update to 2.8.2
This commit is contained in:
lyn1001
parent
d7351d30c2
commit
6d02fb2145
@ -1,570 +0,0 @@
|
||||
From a2393bab41ba0343a42675adbef04c613154c424 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
||||
Date: Wed, 16 Nov 2022 15:35:27 +0100
|
||||
Subject: [PATCH 01/11] Use OpenSSL EVP API to work around deprecation of low
|
||||
level APIs in OpenSSL 3 (#71313)
|
||||
|
||||
OpenSSL API is used to sign query-string values in the SAML 2.0 Redirect binding.
|
||||
Other binding only need the libxmlsec API as signature are XML DSIG signatures.
|
||||
---
|
||||
lasso/id-ff/provider.c | 2 +-
|
||||
lasso/xml/private.h | 4 +-
|
||||
lasso/xml/tools.c | 325 ++++++++++++++++++++---------------------
|
||||
3 files changed, 162 insertions(+), 169 deletions(-)
|
||||
|
||||
diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
|
||||
index e6bd6ba9..a4b29337 100644
|
||||
--- a/lasso/id-ff/provider.c
|
||||
+++ b/lasso/id-ff/provider.c
|
||||
@@ -1592,7 +1592,7 @@ lasso_provider_get_key_encryption_method(const LassoProvider *provider)
|
||||
int
|
||||
lasso_provider_verify_query_signature(LassoProvider *provider, const char *message)
|
||||
{
|
||||
- int (*check)(const char *, const xmlSecKey *) = NULL;
|
||||
+ int (*check)(const char *, xmlSecKey *) = NULL;
|
||||
int rc = 0;
|
||||
int signature_rc = 0;
|
||||
GList *public_keys = NULL;
|
||||
diff --git a/lasso/xml/private.h b/lasso/xml/private.h
|
||||
index a60d064c..4aa590a4 100644
|
||||
--- a/lasso/xml/private.h
|
||||
+++ b/lasso/xml/private.h
|
||||
@@ -218,9 +218,9 @@ xmlSecKeysMngr* lasso_load_certs_from_pem_certs_chain_file (const char *file);
|
||||
|
||||
char* lasso_query_sign(char *query, LassoSignatureContext signature_context);
|
||||
|
||||
-int lasso_query_verify_signature(const char *query, const xmlSecKey *public_key);
|
||||
+int lasso_query_verify_signature(const char *query, xmlSecKey *public_key);
|
||||
|
||||
-int lasso_saml2_query_verify_signature(const char *query, const xmlSecKey *sender_public_key);
|
||||
+int lasso_saml2_query_verify_signature(const char *query, xmlSecKey *sender_public_key);
|
||||
|
||||
char* lasso_sha1(const char *str);
|
||||
|
||||
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
|
||||
index 820c273b..bc0510c7 100644
|
||||
--- a/lasso/xml/tools.c
|
||||
+++ b/lasso/xml/tools.c
|
||||
@@ -46,10 +46,6 @@
|
||||
#include <libxml/parserInternals.h>
|
||||
#include <libxml/xmlIO.h>
|
||||
|
||||
-#include <openssl/pem.h>
|
||||
-#include <openssl/sha.h>
|
||||
-#include <openssl/engine.h>
|
||||
-#include <openssl/hmac.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <xmlsec/base64.h>
|
||||
@@ -60,6 +56,7 @@
|
||||
#include <xmlsec/errors.h>
|
||||
#include <xmlsec/openssl/x509.h>
|
||||
#include <xmlsec/openssl/crypto.h>
|
||||
+#include <xmlsec/openssl/evp.h>
|
||||
|
||||
#include <zlib.h>
|
||||
|
||||
@@ -481,22 +478,23 @@ char*
|
||||
lasso_query_sign(char *query, LassoSignatureContext context)
|
||||
{
|
||||
char *digest = NULL; /* 160 bit buffer */
|
||||
- RSA *rsa = NULL;
|
||||
- DSA *dsa = NULL;
|
||||
unsigned char *sigret = NULL;
|
||||
- unsigned int siglen = 0;
|
||||
+ size_t siglen = 0;
|
||||
xmlChar *b64_sigret = NULL, *e_b64_sigret = NULL;
|
||||
char *new_query = NULL, *s_new_query = NULL;
|
||||
int status = 0;
|
||||
const xmlChar *algo_href = NULL;
|
||||
- char *hmac_key;
|
||||
+ unsigned char *hmac_key;
|
||||
size_t hmac_key_length;
|
||||
- const EVP_MD *md = NULL;
|
||||
xmlSecKey *key;
|
||||
xmlSecKeyData *key_data;
|
||||
- unsigned int sigret_size = 0;
|
||||
LassoSignatureMethod sign_method;
|
||||
