xmlsec: re-enable KeyValue nodes when reading KeyInfo descriptors (#85339)

KeyValue has been disabled in libxmlsec >= 1.3.3, as it can be a security
liability in other settings than SAML:

   (xmlsec-core) Disabled KeyValue and DEREncodedKeyValue XML nodes by default. Use the '--enabled-key-data' option for the xmlsec command line utility or update the 'keyInfoCtx->enabledKeyData' parameter if you need to re-enable these nodes (also see question 3.5 in the FAQ).

configure.ac

@@ -90,6 +90,7 @@ fi
 dnl
 dnl Check for programs
 dnl
+CFLAGS="$CFLAGS -Werror=implicit-function-declaration"
 AC_PROG_CC
 AM_CFLAGS=""
 AC_HEADER_STDC

lasso/id-ff/server.h

@@ -133,9 +133,6 @@ LASSO_EXPORT gchar *lasso_server_get_endpoint_url_by_id(const LassoServer *serve
 LASSO_EXPORT GList *lasso_server_get_filtered_provider_list(const LassoServer *server,
 	LassoProviderRole role, LassoMdProtocolType protocol_type, LassoHttpMethod http_method);
 
-LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();
-void lasso_set_default_signature_method(LassoSignatureMethod meth);
-
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */

lasso/xml/private.h

@@ -354,6 +354,10 @@ gchar* lasso_xmlnode_build_deflated_query(xmlNode *xmlnode);
 
 xmlTextReader *lasso_xmltextreader_from_message(const char *message, char **to_free);
 
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
+void lasso_set_min_signature_method(LassoSignatureMethod meth);
+
+
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */

lasso/xml/tools.c

@@ -1039,12 +1039,12 @@ lasso_saml2_query_verify_signature(const char *query, xmlSecKey *sender_public_k
 		goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_QUERY);
 	}
 
-	if (! sig_alg) {
-		goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGALG);
-	}
 	if (! b64_signature) {
 		goto_cleanup_with_rc(LASSO_DS_ERROR_SIGNATURE_NOT_FOUND);
 	}
+	if (! sig_alg) {
+		goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGALG);
+	}
 	/* build the signed query */
 	if (relaystate) {
 		signed_query = g_strconcat(saml_request_response, "&", relaystate, "&", sig_alg, NULL);
@@ -1261,9 +1261,9 @@ cleanup:
 	if (doc) {
 		xmlRemoveID(doc, id_attr);
 		xmlUnlinkNode(xmlnode);
-		lasso_release_doc(doc);
 		xmlnode->parent = old_parent;
 		xmlSetTreeDoc(xmlnode, NULL);
+		lasso_release_doc(doc);
 	}
 	lasso_release_signature_context(dsig_ctx);
 	return rc;

lasso/xml/xml.h

@@ -214,6 +214,7 @@ LASSO_EXPORT LassoKeyEncryptionMethod lasso_get_default_key_encryption_method();
 LASSO_EXPORT void lasso_set_default_key_encryption_method(LassoKeyEncryptionMethod method);
 
 /* signature method and hash strength */
+LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();
 LASSO_EXPORT LassoSignatureMethod lasso_get_min_signature_method();
 
 void lasso_set_min_signature_method(LassoSignatureMethod meth);

tests/random_tests.c

@@ -292,6 +292,8 @@ START_TEST(test07_saml2_query_verify_signature)
 	 * changed to ; */
 	const char query2[] = "Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256";
 	const char query3[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D";
+	/* Deleting SigAlg & Signature fields */
+	const char query4[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake";
 	/* sp5-saml2 key */
 	const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
 MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
@@ -324,6 +326,11 @@ LlTxKnCrWAXftSm1rNtewTsF\n\
 	/* test reordering and semi-colon separator support */
 	ck_assert_msg(lasso_saml2_query_verify_signature(query2, key) == 0, "Disordered signature was not validated");
 	ck_assert_msg(lasso_saml2_query_verify_signature(query3, key) != 0, "Altered signature was validated");
+	/* test missing signature error code */
+	ck_assert_msg(lasso_saml2_query_verify_signature(query3, key) == LASSO_DS_ERROR_INVALID_SIGNATURE,
+			"Altered signature do not lead to invalid signature");
+	ck_assert_msg(lasso_saml2_query_verify_signature(query4, key) == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND,
+			"Bad error code when missing signature");
 	xmlSecKeyDestroy(key);
 }
 END_TEST

website/web/documentation/index.xml

@@ -39,7 +39,7 @@
    <li><a
    href="/documentation/slides/20050201-lasso-solutions-linux.pdf">General
    presentation</a> given February 1st 2005 in the "Identity Management" track
-   of <a href="http://www.solutionslinux.fr">Solutions Linux</a> in Paris.
+   of Solutions Linux in Paris.
    (in French)
    </li>
   </ul>

website/web/index.xml

@@ -14,15 +14,15 @@
    protocols.  Lasso is built on top of <a href="http://www.xmlsoft.org">libxml2</a>,
    <a href="http://www.aleksey.com/xmlsec/">XMLSec</a> and <a
    href="http://www.openssl.org">OpenSSL</a> and is licensed under the <a
-   href="/license">GNU General Public License</a>
+   href="https://www.gnu.org/licenses/gpl-3.0.en.html">GNU General Public License</a>
    (with an <a href="/license#openssl">OpenSSL exception</a>).
   </p>
   
   <p>
-   We strongly recommend the use of the <a href="/license">GNU General Public
+   We strongly recommend the use of the <a href="https://www.gnu.org/licenses/gpl-3.0.en.html">GNU General Public
    License</a> each time it is possible. But for proprietary projects, that
    wouldn't want to use it, we designed a <a
-   href="http://www.entrouvert.com/en/expertise/licenses/">commercial
+   href="https://www.entrouvert.com/expertise/licences/">commercial
    license</a>.
   </p>
 

website/web/news/02-slides-solution-linux.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <div xmlns="http://www.w3.org/1999/xhtml">
- <h3>2005-02-01: Conference at <a href="http://www.solutionslinux.fr">Solutions Linux</a></h3>
+ <h3>2005-02-01: Conference at Solutions Linux</h3>
 
  <p>
   Lasso made a remarked appearance in the "Identity management" track.  <a