Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apache2-mod_auth_openidc for
openSUSE:Factory checked in at 2022-11-18 15:44:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc"
Fri Nov 18 15:44:22 2022 rev:27 rq:1036637 version:2.4.12.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes
2022-10-18 16:06:49.241212222 +0200
+++
/work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.1597/apache2-mod_auth_openidc.changes
2022-11-18 15:44:26.902803348 +0100
@@ -1,0 +2,29 @@
+Tue Nov 15 16:20:35 UTC 2022 - Michael Ströder <[email protected]>
+
+- update to 2.4.12.1
+ * Features
+ - add option to use ISO-8859-1 encoding for propagated claim values by
+ adding latin1 option to OIDCPassClaimsAs <> latin1; see #957
+ - Note that the encoding - including the existing "base64url" - apply to
+ both header and environment variables as well now
+ * Bugfixes
+ - switch to using apr_generate_random_bytes instead of apr_uuid_get to
+ generate session identifiers so there's no longer a (rather implicit)
+ dependency on a libapr that is compiled against libuuid on Linux
+ platforms; see #431, #603 and #694
+ - fix cache file backend: delete the correct file upon logout; closes #955
+ - fix cleanup of semaphores on graceful restarts; see #522, closes #458
+ - fix OIDCProviderMetadataRefreshInterval since it was interpreted in
+ microseconds instead of the documented and intended seconds; setting in
+ to seconds would effectively turn of caching and pull the configuration
+ document on each request
+ - define APLOG_TRACE1 if it does not exist
+ - correct ap_hook_insert_filter function signature in stub.c, part 3; see
#784
+ - fixed printout of cache mutex errors in cache/common.c
+ - prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create
+ which is apparently required for (some) ARM based builds
+ - fix potential memory leak in proto.c when oidc_util_create_symmetric_key
fails
+ - fix potential memory leak in proto.c when
oidc_proto_validate_access_token
+ fails (at_hash validation)
+
+-------------------------------------------------------------------
Old:
----
mod_auth_openidc-2.4.12.tar.gz
New:
----
mod_auth_openidc-2.4.12.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.OhkrKK/_old 2022-11-18 15:44:27.590806371 +0100
+++ /var/tmp/diff_new_pack.OhkrKK/_new 2022-11-18 15:44:27.594806389 +0100
@@ -17,7 +17,7 @@
Name: apache2-mod_auth_openidc
-Version: 2.4.12
+Version: 2.4.12.1
Release: 0
Summary: Apache2.x module for an OpenID Connect enabled Identity
Provider
License: Apache-2.0
++++++ mod_auth_openidc-2.4.12.tar.gz -> mod_auth_openidc-2.4.12.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/AUTHORS
new/mod_auth_openidc-2.4.12.1/AUTHORS
--- old/mod_auth_openidc-2.4.12/AUTHORS 2022-09-23 11:40:37.000000000 +0200
+++ new/mod_auth_openidc-2.4.12.1/AUTHORS 2022-11-14 15:35:42.000000000
+0100
@@ -84,3 +84,4 @@
smanolache <https://github.com/smanolache>
blackwhiser1 <https://github.com/blackwhiser1>
Ruediger Pluem <https://github.com/rpluem-vf>
+ Nikhil Chaudhari <https://github.com/nvchaudhari1991>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/ChangeLog
new/mod_auth_openidc-2.4.12.1/ChangeLog
--- old/mod_auth_openidc-2.4.12/ChangeLog 2022-10-17 11:00:11.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/ChangeLog 2022-11-15 15:14:21.000000000
+0100
@@ -1,3 +1,45 @@
+11/15/2022
+- release 2.4.12.1
+
+11/13/2022
+- switch to using apr_generate_random_bytes instead of apr_uuid_get to
generate session identifiers
+ so there's no longer a (rather implicit) dependency on a libapr that is
compiled againt libuuid
+ on Linux platforms; see #431, #603 and #694; thanks @amitnarang28
+- cache file backend fix: delete the correct file upon logout; closes #955;
thanks @damisanet
+- bump to 2.4.12.1rc5
+
+11/08/2022
+- add option to use ISO-8859-1 encoding for propagated claim values by adding
+ "latin1" option to OIDCPassClaimsAs <> latin1; see #957; thanks
@nvchaudhari1991
+ Note that the encoding - including the existing "base64url" - apply to both
header and
+ environment variables as well now.
+- bump to 2.4.12.1rc4
+
+10/26/2022
+- OIDCProviderMetadataRefreshInterval was interpreted in microseconds instead
+ of the documented and intended seconds; setting in to seconds would
effectively
+ turn of caching and pull the configuration document on each request
+- bump to 2.4.12.1rc3
+
+10/25/2022
+- define APLOG_TRACE1 if it does not exist
+- bump to 2.4.12.1rc2
+
+10/20/2022
+- CI: add memory and semaphore checks on various distro's
+- correct ap_hook_insert_filter function signature in stub.c, part 3; see #784
+- fix printout of cache mutex errors in cache/common.c
+- prefer APR_LOCK_POSIXSEM over APR_LOCK_DEFAULT in apr_global_mutex_create
+ which is apparently required for (some) ARM based builds (and CI)
+- bump to 2.4.12.1rc1
+- fix potential memory leak in proto.c when oidc_util_create_symmetric_key
fails
+- fix potential memory leak in proto.c when oidc_proto_validate_access_token
fails (at_hash validation)
+
+10/19/2022
+- fix cleanup of semaphores on graceful restarts; see #522, closes #458
+ simplify mutex/shm cleanup without semaphores because we track the parent
process anyway;
+- bump to 2.4.12.1rc0
+
10/17/2022
- release 2.4.12
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/README.md
new/mod_auth_openidc-2.4.12.1/README.md
--- old/mod_auth_openidc-2.4.12/README.md 2022-10-15 10:53:17.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/README.md 2022-11-14 15:35:42.000000000
+0100
@@ -1,14 +1,11 @@
[](https://github.com/zmartzone/mod_auth_openidc/actions/workflows/build.yml)
[<img width="184" height="96" align="right"
src="http://openid.net/wordpress-content/uploads/2016/05/oid-l-certification-mark-l-cmyk-150dpi-90mm.jpg";
alt="OpenID Certification">](https://openid.net/certification)
-[](https://github.com/zmartzone/mod_auth_openidc/actions/workflows/archs.yml)
[](https://github.com/zmartzone/mod_auth_openidc/actions/workflows/codeql-analysis.yml)
-[](https://lgtm.com/projects/g/zmartzone/mod_auth_openidc/context:cpp)
-[](https://lgtm.com/projects/g/zmartzone/mod_auth_openidc/alerts)
mod_auth_openidc
================
-*mod_auth_openidc* is a certified authentication and authorization module for
the Apache 2.x
+*mod_auth_openidc* is an OpenID Certified⢠authentication and authorization
module for the Apache 2.x
HTTP server that implements the OpenID Connect Relying Party functionality.