- lasso_error_t rc = 0;
|
||||
+ lasso_error_t rc = 0;
|
||||
+
|
||||
+ const EVP_MD *md = NULL;
|
||||
+ EVP_MD_CTX *evp_md_ctx = NULL;
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
+ EVP_PKEY *hmac_pkey = NULL;
|
||||
|
||||
g_return_val_if_fail(query != NULL, NULL);
|
||||
g_return_val_if_fail(lasso_ok_signature_method(context.signature_method), NULL);
|
||||
@@ -546,118 +544,89 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
||||
xmlFree(BAD_CAST t);
|
||||
}
|
||||
|
||||
- /* build buffer digest */
|
||||
+ /* define the digest algorithm */
|
||||
switch (sign_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
- digest = lasso_sha1(new_query);
|
||||
+ case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
+ md = EVP_sha1();
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
- digest = lasso_sha256(new_query);
|
||||
+ case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
+ md = EVP_sha256();
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
- digest = lasso_sha384(new_query);
|
||||
+ case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
+ md = EVP_sha384();
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
- digest = lasso_sha512(new_query);
|
||||
- default:
|
||||
+ case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
+ md = EVP_sha512();
|
||||
break;
|
||||
+ case LASSO_SIGNATURE_METHOD_NONE:
|
||||
+ case LASSO_SIGNATURE_METHOD_LAST:
|
||||
+ g_assert_not_reached();
|
||||
}
|
||||
+
|
||||
+ /* Get the signture key */
|
||||
switch (sign_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
- case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
- if (digest == NULL) {
|
||||
- message(G_LOG_LEVEL_CRITICAL, "Failed to build the buffer digest");
|
||||
+ case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
+ pkey = xmlSecOpenSSLEvpKeyDataGetEvp(key_data);
|
||||
+ if (! pkey) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "Failed to get assymetric key");
|
||||
goto done;
|
||||
}
|
||||
- default:
|
||||
- break;
|
||||
- }
|
||||
- /* extract the OpenSSL key */
|
||||
- switch (sign_method) {
|
||||
- case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
- case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
- case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
- case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
- rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key_data);
|
||||
- g_assert(rsa);
|
||||
- /* alloc memory for sigret */
|
||||
- sigret_size = RSA_size(rsa);
|
||||
- break;
|
||||
- case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
- dsa = xmlSecOpenSSLKeyDataDsaGetDsa(key_data);
|
||||
- g_assert(dsa);
|
||||
- /* alloc memory for sigret */
|
||||
- sigret_size = DSA_size(dsa);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
- md = EVP_sha1();
|
||||
- sigret_size = EVP_MD_size(md);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
- md = EVP_sha256();
|
||||
- sigret_size = EVP_MD_size(md);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
- md = EVP_sha384();
|
||||
- sigret_size = EVP_MD_size(md);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
- md = EVP_sha512();
|
||||
- sigret_size = EVP_MD_size(md);
|
||||
+ if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||
+ &hmac_key_length))) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||
+ goto done;
|
||||
+ }
|
||||
+ g_assert(hmac_key);
|
||||
+ hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hmac_key, (int)hmac_key_length);
|
||||
+ if (! hmac_key) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_PKEY_new_mac_key failed");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ pkey = hmac_pkey;
