Release 2.8.0

commit 6e1306c0f8
parent ade1436675

1 file changed: ChangeLog (960 lines)

@@ -1,3 +1,963 @@
2022-03-15 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Release 2.8.0
https://dev.entrouvert.org/projects/lasso/wiki/Check_List_Nouvelle_Version

2022-03-14 Frédéric Péters <fpeters@entrouvert.com>

debian: sync bullseye packaging with upstream debian.org (#62756)

2022-02-28 Frédéric Péters <fpeters@entrouvert.com>

jenkins: add bullseye to packaging targets

2021-11-20 Frédéric Péters <fpeters@entrouvert.com>

debian: sync bullseye packaging with upstream debian.org (#58788)

debian: init debian-bullseye as a copy of debian buster (#58788)

2021-09-28 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Does not decref boolean constants (#57268)
TRUE/FALSE are special references in CPython bindings whose reference
count must never be updated.

2021-09-13 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Keep ABI stability (#56883)
The following functions where part of the experimental ID-WSF support
recently removed but where incorrectly included in the official ABI, so we
restore dummy versions of them (they do nothing or return NULL):
- lasso_get_prefix_for_dst_service_href
- lasso_get_prefix_for_idwsf2_dst_service_href
- lasso_register_dst_service
- lasso_register_idwsf2_dst_service

2021-09-11 Benjamin Dauvergne <bdauvergne@entrouvert.com>

debian: update liblasso3.symbols

2021-09-11 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Clear Python error indicator after logging (#56572)
Lasso log using the GLib logging API and the Python binding install a
hook to delegate logging to a Python logger named "lasso".

During the logging call the error indicator can be set to signal an
exception. The indicator will still be set when we return from the Lasso
API call, and is not handled by the Python wrapping of the C functions.
If our function returns a non-NULL value, the Python interpreter will
raise because this situation is forbidden.

To prevent it, if we detect that an exception occurred during logging
calls, we print it to stderr, clear the error indicator and return
immediately.

2021-09-11 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Change default key encryption padding algorithm to RSA-OAEP (#56023)
The key encryption padding algorithm is now configurable, the default
being changed to OAEP. It's possible to set the default through
./configure with:

--with-default-key-encryption-method=[rsa-pkcs1|rsa-oaep]

at initialization time with an environment variable:

LASSO_DEFAULT_KEY_ENCRYPTION_METHOD=[rsa-pkcs1|rsa-oaep]

or at runtime for a service provider:

lasso_provider_set_key_encryption_method(LassoProvider *provider,
LassoKeyEncryptionMethod key_encryption_method)

The setting is global for all encrypted nodes (Assertion or NameID).

2021-09-11 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Python: fix formatting (#56023)

Remove win32 directory (#56645)
It's obsolete.

Remove ID-WSF 1.0, 2.0 and WS-* support (#56644)
It has been deprecated for a long time.

2021-09-03 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Fix warning about int conversion
saml2_authn_context.c:77:3: warning: initialization of ‘unsigned int’ from ‘void *’
makes integer from pointer without a cast [-Wint-conversion]

2021-07-16 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Prevent multiple OneTimeUse elements (#52961)
"A SAML authority MUST NOT include more than one <OneTimeUse> element within a
<Conditions>element of an assertion"

2021-07-13 Benjamin Dauvergne <bdauvergne@entrouvert.com>

python: clear warnings about PY_SSIZE_T_CLEAN (#55561)
Using the python3 bindings on recent python3 >=3.8 versions shows:

DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

https://docs.python.org/3.9/whatsnew/changelog.html?highlight=py_ssize_t_clean#id193

2021-07-13 Benjamin Dauvergne <bdauvergne@entrouvert.com>

python: clear warnings about assertX methods (#55561)

2021-06-24 Jakub Hrozek <jhrozek@redhat.com>

test13_test_lasso_server_load_metadata: Don't verify signature if lasso is not configured with sha-1 (#54037)

python: Skip the DSA key test unless SHA-1 is configured (#54037)
lasso supports DSA-XXX only with SHA-1. The alternative is to use
DSA-SHA256.

2021-06-24 Jakub Hrozek <jhrozek@redhat.com>

Check if the signature method is allowed in addition to being valid (#54037)
Adds a new utility function lasso_allowed_signature_method() that checks
if the signature method is allowed. Previously, the code would only
check if the method was valid.

This new function is used whenever lasso_validate_signature_method was
previously used through lasso_ok_signature_method() which wraps both
validate and allowed.

lasso_allowed_signature_method() is also used on a couple of places,
notably lasso_query_verify_helper().

Related:
https://dev.entrouvert.org/issues/54037

2021-06-23 Jakub Hrozek <jhrozek@redhat.com>

Mass-replace LASSO_SIGNATURE_METHOD_RSA_SHA1 with lasso_get_default_signature_method() (#54037)
This should be backwards-compatible but at the same time use the
selected default instead of RSA-SHA1.

Related:
https://dev.entrouvert.org/issues/54037

2021-06-23 Jakub Hrozek <jhrozek@redhat.com>

Make the default signature method and the minimal hash strength configurable (#54037)
Adds two new configure options:
--with-default-sign-algo
--min-hash-algo

--with-default-sign-algo sets the default signing algorithm and defaults
to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and
rsa-sha256.

--min-hash-algo sets the minimum hash algorithm to be accepted. The
default is sha1 for backwards compatibility as well.

Related:
https://dev.entrouvert.org/issues/54037

2021-06-23 Jakub Hrozek <jhrozek@redhat.com>

tests: Move test08_lasso_key and test07_saml2_query_verify_signature to SHA256 (#54037)
These tests use a hardcoded query and private key which makes it
unsuitable to make the tests use the configured default digest. Let's
just convert them to SHA256 unconditionally.

Fix lasso_query_sign HMAC other than SHA1 (#54037)
The switch clause was using SHA1 digests for all digest types when
signing. This obviously breaks verifying the signatures if HMAC-SHAXXX
is used and XXX is something else than 1.

2021-06-01 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Release 2.7.0

2021-06-01 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Fix signature checking on unsigned response with multiple assertions
CVE-2021-28091 : when AuthnResponse messages are not signed (which is
permitted by the specifiation), all assertion's signatures should be
checked, but currently after the first signed assertion is checked all
following assertions are accepted without checking their signature, and
the last one is considered the main assertion.

This patch :
* check signatures from all assertions if the message is not signed,
* refuse messages with assertion from different issuers than the one on
the message, to prevent assertion bundling event if they are signed.

2021-04-07 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Jenkinsfile: update name of main branch

2021-03-09 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Python: improve display of warnings in the binding generator

2021-02-26 Benjamin Dauvergne <bdauvergne@entrouvert.com>

replace deprecated index() by strchr() (#51385)

2021-02-25 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Fix: new provider reference count is incremented one time too many (#51420)

2021-02-24 Benjamin Dauvergne <bdauvergne@entrouvert.com>

docs: update gtk-doc-tools integration (#50441)
Using reference documentation on https://developer.gnome.org/gtk-doc-manual/stable/index.html.en

bindings: disable java tests when java is disabled

2021-02-24 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Fix: python3 bindings (#51249)
The __str__ method called itself, resulting in an RecursionError.

======================================================================
ERROR: test14 (__main__.BindingTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./binding_tests.py", line 336, in test14
assert isinstance(str(cm.exception), str)
File "../lasso.py", line 69, in __str__
return '<lasso.%s: %s>' % (self.__class__.__name__, self)
File "../lasso.py", line 69, in __str__
return '<lasso.%s: %s>' % (self.__class__.__name__, self)
File "../lasso.py", line 69, in __str__
return '<lasso.%s: %s>' % (self.__class__.__name__, self)
[Previous line repeated 489 more times]
File "../lasso.py", line 68, in __str__
if sys.version_info >= (3,):
RecursionError: maximum recursion depth exceeded in comparison

----------------------------------------------------------------------

2021-02-23 Benjamin Dauvergne <bdauvergne@entrouvert.com>

configure.ac: disable java bindings

2020-12-26 Frédéric Péters <fpeters@entrouvert.com>

build: update to use origin/main

2020-10-12 Benjamin Dauvergne <bdauvergne@entrouvert.com>

debian: add packaging for debian-buster

jenkins.sh: build against all available python versions (#44287)

python: do not leak out_pyvalue if method call protocol is not respected (#44287)

python: do not raise in valid_seq() (#44287)

python: return NULL if get_list_of_strings() fails (#44287)

python: return NULL if get_list_of_pygobject fails (#44287)

python: return NULL if get_list_of_xml_nodes fails (#44287)

python: return NULL if set_list_of_pygobject fails (#44287)

python: return NULL if set_list_of_xml_nodes fails (#44287)

python: return NULL if set_list_of_strings fails (#44287)

python: return NULL if set_hashtable_of_strings fails (#44287)

python: return NULL if set_hashtable_of_pygobject fails (#44287)

python: free internal string buffer if needed in set_list_of_strings (#44287)

python: check if hashtable is NULL before deallocatio (#44287)n

python: add a failure label to method wrappers (#44287)
To separate wrapping code from unwinding and error handling code.

python: add macro for early return (#44287)

python: remove newline before method call (#44287)

python: simplify get_logger_object (#44287)

python: fix warning about discarded const modifier (#44287)

python: replace exception by warning on logging path (#44287)

python: use simpler call format to prevent warning about PY_SSIZE_T_CLEAN (#44287)

python: remove deprecated PyErr_Warn (#44287)

python: remove unused PyString_Size (#44287)

2020-08-21 Benjamin Dauvergne <bdauvergne@entrouvert.com>

python: Exception.message was removed in python3 (#45995)

2020-08-14 Benjamin Dauvergne <bdauvergne@entrouvert.com>

tools: reimplement xmlURIEscapeStr to respect RFC3986 (#45581)
Bugfix by Emmanuel Dreyfus.

License: MIT

2020-08-11 Benjamin Dauvergne <bdauvergne@entrouvert.com>

configure.ac: support php7 interpreter on CentOS 8 (#42299)

2020-04-22 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Release 2.6.1

Keep order of SessionIndexes

Clear SessionIndex when private SessionIndexes is empty (#41950)

2020-03-26 Benjamin Dauvergne <bdauvergne@entrouvert.com>

misc: clear warnings about class_init signature using coccinelle
$ spatch --in-place --sp-file add-second-arg-to-class-init.cocci `git grep -l -C1 ^class_init \*.c`
$ sed -i 's/\*unused\>/*unused G_GNUC_UNUSED/' `git grep -l 'void \*unused'`

tests: fix compilation with check>0.12 (#39101)

2020-03-05 Bernhard M. Wiedemann <bwiedemann@suse.de>

Sort input file lists (#40454)
so that lasso.py, lasso/types.c and liblasso.so.3.13.0
build reproducibly
in spite of indeterministic filesystem readdir order.
For some reason, lasso/extract_sections.py lasso/extract_symbols.py
do not need such patches to get a reproducible openSUSE package.

See https://reproducible-builds.org/ for why this is good.

This patch was done while working on reproducible builds for openSUSE.

License: MIT

2019-09-09 Benjamin Dauvergne <bdauvergne@entrouvert.com>

debian: disable php7 (#28608)

2019-09-09 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net>

Modify .gitignore for PHP 7 binding (#28608)
License: MIT

Add PHP 7 binding (#28608)
License: MIT

2019-09-09 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Fix tests broken by new DEBUG logs (#12829)

2019-09-06 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Improve error logging during node parsing (#12829)

Improve configure compatibility (#32425)

Improve compatibility with Solaris (#32425)

2019-09-05 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Fix reference count in lasso_server_add_provider2 (fixes #35061)
As implemented lasso_server_add_provider2 could not be used as a publik
API as it dit not increase the reference count of the LassoProvider
object before adding it to the providers hashtable.

lasso_server_add_provider_helper had to be modified to decrement the
reference count of the new LassoProvider object after using
lasso_server_add_provider2.

2019-09-05 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Fix python multi-version builds on jessie and stretch
debian/rules supposed that lasso Makefile would always prefer python2 to
python3, it's not the case anymore. Also recent python3 improvements to
bindings scripts did not work with python 3.5 on jessie (on jessie/3.5
default open() encoding is still ASCII not UTF-8 as with the default
UTF-8 of later python3 versions).

2019-08-27 Thomas NOEL <tnoel@entrouvert.com>

docs/xsltproc: do not use Internet to fetch DTDs, entities or documents (#35590)

2019-07-04 Benjamin Dauvergne <bdauvergne@entrouvert.com>

fix missing include <strings.h> for index() (fixes #33791)
tests/basic_tests.c:2141:7: warning: implicit declaration of function 'index' [-Wimplicit-function-declaration]
qs = index(authnRequestUrl, '?') + 1;
^~~~~
tests/basic_tests.c:2141:7: warning: incompatible implicit declaration of built-in function 'index'

2019-07-03 Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>

PAOS: Do not populate "Destination" attribute
When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
populates an AuthnRequest with the "Destination" attribute set to
AssertionConsumerURL of an SP - this leads to IdP-side errors because
the destination attribute in the request does not match the IdP URL.

The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
avoid setting that optional attribute because an ECP decides which IdP
to use, not the SP.

Fixes Bug: 34409
License: MIT

2019-07-02 Benjamin Dauvergne <bdauvergne@entrouvert.com>

export symbol lasso_log (#33784)
The symbol lasso_log has to be exported, otherwise Solaris run-time linker
fails due to an unresolved symbol dependency.

2019-06-11 Benjamin Dauvergne <bdauvergne@entrouvert.com>

tests: use self-generated certificate to sign federation metadata file (#33823)
Generation procedure :

openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 99999 -out rootCA.crt
openssl genrsa -out lasso.key 2048
openssl req -new -sha256 -key lasso.key -subj "/C=FR/CN=Lasso" -out lasso.csr
openssl x509 -req -in lasso.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out lasso.crt -days 99999 -sha256
openssl pkcs12 -export -inkey lasso.key -password pass: -in lasso.crt -name lasso -out lasso.pkcs12
xmlsec1 --sign --output renater.xml --trusted-pem rootCA.crt --pwd "" --pkcs12 lasso.pkcs12 metadata/renater-metadata.xml
xmlsec1 --verify --trusted-pem rootCA.crt metadata/renater-metadata.xml

2019-05-23 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Do not ignore WantAuthnRequestSigned value with hint MAYBE (fixes #33354)
Bug introduced in commit 394680712.

Use io.open(encoding=utf8) in extract_symbols/sections.py (fixes #33360)

2019-01-19 Benjamin Dauvergne <bdauvergne@entrouvert.com>

xml: adapt schema in saml2:AuthnContext (#29340)
saml2:AuthnContext XML schema indicate that AuthenticatingAuthority is
an optional unbounded list of nodes, but the current Lasso schema only
handle an unique element. To prevent Lasso from refusing perfectly legal
messages, we add a rule to the Lasso ignoring other nodes after the
first one.

2019-01-11 John Dennis <jdennis@redhat.com>

Fix ECP signature not found error when only assertion is signed (#26828)
With a SAML Authn Response either the message or the assertion
contained in the response message or both can be signed. Most IdP's
sign the message. This fixes a bug when processing an ECP authn
response when only the assertion is signed.

lasso_saml20_profile_process_soap_response_with_headers() performs a
signature check on the SAML message. A signature can also appear on
the assertion which is checked by
lasso_saml20_login_process_response_status_and_assertion() The problem
occurred when the message was not signed and
lasso_saml20_profile_process_soap_response_with_headers() returned
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
actually an error because we haven't checked the signature on the
assertion yet. We were returning the first
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
signature check in
lasso_saml20_login_process_response_status_and_assertion() succeeded.

The ECP unit tests were enhanced to cover these cases.

The enhanced unit test revealed a problem in two switch statements
operating on the return value of
lasso_profile_get_signature_verify_hint() which were missing a case
statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused
an abort due to an unknown enumeration value.

Fixes Bug: 26828
License: MIT

2018-10-15 Benjamin Dauvergne <bdauvergne@entrouvert.com>

extract_types.py: force io to use UTF-8 encoding (fixes #27332)

2018-10-14 Benjamin Dauvergne <bdauvergne@entrouvert.com>

add Jenkinsfile

xml: fix parsing of saml:AuthnContext (fixes #25640)
Decl/DeclRef are alternatives, when matching a Decl we should jump over
the DeclRef.

2018-07-24 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Remove -Werror from --enable-debugging (fixes #24771)
GCC 8 has better warnings and it breaks the build on platform already
using it and wanting debugging symbols.

Move AC_SUBST declaration for AM_CFLAGS with alike (#24771)
Just to reorder things properly in configure.ac.

Clean python cache when building python3 binding
Python3 store .pyc cache in hidden directory __pycache__, distcheck
complained that the source directory was not completely clean after a
distclean.

2018-07-24 John Dennis <jdennis@redhat.com>

Configure should search for versioned Python interpreter.
Following the guidelines in Python PEP 394 with regards to the python
command on UNIX like systems preference should be given to explicitly
versioned command interpreter as opposed to unversioned and that an
unversioned python command should (but might not) refer to
Python2. Also in some environments unversioned Python interpreters
(e.g. /usr/bin/python) do not even exist, onlyh their explicitly
versioned variants are (e.g. /usr/bin/python2 and /usr/bin/python3).

Therefore the AC_CHECK_PROGS directive in configure.ac should not rely
exclusively on an unversioned Python interpreter as it does not,
rather it should search in priority order. First for python3, then for
an unversionsed python because some distributions have already moved
the default unversioned python to python3, and then finally search for
python2. In the scenario where unversioned python is still pointing to
python2 it's equivalent to selecting the last prority option of
python2, but if unversioned python is pointing to python3 you get
instead. The net result is always preferring python3 but gracefully
falling back to python2 not matter how the environment exports it's
Python.

If AC_CHECK_PROGS for python does not check for the versioned variants
the build fails in environments that only have versioned variants with
this error:

configure: error: Python must be installed to compile lasso

License: MIT

2018-07-24 John Dennis <jdennis@redhat.com>

Make more Python scripts compatible with both Py2 and Py3
While porting other Python code in the repo to run under Py3 (as well
as Py2) it was discovered there were a number of other Python scripts
which also needed porting. However these scripts are never invoked
during a build so there was no easy way to test the porting work. I
assume these scripts are for developers only and/or are
historical. Because there was no way for me to test the porting
changes on these scripts I did not want to include the changes in the
patch for the Py3 porting which fixed scripts that are invoked during
the build (the former patch is mandatory, this patch is optional at
the moment). I did verify the scripts compile cleanly under both Py2
and Py3, however it's possible I missed porting something or the error
does not show up until run-time.

Examples of the required changes are:

* Replace use of the built-in function file() with open(). file()
does not exist in Py3, open works in both Py2 and Py3. The code was
also modified to use a file context manager (e.g. with open(xxx) as
f:). This assures open files are properly closed when the code block
using the file goes out of scope. This is a standard modern Python
idiom.

* Replace all use of the print keyword with the six.print_()
function, which itself is an emulation of Py3's print function. Py3
no longer has a print keyword, only a print() function.

* The dict methods .keys(), .values(), .items() no longer return a
list in Py3, instead they return a "view" object which is an
iterator whose result is an unordered set. The most notable
consequence is you cannot index the result of these functions like
your could in Py2 (e.g. dict.keys()[0] will raise a run time
exception).

* Replace use of StringIO.StringIO and cStringIO with
six.StringIO. Py3 no longer has cStringIO and the six variant
handles the correct import.

* Py3 no longer allows the "except xxx, variable" syntax, where
variable appering after the comma is assigned the exception object,
you must use the "as" keyword to perform the variable assignment
(e.g. execpt xxx as variable)

* Python PEP 3113 removed tuple parameter unpacking. Therefore you can
no longer define a formal parameter list that contains tuple
notation representing a single parameter that is unpacked into
multiple arguments.

License: MIT

2018-07-24 John Dennis <jdennis@redhat.com>

Downcase UTF-8 file encoding name
Python and Emacs (and others?) recognize a special directive line in a
file that identifies what encoding the file is encoded in. See Python
PEP 263. For example:

The general form of the directive is:

where xxx is the name of a codec. Python codec names are lower case
with underscores used to seperate words.

In both Python and Emacs one can create aliases for the codecs so you
can use an alternate name to refer to the same codec.

Python is forgiving with respect to case, underscore and
hyphens. Python will automatically create an alias for a codec name by
downcasing it and replacing hyphens with underscores, thus "UTF-8" is
actually an alias for the "utf_8" codec. Unfortunately emacs does not
automatically create such aliases, although one can add aliases via a
custom initialization file, but doing so requires every user using
emacs to edit the files to manually create their own aliases.

If you try to write a file in emacs with the "UTF-8" codec name it
won't recognize it as "utf-8", instead you'll get errors like this:

Warning (mule): Invalid coding system ‘UTF-8’ is specified
for the current buffer/file by the :coding tag.
It is highly recommended to fix it before writing to a file.

and you must force the file to be written by responding to additional
propmpts.

This patch simply downcases the the "UTF-8" codec name to "utf-8" so
that both Python and Emacs will accept the codec name.

License: MIT

2018-07-24 John Dennis <jdennis@redhat.com>

fix duplicate definition of LogoutTestCase and logoutSuite
Commit 6f617027e added a duplicate definition of the LogoutTestCase
class containing only 1 test which shaddowed the original
LogoutTestCase containing 4 tests. The logoutSuite variable was also
shadowed and the allTests variable contained a duplicate of
logoutSuite causing the 2nd definition of LogoutTestCase to be run
twice.

Not only were the original 4 tests not being run but the entire unit
test in profiles_tests.py was failing under Python3. This is because
the unittest code in Py3 deletes a test from it's list of tests to run
once it's been run. The second time the logoutSuite was invoked it no
longer contained any tests which caused an exception to be raised
because there were no tests to be run.

License: MIT

2018-07-24 John Dennis <jdennis@redhat.com>

Make Python scripts compatible with both Py2 and Py3
During the build if the Python3 interpreter is used a number of
scripts will fail because they were never ported from Py2 to Py3. In
general we want Python code to be compatible with both Py2 and
Py3. This patch brings the scripts up to date with Py3 but retains
backwards compatibility with Py2 (specifically Py 2.7, the last Py2
release).

Examples of the required changes are:

* Replace use of the built-in function file() with open(). file()
does not exist in Py3, open works in both Py2 and Py3. The code was
also modified to use a file context manager (e.g. with open(xxx) as
f:). This assures open files are properly closed when the code block
using the file goes out of scope. This is a standard modern Python
idiom.

* Replace all use of the print keyword with the six.print_()
function, which itself is an emulation of Py3's print function. Py3
no longer has a print keyword, only a print() function.

* The dict methods .keys(), .values(), .items() no longer return a
list in Py3, instead they return a "view" object which is an
iterator whose result is an unordered set. The most notable
consequence is you cannot index the result of these functions like
your could in Py2 (e.g. dict.keys()[0] will raise a run time
exception).

* Replace use of StringIO.StringIO and cStringIO with
six.StringIO. Py3 no longer has cStringIO and the six variant
handles the correct import.

* Py3 no longer allows the "except xxx, variable" syntax, where
variable appering after the comma is assigned the exception object,
you must use the "as" keyword to perform the variable assignment
(e.g. execpt xxx as variable)

Note: the modifications in this patch are the minimum necessary to get
the build to run with the Py3 interpreter. There are numerous other
Python scripts in the repo which need Py3 porting as well but because
they are not invoked during a build they will be updated in a
subsequent patch.

License: MIT

2018-07-24 John Dennis <jdennis@redhat.com>

Use python interpreter specified configure script
The configure script allows you to specify the python interpreter to
use via the --with-python option. There were several places where the
python interpreter was implicity invoked without using the specified
version. This can create a number of problems in an environment with
multiple python versions as is the case during the transition from
Python 2 to Python 3. Python 2 is not compatible with Python
3. Lasso's Python code is supposed to be compatible with both
versions. But during the build and when running the unit tests it is
essential the same interpreter be used consistently otherwise you can
have problems.

This patch assures whenever python is invoked it does so via the
$(PYTHON) configuration variable.

What about shebang lines (e.g #/usr/bin/python) at the top of scripts?
Python PEP 394 (https://www.python.org/dev/peps/pep-0394/) covers
this. Basically it says if a script is compatible only with Py2 the
shebang should be #/usr/bin/python2, if only compatible with Py3 the
shebang should be #/usr/bin/python3. However, if the script is
compatible with both versions it can continue to use the
compatible with both Py2 and Py3.

License: MIT

2018-06-28 Benjamin Dauvergne <bdauvergne@entrouvert.com>

tools: set output buffer size in lasso_inflate to 20 times the input size (fixes #24853)

jenkins.sh: add a make clean to prevent previous build to break new ones

tools: fix segfault in lasso_get_saml_message (fixes #24830)
We reuse the "message" local variable but we should not.
Also fix a segfault in lasso_xmltextreader_from_message() when getting
the length of "message" before checking if it is NULL or not.

2018-06-28 Frédéric Péters <fpeters@entrouvert.com>

python: add a classmethod for lasso.profileGetIssuer (#24831)

2018-06-27 Frédéric Péters <fpeters@entrouvert.com>

faq: fix references to lasso.profileGetIssuer (#24832)

debian: sync with debian package (#24595)

2018-06-14 Benjamin Dauvergne <bdauvergne@entrouvert.com>

website: add news about 2.6.0 release

2018-05-30 Benjamin Dauvergne <bdauvergne@entrouvert.com>

Release 2.6.0

perl/tests: build Makefile.perl before running the tests

2018-05-01 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
deprecate loading PEM formatted public keys in lasso_xmlsec_load_key_info
|
||||
Also ensure work-around bug[1] in libxmlsec 1.2.24 and 1.2.25.
|
||||
|
||||
[1]: https://github.com/lsh123/xmlsec/issues/164
|
||||
|
||||
2018-05-01 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
add a pem-public-key runtime flag
|
||||
We want to deprecate support for loading PEM formatted key
|
||||
from ds:KeyValue nodes, before final removal it will have to be activated
|
||||
through a runtime flag (using LASSO_FLAG environment variable).
|
||||
|
||||
2018-04-30 John Dennis <jdennis@redhat.com>
|
||||
|
||||
Replace xmlSecSoap functions with lasso implementations
|
||||
xmlsec has removed support for SOAP. The missing xmlSecSoap* functions
|
||||
and their dependent utiliity functions were added to Lasso following
|
||||
the model of the existing xmlSec implmentations.
|
||||
|
||||
Note: Lasso tried to accommodate both SOAP 1.1 and SOAP 1.2 but SAML2
|
||||
*only* uses SOAP 1.1 thus the SOAP 1.2 support was superfluous and
|
||||
confused matters. Therefire the SOAP 1.2 support was removed.
|
||||
|
||||
The following new functions were added to Lasso to support SOAP:
|
||||
|
||||
* lasso_xml_next_element_node
|
||||
* lasso_xml_get_node_ns_href
|
||||
* lasso_xml_is_element_node
|
||||
* lasso_xml_soap11_get_header
|
||||
* lasso_xml_soap11_get_body
|
||||
|
||||
The following is the mapping from the deprecated xmlSecSoap symbols
|
||||
to the new Lasso symbols:
|
||||
|
||||
xmlSecSoap11Ns -> LASSO_SOAP_ENV_HREF
|
||||
xmlSecGetNextElementNode -> lasso_xml_next_element_node
|
||||
xmlSecGetNodeNsHref -> lasso_xml_get_node_ns_href
|
||||
xmlSecCheckNodeName -> lasso_xml_is_element_node
|
||||
xmlSecSoap11GetHeader -> lasso_xml_soap11_get_header
|
||||
xmlSecSoap11GetBody -> lasso_xml_soap11_get_body
|
||||
|
||||
This patch also extends the automake version support in autogen.sh to the
|
||||
current 1.16 version.
|
||||
|
||||
License: MIT
|
||||
|
||||
2018-04-30 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
perl: set DESTDIR and PREFIX at Makefile's creation
|
||||
|
||||
2018-04-29 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
perl: force use of the in-tree lasso when running tests (fixes #23276)
|
||||
|
||||
python: route logs for libxml2 and libxmlsec2 to their own logger
|
||||
|
||||
2018-04-06 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
add xmlsec_soap.h to Makefile
|
||||
|
||||
java: stop setting a bytecode version target
|
||||
|
||||
tests: prevent crash in glib caused by abort on recursive logging
|
||||
The fail() function from libcheck is doing a longjump() from inside the
|
||||
logging subsystem, preventing the depth counter to be reinitialised to 0.
|
||||
(Seen with g_private_get(&g_log_depth) in a gdb session).
|
||||
|
||||
route logs from libxml2 and libxmlsec through GLib logging
|
||||
|
||||
fix get_issuer and get_in_response_to
|
||||
|
||||
fix warnings
|
||||
|
||||
replace use of <xmlsec/soap.h> which is deprecated (fixes #18771)
|
||||
|
||||
2018-02-10 Frédéric Péters <fpeters@entrouvert.com>
|
||||
|
||||
debian: initialize stretch packaging with a copy of upstream debian (#21772)
|
||||
|
||||
2017-09-11 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
saml-2.0: improve support for free content inside samlp2:Extensions (fixes #18581)
|
||||
Four new accesors:
|
||||
|
||||
lasso_samlp2_extensions_get_any
|
||||
lasso_samlp2_extensions_set_any
|
||||
lasso_samlp2_extensions_get_attributes
|
||||
lasso_samlp2_extensions_set_attributes
|
||||
|
||||
The two new pseudo field are fully supported in the python binding.
|
||||
|
||||
node = lasso.Samlp2Extensions()
|
||||
node.any = '<test>ok</test>'
|
||||
node.attributes = {'{http://entrouvert.org/}attribute1': 'value'}
|
||||
print node.dump()
|
||||
|
||||
2017-08-12 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
ignore unknown attributes from the xsi: namespace
|
||||
|
||||
add defined for the XML namespace
|
||||
|
||||
jenkins.sh: add V=1
|
||||
|
||||
2016-08-04 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
fix definitions of error, critical and warning macros (fixes #12830)
|
||||
They all log at the DEBUG level instead of their respective levels.
|
||||
|
||||
tests: convert log level as string
|
||||
|
||||
2016-06-18 John Dennis <jdennis@redhat.com>
|
||||
|
||||
Fix ecp test validate_idp_list() (fixes #11421)
|
||||
validate_idp_list was not using the correct list elements when it
|
||||
iterated over the known_sp_provided_idp_entries_supporting_ecp list.
|
||||
It treated them as lists of strings instead of lists of
|
||||
LassoSamlp2IDPEntry.
|
||||
|
||||
License: MIT
|
||||
|
||||
2016-06-15 John Dennis <jdennis@redhat.com>
|
||||
|
||||
enable user supplied CFLAGS
|
||||
CFLAGS is initialized to the empty string in configure.ac, this
|
||||
effectively turned off user supplied values for CFLAGS preventing site
|
||||
specific values from being used. A further complicating factor was of
|
||||
all the user supplied values documented in Automake only CFLAGS was
|
||||
disabled allowing all other user supplied variables to take
|
||||
effect. Some variables must be coordinated (e.g. CFLAGS with LDFLAGS),
|
||||
the fact LDFLAGS was picked up from the environment but CFLAGS was
|
||||
discarded caused build failures due to incompatible combination of
|
||||
compiler and linker options.
|
||||
|
||||
The problem was first introduced in commit: 73d9c98f "Reset CFLAGS
|
||||
when --enable-debugging is used". This patch simply removes hardcoding
|
||||
CFLAGS to the empty string and appends the debug options
|
||||
(--enable-debugging) to the existing CFLAGS.
|
||||
|
||||
Proper use of the variables is described in the Automake documentation
|
||||
in the section "Flag Variables Ordering"
|
||||
https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
|
||||
|
||||
Although the Automake documentation claims manipulating CFLAGS
|
||||
directly is improper use there are many examples of this in the
|
||||
existing configure.ac, this patch makes no attempt at addressing this
|
||||
issue, rather it makes existing usage consistent. In the particular
|
||||
case of debug flags appending to CFLAGS is probably the only valid
|
||||
solution because the debug flags must appear at the end of the list of
|
||||
flags in order to override earlier flags, CFLAGS always appears last
|
||||
in the Makefile (see above Automake doc).
|
||||
|
||||
License: MIT
|
||||
|
||||
2016-04-26 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
do not call xmlSecKeyDuplicate is source key is NULL
|
||||
|
||||
2016-03-11 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
fix segfault when parsed node has no namespace (#47)
|
||||
This bug was introduced in commit 8d06806d, the check for a correct namespace on
|
||||
head node of parsed XML fragments does not handle the case where the node has no
|
||||
namespace. Using lasso_equal_namespace() fix this.
|
||||
|
||||
2016-03-07 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
check node names in lasso_node_impl_init_from_xml() (fixes #47)
|
||||
|
||||
tests: silence unused variable warning
|
||||
|
||||
2016-03-06 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
add docstring on SHA-2 signature method enum
|
||||
|
||||
remove DGME specific commented out code
|
||||
|
||||
add support for C14N 1.1 methods and C14N withComments methods (fixes #4863)
|
||||
|
||||
Choose the Reference transform based on the chosen Signature transform (fixes #10155)
|
||||
i.e. if the signature use SHA2 then use SHA2 of the same strength for digesting
|
||||
references.
|
||||
|
||||
2016-02-24 John Dennis <jdennis@redhat.com>
|
||||
|
||||
add inline implementation of lasso_log
|
||||
lasso_log is a private function of lasso and as such cannot be
|
||||
referenced by the loader.
|
||||
|
||||
This is equivalent to commit e0bda691 in the PHP binding which
|
||||
exhibited the same problem.
|
||||
|
||||
lasso_log is referenced in jobject_to_gobject() because of
|
||||
lasso_assign_gobject macro, which includes the lasso_release_gobject
|
||||
macro which invokes the message macro which expands to lasso_log.
|
||||
|
||||
License: MIT
|
||||
|
||||
2016-02-18 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
Release 2.5.1
|
||||
|
||||
fix warning about INCLUDES directive
|
||||
|
||||
2016-02-18 Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
|
||||
bindings/php5: fix enum getters and setters (fixes #10032)
|
||||
|
|
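Review bot: the 2018-07-24 entry ("Use python interpreter specified configure script") carries a truncated sentence, "compatible with both versions it can continue to use the" running straight into "compatible with both Py2 and Py3.", and its shebang examples are written "#/usr/bin/python" without the "!"; since the entries reproduce the original commit messages, decide whether this file is meant to stay verbatim or be hand-corrected, and if the latter also fix the spelling slips that carry through (appering, execpt, implicity, utiliity, implmentations, Therefire, accesors, and "is source key is NULL" in the 2016-04-26 entry). The title of that same 2018-07-24 entry also reads as if a word is missing between "specified" and "configure script".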
NEWS (13 lines changed)
@ -1,6 +1,19 @@
NEWS
====

2.8.0 - March 15th 2022
-----------------------

22 commits, 585 files changed, 2448 insertions, 69478 deletions

* Removal of all win32 and ID-WSF related source code obsoleted a long time ago
* Improve choice of signature method and of allowed signature method (by Jakub
* Hrozek <jhrozek@redhat.com>), it's now possible to completely forbid SHA1 for
example
* Change default RSA encryption padding to OAEP
* Fix: HMAC signature other than SHA1 (jhrozek@redhat.com)
* Fix: prevent multiple OneTimeUse elements

2.7.0 - June 1st 2021
----------------------
36 commits, 45 files changed, 1945 insertions, 177 deletions
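Review bot: in the added 2.8.0 section the line "* Hrozek <jhrozek@redhat.com>), it's now possible to completely forbid SHA1 for" starts with a "*", which splits the "Improve choice of signature method" item into two bullets mid-sentence; make it a continuation line like the "example" line that follows it, and consider a semicolon or full stop before "it's now possible". In the surrounding context lines, the 2.7.0 underline is one dash longer than its heading and that section lacks the blank line before the commit count that the new section has; worth aligning while the file is being touched.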
@ -187,7 +187,7 @@ dnl - interfaces removed -> AGE = 0
# m = a
# r = r
current=`expr $VERSION_MAJOR + $VERSION_MINOR`
LASSO_VERSION_INFO="16:1:13"
LASSO_VERSION_INFO="18:0:15"
AC_SUBST(LASSO_VERSION_INFO)

dnl Compute the minimal supported ABI version for Win32 scripts and resources files.
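Review bot: the libtool version-info moves from 16:1:13 to 18:0:15, advancing both current and age by 2 in one release, which the usual scheme only yields when two interface-adding steps are counted; the commit message should say why (for instance if a previous release shipped without a bump). Age is also kept non-zero although NEWS records the removal of all win32 and ID-WSF source code, so please state explicitly that no exported interface was removed, otherwise the "interfaces removed -> AGE = 0" rule quoted in the hunk context applies. Separately, the line current=`expr $VERSION_MAJOR + $VERSION_MINOR` just above computes a value that the hardcoded LASSO_VERSION_INFO string never uses; either derive the string from it or drop the dead assignment.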