Overview
@@ -41,7 +38,7 @@
Interoperability
----------------
-*mod_auth_openidc* is [OpenID Connect
certified](https://openid.net/certification/#RPs) and supports the following
specifications:
+*mod_auth_openidc* is [OpenID
Certifiedâ¢](https://openid.net/certification/#RPs) and supports the following
specifications:
- [OpenID Connect Core
1.0](http://openid.net/specs/openid-connect-core-1_0.html) *(Basic, Implicit,
Hybrid and Refresh flows)*
- [OpenID Connect Discovery
1.0](http://openid.net/specs/openid-connect-discovery-1_0.html)
- [OpenID Connect Dynamic Client Registration
1.0](http://openid.net/specs/openid-connect-registration-1_0.html)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/auth_openidc.conf
new/mod_auth_openidc-2.4.12.1/auth_openidc.conf
--- old/mod_auth_openidc-2.4.12/auth_openidc.conf 2022-10-17
10:57:49.000000000 +0200
+++ new/mod_auth_openidc-2.4.12.1/auth_openidc.conf 2022-11-14
15:35:42.000000000 +0100
@@ -800,13 +800,14 @@
# "both": claims/tokens are passed as both headers as well as environment
variables (default)
#
# Since version 2.4.6 one can specify "base64url" as the 2nd argument to apply
base64url encoding to
-# all values passed in headers.
-#
-# When not defined the default is "both" and base64url encoding is not applied
to the header values.
+# all values passed in headers. Since version 2.4.12.1 there's a "latin1"
option as well to apply
+# ISO-8859-1 encoding to all values passed in headers as well as environment
variables, which may
+# result in out of bound characters converted to the "?" character.
+# When not defined the default is "both" and no encoding is applied to the
header/environment values.
#
# The access token is passed in OIDC_access_token; the access token expiry is
passed in OIDC_access_token_expires.
# The refresh token is only passed in OIDC_refresh_token if enabled for that
specific directory/location (see: OIDCPassRefreshToken)
-#OIDCPassClaimsAs [none|headers|environment|both] [base64url]
+#OIDCPassClaimsAs [none|headers|environment|both] [base64url|latin1]
# Specify the HTTP header variable name to set with the name of the
authenticated user,
# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim
or OIDCOAuthRemoteUserClaim.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/configure
new/mod_auth_openidc-2.4.12.1/configure
--- old/mod_auth_openidc-2.4.12/configure 2022-10-17 11:00:18.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/configure 2022-11-15 15:15:33.000000000
+0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.12.
+# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.12.1.
#
# Report bugs to <[email protected]>.
#
@@ -621,8 +621,8 @@
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
-PACKAGE_VERSION='2.4.12'
-PACKAGE_STRING='mod_auth_openidc 2.4.12'
+PACKAGE_VERSION='2.4.12.1'
+PACKAGE_STRING='mod_auth_openidc 2.4.12.1'
PACKAGE_BUGREPORT='[email protected]'
PACKAGE_URL=''
@@ -1407,7 +1407,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures mod_auth_openidc 2.4.12 to adapt to many kinds of
systems.
+\`configure' configures mod_auth_openidc 2.4.12.1 to adapt to many kinds of
systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1479,7 +1479,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of mod_auth_openidc 2.4.12:";;
+ short | recursive ) echo "Configuration of mod_auth_openidc 2.4.12.1:";;
esac
cat <<\_ACEOF
@@ -1621,7 +1621,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-mod_auth_openidc configure 2.4.12
+mod_auth_openidc configure 2.4.12.1
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -1839,7 +1839,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by mod_auth_openidc $as_me 2.4.12, which was
+It was created by mod_auth_openidc $as_me 2.4.12.1, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -2595,7 +2595,7 @@
-NAMEVER=mod_auth_openidc-2.4.12
+NAMEVER=mod_auth_openidc-2.4.12.1
am__api_version='1.16'
@@ -3112,7 +3112,7 @@
# Define the identity of the package.
PACKAGE='mod_auth_openidc'
- VERSION='2.4.12'
+ VERSION='2.4.12.1'
printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -14732,7 +14732,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by mod_auth_openidc $as_me 2.4.12, which was
+This file was extended by mod_auth_openidc $as_me 2.4.12.1, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -14800,7 +14800,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-mod_auth_openidc config.status 2.4.12
+mod_auth_openidc config.status 2.4.12.1
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/configure.ac
new/mod_auth_openidc-2.4.12.1/configure.ac
--- old/mod_auth_openidc-2.4.12/configure.ac 2022-10-17 11:00:06.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/configure.ac 2022-11-15 15:14:28.000000000
+0100
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.12],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.12.1],[[email protected]])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/cache/cache.h
new/mod_auth_openidc-2.4.12.1/src/cache/cache.h
--- old/mod_auth_openidc-2.4.12/src/cache/cache.h 2022-10-15
10:57:42.000000000 +0200
+++ new/mod_auth_openidc-2.4.12.1/src/cache/cache.h 2022-11-14
15:34:36.000000000 +0100
@@ -72,8 +72,6 @@
typedef struct oidc_cache_mutex_t {
apr_global_mutex_t *mutex;
char *mutex_filename;
- apr_shm_t *shm;
- int *sema;
apr_byte_t is_parent;
} oidc_cache_mutex_t;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/cache/common.c
new/mod_auth_openidc-2.4.12.1/src/cache/common.c
--- old/mod_auth_openidc-2.4.12/src/cache/common.c 2022-09-23
11:40:37.000000000 +0200
+++ new/mod_auth_openidc-2.4.12.1/src/cache/common.c 2022-11-13
12:59:47.000000000 +0100
@@ -60,8 +60,6 @@
oidc_cache_mutex_t *ctx = apr_pcalloc(pool, sizeof(oidc_cache_mutex_t));
ctx->mutex = NULL;
ctx->mutex_filename = NULL;
- ctx->shm = NULL;
- ctx->sema = NULL;
ctx->is_parent = TRUE;
return ctx;
}
@@ -71,9 +69,10 @@
/*
* convert a apr status code to a string
*/
-char *oidc_cache_status2str(apr_status_t statcode) {
+char *oidc_cache_status2str(apr_pool_t *p, apr_status_t statcode) {
char buf[OIDC_CACHE_ERROR_STR_MAX];
- return apr_strerror(statcode, buf, OIDC_CACHE_ERROR_STR_MAX);
+ apr_strerror(statcode, buf, OIDC_CACHE_ERROR_STR_MAX);
+ return apr_pstrdup(p, buf);
}
apr_byte_t oidc_cache_mutex_post_config(server_rec *s, oidc_cache_mutex_t *m,
@@ -82,8 +81,6 @@
apr_status_t rv = APR_SUCCESS;
const char *dir;
- // oidc_sdebug(s, "enter: %d (m=%pp,s=%pp, p=%d)", (m && m->sema) ?