|
||||
break;
|
||||
- default:
|
||||
+ case LASSO_SIGNATURE_METHOD_LAST:
|
||||
+ case LASSO_SIGNATURE_METHOD_NONE:
|
||||
g_assert_not_reached();
|
||||
}
|
||||
- sigret = (unsigned char *)g_malloc (sigret_size);
|
||||
|
||||
switch (sign_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
- /* sign digest message */
|
||||
- status = RSA_sign(NID_sha1, (unsigned char*)digest, SHA_DIGEST_LENGTH, sigret,
|
||||
- &siglen, rsa);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
- /* sign digest message */
|
||||
- status = RSA_sign(NID_sha256, (unsigned char*)digest, SHA256_DIGEST_LENGTH, sigret,
|
||||
- &siglen, rsa);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
- /* sign digest message */
|
||||
- status = RSA_sign(NID_sha384, (unsigned char*)digest, SHA384_DIGEST_LENGTH, sigret,
|
||||
- &siglen, rsa);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
- /* sign digest message */
|
||||
- status = RSA_sign(NID_sha512, (unsigned char*)digest, SHA512_DIGEST_LENGTH, sigret,
|
||||
- &siglen, rsa);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
- status = DSA_sign(NID_sha1, (unsigned char*)digest, SHA_DIGEST_LENGTH, sigret,
|
||||
- &siglen, dsa);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
- if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||
- &hmac_key_length))) {
|
||||
- message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||
+ evp_md_ctx = EVP_MD_CTX_create();
|
||||
+ if (EVP_DigestSignInit(evp_md_ctx, NULL, md, NULL, pkey) <= 0) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_DigestSignInit failed");
|
||||
goto done;
|
||||
}
|
||||
- g_assert(hmac_key);
|
||||
-
|
||||
- /* key should be at least 128 bits long */
|
||||
- if (hmac_key_length < 16) {
|
||||
- critical("HMAC key should be at least 128 bits long");
|
||||
+ if (EVP_DigestSign(evp_md_ctx, NULL, &siglen, (unsigned char*)new_query, strlen(new_query)) <= 0) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_DigestSign failed");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ sigret = g_malloc(siglen);
|
||||
+ if (EVP_DigestSign(evp_md_ctx, sigret, &siglen, (unsigned char*)new_query, strlen(new_query)) <= 0) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_DigestSign failed");
|
||||
goto done;
|
||||
}
|
||||
-
|
||||
- HMAC(md, hmac_key, hmac_key_length, (unsigned char *)new_query,
|
||||
- strlen(new_query), sigret, &siglen);
|
||||
status = 1;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_LAST:
|
||||
@@ -665,14 +634,13 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
||||
g_assert_not_reached();
|
||||
}
|
||||
|
||||
- g_assert(siglen == sigret_size);
|
||||
|
||||
if (status == 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* Base64 encode the signature value */
|
||||
- b64_sigret = xmlSecBase64Encode(sigret, sigret_size, 0);
|
||||
+ b64_sigret = xmlSecBase64Encode(sigret, siglen, 0);
|
||||
/* escape b64_sigret */
|
||||
e_b64_sigret = lasso_xmlURIEscapeStr((xmlChar*)b64_sigret, NULL);
|
||||
|
||||
@@ -701,7 +669,15 @@ done:
|
||||
lasso_release(sigret);
|
||||
lasso_release_xml_string(b64_sigret);
|
||||
lasso_release_xml_string(e_b64_sigret);
|
||||
-
|
||||
+ if (evp_md_ctx) {
|
||||
+ EVP_MD_CTX_free(evp_md_ctx);
|
||||
+ evp_md_ctx = NULL;
|
||||
+ }
|
||||
+ if (hmac_pkey) {
|
||||
+ EVP_PKEY_free(hmac_pkey);
|
||||
+ hmac_pkey = NULL;
|
||||
+ pkey = NULL;
|
||||
+ }
|
||||
return s_new_query;
|
||||
}
|
||||
|
||||
@@ -728,153 +704,162 @@ lasso_assertion_encrypt(LassoSaml2Assertion *assertion, char *recipient)
|
||||
|
||||
static lasso_error_t
|
||||
