entrouvert
/
modmellon
17
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge pull request #156 from jdennis/sign_alg 

Add MellonSignatureMethod to control signature algorithm
This commit is contained in:
Olav Morken 2018-02-22 07:20:00 +01:00 committed by GitHub
parent 31b70eb296 9b17e5c107
commit f86a86519e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 141 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -583,6 +583,18 @@ MellonDiagnosticsEnable Off
# MellonRedirectDomains [self]
MellonRedirectDomains [self]
# This option controls the signature method used to sign SAML
# messages generated by Mellon, it may be one of the following
# (depending if feature was supported when Mellon was built):
#
# rsa-sha1
# rsa-sha256
# rsa-sha384
# rsa-sha512
#
# Default: rsa-sha256
# MellonSignatureMethod
</Location>
```

9
auth_mellon.h
View File

@ -239,6 +239,7 @@ typedef struct am_dir_cfg_rec {
apr_hash_t *envattr;
const char *userattr;
const char *idpattr;
LassoSignatureMethod signature_method;
int dump_session;
int dump_saml_response;
@ -416,6 +417,14 @@ static const int inherit_post_replay = -1;
static const int default_ecp_send_idplist = 0;
static const int inherit_ecp_send_idplist = -1;
/* Algorithm to use when signing Mellon SAML messages */
static const LassoSignatureMethod default_signature_method =
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA256
LASSO_SIGNATURE_METHOD_RSA_SHA256;
#else
LASSO_SIGNATURE_METHOD_RSA_SHA1;
#endif
static const int inherit_signature_method = -1;
void *auth_mellon_dir_config(apr_pool_t *p, char *d);
void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add);

68
auth_mellon_config.c
View File

@ -105,6 +105,7 @@ static const int default_env_vars_count_in_n = -1;
/* The default list of trusted redirect domains. */
static const char * const default_redirect_domains[] = { "[self]", NULL };
/* This function handles configuration directives which set a
* multivalued string slot in the module configuration (the destination
* strucure is a hash).
@ -1139,6 +1140,63 @@ static const char *am_set_redirect_domains(cmd_parms *cmd,
return NULL;
}
/* This function handles the MellonSignatureMethod configuration directive.
* This directive can be set to one of:
*
* Parameters:
* cmd_parms *cmd The command structure for this configuration
* directive.
* void *struct_ptr Pointer to the current directory configuration.
* const char *arg The string argument following this configuration
* directive in the configuraion file.
*
* Returns:
* NULL on success or an error string if the argument is wrong.
*/
static const char *am_set_signature_method_slot(cmd_parms *cmd,
void *struct_ptr,
const char *arg)
{
am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr;
char *valid_methods = "rsa-sha1"
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA256
" rsa-sha256"
#endif
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA384
" rsa-sha384"
#endif
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA512
" rsa-sha512"
#endif
;
if (!strcasecmp(arg, "rsa-sha1")) {
d->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
}
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA256
else if (!strcasecmp(arg, "rsa-sha256")) {
d->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA256;
}
#endif
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA384
else if (!strcasecmp(arg, "rsa-sha384")) {
d->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA384;
}
#endif
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA512
else if (!strcasecmp(arg, "rsa-sha512")) {
d->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA512;
}
#endif
else {
return apr_psprintf(cmd->pool,
"%s: Invalid method \"%s\", must be one of: %s",
cmd->cmd->name, arg, valid_methods);
}
return NULL;
}
/* This array contains all the configuration directive which are handled
* by auth_mellon.
*/
@ -1587,6 +1645,13 @@ const command_rec auth_mellon_commands[] = {
OR_AUTHCFG,
"List of domains we can redirect to."
),
AP_INIT_TAKE1(
"MellonSignatureMethod",
am_set_signature_method_slot,
NULL,
OR_AUTHCFG,
"Signature method used to sign SAML messages sent by Mellon"
),
{NULL}
};
@ -1651,6 +1716,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
dir->envattr = apr_hash_make(p);
dir->userattr = default_user_attribute;
dir->idpattr = NULL;
dir->signature_method = inherit_signature_method;
dir->dump_session = default_dump_session;
dir->dump_saml_response = default_dump_saml_response;
@ -1810,6 +1876,8 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
add_cfg->idpattr :
base_cfg->idpattr);
new_cfg->signature_method = CFG_MERGE(add_cfg, base_cfg, signature_method);
new_cfg->dump_session = (add_cfg->dump_session != default_dump_session ?
