From: scantor Date: Tue, 31 Jul 2012 04:02:17 +0000 (+0000) Subject: https://issues.shibboleth.net/jira/browse/SSPCPP-486 X-Git-Tag: 2.5.0~17 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fsp.git;a=commitdiff_plain;h=68b468f01f8c00a7437f0876fe1778c369c38102 https://issues.shibboleth.net/jira/browse/SSPCPP-486 git-svn-id: https://svn.shibboleth.net/cpp-sp/branches/REL_2@3741 cb58f699-b61c-0410-a6fe-9272a202ed29 --- diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd index d398e7e..bfdbc7b 100644 --- a/schemas/shibboleth-2.0-native-sp-config.xsd +++ b/schemas/shibboleth-2.0-native-sp-config.xsd @@ -710,7 +710,15 @@ - + + + + + + + + + diff --git a/shibsp/impl/XMLSecurityPolicyProvider.cpp b/shibsp/impl/XMLSecurityPolicyProvider.cpp index 5989916..8c383d6 100644 --- a/shibsp/impl/XMLSecurityPolicyProvider.cpp +++ b/shibsp/impl/XMLSecurityPolicyProvider.cpp @@ -62,7 +62,7 @@ namespace shibsp { class SHIBSP_DLLLOCAL XMLSecurityPolicyProviderImpl { public: - XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log); + XMLSecurityPolicyProviderImpl(const DOMElement*, Category&); ~XMLSecurityPolicyProviderImpl() { if (m_document) m_document->release(); @@ -74,6 +74,7 @@ namespace shibsp { private: DOMDocument* m_document; + bool m_includeDefaultBlacklist; vector m_whitelist,m_blacklist; vector< boost::shared_ptr > m_ruleJanitor; // need this to maintain vector type in API typedef map< string,pair< boost::shared_ptr,vector > > policymap_t; @@ -112,6 +113,9 @@ namespace shibsp { return i->second.second; throw ConfigurationException("Security Policy ($1) not found, check element.", params(1,id)); } + const vector& getDefaultAlgorithmBlacklist() const { + return m_impl->m_includeDefaultBlacklist ? m_defaultBlacklist : m_empty; + } const vector& getAlgorithmBlacklist() const { return m_impl->m_blacklist; } @@ -125,6 +129,7 @@ namespace shibsp { private: scoped_ptr m_impl; + static vector m_empty; }; #if defined (_MSC_VER) @@ -151,6 +156,7 @@ namespace shibsp { static const XMLCh _id[] = UNICODE_LITERAL_2(i,d); static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e); + static const XMLCh includeDefaultBlacklist[] = UNICODE_LITERAL_23(i,n,c,l,u,d,e,D,e,f,a,u,l,t,B,l,a,c,k,l,i,s,t); static const XMLCh AlgorithmBlacklist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,B,l,a,c,k,l,i,s,t); static const XMLCh AlgorithmWhitelist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,W,h,i,t,e,l,i,s,t); static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y); @@ -166,12 +172,20 @@ void SHIBSP_API shibsp::registerSecurityPolicyProviders() SecurityPolicyProvider::SecurityPolicyProvider() { + m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIRSA_MD5); + m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIMD5); + m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIRSA_1_5); } SecurityPolicyProvider::~SecurityPolicyProvider() { } +const vector& SecurityPolicyProvider::getDefaultAlgorithmBlacklist() const +{ + return m_defaultBlacklist; +} + SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy( const Application& application, const xmltooling::QName* role, const char* policyId ) const @@ -181,7 +195,7 @@ SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy( } XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log) - : m_document(nullptr), m_defaultPolicy(m_policyMap.end()) + : m_document(nullptr), m_includeDefaultBlacklist(true), m_defaultPolicy(m_policyMap.end()) { #ifdef _DEBUG xmltooling::NDC ndc("XMLSecurityPolicyProviderImpl"); @@ -192,11 +206,15 @@ XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e const XMLCh* algs = nullptr; const DOMElement* alglist = XMLHelper::getLastChildElement(e, AlgorithmBlacklist); - if (alglist && alglist->hasChildNodes()) { - algs = alglist->getFirstChild()->getNodeValue(); + if (alglist) { + m_includeDefaultBlacklist = XMLHelper::getAttrBool(alglist, true, includeDefaultBlacklist); + if (alglist->hasChildNodes()) { + algs = alglist->getFirstChild()->getNodeValue(); + } } else if ((alglist = XMLHelper::getLastChildElement(e, AlgorithmWhitelist)) && alglist->hasChildNodes()) { algs = alglist->getFirstChild()->getNodeValue(); + m_includeDefaultBlacklist = false; } if (algs) { const XMLCh* token; @@ -276,6 +294,8 @@ XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e throw ConfigurationException("XML SecurityPolicyProvider requires at least one Policy."); } +vector XMLSecurityPolicyProvider::m_empty; + pair XMLSecurityPolicyProvider::load(bool backup) { // Load from source using base class. diff --git a/shibsp/impl/XMLServiceProvider.cpp b/shibsp/impl/XMLServiceProvider.cpp index 1f098a5..de3fb0f 100644 --- a/shibsp/impl/XMLServiceProvider.cpp +++ b/shibsp/impl/XMLServiceProvider.cpp @@ -2097,22 +2097,32 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, XMLConfig* outer, } if (first) { - if (!m_policy->getAlgorithmBlacklist().empty()) { + if (!m_policy->getAlgorithmWhitelist().empty()) { #ifdef SHIBSP_XMLSEC_WHITELISTING - for_each( - m_policy->getAlgorithmBlacklist().begin(), m_policy->getAlgorithmBlacklist().end(), - boost::bind(&XSECPlatformUtils::blacklistAlgorithm, boost::bind(&xstring::c_str, _1)) - ); + for (vector::const_iterator white = m_policy->getAlgorithmWhitelist().begin(); + white != m_policy->getAlgorithmWhitelist().end(); ++white) { + XSECPlatformUtils::whitelistAlgorithm(white->c_str()); + auto_ptr_char whitelog(white->c_str()); + log.info("explicitly whitelisting security algorithm (%s)", whitelog.get()); + } #else log.crit("XML-Security-C library prior to 1.6.0 does not support algorithm white/blacklists"); #endif } - else if (!m_policy->getAlgorithmWhitelist().empty()) { + else if (!m_policy->getDefaultAlgorithmBlacklist().empty() || !m_policy->getAlgorithmBlacklist().empty()) { #ifdef SHIBSP_XMLSEC_WHITELISTING - for_each( - m_policy->getAlgorithmWhitelist().begin(), m_policy->getAlgorithmWhitelist().end(), - boost::bind(&XSECPlatformUtils::whitelistAlgorithm, boost::bind(&xstring::c_str, _1)) - ); + for (vector::const_iterator black = m_policy->getDefaultAlgorithmBlacklist().begin(); + black != m_policy->getDefaultAlgorithmBlacklist().end(); ++black) { + XSECPlatformUtils::blacklistAlgorithm(black->c_str()); + auto_ptr_char blacklog(black->c_str()); + log.info("automatically blacklisting security algorithm (%s)", blacklog.get()); + } + for (vector::const_iterator black = m_policy->getAlgorithmBlacklist().begin(); + black != m_policy->getAlgorithmBlacklist().end(); ++black) { + XSECPlatformUtils::blacklistAlgorithm(black->c_str()); + auto_ptr_char blacklog(black->c_str()); + log.info("explicitly blacklisting security algorithm (%s)", blacklog.get()); + } #else log.crit("XML-Security-C library prior to 1.6.0 does not support algorithm white/blacklists"); #endif diff --git a/shibsp/security/SecurityPolicyProvider.h b/shibsp/security/SecurityPolicyProvider.h index 65f5bdf..3fed8b2 100644 --- a/shibsp/security/SecurityPolicyProvider.h +++ b/shibsp/security/SecurityPolicyProvider.h @@ -57,6 +57,10 @@ namespace shibsp { MAKE_NONCOPYABLE(SecurityPolicyProvider); protected: SecurityPolicyProvider(); + + /** Default algorithms to block in the current release. */ + std::vector m_defaultBlacklist; + public: virtual ~SecurityPolicyProvider(); @@ -77,6 +81,13 @@ namespace shibsp { virtual const std::vector& getPolicyRules(const char* id=nullptr) const=0; /** + * Returns a default/implicit set of XML Signature/Encryption algorithm identifiers to block. + * + * @return an array of algorithm URIs to block + */ + virtual const std::vector& getDefaultAlgorithmBlacklist() const; + + /** * Returns a set of XML Signature/Encryption algorithm identifiers to block. * * @return an array of algorithm URIs to block