Package: release.debian.org Severity: important User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package libapache2-mod-auth-openidc New upstream releases 2.1.4 and 2.1.5 are bugfix releases which mainly fix the two security holes CVE-2017-6059 and CVE-2017-6062. See attached debdiff Christoph -- ============================================================================ Christoph Martin, Leiter Unix-Systeme Zentrum für Datenverarbeitung, Uni-Mainz, Germany Anselm Franz von Bentzel-Weg 12, 55128 Mainz Telefon: +49(6131)3926337 Instant-Messaging: Jabber: mar...@jabber.uni-mainz.de (Siehe http://www.zdv.uni-mainz.de/4010.php)
diff -Nru libapache2-mod-auth-openidc-2.1.3/AUTHORS
libapache2-mod-auth-openidc-2.1.5/AUTHORS
--- libapache2-mod-auth-openidc-2.1.3/AUTHORS 2016-10-27 16:23:12.000000000
+0200
+++ libapache2-mod-auth-openidc-2.1.5/AUTHORS 2017-01-30 20:26:39.000000000
+0100
@@ -31,3 +31,5 @@
Andy Curtis <https://github.com/asc1>
solsson <https://github.com/solsson>
drdivano <https://github.com/drdivano>
+ AliceWonderMiscreations <https://github.com/AliceWonderMiscreations>
+ Wouter Hund <https://github.com/wouterhund>
diff -Nru libapache2-mod-auth-openidc-2.1.3/ChangeLog
libapache2-mod-auth-openidc-2.1.5/ChangeLog
--- libapache2-mod-auth-openidc-2.1.3/ChangeLog 2016-12-13 18:25:06.000000000
+0100
+++ libapache2-mod-auth-openidc-2.1.5/ChangeLog 2017-01-30 20:06:45.000000000
+0100
@@ -1,3 +1,33 @@
+01/30/2017
+- security fix: scrub headers when `OIDCUnAuthAction pass` is used for an
unauthenticated user
+- release 2.1.5
+
+01/29/2017
+- fix error message about passing id_token with session type client-cookie;
mentioned in #220
+- bump to 2.1.5rc0
+
+01/25/2017
+- release 2.1.4
+
+01/18/2017
+- don't echo the query parameters on the error page when an invalid request is
made to the Redirect URI; closes #212; thanks @LukasReschke
+
+01/14/2017
+- use dynamic memory buffer for writing HTTP call responses; solves
curl/mpm-event interference; see #207
+- bump to 2.1.4rc1
+
+01/10/2017
+- don't crash when data is POST-ed to the redirect URL, it has just 1 POST
parameter and it is not "response_mode"
+
+01/2/2017
+- remove trailing linebreaks from input in test-cmd tool
+- bump copyright year to 2017
+
+12/14/2016
+- support Libre SSL, see #205, thanks @AliceWonderMiscreations
+- update OIDC logout support to Front-Channel Logout 1.0 draft 01:
http://openid.net/specs/openid-connect-frontchannel-1_0.html
+- bump to 2.1.4rc0
+
12/13/2016
- release 2.1.3
diff -Nru libapache2-mod-auth-openidc-2.1.3/configure
libapache2-mod-auth-openidc-2.1.5/configure
--- libapache2-mod-auth-openidc-2.1.3/configure 2016-12-13 18:25:23.000000000
+0100
+++ libapache2-mod-auth-openidc-2.1.5/configure 2017-01-30 20:28:17.000000000
+0100
@@ -1,8 +1,8 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.3.
+# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.5.
#
-# Report bugs to <hzandb...@pingidentity.com>.
+# Report bugs to <hans.zandb...@zmartzone.eu>.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -266,7 +266,7 @@
$as_echo "$0: be upgraded to zsh 4.3.4 or later."
else
$as_echo "$0: Please tell bug-autoc...@gnu.org and
-$0: hzandb...@pingidentity.com about your system, including
+$0: hans.zandb...@zmartzone.eu about your system, including
$0: any error possibly output before this message. Then
$0: install a modern shell, or manually run the script
$0: under such a shell if you do have one."
