b/lasso/id-ff/name_identifier_mapping.c
|
||||||
|
@@ -259,7 +259,7 @@ lasso_name_identifier_mapping_init_request(LassoNameIdentifierMapping *mapping,
|
||||||
|
targetNamespace,
|
||||||
|
profile->server->certificate ?
|
||||||
|
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ lasso_get_default_signature_method());
|
||||||
|
if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_REQUEST(profile->request) == FALSE) {
|
||||||
|
return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
|
||||||
|
}
|
||||||
|
@@ -458,7 +458,7 @@ lasso_name_identifier_mapping_validate_request(LassoNameIdentifierMapping *mappi
|
||||||
|
request,
|
||||||
|
profile->server->certificate ?
|
||||||
|
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ lasso_get_default_signature_method());
|
||||||
|
|
||||||
|
if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_RESPONSE(profile->response) == FALSE) {
|
||||||
|
return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
|
||||||
|
diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c
|
||||||
|
index 11dbf24fe..076cf9624 100644
|
||||||
|
--- a/lasso/id-ff/name_registration.c
|
||||||
|
+++ b/lasso/id-ff/name_registration.c
|
||||||
|
@@ -339,7 +339,7 @@ lasso_name_registration_init_request(LassoNameRegistration *name_registration,
|
||||||
|
idpNameIdentifier, spNameIdentifier, oldNameIdentifier,
|
||||||
|
profile->server->certificate ?
|
||||||
|
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ lasso_get_default_signature_method());
|
||||||
|
if (profile->request == NULL) {
|
||||||
|
return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
|
||||||
|
}
|
||||||
|
@@ -575,7 +575,7 @@ lasso_name_registration_validate_request(LassoNameRegistration *name_registratio
|
||||||
|
LASSO_LIB_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request),
|
||||||
|
profile->server->certificate ?
|
||||||
|
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ lasso_get_default_signature_method());
|
||||||
|
if (LASSO_IS_LIB_REGISTER_NAME_IDENTIFIER_RESPONSE(profile->response) == FALSE) {
|
||||||
|
return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
|
||||||
|
}
|
||||||
|
diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
|
||||||
|
index 32a907d43..961c3669d 100644
|
||||||
|
--- a/lasso/id-ff/provider.c
|
||||||
|
+++ b/lasso/id-ff/provider.c
|
||||||
|
@@ -1274,7 +1274,7 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi
|
||||||
|
|
||||||
|
if (public_key != NULL) {
|
||||||
|
xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
|
||||||
|
+ lasso_get_default_signature_method(), NULL);
|
||||||
|
if (key) {
|
||||||
|
lasso_list_add_new_sec_key(keys, key);
|
||||||
|
} else {
|
||||||
|
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
|
||||||
|
index ce322ee1f..cf6dade09 100644
|
||||||
|
--- a/lasso/xml/tools.c
|
||||||
|
+++ b/lasso/xml/tools.c
|
||||||
|
@@ -2746,7 +2746,7 @@ next:
|
||||||
|
content = xmlNodeGetContent(key_value);
|
||||||
|
if (content) {
|
||||||
|
result = lasso_xmlsec_load_private_key_from_buffer((char*)content,
|
||||||
|
- strlen((char*)content), NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
|
||||||
|
+ strlen((char*)content), NULL, lasso_get_default_signature_method(), NULL);
|
||||||
|
xmlFree(content);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
|
||||||
|
index f9cfef266..0652abc28 100644
|
||||||
|
--- a/tests/basic_tests.c
|
||||||
|
+++ b/tests/basic_tests.c
|
||||||
|
@@ -2008,16 +2008,16 @@ START_TEST(test14_lasso_key)
|
||||||
|
|
||||||
|
check_true(g_file_get_contents(TESTSDATADIR "sp1-la/private-key-raw.pem", &buffer, &length, NULL));
|
||||||
|
check_not_null(key = lasso_key_new_for_signature_from_memory(buffer,
|
||||||
|
- length, NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
|
||||||
|
+ length, NULL, lasso_get_default_signature_method(),
|
||||||
|
NULL));
|
||||||
|
lasso_release_gobject(key);
|
||||||
|
check_not_null(key = lasso_key_new_for_signature_from_file(TESTSDATADIR
|
||||||
|
- "sp1-la/private-key-raw.pem", NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
|
||||||
|
+ "sp1-la/private-key-raw.pem", NULL, lasso_get_default_signature_method(),
|
||||||
|
NULL));
|
||||||
|
lasso_release_gobject(key);
|
||||||
|
base64_encoded = g_base64_encode(BAD_CAST buffer, length);
|
||||||
|
check_not_null(key = lasso_key_new_for_signature_from_base64_string(base64_encoded, NULL,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL));
|
||||||
|
+ lasso_get_default_signature_method(), NULL));
|
||||||
|
lasso_release_string(base64_encoded);
|
||||||
|
lasso_release_string(buffer);
|
||||||
|
lasso_release_gobject(key);
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,160 @@
|
|||||||
|
From f9a3aca0cb31a412faae25dd9fdbbf3fb61cb62f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Tue, 15 Jun 2021 15:08:44 +0200
|
||||||
|
Subject: [PATCH 5/7] Check if the signature method is allowed in addition to
|
||||||
|
being valid (#54037)
|
||||||
|
|
||||||
|
Adds a new utility function lasso_allowed_signature_method() that checks
|
||||||
|
if the signature method is allowed. Previously, the code would only
|
||||||
|
check if the method was valid.
|
||||||
|
|
||||||
|
This new function is used whenever lasso_validate_signature_method was
|
||||||
|
previously used through lasso_ok_signature_method() which wraps both
|
||||||
|
validate and allowed.
|
||||||
|
|
||||||
|
lasso_allowed_signature_method() is also used on a couple of places,
|
||||||
|
notably lasso_query_verify_helper().
