diff options
author | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2010-09-10 15:33:50 +0200 |
---|---|---|
committer | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2010-09-10 15:37:41 +0200 |
commit | 280ee2820294b408ca654eb156bdeb09c265e79a (patch) | |
tree | 97e9df38f53a37664a874d8ac35b53eb72fdd43e /lasso | |
parent | d7c56d7c20cd958ebf907e870917b9004c6611d0 (diff) | |
download | lasso-280ee2820294b408ca654eb156bdeb09c265e79a.tar.gz lasso-280ee2820294b408ca654eb156bdeb09c265e79a.tar.xz lasso-280ee2820294b408ca654eb156bdeb09c265e79a.zip |
[SAMLv2 NID management] report signature error in response, do not check response signature if forbidden
- build_response_msg will report signature error in response status
code when called without an initialized response (without a call to
validate_request)
- process_response_msg now use
lasso_saml20_profile_check_signature_status to check the signature
status only if permitted.
Diffstat (limited to 'lasso')
-rw-r--r-- | lasso/saml-2.0/name_id_management.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/lasso/saml-2.0/name_id_management.c b/lasso/saml-2.0/name_id_management.c index b10b914d..a495f2d2 100644 --- a/lasso/saml-2.0/name_id_management.c +++ b/lasso/saml-2.0/name_id_management.c @@ -289,6 +289,7 @@ lasso_name_id_management_build_response_msg(LassoNameIdManagement *name_id_manag { LassoProfile *profile = NULL; LassoSamlp2StatusResponse *response; + int rc = 0; lasso_bad_param(NAME_ID_MANAGEMENT, name_id_management); profile = &name_id_management->parent; @@ -296,13 +297,22 @@ lasso_name_id_management_build_response_msg(LassoNameIdManagement *name_id_manag /* no response set here means request denied */ if (! LASSO_IS_SAMLP2_STATUS_RESPONSE(profile->response)) { response = (LassoSamlp2StatusResponse*)lasso_samlp2_manage_name_id_response_new(); - lasso_saml20_profile_init_response(profile, response, LASSO_SAML2_STATUS_CODE_RESPONDER, - LASSO_SAML2_STATUS_CODE_REQUEST_DENIED); + if (lasso_saml20_profile_check_signature_status(profile)) { + lasso_check_good_rc(lasso_saml20_profile_init_response(profile, response, + LASSO_SAML2_STATUS_CODE_REQUESTER, + LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE)); + } else { + lasso_check_good_rc(lasso_saml20_profile_init_response(profile, response, + LASSO_SAML2_STATUS_CODE_RESPONDER, + LASSO_SAML2_STATUS_CODE_REQUEST_DENIED)); + } lasso_release_gobject(response); } /* use the same binding as for the request */ - return lasso_saml20_profile_build_response_msg(profile, "ManageNameIDService", profile->http_request_method, NULL); + rc = lasso_saml20_profile_build_response_msg(profile, "ManageNameIDService", profile->http_request_method, NULL); +cleanup: + return rc; } @@ -334,7 +344,7 @@ lasso_name_id_management_process_response_msg( lasso_check_good_rc(lasso_saml20_profile_process_any_response(profile, response, NULL, response_msg)); /* Stop here if signature validation failed. */ - goto_cleanup_if_fail_with_rc(profile->signature_status == 0, profile->signature_status); + lasso_check_good_rc(lasso_saml20_profile_check_signature_status(profile)); if (LASSO_SAMLP2_MANAGE_NAME_ID_REQUEST(profile->request)->Terminate) { lasso_identity_remove_federation(profile->identity, profile->remote_providerID); |