lasso_query_verify_helper(const char *signed_content, const char *b64_signature, const char *algorithm,
|
||||
- const xmlSecKey *key)
|
||||
+ xmlSecKey *key)
|
||||
{
|
||||
- RSA *rsa = NULL;
|
||||
- DSA *dsa = NULL;
|
||||
char *digest = NULL;
|
||||
- xmlSecByte *signature = NULL;
|
||||
- int key_size = 0;
|
||||
+ char *signature = NULL;
|
||||
+ unsigned int signature_len = 0;
|
||||
unsigned char *hmac_key = NULL;
|
||||
size_t hmac_key_length = 0;
|
||||
const EVP_MD *md = NULL;
|
||||
lasso_error_t rc = 0;
|
||||
LassoSignatureMethod method = LASSO_SIGNATURE_METHOD_NONE;
|
||||
- size_t digest_size = 1;
|
||||
- int type = -1;
|
||||
+ EVP_PKEY *hmac_pkey = NULL;
|
||||
+ unsigned char *new_signature = NULL;
|
||||
+ EVP_MD_CTX *evp_md_ctx = NULL;
|
||||
|
||||
if (lasso_strisequal(algorithm, (char*)xmlSecHrefRsaSha1)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataRsaId,
|
||||
LASSO_DS_ERROR_INVALID_SIGALG)
|
||||
- rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key->value);
|
||||
- key_size = RSA_size(rsa);
|
||||
method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
- digest_size = SHA_DIGEST_LENGTH;
|
||||
- type = NID_sha1;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefDsaSha1)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataDsaId, LASSO_DS_ERROR_INVALID_SIGALG);
|
||||
- dsa = xmlSecOpenSSLKeyDataDsaGetDsa(key->value);
|
||||
- key_size = DSA_size(dsa);
|
||||
method = LASSO_SIGNATURE_METHOD_DSA_SHA1;
|
||||
- digest_size = SHA_DIGEST_LENGTH;
|
||||
- type = NID_sha1;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefRsaSha256)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataRsaId,
|
||||
LASSO_DS_ERROR_INVALID_SIGALG)
|
||||
- rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key->value);
|
||||
- key_size = RSA_size(rsa);
|
||||
method = LASSO_SIGNATURE_METHOD_RSA_SHA256;
|
||||
- digest_size = SHA256_DIGEST_LENGTH;
|
||||
- type = NID_sha256;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefRsaSha384)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataRsaId,
|
||||
LASSO_DS_ERROR_INVALID_SIGALG)
|
||||
- rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key->value);
|
||||
- key_size = RSA_size(rsa);
|
||||
method = LASSO_SIGNATURE_METHOD_RSA_SHA384;
|
||||
- digest_size = SHA384_DIGEST_LENGTH;
|
||||
- type = NID_sha384;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefRsaSha512)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataRsaId,
|
||||
LASSO_DS_ERROR_INVALID_SIGALG)
|
||||
- rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key->value);
|
||||
- key_size = RSA_size(rsa);
|
||||
method = LASSO_SIGNATURE_METHOD_RSA_SHA512;
|
||||
- digest_size = SHA512_DIGEST_LENGTH;
|
||||
- type = NID_sha512;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefHmacSha1)) {
|
||||
lasso_check_good_rc(lasso_get_hmac_key(key, (void**)&hmac_key, &hmac_key_length));
|
||||
- md = EVP_sha1();
|
||||
- key_size = EVP_MD_size(md);
|
||||
method = LASSO_SIGNATURE_METHOD_HMAC_SHA1;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefHmacSha256)) {
|
||||
lasso_check_good_rc(lasso_get_hmac_key(key, (void**)&hmac_key, &hmac_key_length));
|
||||
- md = EVP_sha256();
|
||||
- key_size = EVP_MD_size(md);
|
||||
method = LASSO_SIGNATURE_METHOD_HMAC_SHA256;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefHmacSha384)) {
|
||||
lasso_check_good_rc(lasso_get_hmac_key(key, (void**)&hmac_key, &hmac_key_length));
|
||||
- md = EVP_sha384();
|
||||
- key_size = EVP_MD_size(md);
|
||||
method = LASSO_SIGNATURE_METHOD_HMAC_SHA384;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefHmacSha512)) {
|
||||