|
||||||
|
|
||||||
|
Related:
|
||||||
|
https://dev.entrouvert.org/issues/54037
|
||||||
|
---
|
||||||
|
lasso/id-ff/server.c | 4 ++--
|
||||||
|
lasso/saml-2.0/profile.c | 4 ++--
|
||||||
|
lasso/xml/tools.c | 11 ++++++++++-
|
||||||
|
lasso/xml/xml.c | 5 +++--
|
||||||
|
lasso/xml/xml.h | 13 +++++++++++++
|
||||||
|
5 files changed, 30 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
|
||||||
|
index 2bf5b7a8c..98a6c0214 100644
|
||||||
|
--- a/lasso/id-ff/server.c
|
||||||
|
+++ b/lasso/id-ff/server.c
|
||||||
|
@@ -909,7 +909,7 @@ lasso_server_get_signature_context_for_provider(LassoServer *server,
|
||||||
|
private_context = &provider->private_data->signature_context;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (private_context && lasso_validate_signature_method(private_context->signature_method)) {
|
||||||
|
+ if (private_context && lasso_ok_signature_method(private_context->signature_method)) {
|
||||||
|
lasso_assign_signature_context(*signature_context, *private_context);
|
||||||
|
} else {
|
||||||
|
rc = lasso_server_get_signature_context(server, signature_context);
|
||||||
|
@@ -1014,7 +1014,7 @@ lasso_server_export_to_query_for_provider_by_name(LassoServer *server, const cha
|
||||||
|
provider_id, &context));
|
||||||
|
query = lasso_node_build_query(node);
|
||||||
|
goto_cleanup_if_fail_with_rc(query, LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
|
||||||
|
- if (lasso_validate_signature_method(context.signature_method)) {
|
||||||
|
+ if (lasso_ok_signature_method(context.signature_method)) {
|
||||||
|
lasso_assign_new_string(query, lasso_query_sign(query, context));
|
||||||
|
}
|
||||||
|
goto_cleanup_if_fail_with_rc(query,
|
||||||
|
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
|
||||||
|
index 85f535ae0..412c391a6 100644
|
||||||
|
--- a/lasso/saml-2.0/profile.c
|
||||||
|
+++ b/lasso/saml-2.0/profile.c
|
||||||
|
@@ -1181,7 +1181,7 @@ lasso_saml20_profile_export_to_query(LassoProfile *profile, LassoNode *msg, char
|
||||||
|
"see #3.4.3 of saml-bindings-2.0-os");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (lasso_validate_signature_method(context.signature_method)) {
|
||||||
|
+ if (lasso_ok_signature_method(context.signature_method)) {
|
||||||
|
result = lasso_query_sign(unsigned_query, context);
|
||||||
|
goto_cleanup_if_fail_with_rc(result != NULL,
|
||||||
|
LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
|
||||||
|
@@ -1219,7 +1219,7 @@ lasso_saml20_profile_build_http_redirect(LassoProfile *profile,
|
||||||
|
goto_cleanup_if_fail_with_rc (url != NULL, LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
|
||||||
|
/* if message is signed, remove XML signature, add query signature */
|
||||||
|
lasso_assign_signature_context(context, lasso_node_get_signature(msg));
|
||||||
|
- if (lasso_validate_signature_method(context.signature_method)) {
|
||||||
|
+ if (lasso_ok_signature_method(context.signature_method)) {
|
||||||
|
lasso_node_remove_signature(msg);
|
||||||
|
}
|
||||||
|
lasso_check_good_rc(lasso_saml20_profile_export_to_query(profile, msg, &query, context));
|
||||||
|
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
|
||||||
|
index cf6dade09..077b1134d 100644
|
||||||
|
--- a/lasso/xml/tools.c
|
||||||
|
+++ b/lasso/xml/tools.c
|
||||||
|
@@ -499,7 +499,7 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
||||||
|
lasso_error_t rc = 0;
|
||||||
|
|
||||||
|
g_return_val_if_fail(query != NULL, NULL);
|
||||||
|
- g_return_val_if_fail(lasso_validate_signature_method(context.signature_method), NULL);
|
||||||
|
+ g_return_val_if_fail(lasso_ok_signature_method(context.signature_method), NULL);
|
||||||
|
|
||||||
|
key = context.signature_key;
|
||||||
|
sign_method = context.signature_method;
|
||||||
|
@@ -804,6 +804,12 @@ lasso_query_verify_helper(const char *signed_content, const char *b64_signature,
|
||||||
|
} else {
|
||||||
|
goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGALG);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* is the signature algo allowed */
|
||||||
|
+ goto_cleanup_if_fail_with_rc(
|
||||||
|
+ lasso_allowed_signature_method(method),
|
||||||
|
+ LASSO_DS_ERROR_INVALID_SIGALG);
|
||||||
|
+
|
||||||
|
/* decode signature */
|
||||||
|
signature = g_malloc(key_size+1);
|
||||||
|
goto_cleanup_if_fail_with_rc(
|
||||||
|
@@ -2434,6 +2440,9 @@ _lasso_xmlsec_load_key_from_buffer(const char *buffer, size_t length, const char
|
||||||
|
};
|
||||||
|
xmlSecKey *private_key = NULL;
|
||||||
|
|
||||||
|
+ /* is the signature algo allowed */
|
||||||
|
+ goto_cleanup_if_fail(lasso_allowed_signature_method(signature_method));
|
||||||
|
+
|
||||||
|
xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
|
||||||
|
switch (signature_method) {
|
||||||
|
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||||
|
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
|
||||||
|
index f017ebbe3..49574de68 100644
|
||||||
|
--- a/lasso/xml/xml.c
|
||||||
|
+++ b/lasso/xml/xml.c
|
||||||
|
@@ -824,7 +824,7 @@ lasso_legacy_extract_and_copy_signature_parameters(LassoNode *node, LassoNodeCla
|
||||||
|
node_data->sign_method_offset);
|
||||||
|
private_key_file = G_STRUCT_MEMBER(char *, node, node_data->private_key_file_offset);
|
||||||
|
certificate_file = G_STRUCT_MEMBER(char *, node, node_data->certificate_file_offset);
|
||||||
|
- if (! lasso_validate_signature_method(signature_method)) {
|
||||||
|
+ if (! lasso_ok_signature_method(signature_method)) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
if (lasso_node_set_signature(node,
