diff options
| author | Frederic Peters <fpeters@entrouvert.com> | 2004-12-14 13:50:46 +0000 |
|---|---|---|
| committer | Frederic Peters <fpeters@entrouvert.com> | 2004-12-14 13:50:46 +0000 |
| commit | 45f00e1aa4002dcdfd8b45948b3ab099c1193f7a (patch) | |
| tree | 9e52957e92f899c7a77f0338d576ce2cb8bdec16 | |
| parent | c13df5834335830c9aca6f65f972890fdfbceeaf (diff) | |
| download | lasso-45f00e1aa4002dcdfd8b45948b3ab099c1193f7a.tar.gz lasso-45f00e1aa4002dcdfd8b45948b3ab099c1193f7a.tar.xz lasso-45f00e1aa4002dcdfd8b45948b3ab099c1193f7a.zip | |
properly check signature on soap samlp:Request (login/artifact)
| -rw-r--r-- | lasso/id-ff/login.c | 44 | ||||
| -rw-r--r-- | lasso/id-ff/login.h | 3 | ||||
| -rw-r--r-- | lasso/id-ff/provider.c | 3 |
3 files changed, 50 insertions, 0 deletions
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c index c4196ee6..c5686666 100644 --- a/lasso/id-ff/login.c +++ b/lasso/id-ff/login.c @@ -31,6 +31,12 @@ #include <lasso/id-ff/login.h> #include <lasso/id-ff/provider.h> + +struct _LassoLoginPrivate +{ + char *soap_request_msg; +}; + /*****************************************************************************/ /* static methods/functions */ /*****************************************************************************/ @@ -815,6 +821,12 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID) LASSO_PROFILE(login)->remote_providerID = g_strdup(remote_providerID); remote_provider = g_hash_table_lookup(LASSO_PROFILE(login)->server->providers, LASSO_PROFILE(login)->remote_providerID); + ret = lasso_provider_verify_signature(remote_provider, + login->private_data->soap_request_msg, + "RequestID", LASSO_MESSAGE_FORMAT_SOAP); + g_free(login->private_data->soap_request_msg); + login->private_data->soap_request_msg = NULL; + /* changed status code into RequestDenied if signature is invalid or not found if an error occurs during verification */ @@ -1229,6 +1241,11 @@ lasso_login_process_request_msg(LassoLogin *login, gchar *request_msg) login->assertionArtifact = g_strdup( LASSO_SAMLP_REQUEST(profile->request)->AssertionArtifact); + /* Keep a copy of request msg so signature can be verified when we get + * the providerId in lasso_login_build_response_msg() + */ + login->private_data->soap_request_msg = g_strdup(request_msg); + return ret; } @@ -1308,6 +1325,27 @@ init_from_xml(LassoNode *node, xmlNode *xmlnode) return 0; } + +/*****************************************************************************/ +/* overridden parent class methods */ +/*****************************************************************************/ + +static void +dispose(GObject *object) +{ + LassoLogin *login = LASSO_LOGIN(object); + g_free(login->private_data->soap_request_msg); + G_OBJECT_CLASS(parent_class)->dispose(object); +} + +static void +finalize(GObject *object) +{ + LassoLogin *login = LASSO_LOGIN(object); + g_free(login->private_data); + G_OBJECT_CLASS(parent_class)->finalize(object); +} + /*****************************************************************************/ /* instance and class init functions */ /*****************************************************************************/ @@ -1315,6 +1353,9 @@ init_from_xml(LassoNode *node, xmlNode *xmlnode) static void instance_init(LassoLogin *login) { + login->private_data = g_new(LassoLoginPrivate, 1); + login->private_data->soap_request_msg = NULL; + login->protocolProfile = 0; login->assertionArtifact = NULL; login->nameIDPolicy = NULL; @@ -1332,6 +1373,9 @@ class_init(LassoLoginClass *klass) nclass->node_data = g_new0(LassoNodeClassData, 1); lasso_node_class_set_nodename(nclass, "Login"); lasso_node_class_add_snippets(nclass, schema_snippets); + + G_OBJECT_CLASS(klass)->dispose = dispose; + G_OBJECT_CLASS(klass)->finalize = finalize; } GType diff --git a/lasso/id-ff/login.h b/lasso/id-ff/login.h index 18e3c77b..3cab7cee 100644 --- a/lasso/id-ff/login.h +++ b/lasso/id-ff/login.h @@ -49,6 +49,7 @@ extern "C" { typedef struct _LassoLogin LassoLogin; typedef struct _LassoLoginClass LassoLoginClass; +typedef struct _LassoLoginPrivate LassoLoginPrivate; typedef enum { LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART = 1, @@ -64,6 +65,8 @@ struct _LassoLogin { /*< private >*/ gchar *nameIDPolicy; lassoHttpMethod http_method; + + LassoLoginPrivate *private_data; }; struct _LassoLoginClass { diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c index 8e4e99a7..8daf4654 100644 --- a/lasso/id-ff/provider.c +++ b/lasso/id-ff/provider.c @@ -518,6 +518,9 @@ int lasso_provider_verify_signature(LassoProvider *provider, msg = (char*)message; + if (message == NULL) + return -2; + if (format == LASSO_MESSAGE_FORMAT_ERROR) return -2; if (format == LASSO_MESSAGE_FORMAT_UNKNOWN) |