lasso_check_good_rc(lasso_get_hmac_key(key, (void**)&hmac_key, &hmac_key_length));
|
||||
- md = EVP_sha512();
|
||||
- key_size = EVP_MD_size(md);
|
||||
method = LASSO_SIGNATURE_METHOD_HMAC_SHA512;
|
||||
} else {
|
||||
goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGALG);
|
||||
}
|
||||
|
||||
- /* is the signature algo allowed */
|
||||
- goto_cleanup_if_fail_with_rc(
|
||||
- lasso_allowed_signature_method(method),
|
||||
- LASSO_DS_ERROR_INVALID_SIGALG);
|
||||
-
|
||||
- /* decode signature */
|
||||
- signature = g_malloc(key_size+1);
|
||||
- goto_cleanup_if_fail_with_rc(
|
||||
- xmlSecBase64Decode((xmlChar*)b64_signature, signature, key_size+1) != 0,
|
||||
- LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
- /* digest */
|
||||
+ /* define the digest algorithm */
|
||||
switch (method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
- digest = lasso_sha1(signed_content);
|
||||
+ case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
+ md = EVP_sha1();
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
- digest = lasso_sha256(signed_content);
|
||||
+ case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
+ md = EVP_sha256();
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
- digest = lasso_sha384(signed_content);
|
||||
+ case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
+ md = EVP_sha384();
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
- digest = lasso_sha512(signed_content);
|
||||
- break;
|
||||
- case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
- case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
- case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
+ md = EVP_sha512();
|
||||
break;
|
||||
- default:
|
||||
+ case LASSO_SIGNATURE_METHOD_NONE:
|
||||
+ case LASSO_SIGNATURE_METHOD_LAST:
|
||||
g_assert_not_reached();
|
||||
}
|
||||
+
|
||||
+ /* is the signature algo allowed */
|
||||
+ goto_cleanup_if_fail_with_rc(
|
||||
+ lasso_allowed_signature_method(method),
|
||||
+ LASSO_DS_ERROR_INVALID_SIGALG);
|
||||
+
|
||||
+ /* decode signature */
|
||||
+ goto_cleanup_if_fail_with_rc(
|
||||
+ lasso_base64_decode(b64_signature, &signature, (int*)&signature_len),
|
||||
+ LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
/* verify signature */
|
||||
+ evp_md_ctx = EVP_MD_CTX_create();
|
||||
+
|
||||
switch (method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
- goto_cleanup_if_fail_with_rc(
|
||||
- RSA_verify(
|
||||
- type,
|
||||
- (unsigned char*)digest,
|
||||
- digest_size,
|
||||
- signature,
|
||||
- key_size, rsa) == 1,
|
||||
- LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
- break;
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
- goto_cleanup_if_fail_with_rc(
|
||||
- DSA_verify(
|
||||
- type,
|
||||
- (unsigned char*)digest,
|
||||
- digest_size,
|
||||
- signature,
|
||||
- key_size, dsa) == 1,
|
||||
- LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ {
|
||||
+ xmlSecKeyData *key_data = xmlSecKeyGetValue(key);
|
||||
+ if (! key_data) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "Failed to get KeyData");
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ EVP_PKEY *pkey = xmlSecOpenSSLEvpKeyDataGetEvp(key_data);
|
||||
+ if (! pkey) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "Failed to get assymetric key");
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ if (1 != EVP_DigestVerifyInit(evp_md_ctx, NULL, md, NULL, pkey)) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_DigestVerifyInit failed");
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ if (1 != EVP_DigestVerifyUpdate(evp_md_ctx, signed_content, strlen(signed_content))) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_DigestVerifyUpdate failed");