|
||||||
|
@@ -1873,10 +1873,11 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
|
||||||
|
int what;
|
||||||
|
if (! lasso_get_integer_attribute(xmlnode, LASSO_SIGNATURE_METHOD_ATTRIBUTE,
|
||||||
|
BAD_CAST LASSO_LIB_HREF, &what,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1,
|
||||||
|
+ lasso_get_min_signature_method(),
|
||||||
|
LASSO_SIGNATURE_METHOD_LAST))
|
||||||
|
break;
|
||||||
|
method = what;
|
||||||
|
+
|
||||||
|
if (! lasso_get_integer_attribute(xmlnode, LASSO_SIGNATURE_METHOD_ATTRIBUTE,
|
||||||
|
BAD_CAST LASSO_LIB_HREF, &what, LASSO_SIGNATURE_TYPE_NONE+1,
|
||||||
|
LASSO_SIGNATURE_TYPE_LAST))
|
||||||
|
diff --git a/lasso/xml/xml.h b/lasso/xml/xml.h
|
||||||
|
index d0d3e1b0d..60c04eae5 100644
|
||||||
|
--- a/lasso/xml/xml.h
|
||||||
|
+++ b/lasso/xml/xml.h
|
||||||
|
@@ -132,6 +132,19 @@ lasso_validate_signature_method(LassoSignatureMethod signature_method)
|
||||||
|
&& signature_method < (LassoSignatureMethod)LASSO_SIGNATURE_METHOD_LAST;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static inline gboolean
|
||||||
|
+lasso_allowed_signature_method(LassoSignatureMethod signature_method)
|
||||||
|
+{
|
||||||
|
+ return signature_method >= lasso_get_min_signature_method();
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static inline gboolean
|
||||||
|
+lasso_ok_signature_method(LassoSignatureMethod signature_method)
|
||||||
|
+{
|
||||||
|
+ return lasso_validate_signature_method(signature_method) \
|
||||||
|
+ && lasso_allowed_signature_method(signature_method);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
typedef struct _LassoNode LassoNode;
|
||||||
|
typedef struct _LassoNodeClass LassoNodeClass;
|
||||||
|
typedef struct _LassoNodeClassData LassoNodeClassData;
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,30 @@
|
|||||||
|
From f70eee9ef7faa9ccfb6f815977431ae2e02260bc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Wed, 16 Jun 2021 12:23:47 +0200
|
||||||
|
Subject: [PATCH 6/7] python: Skip the DSA key test unless SHA-1 is configured
|
||||||
|
(#54037)
|
||||||
|
|
||||||
|
lasso supports DSA-XXX only with SHA-1. The alternative is to use
|
||||||
|
DSA-SHA256.
|
||||||
|
---
|
||||||
|
bindings/python/tests/profiles_tests.py | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
|
||||||
|
index 6ec612077..501fd9199 100755
|
||||||
|
--- a/bindings/python/tests/profiles_tests.py
|
||||||
|
+++ b/bindings/python/tests/profiles_tests.py
|
||||||
|
@@ -276,6 +276,10 @@ class LoginTestCase(unittest.TestCase):
|
||||||
|
|
||||||
|
def test07(self):
|
||||||
|
'''SAMLv2 SSO with DSA key for the IdP'''
|
||||||
|
+ default_sign_meth = lasso.getDefaultSignatureMethod()
|
||||||
|
+ if default_sign_meth != lasso.SIGNATURE_METHOD_RSA_SHA1:
|
||||||
|
+ self.skipTest("This test requires that lasso is compiled with SHA1 as the default signature method")
|
||||||
|
+
|
||||||
|
sp = lasso.Server(
|
||||||
|
os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
|
||||||
|
os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,41 @@
|
|||||||
|
From 1b0000e0163edc9d831894bf4aac7503f0294062 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Fri, 18 Jun 2021 18:45:38 +0200
|
||||||
|
Subject: [PATCH 7/7] test13_test_lasso_server_load_metadata: Don't verify
|
||||||
|
signature if lasso is not configured with sha-1 (#54037)
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/basic_tests.c | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
|
||||||
|
index 0652abc28..470d64fc6 100644
|
||||||
|
--- a/tests/basic_tests.c
|
||||||
|
+++ b/tests/basic_tests.c
|
||||||
|
@@ -1974,6 +1974,14 @@ START_TEST(test13_test_lasso_server_load_metadata)
|
||||||
|
LassoServer *server = NULL;
|
||||||
|
GList *loaded_entity_ids = NULL;
|
||||||
|
GList blacklisted_1 = { .data = "https://identities.univ-jfc.fr/idp/prod", .next = NULL };
|
||||||
|
+ const gchar *trusted_roots = TESTSDATADIR "/rootCA.crt";
|
||||||
|
+
|
||||||
|
+ /* The IDP metadata file is signed with rsa-sha1, so verifying it would
|
||||||
|
+ * fail incase sha1 is not available
|
||||||
|
+ */
|
||||||
|
+ if (lasso_get_default_signature_method() != LASSO_SIGNATURE_METHOD_RSA_SHA1) {
|
||||||
|
+ trusted_roots = NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
check_not_null(server = lasso_server_new(
|
||||||
|
TESTSDATADIR "/idp5-saml2/metadata.xml",
|
||||||
|
@@ -1983,7 +1991,7 @@ START_TEST(test13_test_lasso_server_load_metadata)
|
||||||
|
block_lasso_logs;
|
||||||
|
check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
|
||||||
|
TESTSDATADIR "/metadata/renater-metadata.xml",
|
||||||
|
- TESTSDATADIR "/rootCA.crt",
|
||||||
|
+ trusted_roots,
|
||||||
|
&blacklisted_1, &loaded_entity_ids,
|
||||||
|
LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
|
||||||
|
unblock_lasso_logs;
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,59 @@
|
|||||||
|
From 20f653f70818b85fe1b4de77a629fce352fb8cbd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Mon, 26 Jul 2021 16:25:52 +0200
|
||||||
|
Subject: [PATCH] lasso_saml20_login_process_response_status_and_assertion:
|
||||||
|
handle rc as per verify_hint
|
||||||
|
|
||||||
|
In case VERIFY_HINT was set to IGNORE and the login signature was
|
||||||
|
incorrect, lasso_saml20_login_process_response_status_and_assertion
|
||||||
|
would have jumped straight to the cleanup label which just returns the
|
||||||
|
return code. Let's jump to a new label handlerc instead which might set
|
||||||
|
the return code to 0 in case verify_hint is set to IGNORE.
