Diffstat (limited to 'lasso/saml-2.0')
-rw-r--r--lasso/saml-2.0/login.c27
-rw-r--r--lasso/saml-2.0/profile.c37
-rw-r--r--lasso/saml-2.0/provider.c2
-rw-r--r--lasso/saml-2.0/saml2_helper.c16
-rw-r--r--lasso/saml-2.0/server.c4
5 files changed, 64 insertions, 22 deletions
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 3955b62c..acc9125a 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1160,16 +1160,16 @@ _lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provi
static gint
_lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response)
{
- xmlSecKey *encryption_private_key;
- GList *it;
+ GList *encryption_private_keys = NULL;
+ GList *it = NULL;
gboolean at_least_one_decryption_failture = FALSE;
gboolean at_least_one_malformed_element = FALSE;
if (! samlp2_response->EncryptedAssertion)
return 0; /* nothing to do */
- encryption_private_key = lasso_server_get_encryption_private_key(login->parent.server);
- if (! encryption_private_key) {
+ encryption_private_keys = lasso_server_get_encryption_private_keys(login->parent.server);
+ if (! encryption_private_keys) {
message(G_LOG_LEVEL_WARNING, "Missing private encryption key, cannot decrypt assertions.");
return LASSO_DS_ERROR_DECRYPTION_FAILED_MISSING_PRIVATE_KEY;
}
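Review bot: The GList returned by `lasso_server_get_encryption_private_keys()` at the new `encryption_private_keys = ...` line is never released in this hunk, and the function body continues past it, so whether this leaks depends on whether the getter hands back a borrowed list or a freshly built one — that is not visible here. If it is borrowed (which replacing the single-key getter one-for-one suggests), a comment on that line, `/* borrowed from the server; do not free */`, would spare the next reader the same question; if it is allocated, it must be freed on every exit path of the function. The warning text is still singular ("Missing private encryption key"), which is acceptable, though `"No private encryption key configured"` would better describe the multi-key case.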
@@ -1185,9 +1185,19 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
continue;
}
encrypted_assertion = (LassoSaml2EncryptedElement*)it->data;
- rc1 = lasso_saml2_encrypted_element_decrypt(encrypted_assertion, encryption_private_key, (LassoNode**)&assertion);
-
- if (rc1) {
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ encryption_private_keys)
+ {
+ rc1 = lasso_saml2_encrypted_element_decrypt(encrypted_assertion, encryption_private_key, (LassoNode**)&assertion);
+ if (rc1 == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+ if (rc1 == LASSO_DS_ERROR_DECRYPTION_FAILED) {
+ message(G_LOG_LEVEL_WARNING, "Could not decrypt the EncryptedKey");
+ at_least_one_decryption_failture |= TRUE;
+ continue;
+ } else if (rc1) {
message(G_LOG_LEVEL_WARNING, "Could not decrypt an assertion: %s", lasso_strerror(rc1));
at_least_one_decryption_failture |= TRUE;
continue;
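Review bot: The inner `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys)` uses `it` as its iterator while `it` is also the outer loop's iterator (`it->data` is dereferenced a few lines above). If the macro declares its own `GList *it` this is shadowing that `-Wshadow` will flag; if it reuses the variable, the outer loop's position is overwritten with a node of the key list and the `continue`s below walk the wrong list. A distinct name, `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, key_it, encryption_private_keys)`, removes the ambiguity either way. Note also that after the loop `rc1` holds only the last key's result, so the `LASSO_DS_ERROR_DECRYPTION_FAILED` branch reports the last key's failure even if an earlier key failed differently; that is reasonable but deserves a one-line comment. The enclosing loop and function continue outside the hunk.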
@@ -1429,6 +1439,7 @@ lasso_saml20_login_build_authn_response_msg(LassoLogin *login)
lasso_check_good_rc(lasso_saml20_profile_build_response_msg(profile, NULL, http_method, url));
cleanup:
+ lasso_release_string(url);
return rc;
}
@@ -1486,7 +1497,7 @@ lasso_saml20_login_init_idp_initiated_authn_request(LassoLogin *login,
return LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND;
lasso_assign_string(profile->remote_providerID, remote_providerID);
- lasso_assign_gobject(profile->request, lasso_samlp2_authn_request_new());
+ lasso_assign_new_gobject(profile->request, lasso_samlp2_authn_request_new());
lasso_assign_new_gobject(LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy,
lasso_samlp2_name_id_policy_new());
lasso_assign_new_gobject(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer,
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 7921e04a..97b5ac69 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
@@ -506,10 +506,23 @@ lasso_saml20_profile_set_session_from_dump_decrypt(
assertion->Subject->EncryptedID->original_data);
lasso_release_gobject(assertion->Subject->EncryptedID);
} else { /* decrypt */
- int rc = 0;
- rc = lasso_saml2_encrypted_element_decrypt(assertion->Subject->EncryptedID,
- lasso_server_get_encryption_private_key(profile->server),
- (LassoNode**) &assertion->Subject->NameID);
+ int rc;
+ GList *encryption_private_keys =
+ lasso_server_get_encryption_private_keys(profile->server);
+
+ rc = LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ encryption_private_keys);
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(
+ assertion->Subject->EncryptedID,
+ encryption_private_key,
+ (LassoNode**)&assertion->Subject->NameID);
+ if (rc == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+
if (rc == 0) {
lasso_release_gobject(assertion->Subject->EncryptedID);
} else {
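Review bot: `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys);` carries a trailing semicolon that the same macro is used without in the login.c and saml2_helper.c hunks of this commit; it is harmless only because the macro's expansion leaves a block open in which an empty statement is legal, and it reads like a typo. Drop the semicolon to match the other call sites. As in the other hunks, the list from `lasso_server_get_encryption_private_keys()` is not released here, so this is correct only if the getter returns a borrowed list — a comment saying so on the declaration would help. The enclosing function and the `else` branch continue outside the hunk.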
@@ -560,7 +573,6 @@ lasso_saml20_profile_process_name_identifier_decryption(LassoProfile *profile,
LassoSaml2NameID **name_id,
LassoSaml2EncryptedElement **encrypted_id)
{
- xmlSecKey *encryption_private_key = NULL;
int rc = 0;
lasso_bad_param(PROFILE, profile);
@@ -568,15 +580,20 @@ lasso_saml20_profile_process_name_identifier_decryption(LassoProfile *profile,
lasso_null_param(encrypted_id);
if (*name_id == NULL && *encrypted_id != NULL) {
- encryption_private_key = profile->server->private_data->encryption_private_key;
if (! LASSO_IS_SAML2_ENCRYPTED_ELEMENT(*encrypted_id)) {
return LASSO_PROFILE_ERROR_MISSING_NAME_IDENTIFIER;
}
- if (encrypted_id != NULL && encryption_private_key == NULL) {
- return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ rc = LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ lasso_server_get_encryption_private_keys(profile->server));
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(*encrypted_id, encryption_private_key,
+ &profile->nameIdentifier);
+ if (rc == 0)
+ break;
}
- rc = lasso_saml2_encrypted_element_decrypt(*encrypted_id, encryption_private_key,
- &profile->nameIdentifier);
+ lasso_foreach_full_end();
+
if (rc)
goto cleanup;
if (! LASSO_IS_SAML2_NAME_ID(profile->nameIdentifier)) {
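Review bot: At `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, lasso_server_get_encryption_private_keys(profile->server));` the list argument is a function call passed straight into the macro, unlike the other two sites in this commit which store it in a local first; if the macro ever evaluates its list argument more than once this becomes repeated calls, and as written a reader has to open the macro to know. Declaring `GList *encryption_private_keys = lasso_server_get_encryption_private_keys(profile->server);` with the other locals and iterating that matches the other hunks and also lets you drop the stray trailing semicolon after the macro. The function body continues past the hunk.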
diff --git a/lasso/saml-2.0/provider.c b/lasso/saml-2.0/provider.c
index 747ca2e5..66293c3f 100644
--- a/lasso/saml-2.0/provider.c
+++ b/lasso/saml-2.0/provider.c
@@ -287,7 +287,6 @@ load_endpoint_type(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole
} else {
name = g_strdup_printf("%s %s", xmlnode->name, binding_s);
}
- lasso_release_xml_string(binding);
/* Response endpoint ? */
response_value = getSaml2MdProp(xmlnode, LASSO_SAML2_METADATA_ATTRIBUTE_RESPONSE_LOCATION);
@@ -301,6 +300,7 @@ load_endpoint_type(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole
_lasso_provider_add_metadata_value_for_role(provider, role, name, (char*)value);
cleanup:
+ lasso_release_xml_string(binding);
lasso_release_xml_string(value);
lasso_release_xml_string(response_value);
lasso_release_string(name);
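Review bot: Moving `lasso_release_xml_string(binding);` under `cleanup:` means it now runs on every `goto cleanup`, including any taken before `binding` is assigned; that is only safe if `binding` is initialised to NULL at its declaration, which is outside this hunk — please confirm. If it is, the move closes the leak on the early-exit paths that the old in-line release missed. `load_endpoint_type` starts and ends outside the hunk.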
diff --git a/lasso/saml-2.0/saml2_helper.c b/lasso/saml-2.0/saml2_helper.c
index 3d835962..4151a7b4 100644
--- a/lasso/saml-2.0/saml2_helper.c
+++ b/lasso/saml-2.0/saml2_helper.c
@@ -776,8 +776,22 @@ int
lasso_saml2_encrypted_element_server_decrypt(LassoSaml2EncryptedElement* encrypted_element, LassoServer *server, LassoNode** decrypted_node)
{
lasso_bad_param(SERVER, server);
+ int rc = 0;
+ GList *encryption_private_keys;
- return lasso_saml2_encrypted_element_decrypt(encrypted_element, lasso_server_get_encryption_private_key(server), decrypted_node);
+ encryption_private_keys = lasso_server_get_encryption_private_keys(server);
+ if (! encryption_private_keys) {
+ return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ }
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys)
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(encrypted_element,
+ encryption_private_key, decrypted_node);
+ if (rc == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+ return rc;
}
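Review bot: The declarations `int rc = 0;` and `GList *encryption_private_keys;` are placed after the `lasso_bad_param(SERVER, server);` statement; if that macro expands to an `if (...) return ...;`, this is a declaration-after-statement that the rest of this file avoids and that `-Wdeclaration-after-statement` rejects — move both declarations above it. Separately, the no-key case now returns `LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY`, whereas the same condition in `_lasso_saml20_login_decrypt_assertion` in this commit returns `LASSO_DS_ERROR_DECRYPTION_FAILED_MISSING_PRIVATE_KEY`; before this change the function handed a NULL key to `lasso_saml2_encrypted_element_decrypt` and returned whatever that produced, so callers comparing against the old code may see a different value. A short comment, `/* no key configured: report it here rather than letting decrypt() fail on a NULL key */`, would document the intent and make the code choice deliberate.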
/**
diff --git a/lasso/saml-2.0/server.c b/lasso/saml-2.0/server.c
index f2dc8879..cac2d89b 100644
--- a/lasso/saml-2.0/server.c
+++ b/lasso/saml-2.0/server.c
@@ -139,7 +139,7 @@ lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole
provider = lasso_provider_new_from_xmlnode(role, entity);
if (provider) {
- char *name = g_strdup(provider->ProviderID);
+ char *name = provider->ProviderID;
if (g_list_find_custom(blacklisted_entity_ids, name,
(GCompareFunc) g_strcmp0)) {
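Review bot: `char *name = provider->ProviderID;` turns `name` from an owned copy into a pointer borrowed from `provider`, but the blacklisted branch that follows the `g_list_find_custom(...)` test lies between the two hunks and is not visible. Any `g_free(name)` that was correct for the old `g_strdup` copy would now free `provider->ProviderID` out from under the provider, and `name` must not be used after `provider` is unreffed or dropped on that path — please check that branch. The `g_strdup(name)` on the hash-table insert in the second hunk is consistent with this ownership change, so the hidden branch is the only thing left to verify.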
@@ -153,7 +153,7 @@ lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole
l->next->data = g_strdup(name);
*loaded_end = l->next;
}
- g_hash_table_insert(server->providers, name, provider);
+ g_hash_table_insert(server->providers, g_strdup(name), provider);
return 0;
} else {
return LASSO_SERVER_ERROR_NO_PROVIDER_LOADED;