add_cfg->dump_session :
base_cfg->dump_session);

54
auth_mellon_diagnostics.c
View File

@ -39,14 +39,17 @@ static const char *
am_diag_cond_flag_str(request_rec *r, am_cond_flag_t flags);
static const char *
am_diag_enable_str(am_enable_t enable);
am_diag_enable_str(request_rec *r, am_enable_t enable);
static const char *
am_diag_samesite_str(am_samesite_t samesite);
am_diag_samesite_str(request_rec *r, am_samesite_t samesite);
static const char *
am_diag_httpd_error_level_str(request_rec *r, int level);
static const char *
am_diag_signature_method_str(request_rec *r,
LassoSignatureMethod signature_method);
static apr_size_t
am_diag_time_t_to_8601_buf(char *buf, apr_size_t buf_size, apr_time_t t);
@ -191,26 +194,28 @@ am_diag_cond_flag_str(request_rec *r, am_cond_flag_t flags)
}
static const char *
am_diag_enable_str(am_enable_t enable)
am_diag_enable_str(request_rec *r, am_enable_t enable)
{
switch(enable) {
case am_enable_default: return "default";
case am_enable_off: return "off";
case am_enable_info: return "info";
case am_enable_auth: return "auth";
default: return "unknown";
default:
return apr_psprintf(r->pool, "unknown (%d)", enable);
}
}
static const char *
am_diag_samesite_str(am_samesite_t samesite)
am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
{
switch(samesite) {
case am_samesite_default: return "default";
case am_samesite_lax: return "lax";
case am_samesite_strict: return "strict";
default: return "unknown";
default:
return apr_psprintf(r->pool, "unknown (%d)", samesite);
}
}
@ -239,6 +244,26 @@ am_diag_httpd_error_level_str(request_rec *r, int level)
}
}
static const char *
am_diag_signature_method_str(request_rec *r,
LassoSignatureMethod signature_method)
{
switch(signature_method) {
case LASSO_SIGNATURE_METHOD_RSA_SHA1: return "rsa-sha1";
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA256
case LASSO_SIGNATURE_METHOD_RSA_SHA256: return "rsa-sha256";
#endif
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA384
case LASSO_SIGNATURE_METHOD_RSA_SHA384: return "rsa-sha384";
#endif
#if HAVE_DECL_LASSO_SIGNATURE_METHOD_RSA_SHA512
case LASSO_SIGNATURE_METHOD_RSA_SHA512: return "rsa-sha512";
#endif
default:
return apr_psprintf(r->pool, "unknown (%d)", signature_method);
}
}
static apr_size_t
am_diag_time_t_to_8601_buf(char *buf, apr_size_t buf_size, apr_time_t t)
{
@ -388,7 +413,7 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
apr_file_printf(diag_cfg->fd,
"%sMellonEnable (enable): %s\n",
indent(level+1), am_diag_enable_str(cfg->enable_mellon));
indent(level+1), am_diag_enable_str(r, cfg->enable_mellon));
apr_file_printf(diag_cfg->fd,
"%sMellonVariable (varname): %s\n",
indent(level+1), cfg->varname);
@ -416,7 +441,7 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
apr_file_printf(diag_cfg->fd,
"%sMellonCookieSameSite (cookie_samesite): %s\n",
indent(level+1),
am_diag_samesite_str(cfg->cookie_samesite));
am_diag_samesite_str(r, cfg->cookie_samesite));
apr_file_printf(diag_cfg->fd,
"%sMellonCond (cond): %d items\n",
@ -597,7 +622,7 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
"%sMellonSubjectConfirmationDataAddressCheck"
" (subject_confirmation_data_address_check): %s\n",
indent(level+1),
cfg->subject_confirmation_data_address_check ? "On":"Off");
CFG_VALUE(cfg, subject_confirmation_data_address_check) ? "On":"Off");
apr_file_printf(diag_cfg->fd,
"%sMellonDoNotVerifyLogoutSignature"
@ -622,13 +647,13 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
"%sMellonSendCacheControlHeader"
" (send_cache_control_header): %s\n",
indent(level+1),
cfg->send_cache_control_header ? "On":"Off");
CFG_VALUE(cfg, send_cache_control_header) ? "On":"Off");
apr_file_printf(diag_cfg->fd,
"%sMellonPostReplay (post_replay): %s\n",
indent(level+1), cfg->post_replay ? "On":"Off");
indent(level+1), CFG_VALUE(cfg, post_replay) ? "On":"Off");
apr_file_printf(diag_cfg->fd,
"%sMellonECPSendIDPList (ecp_send_idplist): %s\n",
indent(level+1), cfg->ecp_send_idplist ? "On":"Off");
indent(level+1), CFG_VALUE(cfg, ecp_send_idplist) ? "On":"Off");
for (n_items = 0; cfg->redirect_domains[n_items] != NULL; n_items++);
apr_file_printf(diag_cfg->fd,
@ -640,6 +665,11 @@ am_diag_log_dir_cfg(request_rec *r, int level, am_dir_cfg_rec *cfg,
indent(level+2), cfg->redirect_domains[i]);
}
apr_file_printf(diag_cfg->fd,
"%sMellonSignatureMethod (signature_method): %s\n",
indent(level+1),
am_diag_signature_method_str(r, CFG_VALUE(cfg, signature_method)));
apr_file_flush(diag_cfg->fd);
}

2
auth_mellon_handler.c
View File

@ -372,6 +372,8 @@ static LassoServer *am_get_lasso_server(request_rec *r)
apr_thread_mutex_unlock(cfg->server_mutex);
return NULL;
}
cfg->server->signature_method = CFG_VALUE(cfg, signature_method);
}
apr_thread_mutex_unlock(cfg->server_mutex);

8
configure.ac
View File

@ -102,6 +102,14 @@ AC_CHECK_HEADER([lasso/utils.h], LASSO_CFLAGS="$LASSO_CFLAGS -DHAVE_LASSO_UTILS_
CFLAGS=$saved_CFLAGS
CPPFLAGS=$saved_CPPFLAGS
# Determine what definitions exist in Lasso
saved_CFLAGS=$CFLAGS
CFLAGS="$CFLAGS $pkg_cv_LASSO_CFLAGS"
AC_CHECK_DECLS([LASSO_SIGNATURE_METHOD_RSA_SHA256,
LASSO_SIGNATURE_METHOD_RSA_SHA384,
LASSO_SIGNATURE_METHOD_RSA_SHA512,
], [], [], [#include <lasso/xml/xml.h>])
CFLAGS=$saved_CFLAGS
# Create Makefile from Makefile.in
AC_CONFIG_FILES([Makefile])