From c0e60902a0cab4823323d1dd349666e7eb3781f3 Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Thu, 27 May 2021 13:54:34 -0400
Subject: [PATCH 1/2] fix(saml): don't ignore the signature of messages

See CVE-2021-33054
---
 SoObjects/SOGo/SOGoSAML2Session.m | 1 -
 1 file changed, 1 deletion(-)

diff --git a/SoObjects/SOGo/SOGoSAML2Session.m b/SoObjects/SOGo/SOGoSAML2Session.m
index 96ced1516..c18390e76 100644
--- a/SoObjects/SOGo/SOGoSAML2Session.m
+++ b/SoObjects/SOGo/SOGoSAML2Session.m
@@ -464,7 +464,6 @@ static NSMapTable *serverTable = nil;
 responseData = strdup ([authnResponse UTF8String]);
- lasso_profile_set_signature_verify_hint(lassoLogin, LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
 rc = lasso_login_process_authn_response_msg (lassoLogin, responseData);
 if (rc)
 [NSException raiseSAML2Exception: rc];

From 3d1b365b5d8802291270824fea176ac5e1838bf9 Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Thu, 27 May 2021 13:58:45 -0400
Subject: [PATCH 2/2] fix(saml): fix profile initialization, improve error handling

Fixes #5153
Fixes #5270
---
 SoObjects/SOGo/SOGoSAML2Session.h | 1 -
 SoObjects/SOGo/SOGoSAML2Session.m | 49 ++++++++++++-------------------
 2 files changed, 19 insertions(+), 31 deletions(-)

diff --git a/SoObjects/SOGo/SOGoSAML2Session.h b/SoObjects/SOGo/SOGoSAML2Session.h
index 0592f38e1..abc10fb10 100644
--- a/SoObjects/SOGo/SOGoSAML2Session.h
+++ b/SoObjects/SOGo/SOGoSAML2Session.h
@@ -24,7 +24,6 @@ /* implementation of the SAML2 protocol as required for a client: https://www.oasis-open.org/standards#samlv2.0 */
-#import
 #include

diff --git a/SoObjects/SOGo/SOGoSAML2Session.m b/SoObjects/SOGo/SOGoSAML2Session.m
index c18390e76..0b845d317 100644
--- a/SoObjects/SOGo/SOGoSAML2Session.m
+++ b/SoObjects/SOGo/SOGoSAML2Session.m
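Review bot: Nothing in the remaining code records why the verify hint must stay at lasso's default, so a later change could reintroduce the IGNORE hint unnoticed; add above `rc = lasso_login_process_authn_response_msg (lassoLogin, responseData);` a comment such as `/* Never set LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE here: lasso must verify the signature on the IdP response (CVE-2021-33054). */`. If the linked lasso offers LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE and every configured IdP signs its responses, setting it explicitly would turn the requirement into an enforced check rather than an implied default. Separately, `responseData` is a strdup() buffer that is not freed before `[NSException raiseSAML2Exception: rc];`, so the failure path leaks it unless something outside the hunk frees it; the same lines reappear unchanged in the second patch's hunk at `@@ -464,6 +454,7 @@`. The enclosing method starts and ends outside the hunk.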
@@ -18,25 +18,14 @@ * Boston, MA 02111-1307, USA. */ -#include #include #include #include #include #include -#include - -#import -#import -#import -#import -#import -#import #import -#import #import -#import #import "SOGoCache.h" #import "SOGoSAML2Exceptions.h"
@@ -247,22 +236,24 @@ static NSMapTable *serverTable = nil;
 - (void) _updateDataFromLogin
 {
- LassoSaml2Assertion *saml2Assertion;
 GList *statementList, *attributeList;
- LassoSaml2AttributeStatement *statement;
- LassoSaml2Attribute *attribute;
- LassoSaml2AttributeValue *value;
 LassoMiscTextNode *textNode;
+ LassoNode *lassoNode;
+ LassoSaml2Assertion *saml2Assertion;
+ LassoSaml2Attribute *attribute;
+ LassoSaml2AttributeStatement *statement;
+ LassoSaml2AttributeValue *value;
 LassoSaml2NameID *nameIdentifier;
- SOGoSystemDefaults *sd;
 NSString *loginAttribue;
+ SOGoSystemDefaults *sd;
 gchar *dump;
-
- saml2Assertion = LASSO_SAML2_ASSERTION (lasso_login_get_assertion (lassoLogin));
+
+ lassoNode = lasso_login_get_assertion (lassoLogin); saml2Assertion = LASSO_SAML2_ASSERTION (lassoNode);
 sd = [SOGoSystemDefaults sharedSystemDefaults];
 loginAttribue = [sd SAML2LoginAttribute];
-
+
 if (saml2Assertion)
 {
 /* deduce user login */
@@ -277,6 +268,7 @@ static NSMapTable *serverTable = nil;
 while (!login && attributeList)
 {
 attribute = LASSO_SAML2_ATTRIBUTE (attributeList->data);
+ if (loginAttribue && (strcmp (attribute->Name, [loginAttribue UTF8String]) == 0))
 {
 value = LASSO_SAML2_ATTRIBUTE_VALUE (attribute->AttributeValue->data);
@@ -330,8 +322,7 @@ static NSMapTable *serverTable = nil;
 assertion = nil;
 }
- nameIdentifier
- = LASSO_SAML2_NAME_ID (LASSO_PROFILE (lassoLogin)->nameIdentifier);
+ nameIdentifier = LASSO_SAML2_NAME_ID (LASSO_PROFILE (lassoLogin)->nameIdentifier);
 if (nameIdentifier)
 {
 /* deduce session id */
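Review bot: `saml2Assertion = LASSO_SAML2_ASSERTION (lassoNode);` followed by `if (saml2Assertion)` only guards a NULL return from lasso_login_get_assertion(); the GObject cast macro does not return NULL for a node of another type, it logs a critical and returns the pointer unchanged, so such a node (lasso can hand back a non-SAML2 assertion node, as far as I can tell) would be read through the assertion's fields later in the method. Guard on the type instead, `if (LASSO_IS_SAML2_ASSERTION (lassoNode))`, which also handles NULL, and keep the cast inside that branch. In the next hunk of the same method, `strcmp (attribute->Name, [loginAttribue UTF8String])` will crash if an attribute arrives without a Name; adding `attribute->Name &&` to that condition is cheap. `_updateDataFromLogin` continues past this hunk.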
@@ -344,7 +335,7 @@ static NSMapTable *serverTable = nil;
 - (id) _initWithDump: (NSDictionary *) saml2Dump
 inContext: (WOContext *) context
 {
- // lasso_error_t rc;
+ lasso_error_t rc;
 LassoServer *server;
 LassoProfile *profile;
 const gchar *dump;
@@ -356,10 +347,10 @@ static NSMapTable *serverTable = nil;
 if (saml2Dump)
 {
 profile = LASSO_PROFILE (lassoLogin);
+ ASSIGN (login, [saml2Dump objectForKey: @"login"]);
 ASSIGN (identifier, [saml2Dump objectForKey: @"identifier"]);
 ASSIGN (assertion, [saml2Dump objectForKey: @"assertion"]);
- ASSIGN(identity, [saml2Dump objectForKey: @"identity"]);
 dump = [identity UTF8String];
 if (dump)
@@ -369,11 +360,10 @@ static NSMapTable *serverTable = nil;
 dump = [session UTF8String];
 if (dump)
 lasso_profile_set_session_from_dump (profile, dump);
-
- lasso_login_accept_sso (lassoLogin);
- // if (rc)
- // [NSException raiseSAML2Exception: rc];
- [self _updateDataFromLogin];
+
+ rc = lasso_login_accept_sso (lassoLogin);
+ if (!rc)
+ [self _updateDataFromLogin];
 }
 }
@@ -464,6 +454,7 @@ static NSMapTable *serverTable = nil;
 responseData = strdup ([authnResponse UTF8String]);
+ profile = LASSO_PROFILE (lassoLogin);
 rc = lasso_login_process_authn_response_msg (lassoLogin, responseData);
 if (rc)
 [NSException raiseSAML2Exception: rc];
@@ -479,8 +470,6 @@ static NSMapTable *serverTable = nil;
 [saml2Dump setObject: identifier forKey: @"identifier"];
 [saml2Dump setObject: assertion forKey: @"assertion"];
- profile = LASSO_PROFILE (lassoLogin);
- lasso_session = lasso_profile_get_session (profile);
 if (lasso_session)
 {
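Review bot: A non-zero `rc` from `rc = lasso_login_accept_sso (lassoLogin);` is now dropped without a trace: `_updateDataFromLogin` is skipped, nothing is logged, and the object is still returned as a session whose `login`/`identifier`/`assertion` come from the cached dump but whose lasso state was never accepted. The other lasso calls on this page report failure with `if (rc) [NSException raiseSAML2Exception: rc];`; if raising is deliberately avoided here because a stale dump should just yield an empty session, say so in a comment and at least record the code, e.g. `else [self errorWithFormat: @"lasso_login_accept_sso failed: %d", rc];`. `_initWithDump:inContext:` starts outside this hunk.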