simplesamlphp/saml2

Add support for AES-GCM

Skywalker-11 opened this issue ยท 26 comments

simplsamlphp currently does not support AES in GCM mode.

If an IDP uses AES-GCM for encryption of the ssertions eg:

<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  ....
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/> 
   ....

this creates an error in form of the following message on a SP running simplesamlphp:

simplesamlphp: 3  Decryption failed: Could not locate key algorithm in encrypted data.
simplesamlphp: 3  SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
simplesamlphp: 3  Backtrace:
simplesamlphp: 3  1 /opt/simplesamlphp/www/_include.php:17 (SimpleSAML_exception_handler)
simplesamlphp: 3  0  (N/A)
simplesamlphp: 3  Caused by: Exception: Failed to decrypt XML element.
simplesamlphp: 3  Backtrace:
simplesamlphp: 3  7 /opt/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:575 (SAML2\Utils::decryptElement)
simplesamlphp: 3  6 /opt/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/EncryptedAssertion.php:98 (SAML2\EncryptedAssertion::getAssertion)
simplesamlphp: 3  5 /opt/simplesamlphp/modules/saml/lib/Message.php:391 (SimpleSAML\Module\saml\Message::decryptAssertion)
simplesamlphp: 3  4 /opt/simplesamlphp/modules/saml/lib/Message.php:647 (SimpleSAML\Module\saml\Message::processAssertion)
simplesamlphp: 3  3 /opt/simplesamlphp/modules/saml/lib/Message.php:614 (SimpleSAML\Module\saml\Message::processResponse)
simplesamlphp: 3  2 /opt/simplesamlphp/modules/saml/www/sp/saml2-acs.php:134 (require)
simplesamlphp: 3  1 /opt/simplesamlphp/lib/SimpleSAML/Module.php:236 (SimpleSAML\Module::process)
simplesamlphp: 3  0 /opt/simplesamlphp/www/module.php:9 (N/A)

Depending on change in library xmlseclibs (robrichards/xmlseclibs#134)

@Skywalker-11 have you found any alternatives to simplesamlphp or a way to include 3rd party support of aes-gcm for simplesamlphp users?

I am not using simplesaml myself but noticed the error when interacting with 3rd party SPs

AES-GCM is the default in Shibboleth 4.0, so missing support breaks compatibility of SimpleSAMLphp with a growing number of IdPs.

@melanger The issue here is not SimpleSAMLphp, but two dependency-levels down in the xmlseclibs library.. So, unless you can open up a can of crypto-savvy PHP developers, this is really out of our control.

@tvdijen There is an open issue in the library as well, robrichards/xmlseclibs#134, but it seems that the support was actually added in 3.1 https://github.com/robrichards/xmlseclibs/releases/tag/3.1.0

Requires PHP 7.1+, but SimpleSAML already requires 7.2+ on master

I might be mistaken here, but I would say this is just a matter of updating the xmlseclibs dependency, since 3.1.0 implements support for AES-GCM.

I see Shibboleth 4.0 IdPs using http://www.w3.org/2009/xmlenc11#aes128-gcm algorithm for encryption. This is a rising concern as 4.0 went GA in March. IdPs are rolling out v4 to production soon.

If you're using SimpleSAMLphp:

  • On 1.18 you can get this working by running composer require robrichards/xmlseclibs:^3.1.
  • 1.19 will officially include this.

If you're using this library directly:

  • Use v4.1.8 of the libary
s0rin commented

The workaround in SSP 1.18.7 to install manually xmlseclibs 3.1.0 over the existent 3.0.8 didn't work for me, the error "Failed to decrypt XML element" still occur. How to check the xmlseclibs installed version?

You can check the installed version in the composer.lock file
Also, what's your PHP-version? xmlseclibs will not process aes-128-gcm on PHP <7.1

s0rin commented

The PHP version is right:

# php -v
PHP 7.2.33 (cli) (built: Sep  1 2020 05:35:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.33, Copyright (c) 1999-2018, by Zend Technologies

but the xmlseclibs is not:

# cat /var/simplesamlphp/composer.lock | grep xmlseclibs
                "robrichards/xmlseclibs": "^3.0.4",

Note. With the newer SSP 1.18.8 is no change :-(

In conclusion the workaround for 1.18.x to install xmlseclibs with composer manually is not working (maybe some steps are missing, i.e. to edit composer.lock?). I will rather wait for 1.19...

That one's not relevant.. The one I tagged is the one actually installed & packaged...
I'll see if I can run a few tests with aes-gcm encrypted assertions this weekend. and see if I can figure this out..
Reopening this so I won't forget

s0rin commented

I've retested 1.18.8 today and AES-GCM is still not working :-(

That doesn't surprise me, because nothing has changed in SimpleSAMLphp or the saml2 library..
I just need to find the time to work out a test-setup with AES-GCM encrypted assertions so I can reproduce your issue and see what changes we may need to get this working..

Well, the good news is that I can reproduce the issue, but the bad news is that I have no idea how to solve this...