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ if(1 != EVP_DigestVerifyFinal(evp_md_ctx, (unsigned char*)signature, signature_len)) {
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ }
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
- digest = g_malloc(key_size);
|
||||
- HMAC(md, hmac_key, hmac_key_length, (unsigned char*)signed_content,
|
||||
- strlen(signed_content), (unsigned char*)digest, NULL);
|
||||
+ {
|
||||
+ unsigned char *hmac_key;
|
||||
+ size_t hmac_key_length;
|
||||
+ size_t new_signature_len;
|
||||
+
|
||||
+ if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||
+ &hmac_key_length))) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ g_assert(hmac_key);
|
||||
+ hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hmac_key, (int)hmac_key_length);
|
||||
+ if (! hmac_key) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_PKEY_new_mac_key failed");
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
|
||||
- goto_cleanup_if_fail_with_rc(lasso_crypto_memequal(digest, signature,
|
||||
- key_size),
|
||||
- LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ if (EVP_DigestSignInit(evp_md_ctx, NULL, md, NULL, hmac_pkey) != 1) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_DigestSignInit failed");
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ if (EVP_DigestSign(evp_md_ctx, NULL, &new_signature_len, (unsigned char*)signed_content, strlen(signed_content)) != 1) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_DigestSign failed");
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ if (new_signature_len != signature_len) {
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ new_signature = g_malloc(new_signature_len);
|
||||
+ if (EVP_DigestSign(evp_md_ctx, new_signature, &new_signature_len, (unsigned char*)signed_content, strlen(signed_content)) != 1) {
|
||||
+ message(G_LOG_LEVEL_CRITICAL, "EVP_DigestSign failed");
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ if (CRYPTO_memcmp(signature, new_signature, signature_len) != 0) {
|
||||
+ goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
+ }
|
||||
+ }
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_NONE:
|
||||
case LASSO_SIGNATURE_METHOD_LAST:
|
||||
@@ -882,7 +867,15 @@ lasso_query_verify_helper(const char *signed_content, const char *b64_signature,
|
||||
}
|
||||
cleanup:
|
||||
lasso_release_string(digest);
|
||||
- lasso_release_string(signature);
|
||||
+ lasso_release_string(new_signature);
|
||||
+ if (evp_md_ctx) {
|
||||
+ EVP_MD_CTX_free(evp_md_ctx);
|
||||
+ evp_md_ctx = NULL;
|
||||
+ }
|
||||
+ if (hmac_pkey) {
|
||||
+ EVP_PKEY_free(hmac_pkey);
|
||||
+ hmac_pkey = NULL;
|
||||
+ }
|
||||
return rc;
|
||||
|
||||
}
|
||||
@@ -899,7 +892,7 @@ cleanup:
|
||||
* a negative value if an error occurs during verification
|
||||
**/
|
||||
lasso_error_t
|
||||
-lasso_query_verify_signature(const char *query, const xmlSecKey *sender_public_key)
|
||||
+lasso_query_verify_signature(const char *query, xmlSecKey *sender_public_key)
|
||||
{
|
||||
gchar **str_split = NULL;
|
||||
char *b64_signature = NULL;
|
||||
@@ -958,7 +951,7 @@ cleanup:
|
||||
* Return value: 0 if signature is validated, an error code otherwise.
|
||||
*/
|
||||
int
|
||||
-lasso_saml2_query_verify_signature(const char *query, const xmlSecKey *sender_public_key)
|
||||
+lasso_saml2_query_verify_signature(const char *query, xmlSecKey *sender_public_key)
|
||||
{
|
||||
char *b64_signature = NULL;
|
||||
char *query_copy = NULL;
|
||||
--
|
||||
2.37.2
|
||||
|
||||
Binary file not shown.
