gsasl-commit

[SCM] GNU gsasl branch, master, updated. gsasl-1-7-2-12-g79a6296


From: Simon Josefsson
Subject: [SCM] GNU gsasl branch, master, updated. gsasl-1-7-2-12-g79a6296
Date: Tue, 03 Apr 2012 08:25:18 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gsasl".

http://git.savannah.gnu.org/cgit/gsasl.git/commit/?id=79a6296b07dc2c44e6f6ee0dce2399e37bde253f

The branch, master has been updated
       via  79a6296b07dc2c44e6f6ee0dce2399e37bde253f (commit)
       via  5c6f55be1f15664d9290aa844f5daf6c1a604d2c (commit)
       via  8264c0e92f197f15bf30ef26102bbf5eb7877d93 (commit)
      from  2af8ffb4b6739d10734c080a51c136c7c29ae0d5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 79a6296b07dc2c44e6f6ee0dce2399e37bde253f
Author: Simon Josefsson <address@hidden>
Date:   Tue Apr 3 10:24:36 2012 +0200

    Update NEWS.

commit 5c6f55be1f15664d9290aa844f5daf6c1a604d2c
Author: Simon Josefsson <address@hidden>
Date:   Tue Apr 3 10:22:58 2012 +0200

    Update SAML20 implementation to -09.  Use = instead of empty message.

commit 8264c0e92f197f15bf30ef26102bbf5eb7877d93
Author: Simon Josefsson <address@hidden>
Date:   Tue Apr 3 09:55:39 2012 +0200

    Doc fixes.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                |    2 ++
 doc/gsasl.texi      |   29 ++++++++++++++++++++++-------
 lib/NEWS            |    6 +++++-
 lib/saml20/client.c |   23 +++++++++++++----------
 lib/saml20/server.c |   10 ++++++++++
 5 files changed, 52 insertions(+), 18 deletions(-)

diff --git a/NEWS b/NEWS
index 45ce821..a6ced00 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ SASL.  That include the manual, the command line tool, and self 
tests.
 
 * Version 1.7.3 (unreleased) [alpha]
 
+** The SAML20 mechanism has been updated and is now enabled by default.
+
 ** Doc fixes and updates for the callback/property change in the library.
 See lib/NEWS for details.
 
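Review bot: the added entry `+** The SAML20 mechanism has been updated and is now enabled by default.` does not say what the update consists of; lib/NEWS in the same push records it as an update to draft -09 with a wire-format change (the final client response is now "=" instead of the empty string), and since that change affects interoperability with peers implementing the earlier draft, the top-level NEWS entry should name the draft number and the protocol change as well, e.g. `** The SAML20 mechanism was updated to draft -09 and is now enabled by default.`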
diff --git a/doc/gsasl.texi b/doc/gsasl.texi
index 9130aee..d255a90 100644
--- a/doc/gsasl.texi
+++ b/doc/gsasl.texi
@@ -2053,7 +2053,7 @@ XXX: update when implementation has matured
 The SAML20 mechanism makes it possible to use SAML in SASL, in a way
 that offloads the authentication exchange to an external browser.  The
 protocol implemented is as specified in
address@hidden
address@hidden
 
 The mechanism makes use of the following properties:
 @code{GSASL_AUTHZID}, @code{GSASL_SAML20_IDP_IDENTIFIER},
@@ -2077,6 +2077,17 @@ will hopefully complete authentication in the browser.  
The server
 callback @code{GSASL_VALIDATE_SAML20} should check whether the
 authentication attempt was successful.
 
+Note that SAML itself is not implemented by the GNU SASL library.  On
+the client side, no SAML knowledge is needed, it is only required on
+the server side.  Your server application is expected to call a SAML
+library of your choice to generate the AuthRequest and to implement an
+AssertionConsumerService to validate the AuthResponse.  There is an
+example of a SMTP server with SAML 2.0 support distributed with GNU
+SASL in the examples/saml20/ sub-directory that uses the Lasso SAML
+implementation (@url{http://lasso.entrouvert.org/}).  That may be used
+as inspiration for your own implementation.  The @code{gsasl} command
+line client supports SAML20 as a client.
+
 @node OPENID20
 @section The OPENID20 mechanism
 @cindex OpenID
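Review bot: two wording fixes in the new paragraph: "no SAML knowledge is needed, it is only required on the server side" is a comma splice (suggest "no SAML knowledge is needed; it is only required on the server side"), and "a SMTP server" should read "an SMTP server". Since the preceding context says the @code{GSASL_VALIDATE_SAML20} callback "should check whether the authentication attempt was successful", it would also help to state explicitly that the AssertionConsumerService must have validated the AuthResponse before that callback returns success, because the mechanism itself performs no checking of the SAML assertion.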
@@ -2122,12 +2133,16 @@ received some OpenID Simple Registry (SREG) attributes 
from the OpenID
 Identity Provider, it may use the @code{GSASL_OPENID20_OUTCOME_DATA}
 property to send these to the client.
 
-Note that the actual OpenID algorithms are not implemented by the GNU
-SASL library, but is expected to be spun off to external OpenID
-implementations.  There is a complete example of a SMTP server with
-OpenID 2.0 support distributed with GNU SASL in the examples/openid20/
-sub-directory that uses the JanRain PHP5 OpenID implementation.  The
address@hidden command line client supports OPENID20.
+Note that OpenID itself is not implemented by the GNU SASL library.
+On the client side, no OpenID knowledge is required, it is only
+required on the server side.  Your server application is expected to
+use a OpenID library of your choice to generate the redirect URL and
+to implement the Service Provider to validate the response from the
+IdP.  There is a complete example of a SMTP server with OpenID 2.0
+support distributed with GNU SASL in the examples/openid20/
+sub-directory that uses the JanRain PHP5 OpenID implementation.  That
+may be used as inspiration for your own implementation.  The
address@hidden command line client supports OPENID20 as a client.
 
 @c **********************************************************
 @c *****************  Global Functions  *********************
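Review bot: "use a OpenID library" should be "use an OpenID library", and "a SMTP server" should be "an SMTP server". The rest of the rewritten paragraph now mirrors the SAML20 text (client needs no protocol knowledge, server is expected to validate the response from the IdP before reporting success), which is a good consistency improvement over the removed wording.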
diff --git a/lib/NEWS b/lib/NEWS
index 745eb48..0d6dd48 100644
--- a/lib/NEWS
+++ b/lib/NEWS
@@ -4,7 +4,11 @@ See the end for copying conditions.
 
 * Version 1.7.3 (unreleased) [alpha]
 
-** The SAML20 mechanism is now enabled by default.
+** libgsasl: The SAML20 mechanism is now enabled by default.
+
+** libgsasl: The SAML20 mechanism was updated to draft -09.
+There was a minor protocol change, the final client response is now
+"=" instead of the empty string.
 
 ** libgsasl: Unified some of the SAML and OpenID callbacks/properties.
 See API changes below.
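Review bot: "There was a minor protocol change, the final client response is now "=" instead of the empty string." is a comma splice; suggest "There was a minor protocol change: the final client response is now "=" instead of the empty string." It would also help users to note here that the server side now rejects the old empty final response with GSASL_MECHANISM_PARSE_ERROR (the lib/saml20/server.c change in this push), since that is what clients built against the previous draft will run into.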
diff --git a/lib/saml20/client.c b/lib/saml20/client.c
index ec88b06..3580f01 100644
--- a/lib/saml20/client.c
+++ b/lib/saml20/client.c
@@ -72,34 +72,37 @@ _gsasl_saml20_client_step (Gsasl_session * sctx,
     case 0:
       {
        const char *authzid = gsasl_property_get (sctx, GSASL_AUTHZID);
-       const char *p;
+       const char *idp =
+         gsasl_property_get (sctx, GSASL_SAML20_IDP_IDENTIFIER);
 
-       p = gsasl_property_get (sctx, GSASL_SAML20_IDP_IDENTIFIER);
-       if (!p || !*p)
+       if (!idp || !*idp)
          return GSASL_NO_SAML20_IDP_IDENTIFIER;
 
        res = _gsasl_gs2_generate_header (false, 'n', NULL, authzid,
-                                         strlen (p), p,
+                                         strlen (idp), idp,
                                          output, output_len);
        if (res != GSASL_OK)
          return res;
 
        res = GSASL_NEEDS_MORE;
        state->step++;
-       break;
       }
+      break;
 
     case 1:
       {
        gsasl_property_set_raw (sctx, GSASL_REDIRECT_URL, input, input_len);
 
        res = gsasl_callback (NULL, sctx, GSASL_AUTHENTICATE_IN_BROWSER);
-       if (res == GSASL_OK)
-         {
-           *output_len = 0;
-           *output = NULL;
-         }
+       if (res != GSASL_OK)
+         return res;
+
+       *output_len = 1;
+       *output = strdup ("=");
+       if (!*output)
+         return GSASL_MALLOC_ERROR;
 
+       res = GSASL_OK;
        state->step++;
       }
       break;
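Review bot: `strdup` requires `<string.h>`; the file already calls `strlen`, so the header is presumably included, but worth confirming. The early `if (res != GSASL_OK) return res;` in case 1 is an improvement: a failed GSASL_AUTHENTICATE_IN_BROWSER callback no longer advances `state->step` as the removed code did. Moving `break;` outside the brace block in case 0 is cosmetic but now matches case 1. One caveat that deserves a short comment next to `*output = strdup ("=");`: a server implementing the previous draft, which expected the empty string as the final client message (see lib/NEWS), will not accept this response.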
diff --git a/lib/saml20/server.c b/lib/saml20/server.c
index e425a36..2f9469a 100644
--- a/lib/saml20/server.c
+++ b/lib/saml20/server.c
@@ -113,7 +113,17 @@ _gsasl_saml20_server_step (Gsasl_session * sctx,
 
     case 1:
       {
+       if (!(input_len == 1 && *input == '='))
+         return GSASL_MECHANISM_PARSE_ERROR;
+
        res = gsasl_callback (NULL, sctx, GSASL_VALIDATE_SAML20);
+       if (res != GSASL_OK)
+         return res;
+
+       *output = NULL;
+       *output_len = 0;
+
+       res = GSASL_OK;
        state->step++;
        break;
       }
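Review bot: the new check `if (!(input_len == 1 && *input == '='))` only dereferences `input` after `input_len == 1` holds, so a NULL or empty input is handled safely, and validating the message shape before calling `gsasl_callback` means GSASL_VALIDATE_SAML20 is no longer invoked for malformed final messages, which is the right ordering. Rejecting anything other than "=" with GSASL_MECHANISM_PARSE_ERROR does mean clients that still send the empty string (the behaviour of the previous draft, per lib/NEWS) now fail at this step; that is consistent with the draft -09 update but should be called out in the NEWS entries. Setting `*output = NULL; *output_len = 0;` explicitly on the success path is good, as callers otherwise receive whatever the variables held before.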


hooks/post-receive
-- 
GNU gsasl