|
||||||
|
|
||||||
|
Related: https://dev.entrouvert.org/issues/54689
|
||||||
|
---
|
||||||
|
lasso/saml-2.0/login.c | 20 ++++++--------------
|
||||||
|
1 file changed, 6 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
|
||||||
|
index cf62c1cc9..1d5668b5b 100644
|
||||||
|
--- a/lasso/saml-2.0/login.c
|
||||||
|
+++ b/lasso/saml-2.0/login.c
|
||||||
|
@@ -1371,7 +1371,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
|
||||||
|
char *status_value;
|
||||||
|
lasso_error_t rc = 0;
|
||||||
|
lasso_error_t assertion_signature_status = 0;
|
||||||
|
- LassoProfileSignatureVerifyHint verify_hint;
|
||||||
|
+ LassoProfileSignatureVerifyHint verify_hint = LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST;
|
||||||
|
|
||||||
|
profile = &login->parent;
|
||||||
|
lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
|
||||||
|
@@ -1492,20 +1492,12 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
|
||||||
|
lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
|
||||||
|
}
|
||||||
|
|
||||||
|
- switch (verify_hint) {
|
||||||
|
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
|
||||||
|
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
|
||||||
|
- break;
|
||||||
|
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
|
||||||
|
- /* ignore signature errors */
|
||||||
|
- if (rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
|
||||||
|
- rc = 0;
|
||||||
|
- }
|
||||||
|
- break;
|
||||||
|
- default:
|
||||||
|
- g_assert(0);
|
||||||
|
- }
|
||||||
|
cleanup:
|
||||||
|
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE &&
|
||||||
|
+ rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
|
||||||
|
+ profile->signature_status = rc;
|
||||||
|
+ rc = 0;
|
||||||
|
+ }
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,28 @@
|
|||||||
|
diff -up lasso-2.7.0/autogen.sh.noconfig lasso-2.7.0/autogen.sh
|
||||||
|
--- lasso-2.7.0/autogen.sh.noconfig 2021-06-28 22:39:00.473005330 +0200
|
||||||
|
+++ lasso-2.7.0/autogen.sh 2021-06-28 22:39:43.028114738 +0200
|
||||||
|
@@ -77,11 +77,6 @@ test $TEST_TYPE $FILE || {
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
-if test "$#" = 0; then
|
||||||
|
- echo "I am going to run ./configure with no arguments - if you wish "
|
||||||
|
- echo "to pass any to it, please specify them on the $0 command line."
|
||||||
|
-fi
|
||||||
|
-
|
||||||
|
# to support timj aclocal setup we are shipping gnome-doc-utils.m4
|
||||||
|
# and making sure automake picks it up ;)
|
||||||
|
# this is bad as -I prepends to the search path
|
||||||
|
@@ -107,12 +102,3 @@ autoconf || exit $?
|
||||||
|
|
||||||
|
echo "* Running $AUTOMAKE"
|
||||||
|
$AUTOMAKE --add-missing -Wno-portability $am_opt || exit $?
|
||||||
|
-
|
||||||
|
-cd "$THEDIR"
|
||||||
|
-
|
||||||
|
-if [ "$1" != "noconfig" ]; then
|
||||||
|
- $srcdir/configure --enable-gtk-doc --enable-maintainer-mode "$@" || exit $?
|
||||||
|
-fi
|
||||||
|
-
|
||||||
|
-echo
|
||||||
|
-echo "Now type 'make install' to install $PROJECT."
|
@ -0,0 +1,605 @@
|
|||||||
|
%global with_java 0
|
||||||
|
%global with_php 0
|
||||||
|
%global with_perl 1
|
||||||
|
# The Lasso build system requires python, especially the binding generators
|
||||||
|
%global with_python 1
|
||||||
|
%global with_python2 0
|
||||||
|
%global with_python3 0
|
||||||
|
%global with_wsf 0
|
||||||
|
%global obsolete_old_lang_subpackages 0
|
||||||
|
|
||||||
|
%if %{with_php}
|
||||||
|
%if "%{php_version}" < "5.6"
|
||||||
|
%global ini_name %{name}.ini
|
||||||
|
%else
|
||||||
|
%global ini_name 40-%{name}.ini
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if (0%{?fedora} > 0 && 0%{?fedora} <= 29) || (0%{?rhel} > 0 && 0%{?rhel} <= 7)
|
||||||
|
%global obsolete_old_lang_subpackages 1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_python}
|
||||||
|
%if (0%{?fedora} > 0 && 0%{?fedora} < 32) || (0%{?rhel} > 0 && 0%{?rhel} <= 7)
|
||||||
|
%global with_python2 1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?fedora} || 0%{?rhel} >= 8
|
||||||
|
%global with_python3 1
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%global configure_args %{nil}
|
||||||
|
%global configure_args %{configure_args} --with-default-sign-algo=rsa-sha256 --with-min-hash-algo=sha256
|
||||||
|
|
||||||
|
%if !%{with_java}
|
||||||
|
%global configure_args %{configure_args} --disable-java
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if !%{with_perl}
|
||||||
|
%global configure_args %{configure_args} --disable-perl
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_php}
|
||||||
|
%global configure_args %{configure_args} --enable-php5=yes --with-php5-config-dir=%{php_inidir}
|
||||||
|
%else
|
||||||
|
%global configure_args %{configure_args} --enable-php5=no
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_wsf}
|
||||||
|
%global configure_args %{configure_args} --enable-wsf --with-sasl2=%{_prefix}/sasl2
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if !%{with_python}
|
||||||
|
%global configure_args %{configure_args} --disable-python
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
Summary: Liberty Alliance Single Sign On
|
||||||
|
Name: lasso
|
||||||
|
Version: 2.7.0
|
||||||
|
Release: 8%{?dist}
|
||||||
|
License: GPLv2+
|
||||||
|
URL: http://lasso.entrouvert.org/
|
||||||
|
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
|
||||||
|
|
||||||
|
BuildRequires: autoconf
|
||||||
|
BuildRequires: automake
|
||||||
|
BuildRequires: check-devel
|
||||||
|
BuildRequires: glib2-devel
|
||||||
|
BuildRequires: gtk-doc
|
||||||
|
BuildRequires: libtool
|
||||||
|
BuildRequires: libtool-ltdl-devel
|
||||||
|
