authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-07-19 15:27:10 +0000
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-07-19 15:27:10 +0000
commite79fcf3beb92f15973946ef55d38ef53cc185dfd (patch)
treeff9cb8d79d7b1bb0eea68383bd26545fbe46e073
parent19372c88c1a7687d695cb66ba83d00eb8f25737b (diff)
[SAMLv2/SSO] when processing AuthnResponse with binding HTTP-Post only the assertion need to be signed
If the message is signed, the assertion is also covered; if only the assertion is signed, there is no error to report. If the caller asks to force validation of the message signature, then we report an error. This commit also adds a check on the binding used: if it is not HTTP-Post, lasso_login_process_authn_response_msg will now report an error.
-rw-r--r--lasso/saml-2.0/login.c33
1 files changed, 24 insertions, 9 deletions
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index c7c62c9e..4125ba27 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -58,7 +58,8 @@
static int lasso_saml20_login_process_federation(LassoLogin *login, gboolean is_consent_obtained);
static gboolean lasso_saml20_login_must_ask_for_consent_private(LassoLogin *login);
-static gint lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login);
+static gint lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login,
+ lasso_error_t *assertion_signature_status);
static char* lasso_saml20_login_get_assertion_consumer_service_url(LassoLogin *login,
LassoProvider *remote_provider);
static gboolean _lasso_login_must_verify_signature(LassoProfile *profile) G_GNUC_UNUSED;
@@ -1014,7 +1015,7 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg)
profile = LASSO_PROFILE(login);
rc1 = lasso_saml20_profile_process_soap_response(profile, msg);
- rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
+ rc2 = lasso_saml20_login_process_response_status_and_assertion(login, NULL);
if (rc1) {
return rc1;
@@ -1038,6 +1039,7 @@ lasso_saml20_login_process_authn_response_msg(LassoLogin *login, gchar *authn_re
LassoProfile *profile = NULL;
int rc1, rc2, message_signature_status;
LassoSamlp2Response *samlp2_response = NULL;
+ LassoHttpMethod response_method = LASSO_HTTP_METHOD_NONE;
lasso_null_param(authn_response_msg);
@@ -1045,11 +1047,17 @@ lasso_saml20_login_process_authn_response_msg(LassoLogin *login, gchar *authn_re
profile = LASSO_PROFILE(login);
samlp2_response = (LassoSamlp2Response*)lasso_samlp2_response_new();
rc1 = lasso_saml20_profile_process_any_response(profile,
- (LassoSamlp2StatusResponse*)samlp2_response, NULL,
+ (LassoSamlp2StatusResponse*)samlp2_response, &response_method,
authn_response_msg);
+ if (response_method != LASSO_HTTP_METHOD_POST) {
+ /* Only HTTP-Post binding is possible through this method */
+ return LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE;
+ }
+
message_signature_status = profile->signature_status;
- rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
+ rc2 = lasso_saml20_login_process_response_status_and_assertion(login,
+ NULL);
/** The more important signature errors */
lasso_release_gobject(samlp2_response);
if (rc1) {
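Review bot: The new early return on `response_method != LASSO_HTTP_METHOD_POST` exits before `lasso_release_gobject(samlp2_response);`, so the object created by `lasso_samlp2_response_new()` is not released on that path. It also runs before `rc1` is examined, so if `lasso_saml20_profile_process_any_response` fails without setting `response_method` (which would then still be `LASSO_HTTP_METHOD_NONE`), the earlier failure is reported to the caller as `LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE`. Put `lasso_release_gobject(samlp2_response);` ahead of the `return`, and consider returning `rc1` first when it is non-zero. The function body continues outside the hunk.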
@@ -1060,11 +1068,12 @@ lasso_saml20_login_process_authn_response_msg(LassoLogin *login, gchar *authn_re
}
switch (lasso_profile_get_signature_verify_hint(profile)) {
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
if (message_signature_status) {
return message_signature_status;
}
- if (profile->signature_status) {
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
+ if (response_method == LASSO_HTTP_METHOD_POST &&
+ profile->signature_status) {
return profile->signature_status;
}
break;
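Review bot: With `LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE` moved below the `message_signature_status` test, that path no longer looks at the message signature result, so a message signature that is present but fails verification is treated like an absent one whenever `profile->signature_status` ends up zero. If the status value can distinguish "not signed" from "signature invalid" (not visible in this hunk), the MAYBE case should probably still reject the latter. The `FORCE` case now falls through into `MAYBE` without a marker; add `/* fallthrough */` after the first `if` so the intent is explicit. The `response_method == LASSO_HTTP_METHOD_POST &&` test is always true here because of the early return added earlier in this function and can be dropped.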
@@ -1089,7 +1098,7 @@ lasso_saml20_login_process_response_msg(LassoLogin *login, gchar *response_msg)
if (LASSO_IS_SAMLP2_ARTIFACT_RESPONSE(login->parent.response)) {
return lasso_saml20_login_process_authn_request_msg(login, NULL);
} else {
- return lasso_saml20_login_process_response_status_and_assertion(login);
+ return lasso_saml20_login_process_response_status_and_assertion(login, NULL);
}
}
@@ -1222,7 +1231,7 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
}
static gint
-lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
+lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login, lasso_error_t *assertion_signature_status)
{
LassoSamlp2StatusResponse *response;
LassoSamlp2Response *samlp2_response = NULL;
@@ -1230,6 +1239,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
char *status_value;
int rc = 0, rc1 = 0, message_signature_status;
LassoProfileSignatureVerifyHint verify_hint;
+ lasso_error_t _assertion_signature_status = 0;
profile = &login->parent;
lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
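Review bot: `_assertion_signature_status` starts at 0 and is copied to the caller under `cleanup:` (last hunk) on every path, so any exit taken before the assertion check hands back 0 even though no assertion signature was verified; `lasso_extract_node_or_fail` just below presumably jumps to `cleanup` on failure. Non-zero is treated as an error for the other status values in this file, so a caller that trusts the out-parameter alone would read an unverified response as verified. Initialise it to a non-zero "not checked" error, or write the out-parameter only after the check has run. All callers in this commit pass `NULL`, so nothing consumes it yet; a comment on the parameter stating what 0 means would help the first real caller.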
@@ -1284,11 +1294,13 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
/* If signature has already been verified on the message, and assertion has the same
* issuer as the message, the assertion is covered. So no need to verify a second
* time */
+ _assertion_signature_status = lasso_saml20_login_check_assertion_signature(login,
+ assertion);
if (message_signature_status != 0
|| ! _lasso_check_assertion_issuer(assertion,
profile->remote_providerID)
|| verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
- rc2 = lasso_saml20_login_check_assertion_signature(login, assertion);
+ rc2 = _assertion_signature_status;
profile->signature_status = rc2;
}
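Review bot: The assertion signature is now verified unconditionally, which contradicts the comment directly above it ("So no need to verify a second time"); reword the comment to say the check always runs and only the assignment to `profile->signature_status` is conditional. `lasso_foreach_full_end()` in the last hunk suggests this code runs once per assertion; if so, `_assertion_signature_status` keeps only the last assertion's result, and a failure on an earlier assertion is overwritten by a later success. Store the per-assertion result in a local that feeds `rc2`, and fold it into `_assertion_signature_status` only while the latter is still 0. The enclosing loop starts outside the hunk.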
@@ -1322,6 +1334,9 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
lasso_foreach_full_end();
cleanup:
+ if (assertion_signature_status) {
+ *assertion_signature_status = _assertion_signature_status;
+ }
return rc;
}