From e2611e16d655cf49d2e4a996eb284c86e4d49ffd Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Tue, 5 Oct 2010 16:22:46 +0200 Subject: [docs] update copyright years --- docs/reference/lasso/lasso-docs.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/lasso/lasso-docs.sgml b/docs/reference/lasso/lasso-docs.sgml index 009813c6..e92d447e 100644 --- a/docs/reference/lasso/lasso-docs.sgml +++ b/docs/reference/lasso/lasso-docs.sgml @@ -21,7 +21,7 @@ - 2004, 2005, 2006, 2007, 2008, 2009 + 2004, 2005, 2006, 2007, 2008, 2009, 2010 Entr'ouvert -- cgit From 3d1d90ee315301ae258efbb66f009bf681d4a4dd Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Wed, 6 Oct 2010 10:37:07 +0200 Subject: [Core] change isdefault type in EndpointType structure As integer we can represent the three value of isdefault: - true - false - attribute absent --- lasso/id-ff/providerprivate.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lasso/id-ff/providerprivate.h b/lasso/id-ff/providerprivate.h index 66b9ad08..1adce734 100644 --- a/lasso/id-ff/providerprivate.h +++ b/lasso/id-ff/providerprivate.h @@ -49,7 +49,7 @@ struct EndpointType_s { char *url; char *return_url; int index; - gboolean is_default; + int is_default; }; typedef struct EndpointType_s EndpointType; -- cgit From 06c2ec9d61a7a06608942b464ba13702cfb4d08b Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Tue, 5 Oct 2010 19:34:40 +0200 Subject: [SAMLv2] fix ordering of endpoints Ordering by binding is wrong, first order by isDefault (as stated in saml-metadata-2.0.pdf) then by index. --- lasso/saml-2.0/provider.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/lasso/saml-2.0/provider.c b/lasso/saml-2.0/provider.c index bc9e70f1..15cf2a81 100644 --- a/lasso/saml-2.0/provider.c +++ b/lasso/saml-2.0/provider.c 
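Review bot: The field changed from `gboolean` to `int` now carries three states, but nothing in providerprivate.h says which integers mean what; the encoding is only given by the commit message and by a comment in load_endpoint_type2() in lasso/saml-2.0/provider.c (next commit on this page), so a reader of EndpointType_s will keep treating the field as a boolean. Suggest documenting it on the field itself: `int is_default; /* -1: isDefault="true", 0: attribute absent or invalid, +1: isDefault="false"; compared before index in compare_endpoint_type() */`. The struct's opening line lies before the hunk.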
@@ -145,7 +145,7 @@ load_endpoint_type2(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole xmlChar *isDefault = getSaml2MdProp(xmlnode, LASSO_SAML2_METADATA_ATTRIBUTE_ISDEFAULT); gboolean indexed_endpoint = FALSE; int idx = *counter++; - gboolean is_default = FALSE; + int is_default = 0; EndpointType *endpoint_type; if (! binding || ! location) { @@ -158,7 +158,18 @@ load_endpoint_type2(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole warning("Invalid AssertionConsumerService, no index set"); goto cleanup; } - is_default = xsdIsTrue(isDefault); + /* isDefault is 0 if invalid or not present + * -1 if true (comes first) + * +1 if false (comes last) + */ + if (isDefault) { + if (xsdIsTrue(isDefault)) { + is_default = -1; + } + if (xsdIsFalse(isDefault)) { + is_default = 1; + } + } } endpoint_type = g_new0(EndpointType, 1); endpoint_type->kind = g_strdup((char*)xmlnode->name); @@ -182,6 +193,13 @@ static gint compare_endpoint_type(const EndpointType *a, const EndpointType *b) { int c; + /* order the sequence of endpoints: + * - first by role, + * - then by profile, + * - then by isDefault attribute (truth first, then absent, then false) + * - then by index + * - then by binding + */ if (a->role < b->role) return -1; if (a->role > b->role) @@ -189,12 +207,9 @@ compare_endpoint_type(const EndpointType *a, const EndpointType *b) { c = g_strcmp0(a->kind,b->kind); if (c != 0) return c; - c = g_strcmp0(a->binding,b->binding); - if (c != 0) - return c; - if (a->is_default && ! b->is_default) + if (a->is_default < b->is_default) return -1; - if (! a->is_default && b->is_default) + if (a->is_default > b->is_default) return +1; if (a->index < b->index) return -1; -- cgit From 6be8d9cfa82f4b8b9b4f5ac8d764f87ef0a9a895 Mon Sep 17 00:00:00 2001 
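Review bot: The new header comment on compare_endpoint_type() ends with "then by binding", but this hunk removes the only binding comparison it shows (the `g_strcmp0(a->binding,b->binding)` that used to precede the is_default test) and the function's tail, where a remaining comparison would have to sit, is outside the hunk; either a binding comparison survives after the index test or that comment line should be dropped — please confirm. The -1/0/+1 encoding of is_default is explained in load_endpoint_type2() but appears as bare literals in both functions; named constants (an enum such as ENDPOINT_DEFAULT_TRUE = -1, ENDPOINT_DEFAULT_UNSET = 0, ENDPOINT_DEFAULT_FALSE = 1) would let compare_endpoint_type() be read without the other function's comment. If this ordering is what later selects the default AssertionConsumerService for a request that names none (not visible here), a test with endpoints that differ only in isDefault would pin the "true, then absent, then false" rule. load_endpoint_type2() starts and ends outside the hunk.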
From: Benjamin Dauvergne Date: Tue, 5 Oct 2010 19:30:17 +0200 Subject: [SAMLv2&ID-FFv1.2] improve documentation of lasso_login_process_authn_request_msg --- lasso/id-ff/login.c | 120 ++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 108 insertions(+), 12 deletions(-) diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c index 85deb368..20973941 100644 --- a/lasso/id-ff/login.c +++ b/lasso/id-ff/login.c @@ -307,8 +307,6 @@ static void lasso_login_build_assertion_artifact(LassoLogin *login); * * * #LASSO_PROFILE_ERROR_MISSING_RESPONSE if no response object is present ( it is normally initialized - * - * * by lasso_login_process_authn_request_msg() ) * * @@ -876,17 +874,11 @@ lasso_login_build_assertion_artifact(LassoLogin *login) * * * LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID if no remote provider ID was setup in the login - * - * * profile object, it's usually done by lasso_login_process_authn_request_msg, * * * LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD if the HTTP method is neither LASSO_HTTP_METHOD_REDIRECT - * - * * or LASSO_HTTP_METHOD_POST (ID-FF 1.2 case) or neither LASSO_HTTP_METHOD_ARTIFACT_GET or - * - * * LASSO_HTTP_METHOD_ARTIFACT_POST (SAML 2.0 case) for SAML 2.0), * * @@ -897,8 +889,6 @@ lasso_login_build_assertion_artifact(LassoLogin *login) * * * LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the remote provider is not known to our server object - * - * * which impeach us to find a service endpoint, * * 
@@ -1602,18 +1592,44 @@ lasso_login_init_authn_request(LassoLogin *login, const gchar *remote_providerID * binding. You must set the @response_http_method argument according to the way you received the * artifact message. * - * Return value: 0 on success; or a + * Return value: 0 on success; or + * + * + * * LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is not a #LassoLogin object, + * + * + * + * * LASSO_PARAM_ERROR_INVALID_VALUE if @response_msg is NULL, + * + * + * + * * LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD if the HTTP method is neither LASSO_HTTP_METHOD_REDIRECT * or LASSO_HTTP_METHOD_POST (in the ID-FF 1.2 case) or neither LASSO_HTTP_METHOD_ARTIFACT_GET or * LASSO_HTTP_METHOD_ARTIFACT_POST (in the SAML 2.0 case), + * + * + * + * * LASSO_PROFILE_ERROR_MISSING_ARTIFACT if no artifact field was found in the query string (only * possible for the LASSO_HTTP_METHOD_REDIRECT case), + * + * + * + * * LASSO_PROFILE_ERROR_INVALID_ARTIFACT if decoding of the artifact failed -- whether because * the base64 encoding is invalid or because the type code is wrong --, + * + * + * + * * LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID if no provider ID could be found corresponding to * the hash contained in the artifact. + * + * + * * **/ gint 
@@ -1896,7 +1912,87 @@ lasso_login_must_authenticate(LassoLogin *login) * Processes received authentication request, checks it is signed correctly, * checks if requested protocol profile is supported, etc. * - * Return value: 0 on success; or a negative value otherwise. + * Return value: 0 on success; or + * + * + * + * #LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is no a #LassoLogin object, + * + * + * + * + * #LASSO_PROFILE_ERROR_MISSING_REQUEST if @authn_request_msg is #NULL and no request as actually + * been processed or initialized — see lasso_login_init_idp_initiated_authn_request(), + * + * + * + * + * + * #LASSO_PROFILE_ERROR_INVALID_MSG if the content of @authn_request_msg cannot be parsed to as a + * valid lib:AuthnRequest messages for any support binding (mainly HTTP-Redirect, HTTP-Post and + * SOAP), + * + * + * + * + * + * #LASSO_PROFILE_ERROR_MISSING_ISSUER if the parsed samlp2:AuthnRequest does not have a proper Issuer element, + * + * + * + * + * + * #LASSO_PROFILE_ERROR_INVALID_REQUEST if the parsed message does not validate as a valid + * samlp2:AuthnRequest (SAMLv2) i.e. 
if there is no Issuer, or mutually exclusive attributes are + * used (ProtocolBinding and AssertionConsumerServiceIndex), + * + * + * + * + * + * #LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE if the protocolProfile (ID-FFv1.2) or the + * protocolBinding (SAMLv2) is unsupported by Lasso, + * + * + * + * + * + * #LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE if the protocolProfile (ID-FFv1.2) or the protocolBinding + * (SAMLv2) for the AssertionConsumer is unsupported by this provider implementation as indicated by + * its metadata file, + * + * + * + * + * + * #LASSO_PROFILE_ERROR_UNKNOWN_PROVIDER, or + * #LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the metadata for the issuer of the request are absent + * from the #LassoServer object of this profile, + * + * + * + * + * + * #LASSO_DS_ERROR_SIGNATURE_NOT_FOUND if no signature could be found and signature validation is + * forced — by the service provider metadata with the AuthnRequestsSigned attribute + * (ID-FFv1.2&SAMLv2), the attribute WantAuthnRequestsSigned in the identity provider metadata file + * (SAMLv2) or as advised by the lasso_profile_set_signature_verify_hint() method), + * + * + * + * + * + * #LASSO_DS_ERROR_SIGNATURE_VERIFICATION_FAILED if the signature validation failed on a present + * signature, + * + * + * + * + * #LASSO_DS_ERROR_INVALID_SIGNATURE if the signature was malformed and a signature was present, + * + * + * + * **/ gint lasso_login_process_authn_request_msg(LassoLogin *login, const char *authn_request_msg) -- cgit From 7a27400a87380e3f4262a71946ffc5d17c464c2d Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Wed, 6 Oct 2010 10:38:43 +0200 Subject: [SAMLv2] adopt same behaviour as ID-FFv1.2 for invalid AuthnRequest --- lasso/saml-2.0/login.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c index aa892315..a75e4cc0 100644 --- a/lasso/saml-2.0/login.c +++ b/lasso/saml-2.0/login.c 
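Review bot: Several of the new return-value entries in the lasso_login_process_authn_request_msg() doc comment carry typos that will go into the generated reference: `login is no a #LassoLogin object` should read `login is not a #LassoLogin object`, `no request as actually been processed` should read `no request has actually been processed`, and `cannot be parsed to as a valid lib:AuthnRequest messages for any support binding` should read `cannot be parsed as a valid lib:AuthnRequest message for any supported binding`. The #LASSO_PROFILE_ERROR_INVALID_REQUEST entry also repeats the missing-Issuer case already listed under #LASSO_PROFILE_ERROR_MISSING_ISSUER just above it; stating which of the two the missing-Issuer case actually yields would remove the ambiguity. The same kind of wording issue is present in the smaller doc hunks on this file earlier on the page.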
@@ -288,7 +288,7 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth lasso_check_good_rc(lasso_saml20_profile_process_any_request(profile, request, authn_request_msg)); } if (! LASSO_IS_SAMLP2_AUTHN_REQUEST(request)) { - return critical_error(LASSO_PROFILE_ERROR_MISSING_REQUEST); + return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG); } authn_request = LASSO_SAMLP2_AUTHN_REQUEST(request); /* intialize the response */ -- cgit From 58a3868361ba63d51d5c0f802d3b7d2a9a8ae376 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Wed, 6 Oct 2010 10:39:18 +0200 Subject: [ID-FFv1.2] make lasso_login_process_authn_request_msg() return LASSO_PROFILE_ERROR_INVALID_MSG if received request is not a lib:AuthnRequest --- lasso/id-ff/login.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c index 20973941..2cb6cf30 100644 --- a/lasso/id-ff/login.c +++ b/lasso/id-ff/login.c @@ -2030,7 +2030,11 @@ lasso_login_process_authn_request_msg(LassoLogin *login, const char *authn_reque return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG); } - lasso_assign_new_gobject(profile->request, LASSO_NODE(request)); + lasso_assign_new_gobject(profile->request, request); + if (! LASSO_IS_LIB_AUTHN_REQUEST(profile->request)) { + lasso_release_gobject(profile->request); + return LASSO_PROFILE_ERROR_INVALID_MSG; + } /* get remote ProviderID */ lasso_assign_string(profile->remote_providerID, -- cgit From 5d56e4558eba80b6cffb79797fe124ad90199632 Mon Sep 17 00:00:00 2001 
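Review bot: The early return for a message that is not a samlp2:AuthnRequest leaves `request` untouched, whereas the ID-FF counterpart in the next commit on this page releases profile->request before returning LASSO_PROFILE_ERROR_INVALID_MSG; if lasso_saml20_profile_process_any_request() hands back a reference this function owns rather than storing it in profile->request (not visible in the hunk), this path leaks it. The two profiles also report the same condition differently — critical_error() here, a bare return code there; since a wrongly typed message is input from a remote peer rather than an internal failure, the plain return seems the better fit for both if critical_error() implies a higher log level (cannot tell from here). The enclosing function starts and ends outside the hunk.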
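Review bot: The new type check returns a bare `LASSO_PROFILE_ERROR_INVALID_MSG`, while the parse failure just above it (context line `return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);`) and the SAMLv2 counterpart in the previous commit on this page go through critical_error(); the same condition should be reported the same way in both profiles. Testing the type before handing the object to profile->request would also avoid the assign-then-release sequence: `if (! LASSO_IS_LIB_AUTHN_REQUEST(request)) { lasso_release_gobject(request); return LASSO_PROFILE_ERROR_INVALID_MSG; }` ahead of the existing assignment — assuming lasso_assign_new_gobject() takes over the reference passed to it, which the hunk does not show. Dropping the `LASSO_NODE(request)` cast is only safe if the macro accepts whatever type `request` is declared with; that declaration is outside the hunk. lasso_login_process_authn_request_msg() continues on both sides of the hunk.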
From: Benjamin Dauvergne Date: Wed, 6 Oct 2010 10:40:14 +0200 Subject: [ID-FFv1.2] in lasso_login_process_authn_request_msg() adopt simpler behaviour for checking signatures There are two sources of advice for signature checking: the AuthnRequestsSigned attribute in service provider metadata files and the value of lasso_profile_get_signature_verify_hint(). If lasso_profile_get_signature_verify_hint() forbids checking the signature, we do not check. If the SP advises checking the signature, we check. If lasso_profile_get_signature_verify_hint() forces checking the signature, we do not check. In all other cases we only check if a signature is present, i.e. we ignore the error LASSO_DS_ERROR_SIGNATURE_NOT_FOUND. --- lasso/id-ff/login.c | 42 ++++++++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c index 2cb6cf30..b605aff5 100644 --- a/lasso/id-ff/login.c +++ b/lasso/id-ff/login.c 
@@ -2072,28 +2072,38 @@ lasso_login_process_authn_request_msg(LassoLogin *login, const char *authn_reque /* Check authnRequest signature. */ if (authn_request_msg != NULL) { + LassoProfileSignatureVerifyHint sig_verify_hint; + + sig_verify_hint = lasso_profile_get_signature_verify_hint(profile); remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID); - if (remote_provider != NULL) { - /* Is authnRequest signed ? */ - authnRequestSigned = lasso_provider_get_metadata_one( - remote_provider, "AuthnRequestsSigned"); - if (authnRequestSigned != NULL) { - must_verify_signature = strcmp(authnRequestSigned, "true") == 0; - lasso_release_string(authnRequestSigned); - } else { - /* missing element in metadata; shouldn't - * happen, assume true */ - must_verify_signature = TRUE; - } - } else { + if (remote_provider == NULL) { return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND); } - - /* verify request signature */ + /* Is authnRequest signed ? */ + must_verify_signature = TRUE; + authnRequestSigned = lasso_provider_get_metadata_one( + remote_provider, "AuthnRequestsSigned"); + if (authnRequestSigned != NULL) { + must_verify_signature = strcmp(authnRequestSigned, "true") == 0; + lasso_release_string(authnRequestSigned); + } + if (sig_verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) { + must_verify_signature = TRUE; + } + if (sig_verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE) { + must_verify_signature = FALSE; + } + /* reset the signature_status, and if signature validation was not really needed + * just choke on the presence of an invalid signature, if no signature just goes on + * */ + profile->signature_status = 0; if (must_verify_signature) { ret = lasso_provider_verify_signature(remote_provider, authn_request_msg, "RequestID", format); - profile->signature_status = ret; + if (profile == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE && ret != + LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { + profile->signature_status = 
ret; + } } } -- cgit From 21d61b5ba6a44e5de788afbe5fb910b68ccd0414 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Wed, 6 Oct 2010 17:02:18 +0200 Subject: [configure.ac] increment version and libtool version info --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 59c0a1f9..1ccb4146 100644 --- a/configure.ac +++ b/configure.ac @@ -15,7 +15,7 @@ dnl - Second number is the number of supported API versions where API version > dnl first number. dnl - Third number is the current API version implementation version number. dnl See libtool explanations about current, age and release, later in this file. -AC_INIT([lasso], 2.3.3, lasso-devel@lists.labs.libre-entreprise.org) +AC_INIT([lasso], 2.3.4, lasso-devel@lists.labs.libre-entreprise.org) dnl Check if autoconf ver > 2.53 AC_PREREQ(2.53) AC_CONFIG_MACRO_DIR([m4]) @@ -184,7 +184,7 @@ dnl - interfaces removed -> AGE = 0 # m = a # r = r current=`expr $VERSION_MAJOR + $VERSION_MINOR` -LASSO_VERSION_INFO="12:1:9" +LASSO_VERSION_INFO="12:2:9" AC_SUBST(LASSO_VERSION_INFO) dnl Compute the minimal supported ABI version for Win32 scripts and resources files. -- cgit