BuildRequires: libxml2-devel
|
||||||
|
BuildRequires: openssl-devel
|
||||||
|
BuildRequires: swig
|
||||||
|
BuildRequires: xmlsec1-devel
|
||||||
|
BuildRequires: xmlsec1-openssl-devel
|
||||||
|
BuildRequires: zlib-devel
|
||||||
|
%if %{with_wsf}
|
||||||
|
BuildRequires: cyrus-sasl-devel
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Requires: xmlsec1
|
||||||
|
|
||||||
|
# lasso upstream no longer supports java bindings
|
||||||
|
# see https://dev.entrouvert.org/issues/45876#change-289747
|
||||||
|
# and https://dev.entrouvert.org/issues/51418
|
||||||
|
Obsoletes: java-lasso < %{version}-%{release}
|
||||||
|
|
||||||
|
Patch0001: 0001-Fix-lasso_query_sign-HMAC-other-than-SHA1-54037.patch
|
||||||
|
Patch0002: 0002-tests-Move-test08_lasso_key-and-test07_saml2_query_v.patch
|
||||||
|
Patch0003: 0003-Make-the-default-signature-method-and-the-minimal-ha.patch
|
||||||
|
Patch0004: 0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch
|
||||||
|
Patch0005: 0005-Check-if-the-signature-method-is-allowed-in-addition.patch
|
||||||
|
Patch0006: 0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
|
||||||
|
Patch0007: 0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
|
||||||
|
Patch0008: autogen.noconfig
|
||||||
|
Patch0009: 0009-lasso_saml20_login_process_response_status_and_asser.patch
|
||||||
|
|
||||||
|
%description
|
||||||
|
Lasso is a library that implements the Liberty Alliance Single Sign On
|
||||||
|
standards, including the SAML and SAML2 specifications. It allows to handle
|
||||||
|
the whole life-cycle of SAML based Federations, and provides bindings
|
||||||
|
for multiple languages.
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Lasso development headers and documentation
|
||||||
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
This package contains the header files, static libraries and development
|
||||||
|
documentation for Lasso.
|
||||||
|
|
||||||
|
%if %{with_perl}
|
||||||
|
%package -n perl-%{name}
|
||||||
|
Summary: Liberty Alliance Single Sign On (lasso) Perl bindings
|
||||||
|
BuildRequires: perl-devel
|
||||||
|
BuildRequires: perl-generators
|
||||||
|
BuildRequires: perl(Error)
|
||||||
|
BuildRequires: perl(ExtUtils::MakeMaker)
|
||||||
|
BuildRequires: perl(strict)
|
||||||
|
BuildRequires: perl(Test::More)
|
||||||
|
BuildRequires: perl(warnings)
|
||||||
|
BuildRequires: perl(XSLoader)
|
||||||
|
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
|
||||||
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
|
%description -n perl-%{name}
|
||||||
|
Perl language bindings for the lasso (Liberty Alliance Single Sign On) library.
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_java}
|
||||||
|
%package -n java-%{name}
|
||||||
|
Summary: Liberty Alliance Single Sign On (lasso) Java bindings
|
||||||
|
Buildrequires: java-1.8.0-openjdk-devel
|
||||||
|
BuildRequires: jpackage-utils
|
||||||
|
Requires: java-headless
|
||||||
|
Requires: jpackage-utils
|
||||||
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
|
%if %{obsolete_old_lang_subpackages}
|
||||||
|
Provides: %{name}-java = %{version}-%{release}
|
||||||
|
Provides: %{name}-java%{?_isa} = %{version}-%{release}
|
||||||
|
Obsoletes: %{name}-java < %{version}-%{release}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%description -n java-%{name}
|
||||||
|
Java language bindings for the lasso (Liberty Alliance Single Sign On) library.
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_php}
|
||||||
|
%package -n php-%{name}
|
||||||
|
Summary: Liberty Alliance Single Sign On (lasso) PHP bindings
|
||||||
|
BuildRequires: expat-devel
|
||||||
|
BuildRequires: php-devel
|
||||||
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: php(zend-abi) = %{php_zend_api}
|
||||||
|
Requires: php(api) = %{php_core_api}
|
||||||
|
|
||||||
|
%description -n php-%{name}
|
||||||
|
PHP language bindings for the lasso (Liberty Alliance Single Sign On) library.
|
||||||
|
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_python2}
|
||||||
|
%package -n python2-%{name}
|
||||||
|
%{?python_provide:%python_provide python2-%{name}}
|
||||||
|
Summary: Liberty Alliance Single Sign On (lasso) Python bindings
|
||||||
|
BuildRequires: python2
|
||||||
|
BuildRequires: python2-devel
|
||||||
|
%if 0%{?rhel} && 0%{?rhel} <= 7
|
||||||
|
BuildRequires: python-lxml
|
||||||
|
%else
|
||||||
|
BuildRequires: python2-lxml
|
||||||
|
%endif
|
||||||
|
BuildRequires: python2-six
|
||||||
|
Requires: python2
|
||||||
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
|
%if %{obsolete_old_lang_subpackages}
|
||||||
|
Provides: %{name}-python = %{version}-%{release}
|
||||||
|
Provides: %{name}-python%{?_isa} = %{version}-%{release}
|
||||||
|
Obsoletes: %{name}-python < %{version}-%{release}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%description -n python2-%{name}
|
||||||
|
Python language bindings for the lasso (Liberty Alliance Single Sign On)
|
||||||
|
library.
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_python3}
|
||||||
|
%package -n python3-%{name}
|
||||||
|
%{?python_provide:%python_provide python3-%{name}}
|
||||||
|
Summary: Liberty Alliance Single Sign On (lasso) Python bindings
|
||||||
|
BuildRequires: python3
|
||||||
|
BuildRequires: python3-devel
|
||||||
|
BuildRequires: python3-lxml
|
||||||
|
BuildRequires: python3-six
|
||||||
|
BuildRequires: make
|
||||||
|
Requires: python3
|
||||||
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
|
%description -n python3-%{name}
|
||||||
|
Python language bindings for the lasso (Liberty Alliance Single Sign On)
|
||||||
|
library.