@@ -579,9 +579,9 @@
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
-PACKAGE_VERSION='2.1.3'
-PACKAGE_STRING='mod_auth_openidc 2.1.3'
-PACKAGE_BUGREPORT='hzandb...@pingidentity.com'
+PACKAGE_VERSION='2.1.5'
+PACKAGE_STRING='mod_auth_openidc 2.1.5'
+PACKAGE_BUGREPORT='hans.zandb...@zmartzone.eu'
PACKAGE_URL=''
ac_subst_vars='LTLIBOBJS
@@ -626,7 +626,6 @@
docdir
oldincludedir
includedir
-runstatedir
localstatedir
sharedstatedir
sysconfdir
@@ -711,7 +710,6 @@
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -964,15 +962,6 @@
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
- -runstatedir | --runstatedir | --runstatedi | --runstated \
- | --runstate | --runstat | --runsta | --runst | --runs \
- | --run | --ru | --r)
- ac_prev=runstatedir ;;
- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
- | --run=* | --ru=* | --r=*)
- runstatedir=$ac_optarg ;;
-
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1110,7 +1099,7 @@
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir runstatedir
+ libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@@ -1223,7 +1212,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures mod_auth_openidc 2.1.3 to adapt to many kinds of
systems.
+\`configure' configures mod_auth_openidc 2.1.5 to adapt to many kinds of
systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1263,7 +1252,6 @@
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -1286,7 +1274,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of mod_auth_openidc 2.1.3:";;
+ short | recursive ) echo "Configuration of mod_auth_openidc 2.1.5:";;
esac
cat <<\_ACEOF
@@ -1328,7 +1316,7 @@
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
-Report bugs to <hzandb...@pingidentity.com>.
+Report bugs to <hans.zandb...@zmartzone.eu>.
_ACEOF
ac_status=$?
fi
@@ -1391,7 +1379,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-mod_auth_openidc configure 2.1.3
+mod_auth_openidc configure 2.1.5
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1408,7 +1396,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by mod_auth_openidc $as_me 2.1.3, which was
+It was created by mod_auth_openidc $as_me 2.1.5, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -1757,7 +1745,7 @@
-NAMEVER=mod_auth_openidc-2.1.3
+NAMEVER=mod_auth_openidc-2.1.5
# This section defines the --with-apxs2 option.
@@ -3276,7 +3264,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by mod_auth_openidc $as_me 2.1.3, which was
+This file was extended by mod_auth_openidc $as_me 2.1.5, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -3323,13 +3311,13 @@
Configuration files:
$config_files
-Report bugs to <hzandb...@pingidentity.com>."
+Report bugs to <hans.zandb...@zmartzone.eu>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //;
s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-mod_auth_openidc config.status 2.1.3
+mod_auth_openidc config.status 2.1.5
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru libapache2-mod-auth-openidc-2.1.3/configure.ac
libapache2-mod-auth-openidc-2.1.5/configure.ac
--- libapache2-mod-auth-openidc-2.1.3/configure.ac 2016-12-13
18:25:06.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/configure.ac 2017-01-30
20:05:16.000000000 +0100
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.1.3],[hzandb...@pingidentity.com])
+AC_INIT([mod_auth_openidc],[2.1.5],[hans.zandb...@zmartzone.eu])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -Nru libapache2-mod-auth-openidc-2.1.3/debian/changelog
libapache2-mod-auth-openidc-2.1.5/debian/changelog
--- libapache2-mod-auth-openidc-2.1.3/debian/changelog 2017-01-13
15:52:26.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/debian/changelog 2017-02-06
10:56:03.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-auth-openidc (2.1.5-1) unstable; urgency=high
+
+ * Imported Upstream version 2.1.5
+ fixes two security issues:
+ https://github.com/pingidentity/mod_auth_openidc/issues/212
+ https://github.com/pingidentity/mod_auth_openidc/issues/222
+
+ -- Christoph Martin <mar...@uni-mainz.de> Mon, 06 Feb 2017 10:56:03 +0100
+
libapache2-mod-auth-openidc (2.1.3-1) unstable; urgency=medium
* Fix watch file
diff -Nru libapache2-mod-auth-openidc-2.1.3/DISCLAIMER
libapache2-mod-auth-openidc-2.1.5/DISCLAIMER
--- libapache2-mod-auth-openidc-2.1.3/DISCLAIMER 2016-01-08
21:50:18.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/DISCLAIMER 2017-01-28
14:28:49.000000000 +0100
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2014-2016 Ping Identity Corporation
+ * Copyright (C) 2014-2017 Ping Identity Corporation
* All rights reserved.