First, there is this bug in xmlseclibs that needs to be taken care of; robrichards/xmlseclibs#213
Then, I found a bug in saml2 that I fixed: 1f0c32f
I then ended up with an algorithm mismatch due to some hardcoded stuff in SSP, which for the test I manually changed to AES-GCM-128: https://github.com/simplesamlphp/simplesamlphp/blob/e4246a2a0286e553f7544e20f0fd246aeea3d5df/modules/saml/lib/Message.php#L336 for the SP and https://github.com/simplesamlphp/simplesamlphp/blob/e4246a2a0286e553f7544e20f0fd246aeea3d5df/modules/saml/lib/IdP/SAML2.php#L1353 for the IDP

After the above I ended up with the following traceback:

Caused by: Exception: Failure decrypting Data (openssl symmetric) - error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
Backtrace:
11 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:472 (RobRichards\XMLSecLibs\XMLSecurityKey::decryptSymmetric)
10 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:612 (RobRichards\XMLSecLibs\XMLSecurityKey::decryptData)
 9 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php:263 (RobRichards\XMLSecLibs\XMLSecEnc::decryptNode)
 8 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:463 (SAML2\Utils::doDecryptElement)
 7 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:498 (SAML2\Utils::decryptElement)
 6 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/simplesamlphp/saml2/src/SAML2/EncryptedAssertion.php:122 (SAML2\EncryptedAssertion::getAssertion)
 5 /apps/installation/simplesamlphp/simplesamlphp-1.19/modules/saml/lib/Message.php:413 (SimpleSAML\Module\saml\Message::decryptAssertion)
 4 /apps/installation/simplesamlphp/simplesamlphp-1.19/modules/saml/lib/Message.php:674 (SimpleSAML\Module\saml\Message::processAssertion)
 3 /apps/installation/simplesamlphp/simplesamlphp-1.19/modules/saml/lib/Message.php:642 (SimpleSAML\Module\saml\Message::processResponse)
 2 /apps/installation/simplesamlphp/simplesamlphp-1.19/modules/saml/www/sp/saml2-acs.php:145 (require)
 1 /apps/installation/simplesamlphp/simplesamlphp-1.19/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
 0 /apps/installation/simplesamlphp/simplesamlphp-1.19/www/module.php:10 (N/A)

OK, I got it working now.. I got off on the wrong foot last night a bit..

You need: robrichards/xmlseclibs#213 and 1f0c32f
And then in SimpleSAMLphp set https://github.com/simplesamlphp/simplesamlphp/blob/e4246a2a0286e553f7544e20f0fd246aeea3d5df/modules/saml/lib/Message.php#L312 to the right algo and you're all set!

I don't think it makes much sense to tag a new saml2-release until xmlseclibs is fixed, so I'm keeping this open and in the meanwhile I can try and work on making the algorithm configurable in SSP. I've also asked Rob for a bugfix release on xmlsec and that's about as much as I can for you do right now

s0rin commented

Retesting with 1.19-rc1 but still not working.

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Failed to decrypt XML element.
Backtrace:
7 vendor/simplesamlphp/saml2/src/SAML2/Utils.php:537 (SAML2\Utils::decryptElement)
6 vendor/simplesamlphp/saml2/src/SAML2/EncryptedAssertion.php:119 (SAML2\EncryptedAssertion::getAssertion)
5 modules/saml/lib/Message.php:413 (SimpleSAML\Module\saml\Message::decryptAssertion)
4 modules/saml/lib/Message.php:674 (SimpleSAML\Module\saml\Message::processAssertion)
3 modules/saml/lib/Message.php:642 (SimpleSAML\Module\saml\Message::processResponse)
2 modules/saml/www/sp/saml2-acs.php:145 (require)
1 lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)

Maybe because 1.19-rc1 is ten days old and I got it working only 9 days ago?
For it to work, you still need the manual changes as I described..

Seems that robrichards/xmlseclibs 3.1.1 includes the needed change:
robrichards/xmlseclibs@3.1.0...3.1.1

And when updating with Composer:
composer update --with-dependencies simplesamlphp/simplesamlphp
it updates robrichards/xmlseclibs to 3.1.1

SimpleSAMLphp also seems to have this change https://github.com/simplesamlphp/simplesamlphp/blob/e4246a2a0286e553f7544e20f0fd246aeea3d5df/modules/saml/lib/Message.php#L312 in https://github.com/simplesamlphp/simplesamlphp/blob/v1.18.8/modules/saml/lib/Message.php#L310.

There's one PR for that which will land in 1.19; simplesamlphp/simplesamlphp#1377

I just got word from my university contact handling the Shibboleth 4:

Changing encryption from GCM (default in Shibboleth 4) to CBC made it work with both:

  • SSP 1.18.6 (we had this before Shibboleth was updated)
  • SSP 1.18.8 (works also with GCM)

I can confirm that SimpleSAMLphp 1.18.8 with updated xmlseclibs to 3.1.1 and updates to EncryptedAssertion.php and Message.php according to #179 (comment) makes it working with an Shibboleth IdP 4.0.1 using AES-GCM encryption.

Looking forward to see AES-GCM support in 1.19 out of the box.

Thanks @JanOppolzer ! There's some discussion on the changes to SSP 1.19, but the next RC should ease all of your problems.