*m->sema : -1, m->mutex ? m->mutex : 0, s, m->is_parent);
-
/* construct the mutex filename */
apr_temp_dir_get(&dir, s->process->pool);
m->mutex_filename = apr_psprintf(s->process->pool,
@@ -92,11 +89,16 @@
/* create the mutex lock */
rv = apr_global_mutex_create(&m->mutex, (const char *)
m->mutex_filename,
- APR_LOCK_DEFAULT, s->process->pool);
+#if APR_HAS_POSIXSEM_SERIALIZE
+ APR_LOCK_POSIXSEM,
+#else
+ APR_LOCK_DEFAULT,
+#endif
+ s->process->pool);
if (rv != APR_SUCCESS) {
oidc_serror(s,
"apr_global_mutex_create failed to create mutex
on file %s: %s (%d)",
- m->mutex_filename, oidc_cache_status2str(rv),
rv);
+ m->mutex_filename,
oidc_cache_status2str(s->process->pool, rv), rv);
return FALSE;
}
@@ -110,23 +112,12 @@
if (rv != APR_SUCCESS) {
oidc_serror(s,
"unixd_set_global_mutex_perms failed; could not
set permissions: %s (%d)",
- oidc_cache_status2str(rv), rv);
+ oidc_cache_status2str(s->process->pool, rv),
rv);
return FALSE;
}
#endif
- apr_global_mutex_lock(m->mutex);
-
- rv = apr_shm_create(&m->shm, sizeof(int), NULL, s->process->pool);
- if (rv != APR_SUCCESS) {
- oidc_serror(s, "apr_shm_create failed to create shared memory
segment");
- return FALSE;
- }
-
- m->sema = apr_shm_baseaddr_get(m->shm);
- *m->sema = 1;
-
- apr_global_mutex_unlock(m->mutex);
+ oidc_slog(s, APLOG_TRACE1, "create: %pp (m=%pp,s=%pp, p=%d)", m,
m->mutex ? m->mutex : 0, s, m->is_parent);
return TRUE;
}
@@ -137,7 +128,7 @@
apr_status_t oidc_cache_mutex_child_init(apr_pool_t *p, server_rec *s,
oidc_cache_mutex_t *m) {
- // oidc_sdebug(s, "enter: %d (m=%pp,s=%pp, p=%d)", (m && m->sema) ?
*m->sema : -1, m->mutex ? m->mutex : 0, s, m->is_parent);
+ oidc_slog(s, APLOG_TRACE1, "init: %pp (m=%pp,s=%pp, p=%d)", m, m->mutex
? m->mutex : 0, s, m->is_parent);
if (m->is_parent == FALSE)
return APR_SUCCESS;
@@ -149,16 +140,10 @@
if (rv != APR_SUCCESS) {
oidc_serror(s,
"apr_global_mutex_child_init failed to reopen
mutex on file %s: %s (%d)",
- m->mutex_filename, oidc_cache_status2str(rv),
rv);
- } else {
- apr_global_mutex_lock(m->mutex);
- m->sema = apr_shm_baseaddr_get(m->shm);
- (*m->sema)++;
- apr_global_mutex_unlock(m->mutex);
+ m->mutex_filename, oidc_cache_status2str(p,
rv), rv);
}
m->is_parent = FALSE;
- //oidc_sdebug(s, "semaphore: %d (m=%pp,s=%pp)", *m->sema, m, s);
return rv;
}
@@ -172,7 +157,7 @@
if (rv != APR_SUCCESS)
oidc_serror(s, "apr_global_mutex_lock() failed: %s (%d)",
- oidc_cache_status2str(rv), rv);
+ oidc_cache_status2str(s->process->pool, rv),
rv);
return TRUE;
}
@@ -186,7 +171,7 @@
if (rv != APR_SUCCESS)
oidc_serror(s, "apr_global_mutex_unlock() failed: %s (%d)",
- oidc_cache_status2str(rv), rv);
+ oidc_cache_status2str(s->process->pool, rv),
rv);
return TRUE;
}
@@ -198,35 +183,12 @@
apr_status_t rv = APR_SUCCESS;
- // oidc_sdebug(s, "enter: %d (m=%pp,s=%pp, p=%d)", (m && m->sema) ?
*m->sema : -1, m->mutex ? m->mutex : 0, s, m->is_parent);
-
- if (m->mutex != NULL) {
-
- apr_global_mutex_lock(m->mutex);
- (*m->sema)--;
- //oidc_sdebug(s, "semaphore: %d (m=%pp,s=%pp)", *m->sema,
m->mutex, s);
-
- // oidc_sdebug(s, "processing: %d (m=%pp,s=%pp, p=%d)", (m &&
m->sema) ? *m->sema : -1, m->mutex ? m->mutex : 0, s, m->is_parent);
-
- if ((m->shm != NULL) && (*m->sema == 0) && (m->is_parent ==
TRUE)) {
-
- rv = apr_shm_destroy(m->shm);
- oidc_sdebug(s, "apr_shm_destroy for semaphore returned:
%d", rv);
- m->shm = NULL;
-
- apr_global_mutex_unlock(m->mutex);
-
- rv = apr_global_mutex_destroy(m->mutex);
- oidc_sdebug(s, "apr_global_mutex_destroy returned :%d",
rv);
- m->mutex = NULL;
-
- rv = APR_SUCCESS;
-
- } else {
-
- apr_global_mutex_unlock(m->mutex);
+ oidc_slog(s, APLOG_TRACE1, "init: %pp (m=%pp,s=%pp, p=%d)", m, m->mutex
? m->mutex : 0, s, m->is_parent);
- }
+ if ((m) && (m->is_parent == TRUE) && (m->mutex)) {
+ rv = apr_global_mutex_destroy(m->mutex);
+ oidc_sdebug(s, "apr_global_mutex_destroy returned :%d", rv);
+ m->mutex = NULL;
}
return rv;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/cache/file.c
new/mod_auth_openidc-2.4.12.1/src/cache/file.c
--- old/mod_auth_openidc-2.4.12/src/cache/file.c 2022-09-23
11:40:37.000000000 +0200
+++ new/mod_auth_openidc-2.4.12.1/src/cache/file.c 2022-11-14
15:35:42.000000000 +0100
@@ -392,7 +392,7 @@
/* just remove cache file if value is NULL */
if (value == NULL) {
- if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) {
+ if ((rc = apr_file_remove(target, r->pool)) != APR_SUCCESS) {
oidc_error(r, "could not delete cache file \"%s\"
(%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
}
return TRUE;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/cache/shm.c
new/mod_auth_openidc-2.4.12.1/src/cache/shm.c
--- old/mod_auth_openidc-2.4.12/src/cache/shm.c 2022-09-23 11:40:37.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/src/cache/shm.c 2022-11-13
20:14:59.000000000 +0100
@@ -119,6 +119,8 @@
"initialized shared memory with a cache size (#
entries) of: %d, and a max (single) entry size of: %d",
cfg->cache_shm_size_max, cfg->cache_shm_entry_size_max);
+ oidc_slog(s, APLOG_TRACE1, "create: %pp (shm=%pp,s=%pp, p=%d)",
context, context ? context->shm : 0, s, context ? context->is_parent : -1);
+
return OK;
}