*
* Ping Identity Corporation
diff -Nru libapache2-mod-auth-openidc-2.1.3/README.md
libapache2-mod-auth-openidc-2.1.5/README.md
--- libapache2-mod-auth-openidc-2.1.3/README.md 2016-11-19 13:46:48.000000000
+0100
+++ libapache2-mod-auth-openidc-2.1.5/README.md 2017-01-28 14:28:49.000000000
+0100
@@ -271,13 +271,16 @@
There is a Google Group/mailing list at:
[mod_auth_open...@googlegroups.com](mailto:mod_auth_open...@googlegroups.com)
The corresponding forum/archive is at:
- https://groups.google.com/forum/#!forum/mod_auth_openidc
+ https://groups.google.com/forum/#!forum/mod_auth_openidc
+For commercial support and consultancy you can contact:
+ [i...@zmartzone.eu](mailto:i...@zmartzone.eu)
+
+Any questions/issues should go to the mailing list, the Github issues tracker
or the
+primary author [hans.zandb...@zmartzone.eu](mailto:hans.zandb...@zmartzone.eu)
Disclaimer
----------
*This software is open sourced by Ping Identity but not supported commercially
-as such. Any questions/issues should go to the mailing list, the Github issues
-tracker or the author
[hzandb...@pingidentity.com](mailto:hzandb...@pingidentity.com)
-directly See also the DISCLAIMER file in this directory.*
-
+by Ping Identity, see also the DISCLAIMER file in this directory. For
commercial support
+you can contact [ZmartZone IAM](https://www.zmartzone.eu) as described above.*
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/authz.c
libapache2-mod-auth-openidc-2.1.5/src/authz.c
--- libapache2-mod-auth-openidc-2.1.3/src/authz.c 2016-09-05
22:16:39.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/authz.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* mostly copied from mod_auth_cas
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <http_core.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/cache.h
libapache2-mod-auth-openidc-2.1.5/src/cache/cache.h
--- libapache2-mod-auth-openidc-2.1.3/src/cache/cache.h 2016-09-09
16:18:11.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/cache.h 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* mem_cache-like interface and semantics (string keys/values) using a storage
backend
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#ifndef _MOD_AUTH_OPENIDC_CACHE_H_
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/file.c
libapache2-mod-auth-openidc-2.1.5/src/cache/file.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/file.c 2016-10-27
16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/file.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* caching using a file storage backend
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <apr_hash.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/lock.c
libapache2-mod-auth-openidc-2.1.5/src/cache/lock.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/lock.c 2016-01-08
21:50:18.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/lock.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* global lock implementation
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#ifndef WIN32
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/memcache.c
libapache2-mod-auth-openidc-2.1.5/src/cache/memcache.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/memcache.c 2016-11-09
19:14:02.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/memcache.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* caching using a memcache backend
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include "apr_general.h"
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/redis.c
libapache2-mod-auth-openidc-2.1.5/src/cache/redis.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/redis.c 2016-09-09
16:18:11.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/redis.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* caching using a Redis backend
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include "apr_general.h"
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/shm.c
libapache2-mod-auth-openidc-2.1.5/src/cache/shm.c
--- libapache2-mod-auth-openidc-2.1.3/src/cache/shm.c 2016-09-09
16:18:11.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/cache/shm.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -48,7 +48,7 @@
* caching using a shared memory backend, FIFO-style
* based on mod_auth_mellon code
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <httpd.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/config.c
libapache2-mod-auth-openidc-2.1.5/src/config.c
--- libapache2-mod-auth-openidc-2.1.3/src/config.c 2016-10-27
16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/config.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <apr.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/jose.c
libapache2-mod-auth-openidc-2.1.5/src/jose.c