BIN
lasso-2.8.2.tar.gz
Normal file
BIN
lasso-2.8.2.tar.gz
Normal file
Binary file not shown.
22
lasso.spec
22
lasso.spec
@ -1,17 +1,16 @@
|
||||
Name: lasso
|
||||
Version: 2.8.0
|
||||
Version: 2.8.2
|
||||
Release: 1
|
||||
Summary: Liberty Alliance Single Sign On
|
||||
License: GPLv2+
|
||||
URL: http://lasso.entrouvert.org/
|
||||
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
|
||||
Requires: xmlsec1 >= 1.2.25-4
|
||||
Patch1: Use-OpenSSL-EVP-API-to-work-around-deprecation-of-low.patch
|
||||
|
||||
BuildRequires: autoconf automake check-devel glib2-devel gtk-doc libtool
|
||||
BuildRequires: libxml2-devel openssl-devel swig xmlsec1-devel >= 1.2.25-4
|
||||
BuildRequires: xmlsec1-openssl-devel >= 1.2.25-4 zlib-devel jpackage-utils
|
||||
BuildRequires: java-1.8.0-openjdk-devel perl(ExtUtils::MakeMaker) perl(strict) perl(Error)
|
||||
BuildRequires: xmlsec1-openssl-devel >= 1.2.25-4 zlib-devel
|
||||
BuildRequires: perl(ExtUtils::MakeMaker) perl(strict) perl(Error)
|
||||
BuildRequires: perl-devel perl-generators perl(XSLoader) perl(warnings)
|
||||
BuildRequires: perl(Test::More) python3 python3-devel
|
||||
BuildRequires: python3-lxml python3-six libtool-ltdl-devel
|
||||
@ -38,15 +37,6 @@ Requires: lasso = %{version}-%{release}
|
||||
The package provide Perl language bindings for the lasso
|
||||
(Liberty Alliance Single Sign On) library.
|
||||
|
||||
%package -n java-lasso
|
||||
Summary: Liberty Alliance Single Sign On (lasso) Java bindings
|
||||
Requires: java-headless jpackage-utils lasso = %{version}-%{release}
|
||||
Provides: lasso-java = %{version}-%{release}
|
||||
Obsoletes: lasso-java < %{version}-%{release}
|
||||
%description -n java-lasso
|
||||
The package provide Java language bindings for the lasso
|
||||
(Liberty Alliance Single Sign On) library.
|
||||
|
||||
%package -n python3-lasso
|
||||
%{?python_provide:%python_provide python3-lasso}
|
||||
Summary: Liberty Alliance Single Sign On (lasso) Python bindings
|
||||
@ -69,7 +59,6 @@ sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>) \
|
||||
|(/usr/bin/env[[:blank:]]+python[^3]?)' *`
|
||||
|
||||
%build
|
||||
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
|
||||
./autogen.sh
|
||||
%configure --enable-php5=no --with-python=%{__python3}
|
||||
%make_build CFLAGS="%{optflags}"
|
||||
@ -102,8 +91,6 @@ fi
|
||||
|
||||
%files -n perl-lasso -f lasso-perl-filelist
|
||||
|
||||
%files -n java-lasso
|
||||
|
||||
%files -n python3-lasso
|
||||
%{python3_sitearch}/{lasso.py*,_lasso.so,__pycache__/*}
|
||||
|
||||
@ -111,6 +98,9 @@ fi
|
||||
%doc AUTHORS NEWS README
|
||||
|
||||
%changelog
|
||||
* Thu Jul 6 2023 liyanan <thistleslyn@163.com> - 2.8.2-1
|
||||
- Update to version 2.8.2
|
||||
|
||||
* Wed Feb 08 2023 Ge Wang <wangge20@h-partners.com> - 2.8.0-1
|
||||
- Update to version 2.8.0 fix build failure due to openssl update to version 3.0.8
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user