@@ -130,6 +132,10 @@
&auth_openidc_module);
oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *) cfg->cache_cfg;
+ oidc_slog(s, APLOG_TRACE1, "init: %pp (shm=%pp,s=%pp, p=%d)", context,
context ? context->shm : 0, s, context ? context->is_parent : -1);
+
+ if (context->is_parent == FALSE)
+ return APR_SUCCESS;
context->is_parent = FALSE;
/* initialize the lock for the child process */
@@ -330,24 +336,20 @@
oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *) cfg->cache_cfg;
apr_status_t rv = APR_SUCCESS;
- if (context == NULL)
- return rv;
+ oidc_slog(s, APLOG_TRACE1, "destroy: %pp (shm=%pp,s=%pp, p=%d)",
context, context ? context->shm : 0, s, context ? context->is_parent : -1);
- if ((context->is_parent == TRUE) && (context->shm)) {
+ if ((context) && (context->is_parent == TRUE) && (context->shm) &&
(context->mutex)) {
oidc_cache_mutex_lock(s, context->mutex);
- if (*context->mutex->sema == 1) {
- rv = apr_shm_destroy(context->shm);
- oidc_sdebug(s, "apr_shm_destroy returned: %d", rv);
- }
+ rv = apr_shm_destroy(context->shm);
+ oidc_sdebug(s, "apr_shm_destroy returned: %d", rv);
context->shm = NULL;
oidc_cache_mutex_unlock(s, context->mutex);
}
- if (context->mutex == NULL)
- return rv;
-
- oidc_cache_mutex_destroy(s, context->mutex);
- context->mutex = NULL;
+ if ((context) && (context->mutex)) {
+ rv = oidc_cache_mutex_destroy(s, context->mutex);
+ context->mutex = NULL;
+ }
return rv;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/config.c
new/mod_auth_openidc-2.4.12.1/src/config.c
--- old/mod_auth_openidc-2.4.12/src/config.c 2022-10-17 10:57:49.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/src/config.c 2022-11-14 15:35:42.000000000
+0100
@@ -132,7 +132,7 @@
/* default for passing app info in environment variables */
#define OIDC_DEFAULT_PASS_APP_INFO_IN_ENVVARS 1
/* default for passing app info in base64 encoded format */
-#define OIDC_DEFAULT_PASS_APP_INFO_BASE64URL 0
+#define OIDC_DEFAULT_PASS_APP_INFO_HDR_AS 0
/* default value for the token introspection interval (0 = disabled, no expiry
of claims) */
#define OIDC_DEFAULT_TOKEN_INTROSPECTION_INTERVAL 0
/* default action to take on an incoming unauthenticated request */
@@ -291,7 +291,7 @@
apr_array_header_t *strip_cookies;
int pass_info_in_headers;
int pass_info_in_env_vars;
- int pass_info_base64url;
+ int pass_info_as;
int oauth_accept_token_in;
apr_hash_t *oauth_accept_token_options;
int oauth_token_introspect_interval;
@@ -1062,10 +1062,12 @@
if (rv == NULL) {
if (arg2 != NULL) {
if (apr_strnatcmp(arg2, "base64url") == 0) {
- dir_cfg->pass_info_base64url = 1;
+ dir_cfg->pass_info_as =
OIDC_PASS_APP_INFO_AS_BASE64URL;
+ } else if (apr_strnatcmp(arg2, "latin1") == 0) {
+ dir_cfg->pass_info_as =
OIDC_PASS_APP_INFO_AS_LATIN1;
} else {
rv = apr_pstrcat(cmd->temp_pool, "unknown
encoding option \"",
- arg2, "\", only \"base64url\"
is supported", NULL);
+ arg2, "\", only \"base64url\"
or \"latin1\" is supported", NULL);
}
}
}
@@ -2130,7 +2132,7 @@
c->strip_cookies = NULL;
c->pass_info_in_headers = OIDC_CONFIG_POS_INT_UNSET;
c->pass_info_in_env_vars = OIDC_CONFIG_POS_INT_UNSET;
- c->pass_info_base64url = OIDC_CONFIG_POS_INT_UNSET;
+ c->pass_info_as = OIDC_CONFIG_POS_INT_UNSET;
c->oauth_accept_token_in = OIDC_CONFIG_POS_INT_UNSET;
c->oauth_accept_token_options = apr_hash_make(pool);
c->oauth_token_introspect_interval = -2;
@@ -2206,12 +2208,12 @@
return dir_cfg->pass_info_in_env_vars;
}
-apr_byte_t oidc_cfg_dir_pass_info_base64url(request_rec *r) {
+int oidc_cfg_dir_pass_info_encoding(request_rec *r) {
oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
&auth_openidc_module);
- if (dir_cfg->pass_info_base64url == OIDC_CONFIG_POS_INT_UNSET)
- return OIDC_DEFAULT_PASS_APP_INFO_BASE64URL;
- return dir_cfg->pass_info_base64url;
+ if (dir_cfg->pass_info_as == OIDC_CONFIG_POS_INT_UNSET)
+ return OIDC_DEFAULT_PASS_APP_INFO_HDR_AS;
+ return dir_cfg->pass_info_as;
}
apr_byte_t oidc_cfg_dir_pass_refresh_token(request_rec *r) {
@@ -2393,9 +2395,9 @@
c->pass_info_in_env_vars =
add->pass_info_in_env_vars != OIDC_CONFIG_POS_INT_UNSET
?
add->pass_info_in_env_vars :
base->pass_info_in_env_vars;
- c->pass_info_base64url =
- add->pass_info_base64url != OIDC_CONFIG_POS_INT_UNSET ?
- add->pass_info_base64url :
base->pass_info_base64url;
+ c->pass_info_as =
+ add->pass_info_as != OIDC_CONFIG_POS_INT_UNSET ?
+ add->pass_info_as : base->pass_info_as;
c->oauth_accept_token_in =
add->oauth_accept_token_in != OIDC_CONFIG_POS_INT_UNSET
?
add->oauth_accept_token_in :
base->oauth_accept_token_in;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/mod_auth_openidc.c
new/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.4.12/src/mod_auth_openidc.c 2022-10-15
10:53:17.000000000 +0200
+++ new/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.c 2022-11-14
15:36:15.000000000 +0100
@@ -296,7 +296,7 @@
}
oidc_cache_set_provider(r, c->provider.metadata_url, s_json,
- apr_time_now() +
(c->provider_metadata_refresh_interval <= 0 ? apr_time_from_sec(
OIDC_CACHE_PROVIDER_METADATA_EXPIRY_DEFAULT) :
c->provider_metadata_refresh_interval));
+ apr_time_now() +
apr_time_from_sec(c->provider_metadata_refresh_interval <= 0 ?
