
lemonldap-ng: CVE-2012-6426: SAML messages signatures are not verified



Hi all,

I've prepared the attached patch for the #696329 security bug. It is
ready to be stored in the lemonldap-ng testing package. The stable version is
not vulnerable since SAML exists only in versions >=1.0.

Can you tell me if it's good?

Thanks a lot,
Xavier
Description: Verify SAML signature
 Due to a bad use of the Lasso library, SAML signatures are never checked, even if
 we force the signature check.
 [CVE-2012-6426]
Author: Clément OUDOT <coudot@linagora.com>
Bug: http://jira.ow2.org/browse/LEMONLDAP-570
Bug-Debian: http://bugs.debian.org/696329
Forwarded: yes
Reviewed-By: Xavier Guimard <x.guimard@free.fr>
Last-Update: 2012-12-19

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@@ -2218,6 +2218,21 @@
     return $self->checkLassoError($@);
 }
 
+## @method boolean forceSignatureVerification(Lasso::Profile profile)
+# Modify Lasso signature hint to force signature verification
+# @param profile Lasso profile object
+# @return result
+sub forceSignatureVerification {
+    my ( $self, $profile ) = splice @_;
+
+    eval {
+        Lasso::Profile::set_signature_verify_hint( $profile,
+            Lasso::Constants::PROFILE_SIGNATURE_VERIFY_HINT_FORCE );
+    };
+
+    return $self->checkLassoError($@);
+}
+
 ## @method string getAuthnContext(string context)
 # Convert configuration string into SAML2 AuthnContextClassRef string
 # @param context configuration string
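Review bot: The header comment `# @return result` on the new forceSignatureVerification says nothing about what the value means or that callers must act on it; since the value is whatever `checkLassoError($@)` returns, document it as `# @return true if the hint was set, false (after checkLassoError has logged the Lasso error) otherwise` — confirm the true/false convention against checkLassoError, which is outside the hunk. It is also worth stating in the comment that the hint only takes effect on the next process*Msg call made on the profile, so a caller that sets it after the message has already been processed gains nothing. `my ( $self, $profile ) = splice @_;` empties @_ as a side effect for no visible purpose; unless that is a file-wide convention, `my ( $self, $profile ) = @_;` is the clearer form.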
@@ -3223,6 +3238,10 @@
 
 Modify Lasso signature hint to disable signature verification
 
+=head2 forceSignatureVerification
+
+Modify Lasso signature hint to force signature verification
+
 =head2 getAuthnContext
 
 Convert configuration string into SAML2 AuthnContextClassRef string
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
@@ -125,7 +125,18 @@
               ->{samlIDPMetaDataOptionsCheckSSOMessageSignature};
 
             if ($checkSSOMessageSignature) {
-                unless ( $self->checkSignatureStatus($login) ) {
+
+                $self->forceSignatureVerification($login);
+
+                if ($artifact) {
+                    $result = $self->processArtResponseMsg( $login, $response );
+                }
+                else {
+                    $result =
+                      $self->processAuthnResponseMsg( $login, $response );
+                }
+
+                unless ($result) {
                     $self->lmLog( "Signature is not valid", 'error' );
                     return PE_SAML_SIGNATURE_ERROR;
                 }
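Review bot: The return value of `$self->forceSignatureVerification($login);` just after `if ($checkSSOMessageSignature) {` is discarded, so if setting the hint fails (checkLassoError returning false) the response is still processed with whatever hint was previously in effect and the signature check can be skipped silently — the very condition this patch is meant to close. Fail closed instead: `return PE_SAML_SIGNATURE_ERROR unless $self->forceSignatureVerification($login);`. The same discarded call appears in the SLO hunk of this file (line 406) and in all four hunks of IssuerDBSAML.pm (lines 150, 278, 1201, 1864). Because `$result` is now the outcome of processAuthnResponseMsg/processArtResponseMsg rather than a signature status, a false value may also mean a malformed or otherwise rejected message, so the log line "Signature is not valid" can mislead an operator reading the logs; "Signature check or response processing failed" would be accurate. The enclosing function starts and ends outside the hunk, and `$result` is presumably declared there.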
@@ -406,7 +417,12 @@
               ->{samlIDPMetaDataOptionsCheckSLOMessageSignature};
 
             if ($checkSLOMessageSignature) {
-                unless ( $self->checkSignatureStatus($logout) ) {
+
+                $self->forceSignatureVerification($logout);
+
+                $result = $self->processLogoutResponseMsg( $logout, $response );
+
+                unless ($result) {
                     $self->lmLog( "Signature is not valid", 'error' );
                     return PE_SAML_SIGNATURE_ERROR;
                 }
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@@ -150,7 +150,17 @@
               ->{samlSPMetaDataOptionsCheckSSOMessageSignature};
 
             if ($checkSSOMessageSignature) {
-                unless ( $self->checkSignatureStatus($login) ) {
+
+                $self->forceSignatureVerification($login);
+
+                if ($artifact) {
+                    $result = $self->processArtResponseMsg( $login, $request );
+                }
+                else {
+                    $result = $self->processAuthnRequestMsg( $login, $request );
+                }
+
+                unless ($result) {
                     $self->lmLog( "Signature is not valid", 'error' );
                     return PE_SAML_SIGNATURE_ERROR;
                 }
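Review bot: The eleven lines from `$self->forceSignatureVerification($login);` through `unless ($result) {` are repeated verbatim in the hunk at line 1201 of this file, so any later correction to one copy (for example acting on the result of forceSignatureVerification) has to be made twice and is easy to miss once. A private helper taking `$login`, `$request` and `$artifact`, setting the hint and returning the process*Msg result, would let both sites read `unless ( $self->_processSSORequestWithSignature( $login, $request, $artifact ) ) {`. The duplication looks pre-existing, but this patch grows each copy from one line to eleven. The enclosing function starts and ends outside the hunk.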
@@ -278,7 +288,10 @@
               ->{samlSPMetaDataOptionsCheckSLOMessageSignature};
 
             if ($checkSLOMessageSignature) {
-                unless ( $self->checkSignatureStatus($logout) ) {
+
+                $self->forceSignatureVerification($logout);
+
+                unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
                     $self->lmLog( "Signature is not valid", 'error' );
                     $self->sendSLOErrorResponse( $logout, $method );
                 }
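Review bot: When `$self->processLogoutRequestMsg( $logout, $request )` fails, the block only logs and calls `sendSLOErrorResponse`; no `return` is visible in the hunk, so unless sendSLOErrorResponse itself terminates the request (not determinable from here) execution continues with a logout request whose signature, or whose parsing, was rejected. If it does not terminate, add an explicit return after the call — `return $self->sendSLOErrorResponse( $logout, $method );` if that method yields a PE_ code, otherwise a `return PE_SAML_SIGNATURE_ERROR;` on the following line. The same question applies to the hunk at line 1864. The enclosing function starts and ends outside the hunk.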
@@ -1201,7 +1214,17 @@
               ->{samlSPMetaDataOptionsCheckSSOMessageSignature};
 
             if ($checkSSOMessageSignature) {
-                unless ( $self->checkSignatureStatus($login) ) {
+
+                $self->forceSignatureVerification($login);
+
+                if ($artifact) {
+                    $result = $self->processArtResponseMsg( $login, $request );
+                }
+                else {
+                    $result = $self->processAuthnRequestMsg( $login, $request );
+                }
+
+                unless ($result) {
                     $self->lmLog( "Signature is not valid", 'error' );
                     return PE_SAML_SIGNATURE_ERROR;
                 }
@@ -1864,7 +1887,10 @@
               ->{samlSPMetaDataOptionsCheckSLOMessageSignature};
 
             if ($checkSLOMessageSignature) {
-                unless ( $self->checkSignatureStatus($logout) ) {
+
+                $self->forceSignatureVerification($logout);
+
+                unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
                     $self->lmLog( "Signature is not valid", 'error' );
                     $self->sendSLOErrorResponse( $logout, $method );
                 }
