pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/lasso Pullup single logout related bugfixes f...
details: https://anonhg.NetBSD.org/pkgsrc/rev/22c256f1546b
branches: trunk
changeset: 567998:22c256f1546b
user: manu <manu%pkgsrc.org@localhost>
date: Tue Dec 01 08:49:46 2009 +0000
description:
Pullup single logout related bugfixes from lasso -current.
On SP initiated logout, the SP x509 certificate was included in the
HTTP redirect URL. First this was an SAML standard violation, and second
it inflated the URL beyond 2038 bytes, which is the maximum length for
IE7 and prior. As a result, SP initated single logout was broken with IE7
and prior versions.
diffstat:
security/lasso/Makefile | 4 +-
security/lasso/distinfo | 7 +-
security/lasso/patches/patch-ca | 133 +++++++++++++++++++++++++++++++++++++--
security/lasso/patches/patch-cb | 74 ++++++++++++++++++++++
security/lasso/patches/patch-cc | 77 +++++++++++++++++++++++
security/lasso/patches/patch-cd | 9 ++
6 files changed, 293 insertions(+), 11 deletions(-)
diffs (truncated from 347 to 300 lines):
diff -r 24e04ce7cc30 -r 22c256f1546b security/lasso/Makefile
--- a/security/lasso/Makefile Tue Dec 01 08:43:52 2009 +0000
+++ b/security/lasso/Makefile Tue Dec 01 08:49:46 2009 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.2 2009/05/26 05:26:00 manu Exp $
+# $NetBSD: Makefile,v 1.3 2009/12/01 08:49:46 manu Exp $
#
-PKGREVISION= 2
+PKGREVISION= 3
CONFIGURE_ARGS+= --disable-python
CONFIGURE_ARGS+= --disable-php4
diff -r 24e04ce7cc30 -r 22c256f1546b security/lasso/distinfo
--- a/security/lasso/distinfo Tue Dec 01 08:43:52 2009 +0000
+++ b/security/lasso/distinfo Tue Dec 01 08:49:46 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5 2009/07/06 22:08:16 joerg Exp $
+$NetBSD: distinfo,v 1.6 2009/12/01 08:49:46 manu Exp $
SHA1 (lasso-2.2.2.tar.gz) = 32651fa71b16da01a94db234425846729a510623
RMD160 (lasso-2.2.2.tar.gz) = a4faae605726202db33d36a2b520b0ab8f17aa76
@@ -8,4 +8,7 @@
SHA1 (patch-bb) = 0867b8ae4036620084b73d28546ac089b57d3fb9
SHA1 (patch-bc) = 1633e47d0b4db574183bc3798a2dd839c98d11cb
SHA1 (patch-bd) = d6788200b7f7a871b8d5bb788c5feff174c2a371
-SHA1 (patch-ca) = c803ef9032744263f0fc434eda2c3b729fc96225
+SHA1 (patch-ca) = d65ec7dcf14db7be4abf0d804e666768d0cb81d5
+SHA1 (patch-cb) = 181213f32003c2744e40c45d24fa30198444e0af
+SHA1 (patch-cc) = 71794a4f081bafd451528f11b06fb61997ff4f9f
+SHA1 (patch-cd) = 6dfacf5eb7308ad78609e3c8412422b98cb891d4
diff -r 24e04ce7cc30 -r 22c256f1546b security/lasso/patches/patch-ca
--- a/security/lasso/patches/patch-ca Tue Dec 01 08:43:52 2009 +0000
+++ b/security/lasso/patches/patch-ca Tue Dec 01 08:49:46 2009 +0000
@@ -1,14 +1,133 @@
-$NetBSD: patch-ca,v 1.1 2009/05/26 05:26:00 manu Exp $
---- lasso/saml-2.0/profile.c.orig 2009-03-27 16:12:48.000000000 +0000
-+++ lasso/saml-2.0/profile.c 2009-05-25 15:40:40.000000000 +0000
-@@ -1106,10 +1106,8 @@
+$NetBSD: patch-ca,v 1.2 2009/12/01 08:49:46 manu Exp $
+--- lasso/saml-2.0/profile.c.orig 2009-03-27 17:12:48.000000000 +0100
++++ lasso/saml-2.0/profile.c 2009-11-30 20:19:47.000000000 +0100
+@@ -49,5 +49,5 @@
+ static char* lasso_saml20_profile_build_artifact(LassoProvider *provider);
+ static void remove_all_signatures(LassoNode *node);
+-static char * lasso_saml20_profile_export_to_query(LassoProfile *profile, LassoNode *msg, int sign);
++static int lasso_saml20_profile_export_to_query(LassoProfile *profile, LassoNode *msg, int sign, char **query);
+
+ /*
+@@ -1014,36 +1014,41 @@
+ * Return value: a newly allocated string containing the query string if successfull, NULL otherwise.