OIDC_CACHE_PROVIDER_METADATA_EXPIRY_DEFAULT :
c->provider_metadata_refresh_interval));
} else {
@@ -803,7 +803,7 @@
oidc_util_set_app_infos(r, j_claims, oidc_cfg_claim_prefix(r),
cfg->claim_delimiter,
oidc_cfg_dir_pass_info_in_headers(r),
oidc_cfg_dir_pass_info_in_envvars(r),
- oidc_cfg_dir_pass_info_base64url(r));
+ oidc_cfg_dir_pass_info_encoding(r));
/* release resources */
json_decref(j_claims);
@@ -1267,14 +1267,14 @@
apr_byte_t pass_headers = oidc_cfg_dir_pass_info_in_headers(r);
apr_byte_t pass_envvars = oidc_cfg_dir_pass_info_in_envvars(r);
- apr_byte_t pass_base64url = oidc_cfg_dir_pass_info_base64url(r);
+ int pass_hdr_as = oidc_cfg_dir_pass_info_encoding(r);
/* set the refresh_token in the app headers/variables, if enabled for
this location/directory */
const char *refresh_token = oidc_session_get_refresh_token(r, session);
if ((oidc_cfg_dir_pass_refresh_token(r) != 0) && (refresh_token !=
NULL)) {
/* pass it to the app in a header or environment variable */
oidc_util_set_app_info(r, OIDC_APP_INFO_REFRESH_TOKEN,
refresh_token,
- OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_base64url);
+ OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_hdr_as);
}
/* set the access_token in the app headers/variables */
@@ -1282,7 +1282,7 @@
if (access_token != NULL) {
/* pass it to the app in a header or environment variable */
oidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN,
access_token,
- OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_base64url);
+ OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_hdr_as);
}
/* set the expiry timestamp in the app headers/variables */
@@ -1293,7 +1293,7 @@
oidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN_EXP,
access_token_expires,
OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars,
- pass_base64url);
+ pass_hdr_as);
}
/*
@@ -1402,7 +1402,7 @@
char *authn_header = oidc_cfg_dir_authn_header(r);
apr_byte_t pass_headers = oidc_cfg_dir_pass_info_in_headers(r);
apr_byte_t pass_envvars = oidc_cfg_dir_pass_info_in_envvars(r);
- apr_byte_t pass_base64url = oidc_cfg_dir_pass_info_base64url(r);
+ int pass_hdr_as = oidc_cfg_dir_pass_info_encoding(r);
/* verify current cookie domain against issued cookie domain */
if (oidc_check_cookie_domain(r, cfg, session) == FALSE) {
@@ -1455,7 +1455,7 @@
if ((cfg->pass_userinfo_as & OIDC_PASS_USERINFO_AS_JSON_OBJECT)) {
/* pass the userinfo JSON object to the app in a header or
environment variable */
oidc_util_set_app_info(r, OIDC_APP_INFO_USERINFO_JSON, s_claims,
- OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_base64url);
+ OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_hdr_as);
}
if ((cfg->pass_userinfo_as & OIDC_PASS_USERINFO_AS_JWT)) {
@@ -1468,7 +1468,7 @@
oidc_util_set_app_info(r,
OIDC_APP_INFO_USERINFO_JWT,
s_userinfo_jwt,
OIDC_DEFAULT_HEADER_PREFIX,
pass_headers, pass_envvars,
- pass_base64url);
+ pass_hdr_as);
} else {
oidc_debug(r,
"configured to pass userinfo in
a JWT, but no such JWT was found in the session (probably no such JWT was
returned from the userinfo endpoint)");
@@ -1488,7 +1488,7 @@
if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_PAYLOAD)) {
/* pass the id_token JSON object to the app in a header or
environment variable */
oidc_util_set_app_info(r, OIDC_APP_INFO_ID_TOKEN_PAYLOAD,
s_id_token,
- OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_base64url);
+ OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_hdr_as);
}
if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
@@ -1497,7 +1497,7 @@
if (s_id_token) {
/* pass the compact serialized JWT to the app in a
header or environment variable */
oidc_util_set_app_info(r, OIDC_APP_INFO_ID_TOKEN,
s_id_token,
-
OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars, pass_base64url);
+
OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars, pass_hdr_as);
} else {
oidc_warn(r, "id_token was not found in the session so
it cannot be passed on");
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/mod_auth_openidc.h
new/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.h
--- old/mod_auth_openidc-2.4.12/src/mod_auth_openidc.h 2022-10-17
10:57:49.000000000 +0200
+++ new/mod_auth_openidc-2.4.12.1/src/mod_auth_openidc.h 2022-11-14
15:36:15.000000000 +0100
@@ -79,6 +79,10 @@
#define OIDC_DEBUG APLOG_DEBUG
#endif
+#ifndef APLOG_TRACE1
+#define APLOG_TRACE1 APLOG_DEBUG
+#endif
+
#define oidc_log(r, level, fmt, ...) ap_log_rerror(APLOG_MARK, level, 0,
r,"%s: %s", __FUNCTION__, apr_psprintf(r->pool, fmt, ##__VA_ARGS__))
#define oidc_slog(s, level, fmt, ...) ap_log_error(APLOG_MARK, level, 0, s,
"%s: %s", __FUNCTION__, apr_psprintf(s->process->pconf, fmt, ##__VA_ARGS__))
//#define oidc_log(r, level, fmt, ...) fprintf(stderr, "# %s: %s\n",
__FUNCTION__, apr_psprintf(r->pool, fmt, ##__VA_ARGS__))
@@ -150,6 +154,9 @@
/* pass userinfo as a JWT in header (when returned as a JWT) */
#define OIDC_PASS_USERINFO_AS_JWT 4
+#define OIDC_PASS_APP_INFO_AS_BASE64URL 1
+#define OIDC_PASS_APP_INFO_AS_LATIN1 2
+
/* logout on refresh error before expiry */
#define OIDC_LOGOUT_ON_ERROR_REFRESH 1
@@ -703,6 +710,7 @@
apr_byte_t oidc_proto_handle_authorization_response_code(request_rec *r,
oidc_cfg *c, oidc_proto_state_t *proto_state, oidc_provider_t *provider,
apr_table_t *params, const char *response_mode, oidc_jwt_t **jwt);
apr_byte_t oidc_proto_handle_authorization_response_idtoken_token(request_rec
*r, oidc_cfg *c, oidc_proto_state_t *proto_state, oidc_provider_t *provider,
apr_table_t *params, const char *response_mode, oidc_jwt_t **jwt);
apr_byte_t oidc_proto_handle_authorization_response_idtoken(request_rec *r,
oidc_cfg *c, oidc_proto_state_t *proto_state, oidc_provider_t *provider,
apr_table_t *params, const char *response_mode, oidc_jwt_t **jwt);
+apr_byte_t oidc_proto_generate_random_string(request_rec *r, char **output,
int len);
// non-static for test.c