--- libapache2-mod-auth-openidc-2.1.3/src/jose.c 2016-10-27
16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/jose.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* JSON Web Token handling
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <apr_base64.h>
@@ -1061,7 +1061,7 @@
}
const BIGNUM *rsa_n, *rsa_e, *rsa_d;
-#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined (LIBRESSL_VERSION_NUMBER)
RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
#else
rsa_n = rsa->n;
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/jose.h
libapache2-mod-auth-openidc-2.1.5/src/jose.h
--- libapache2-mod-auth-openidc-2.1.3/src/jose.h 2016-10-27
16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/jose.h 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* JSON Object Signing and Encryption
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_JOSE_H_
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/metadata.c
libapache2-mod-auth-openidc-2.1.5/src/metadata.c
--- libapache2-mod-auth-openidc-2.1.3/src/metadata.c 2016-10-27
16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/metadata.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* OpenID Connect metadata handling routines, for both OP discovery and client
registration
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <apr_hash.h>
@@ -535,7 +535,7 @@
json_object_set_new(data, "initiate_login_uri",
json_string(cfg->redirect_uri));
- json_object_set_new(data, "logout_uri",
+ json_object_set_new(data, "frontchannel_logout_uri",
json_string(apr_psprintf(r->pool, "%s?logout=%s",
cfg->redirect_uri,
OIDC_GET_STYLE_LOGOUT_PARAM_VALUE)));
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.c
libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.c
--- libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.c 2016-11-09
19:14:02.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.c 2017-01-30
20:01:47.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -51,7 +51,7 @@
* Other code copied/borrowed/adapted:
* shared memory caching: mod_auth_mellon
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*
**************************************************************************/
@@ -130,6 +130,30 @@
}
/*
+ * scrub all mod_auth_openidc related headers
+ */
+static void oidc_scrub_headers(request_rec *r) {
+ oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
+ &auth_openidc_module);
+
+ if (cfg->scrub_request_headers != 0) {
+
+ /* scrub all headers starting with OIDC_ first */
+ oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
+ oidc_cfg_dir_authn_header(r));
+
+ /*
+ * then see if the claim headers need to be removed on top of
that
+ * (i.e. the prefix does not start with the default OIDC_)
+ */
+ if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
+ != cfg->claim_prefix)) {
+ oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
+ }
+ }
+}
+
+/*
* strip the session cookie from the headers sent to the application/backend
*/
static void oidc_strip_cookies(request_rec *r) {
@@ -1260,21 +1284,7 @@
* we're going to pass the information that we have to the application,
* but first we need to scrub the headers that we're going to use for
security reasons
*/
- if (cfg->scrub_request_headers != 0) {
-
- /* scrub all headers starting with OIDC_ first */
- oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
- oidc_cfg_dir_authn_header(r));
-
- /*
- * then see if the claim headers need to be removed on top of
that
- * (i.e. the prefix does not start with the default OIDC_)
- */
- if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
- != cfg->claim_prefix)) {
- oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
- }
- }
+ oidc_scrub_headers(r);
/* set the user authentication HTTP header if set and required */
if ((r->user != NULL) && (authn_header != NULL))
@@ -1302,18 +1312,18 @@
OIDC_DEFAULT_HEADER_PREFIX, pass_headers,
pass_envvars);
}
- if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {
- if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
+ if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
+ if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {
const char *s_id_token = NULL;
/* get the compact serialized JWT from the session */
oidc_session_get(r, session, OIDC_IDTOKEN_SESSION_KEY,
&s_id_token);
/* pass the compact serialized JWT to the app in a
header or environment variable */
oidc_util_set_app_info(r, "id_token", s_id_token,
OIDC_DEFAULT_HEADER_PREFIX,
pass_headers, pass_envvars);
+ } else {
+ oidc_error(r,
+ "session type \"client-cookie\" does
not allow storing/passing the id_token; use \"OIDCSessionType server-cache\"
for that");
}
- } else {
- oidc_error(r,
- "session type \"client-cookie\" does not allow
