Blame SOURCES/0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch

0f20f5
From 642182bdf49c9c93a86b093ad7335c8a7a5ae8cc Mon Sep 17 00:00:00 2001
0f20f5
From: John Dennis <jdennis@redhat.com>
0f20f5
Date: Wed, 9 Jan 2019 17:23:09 -0500
0f20f5
Subject: [PATCH] Fix ECP signature not found error when only assertion is
0f20f5
 signed (#26828)
0f20f5
0f20f5
With a SAML Authn Response either the message or the assertion
0f20f5
contained in the response message or both can be signed. Most IdP's
0f20f5
sign the message. This fixes a bug when processing an ECP authn
0f20f5
response when only the assertion is signed.
0f20f5
0f20f5
lasso_saml20_profile_process_soap_response_with_headers() performs a
0f20f5
signature check on the SAML message. A signature can also appear on
0f20f5
the assertion which is checked by
0f20f5
lasso_saml20_login_process_response_status_and_assertion() The problem
0f20f5
occurred when the message was not signed and
0f20f5
lasso_saml20_profile_process_soap_response_with_headers() returned
0f20f5
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
0f20f5
actually an error because we haven't checked the signature on the
0f20f5
assertion yet. We were returning the first
0f20f5
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
0f20f5
signature check in
0f20f5
lasso_saml20_login_process_response_status_and_assertion() succeeded.
0f20f5
0f20f5
The ECP unit tests were enhanced to cover these cases.
0f20f5
0f20f5
The enhanced unit test revealed a problem in two switch statements
0f20f5
operating on the return value of
0f20f5
lasso_profile_get_signature_verify_hint() which were missing a case
0f20f5
statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused
0f20f5
an abort due to an unknown enumeration value.
0f20f5
0f20f5
Fixes Bug: 26828
0f20f5
License: MIT
0f20f5
Signed-off-by: John Dennis <jdennis@redhat.com>
0f20f5
---
0f20f5
 lasso/saml-2.0/login.c    | 29 ++++++++----
0f20f5
 lasso/saml-2.0/profile.c  |  2 +
0f20f5
 tests/login_tests_saml2.c | 97 +++++++++++++++++++++++++++++----------
0f20f5
 3 files changed, 95 insertions(+), 33 deletions(-)
0f20f5
0f20f5
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
0f20f5
index 028ffb31..91ff302d 100644
0f20f5
--- a/lasso/saml-2.0/login.c
0f20f5
+++ b/lasso/saml-2.0/login.c
0f20f5
@@ -1107,18 +1107,31 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg)
0f20f5
 {
0f20f5
 	LassoSoapHeader *header = NULL;
0f20f5
 	LassoProfile *profile;
0f20f5
-	int rc1, rc2;
0f20f5
+	int rc;
0f20f5
 
0f20f5
 	lasso_null_param(msg);
0f20f5
 
0f20f5
 	profile = LASSO_PROFILE(login);
0f20f5
 
0f20f5
-	rc1 = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header);
0f20f5
+        /*
0f20f5
+         * lasso_saml20_profile_process_soap_response_with_headers()
0f20f5
+         * performs a signature check on the SAML message. A signature
0f20f5
+         * can also appear on the assertion which is checked by
0f20f5
+         * lasso_saml20_login_process_response_status_and_assertion()
0f20f5
+         * (below). Therefore if the error is SIGNATURE_NOT_FOUND we
0f20f5
+         * proceed because
0f20f5
+         * lasso_saml20_login_process_response_status_and_assertion()
0f20f5
+         * will test the signature on the assertion.
0f20f5
+         */
0f20f5
+	rc = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header);
0f20f5
+        if (rc != 0 && rc != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
0f20f5
+            return rc;
0f20f5
+        }
0f20f5
 
0f20f5
 	/*
0f20f5
 	 * If the SOAP message contained a header check for the optional
0f20f5
-     * paos:Response and ecp:RelayState elements, if they exist extract their
0f20f5
-     * values into the profile.
0f20f5
+	 * paos:Response and ecp:RelayState elements, if they exist extract their
0f20f5
+	 * values into the profile.
0f20f5
 	 */
0f20f5
 	if (header) {
0f20f5
 		GList *i = NULL;
0f20f5
@@ -1142,12 +1155,8 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg)
0f20f5
 		lasso_release_gobject(header);
0f20f5
 	}
0f20f5
 
