diff --git a/SOURCES/0007-PAOS-Do-not-populate-Destination-attribute.patch b/SOURCES/0007-PAOS-Do-not-populate-Destination-attribute.patch new file mode 100644 index 0000000..63eead1 --- /dev/null +++ b/SOURCES/0007-PAOS-Do-not-populate-Destination-attribute.patch @@ -0,0 +1,99 @@ +From 1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56 Mon Sep 17 00:00:00 2001 +From: Dmitrii Shcherbakov +Date: Fri, 28 Jun 2019 02:36:19 +0300 +Subject: [PATCH] PAOS: Do not populate "Destination" attribute + +When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso +populates an AuthnRequest with the "Destination" attribute set to +AssertionConsumerURL of an SP - this leads to IdP-side errors because +the destination attribute in the request does not match the IdP URL. + +The "Destination" attribute is mandatory only for HTTP Redirect and HTTP +Post bindings when AuthRequests are signed per saml-bindings-2.0-os +(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to +avoid setting that optional attribute because an ECP decides which IdP +to use, not the SP. + +Fixes Bug: 34409 +License: MIT +Signed-off-by: Dmitrii Shcherbakov +--- + lasso/saml-2.0/login.c | 18 +++++++++--------- + lasso/saml-2.0/profile.c | 10 +++++++++- + 2 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c +index 6e8f7553..0d4bb1da 100644 +--- a/lasso/saml-2.0/login.c ++++ b/lasso/saml-2.0/login.c +@@ -222,7 +222,7 @@ _lasso_login_must_verify_signature(LassoProfile *profile) { + gint + lasso_saml20_login_build_authn_request_msg(LassoLogin *login) + { +- char *url = NULL; ++ char *assertionConsumerServiceURL = NULL; + gboolean must_sign = TRUE; + LassoProfile *profile; + LassoSamlp2AuthnRequest *authn_request; +@@ -247,29 +247,29 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login) + } + + if (login->http_method == LASSO_HTTP_METHOD_PAOS) { +- + /* + * PAOS is special, the url passed to build_request is the + * AssertionConsumerServiceURL of this SP, not the +- * destination. ++ * destination IdP URL. This is done to fill paos:responseConsumerURL ++ * appropriately down the line in build_request_msg. ++ * See https://dev.entrouvert.org/issues/34409 for more information. + */ + if (authn_request->AssertionConsumerServiceURL) { +- url = authn_request->AssertionConsumerServiceURL; ++ assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL; + if (!lasso_saml20_provider_check_assertion_consumer_service_url( +- LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) { ++ LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) { + rc = LASSO_PROFILE_ERROR_INVALID_REQUEST; + goto cleanup; + } + } else { +- url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding( ++ assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding( + LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS); +- lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url); ++ lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL); + } + } + +- + lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService", +- login->http_method, url)); ++ login->http_method, assertionConsumerServiceURL)); + + cleanup: + return rc; +diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c +index 22a4e08c..85f535ae 100644 +--- a/lasso/saml-2.0/profile.c ++++ b/lasso/saml-2.0/profile.c +@@ -968,7 +968,15 @@ lasso_saml20_profile_build_request_msg(LassoProfile *profile, const char *servic + made_url = url = get_url(provider, service, http_method_to_binding(method)); + } + +- if (url) { ++ ++ // Usage of the Destination attribute on a request is mandated only ++ // in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests ++ // and is marked as optional in the XSD schema otherwise. ++ // PAOS is a special case because an SP does not select an IdP - ECP does ++ // it instead. Therefore, this attribute needs to be left unpopulated. ++ if (method == LASSO_HTTP_METHOD_PAOS) { ++ lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination); ++ } else if (url) { + lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination, + url); + } else { +-- +2.20.1 + diff --git a/SPECS/lasso.spec b/SPECS/lasso.spec index 45bc1ff..ed66fa1 100644 --- a/SPECS/lasso.spec +++ b/SPECS/lasso.spec @@ -58,7 +58,7 @@ Summary: Liberty Alliance Single Sign On Name: lasso Version: 2.6.0 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Libraries Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz @@ -69,6 +69,7 @@ Patch3: duplicate-python-LogoutTestCase.patch Patch4: versioned-python-configure.patch Patch5: 0005-tests-use-self-generated-certificate-to-sign-federat.patch Patch6: 0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch +Patch7: 0007-PAOS-Do-not-populate-Destination-attribute.patch BuildRequires: libtool autoconf automake @@ -203,6 +204,7 @@ library. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # Remove any python script shebang lines (unless they refer to python3) sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \ @@ -320,6 +322,12 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name} %endif %changelog +* Fri Oct 18 2019 Jakub Hrozek - 2.6.0-8 +- Resolves: rhbz#1730018 - lasso includes "Destination" attribute in SAML + AuthnRequest populated with SP + AssertionConsumerServiceURL when ECP workflow + is used which leads to IdP-side errors + * Fri Jun 14 2019 Jakub Hrozek - 2.6.0-7 - Resolves: rhbz#1634268 - ECP signature check fails with LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when