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
# Remove any python script shebang lines (unless they refer to python3)
|
||||||
|
sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \
|
||||||
|
`grep -r -l -E '^#![[:blank:]]*(/usr/bin/python[^3]?)|(/usr/bin/env[[:blank:]]+python[^3]?)' *`
|
||||||
|
|
||||||
|
%build
|
||||||
|
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
|
||||||
|
./autogen.sh
|
||||||
|
%if 0%{?with_python2}
|
||||||
|
%configure %{configure_args} --with-python=%{__python2}
|
||||||
|
pushd lasso
|
||||||
|
make %{?_smp_mflags} CFLAGS="%{optflags}"
|
||||||
|
popd
|
||||||
|
pushd bindings/python
|
||||||
|
make %{?_smp_mflags} CFLAGS="%{optflags}"
|
||||||
|
make check CK_TIMEOUT_MULTIPLIER=5
|
||||||
|
mkdir py2
|
||||||
|
mv lasso.py .libs/_lasso.so py2
|
||||||
|
popd
|
||||||
|
make clean
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?with_python3}
|
||||||
|
%configure %{configure_args} --with-python=%{__python3}
|
||||||
|
%else
|
||||||
|
%configure %{configure_args}
|
||||||
|
%endif
|
||||||
|
%make_build CFLAGS="%{optflags}"
|
||||||
|
|
||||||
|
%check
|
||||||
|
make check CK_TIMEOUT_MULTIPLIER=10 VERBOSE=yes
|
||||||
|
|
||||||
|
%install
|
||||||
|
#install -m 755 -d %{buildroot}%{_datadir}/gtk-doc/html
|
||||||
|
|
||||||
|
make install exec_prefix=%{_prefix} DESTDIR=%{buildroot}
|
||||||
|
find %{buildroot} -type f -name '*.la' -exec rm -f {} \;
|
||||||
|
find %{buildroot} -type f -name '*.a' -exec rm -f {} \;
|
||||||
|
|
||||||
|
%if 0%{?with_python2}
|
||||||
|
# Install Python 2 files saved from first build
|
||||||
|
install -d -m 0755 %{buildroot}/%{python2_sitearch}
|
||||||
|
install -m 0644 bindings/python/py2/lasso.py %{buildroot}/%{python2_sitearch}
|
||||||
|
install -m 0755 bindings/python/py2/_lasso.so %{buildroot}/%{python2_sitearch}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Perl subpackage
|
||||||
|
%if %{with_perl}
|
||||||
|
find %{buildroot} \( -name perllocal.pod -o -name .packlist \) -exec rm -v {} \;
|
||||||
|
|
||||||
|
find %{buildroot}/usr/lib*/perl5 -type f -print |
|
||||||
|
sed "s@^%{buildroot}@@g" > %{name}-perl-filelist
|
||||||
|
if [ "$(cat %{name}-perl-filelist)X" = "X" ] ; then
|
||||||
|
echo "ERROR: EMPTY FILE LIST"
|
||||||
|
exit -1
|
||||||
|
fi
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# PHP subpackage
|
||||||
|
%if %{with_php}
|
||||||
|
install -m 755 -d %{buildroot}%{_datadir}/php/%{name}
|
||||||
|
mv %{buildroot}%{_datadir}/php/lasso.php %{buildroot}%{_datadir}/php/%{name}
|
||||||
|
|
||||||
|
# rename the PHP config file when needed (PHP 5.6+)
|
||||||
|
if [ "%{name}.ini" != "%{ini_name}" ]; then
|
||||||
|
mv %{buildroot}%{php_inidir}/%{name}.ini \
|
||||||
|
%{buildroot}%{php_inidir}/%{ini_name}
|
||||||
|
fi
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Remove bogus doc files
|
||||||
|
rm -fr %{buildroot}%{_defaultdocdir}/%{name}
|
||||||
|
|
||||||
|
%ldconfig_scriptlets
|
||||||
|
|
||||||
|
%files
|
||||||
|
%{_libdir}/liblasso.so.3*
|
||||||
|
%doc AUTHORS NEWS README
|
||||||
|
%license COPYING
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%{_libdir}/liblasso.so
|
||||||
|
%{_libdir}/pkgconfig/lasso.pc
|
||||||
|
%{_includedir}/%{name}
|
||||||
|
|
||||||
|
%if %{with_perl}
|
||||||
|
%files -n perl-%{name} -f %{name}-perl-filelist
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_java}
|
||||||
|
%files -n java-%{name}
|
||||||
|
%{_libdir}/java/libjnilasso.so
|
||||||
|
%{_javadir}/lasso.jar
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_php}
|
||||||
|
%files -n php-%{name}
|
||||||
|
%{php_extdir}/lasso.so
|
||||||
|
%config(noreplace) %{php_inidir}/%{ini_name}
|
||||||
|
%dir %{_datadir}/php/%{name}
|
||||||
|
%{_datadir}/php/%{name}/lasso.php
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_python2}
|
||||||
|
%files -n python2-%{name}
|
||||||
|
%{python2_sitearch}/lasso.py*
|
||||||
|
%{python2_sitearch}/_lasso.so
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with_python3}
|
||||||
|
%files -n python3-%{name}
|
||||||
|
%{python3_sitearch}/lasso.py*
|
||||||
|
%{python3_sitearch}/_lasso.so
|
||||||
|
%{python3_sitearch}/__pycache__/*
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.7.0-8
|
||||||
|
- Rebuilt for MSVSphere 9.1.