+ */
+-static char *
+-lasso_saml20_profile_export_to_query(LassoProfile *profile, LassoNode *msg, int sign) {
++static int
++lasso_saml20_profile_export_to_query(LassoProfile *profile, LassoNode *msg, int sign, char **query) {
+ char *unsigned_query = NULL;
+ char *result = NULL;
++ int rc = 0;
+
+- g_return_val_if_fail(LASSO_IS_NODE(msg), NULL);
++ lasso_bad_param(PROFILE, profile);
++ lasso_bad_param(NODE, msg);
+
+ unsigned_query = lasso_node_build_query(msg);
+ if (profile->msg_relayState) {
+- char *query = unsigned_query;
+- xmlChar *encoded_relayState;
+- if (strlen(profile->msg_relayState) < 81) {
+- encoded_relayState = xmlURIEscape((xmlChar*)profile->msg_relayState);
+- if (encoded_relayState != NULL) {
+- unsigned_query = g_strdup_printf("%s&RelayState=%s", query,
+- (char*)encoded_relayState);
+- lasso_release_string(query);
+- lasso_release_xml_string(encoded_relayState);
+- }
+- } else {
+- g_warning("Refused to encode a RelayState of more than 80 bytes, #3.4.3 of"
+- " saml-bindings-2.0-os");
++ unsigned_query = lasso_url_add_parameters(unsigned_query, 1, "RelayState", profile->msg_relayState, NULL);
++
++ if (strlen(profile->msg_relayState) > 80) {
++ g_warning("Encoded a RelayState of more than 80 bytes, see #3.4.3 of saml-bindings-2.0-os");
+ }
+ }
+ if (sign && lasso_flag_add_signature) {
++ LassoServer *server = profile->server;
++ goto_cleanup_if_fail_with_rc (LASSO_IS_SERVER(server),
++ LASSO_PROFILE_ERROR_MISSING_SERVER);
++ goto_cleanup_if_fail_with_rc (
++ profile->server->signature_method != LASSO_SIGNATURE_TYPE_NONE &&
++ profile->server->private_key,
++ LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED);
++
+ result = lasso_query_sign(unsigned_query, profile->server->signature_method,
+ profile->server->private_key);
+- lasso_release_string(unsigned_query);
++ lasso_transfer_string(*query, result);
+ } else {
+- result = unsigned_query;
++ lasso_transfer_string(*query, unsigned_query);
+ }
+- return result;
++cleanup:
++ lasso_release_string(unsigned_query);
++ lasso_release_string(result);
++ return rc;
++
+ }
+
+@@ -1054,8 +1059,13 @@
+ if (node == NULL)
+ return;
++
+ klass = LASSO_NODE_GET_CLASS(node);
+- if (klass->node_data->sign_type_offset != 0) {
+- G_STRUCT_MEMBER(LassoSignatureType, node,klass->node_data->sign_type_offset) =
+- LASSO_SIGNATURE_TYPE_NONE;
++ /* follow the class parenting chain */
++ while (klass && LASSO_IS_NODE_CLASS(klass)) {
++ if (klass && klass->node_data && klass->node_data->sign_type_offset != 0) {
++ G_STRUCT_MEMBER(LassoSignatureType, node, klass->node_data->sign_type_offset) =
++ LASSO_SIGNATURE_TYPE_NONE;
++ }
++ klass = g_type_class_peek_parent(klass);
+ }
+ }
+@@ -1097,4 +1107,17 @@
+ }
+
++/**
++ * lasso_saml20_profile_build_http_redirect:
++ * @profile: a #LassoProfile object
++ * @msg: a #LassoNode object representing a SAML 2.0 message
++ * @must_sign: wheter to sign the query message using query signatures
++ * @url: the URL where the query is targeted
++ *
++ * Build an HTTP URL with a query-string following the SAML 2.0 HTTP-Redirect binding rules,
++ * eventually sign it. Any signature at the message level is removed.
++ *
++ * Return value: 0 if successful, an error code otherwise.
