Diffstat (limited to 'lasso/saml-2.0')
-rw-r--r-- | lasso/saml-2.0/login.c | 27 | ||||
-rw-r--r-- | lasso/saml-2.0/profile.c | 37 | ||||
-rw-r--r-- | lasso/saml-2.0/provider.c | 2 | ||||
-rw-r--r-- | lasso/saml-2.0/saml2_helper.c | 16 | ||||
-rw-r--r-- | lasso/saml-2.0/server.c | 4 |
5 files changed, 64 insertions, 22 deletions
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 3955b62c..acc9125a 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1160,16 +1160,16 @@ _lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provi
 static gint
 _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response)
 {
- xmlSecKey *encryption_private_key;
- GList *it;
+ GList *encryption_private_keys = NULL;
+ GList *it = NULL;
 gboolean at_least_one_decryption_failture = FALSE;
 gboolean at_least_one_malformed_element = FALSE;
 
 if (! samlp2_response->EncryptedAssertion)
 return 0; /* nothing to do */
 
- encryption_private_key = lasso_server_get_encryption_private_key(login->parent.server);
- if (! encryption_private_key) {
+ encryption_private_keys = lasso_server_get_encryption_private_keys(login->parent.server);
+ if (! encryption_private_keys) {
 message(G_LOG_LEVEL_WARNING, "Missing private encryption key, cannot decrypt assertions.");
 return LASSO_DS_ERROR_DECRYPTION_FAILED_MISSING_PRIVATE_KEY;
 }
@@ -1185,9 +1185,19 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
 continue;
 }
 encrypted_assertion = (LassoSaml2EncryptedElement*)it->data;
- rc1 = lasso_saml2_encrypted_element_decrypt(encrypted_assertion, encryption_private_key, (LassoNode**)&assertion);
-
- if (rc1) {
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ encryption_private_keys)
+ {
+ rc1 = lasso_saml2_encrypted_element_decrypt(encrypted_assertion, encryption_private_key, (LassoNode**)&assertion);
+ if (rc1 == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+ if (rc1 == LASSO_DS_ERROR_DECRYPTION_FAILED) {
+ message(G_LOG_LEVEL_WARNING, "Could not decrypt the EncryptedKey");
+ at_least_one_decryption_failture |= TRUE;
+ continue;
+ } else if (rc1) {
 message(G_LOG_LEVEL_WARNING, "Could not decrypt an assertion: %s", lasso_strerror(rc1));
 at_least_one_decryption_failture |= TRUE;
 continue;
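Review bot: The inner `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys)` names its iterator `it`, the same identifier as the function-level `GList *it` added in the first hunk, which presumably drives the enclosing loop over `EncryptedAssertion` (that loop header lies between the two hunks). Whether this is a harmless shadow or clobbers the outer cursor depends on whether the macro declares its own `GList *` or assigns to the existing variable; a distinct name such as `key_it` removes the doubt and the `-Wshadow` warning either way. A second point: when every key fails, `rc1` holds only the last key's error, so the warning on the following lines can hide an earlier, different failure; a comment like `/* rc1 is the result of the last key tried */` above the `if (rc1 == LASSO_DS_ERROR_DECRYPTION_FAILED)` test would make that explicit. `_lasso_saml20_login_decrypt_assertion` continues past the hunk.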
@@ -1429,6 +1439,7 @@ lasso_saml20_login_build_authn_response_msg(LassoLogin *login)
 lasso_check_good_rc(lasso_saml20_profile_build_response_msg(profile, NULL, http_method, url));
 
 cleanup:
+ lasso_release_string(url);
 return rc;
 }
 
@@ -1486,7 +1497,7 @@ lasso_saml20_login_init_idp_initiated_authn_request(LassoLogin *login,
 return LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND;
 
 lasso_assign_string(profile->remote_providerID, remote_providerID);
- lasso_assign_gobject(profile->request, lasso_samlp2_authn_request_new());
+ lasso_assign_new_gobject(profile->request, lasso_samlp2_authn_request_new());
 lasso_assign_new_gobject(LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy,
 lasso_samlp2_name_id_policy_new());
 lasso_assign_new_gobject(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer,
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 7921e04a..97b5ac69 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
@@ -506,10 +506,23 @@ lasso_saml20_profile_set_session_from_dump_decrypt(
 assertion->Subject->EncryptedID->original_data);
 lasso_release_gobject(assertion->Subject->EncryptedID);
 } else { /* decrypt */
- int rc = 0;
- rc = lasso_saml2_encrypted_element_decrypt(assertion->Subject->EncryptedID,
- lasso_server_get_encryption_private_key(profile->server),
- (LassoNode**) &assertion->Subject->NameID);
+ int rc;
+ GList *encryption_private_keys =
+ lasso_server_get_encryption_private_keys(profile->server);
+
+ rc = LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ encryption_private_keys);
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(
+ assertion->Subject->EncryptedID,
+ encryption_private_key,
+ (LassoNode**)&assertion->Subject->NameID);
+ if (rc == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+
 if (rc == 0) {
 lasso_release_gobject(assertion->Subject->EncryptedID);
 } else {
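Review bot: `lasso_release_string(url);` under `cleanup:` now runs on every error path of `lasso_saml20_login_build_authn_response_msg`, including the `lasso_check_good_rc` failures above it, so `url` must be initialised to NULL at its declaration and must be an owned copy rather than a pointer borrowed from provider metadata; otherwise an early exit frees memory it does not own or never set. The declaration and the place `url` is obtained are outside the hunk, so this needs confirming there. A short comment at the label, `/* url is owned by this function; released on every path */`, would document the contract the new line relies on.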
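Review bot: The trailing `;` in `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys);` is inconsistent with the same macro's use in login.c and saml2_helper.c, which have no semicolon; the third profile.c hunk (`lasso_saml20_profile_process_name_identifier_decryption`) has the same `;`. If the macro expands to a bare `for (...)` header, the `;` becomes the loop body and the braced block then runs once, after the loop, with whatever `encryption_private_key` is still in scope, which would quietly break multi-key decryption; if the macro opens its own brace the `;` is only an empty statement. Either way it should be removed in both places: `lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys)`. Presetting `rc` to `LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY` before the loop correctly covers an empty key list.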
@@ -560,7 +573,6 @@ lasso_saml20_profile_process_name_identifier_decryption(LassoProfile *profile,
 LassoSaml2NameID **name_id,
 LassoSaml2EncryptedElement **encrypted_id)
 {
- xmlSecKey *encryption_private_key = NULL;
 int rc = 0;
 
 lasso_bad_param(PROFILE, profile);
@@ -568,15 +580,20 @@ lasso_saml20_profile_process_name_identifier_decryption(LassoProfile *profile,
 lasso_null_param(encrypted_id);
 
 if (*name_id == NULL && *encrypted_id != NULL) {
- encryption_private_key = profile->server->private_data->encryption_private_key;
 if (! LASSO_IS_SAML2_ENCRYPTED_ELEMENT(*encrypted_id)) {
 return LASSO_PROFILE_ERROR_MISSING_NAME_IDENTIFIER;
 }
- if (encrypted_id != NULL && encryption_private_key == NULL) {
- return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ rc = LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+ lasso_server_get_encryption_private_keys(profile->server));
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(*encrypted_id, encryption_private_key,
+ &profile->nameIdentifier);
+ if (rc == 0)
+ break;
 }
- rc = lasso_saml2_encrypted_element_decrypt(*encrypted_id, encryption_private_key,
- &profile->nameIdentifier);
+ lasso_foreach_full_end();
+ if (rc) goto cleanup;
 if (! LASSO_IS_SAML2_NAME_ID(profile->nameIdentifier)) {
diff --git a/lasso/saml-2.0/provider.c b/lasso/saml-2.0/provider.c
index 747ca2e5..66293c3f 100644
--- a/lasso/saml-2.0/provider.c
+++ b/lasso/saml-2.0/provider.c
@@ -287,7 +287,6 @@ load_endpoint_type(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole
 } else {
 name = g_strdup_printf("%s %s", xmlnode->name, binding_s);
 }
- lasso_release_xml_string(binding);
 
 /* Response endpoint ? */
 response_value = getSaml2MdProp(xmlnode, LASSO_SAML2_METADATA_ATTRIBUTE_RESPONSE_LOCATION);
@@ -301,6 +300,7 @@ load_endpoint_type(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole
 _lasso_provider_add_metadata_value_for_role(provider, role, name, (char*)value);
 
 cleanup:
+ lasso_release_xml_string(binding);
 lasso_release_xml_string(value);
 lasso_release_xml_string(response_value);
 lasso_release_string(name);
diff --git a/lasso/saml-2.0/saml2_helper.c b/lasso/saml-2.0/saml2_helper.c
index 3d835962..4151a7b4 100644
--- a/lasso/saml-2.0/saml2_helper.c
+++ b/lasso/saml-2.0/saml2_helper.c
@@ -776,8 +776,22 @@ int
 lasso_saml2_encrypted_element_server_decrypt(LassoSaml2EncryptedElement* encrypted_element, LassoServer *server, LassoNode** decrypted_node)
 {
 lasso_bad_param(SERVER, server);
+ int rc = 0;
+ GList *encryption_private_keys;
 
- return lasso_saml2_encrypted_element_decrypt(encrypted_element, lasso_server_get_encryption_private_key(server), decrypted_node);
+ encryption_private_keys = lasso_server_get_encryption_private_keys(server);
+ if (! encryption_private_keys) {
+ return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ }
+ lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys)
+ {
+ rc = lasso_saml2_encrypted_element_decrypt(encrypted_element,
+ encryption_private_key, decrypted_node);
+ if (rc == 0)
+ break;
+ }
+ lasso_foreach_full_end();
+ return rc;
 }
 
 /**
diff --git a/lasso/saml-2.0/server.c b/lasso/saml-2.0/server.c
index f2dc8879..cac2d89b 100644
--- a/lasso/saml-2.0/server.c
+++ b/lasso/saml-2.0/server.c
@@ -139,7 +139,7 @@ lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole
 
 provider = lasso_provider_new_from_xmlnode(role, entity);
 if (provider) {
- char *name = g_strdup(provider->ProviderID);
+ char *name = provider->ProviderID;
 if (g_list_find_custom(blacklisted_entity_ids, name,
 (GCompareFunc) g_strcmp0)) {
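Review bot: Moving `lasso_release_xml_string(binding);` under `cleanup:` means every `goto cleanup` taken before `binding` is assigned now releases it, so `binding` must be initialised to NULL at its declaration the way `value`, `response_value` and `name` evidently are; the declaration and the earlier exits of `load_endpoint_type` are outside both provider.c hunks, so this needs checking there. The move itself is right, since the previous hunk shows `binding_s` still being used in the `g_strdup_printf` after the old release point. A one-line comment at the label, `/* binding must stay valid until here: binding_s points into it */`, would stop the release from being moved back.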
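Review bot: `lasso_saml2_encrypted_element_server_decrypt` reports a server with no encryption key as `LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY`, while `_lasso_saml20_login_decrypt_assertion` in login.c reports the same condition as `LASSO_DS_ERROR_DECRYPTION_FAILED_MISSING_PRIVATE_KEY`; a caller that tests for one code will miss the other, so the two sites should agree on one. When several keys are configured and all fail, the function returns only the last key's error; the Doxygen comment above `int` (outside the hunk) should state that every configured private key is tried in order and that the result of the last attempt is returned. `int rc = 0;` and `GList *encryption_private_keys;` are declared after the `lasso_bad_param` statement, which is valid C99 but differs from the block-top declarations used in the other hunks of this commit; `GList *encryption_private_keys = lasso_server_get_encryption_private_keys(server);` placed before `lasso_bad_param` would avoid that and the separate assignment.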
@@ -153,7 +153,7 @@ lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole
 l->next->data = g_strdup(name);
 *loaded_end = l->next;
 }
- g_hash_table_insert(server->providers, name, provider);
+ g_hash_table_insert(server->providers, g_strdup(name), provider);
 return 0;
 } else {
 return LASSO_SERVER_ERROR_NO_PROVIDER_LOADED;
|
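Review bot: With `char *name = provider->ProviderID;` in the previous hunk, `name` is now a pointer borrowed from `provider`, so nothing on the blacklisted path between the two hunks may touch `name` after `provider` is released or unreferenced there; that path is outside both hunks and needs checking. `g_hash_table_insert(server->providers, g_strdup(name), provider)` keeps the table owning its own key copy, which only stays leak-free if `server->providers` was created with a key destroy function, as the old code already assumed. A comment on the declaration, `/* borrowed from provider; the hash table gets its own copy below */`, would record the ownership change.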