Make the default signature method and the minimal hash strength configurable (#54037)
Adds two new configure options:
--with-default-sign-algo
--min-hash-algo
--with-default-sign-algo sets the default signing algorithm and defaults
to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and
rsa-sha256.
--min-hash-algo sets the minimum hash algorithm to be accepted. The
default is sha1 for backwards compatibility as well.
Related:
https://dev.entrouvert.org/issues/54037
This commit is contained in:
Jakub Hrozek
parent
f625eaa007
commit
f095ac8f57
42
configure.ac
42
configure.ac
|
|
@ -795,6 +795,43 @@ else
|
|||
AC_MSG_RESULT(no)
|
||||
fi
|
||||
|
||||
AC_ARG_WITH([default-sign-algo],
|
||||
[AS_HELP_STRING([--with-default-sign-algo=[rsa-sha1|rsa-sha256]],
|
||||
[Default signing algorithm (rsa-sha1)]
|
||||
)
|
||||
]
|
||||
)
|
||||
|
||||
SIGNING_ALGO=rsa-sha1
|
||||
if test x"$with_default_sign_algo" != x; then
|
||||
if test ! "$with_default_sign_algo" = "rsa-sha1" -a ! "$with_default_sign_algo" = "rsa-sha256"; then
|
||||
AC_MSG_ERROR("Default signing algorithm must be either rsa-sha1 or rsa-sha256")
|
||||
else
|
||||
SIGNING_ALGO=$with_default_sign_algo
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_DEFINE_UNQUOTED(DEFAULT_SIGNING_ALGO, "$SIGNING_ALGO", ["The default signing algorithm"])
|
||||
|
||||
AC_ARG_WITH([min-hash-algo],
|
||||
[AS_HELP_STRING([--with-min-hash-algo=[sha1|sha256|sha384|sha512]],
|
||||
[Minimal allowed hash algorithm (rsa-sha1)]
|
||||
)
|
||||
]
|
||||
)
|
||||
|
||||
MIN_HASH_ALGO=sha1
|
||||
if test x"$with_min_hash_algo" != x; then
|
||||
if test ! "$with_min_hash_algo" = "sha1" -a ! "$with_min_hash_algo" = "sha256" -a ! "$with_min_hash_algo" = "sha384" -a ! "$with_min_hash_algo" = "sha512"; then
|
||||
AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512)
|
||||
else
|
||||
MIN_HASH_ALGO=$with_min_hash_algo
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_DEFINE_UNQUOTED(MIN_HASH_ALGO, "$MIN_HASH_ALGO", ["The minimal hash algorithm"])
|
||||
|
||||
|
||||
dnl ==========================================================================
|
||||
dnl Pedantic compilation
|
||||
dnl ==========================================================================
|
||||
|
|
@ -939,4 +976,9 @@ Python binding: ${enable_python}
|
|||
|
||||
C API references: ${enable_gtk_doc}
|
||||
Tests suite: ${enable_tests}
|
||||
|
||||
Crypto settings
|
||||
---------------
|
||||
Default signature: ${SIGNING_ALGO}
|
||||
Minimal accepted hash: ${MIN_HASH_ALGO}
|
||||
)
|
||||
|
|
|
|||
|
|
@ -682,7 +682,7 @@ instance_init(LassoServer *server)
|
|||
server->private_key = NULL;
|
||||
server->private_key_password = NULL;
|
||||
server->certificate = NULL;
|
||||
server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
server->signature_method = lasso_get_default_signature_method();
|
||||
|
||||
server->services = g_hash_table_new_full(g_str_hash, g_str_equal,
|
||||
(GDestroyNotify)g_free,
|
||||
|
|
|
|||
|
|
@ -133,6 +133,8 @@ LASSO_EXPORT gchar *lasso_server_get_endpoint_url_by_id(const LassoServer *serve
|
|||
LASSO_EXPORT GList *lasso_server_get_filtered_provider_list(const LassoServer *server,
|
||||
LassoProviderRole role, LassoMdProtocolType protocol_type, LassoHttpMethod http_method);
|
||||
|
||||
LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();
|
||||
void lasso_set_default_signature_method(LassoSignatureMethod meth);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
|
|
|||
|
|
@ -149,6 +149,44 @@ lasso_xmlsec_errors_callback(const char *file G_GNUC_UNUSED, int line G_GNUC_UNU
|
|||
g_log("libxmlsec", G_LOG_LEVEL_DEBUG, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg);
|
||||
}
|
||||
|
||||
static int
|
||||
set_default_signature_method()
|
||||
{
|
||||
int rv = LASSO_ERROR_UNDEFINED;
|
||||
|
||||
if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha256")) {
|
||||
lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
|
||||
rv = 0;
|
||||
} else if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha1")) {
|
||||
lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||
rv = 0;
|
||||
}
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
||||
static int
|
||||
set_min_allowed_hash_algo()
|
||||
{
|
||||
int rv = LASSO_ERROR_UNDEFINED;
|
||||
|
||||
if (lasso_strisequal(MIN_HASH_ALGO, "sha1")) {
|
||||
lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||
rv = 0;
|
||||
} else if (lasso_strisequal(MIN_HASH_ALGO, "sha256")) {
|
||||
lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
|
||||
rv = 0;
|
||||
} else if (lasso_strisequal(MIN_HASH_ALGO, "sha384")) {
|
||||
lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA384);
|
||||
rv = 0;
|
||||
} else if (lasso_strisequal(MIN_HASH_ALGO, "sha512")) {
|
||||
lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA512);
|
||||
rv = 0;
|
||||
}
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
||||
/**
|
||||
* lasso_init:
|
||||
*
|
||||
|
|
@ -164,6 +202,19 @@ int lasso_init()
|
|||
g_type_init();
|
||||
#endif
|
||||
|
||||
/* Set the default hash algo */
|
||||
if (set_default_signature_method() != 0) {
|
||||
message(G_LOG_LEVEL_CRITICAL, "Unsupported signature "
|
||||
"algorithm "DEFAULT_SIGNING_ALGO" configured");
|
||||
return LASSO_ERROR_UNDEFINED;
|
||||
}
|
||||
if (set_min_allowed_hash_algo() != 0) {
|
||||