0f20f5
-	rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
0f20f5
-	if (rc1) {
0f20f5
-		return rc1;
0f20f5
-	}
0f20f5
-	return rc2;
0f20f5
-
0f20f5
+	rc = lasso_saml20_login_process_response_status_and_assertion(login);
0f20f5
+	return rc;
0f20f5
 }
0f20f5
 
0f20f5
 /**
0f20f5
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
0f20f5
index 8171e79e..22a4e08c 100644
0f20f5
--- a/lasso/saml-2.0/profile.c
0f20f5
+++ b/lasso/saml-2.0/profile.c
0f20f5
@@ -398,6 +398,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char
0f20f5
 
0f20f5
 	switch (lasso_profile_get_signature_verify_hint(profile)) {
0f20f5
 		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
0f20f5
+		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
0f20f5
 			rc = profile->signature_status;
0f20f5
 			break;
0f20f5
 		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
0f20f5
@@ -1559,6 +1560,7 @@ lasso_saml20_profile_process_soap_response_with_headers(LassoProfile *profile,
0f20f5
 			remote_provider, response_msg, "ID", LASSO_MESSAGE_FORMAT_SOAP);
0f20f5
 	switch (lasso_profile_get_signature_verify_hint(profile)) {
0f20f5
 		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
0f20f5
+		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
0f20f5
 			rc = profile->signature_status;
0f20f5
 			break;
0f20f5
 		case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
0f20f5
diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
0f20f5
index 54c7fb63..e331c07a 100644
0f20f5
--- a/tests/login_tests_saml2.c
0f20f5
+++ b/tests/login_tests_saml2.c
0f20f5
@@ -1090,42 +1090,42 @@ START_TEST(test08_test_authnrequest_flags)
0f20f5
 	make_context(sp_context, "sp5-saml2", "", LASSO_PROVIDER_ROLE_IDP, "idp5-saml2", "")
0f20f5
 
0f20f5
 	block_lasso_logs;
0f20f5
-	sso_initiated_by_sp2(idp_context, sp_context, 
0f20f5
-			(SsoSettings) { 
0f20f5
+	sso_initiated_by_sp2(idp_context, sp_context,
0f20f5
+			(SsoSettings) {
0f20f5
 				.use_assertion_consumer_service_idx = 1,
0f20f5
 				.assertion_consumer_service_idx = 0,
0f20f5
 				.stop_after_build_assertion = 1,
0f20f5
 			});
0f20f5
-	sso_initiated_by_sp2(idp_context, sp_context, 
0f20f5
-			(SsoSettings) { 
0f20f5
+	sso_initiated_by_sp2(idp_context, sp_context,
0f20f5
+			(SsoSettings) {
0f20f5
 				.assertion_consumer_service_url = "http://sp5/singleSignOnPost",
0f20f5
 				.stop_after_build_assertion = 1,
0f20f5
 			});
0f20f5
-	sso_initiated_by_sp2(idp_context, sp_context, 
0f20f5
-			(SsoSettings) { 
0f20f5
+	sso_initiated_by_sp2(idp_context, sp_context,
0f20f5
+			(SsoSettings) {
0f20f5
 				.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
0f20f5
 				.stop_after_build_assertion = 1,
0f20f5
 			});
0f20f5
-	sso_initiated_by_sp2(idp_context, sp_context, 
0f20f5
-			(SsoSettings) { 
0f20f5
+	sso_initiated_by_sp2(idp_context, sp_context,
0f20f5
+			(SsoSettings) {
0f20f5
 				.assertion_consumer_service_url = "http://sp5/singleSignOnPost",
0f20f5
 				.protocol_binding = LASSO_SAML2_METADATA_BINDING_POST,
0f20f5
 				.stop_after_build_assertion = 1,
0f20f5
 			});
0f20f5
-	sso_initiated_by_sp2(idp_context, sp_context, 
0f20f5
-			(SsoSettings) { 
0f20f5
+	sso_initiated_by_sp2(idp_context, sp_context,
0f20f5
+			(SsoSettings) {
0f20f5
 				.assertion_consumer_service_url = "http://sp5/singleSignOnArtifact",
0f20f5
 				.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
0f20f5
 				.stop_after_build_assertion = 1,
0f20f5
 			});
0f20f5
-	sso_initiated_by_sp2(idp_context, sp_context, 
0f20f5
-			(SsoSettings) { 
0f20f5
+	sso_initiated_by_sp2(idp_context, sp_context,
0f20f5
+			(SsoSettings) {
0f20f5
 				.assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact",
0f20f5
 				.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
0f20f5
 				.stop_after_build_assertion = 1,
0f20f5
 			});
0f20f5
-	sso_initiated_by_sp2(idp_context, sp_context, 
0f20f5
-			(SsoSettings) { 
0f20f5
+	sso_initiated_by_sp2(idp_context, sp_context,
0f20f5
+			(SsoSettings) {
0f20f5
 				.assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact",
0f20f5
 				.protocol_binding = LASSO_SAML2_METADATA_BINDING_POST,
0f20f5
 				.stop_after_build_assertion = 1,
0f20f5
@@ -1278,7 +1278,9 @@ static void validate_idp_list(LassoEcp *ecp, EcpIdpListVariant ecpIDPListVariant
0f20f5
 	check_str_equals((char*)g_list_nth(ecp->known_idp_entity_ids_supporting_ecp, 0)->data, "http://idp5/metadata");
0f20f5
 }
0f20f5
 