|
||||||
|
|
||||||
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
|
||||||
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
|
* Mon Jun 28 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-7
|
||||||
|
- Fix dead code issue
|
||||||
|
- Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping
|
||||||
|
vulnerability when parsing SAML responses
|
||||||
|
|
||||||
|
* Thu Jul 29 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-6
|
||||||
|
- Resolves: rhbz#1984822 - lasso: FTBFS in test suite due to short test
|
||||||
|
timeout (potentially OpenSSL-related)
|
||||||
|
|
||||||
|
* Mon Jun 28 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-5
|
||||||
|
- Don't run configure twice
|
||||||
|
- Resolves: rhbz#1935987 - lasso implements and/or uses the deprecated
|
||||||
|
SHA-1 algorithm by default
|
||||||
|
|
||||||
|
* Thu Jun 24 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-4
|
||||||
|
- Resolves: rhbz#1935987 - lasso implements and/or uses the deprecated
|
||||||
|
SHA-1 algorithm by default
|
||||||
|
|
||||||
|
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.7.0-3
|
||||||
|
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||||
|
Related: rhbz#1971065
|
||||||
|
|
||||||
|
* Fri Jun 4 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-2
|
||||||
|
- Rebuild with openssl3, presumably in a buildroot with xmlsec1
|
||||||
|
linked against openssl3
|
||||||
|
- Resolves: rhbz#1962052 - lasso: Port to OpenSSL 3.0
|
||||||
|
|
||||||
|
* Wed Jun 2 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-1
|
||||||
|
- Lasso 2.7.0
|
||||||
|
- Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping
|
||||||
|
vulnerability when parsing SAML responses
|
||||||
|
- Remove java bindings
|
||||||
|
|
||||||
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.1-9
|
||||||
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-8
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Aug 13 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.6.1-7
|
||||||
|
- Temporarily build with OpenJDK 8
|
||||||
|
- upstream ticket for OpenJDK11 support: https://dev.entrouvert.org/issues/45876
|
||||||
|
|
||||||
|
* Fri Aug 07 2020 Jeff Law <law@redhat.com> - 2.6.1-6
|
||||||
|
- Revert last change. I lost the patchfile and I can't reproduce the gcc-11
|
||||||
|
problem which almost certainly prompted it
|
||||||
|
|
||||||
|
* Fri Aug 07 2020 Jeff Law <law@redhat.com> - 2.6.1-5
|
||||||
|
- Fix format string problem
|
||||||
|
|
||||||
|
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-4
|
||||||
|
- Second attempt - Rebuilt for
|
||||||
|
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jul 10 2020 Jiri Vanek <jvanek@redhat.com> - 2.6.1-2
|
||||||
|
- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
|
||||||
|
|
||||||
|
* Fri Jul 03 2020 Xavier Bachelot <xavier@bachelot.org> - 2.6.1-1
|
||||||
|
- Update to 2.6.1
|
||||||
|
|
||||||
|
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.0-23
|
||||||
|
- Perl 5.32 rebuild
|
||||||
|
|
||||||
|
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 2.6.0-22
|
||||||
|
- Rebuilt for Python 3.9
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-21
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jan 17 2020 Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
- Resolves: #1778645 - lasso-2.6.0-19.fc32 FTBFS:
|
||||||
|
non_regression_tests.c:240:51: error: initializer
|
||||||
|
element is not constant
|
||||||
|
|
||||||
|
* Mon Sep 2 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-19
|
||||||
|
- Resolves: #1730010 - lasso includes "Destination" attribute in SAML
|
||||||
|
AuthnRequest populated with SP
|
||||||
|
AssertionConsumerServiceURL when ECP workflow
|
||||||
|
is used which leads to IdP-side errors
|
||||||
|
|
||||||
|
* Sun Sep 1 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-18
|
||||||
|
- Let tests run longer
|
||||||
|
- Resolves: #1743888 - lasso unit tests time out on slower arches (e.g. arm)
|
||||||
|
|
||||||
|
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.0-17
|
||||||
|
- Rebuilt for Python 3.8
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-16
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jun 17 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-15
|
||||||
|
- Use the upstream patch that uses a self-signed cert in tests
|
||||||
|
- Related: #1705700 - lasso FTBFS because an expired certificate is
|
||||||
|
used in the tests
|
||||||
|
- Resolves: #1634266 - ECP signature check fails with
|
||||||
|
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when assertion
|
||||||
|
signed instead of response
|
||||||
|
|
||||||
|
* Tue Jun 04 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.0-14
|
||||||
|
- Perl 5.30 re-rebuild updated packages
|
||||||
|
|
||||||
|
* Mon Jun 3 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-13
|
||||||
|
- Don't use the expired certificate the tarball provides for tests
|
||||||
|
- Resolves: #1705700 - lasso FTBFS because an expired certificate is
|
||||||
|
used in the tests
|
||||||
|
|
||||||
|
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.0-12
|
||||||
|
- Perl 5.30 rebuild
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-11
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Dec 04 2018 Xavier Bachelot <xavier@bachelot.org> - 2.6.0-10
|
||||||
|
- Specfile clean up:
|
||||||
|
- Consolidate BuildRequires
|
||||||
|
- Remove Group: tags
|
||||||
|
- Uppercase and move Url: tag
|
||||||
|
- Use %%license for COPYING
|
||||||
|
- Use %%make_build
|
||||||
|
- Use %%autosetup
|
||||||
|
- Don't glob soname to prevent unintentionnal soname bump
|
||||||
|
- Use %%ldconfig_scriptlets
|
||||||
|
- Specify all perl dependencies in BR:s
|
||||||
|
- Drop useless %%attr in php-lasso sub-package
|
||||||
|
|
||||||
|
* Mon Dec 03 2018 Xavier Bachelot <xavier@bachelot.org> - 2.6.0-9
|
||||||
|
- Generate perl requires/provides.