apr_byte_t oidc_proto_validate_access_token(request_rec *r, oidc_provider_t
*provider, oidc_jwt_t *jwt, const char *response_type, const char
*access_token);
@@ -756,7 +764,7 @@
char *oidc_cfg_dir_authn_header(request_rec *r);
apr_byte_t oidc_cfg_dir_pass_info_in_headers(request_rec *r);
apr_byte_t oidc_cfg_dir_pass_info_in_envvars(request_rec *r);
-apr_byte_t oidc_cfg_dir_pass_info_base64url(request_rec *r);
+int oidc_cfg_dir_pass_info_encoding(request_rec *r);
apr_byte_t oidc_cfg_dir_pass_refresh_token(request_rec *r);
apr_byte_t oidc_cfg_dir_accept_token_in(request_rec *r);
char *oidc_cfg_dir_accept_token_in_option(request_rec *r, const char *key);
@@ -816,8 +824,8 @@
apr_byte_t oidc_util_issuer_match(const char *a, const char *b);
int oidc_util_html_send_error(request_rec *r, const char *html_template, const
char *error, const char *description, int status_code);
apr_byte_t oidc_util_json_array_has_value(request_rec *r, json_t *haystack,
const char *needle);
-void oidc_util_set_app_info(request_rec *r, const char *s_key, const char
*s_value, const char *claim_prefix, apr_byte_t as_header, apr_byte_t
as_env_var, apr_byte_t base64url);
-void oidc_util_set_app_infos(request_rec *r, const json_t *j_attrs, const char
*claim_prefix, const char *claim_delimiter, apr_byte_t as_header, apr_byte_t
as_env_var, apr_byte_t base64url);
+void oidc_util_set_app_info(request_rec *r, const char *s_key, const char
*s_value, const char *claim_prefix, apr_byte_t as_header, apr_byte_t
as_env_var, int pass_as);
+void oidc_util_set_app_infos(request_rec *r, const json_t *j_attrs, const char
*claim_prefix, const char *claim_delimiter, apr_byte_t as_header, apr_byte_t
as_env_var, int pass_as);
apr_hash_t *oidc_util_spaced_string_to_hashtable(apr_pool_t *pool, const char
*str);
apr_byte_t oidc_util_spaced_string_equals(apr_pool_t *pool, const char *a,
const char *b);
apr_byte_t oidc_util_spaced_string_contains(apr_pool_t *pool, const char *str,
const char *match);
@@ -911,7 +919,7 @@
// oidc_session.c
typedef struct {
- char uuid[APR_UUID_FORMATTED_LENGTH + 1]; /* unique id */
+ char *uuid; /* unique id */
const char *remote_user; /* user who owns this
particular session */
json_t *state; /* the state for this
session, encoded in a JSON object */
apr_time_t expiry; /* if > 0, the time of expiry
of this session */
@@ -926,6 +934,7 @@
apr_byte_t oidc_session_free(request_rec *r, oidc_session_t *z);
apr_byte_t oidc_session_extract(request_rec *r, oidc_session_t *z);
apr_byte_t oidc_session_load_cache_by_uuid(request_rec *r, oidc_cfg *c, const
char *uuid, oidc_session_t *z);
+void oidc_session_id_new(request_rec *r, oidc_session_t *z);
void oidc_session_set_userinfo_jwt(request_rec *r, oidc_session_t *z, const
char *userinfo_jwt);
const char * oidc_session_get_userinfo_jwt(request_rec *r, oidc_session_t *z);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/oauth.c
new/mod_auth_openidc-2.4.12.1/src/oauth.c
--- old/mod_auth_openidc-2.4.12/src/oauth.c 2022-09-23 11:40:37.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/src/oauth.c 2022-11-14 15:35:42.000000000
+0100
@@ -808,19 +808,19 @@
char *authn_header = oidc_cfg_dir_authn_header(r);
apr_byte_t pass_headers = oidc_cfg_dir_pass_info_in_headers(r);
apr_byte_t pass_envvars = oidc_cfg_dir_pass_info_in_envvars(r);
- apr_byte_t pass_base64url = oidc_cfg_dir_pass_info_base64url(r);
+ int pass_hdr_as = oidc_cfg_dir_pass_info_encoding(r);
if ((r->user != NULL) && (authn_header != NULL))
oidc_util_hdr_in_set(r, authn_header, r->user);
/* set the resolved claims in the HTTP headers for the target
application */
oidc_util_set_app_infos(r, token, oidc_cfg_claim_prefix(r),
- c->claim_delimiter, pass_headers, pass_envvars,
pass_base64url);
+ c->claim_delimiter, pass_headers, pass_envvars,
pass_hdr_as);
/* set the access_token in the app headers */
if (access_token != NULL) {
oidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN,
access_token,
- OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_base64url);
+ OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars, pass_hdr_as);
}
/* free JSON resources */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/proto.c
new/mod_auth_openidc-2.4.12.1/src/proto.c
--- old/mod_auth_openidc-2.4.12/src/proto.c 2022-10-15 10:53:06.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/src/proto.c 2022-11-14 15:36:15.000000000
+0100
@@ -58,9 +58,9 @@
extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
-apr_status_t oidc_proto_generate_random_bytes(request_rec *r,
+static apr_status_t oidc_proto_generate_random_bytes(request_rec *r,
unsigned char *buf, apr_size_t length) {
- apr_status_t rv;
+ apr_status_t rv = APR_SUCCESS;
#ifndef USE_URANDOM
@@ -115,7 +115,7 @@
/*
* generate a random string value value of a specified length
*/
-static apr_byte_t oidc_proto_generate_random_string(request_rec *r,
+apr_byte_t oidc_proto_generate_random_string(request_rec *r,
char **output, int len) {
unsigned char *bytes = apr_pcalloc(r->pool, len);
if (oidc_proto_generate_random_bytes(r, bytes, len) != APR_SUCCESS) {
@@ -1659,8 +1659,11 @@
jwk = NULL;
if (oidc_util_create_symmetric_key(r, provider->client_secret,
0,
- NULL, TRUE, &jwk) == FALSE)
+ NULL, TRUE, &jwk) == FALSE) {
+ oidc_jwt_destroy(*jwt);
+ *jwt = NULL;
return FALSE;
+ }
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval,
provider->ssl_validate_server };
@@ -2899,6 +2902,7 @@
&& (oidc_proto_validate_code(r, provider, *jwt,
response_type, code)
== FALSE)) {
oidc_jwt_destroy(*jwt);
+ *jwt = NULL;
return FALSE;
}
@@ -3070,8 +3074,11 @@
if ((apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN) != NULL)
&& (oidc_proto_validate_access_token(r, provider, *jwt,
response_type,
- apr_table_get(params,
OIDC_PROTO_ACCESS_TOKEN)) == FALSE))
+ apr_table_get(params,
OIDC_PROTO_ACCESS_TOKEN)) == FALSE)) {
+ oidc_jwt_destroy(*jwt);
+ *jwt = NULL;
return FALSE;
+ }