0f20f5
-void test_ecp(EcpIdpListVariant ecpIDPListVariant)
0f20f5
+void test_ecp(EcpIdpListVariant ecpIDPListVariant,
0f20f5
+              LassoProfileSignatureHint signature_hint,
0f20f5
+              LassoProfileSignatureVerifyHint signature_verify_hint)
0f20f5
 {
0f20f5
 	char *serviceProviderContextDump = NULL, *identityProviderContextDump = NULL;
0f20f5
 	LassoServer *spContext = NULL, *ecpContext=NULL, *idpContext = NULL;
0f20f5
@@ -1286,7 +1288,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
0f20f5
 	LassoEcp *ecp = NULL;
0f20f5
 	LassoSamlp2AuthnRequest *request = NULL;
0f20f5
 	gboolean is_passive = FALSE;
0f20f5
-    char *provider_name = NULL;
0f20f5
+	char *provider_name = NULL;
0f20f5
 	char *relayState = NULL;
0f20f5
 	char *messageID = NULL;
0f20f5
 	char *extracted_messageID = NULL;
0f20f5
@@ -1296,7 +1298,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
0f20f5
 	char *ecpPaosResponseMsg = NULL;
0f20f5
 	char *spLoginDump = NULL;
0f20f5
 	LassoSaml2Assertion *assertion;
0f20f5
-    LassoSamlp2IDPList *idp_list = NULL;
0f20f5
+	LassoSamlp2IDPList *idp_list = NULL;
0f20f5
 
0f20f5
 	/*
0f20f5
 	 * SAML2 Profile for ECP (Section 4.2) defines these steps for an ECP
0f20f5
@@ -1322,6 +1324,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
0f20f5
 	spContext = lasso_server_new_from_dump(serviceProviderContextDump);
0f20f5
 	spLoginContext = lasso_login_new(spContext);
0f20f5
 	check_not_null(spLoginContext);
0f20f5
+	lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint);
0f20f5
+	lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint);
0f20f5
 
0f20f5
 	check_good_rc(lasso_login_init_authn_request(spLoginContext, "http://idp5/metadata",
0f20f5
 												 LASSO_HTTP_METHOD_PAOS));
0f20f5
@@ -1419,6 +1423,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
0f20f5
 	idpContext = lasso_server_new_from_dump(identityProviderContextDump);
0f20f5
 	idpLoginContext = lasso_login_new(idpContext);
0f20f5
 	check_not_null(idpLoginContext);
0f20f5
+	lasso_profile_set_signature_hint(LASSO_PROFILE(idpLoginContext), signature_hint);
0f20f5
+	lasso_profile_set_signature_verify_hint(LASSO_PROFILE(idpLoginContext), signature_verify_hint);
0f20f5
 
0f20f5
 	/* Parse the ecpSoapRequestMsg */
0f20f5
 	check_good_rc(lasso_login_process_authn_request_msg(idpLoginContext, ecpSoapRequestMsg));
0f20f5
@@ -1465,7 +1471,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
0f20f5
 	check_str_equals(ecp->relaystate, relayState);
0f20f5
 	check_str_equals(ecp->issuer->content, "http://sp5/metadata");
0f20f5
 	check_str_equals(ecp->provider_name, provider_name);
0f20f5
-    check_equals(ecp->is_passive, is_passive);
0f20f5
+	check_equals(ecp->is_passive, is_passive);
0f20f5
 
