From 8f8abd064bebe3fff0d90450af58a1ce2c9f76ce Mon Sep 17 00:00:00 2001
From: Lars Mikal Rogne
Date: Fri, 24 Nov 2023 15:00:53 +0100
Subject: [PATCH 1/2] Add configuration for blacklisted algorithms.

---
 config/authsources.php | 7 +++++++
 lang/en/auth_saml2.php | 2 ++
 settings.php | 21 +++++++++++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/config/authsources.php b/config/authsources.php
index b1acd3145..958ca913b 100644
--- a/config/authsources.php
+++ b/config/authsources.php
@@ -96,6 +96,13 @@
 $config[$saml2auth->spname]['AuthnContextClassRef'] = $saml2auth->config->authncontext;
 }
 
+if (!empty($saml2auth->config->blacklistedalgorithms)) {
+$config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = explode(',', $saml2auth->config->blacklistedalgorithms);
+} else {
+// Support allowing all algorithms, if not set RSA 1.5 is blacklisted by default
+$config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = [];
+}
+
 /*
 * If we're configured to expose the nameid as an attribute, set this authproc filter up
 * the nameid value appears under the attribute "nameid"
diff --git a/lang/en/auth_saml2.php b/lang/en/auth_saml2.php
index 7c0c420e8..9e9f075d4 100644
--- a/lang/en/auth_saml2.php
+++ b/lang/en/auth_saml2.php
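Review bot: The `else` branch sets `encryption.blacklisted-algorithms` to an empty array whenever the plugin setting is empty, which replaces SimpleSAMLphp's own default denial of RSA 1.5 with "allow everything", and it does so both when an admin deliberately cleared the list and when the value is simply absent (the multiselect default typically only reaches plugin config once the settings page or upgrade settings are saved), so the branch fails open. The comment on that branch, `if not set RSA 1.5 is blacklisted by default`, describes the library default that the very next line removes, so code and comment contradict each other. Safer is to touch the key only when the setting is actually present, dropping empty entries from the exploded list so an explicitly cleared list still means "deny nothing", and otherwise leave the library default in place. Patch 2's rename to `denylistedalgorithms` keeps the same shape, so the same note applies to that hunk.
```php
// Override SimpleSAMLphp's default deny list only when the admin setting exists;
// an absent setting keeps the library default (RSA 1.5 denied) instead of allowing everything.
if (isset($saml2auth->config->blacklistedalgorithms)) {
    $denied = array_filter(
        explode(',', (string) $saml2auth->config->blacklistedalgorithms),
        static fn (string $alg): bool => $alg !== ''
    );
    $config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = array_values($denied);
}
```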
@@ -42,6 +42,8 @@
 $string['availableidps'] = 'Select available IdPs';
 $string['availableidps_help'] = 'If an IdP metadata xml contains multiple IdP entities, you will need to select which entities are availiable for users to login with.';
+$string['blacklistedalgorithms'] = 'Blacklisted Encryption Algorithms';
+$string['blacklistedalgorithms_help'] = 'Allows blocking use of specific encryption algorithms in the SAML communication or allowing RSA 1.5 which is blocked by default because it is insecure.';
 $string['blockredirectheading'] = 'Account blocking actions';
 $string['attrsimple'] = 'Simplify attributes';
 $string['attrsimple_help'] = 'Various IdP\'s such as ADFS use long attribute keys such as urns or namespaced xml schema names. If set to Yes this will simplify these, eg map http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname to such \'givenname\'.';
diff --git a/settings.php b/settings.php
index b1dacf0c3..20c870922 100644
--- a/settings.php
+++ b/settings.php
@@ -223,6 +223,27 @@
 ssl_algorithms::get_default_saml_signature_algorithm(),
 ssl_algorithms::get_valid_saml_signature_algorithms()));
 
+$encryptionalgorithms = [
+'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' => '3DES CBC',
+'http://www.w3.org/2001/04/xmlenc#aes128-cbc' => 'AES-128 CBC',
+'http://www.w3.org/2001/04/xmlenc#aes192-cbc' => 'AES-192 CBC',
+'http://www.w3.org/2001/04/xmlenc#aes256-cbc' => 'AES-256 CBC',
+'http://www.w3.org/2009/xmlenc11#aes128-gcm' => 'AES-128 GCM',
+'http://www.w3.org/2009/xmlenc11#aes192-gcm' => 'AES-192 GCM',
+'http://www.w3.org/2009/xmlenc11#aes256-gcm' => 'AES-256 GCM',
+'http://www.w3.org/2001/04/xmlenc#rsa-1_5' => 'RSA 1.5',
+'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' => 'RSA OAEP MGF1P',
+'http://www.w3.org/2009/xmlenc11#rsa-oaep' => 'RSA OAEP',
+];
+$blacklistedalgorithmssetting = new admin_setting_configmultiselect(
+'auth_saml2/blacklistedalgorithms',
+get_string('blacklistedalgorithms', 'auth_saml2'),
+get_string('blacklistedalgorithms_help', 'auth_saml2'),
+['http://www.w3.org/2001/04/xmlenc#rsa-1_5'],
+$encryptionalgorithms
+);
+$settings->add($blacklistedalgorithmssetting);
+
 // Dual Login.
 $dualloginoptions = [
 saml2_settings::OPTION_DUAL_LOGIN_NO => get_string('no'),

From dc22fd4df8ea5935d06ddc9cc022d5a8849a5e16 Mon Sep 17 00:00:00 2001
From: Lars Mikal Rogne
Date: Fri, 24 Nov 2023 21:06:19 +0100
Subject: [PATCH 2/2] Change to denylist where possible.

---
 config/authsources.php | 6 +++---
 lang/en/auth_saml2.php | 4 ++--
 settings.php | 10 +++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/config/authsources.php b/config/authsources.php
index 958ca913b..114902678 100644
--- a/config/authsources.php
+++ b/config/authsources.php
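Review bot: The encryption algorithm map is an inline literal here, while the signature setting directly above takes its options from `ssl_algorithms::get_valid_saml_signature_algorithms()`; a sibling helper on `ssl_algorithms` (say, one returning the same `$encryptionalgorithms` map) would keep the two settings consistent and give the URI list a single home. The `rsa-1_5` entry passed as the setting's default is only a form default — it typically reaches plugin config when admin settings are saved or upgrade settings run — so consumers must not read an absent value as "deny nothing"; that is raised on the `config/authsources.php` hunk. A one-line comment above the map, e.g. `// Algorithms an admin may deny for SAML encryption; RSA 1.5 is denied by default because it is insecure.`, would tell future readers why the default is what it is and that 3DES-CBC is deliberately left to the admin's choice. The surrounding block, if any, starts and ends outside the hunk.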
@@ -96,10 +96,10 @@
 $config[$saml2auth->spname]['AuthnContextClassRef'] = $saml2auth->config->authncontext;
 }
 
-if (!empty($saml2auth->config->blacklistedalgorithms)) {
-$config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = explode(',', $saml2auth->config->blacklistedalgorithms);
+if (!empty($saml2auth->config->denylistedalgorithms)) {
+$config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = explode(',', $saml2auth->config->denylistedalgorithms);
 } else {
-// Support allowing all algorithms, if not set RSA 1.5 is blacklisted by default
+// Support allowing all algorithms, if not set RSA 1.5 is denylisted by default
 $config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = [];
 }
 
diff --git a/lang/en/auth_saml2.php b/lang/en/auth_saml2.php
index 9e9f075d4..b19634b60 100644
--- a/lang/en/auth_saml2.php
+++ b/lang/en/auth_saml2.php
@@ -42,8 +42,8 @@
 $string['availableidps'] = 'Select available IdPs';
 $string['availableidps_help'] = 'If an IdP metadata xml contains multiple IdP entities, you will need to select which entities are availiable for users to login with.';
-$string['blacklistedalgorithms'] = 'Blacklisted Encryption Algorithms';
-$string['blacklistedalgorithms_help'] = 'Allows blocking use of specific encryption algorithms in the SAML communication or allowing RSA 1.5 which is blocked by default because it is insecure.';
+$string['denylistedalgorithms'] = 'Denylisted Encryption Algorithms';
+$string['denylistedalgorithms_help'] = 'Allows blocking use of specific encryption algorithms in the SAML communication or allowing RSA 1.5 which is blocked by default because it is insecure.';
 $string['blockredirectheading'] = 'Account blocking actions';
 $string['attrsimple'] = 'Simplify attributes';
 $string['attrsimple_help'] = 'Various IdP\'s such as ADFS use long attribute keys such as urns or namespaced xml schema names. If set to Yes this will simplify these, eg map http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname to such \'givenname\'.';
diff --git a/settings.php b/settings.php
index 20c870922..d971a9ec4 100644
--- a/settings.php
+++ b/settings.php
@@ -235,14 +235,14 @@
 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' => 'RSA OAEP MGF1P',
 'http://www.w3.org/2009/xmlenc11#rsa-oaep' => 'RSA OAEP',
 ];
-$blacklistedalgorithmssetting = new admin_setting_configmultiselect(
-'auth_saml2/blacklistedalgorithms',
-get_string('blacklistedalgorithms', 'auth_saml2'),
-get_string('blacklistedalgorithms_help', 'auth_saml2'),
+$denylistedalgorithmssetting = new admin_setting_configmultiselect(
+'auth_saml2/denylistedalgorithms',
+get_string('denylistedalgorithms', 'auth_saml2'),
+get_string('denylistedalgorithms_help', 'auth_saml2'),
 ['http://www.w3.org/2001/04/xmlenc#rsa-1_5'],
 $encryptionalgorithms
 );
-$settings->add($blacklistedalgorithmssetting);
+$settings->add($denylistedalgorithmssetting);
 
 // Dual Login.
 $dualloginoptions = [