return TRUE;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/session.c
new/mod_auth_openidc-2.4.12.1/src/session.c
--- old/mod_auth_openidc-2.4.12/src/session.c 2022-10-15 10:53:06.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/src/session.c 2022-11-14 15:36:15.000000000
+0100
@@ -89,17 +89,16 @@
/*
* generate a unique identifier for a session
*/
-static void oidc_session_uuid_new(request_rec *r, oidc_session_t *z) {
- apr_uuid_t uuid;
- apr_uuid_get(&uuid);
- apr_uuid_format((char *) &z->uuid, &uuid);
+void oidc_session_id_new(request_rec *r, oidc_session_t *z) {
+ oidc_proto_generate_random_string(r, &z->uuid, 20);
+ //for (char *p = z->uuid ; (p && *p); ++p) *p = tolower(*p);
}
/*
* clear contents of a session
*/
static void oidc_session_clear(request_rec *r, oidc_session_t *z) {
- z->uuid[0] = '\0';
+ z->uuid = NULL;
z->remote_user = NULL;
// NB: don't clear sid
z->expiry = 0;
@@ -120,8 +119,7 @@
if ((rc == TRUE) && (s_json != NULL)) {
rc = oidc_session_decode(r, c, z, s_json, FALSE);
if (rc == TRUE) {
- strncpy(z->uuid, uuid, APR_UUID_FORMATTED_LENGTH);
- z->uuid[APR_UUID_FORMATTED_LENGTH] = '\0';
+ z->uuid = apr_pstrdup(r->pool, uuid);
/* compare the session id in the cache value so it
allows us to detect cache corruption */
oidc_session_get(r, z, OIDC_SESSION_SESSION_ID,
&stored_uuid);
@@ -186,9 +184,9 @@
if (z->state != NULL) {
- if (apr_strnatcmp(z->uuid, "") == 0) {
- /* get a new uuid for this session */
- oidc_session_uuid_new(r, z);
+ if (z->uuid == NULL) {
+ /* get a new id for this session */
+ oidc_session_id_new(r, z);
/* store the session id in the cache value so it allows
us to detect cache corruption */
oidc_session_set(r, z, OIDC_SESSION_SESSION_ID,
z->uuid);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/src/util.c
new/mod_auth_openidc-2.4.12.1/src/util.c
--- old/mod_auth_openidc-2.4.12/src/util.c 2022-10-15 10:53:06.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/src/util.c 2022-11-14 15:36:15.000000000
+0100
@@ -2007,22 +2007,59 @@
return (i == json_array_size(haystack)) ? FALSE : TRUE;
}
+static char* oidc_util_utf8_to_latin1(request_rec *r, const char *src) {
+ char *dst = "";
+ unsigned int cp = 0;
+ unsigned char ch;
+ if (src == NULL)
+ return NULL;
+ while (*src != '\0') {
+ ch = (unsigned char) (*src);
+ if (ch <= 0x7f)
+ cp = ch;
+ else if (ch <= 0xbf)
+ cp = (cp << 6) | (ch & 0x3f);
+ else if (ch <= 0xdf)
+ cp = ch & 0x1f;
+ else if (ch <= 0xef)
+ cp = ch & 0x0f;
+ else
+ cp = ch & 0x07;
+ ++src;
+ if (((*src & 0xc0) != 0x80) && (cp <= 0x10ffff)) {
+ if (cp <= 255) {
+ dst = apr_psprintf(r->pool, "%s%c", dst,
(unsigned char)cp);
+ } else {
+ // no encoding possible
+ dst = apr_psprintf(r->pool, "%s%c", dst, '?');
+ }
+ }
+ }
+ return dst;
+}
+
+
/*
* set a HTTP header and/or environment variable to pass information to the
application
*/
void oidc_util_set_app_info(request_rec *r, const char *s_key,
const char *s_value, const char *claim_prefix, apr_byte_t
as_header,
- apr_byte_t as_env_var, apr_byte_t base64url) {
+ apr_byte_t as_env_var, int pass_as) {
/* construct the header name, cq. put the prefix in front of a
normalized key name */
const char *s_name = apr_psprintf(r->pool, "%s%s", claim_prefix,
oidc_normalize_header_name(r, s_key));
char *d_value = NULL;
- if (as_header) {
- if ((base64url == TRUE) && (s_value != NULL)) {
+ if (s_value != NULL) {
+ if (pass_as == OIDC_PASS_APP_INFO_AS_BASE64URL) {
oidc_base64url_encode(r, &d_value, s_value,
strlen(s_value), TRUE);
+ } else if (pass_as == OIDC_PASS_APP_INFO_AS_LATIN1) {
+ d_value = oidc_util_utf8_to_latin1(r, s_value);
}
+ }
+
+ if (as_header) {
oidc_util_hdr_in_set(r, s_name, (d_value != NULL) ? d_value :
s_value);
}
@@ -2030,9 +2067,9 @@
/* do some logging about this event */
oidc_debug(r, "setting environment variable \"%s: %s\"", s_name,
- s_value);
+ (d_value != NULL) ? d_value : s_value);
- apr_table_set(r->subprocess_env, s_name, s_value);
+ apr_table_set(r->subprocess_env, s_name, (d_value != NULL) ?
d_value : s_value);
}
}
@@ -2041,7 +2078,7 @@
*/
void oidc_util_set_app_infos(request_rec *r, const json_t *j_attrs,
const char *claim_prefix, const char *claim_delimiter,
- apr_byte_t as_header, apr_byte_t as_env_var, apr_byte_t
base64url) {
+ apr_byte_t as_header, apr_byte_t as_env_var, int pass_as) {
char s_int[255];
json_t *j_value = NULL;
@@ -2070,21 +2107,21 @@
/* set the single string in the application header
whose name is based on the key and the prefix */
oidc_util_set_app_info(r, s_key,
json_string_value(j_value),
- claim_prefix, as_header, as_env_var,
base64url);
+ claim_prefix, as_header, as_env_var,
pass_as);
} else if (json_is_boolean(j_value)) {
/* set boolean value in the application header whose
name is based on the key and the prefix */
oidc_util_set_app_info(r, s_key,
(json_is_true(j_value) ? "1" : "0"),
claim_prefix,
- as_header, as_env_var, base64url);
+ as_header, as_env_var, pass_as);
} else if (json_is_integer(j_value)) {
if (sprintf(s_int, "%ld", (long)
json_integer_value(j_value)) > 0) {
/* set long value in the application header
whose name is based on the key and the prefix */
oidc_util_set_app_info(r, s_key, s_int,
claim_prefix, as_header,
- as_env_var, base64url);
+ as_env_var, pass_as);
} else {
oidc_warn(r,
"could not convert JSON number
to string (> 255 characters?), skipping");
@@ -2095,14 +2132,14 @@
/* set float value in the application header whose name
is based on the key and the prefix */
oidc_util_set_app_info(r, s_key,
apr_psprintf(r->pool, "%lf",
json_real_value(j_value)),
- claim_prefix, as_header, as_env_var,
base64url);
+ claim_prefix, as_header, as_env_var,
pass_as);
} else if (json_is_object(j_value)) {
/* set json value in the application header whose name
is based on the key and the prefix */
oidc_util_set_app_info(r, s_key,
oidc_util_encode_json_object(r,
j_value, 0), claim_prefix,
- as_header, as_env_var, base64url);
