summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2021-02-24 23:15:17 (GMT)
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2021-02-26 15:32:07 (GMT)
commitbc5dbd754a25d55f44d1d497a8d9e90ca22bfa09 (patch)
tree4be98bc6041d1bf5e88e629c8607b091385d6ee5
parentf912e8d1efe89e22c26078e4c869ffe4f393e4e7 (diff)
downloadlasso-bc5dbd754a25d55f44d1d497a8d9e90ca22bfa09.zip
lasso-bc5dbd754a25d55f44d1d497a8d9e90ca22bfa09.tar.gz
lasso-bc5dbd754a25d55f44d1d497a8d9e90ca22bfa09.tar.bz2
Return early with an error if signature of any assertion fails (#51419)
Some IdP do not sign their Response message, in this case any assertion can be added to the Response message. We also fix the following rule: the first assertion is always the one returned as the main assertion by the API, the one returned by lasso_login_get_assertion().
-rw-r--r--lasso/saml-2.0/login.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 0d4bb1d..9a03548 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1413,8 +1413,6 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
lasso_foreach_full_begin(LassoSaml2Assertion*, assertion, it, samlp2_response->Assertion);
LassoSaml2Subject *subject = NULL;
- lasso_assign_gobject (login->private_data->saml2_assertion, assertion);
-
/* If signature has already been verified on the message, and assertion has the same
* issuer as the message, the assertion is covered. So no need to verify a second
* time */
@@ -1426,7 +1424,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
assertion);
/* If signature validation fails, it is the return code for this function */
if (assertion_signature_status) {
- rc = LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
+ goto_cleanup_with_rc(assertion_signature_status);
}
}
@@ -1438,16 +1436,23 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
const char *in_response_to = lasso_saml2_assertion_get_in_response_to(assertion);
if (lasso_strisnotequal(in_response_to,login->private_data->request_id)) {
- rc = LASSO_LOGIN_ERROR_ASSERTION_DOES_NOT_MATCH_REQUEST_ID;
- goto cleanup;
+ goto_cleanup_with_rc(LASSO_LOGIN_ERROR_ASSERTION_DOES_NOT_MATCH_REQUEST_ID);
}
}
/** Handle nameid */
lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile,
&subject->NameID, &subject->EncryptedID));
+
lasso_foreach_full_end();
+ /* If there are assertions, use the first as the main one */
+ if (samlp2_response->Assertion) {
+ lasso_assign_gobject (login->private_data->saml2_assertion, (LassoSaml2Assertion*)samlp2_response->Assertion->data);
+ }
+
+
+cleanup:
switch (verify_hint) {
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
@@ -1461,7 +1466,6 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
default:
g_assert(0);
}
-cleanup:
return rc;
}