The key encryption padding algorithm is now configurable, the default
being changed to OAEP. It's possible to set the default through
./configure with:
--with-default-key-encryption-method=[rsa-pkcs1|rsa-oaep]
at initialization time with an environment variable:
LASSO_DEFAULT_KEY_ENCRYPTION_METHOD=[rsa-pkcs1|rsa-oaep]
or at runtime for a service provider:
lasso_provider_set_key_encryption_method(LassoProvider *provider,
LassoKeyEncryptionMethod key_encryption_method)
The setting is global for all encrypted nodes (Assertion or NameID).
Adds two new configure options:
--with-default-sign-algo
--min-hash-algo
--with-default-sign-algo sets the default signing algorithm and defaults
to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and
rsa-sha256.
--min-hash-algo sets the minimum hash algorithm to be accepted. The
default is sha1 for backwards compatibility as well.
Related:
https://dev.entrouvert.org/issues/54037
Following the guidelines in Python PEP 394 with regards to the python
command on UNIX like systems preference should be given to explicitly
versioned command interpreter as opposed to unversioned and that an
unversioned python command should (but might not) refer to
Python2. Also in some environments unversioned Python interpreters
(e.g. /usr/bin/python) do not even exist, onlyh their explicitly
versioned variants are (e.g. /usr/bin/python2 and /usr/bin/python3).
Therefore the AC_CHECK_PROGS directive in configure.ac should not rely
exclusively on an unversioned Python interpreter as it does not,
rather it should search in priority order. First for python3, then for
an unversionsed python because some distributions have already moved
the default unversioned python to python3, and then finally search for
python2. In the scenario where unversioned python is still pointing to
python2 it's equivalent to selecting the last prority option of
python2, but if unversioned python is pointing to python3 you get
instead. The net result is always preferring python3 but gracefully
falling back to python2 not matter how the environment exports it's
Python.
If AC_CHECK_PROGS for python does not check for the versioned variants
the build fails in environments that only have versioned variants with
this error:
configure: error: Python must be installed to compile lasso
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
CFLAGS is initialized to the empty string in configure.ac, this
effectively turned off user supplied values for CFLAGS preventing site
specific values from being used. A further complicating factor was of
all the user supplied values documented in Automake only CFLAGS was
disabled allowing all other user supplied variables to take
effect. Some variables must be coordinated (e.g. CFLAGS with LDFLAGS),
the fact LDFLAGS was picked up from the environment but CFLAGS was
discarded caused build failures due to incompatible combination of
compiler and linker options.
The problem was first introduced in commit: 73d9c98f "Reset CFLAGS
when --enable-debugging is used". This patch simply removes hardcoding
CFLAGS to the empty string and appends the debug options
(--enable-debugging) to the existing CFLAGS.
Proper use of the variables is described in the Automake documentation
in the section "Flag Variables Ordering"
https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
Although the Automake documentation claims manipulating CFLAGS
directly is improper use there are many examples of this in the
existing configure.ac, this patch makes no attempt at addressing this
issue, rather it makes existing usage consistent. In the particular
case of debug flags appending to CFLAGS is probably the only valid
solution because the debug flags must appear at the end of the list of
flags in order to override earlier flags, CFLAGS always appears last
in the Makefile (see above Automake doc).
Signed-off-by: John Dennis <jdennis@redhat.com>
License: MIT
The SAMLv2 protocol defines 5 XML types which we need to map to
LassoNode objectes so thay can be serialized from XML and back into
XML.
ecp:RelayState
ecp:Request
ecp:Response
paos:Request
paso:Response
This patch addes these 5 new LassoNode's and updates the build
configuration to include them.
Signed-off-by: John Dennis <jdennis@redhat.com>
License: MIT
Benjamin Dauvergne
Jakub Hrozek
Tomohiro "Tomo-p" KATO
John Dennis
Frédéric Péters
Houzéfa Abbasbhay
Simo Sorce
Tim Newsome