Fix lasso_query_sign HMAC other than SHA1 (#54037)
The switch clause was using SHA1 digests for all digest types when signing. This obviously breaks verifying the signatures if HMAC-SHAXXX is used and XXX is something else than 1.
This commit is contained in:
Jakub Hrozek
parent
076a37d7f0
commit
8b8fd22a16
|
|
@ -594,22 +594,20 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
|||
sigret_size = DSA_size(dsa);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||
&hmac_key_length))) {
|
||||
message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||
goto done;
|
||||
}
|
||||
g_assert(hmac_key);
|
||||
md = EVP_sha1();
|
||||
sigret_size = EVP_MD_size(md);
|
||||
/* key should be at least 128 bits long */
|
||||
if (hmac_key_length < 16) {
|
||||
critical("HMAC key should be at least 128 bits long");
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
md = EVP_sha256();
|
||||
sigret_size = EVP_MD_size(md);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
md = EVP_sha384();
|
||||
sigret_size = EVP_MD_size(md);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
md = EVP_sha512();
|
||||
sigret_size = EVP_MD_size(md);
|
||||
break;
|
||||
default:
|
||||
g_assert_not_reached();
|
||||
|
|
@ -645,6 +643,19 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
|||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||
&hmac_key_length))) {
|
||||
message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||
goto done;
|
||||
}
|
||||
g_assert(hmac_key);
|
||||
|
||||
/* key should be at least 128 bits long */
|
||||
if (hmac_key_length < 16) {
|
||||
critical("HMAC key should be at least 128 bits long");
|
||||
goto done;
|
||||
}
|
||||
|
||||
HMAC(md, hmac_key, hmac_key_length, (unsigned char *)new_query,
|
||||
strlen(new_query), sigret, &siglen);
|
||||
status = 1;
|
||||
|
|
|
|||
|
|
@ -981,7 +981,7 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallba
|
|||
lasso_release_gobject(sp_login_context);
|
||||
}
|
||||
|
||||
START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
|
||||
START_TEST(test07_sso_sp_with_hmac_sha256_signatures)
|
||||
{
|
||||
LassoServer *idp_context = NULL;
|
||||
LassoServer *sp_context = NULL;
|
||||
|
|
@ -990,7 +990,7 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
|
|||
|
||||
/* Create the shared key */
|
||||
key = lasso_key_new_for_signature_from_memory("xxxxxxxxxxxxxxxx", 16,
|
||||
NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA1, NULL);
|
||||
NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA256, NULL);
|
||||
check_true(LASSO_IS_KEY(key));
|
||||
|
||||
/* Create an IdP context for IdP initiated SSO with provider metadata 1 */
|
||||
|
|
@ -1640,7 +1640,7 @@ login_saml2_suite()
|
|||
tcase_add_test(tc_spSloSoap, test04_sso_then_slo_soap);
|
||||
tcase_add_test(tc_idpKeyRollover, test05_sso_idp_with_key_rollover);
|
||||
tcase_add_test(tc_spKeyRollover, test06_sso_sp_with_key_rollover);
|
||||
tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha1_signatures);
|
||||
tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha256_signatures);
|
||||
tcase_add_test(tc_spLogin, test08_test_authnrequest_flags);
|
||||
tcase_add_test(tc_ecp, test09_ecp);
|
||||
tcase_add_test(tc_ecp, test10_ecp);
|
||||
|
|
|
|||
Loading…
Reference in New Issue