++ */
++
+ gint
+ lasso_saml20_profile_build_http_redirect(LassoProfile *profile,
+@@ -1103,12 +1126,17 @@
+ const char *url)
+ {
+- char *query;
++ char *query = NULL;
++ int rc = 0;
if (url == NULL) {
return critical_error(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
}
-- /* No signature on the XML message */
++ /* remove XML signature */
++ remove_signature(msg);
+ /* No signature on the XML message */
- remove_all_signatures(msg);
- query = lasso_saml20_profile_export_to_query(profile, msg, must_sign);
+- query = lasso_saml20_profile_export_to_query(profile, msg, must_sign);
++ rc = lasso_saml20_profile_export_to_query(profile, msg, must_sign, &query);
++ if (rc)
++ return rc;
++
lasso_assign_new_string(profile->msg_url, lasso_concat_url_query(url, query));
lasso_release(profile->msg_body);
- lasso_release(query);
+@@ -1317,4 +1345,5 @@
+ lasso_release(idx);
+ }
++ /* remove signature at the message level */
+ rc = lasso_saml20_profile_build_http_redirect(profile, msg, must_sign, url);
+ lasso_release(url);
diff -r 24e04ce7cc30 -r 22c256f1546b security/lasso/patches/patch-cb
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/lasso/patches/patch-cb Tue Dec 01 08:49:46 2009 +0000
@@ -0,0 +1,74 @@
+$NetBSD: patch-cb,v 1.3 2009/12/01 08:49:46 manu Exp $
+--- lasso/xml/tools.c.orig 2009-11-30 18:38:05.000000000 +0100
++++ lasso/xml/tools.c 2009-11-30 18:39:45.000000000 +0100
+@@ -1492,2 +1492,70 @@
+ return result;
+ }
++
++
++/**
++ * lasso_url_add_parameters:
++ * @url: the original URL
++ * @free: whether to free the URL parameter
++ * @...: pairs of strings, key, value, followed by NULL
++ *
++ * Iterate over all pairs of key,value, and concatenate them to @url encoded as "&key=value", where
++ * key and value are url-encoded.
++ * If free is true and at least one pair was given, url is freed. If url is NULL, the first
++ * ampersand is omitted.
++ *
++ * Return value: a newly allocated string, or url.
++ */
++char*
++lasso_url_add_parameters(char *url,
++ gboolean free, ...)
++{
++ char *old_url = url, *new_url;
++ xmlChar *encoded_key, *encoded_value;
++ int rc = 0;
++ va_list ap;
++
++ va_start(ap, free);
++
++ while (1) {
++ char *key;
++ char *value;
++
++ key = va_arg(ap, char*);
++ if (! key) {
++ break;
++ }
++ encoded_key = xmlURIEscapeStr((xmlChar*)key, NULL);
++ goto_cleanup_if_fail_with_rc(encoded_key, 0);
++
++ value = va_arg(ap, char*);
++ if (! value) {
++ message(G_LOG_LEVEL_CRITICAL, "lasso_url_add_parameter: key without a value !!");
++ break;
++ }
++ encoded_value = xmlURIEscapeStr((xmlChar*)value, NULL);
++ goto_cleanup_if_fail_with_rc(encoded_value, 0);
++
++ if (old_url) {
++ new_url = g_strdup_printf("%s&%s=%s", old_url, (char*)encoded_key, (char*)encoded_value);
++ } else {
++ new_url = g_strdup_printf("%s=%s", (char*)encoded_key, (char*)encoded_value);
++ }
++ if (old_url != url) {
++ lasso_release_string(old_url);
++ }
++ old_url = new_url;
++
++ lasso_release_xml_string(encoded_key);
++ lasso_release_xml_string(encoded_value);
++ }
++cleanup:
++ va_end(ap);
++ if (free && new_url != url) {
++ lasso_release(url);
++ }
++ lasso_release_xml_string(encoded_key);
++
++ return new_url;
++}
++
diff -r 24e04ce7cc30 -r 22c256f1546b security/lasso/patches/patch-cc
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/lasso/patches/patch-cc Tue Dec 01 08:49:46 2009 +0000
@@ -0,0 +1,77 @@
+$NetBSD: patch-cc,v 1.1 2009/12/01 08:49:46 manu Exp $
+--- lasso/utils.h.orig 2009-11-30 18:54:46.000000000 +0100
++++ lasso/utils.h 2009-11-30 19:31:22.000000000 +0100
+@@ -336,4 +336,73 @@
+ g_return_val_if_fail(name != NULL, LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
+
++/**
++ * The following macros are made to create some formalism for function's cleanup code.
++ *
++ * The exit label should be called 'cleanup'. And for functions returning an integer error code, the
++ * error code should be named 'rc' and 'return rc;' should be the last statement of the function.
++ */
++
++/**
++ * goto_cleanup_with_rc:
++ * @rc_value: integer return value
++ *
++ * This macro jump to the 'cleanup' label and set the return value to @rc_value.
++ *
++ */
++#define goto_cleanup_with_rc(rc_value) \
++ {\
++ rc = (rc_value); \
++ goto cleanup; \
++ }
++
++/**
++ * goto_cleanup_if_fail:
++ * @condition: a boolean condition
++ *
++ * Jump to the 'cleanup' label if the @condition is FALSE.
++ *
++ */
++#define goto_cleanup_if_fail(condition) \
++ {\
++ if (! (condition) ) {\
++ goto cleanup; \
++ } \
++ }
++
++/**
++ * goto_cleanup_if_fail_with_rc:
++ * @condition: a boolean condition
Home |
Main Index |
Thread Index |
Old Index