0f20f5
 	/* Validate ECP IdP list info */
0f20f5
 	validate_idp_list(ecp, ecpIDPListVariant, idp_list);
0f20f5
@@ -1480,6 +1486,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
0f20f5
 	spContext = lasso_server_new_from_dump(serviceProviderContextDump);
0f20f5
 	spLoginContext = lasso_login_new(spContext);
0f20f5
 	check_not_null(spLoginContext);
0f20f5
+	lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint);
0f20f5
+	lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint);
0f20f5
 
0f20f5
 	/* Parse the ecpPaosResponseMsg */
0f20f5
 	check_good_rc(lasso_login_process_paos_response_msg(spLoginContext, ecpPaosResponseMsg));
0f20f5
@@ -1515,19 +1523,61 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
0f20f5
 
0f20f5
 START_TEST(test09_ecp)
0f20f5
 {
0f20f5
-	test_ecp(ECP_IDP_LIST_NONE);
0f20f5
+	test_ecp(ECP_IDP_LIST_NONE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
0f20f5
 }
0f20f5
 END_TEST
0f20f5
 
0f20f5
 START_TEST(test10_ecp)
0f20f5
 {
0f20f5
-	test_ecp(ECP_IDP_LIST_ECP);
0f20f5
+	test_ecp(ECP_IDP_LIST_ECP,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
0f20f5
 }
0f20f5
 END_TEST
0f20f5
 
0f20f5
 START_TEST(test11_ecp)
0f20f5
 {
0f20f5
-	test_ecp(ECP_IDP_LIST_BOGUS);
0f20f5
+	test_ecp(ECP_IDP_LIST_BOGUS,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
0f20f5
+}
0f20f5
+END_TEST
0f20f5
+
0f20f5
+START_TEST(test12_ecp)
0f20f5
+{
0f20f5
+	/* Maybe Sign */
0f20f5
+	test_ecp(ECP_IDP_LIST_NONE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
0f20f5
+
0f20f5
+	test_ecp(ECP_IDP_LIST_NONE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
0f20f5
+
0f20f5
+	test_ecp(ECP_IDP_LIST_NONE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
0f20f5
+
0f20f5
+	/* Force Sign */
0f20f5
+	test_ecp(ECP_IDP_LIST_NONE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_FORCE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
0f20f5
+
0f20f5
+	test_ecp(ECP_IDP_LIST_NONE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_FORCE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
0f20f5
+
0f20f5
+	test_ecp(ECP_IDP_LIST_NONE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_FORCE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
0f20f5
+
0f20f5
+	/* Forbid Sign */
0f20f5
+	test_ecp(ECP_IDP_LIST_NONE,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_HINT_FORBID,
0f20f5
+		 LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
0f20f5
+
0f20f5
 }
0f20f5
 END_TEST
0f20f5
 
0f20f5
@@ -1538,7 +1588,7 @@ void check_digest_method(G_GNUC_UNUSED LassoLogin *idp_login_context, LassoLogin
0f20f5
 	lasso_release_string(dump)
0f20f5
 }
0f20f5
 
0f20f5
-START_TEST(test12_sso_sp_with_rsa_sha256_signatures)
0f20f5
+START_TEST(test13_sso_sp_with_rsa_sha256_signatures)
0f20f5
 {
0f20f5
 	LassoServer *idp_context = NULL;
0f20f5
 	LassoServer *sp_context = NULL;
0f20f5
@@ -1595,7 +1645,8 @@ login_saml2_suite()
0f20f5
 	tcase_add_test(tc_ecp, test09_ecp);
0f20f5
 	tcase_add_test(tc_ecp, test10_ecp);
0f20f5
 	tcase_add_test(tc_ecp, test11_ecp);
0f20f5
-	tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures);
0f20f5
+	tcase_add_test(tc_ecp, test12_ecp);
0f20f5
+	tcase_add_test(tc_spLogin, test13_sso_sp_with_rsa_sha256_signatures);
0f20f5
 	return s;
0f20f5
 }
0f20f5
 
0f20f5
-- 
0f20f5
2.20.1
0f20f5