Fixed authn check when https connections are reused.
authorScott Cantor <cantor.2@osu.edu>
Mon, 27 Jun 2005 17:23:02 +0000 (17:23 +0000)
committerScott Cantor <cantor.2@osu.edu>
Mon, 27 Jun 2005 17:23:02 +0000 (17:23 +0000)
shib-target/ArtifactMapper.cpp
shib-target/shib-ccache.cpp
shib/ShibHTTPHook.cpp

index dda1a07..7312498 100644 (file)
@@ -104,6 +104,7 @@ SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request)
 
        SAMLResponse* response = NULL;
        bool authenticated = false;
+    static const XMLCh https[] = {chLatin_h, chLatin_t, chLatin_t, chLatin_p, chLatin_s, chColon, chNull};
 
     // Depends on type of artifact.
     const SAMLArtifactType0001* type1=dynamic_cast<const SAMLArtifactType0001*>(artifact);
@@ -124,7 +125,6 @@ SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request)
                     log.warn("skipping binding on unsupported protocol (%s)", prot.get());
                     continue;
                 }
-                auto_ptr_char loc(ep->getLocation());
                        try {
                            response = binding->send(ep->getLocation(),*request,&callCtx);
                            if (log.isDebugEnabled())
@@ -134,7 +134,7 @@ SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request)
                                delete response;
                                throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
                            }
-                           authenticated = callCtx.isAuthenticated();
+                           authenticated = callCtx.isAuthenticated() && !XMLString::compareNString(ep->getLocation(),https,6);
                        }
                        catch (SAMLException& ex) {
                                annotateException(&ex,idp); // rethrows it
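Review bot: The new `authenticated` expression on the `+` line of this hunk is repeated verbatim in the next hunk of this file and, in negated form, in shib-ccache.cpp, with the `https` literal declared separately at each site; a single shared predicate would keep the three checks from drifting, e.g. `inline bool isHttpsLocation(const XMLCh* loc) { return loc && !XMLString::compareNString(loc, https, 6); }` next to the constant, and then `authenticated = callCtx.isAuthenticated() && isHttpsLocation(ep->getLocation());` at each use. `compareNString` is case-sensitive, so an endpoint configured as `HTTPS://...` is treated as unauthenticated; that fails closed, which is acceptable, but a comment on the check should say so. The replacement line in the next hunk is also indented with a tab where the surrounding lines use spaces. `resolve` begins and ends outside these hunks.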
@@ -173,7 +173,7 @@ SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request)
                                        delete response;
                                        throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
                                    }
-                                   authenticated = callCtx.isAuthenticated();
+                        authenticated = callCtx.isAuthenticated() && !XMLString::compareNString(ep->getLocation(),https,6);
                                }
                                catch (SAMLException& ex) {
                                        annotateException(&ex,idp); // rethrows it
index 463ebc6..72e3082 100644 (file)
@@ -776,12 +776,13 @@ pair<SAMLResponse*,SAMLResponse*> InternalCCacheEntry::getNewResponse()
                     log->warn("skipping binding on unsupported protocol (%s)", prot.get());
                     continue;
                 }
+                static const XMLCh https[] = {chLatin_h, chLatin_t, chLatin_t, chLatin_p, chLatin_s, chColon, chNull};
                 auto_ptr<SAMLResponse> r(binding->send(ep->getLocation(), *(req.get()), &ctx));
                 if (r->isSigned()) {
                        if (!t.validate(*r,AA))
                            throw TrustException("Unable to verify signed response message.");
                 }
-                else if (!ctx.isAuthenticated())
+                else if (!ctx.isAuthenticated() || XMLString::compareNString(ep->getLocation(),https,6))
                        throw TrustException("Response message was unauthenticated.");
                 response = r.release();
             }
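Review bot: The `static const XMLCh https[]` added on the `+` line is declared inside the loop body; a function-local static initialises once so this works, but defining it at file scope (or sharing one definition with ArtifactMapper.cpp, which declares the identical array) reads better and avoids the per-call initialisation guard. Separately, the extended `else if` now throws the same `"Response message was unauthenticated."` for two distinct conditions, the TLS context never being marked authenticated and the endpoint not being an `https:` URL, so a configuration problem (an `http:` endpoint) is indistinguishable in the logs from a transport-level failure. Logging the endpoint before the throw, e.g. `auto_ptr_char loc(ep->getLocation());` followed by `log->error("unsigned response from unauthenticated or non-https endpoint (%s)", loc.get());`, would make triage much easier. `getNewResponse` begins and ends outside this hunk.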
index 29be2da..4663dd2 100644 (file)
@@ -98,7 +98,6 @@ static int verify_callback(X509_STORE_CTX* x509_ctx, void* arg)
     }
     
     // Signal success. Hopefully it doesn't matter what's actually in the structure now.
-    ctx->setAuthenticated();
     return 1;
 }
 
@@ -141,7 +140,12 @@ static bool ssl_ctx_callback(void* ssl_ctx, void* userptr)
             NULL
             );
         SSL_CTX_set_verify_depth(reinterpret_cast<SSL_CTX*>(ssl_ctx),reinterpret_cast<int>(userptr));
+
 #endif
+        // The best we can do is assume authentication succeeds because when libcurl reuses
+        // SSL connections, no callback is made. Since we always authenticate SSL connections,
+        // the caller should check that the protocol is https.
+        ctx->setAuthenticated();
     }
     catch (SAMLException& e) {
         log.error(string("caught a SAML exception while attaching credentials to request: ") + e.what());
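Review bot: `ctx->setAuthenticated()` on the last `+` line of this hunk now runs while the SSL context is being configured, before any handshake, so the flag no longer records a certificate-verification outcome but only that this callback ran, and because it sits after the `#endif` on the preceding line it appears to execute even in a build where the verify setup inside that conditional block is compiled out. The comment explains the libcurl connection-reuse motivation, but the scheme is only sound under two invariants the hunks do not show: every failure path of `verify_callback` (whose success path is the earlier hunk in this file, where the old `setAuthenticated()` call was removed) must return 0 so OpenSSL aborts the handshake, and libcurl must not be able to leave TLS (for example by following a redirect) after this callback has run. Suggest recording the first invariant at the call site, `// INVARIANT: verify_callback must return 0 on any failure; only a completed handshake makes this flag meaningful.`, and moving the call inside the conditional block if the `#endif` above does close the verify setup. `ssl_ctx_callback` begins and ends outside this hunk.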
@@ -153,6 +157,7 @@ static bool ssl_ctx_callback(void* ssl_ctx, void* userptr)
         return false;
     }
 #endif
+    
     return true;
 }