From 20f653f70818b85fe1b4de77a629fce352fb8cbd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 26 Jul 2021 16:25:52 +0200
Subject: [PATCH] lasso_saml20_login_process_response_status_and_assertion:
handle rc as per verify_hint
In case VERIFY_HINT was set to IGNORE and the login signature was
incorrect, lasso_saml20_login_process_response_status_and_assertion
would have jumped straight to the cleanup label which just returns the
return code. Let's jump to a new label handlerc instead which might set
the return code to 0 in case verify_hint is set to IGNORE.
Related: https://dev.entrouvert.org/issues/54689
---
lasso/saml-2.0/login.c | 20 ++++++--------------
1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index cf62c1cc9..1d5668b5b 100644
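--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1371,7 +1371,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
 char *status_value;
 lasso_error_t rc = 0;
 lasso_error_t assertion_signature_status = 0;
- LassoProfileSignatureVerifyHint verify_hint;
+ LassoProfileSignatureVerifyHint verify_hint = LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST;
 
 profile = &login->parent;
 lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
@@ -1492,20 +1492,12 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
 lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
 }
 
- switch (verify_hint) {
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
- break;
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
- /* ignore signature errors */
- if (rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
- rc = 0;
- }
- break;
- default:
- g_assert(0);
- }
 cleanup:
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE &&
+ rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
+ profile->signature_status = rc;
+ rc = 0;
+ }
 return rc;
 }
 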
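Review bot: With the check moved under `cleanup:`, every `goto cleanup` carrying `LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE` now returns 0 under `LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE`, including jumps taken before the context line `lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);`. A caller may therefore get success although the steps after the failed check were skipped; the code between the two hunks is outside this diff, so this needs confirming against the full function. The only remaining trace of the failed verification is `profile->signature_status`, so the new block deserves a comment such as `/* IGNORE hint: report success but keep the failure in profile->signature_status; rc == 0 is not proof of a valid signature */`. Dropping `default: g_assert(0);` means an unexpected hint value is no longer detected; in this block it fails closed, and `LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST` appears to act as a "not yet read" sentinel, which is worth stating at the initialiser. The commit message describes a new label `handlerc`, while the hunk reuses `cleanup:`.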
--
2.26.3