Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add configuration for denylisted algorithms. #792

Open
wants to merge 2 commits into
base: MOODLE_39_STABLE
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions config/authsources.php
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,13 @@
$config[$saml2auth->spname]['AuthnContextClassRef'] = $saml2auth->config->authncontext;
}

if (!empty($saml2auth->config->denylistedalgorithms)) {
$config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = explode(',', $saml2auth->config->denylistedalgorithms);
} else {
// Support allowing all algorithms, if not set RSA 1.5 is denylisted by default
$config[$saml2auth->spname]['encryption.blacklisted-algorithms'] = [];
}

/*
* If we're configured to expose the nameid as an attribute, set this authproc filter up
* the nameid value appears under the attribute "nameid"
Expand Down
2 changes: 2 additions & 0 deletions lang/en/auth_saml2.php
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@
$string['availableidps'] = 'Select available IdPs';
$string['availableidps_help'] = 'If an IdP metadata xml contains multiple IdP entities, you will need to select which entities are availiable
for users to login with.';
$string['denylistedalgorithms'] = 'Denylisted Encryption Algorithms';
$string['denylistedalgorithms_help'] = 'Allows blocking use of specific encryption algorithms in the SAML communication or allowing RSA 1.5 which is blocked by default because it is insecure.';
$string['blockredirectheading'] = 'Account blocking actions';
$string['attrsimple'] = 'Simplify attributes';
$string['attrsimple_help'] = 'Various IdP\'s such as ADFS use long attribute keys such as urns or namespaced xml schema names. If set to Yes this will simplify these, eg map http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname to such \'givenname\'.';
Expand Down
21 changes: 21 additions & 0 deletions settings.php
Original file line number Diff line number Diff line change
Expand Up @@ -223,6 +223,27 @@
ssl_algorithms::get_default_saml_signature_algorithm(),
ssl_algorithms::get_valid_saml_signature_algorithms()));

$encryptionalgorithms = [
'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' => '3DES CBC',
'http://www.w3.org/2001/04/xmlenc#aes128-cbc' => 'AES-128 CBC',
'http://www.w3.org/2001/04/xmlenc#aes192-cbc' => 'AES-192 CBC',
'http://www.w3.org/2001/04/xmlenc#aes256-cbc' => 'AES-256 CBC',
'http://www.w3.org/2009/xmlenc11#aes128-gcm' => 'AES-128 GCM',
'http://www.w3.org/2009/xmlenc11#aes192-gcm' => 'AES-192 GCM',
'http://www.w3.org/2009/xmlenc11#aes256-gcm' => 'AES-256 GCM',
'http://www.w3.org/2001/04/xmlenc#rsa-1_5' => 'RSA 1.5',
'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' => 'RSA OAEP MGF1P',
'http://www.w3.org/2009/xmlenc11#rsa-oaep' => 'RSA OAEP',
];
$denylistedalgorithmssetting = new admin_setting_configmultiselect(
'auth_saml2/denylistedalgorithms',
get_string('denylistedalgorithms', 'auth_saml2'),
get_string('denylistedalgorithms_help', 'auth_saml2'),
['http://www.w3.org/2001/04/xmlenc#rsa-1_5'],
$encryptionalgorithms
);
$settings->add($denylistedalgorithmssetting);

// Dual Login.
$dualloginoptions = [
saml2_settings::OPTION_DUAL_LOGIN_NO => get_string('no'),
Expand Down