message(G_LOG_LEVEL_CRITICAL, "Unsupported hash algorithm "
|
||||
"algorithm "MIN_HASH_ALGO" configured");
|
||||
return LASSO_ERROR_UNDEFINED;
|
||||
}
|
||||
|
||||
|
||||
/* Init Lasso classes */
|
||||
for (i=0; functions[i]; i++)
|
||||
functions[i]();
|
||||
|
|
|
|||
|
|
@ -1505,16 +1505,6 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
|
|||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha512Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha512Id) < 0)
|
||||
|
|
@ -1523,15 +1513,62 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
|
|||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed signature transforms");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA384) {
|
||||
if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0)) {
|
||||
|
||||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 signature transforms");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) {
|
||||
|
||||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 reference transforms");
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA256) {
|
||||
if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0)) {
|
||||
|
||||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 signature transforms");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) {
|
||||
|
||||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 reference transforms");
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA1) {
|
||||
if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
|
||||
|
||||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 signature transforms");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) {
|
||||
|
||||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 reference transforms");
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NWithCommentsId) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
|
||||
|
||||
|
|
|
|||
|
|
@ -91,6 +91,10 @@ GHashTable *dst_services_by_prefix = NULL; /* ID-WSF 1 extra DST services, index
|
|||
GHashTable *idwsf2_dst_services_by_href = NULL; /* ID-WSF 2 DST services, indexed on href */
|
||||
GHashTable *idwsf2_dst_services_by_prefix = NULL; /* ID-WSF 2 DST services, indexed on prefix */
|
||||
|
||||
|
||||
static LassoSignatureMethod default_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
static LassoSignatureMethod min_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
|
||||
/*****************************************************************************/
|
||||
/* global methods */
|
||||
/*****************************************************************************/
|
||||
|
|
@ -3689,3 +3693,23 @@ lasso_node_new_from_saml2_query(const char *url_or_qs, const char *param_name, L
|
|||
cleanup:
|
||||
return result;
|
||||
}
|
||||
|
||||
LassoSignatureMethod
|
||||
lasso_get_default_signature_method() {
|
||||
return default_signature_method;
|
||||
}
|
||||
|
||||
void
|
||||
lasso_set_default_signature_method(LassoSignatureMethod meth) {
|
||||
default_signature_method = meth;
|
||||
}
|
||||
|
||||
LassoSignatureMethod
|
||||
lasso_get_min_signature_method() {
|
||||
return min_signature_method;
|
||||
}
|
||||
|
||||
void
|
||||
lasso_set_min_signature_method(LassoSignatureMethod meth) {
|
||||
min_signature_method = meth;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -116,6 +116,15 @@ typedef enum {
|
|||
LASSO_SIGNATURE_METHOD_LAST
|
||||
} LassoSignatureMethod;
|
||||
|
||||
/* signature method and hash strength */
|
||||
LassoSignatureMethod lasso_get_default_signature_method();
|
||||
|
||||
void lasso_set_default_signature_method(LassoSignatureMethod meth);
|
||||
|
||||
LassoSignatureMethod lasso_get_min_signature_method();
|
||||
|
||||
void lasso_set_min_signature_method(LassoSignatureMethod meth);
|
||||
|
||||
static inline gboolean
|
||||
lasso_validate_signature_method(LassoSignatureMethod signature_method)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ START_TEST(test01_server_new)
|
|||
fail_unless(server->private_key != NULL);
|
||||
fail_unless(server->private_key_password == NULL);
|
||||
fail_unless(server->certificate != NULL);
|
||||
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||
fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||
fail_unless(provider->ProviderID != NULL);
|
||||
fail_unless(provider->role == 0);
|
||||
fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL));
|
||||
|
|
@ -115,7 +115,7 @@ START_TEST(test01_server_new)
|
|||
fail_unless(server->private_key != NULL);
|
||||
fail_unless(server->private_key_password == NULL);
|
||||
fail_unless(server->certificate != NULL);
|
||||
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||
fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||
fail_unless(server->providers != NULL);
|
||||
fail_unless(provider->ProviderID != NULL);
|
||||
fail_unless(provider->role == 0, "provider->role != 0 => provider := %d", provider->role);
|
||||
|
|
@ -143,7 +143,7 @@ START_TEST(test02_server_add_provider)
|
|||
fail_unless(server->private_key != NULL);
|
||||
fail_unless(! server->private_key_password);
|
||||
fail_unless(server->certificate != NULL);
|
||||
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||
fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||
fail_unless(server->providers != NULL);
|
||||
lasso_server_add_provider(
|
||||
server,
|
||||
|
|
|
|||
Loading…
Reference in New Issue