entrouvert
/
lasso
16
0
Fork 0
Code Issues Pull Requests Releases Activity

[SAMLv2 NID management] report signature error in response, do not check response signature if forbidden 

- build_response_msg will report signature error in response status
   code when called without an initialized response (without a call to
   validate_request)
 - process_response_msg now use
   lasso_saml20_profile_check_signature_status to check the signature
   status only if permitted.
This commit is contained in:
Benjamin Dauvergne 2010-09-10 15:33:50 +02:00
parent d7c56d7c20
commit 280ee28202
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
lasso/saml-2.0/name_id_management.c
View File

@ -289,6 +289,7 @@ lasso_name_id_management_build_response_msg(LassoNameIdManagement *name_id_manag
{
LassoProfile *profile = NULL;
LassoSamlp2StatusResponse *response;
int rc = 0;
lasso_bad_param(NAME_ID_MANAGEMENT, name_id_management);
profile = &name_id_management->parent;
@ -296,13 +297,22 @@ lasso_name_id_management_build_response_msg(LassoNameIdManagement *name_id_manag
/* no response set here means request denied */
if (! LASSO_IS_SAMLP2_STATUS_RESPONSE(profile->response)) {
response = (LassoSamlp2StatusResponse*)lasso_samlp2_manage_name_id_response_new();
lasso_saml20_profile_init_response(profile, response, LASSO_SAML2_STATUS_CODE_RESPONDER,
LASSO_SAML2_STATUS_CODE_REQUEST_DENIED);
if (lasso_saml20_profile_check_signature_status(profile)) {
lasso_check_good_rc(lasso_saml20_profile_init_response(profile, response,
LASSO_SAML2_STATUS_CODE_REQUESTER,
LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE));
} else {
lasso_check_good_rc(lasso_saml20_profile_init_response(profile, response,
LASSO_SAML2_STATUS_CODE_RESPONDER,
LASSO_SAML2_STATUS_CODE_REQUEST_DENIED));
}
lasso_release_gobject(response);
}
/* use the same binding as for the request */
return lasso_saml20_profile_build_response_msg(profile, "ManageNameIDService", profile->http_request_method, NULL);
rc = lasso_saml20_profile_build_response_msg(profile, "ManageNameIDService", profile->http_request_method, NULL);
cleanup:
return rc;
}
@ -334,7 +344,7 @@ lasso_name_id_management_process_response_msg(
lasso_check_good_rc(lasso_saml20_profile_process_any_response(profile, response, NULL, response_msg));
/* Stop here if signature validation failed. */
goto_cleanup_if_fail_with_rc(profile->signature_status == 0, profile->signature_status);
lasso_check_good_rc(lasso_saml20_profile_check_signature_status(profile));
if (LASSO_SAMLP2_MANAGE_NAME_ID_REQUEST(profile->request)->Terminate) {
lasso_identity_remove_federation(profile->identity, profile->remote_providerID);