From 59ada452e86528d8c49baaa41f9841e63fae7592 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 06 2019 11:09:55 +0000 Subject: import lasso-2.5.1-3.el7 --- diff --git a/SOURCES/0003-Choose-the-Reference-transform-based-on-the-chosen-S.patch b/SOURCES/0003-Choose-the-Reference-transform-based-on-the-chosen-S.patch new file mode 100644 index 0000000..93ec571 --- /dev/null +++ b/SOURCES/0003-Choose-the-Reference-transform-based-on-the-chosen-S.patch @@ -0,0 +1,154 @@ +From 9525237236eef4097300d9b6e93d2178a7a72267 Mon Sep 17 00:00:00 2001 +From: Benjamin Dauvergne +Date: Fri, 4 Mar 2016 10:38:07 +0100 +Subject: [PATCH] Choose the Reference transform based on the chosen Signature + transform (fixes #10155) + +i.e. if the signature use SHA2 then use SHA2 of the same strength for digesting +references. +--- + lasso/xml/tools.c | 41 +++++++++++++++++++++++++++++++++-------- + tests/login_tests_saml2.c | 45 +++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 76 insertions(+), 10 deletions(-) + +diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c +index 0405592..cf9fe65 100644 +--- a/lasso/xml/tools.c ++++ b/lasso/xml/tools.c +@@ -2823,14 +2823,39 @@ lasso_xmlnode_add_saml2_signature_template(xmlNode *node, LassoSignatureContext + xmlAddChild(node, signature); + } + +- /* Normally the signature is son of the signed node, which holds an Id attribute, but in +- * other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another +- * node get_xmlNode virtual method to add the needed reference. +- */ +- uri = g_strdup_printf("#%s", id); +- reference = xmlSecTmplSignatureAddReference(signature, +- xmlSecTransformSha1Id, NULL, (xmlChar*)uri, NULL); +- lasso_release(uri); ++ /* choose a digest for handling references based on the chosen signature algorithm */ ++ { ++ xmlSecTransformId digest_method_id; ++ switch (context.signature_method) { ++ case LASSO_SIGNATURE_METHOD_RSA_SHA1: ++ case LASSO_SIGNATURE_METHOD_DSA_SHA1: ++ case LASSO_SIGNATURE_METHOD_HMAC_SHA1: ++ digest_method_id = xmlSecTransformSha1Id; ++ break; ++ case LASSO_SIGNATURE_METHOD_RSA_SHA256: ++ case LASSO_SIGNATURE_METHOD_HMAC_SHA256: ++ digest_method_id = xmlSecTransformSha256Id; ++ break; ++ case LASSO_SIGNATURE_METHOD_RSA_SHA384: ++ case LASSO_SIGNATURE_METHOD_HMAC_SHA384: ++ digest_method_id = xmlSecTransformSha384Id; ++ break; ++ case LASSO_SIGNATURE_METHOD_RSA_SHA512: ++ case LASSO_SIGNATURE_METHOD_HMAC_SHA512: ++ digest_method_id = xmlSecTransformSha384Id; ++ break; ++ default: ++ g_assert_not_reached(); ++ } ++ /* Normally the signature is son of the signed node, which holds an Id attribute, but in ++ * other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another ++ * node get_xmlNode virtual method to add the needed reference. ++ */ ++ uri = g_strdup_printf("#%s", id); ++ reference = xmlSecTmplSignatureAddReference(signature, digest_method_id, NULL, ++ (xmlChar*)uri, NULL); ++ lasso_release(uri); ++ } + + /* add enveloped transform */ + xmlSecTmplReferenceAddTransform(reference, xmlSecTransformEnvelopedId); +diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c +index 9cd04ce..7f45099 100644 +--- a/tests/login_tests_saml2.c ++++ b/tests/login_tests_saml2.c +@@ -925,8 +925,10 @@ END_TEST + lasso_provider_add_key(LASSO_PROVIDER(providers->data), key, FALSE); \ + g_list_free(providers); + ++typedef void (*SsoCallback)(LassoLogin *idp_login_context, LassoLogin *sp_login_context); ++ + static void +-sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context) ++sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallback sso_callback) + { + LassoLogin *idp_login_context; + LassoLogin *sp_login_context; +@@ -970,6 +972,10 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context) + idp_login_context->parent.msg_body)); + check_good_rc(lasso_login_accept_sso(sp_login_context)); + ++ if (sso_callback) { ++ sso_callback(idp_login_context, sp_login_context); ++ } ++ + /* Cleanup */ + lasso_release_gobject(idp_login_context); + lasso_release_gobject(sp_login_context); +@@ -991,8 +997,9 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures) + test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key) + test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key) + ++ + block_lasso_logs; +- sso_initiated_by_sp(idp_context, sp_context); ++ sso_initiated_by_sp(idp_context, sp_context, NULL); + unblock_lasso_logs; + + /* Cleanup */ +@@ -1514,6 +1521,39 @@ START_TEST(test11_ecp) + } + END_TEST + ++void check_digest_method(LassoLogin *idp_login_context, LassoLogin *sp_login_context) ++{ ++ char *dump = lasso_node_debug((LassoNode*)sp_login_context->parent.response, 10); ++ check_true(strstr(dump, "") != NULL); ++ lasso_release_string(dump) ++} ++ ++START_TEST(test12_sso_sp_with_rsa_sha256_signatures) ++{ ++ LassoServer *idp_context = NULL; ++ LassoServer *sp_context = NULL; ++ GList *providers; ++ LassoKey *key = NULL; ++ ++ /* Create a key for signature algorithm RSA_SHA256 */ ++ key = lasso_key_new_for_signature_from_file(TESTSDATADIR "idp6-saml2/private-key.pem", NULL, ++ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL); ++ check_true(LASSO_IS_KEY(key)); ++ ++ test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key) ++ test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key) ++ ++ block_lasso_logs; ++ sso_initiated_by_sp(idp_context, sp_context, check_digest_method); ++ unblock_lasso_logs; ++ ++ /* Cleanup */ ++ lasso_release_gobject(idp_context); ++ lasso_release_gobject(sp_context); ++ lasso_release_gobject(key); ++} ++END_TEST ++ + Suite* + login_saml2_suite() + { +@@ -1545,6 +1585,7 @@ login_saml2_suite() + tcase_add_test(tc_ecp, test09_ecp); + tcase_add_test(tc_ecp, test10_ecp); + tcase_add_test(tc_ecp, test11_ecp); ++ tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures); + return s; + } + +-- +1.8.3.1 + diff --git a/SOURCES/0004-Fix-ECP-signature-not-found-error-when-only-assertio.patch b/SOURCES/0004-Fix-ECP-signature-not-found-error-when-only-assertio.patch new file mode 100644 index 0000000..2fca38f --- /dev/null +++ b/SOURCES/0004-Fix-ECP-signature-not-found-error-when-only-assertio.patch @@ -0,0 +1,329 @@ +From 642182bdf49c9c93a86b093ad7335c8a7a5ae8cc Mon Sep 17 00:00:00 2001 +From: John Dennis +Date: Wed, 9 Jan 2019 17:23:09 -0500 +Subject: [PATCH] Fix ECP signature not found error when only assertion is + signed (#26828) + +With a SAML Authn Response either the message or the assertion +contained in the response message or both can be signed. Most IdP's +sign the message. This fixes a bug when processing an ECP authn +response when only the assertion is signed. + +lasso_saml20_profile_process_soap_response_with_headers() performs a +signature check on the SAML message. A signature can also appear on +the assertion which is checked by +lasso_saml20_login_process_response_status_and_assertion() The problem +occurred when the message was not signed and +lasso_saml20_profile_process_soap_response_with_headers() returned +LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not +actually an error because we haven't checked the signature on the +assertion yet. We were returning the first +LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent +signature check in +lasso_saml20_login_process_response_status_and_assertion() succeeded. + +The ECP unit tests were enhanced to cover these cases. + +The enhanced unit test revealed a problem in two switch statements +operating on the return value of +lasso_profile_get_signature_verify_hint() which were missing a case +statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused +an abort due to an unknown enumeration value. + +Fixes Bug: 26828 +License: MIT +Signed-off-by: John Dennis +--- + lasso/saml-2.0/login.c | 29 +++++++++----- + lasso/saml-2.0/profile.c | 2 + + tests/login_tests_saml2.c | 97 ++++++++++++++++++++++++++++++++++++----------- + 3 files changed, 95 insertions(+), 33 deletions(-) + +diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c +index 028ffb3..91ff302 100644 +--- a/lasso/saml-2.0/login.c ++++ b/lasso/saml-2.0/login.c +@@ -1107,18 +1107,31 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg) + { + LassoSoapHeader *header = NULL; + LassoProfile *profile; +- int rc1, rc2; ++ int rc; + + lasso_null_param(msg); + + profile = LASSO_PROFILE(login); + +- rc1 = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header); ++ /* ++ * lasso_saml20_profile_process_soap_response_with_headers() ++ * performs a signature check on the SAML message. A signature ++ * can also appear on the assertion which is checked by ++ * lasso_saml20_login_process_response_status_and_assertion() ++ * (below). Therefore if the error is SIGNATURE_NOT_FOUND we ++ * proceed because ++ * lasso_saml20_login_process_response_status_and_assertion() ++ * will test the signature on the assertion. ++ */ ++ rc = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header); ++ if (rc != 0 && rc != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { ++ return rc; ++ } + + /* + * If the SOAP message contained a header check for the optional +- * paos:Response and ecp:RelayState elements, if they exist extract their +- * values into the profile. ++ * paos:Response and ecp:RelayState elements, if they exist extract their ++ * values into the profile. + */ + if (header) { + GList *i = NULL; +@@ -1142,12 +1155,8 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg) + lasso_release_gobject(header); + } + +- rc2 = lasso_saml20_login_process_response_status_and_assertion(login); +- if (rc1) { +- return rc1; +- } +- return rc2; +- ++ rc = lasso_saml20_login_process_response_status_and_assertion(login); ++ return rc; + } + + /** +diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c +index 8171e79..22a4e08 100644 +--- a/lasso/saml-2.0/profile.c ++++ b/lasso/saml-2.0/profile.c +@@ -398,6 +398,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char + + switch (lasso_profile_get_signature_verify_hint(profile)) { + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: ++ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE: + rc = profile->signature_status; + break; + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: +@@ -1559,6 +1560,7 @@ lasso_saml20_profile_process_soap_response_with_headers(LassoProfile *profile, + remote_provider, response_msg, "ID", LASSO_MESSAGE_FORMAT_SOAP); + switch (lasso_profile_get_signature_verify_hint(profile)) { + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: ++ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE: + rc = profile->signature_status; + break; + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: +diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c +index 54c7fb6..e331c07 100644 +--- a/tests/login_tests_saml2.c ++++ b/tests/login_tests_saml2.c +@@ -1090,42 +1090,42 @@ START_TEST(test08_test_authnrequest_flags) + make_context(sp_context, "sp5-saml2", "", LASSO_PROVIDER_ROLE_IDP, "idp5-saml2", "") + + block_lasso_logs; +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .use_assertion_consumer_service_idx = 1, + .assertion_consumer_service_idx = 0, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnPost", + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnPost", + .protocol_binding = LASSO_SAML2_METADATA_BINDING_POST, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnArtifact", + .protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact", + .protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact", + .protocol_binding = LASSO_SAML2_METADATA_BINDING_POST, + .stop_after_build_assertion = 1, +@@ -1278,7 +1278,9 @@ static void validate_idp_list(LassoEcp *ecp, EcpIdpListVariant ecpIDPListVariant + check_str_equals((char*)g_list_nth(ecp->known_idp_entity_ids_supporting_ecp, 0)->data, "http://idp5/metadata"); + } + +-void test_ecp(EcpIdpListVariant ecpIDPListVariant) ++void test_ecp(EcpIdpListVariant ecpIDPListVariant, ++ LassoProfileSignatureHint signature_hint, ++ LassoProfileSignatureVerifyHint signature_verify_hint) + { + char *serviceProviderContextDump = NULL, *identityProviderContextDump = NULL; + LassoServer *spContext = NULL, *ecpContext=NULL, *idpContext = NULL; +@@ -1286,7 +1288,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + LassoEcp *ecp = NULL; + LassoSamlp2AuthnRequest *request = NULL; + gboolean is_passive = FALSE; +- char *provider_name = NULL; ++ char *provider_name = NULL; + char *relayState = NULL; + char *messageID = NULL; + char *extracted_messageID = NULL; +@@ -1296,7 +1298,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + char *ecpPaosResponseMsg = NULL; + char *spLoginDump = NULL; + LassoSaml2Assertion *assertion; +- LassoSamlp2IDPList *idp_list = NULL; ++ LassoSamlp2IDPList *idp_list = NULL; + + /* + * SAML2 Profile for ECP (Section 4.2) defines these steps for an ECP +@@ -1322,6 +1324,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + spContext = lasso_server_new_from_dump(serviceProviderContextDump); + spLoginContext = lasso_login_new(spContext); + check_not_null(spLoginContext); ++ lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint); ++ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint); + + check_good_rc(lasso_login_init_authn_request(spLoginContext, "http://idp5/metadata", + LASSO_HTTP_METHOD_PAOS)); +@@ -1419,6 +1423,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + idpContext = lasso_server_new_from_dump(identityProviderContextDump); + idpLoginContext = lasso_login_new(idpContext); + check_not_null(idpLoginContext); ++ lasso_profile_set_signature_hint(LASSO_PROFILE(idpLoginContext), signature_hint); ++ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(idpLoginContext), signature_verify_hint); + + /* Parse the ecpSoapRequestMsg */ + check_good_rc(lasso_login_process_authn_request_msg(idpLoginContext, ecpSoapRequestMsg)); +@@ -1465,7 +1471,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + check_str_equals(ecp->relaystate, relayState); + check_str_equals(ecp->issuer->content, "http://sp5/metadata"); + check_str_equals(ecp->provider_name, provider_name); +- check_equals(ecp->is_passive, is_passive); ++ check_equals(ecp->is_passive, is_passive); + + /* Validate ECP IdP list info */ + validate_idp_list(ecp, ecpIDPListVariant, idp_list); +@@ -1480,6 +1486,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + spContext = lasso_server_new_from_dump(serviceProviderContextDump); + spLoginContext = lasso_login_new(spContext); + check_not_null(spLoginContext); ++ lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint); ++ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint); + + /* Parse the ecpPaosResponseMsg */ + check_good_rc(lasso_login_process_paos_response_msg(spLoginContext, ecpPaosResponseMsg)); +@@ -1515,19 +1523,61 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + + START_TEST(test09_ecp) + { +- test_ecp(ECP_IDP_LIST_NONE); ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); + } + END_TEST + + START_TEST(test10_ecp) + { +- test_ecp(ECP_IDP_LIST_ECP); ++ test_ecp(ECP_IDP_LIST_ECP, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); + } + END_TEST + + START_TEST(test11_ecp) + { +- test_ecp(ECP_IDP_LIST_BOGUS); ++ test_ecp(ECP_IDP_LIST_BOGUS, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); ++} ++END_TEST ++ ++START_TEST(test12_ecp) ++{ ++ /* Maybe Sign */ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); ++ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE); ++ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE); ++ ++ /* Force Sign */ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_FORCE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); ++ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_FORCE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE); ++ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_FORCE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE); ++ ++ /* Forbid Sign */ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_FORBID, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE); ++ + } + END_TEST + +@@ -1538,7 +1588,7 @@ void check_digest_method(G_GNUC_UNUSED LassoLogin *idp_login_context, LassoLogin + lasso_release_string(dump) + } + +-START_TEST(test12_sso_sp_with_rsa_sha256_signatures) ++START_TEST(test13_sso_sp_with_rsa_sha256_signatures) + { + LassoServer *idp_context = NULL; + LassoServer *sp_context = NULL; +@@ -1595,7 +1645,8 @@ login_saml2_suite() + tcase_add_test(tc_ecp, test09_ecp); + tcase_add_test(tc_ecp, test10_ecp); + tcase_add_test(tc_ecp, test11_ecp); +- tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures); ++ tcase_add_test(tc_ecp, test12_ecp); ++ tcase_add_test(tc_spLogin, test13_sso_sp_with_rsa_sha256_signatures); + return s; + } + +-- +1.8.3.1 + diff --git a/SPECS/lasso.spec b/SPECS/lasso.spec index 3c1aebf..16d0fbc 100644 --- a/SPECS/lasso.spec +++ b/SPECS/lasso.spec @@ -15,7 +15,7 @@ Summary: Liberty Alliance Single Sign On Name: lasso Version: 2.5.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Libraries Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz @@ -33,6 +33,8 @@ Url: http://lasso.entrouvert.org/ patch1: cflags.patch patch2: validate_idp_list_test.patch +patch3: 0003-Choose-the-Reference-transform-based-on-the-chosen-S.patch +patch4: 0004-Fix-ECP-signature-not-found-error-when-only-assertio.patch %description Lasso is a library that implements the Liberty Alliance Single Sign On @@ -110,6 +112,8 @@ library. %setup -q -n %{name}-%{version} %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build autoreconf -vif @@ -218,6 +222,11 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name} %endif %changelog +* Sun Feb 10 2019 Jakub Hrozek - 2.5.1-3 +- Resolves: #1634267 - ECP signature check fails with + LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when assertion signed + instead of response + * Fri Jun 17 2016 John Dennis - 2.5.1-2 - Rebase to upstream 2.5.1 Resolves: #1310860