[SAMLv2/SSO] when processing AuthnResponse with binding HTTP-Post only the assertion need to be signed

If the message is signed, the assertion is also covered, but if only the
assertion is signed, there is no error to report. If the caller asks to
force validation of the message signature, then we report an error.

This commit also adds a check on the binding used: if it is not
HTTP-Post, lasso_login_process_authn_response_msg will now report an
error.
Benjamin Dauvergne 2010-07-19 15:27:10 +00:00
parent 19372c88c1
commit e79fcf3beb
1 changed files with 24 additions and 9 deletions


@ -58,7 +58,8 @@
static int lasso_saml20_login_process_federation(LassoLogin *login, gboolean is_consent_obtained);
static gboolean lasso_saml20_login_must_ask_for_consent_private(LassoLogin *login);
static gint lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login);
static gint lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login,
lasso_error_t *assertion_signature_status);
static char* lasso_saml20_login_get_assertion_consumer_service_url(LassoLogin *login,
LassoProvider *remote_provider);
static gboolean _lasso_login_must_verify_signature(LassoProfile *profile) G_GNUC_UNUSED;
@ -1014,7 +1015,7 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg)
profile = LASSO_PROFILE(login);
rc1 = lasso_saml20_profile_process_soap_response(profile, msg);
rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
rc2 = lasso_saml20_login_process_response_status_and_assertion(login, NULL);
if (rc1) {
return rc1;
@ -1038,6 +1039,7 @@ lasso_saml20_login_process_authn_response_msg(LassoLogin *login, gchar *authn_re
LassoProfile *profile = NULL;
int rc1, rc2, message_signature_status;
LassoSamlp2Response *samlp2_response = NULL;
LassoHttpMethod response_method = LASSO_HTTP_METHOD_NONE;
lasso_null_param(authn_response_msg);
@ -1045,11 +1047,17 @@ lasso_saml20_login_process_authn_response_msg(LassoLogin *login, gchar *authn_re
profile = LASSO_PROFILE(login);
samlp2_response = (LassoSamlp2Response*)lasso_samlp2_response_new();
rc1 = lasso_saml20_profile_process_any_response(profile,
(LassoSamlp2StatusResponse*)samlp2_response, NULL,
(LassoSamlp2StatusResponse*)samlp2_response, &response_method,
authn_response_msg);
if (response_method != LASSO_HTTP_METHOD_POST) {
/* Only HTTP-Post binding is possible through this method */
return LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE;
}
message_signature_status = profile->signature_status;
rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
rc2 = lasso_saml20_login_process_response_status_and_assertion(login,
NULL);
/** The more important signature errors */
lasso_release_gobject(samlp2_response);
if (rc1) {
@ -1060,11 +1068,12 @@ lasso_saml20_login_process_authn_response_msg(LassoLogin *login, gchar *authn_re
}
switch (lasso_profile_get_signature_verify_hint(profile)) {
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
if (message_signature_status) {
return message_signature_status;
}
if (profile->signature_status) {
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
if (response_method == LASSO_HTTP_METHOD_POST &&
profile->signature_status) {
return profile->signature_status;
}
break;
@ -1089,7 +1098,7 @@ lasso_saml20_login_process_response_msg(LassoLogin *login, gchar *response_msg)
if (LASSO_IS_SAMLP2_ARTIFACT_RESPONSE(login->parent.response)) {
return lasso_saml20_login_process_authn_request_msg(login, NULL);
} else {
return lasso_saml20_login_process_response_status_and_assertion(login);
return lasso_saml20_login_process_response_status_and_assertion(login, NULL);
}
}
@ -1222,7 +1231,7 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
}
static gint
lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login, lasso_error_t *assertion_signature_status)
{
LassoSamlp2StatusResponse *response;
LassoSamlp2Response *samlp2_response = NULL;
@ -1230,6 +1239,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
char *status_value;
int rc = 0, rc1 = 0, message_signature_status;
LassoProfileSignatureVerifyHint verify_hint;
lasso_error_t _assertion_signature_status = 0;
profile = &login->parent;
lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
@ -1284,11 +1294,13 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
/* If signature has already been verified on the message, and assertion has the same
* issuer as the message, the assertion is covered. So no need to verify a second
* time */
_assertion_signature_status = lasso_saml20_login_check_assertion_signature(login,
assertion);
if (message_signature_status != 0
|| ! _lasso_check_assertion_issuer(assertion,
profile->remote_providerID)
|| verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
rc2 = lasso_saml20_login_check_assertion_signature(login, assertion);
rc2 = _assertion_signature_status;
profile->signature_status = rc2;
}
@ -1322,6 +1334,9 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
lasso_foreach_full_end();
cleanup:
if (assertion_signature_status) {
*assertion_signature_status = _assertion_signature_status;
}
return rc;
}
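Review bot: In lasso_saml20_login_process_authn_response_msg the MAYBE case no longer consults message_signature_status, so as far as these hunks show, a response whose message-level signature is present but fails verification is accepted exactly like an unsigned one whenever the assertion signature verifies. If the status codes distinguish an absent signature from an invalid one (not visible here), MAYBE should tolerate only the absent case, for example `if (message_signature_status && message_signature_status != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) return message_signature_status;`. The fall-through from the FORCE case into MAYBE also deserves a `/* fall through */` comment so it is not read as a missing break. Separately, the new binding check returns before `lasso_release_gobject(samlp2_response);` runs and before rc1 is examined, which leaks the response object and may report a parse failure as LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE; release the object before that return and test rc1 ahead of the method. The new assertion_signature_status out-parameter is passed NULL by every caller shown, so it is currently unused.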