authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-12-14 12:10:47 +0100
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-12-14 12:10:47 +0100
commit4391f1ffb91e59545c6c324068e22fb7a5da7d27 (patch)
treea5d4db6166bfec9e472252e969e0316b52cd46ff /lasso
parent4f5e6c60007c85f8fdca2a05544151300c522d74 (diff)
[saml2] make LASSO_SIGNATURE_VERIFY_HINT_FORCE as least as stringent as _MAYBE when checking signature on messages
Diffstat (limited to 'lasso')
-rw-r--r--lasso/saml-2.0/profile.c32
1 files changed, 23 insertions, 9 deletions
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 41af2fd0..ff1b67a3 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
@@ -1040,12 +1040,19 @@ lasso_saml20_profile_validate_request(LassoProfile *profile, gboolean needs_iden
lasso_saml20_profile_init_response(profile, status_response,
LASSO_SAML2_STATUS_CODE_SUCCESS, NULL);
- if (lasso_profile_get_signature_verify_hint(profile) == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE &&
- profile->signature_status) {
- lasso_saml20_profile_set_response_status(profile,
- LASSO_SAML2_STATUS_CODE_REQUESTER,
- LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE);
- return profile->signature_status;
+ switch (lasso_profile_get_signature_verify_hint(profile)) {
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
+ if (profile->signature_status) {
+ lasso_saml20_profile_set_response_status(profile,
+ LASSO_SAML2_STATUS_CODE_REQUESTER,
+ LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE);
+ return profile->signature_status;
+ }
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
+ break;
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST:
+ g_assert_not_reached();
}
cleanup:
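Review bot: The new switch fails open for any hint it does not enumerate: a value outside the listed cases, or `_LAST` in a build where `g_assert_not_reached()` is compiled out via `G_DISABLE_ASSERT`, leaves the switch without consulting `profile->signature_status`. Since the check guards acceptance of a request, treating "ignore" as the only exemption is safer: `if (lasso_profile_get_signature_verify_hint(profile) != LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE && profile->signature_status) {` with the existing body. If the switch is kept, the drop from the `if` block into `case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:` should carry a `/* fall through */` comment, so a statement added there later is not silently shared with the verifying cases. The second hunk uses the same switch and has the same two problems. The enclosing function starts and ends outside this hunk.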
@@ -1412,9 +1419,16 @@ cleanup:
if (rc) {
return rc;
}
- if ((signature_verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) &&
- profile->signature_status) {
- return LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
+ switch (lasso_profile_get_signature_verify_hint(profile)) {
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
+ if (profile->signature_status) {
+ return LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
+ }
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
+ break;
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST:
+ g_assert_not_reached();
}
if (missing_issuer) {
return LASSO_PROFILE_ERROR_MISSING_ISSUER;
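Review bot: The switch here re-reads the hint with `lasso_profile_get_signature_verify_hint(profile)`, whereas the condition it replaces tested the local `signature_verify_hint`. The part of the function that assigns that local is outside this hunk. If it is still used there to decide how the signature is verified, `switch (signature_verify_hint) {` would keep this rejection tied to the same value; otherwise the local may now be unused and can be dropped. A one-line comment above the switch, such as `/* a non-zero signature_status is only tolerated when the hint is IGNORE */`, would document the intended policy for later readers.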