lemonldap-ng: CVE-2012-6426: SAML messages signatures are not verified
Hi all,
I've prepared the attached patch for security bug #696329. It is
ready to be uploaded to the lemonldap-ng package in testing. The stable
package is not vulnerable since SAML support only exists in versions >= 1.0.
Can you tell me whether it looks good?
Thanks a lot,
Xavier
Description: Verify SAML signature
Due to incorrect use of the Lasso library, SAML message signatures were never
checked, even when signature checking was required by the configuration.
[CVE-2012-6426]
Author: Clément OUDOT <coudot@linagora.com>
Bug: http://jira.ow2.org/browse/LEMONLDAP-570
Bug-Debian: http://bugs.debian.org/696329
Forwarded: yes
Reviewed-By: Xavier Guimard <x.guimard@free.fr>
Last-Update: 2012-12-19
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@@ -2218,6 +2218,21 @@
return $self->checkLassoError($@);
}
+## @method boolean forceSignatureVerification(Lasso::Profile profile)
+# Modify Lasso signature hint to force signature verification
+# @param profile Lasso profile object
+# @return result
+sub forceSignatureVerification {
+ my ( $self, $profile ) = splice @_;
+
+ eval {
+ Lasso::Profile::set_signature_verify_hint( $profile,
+ Lasso::Constants::PROFILE_SIGNATURE_VERIFY_HINT_FORCE );
+ };
+
+ return $self->checkLassoError($@);
+}
+
## @method string getAuthnContext(string context)
# Convert configuration string into SAML2 AuthnContextClassRef string
# @param context configuration string
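Review bot: The `@return result` line says nothing about what `checkLassoError($@)` yields, and every caller added in this patch discards the value, so a failure to set the hint would leave the profile on its previous hint without anyone noticing. Spell out the contract, e.g. `# @return true if the FORCE hint was applied; on a Lasso error the profile keeps its previous hint and the caller must not assume the next process*Msg call will verify the signature` (this assumes checkLassoError returns false on error, which is defined outside this hunk). This is a documentation point only; the code itself is fine.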
@@ -3223,6 +3238,10 @@
Modify Lasso signature hint to disable signature verification
+=head2 forceSignatureVerification
+
+Modify Lasso signature hint to force signature verification
+
=head2 getAuthnContext
Convert configuration string into SAML2 AuthnContextClassRef string
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
@@ -125,7 +125,18 @@
->{samlIDPMetaDataOptionsCheckSSOMessageSignature};
if ($checkSSOMessageSignature) {
- unless ( $self->checkSignatureStatus($login) ) {
+
+ $self->forceSignatureVerification($login);
+
+ if ($artifact) {
+ $result = $self->processArtResponseMsg( $login, $response );
+ }
+ else {
+ $result =
+ $self->processAuthnResponseMsg( $login, $response );
+ }
+
+ unless ($result) {
$self->lmLog( "Signature is not valid", 'error' );
return PE_SAML_SIGNATURE_ERROR;
}
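Review bot: The value returned by `$self->forceSignatureVerification($login)` is discarded, so if setting the FORCE hint fails the response is reprocessed under whatever hint was in effect and a successful parse is then reported as a verified signature. Fail closed instead: `unless ( $self->forceSignatureVerification($login) ) { $self->lmLog( "Unable to force signature verification", 'error' ); return PE_SAML_SIGNATURE_ERROR; }` before the process call (assuming checkLassoError returns false on error, which is outside this hunk). Note also that the log text `Signature is not valid` now fires for any failure of the second processAuthnResponseMsg/processArtResponseMsg pass, not only a bad signature, so the wording may mislead an operator reading the logs. The enclosing function starts and ends outside this hunk.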
@@ -406,7 +417,12 @@
->{samlIDPMetaDataOptionsCheckSLOMessageSignature};
if ($checkSLOMessageSignature) {
- unless ( $self->checkSignatureStatus($logout) ) {
+
+ $self->forceSignatureVerification($logout);
+
+ $result = $self->processLogoutResponseMsg( $logout, $response );
+
+ unless ($result) {
$self->lmLog( "Signature is not valid", 'error' );
return PE_SAML_SIGNATURE_ERROR;
}
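Review bot: The same unchecked call appears here: `$self->forceSignatureVerification($logout)` can fail silently and `processLogoutResponseMsg` would then run with the previous hint, yet its success is treated as a verified signature. Check the hint call before reprocessing, `return PE_SAML_SIGNATURE_ERROR unless $self->forceSignatureVerification($logout);`, again assuming checkLassoError's false-on-error contract defined elsewhere. A one-line comment above the process call, `# Lasso verifies the signature while parsing, so the response must be parsed again under the FORCE hint`, would also explain to the next reader why a message that was presumably already processed is processed a second time. The enclosing function extends beyond the hunk.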
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@@ -150,7 +150,17 @@
->{samlSPMetaDataOptionsCheckSSOMessageSignature};
if ($checkSSOMessageSignature) {
- unless ( $self->checkSignatureStatus($login) ) {
+
+ $self->forceSignatureVerification($login);
+
+ if ($artifact) {
+ $result = $self->processArtResponseMsg( $login, $request );
+ }
+ else {
+ $result = $self->processAuthnRequestMsg( $login, $request );
+ }
+
+ unless ($result) {
$self->lmLog( "Signature is not valid", 'error' );
return PE_SAML_SIGNATURE_ERROR;
}
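Review bot: Nothing in the hunk says why `$request` is handed to processArtResponseMsg/processAuthnRequestMsg here when the old `checkSignatureStatus($login)` call suggests the message had already been processed earlier in this function; a reader will wonder whether the second pass is accidental. Add a comment such as `# Lasso only verifies signatures during processing, so the request is parsed again with the FORCE hint set` above the `if ($artifact)` branch. If the earlier pass lives outside this hunk, as it appears to, it is also worth confirming that re-processing the same Lasso::Login object twice is supported by the library, since that assumption is what the fix rests on.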
@@ -278,7 +288,10 @@
->{samlSPMetaDataOptionsCheckSLOMessageSignature};
if ($checkSLOMessageSignature) {
- unless ( $self->checkSignatureStatus($logout) ) {
+
+ $self->forceSignatureVerification($logout);
+
+ unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
$self->lmLog( "Signature is not valid", 'error' );
$self->sendSLOErrorResponse( $logout, $method );
}
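Review bot: On a failed check the code logs and calls `sendSLOErrorResponse`, but unlike the SSO branches it does not `return`, so unless sendSLOErrorResponse itself ends the request (not visible here) execution continues into the logout handling with an unverified message. Add an explicit return after the call, `$self->sendSLOErrorResponse( $logout, $method ); return PE_SAML_SIGNATURE_ERROR;` (or whatever this function's error convention is). The pre-existing code had the same shape, but now that verification actually happens the fall-through is the difference between rejecting and honoring a forged logout request. The enclosing function starts and ends outside the hunk.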
@@ -1201,7 +1214,17 @@
->{samlSPMetaDataOptionsCheckSSOMessageSignature};
if ($checkSSOMessageSignature) {
- unless ( $self->checkSignatureStatus($login) ) {
+
+ $self->forceSignatureVerification($login);
+
+ if ($artifact) {
+ $result = $self->processArtResponseMsg( $login, $request );
+ }
+ else {
+ $result = $self->processAuthnRequestMsg( $login, $request );
+ }
+
+ unless ($result) {
$self->lmLog( "Signature is not valid", 'error' );
return PE_SAML_SIGNATURE_ERROR;
}
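Review bot: This block is a line-for-line repeat of the one added around line 150 of the same file (force hint, artifact/request dispatch, log, return), and the two copies will drift independently. Extract it into a helper such as `sub checkSSORequestSignature { my ( $self, $login, $artifact, $request ) = splice @_; ... }` that returns a boolean and is called from both sites. Keeping the two paths identical matters more than usual here, since each one is the only thing standing between an unsigned authentication request and a session. The enclosing function starts outside the hunk.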
@@ -1864,7 +1887,10 @@
->{samlSPMetaDataOptionsCheckSLOMessageSignature};
if ($checkSLOMessageSignature) {
- unless ( $self->checkSignatureStatus($logout) ) {
+
+ $self->forceSignatureVerification($logout);
+
+ unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
$self->lmLog( "Signature is not valid", 'error' );
$self->sendSLOErrorResponse( $logout, $method );
}
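Review bot: `$self->forceSignatureVerification($logout)` has its return value dropped, and the failure branch below it calls `sendSLOErrorResponse` without returning, so this SLO path can both skip the forced hint and keep running after a failed check unless sendSLOErrorResponse terminates the request (not visible here). Mirror the SSO branches: `return PE_SAML_SIGNATURE_ERROR unless $self->forceSignatureVerification($logout);` before the process call, and an explicit return after `sendSLOErrorResponse`. This hunk duplicates the one around line 278, so whichever guard is chosen should be applied to both or factored into a shared helper. The enclosing function extends beyond the hunk.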