|
||||||
|
|
||||||
|
* Tue Jul 17 2018 <jdennis@redhat.com> - 2.6.0-8
|
||||||
|
- more py2/py3 build dependencies fixes
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-7
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Jul 7 2018 <jdennis@redhat.com> - 2.6.0-6
|
||||||
|
- Modify configure to search for versioned python
|
||||||
|
- Resolves: rhbz#1598047
|
||||||
|
|
||||||
|
* Wed Jul 04 2018 Petr Pisar <ppisar@redhat.com> - 2.6.0-5
|
||||||
|
- Perl 5.28 rebuild
|
||||||
|
|
||||||
|
* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.6.0-4
|
||||||
|
- Rebuilt for Python 3.7
|
||||||
|
|
||||||
|
* Sat Jun 30 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.0-3
|
||||||
|
- Perl 5.28 rebuild
|
||||||
|
|
||||||
|
* Wed Jun 27 2018 <jdennis@redhat.com> - 2.6.0-2
|
||||||
|
- fix language bindings package names to comply with guidelines,
|
||||||
|
instead of %%{name}-lang use lang-%%{name}
|
||||||
|
- fix conditional logic used to build on rhel
|
||||||
|
|
||||||
|
* Tue Jun 26 2018 <jdennis@redhat.com> - 2.6.0-1
|
||||||
|
- Upgrade to latest upstream
|
||||||
|
- Build using Python3, add python3 subpackage
|
||||||
|
- Resolves: rhbz#1592416 Enable perl subpackage
|
||||||
|
|
||||||
|
* Wed May 2 2018 John Dennis <jdennis@redhat.com> - 2.5.1-13
|
||||||
|
- add xmlsec1 version dependency
|
||||||
|
|
||||||
|
* Tue May 1 2018 John Dennis <jdennis@redhat.com> - 2.5.1-12
|
||||||
|
- Resolves: rhbz#1542126, rhbz#1556016
|
||||||
|
- xmlsec removed SOAP support, reimplement missing xmlSecSoap* in Lasso
|
||||||
|
|
||||||
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-11
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jan 05 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.5.1-10
|
||||||
|
- Update Python 2 dependency declarations to new packaging standards
|
||||||
|
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
|
||||||
|
|
||||||
|
* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-9
|
||||||
|
- Add Provides for the old name without %%_isa
|
||||||
|
|
||||||
|
* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-8
|
||||||
|
- Python 2 binary package renamed to python2-lasso
|
||||||
|
See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
|
||||||
|
|
||||||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-7
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.1-4
|
||||||
|
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
|
||||||
|
|
||||||
|
* Thu Jun 30 2016 John Dennis <jdennis@redhat.com> - 2.5.1-3
|
||||||
|
- disbable PHP binding because PHP-7 is now the default and lasso
|
||||||
|
only knows how to build with PHP-5
|
||||||
|
|
||||||
|
* Wed Jun 15 2016 John Dennis <jdennis@redhat.com> - 2.5.1-2
|
||||||
|
- fix CFLAGS override in configure
|
||||||
|
|
||||||
|
* Mon Feb 22 2016 John Dennis <jdennis@redhat.com> - 2.5.1-1
|
||||||
|
- Upgrade to upstream 2.5.1 release
|
||||||
|
See Changelog for details, mostly bugs fixes,
|
||||||
|
most signficant is proper support of SHA-2
|
||||||
|
Resolves: #1295472
|
||||||
|
Resolves: #1303573
|
||||||
|
- Add java_binding_lasso_log.patch to fix "make check" failure during rpmbuild
|
||||||
|
upstream commit d8e3ae8
|
||||||
|
|
||||||
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Sep 14 2015 John Dennis <jdennis@redhat.com> - 2.5.0-1
|
||||||
|
- Upgrade to new upstream 2.5.0 release
|
||||||
|
Includes ECP support
|
||||||
|
|
||||||
|
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.1-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Mar 23 2015 Rob Crittenden <rcritten@redhat.com> - 2.4.1-3
|
||||||
|
- Add BuildRequires on libtool
|
||||||
|
- Add -fPIC to LDFLAGS
|
||||||
|
- Disable perl bindings, it fails to build on x86.
|
||||||
|
|
||||||
|
* Fri Jan 23 2015 Simo Sorce <simo@redhat.com> - 2.4.1-2
|
||||||
|
- Enable perl bindings
|
||||||
|
- Also add support for building with automake 1.15
|
||||||
|
- Fix build issues on rawhide due to missing build dep on perl(Error)
|
||||||
|
|
||||||
|
* Thu Aug 28 2014 Simo Sorce <simo@redhat.com> - 2.4.1-1
|
||||||
|
- New upstream relase 2.4.1
|
||||||
|
- Drop patches as they have all been integrated upstream
|
||||||
|
|
||||||
|
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.0-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jun 20 2014 Remi Collet <rcollet@redhat.com> - 2.4.0-4
|
||||||
|
- rebuild for https://fedoraproject.org/wiki/Changes/Php56
|
||||||
|
- add numerical prefix to extension configuration file
|
||||||
|
- drop unneeded dependency on pecl
|
||||||
|
- add provides php-lasso
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Apr 25 2014 Simo Sorce <simo@redhat.com> - 2.4.0-2
|
||||||
|
- Fixes for arches where pointers and integers do not have the same size
|
||||||
|
(ppc64, s390, etc..)
|
||||||
|
|
||||||
|
* Mon Apr 14 2014 Stanislav Ochotnicky <sochotnicky@redhat.com> - 2.4.0-1
|
||||||
|
- Use OpenJDK instead of GCJ for java bindings
|
||||||
|
|
||||||
|
* Sat Jan 11 2014 Simo Sorce <simo@redhat.com> 2.4.0-0
|
||||||
|
- Update to final 2.4.0 version
|
||||||
|
- Drop all patches, they are now included in 2.4.0
|
||||||
|
- Change Source URI
|
||||||
|
|
||||||
|
* Mon Dec 9 2013 Simo Sorce <simo@redhat.com> 2.3.6-0.20131125.5
|
||||||
|
- Add patches to fix rpmlint license issues
|
||||||
|
- Add upstream patches to fix some build issues
|
||||||
|
|
||||||
|
* Thu Dec 5 2013 Simo Sorce <simo@redhat.com> 2.3.6-0.20131125.4
|
||||||
|
- Add patch to support automake-1.14 for rawhide
|
||||||
|
|
||||||
|
* Mon Nov 25 2013 Simo Sorce <simo@redhat.com> 2.3.6-0.20131125.3
|
||||||
|
- Initial packaging
|
||||||
|
- Based on the spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr>
|
||||||
|
- Code is updated to latest master via a jumbo patch while waiting for
|
||||||
|
official upstream release.
|
||||||
|
- Jumbo patch includes also additional patches sent to upstream list)
|
||||||
|
to build on Fedora 20
|
||||||
|
- Perl bindings are disabled as they fail to build
|
||||||
|
- Disable doc building as it doesn't ork correctly for now
|
Loading…
Reference in new issue