+ as_header, as_env_var, pass_as);
/* check if it is a multi-value string */
} else if (json_is_array(j_value)) {
@@ -2157,7 +2194,7 @@
/* set the concatenated string */
oidc_util_set_app_info(r, s_key, s_concat,
claim_prefix, as_header,
- as_env_var, base64url);
+ as_env_var, pass_as);
} else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/test/stub.c
new/mod_auth_openidc-2.4.12.1/test/stub.c
--- old/mod_auth_openidc-2.4.12/test/stub.c 2022-09-23 11:40:37.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/test/stub.c 2022-11-13 12:59:47.000000000
+0100
@@ -151,7 +151,8 @@
return 0;
}
-AP_DECLARE(void) ap_hook_insert_filter(struct request_rec *r) {
+AP_DECLARE(void) ap_hook_insert_filter(void (*insert_filter)(request_rec *r),
+ const char *const*aszPre, const char *const*aszSucc, int
nOrder) {
}
AP_DECLARE(void) ap_hook_post_config(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/test/test-cmd.c
new/mod_auth_openidc-2.4.12.1/test/test-cmd.c
--- old/mod_auth_openidc-2.4.12/test/test-cmd.c 2022-10-17 10:57:49.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/test/test-cmd.c 2022-11-14
15:35:42.000000000 +0100
@@ -312,6 +312,7 @@
request->server->process = apr_pcalloc(request->pool,
sizeof(struct process_rec));
request->server->process->pool = request->pool;
+ request->server->process->pconf = request->pool;
request->connection = apr_pcalloc(request->pool, sizeof(struct
conn_rec));
request->connection->local_addr = apr_pcalloc(request->pool,
sizeof(apr_sockaddr_t));
@@ -451,36 +452,33 @@
}
int uuid(int argc, char **argv, apr_pool_t *pool) {
- char s_uuid[APR_UUID_FORMATTED_LENGTH + 1];
const unsigned long e = 1000000;
- unsigned long n = 10000000;
+ unsigned long n = 25000000;
unsigned long i = 0;
+ oidc_session_t z;
if (argc > 2)
n = atoi(argv[2]);
+ request_rec *r = request_setup(pool);
+
apr_hash_t *entries = apr_hash_make(pool);
- apr_uuid_t *uuid;
while (i < n) {
- uuid = (apr_uuid_t *) apr_pcalloc(pool, sizeof(apr_uuid_t));
- apr_uuid_get(uuid);
- if (apr_hash_get(entries, (const void *) uuid,
- sizeof(apr_uuid_t)) != NULL) {
- apr_uuid_format((char *) &s_uuid, uuid);
- fprintf(stderr, "duplicate found: %s\n", s_uuid);
+ z.uuid = NULL;
+ oidc_session_id_new(r, &z);
+ if (apr_hash_get(entries, (const void*) &z.uuid,
APR_HASH_KEY_STRING) != NULL) {
+ fprintf(stderr, "duplicate found: %s\n", z.uuid);
exit(-1);
} else {
- apr_hash_set(entries, (const void *) uuid,
sizeof(apr_uuid_t),
- (const void *) 1);
+ apr_hash_set(entries, (const void*) apr_pstrdup(pool,
z.uuid), APR_HASH_KEY_STRING, (const void*) 1);
}
i++;
if (i % e == 0)
- fprintf(stderr, "\r %lu ", i / e);
+ fprintf(stderr, "\r %lu (%s)", i / e, z.uuid);
}
fprintf(stderr, "\n");
return 0;
}
-
int main(int argc, char **argv, char **env) {
if (argc <= 1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.12/test/test.c
new/mod_auth_openidc-2.4.12.1/test/test.c
--- old/mod_auth_openidc-2.4.12/test/test.c 2022-10-15 10:53:06.000000000
+0200
+++ new/mod_auth_openidc-2.4.12.1/test/test.c 2022-11-14 15:36:15.000000000
+0100
@@ -1467,7 +1467,13 @@
"}"
"},"
- "\"https://test.com/pay\": \"alot\""
+ "\"https://test.com/pay\": \"alot\","
+
+ "\"https://company.com/productAccess\": ["
+ "\"snake2\","
+ "\"snake2ref\","
+ "\"fxt\""
+ "]"
"}";
@@ -1561,6 +1567,11 @@
rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
TST_ASSERT("auth status (17: expression)", rc == AUTHZ_GRANTED);
+ require_args = "Require claim https://company.com/productAccess:snake2";;
+ parsed_require_args->filename = require_args;
+ rc = oidc_authz_worker24(r, json, require_args, parsed_require_args,
oidc_authz_match_claim);
+ TST_ASSERT("auth status (18: key in namespaced array)", rc ==
AUTHZ_GRANTED);
+
json_decref(json);
return 0;
@@ -1708,6 +1719,38 @@
return 0;
}
+static char* test_set_app_infos(request_rec *r) {
+ apr_byte_t rc = FALSE;
+ json_t *claims = NULL;
+
+ rc = oidc_util_decode_json_object(r, "{"
+ "\"simple\":\"hans\","
+ "\"name\": \"GÃnther\","
+ "\"dagger\": \"Dâ gger\""
+ "}", &claims);
+ TST_ASSERT("valid JSON", rc == TRUE);
+
+ oidc_util_set_app_infos(r, claims, "OIDC_CLAIM_", ",", TRUE, FALSE, 0);
+ TST_ASSERT_STR("header plain simple", apr_table_get(r->headers_in,
"OIDC_CLAIM_simple"), "hans");
+ TST_ASSERT_STR("header plain name", apr_table_get(r->headers_in,
"OIDC_CLAIM_name"), "G\u00DCnther");
+ TST_ASSERT_STR("header plain dagger", apr_table_get(r->headers_in,
"OIDC_CLAIM_dagger"), "D\u2020gger");
+
+ oidc_util_set_app_infos(r, claims, "OIDC_CLAIM_", ",", TRUE, FALSE,
OIDC_PASS_APP_INFO_AS_BASE64URL);
+ TST_ASSERT_STR("header base64url simple", apr_table_get(r->headers_in,
"OIDC_CLAIM_simple"), "aGFucw");
+ TST_ASSERT_STR("header base64url name", apr_table_get(r->headers_in,
"OIDC_CLAIM_name"), "R8OcbnRoZXI");
+ TST_ASSERT_STR("header base64url dagger", apr_table_get(r->headers_in,
"OIDC_CLAIM_dagger"), "ROKAoGdnZXI");
+
+ oidc_util_set_app_infos(r, claims, "OIDC_CLAIM_", ",", TRUE, FALSE,
OIDC_PASS_APP_INFO_AS_LATIN1);
+ TST_ASSERT_STR("header latin1 simple", apr_table_get(r->headers_in,
"OIDC_CLAIM_simple"), "hans");
+ TST_ASSERT_STR("header latin1 name", apr_table_get(r->headers_in,
"OIDC_CLAIM_name"), "G\xDCnther");
+ TST_ASSERT_STR("header latin1 dagger", apr_table_get(r->headers_in,
"OIDC_CLAIM_dagger"), "D?gger");
+
+ json_decref(claims);
+
+ return 0;
+}
+
+
static char * all_tests(apr_pool_t *pool, request_rec *r) {
char *message;
TST_RUN(test_public_key_parse, pool);
@@ -1746,6 +1789,7 @@
TST_RUN(test_remote_user, r);
TST_RUN(test_is_auth_capable_request, r);
TST_RUN(test_open_redirect, r);
+ TST_RUN(test_set_app_infos, r);
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
TST_RUN(test_authz_worker, r);
![http://openid.net/wordpress-content/uploads/2016/05/oid-l-certification-mark-l-cmyk-150dpi-90mm.jpg"](http://openid.net/wordpress-content/uploads/2016/05/oid-l-certification-mark-l-cmyk-150dpi-90mm.jpg"){kind=link}