storing/passing the id_token; use \"OIDCSessionType server-cache\" for that");
}
/* set the refresh_token in the app headers/variables, if enabled for
this location/directory */
@@ -1846,6 +1856,7 @@
/* see if we've got any POST-ed data at all */
if ((apr_table_elts(params)->nelts < 1)
|| ((apr_table_elts(params)->nelts == 1)
+ && apr_table_get(params,
"response_mode")
&& (apr_strnatcmp(apr_table_get(params,
"response_mode"),
"fragment") == 0))) {
return oidc_util_html_send_error(r, c->error_template,
@@ -2841,11 +2852,15 @@
oidc_handle_redirect_authorization_response(r, c, session);
}
+ oidc_error(r,
+ "The OpenID Connect callback URL received an invalid
request: %s; returning HTTP_INTERNAL_SERVER_ERROR",
+ r->args);
+
/* something went wrong */
return oidc_util_html_send_error(r, c->error_template, "Invalid
Request",
apr_psprintf(r->pool,
- "The OpenID Connect callback URL
received an invalid request: %s",
- r->args), HTTP_INTERNAL_SERVER_ERROR);
+ "The OpenID Connect callback URL
received an invalid request"),
+ HTTP_INTERNAL_SERVER_ERROR);
}
/*
@@ -2955,6 +2970,13 @@
return HTTP_UNAUTHORIZED;
case OIDC_UNAUTH_PASS:
r->user = "";
+
+ /*
+ * we're not going to pass information about an
authenticated user to the application,
+ * but we do need to scrub the headers that
mod_auth_openidc would set for security reasons
+ */
+ oidc_scrub_headers(r);
+
return OK;
case OIDC_UNAUTH_AUTHENTICATE:
/* if this is a Javascript path we won't redirect the
user and create a state cookie */
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.h
libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.h
--- libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.h 2016-12-13
18:25:06.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.h 2017-01-29
15:05:57.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_H_
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/oauth.c
libapache2-mod-auth-openidc-2.1.5/src/oauth.c
--- libapache2-mod-auth-openidc-2.1.3/src/oauth.c 2016-10-20
14:09:24.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/oauth.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <apr_lib.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/parse.c
libapache2-mod-auth-openidc-2.1.5/src/parse.c
--- libapache2-mod-auth-openidc-2.1.3/src/parse.c 2016-10-27
16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/parse.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* Validation and parsing of configuration values.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <apr_base64.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/parse.h
libapache2-mod-auth-openidc-2.1.5/src/parse.h
--- libapache2-mod-auth-openidc-2.1.3/src/parse.h 2016-10-27
16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/parse.h 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -47,7 +47,7 @@
*
* Validation and parsing of configuration values.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_PARSE_H_
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/proto.c
libapache2-mod-auth-openidc-2.1.5/src/proto.c
--- libapache2-mod-auth-openidc-2.1.3/src/proto.c 2016-11-19
13:46:48.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/proto.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <httpd.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/session.c
libapache2-mod-auth-openidc-2.1.5/src/session.c
--- libapache2-mod-auth-openidc-2.1.3/src/session.c 2016-12-13
18:25:06.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/src/session.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <apr_base64.h>
diff -Nru libapache2-mod-auth-openidc-2.1.3/src/util.c
libapache2-mod-auth-openidc-2.1.5/src/util.c
--- libapache2-mod-auth-openidc-2.1.3/src/util.c 2016-10-20
14:09:24.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/src/util.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*/
#include <apr_strings.h>
@@ -449,28 +449,48 @@
return url;
}
-/* maximum size of any response returned in HTTP calls */
-#define OIDC_CURL_MAX_RESPONSE_SIZE 65536
-
/* buffer to hold HTTP call responses */
typedef struct oidc_curl_buffer {
- char buf[OIDC_CURL_MAX_RESPONSE_SIZE];
- size_t written;
+ request_rec *r;
+ char *memory;
+ size_t size;
} oidc_curl_buffer;
+/* maximum acceptable size of HTTP responses: 1 Mb */
+#define OIDC_CURL_MAX_RESPONSE_SIZE 1024 * 1024
+
/*
* callback for CURL to write bytes that come back from an HTTP call
*/
-size_t oidc_curl_write(const void *ptr, size_t size, size_t nmemb, void
*stream) {
- oidc_curl_buffer *curlBuffer = (oidc_curl_buffer *) stream;
+size_t oidc_curl_write(void *contents, size_t size, size_t nmemb, void *userp)
{
+ size_t realsize = size * nmemb;
+ oidc_curl_buffer *mem = (oidc_curl_buffer *) userp;
+
+ /* check if we don't run over the maximum buffer/memory size for HTTP
responses */
+ if (mem->size + realsize > OIDC_CURL_MAX_RESPONSE_SIZE) {
+ oidc_error(mem->r,
+ "HTTP response larger than maximum allowed
size: current size=%ld, additional size=%ld, max=%d",
+ mem->size, realsize,
OIDC_CURL_MAX_RESPONSE_SIZE);
+ return 0;
+ }
- if ((nmemb * size) + curlBuffer->written >= OIDC_CURL_MAX_RESPONSE_SIZE)
+ /* allocate the new buffer for the current + new response bytes */
+ char *newptr = apr_palloc(mem->r->pool, mem->size + realsize + 1);
+ if (newptr == NULL) {
+ oidc_error(mem->r,
+ "memory allocation for new buffer of %ld bytes
failed",
+ mem->size + realsize + 1);
return 0;
+ }
- memcpy((curlBuffer->buf + curlBuffer->written), ptr, (nmemb * size));
- curlBuffer->written += (nmemb * size);
+ /* copy over the data from current memory plus the cURL buffer */
+ memcpy(newptr, mem->memory, mem->size);
+ memcpy(&(newptr[mem->size]), contents, realsize);
+ mem->size += realsize;
+ mem->memory = newptr;
+ mem->memory[mem->size] = 0;
- return (nmemb * size);
+ return realsize;
}
/* context structure for encoding parameters */
@@ -519,6 +539,9 @@
return FALSE;
}
+ /* set the error buffer as empty before performing a request */
+ curlError[0] = 0;
+
/* some of these are not really required */
curl_easy_setopt(curl, CURLOPT_HEADER, 0L);
curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L);
@@ -531,10 +554,11 @@
curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout);
/* setup the buffer where the response will be written to */
- curlBuffer.written = 0;
- memset(curlBuffer.buf, '\0', sizeof(curlBuffer.buf));
- curl_easy_setopt(curl, CURLOPT_WRITEDATA, &curlBuffer);
+ curlBuffer.r = r;
+ curlBuffer.memory = NULL;
+ curlBuffer.size = 0;
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, oidc_curl_write);
+ curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void * )&curlBuffer);
#ifndef LIBCURL_NO_CURLPROTO
curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS,
@@ -635,7 +659,8 @@
/* call it and record the result */
int rv = TRUE;
if (curl_easy_perform(curl) != CURLE_OK) {
- oidc_error(r, "curl_easy_perform() failed on: %s (%s)", url,
curlError);
+ oidc_error(r, "curl_easy_perform() failed on: %s (%s)", url,
+ curlError[0] ? curlError : "");
rv = FALSE;
goto out;
}
@@ -644,10 +669,10 @@
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &response_code);
oidc_debug(r, "HTTP response code=%ld", response_code);
- *response = apr_pstrndup(r->pool, curlBuffer.buf, curlBuffer.written);
+ *response = apr_pstrndup(r->pool, curlBuffer.memory, curlBuffer.size);
/* set and log the response */
- oidc_debug(r, "response=%s", *response);
+ oidc_debug(r, "response=%s", *response ? *response : "");
out:
diff -Nru libapache2-mod-auth-openidc-2.1.3/test/test.c
libapache2-mod-auth-openidc-2.1.5/test/test.c
--- libapache2-mod-auth-openidc-2.1.3/test/test.c 2016-10-20
14:09:24.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/test/test.c 2017-01-28
14:28:49.000000000 +0100
@@ -18,7 +18,7 @@
*/
/***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
*
**************************************************************************/
diff -Nru libapache2-mod-auth-openidc-2.1.3/test/test-cmd.c
libapache2-mod-auth-openidc-2.1.5/test/test-cmd.c
--- libapache2-mod-auth-openidc-2.1.3/test/test-cmd.c 2016-11-09
19:14:02.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/test/test-cmd.c 2017-01-28
14:28:49.000000000 +0100
@@ -1,3 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/***************************************************************************
+ * Copyright (C) 2013-2017 Ping Identity Corporation
+ * All rights reserved.
+ *
+ * For further information please contact:
+ *
+ * Ping Identity Corporation
+ * 1099 18th St Suite 2950
+ * Denver, CO 80202
+ * 303.468.2900
+ * http://www.pingidentity.com
+ *
+ * DISCLAIMER OF WARRANTIES:
+ *
+ * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
+ * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING,
+ * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT,
+ * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY
+ * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE
+ * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET
+ * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE
+ * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
+ *
+ **************************************************************************/
+
#include <stdio.h>
#include <string.h>
@@ -47,6 +98,12 @@
(*rbuf)[bytes_read] = '\0';
+ bytes_read--;
+ while ((*rbuf)[bytes_read] == '\n') {
+ (*rbuf)[bytes_read] = '\0';
+ bytes_read --;
+ }
+
apr_file_close(fd);
return 0;
<<attachment: martin.vcf>>
signature.asc
Description: OpenPGP digital signature
