Hello community,

here is the log from the commit of package apache2-mod_auth_openidc for 
openSUSE:Factory checked in at 2019-03-20 13:19:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_auth_openidc"

Wed Mar 20 13:19:55 2019 rev:5 rq:686338 version:2.3.11

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes
        2019-02-20 14:15:16.686860154 +0100
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.28833/apache2-mod_auth_openidc.changes
     2019-03-20 13:19:57.609334102 +0100
@@ -0,0 +1,14 @@
+-------------------------------------------------------------------
+Wed Mar 13 20:36:33 UTC 2019 - Martin Hauke <[email protected]>
+
+- Update to version 2.3.11
+  Features
+  * dynamically pass query params to the authorization request
+   + using OIDCAuthRequestParams foo=# and/or OIDCPathAuthRequestParams foo=#
+  * add session expiry info to session info hook response
+    + session inactivity key is timeout now (was exp)
+    + session expiry key is exp
+  Other
+  * allow compilation without memcache support on older platforms
+    not providing apr_memcache.h
+

Old:
----
  apache2-mod_auth_openidc-2.3.10.2.tar.gz

New:
----
  apache2-mod_auth_openidc-2.3.11.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.rX2jho/_old  2019-03-20 13:19:58.077333988 +0100
+++ /var/tmp/diff_new_pack.rX2jho/_new  2019-03-20 13:19:58.077333988 +0100
@@ -19,7 +19,7 @@
 %define apxs %{_sbindir}/apxs2
 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
 Name:           apache2-mod_auth_openidc
-Version:        2.3.10.2
+Version:        2.3.11
 Release:        0
 Summary:        Apache2.x module for an OpenID Connect enabled Identity 
Provider
 License:        Apache-2.0

++++++ apache2-mod_auth_openidc-2.3.10.2.tar.gz -> 
apache2-mod_auth_openidc-2.3.11.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/ChangeLog 
new/mod_auth_openidc-2.3.11/ChangeLog
--- old/mod_auth_openidc-2.3.10.2/ChangeLog     2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/ChangeLog       2019-03-13 07:04:49.000000000 
+0100
@@ -1,3 +1,18 @@
+03/13/2019
+- release 2.3.11
+
+02/26/2019
+- add session expiry to session info hook response (and change inactivity 
timeout key)
+- bump to 2.3.11rc2
+
+02/25/2019
+- add option to dynamically pass query parameters to the authorization 
request; closes #401
+- bump to 2.3.11rc1
+
+01/31/2019
+- support conditional compilation of memcache support
+- bump to 2.3.11rc0
+
 01/22/2019
 - fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC Session 
Management RP iframe; thanks Mischa Bachmann
 - release 2.3.10.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/Makefile.in 
new/mod_auth_openidc-2.3.11/Makefile.in
--- old/mod_auth_openidc-2.3.10.2/Makefile.in   2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/Makefile.in     2019-03-13 07:04:49.000000000 
+0100
@@ -1,7 +1,6 @@
 # Source files. mod_auth_openidc.c must be the first file.
 SRC=src/mod_auth_openidc.c \
        src/cache/file.c \
-       src/cache/memcache.c \
        src/cache/shm.c \
        src/cache/common.c \
        src/oauth.c \
@@ -13,7 +12,7 @@
        src/metadata.c \
        src/jose.c \
        src/parse.c \
-       src/pcre_subst.c \
+       src/pcre_subst.c
 
 ifeq (@HAVE_LIBHIREDIS@, 1)
 SRC += \
@@ -22,6 +21,12 @@
 REDIS_LIBS=@HIREDIS_LIBS@
 endif
 
+ifeq (@HAVE_MEMCACHE@, 1)
+REDIS_CFLAGS+=-DUSE_MEMCACHE
+SRC += \
+       src/cache/memcache.c
+endif
+
 ifeq (@HAVE_LIBJQ@, 1)
 JQ_CFLAGS=-DUSE_LIBJQ @JQ_CFLAGS@
 JQ_LIBS=@JQ_LIBS@
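Review bot: The memcache compile switch is appended to a variable named for another backend (`REDIS_CFLAGS+=-DUSE_MEMCACHE`), so whether `-DUSE_MEMCACHE` reaches the compiler when hiredis is absent depends on `$(REDIS_CFLAGS)` being referenced unconditionally in the flags assembled outside this hunk. A dedicated `MEMCACHE_CFLAGS=-DUSE_MEMCACHE` inside the new `ifeq (@HAVE_MEMCACHE@, 1)` block, added wherever `$(REDIS_CFLAGS)` is consumed, keeps the two backends independent and makes the define easy to find when `cache.h`, `config.c` and `parse.c` test `USE_MEMCACHE`.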
@@ -67,7 +72,7 @@
        tar -c --transform="s#^#@NAMEVER@/#" -vzf $@ $(DISTFILES)
 
 test/test test/test-cmd: test/test.c test/test-cmd.c test/stub.c 
src/mod_auth_openidc.la
-       @APXS2@ @APXS2_OPTS@ $(CFLAGS) -Wl,"$(LIBS)" -Isrc -Wc,-Wall -Wc,-g -c 
-o $@ [email protected] test/stub.c $(SRC:.c=.lo) @APR_LIBS@
+       @APXS2@ @APXS2_OPTS@ -Wc,"-DNAMEVER=\"@NAMEVER@\" $(CFLAGS)" 
-Wl,"$(LIBS)" -Isrc -Wc,-Wall -Wc,-g -c -o $@ [email protected] test/stub.c $(SRC:.c=.lo) 
@APR_LIBS@
 
 test-compile: test/test test/test-cmd
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/auth_openidc.conf 
new/mod_auth_openidc-2.3.11/auth_openidc.conf
--- old/mod_auth_openidc-2.3.10.2/auth_openidc.conf     2019-01-22 
11:52:16.000000000 +0100
+++ new/mod_auth_openidc-2.3.11/auth_openidc.conf       2019-03-13 
07:04:49.000000000 +0100
@@ -117,6 +117,11 @@
 # As an alternative to this option, one may choose to add the parameters as
 # part of the URL set in OIDCProviderAuthorizationEndpoint or 
"authorization_endpoint"
 # in the .provider metadata (though that would not work with Discovery OPs).
+#
+# Since version 2.3.11rc1 one can pass on query parameters from the request to 
the authorization
+# request by adding e.g. "foo=#" which which will dynamically pull in the 
query parameter value
+# from the request query parameter and add it to the authentication request to 
the OP.
+#
 # The default is to not add extra parameters.
 # NB: this can be overridden on a per-OP basis in the .conf file using the 
key: auth_request_params
 #OIDCAuthRequestParams <query-encoded-string>
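Review bot: The added paragraph contains the duplicated word `which which` ("foo=#" which which will dynamically pull in), and the same sentence is repeated verbatim in the later `OIDCPathAuthRequestParams` hunk. Beyond the typo, the comment never says where the substituted value originates; a line such as `# The value is copied from the query parameter of the same name on the incoming client request and forwarded to the OP; entries without a matching request parameter are omitted.` would tell an administrator that `#` forwards client-supplied data rather than a server-side constant.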
@@ -619,7 +624,13 @@
 
 # Extra parameters that will be sent along with the Authorization Request.
 # These must be URL-query-encoded as in: "display=popup&prompt=consent".
+#
 # NB: since version 2.3.0 this can be configured on a per-path basis across 
all configured Providers.
+#
+# Since version 2.3.11rc1 one can pass on query parameters from the request to 
the authorization
+# request by adding e.g. "foo=#" which which will dynamically pull in the 
query parameter value
+# from the request query parameter and add it to the authentication request to 
the OP.
+#
 # The default is to not add extra parameters.
 #OIDCPathAuthRequestParams <query-encoded-string>
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/configure.ac 
new/mod_auth_openidc-2.3.11/configure.ac
--- old/mod_auth_openidc-2.3.10.2/configure.ac  2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/configure.ac    2019-03-13 07:04:49.000000000 
+0100
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.3.10.2],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.3.11],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 
@@ -57,6 +57,13 @@
 AC_SUBST(APR_CFLAGS)
 AC_SUBST(APR_LIBS)
 
+# older versions of libapr may not have memcache support
+old_CPPFLAGS=$CPPFLAGS
+CPPFLAGS="${APR_CFLAGS} $CPPFLAGS"
+AC_CHECK_HEADERS([apr_memcache.h], [HAVE_MEMCACHE=1], [HAVE_MEMCACHE=0])
+AC_SUBST(HAVE_MEMCACHE)
+CPPFLAGS=$old_CPPFLAGS
+
 # We need Jansson for JSON parsing.
 PKG_CHECK_MODULES(JANSSON, jansson)
 AC_SUBST(JANSSON_CFLAGS)
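Review bot: `HAVE_MEMCACHE` is decided solely by whether `apr_memcache.h` is found with `APR_CFLAGS` prepended to `CPPFLAGS`; on APR 1.x that header is shipped by apr-util, so if `APR_CFLAGS` does not cover the apr-util include directory the probe fails and memcache support is silently compiled out even though it is installed. Since nothing else reports the outcome, an explicit `AC_MSG_NOTICE([memcache support: $HAVE_MEMCACHE])` after the `AC_SUBST` would make a dropped backend visible in the configure output; whether `APR_CFLAGS` already includes the apr-util path is set outside this hunk and worth confirming.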
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/src/cache/cache.h 
new/mod_auth_openidc-2.3.11/src/cache/cache.h
--- old/mod_auth_openidc-2.3.10.2/src/cache/cache.h     2019-01-22 
11:52:16.000000000 +0100
+++ new/mod_auth_openidc-2.3.11/src/cache/cache.h       2019-03-13 
07:04:49.000000000 +0100
@@ -132,9 +132,12 @@
 #define oidc_cache_set_sid(r, key, value, expiry) oidc_cache_set(r, 
OIDC_CACHE_SECTION_SID, key, value, expiry)
 
 extern oidc_cache_t oidc_cache_file;
-extern oidc_cache_t oidc_cache_memcache;
 extern oidc_cache_t oidc_cache_shm;
 
+#ifdef USE_MEMCACHE
+extern oidc_cache_t oidc_cache_memcache;
+#endif
+
 #ifdef USE_LIBHIREDIS
 extern oidc_cache_t oidc_cache_redis;
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/src/config.c 
new/mod_auth_openidc-2.3.11/src/config.c
--- old/mod_auth_openidc-2.3.10.2/src/config.c  2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/src/config.c    2019-03-13 07:04:49.000000000 
+0100
@@ -1153,7 +1153,9 @@
 
        c->cache_file_dir = NULL;
        c->cache_file_clean_interval = OIDC_DEFAULT_CACHE_FILE_CLEAN_INTERVAL;
+#ifdef USE_MEMCACHE
        c->cache_memcache_servers = NULL;
+#endif
        c->cache_shm_size_max = OIDC_DEFAULT_CACHE_SHM_SIZE;
        c->cache_shm_entry_size_max = OIDC_DEFAULT_CACHE_SHM_ENTRY_SIZE_MAX;
 #ifdef USE_LIBHIREDIS
@@ -1533,9 +1535,11 @@
                                        add->cache_file_clean_interval :
                                        base->cache_file_clean_interval;
 
+#ifdef USE_MEMCACHE
        c->cache_memcache_servers =
                        add->cache_memcache_servers != NULL ?
                                        add->cache_memcache_servers : 
base->cache_memcache_servers;
+#endif
        c->cache_shm_size_max =
                        add->cache_shm_size_max != OIDC_DEFAULT_CACHE_SHM_SIZE ?
                                        add->cache_shm_size_max : 
base->cache_shm_size_max;
@@ -2196,22 +2200,26 @@
        }
 
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-                       "%s - init - cjose %s, %s, EC=%s, GCM=%s, Redis=%s, 
JQ=%s",
-                       NAMEVERSION,
-                       cjose_version(),
-                       OPENSSL_VERSION_TEXT,
+                       "%s - init - cjose %s, %s, EC=%s, GCM=%s, Memcache=%s, 
Redis=%s, JQ=%s",
+                       NAMEVERSION, cjose_version(), OPENSSL_VERSION_TEXT,
                        OIDC_JOSE_EC_SUPPORT ? "yes" : "no",
-                       OIDC_JOSE_GCM_SUPPORT ? "yes" : "no",
+                                       OIDC_JOSE_GCM_SUPPORT ? "yes" : "no",
+#ifdef USE_MEMCACHE
+                                                       "yes"
+#else
+                                                       "no"
+#endif
+                                                       ,
 #ifdef USE_LIBHIREDIS
-                       "yes"
+                                                       "yes"
 #else
-                       "no"
+                                                       "no"
 #endif
-                       ,
+                                                       ,
 #ifdef USE_LIBJQ
-                       "yes"
+                                                       "yes"
 #else
-                       "no"
+                                                       "no"
 #endif
        );
 
@@ -2280,8 +2288,7 @@
 #if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
 static const authz_provider oidc_authz_claim_provider = {
                &oidc_authz_checker_claim,
-               NULL,
-};
+               NULL, };
 
 #ifdef USE_LIBJQ
 static const authz_provider oidc_authz_claims_expr_provider = {
@@ -2784,11 +2791,13 @@
                                (void*)APR_OFFSETOF(oidc_cfg, 
cache_file_clean_interval),
                                RSRC_CONF,
                                "Cache file clean interval in seconds."),
+#ifdef USE_MEMCACHE
                AP_INIT_TAKE1(OIDCMemCacheServers,
                                oidc_set_string_slot,
                                (void*)APR_OFFSETOF(oidc_cfg, 
cache_memcache_servers),
                                RSRC_CONF,
                                "Memcache servers used for caching (space 
separated list of <hostname>[:<port>] tuples)"),
+#endif
                AP_INIT_TAKE1(OIDCCacheShmMax,
                                oidc_set_int_slot,
                                (void*)APR_OFFSETOF(oidc_cfg, 
cache_shm_size_max),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/src/jose.c 
new/mod_auth_openidc-2.3.11/src/jose.c
--- old/mod_auth_openidc-2.3.10.2/src/jose.c    2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/src/jose.c      2019-03-13 07:04:49.000000000 
+0100
@@ -1272,7 +1272,7 @@
 }
 
 /*
- * parse an X.509 PEM formatted certificate file with an RSA public key to a 
JWK struct
+ * parse a PEM formatted RSA private key to a JWK
  */
 apr_byte_t oidc_jwk_parse_rsa_private_key(apr_pool_t *pool, const char *kid,
                const char *filename, oidc_jwk_t **jwk, oidc_jose_error_t *err) 
{
@@ -1280,7 +1280,7 @@
 }
 
 /*
- * parse an X.509 PEM formatted RSA private key file to a JWK
+ * parse a PEM formatted RSA public key file to a JWK
  */
 apr_byte_t oidc_jwk_parse_rsa_public_key(apr_pool_t *pool, const char *kid,
                const char *filename, oidc_jwk_t **jwk, oidc_jose_error_t *err) 
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/src/mod_auth_openidc.c 
new/mod_auth_openidc-2.3.11/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.3.10.2/src/mod_auth_openidc.c        2019-01-22 
11:52:16.000000000 +0100
+++ new/mod_auth_openidc-2.3.11/src/mod_auth_openidc.c  2019-03-13 
07:04:49.000000000 +0100
@@ -3496,11 +3496,16 @@
                                session->state);
                json_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_UUID,
                                json_string(session->uuid));
-               json_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_EXP,
+               json_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_TIMEOUT,
                                json_integer(apr_time_sec(session->expiry)));
+               apr_time_t session_expires = oidc_session_get_session_expires(r,
+                               session);
+               json_object_set_new(j_session, OIDC_HOOK_INFO_SESSION_EXP,
+                               json_integer(apr_time_sec(session_expires)));
                json_object_set_new(j_session, 
OIDC_HOOK_INFO_SESSION_REMOTE_USER,
                                json_string(session->remote_user));
                json_object_set_new(json, OIDC_HOOK_INFO_SESSION, j_session);
+
        }
 
        if (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_REFRESH_TOKEN,
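Review bot: The `OIDC_HOOK_INFO_SESSION_EXP` key changes meaning in this hunk — it previously carried `session->expiry` (the inactivity deadline, now emitted under `OIDC_HOOK_INFO_SESSION_TIMEOUT`) and now carries the result of `oidc_session_get_session_expires` — so an existing consumer of the session-info hook that reads `exp` silently receives a later deadline instead of an error. A comment above the two `json_object_set_new` calls, e.g. `/* "timeout" = inactivity deadline (reported as "exp" before 2.3.11); "exp" = absolute session expiry */`, would make the change discoverable from the code. Whether `oidc_session_get_session_expires` can return 0 for a session without an absolute expiry (which would then be reported as `exp: 0`) is not visible here and worth checking; the blank line added before the closing brace looks unintended. The enclosing function starts and ends outside the hunk.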
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/src/mod_auth_openidc.h 
new/mod_auth_openidc-2.3.11/src/mod_auth_openidc.h
--- old/mod_auth_openidc-2.3.10.2/src/mod_auth_openidc.h        2019-01-22 
11:52:16.000000000 +0100
+++ new/mod_auth_openidc-2.3.11/src/mod_auth_openidc.h  2019-03-13 
07:04:49.000000000 +0100
@@ -367,8 +367,10 @@
        char *cache_file_dir;
        /* cache_type = file: clean interval */
        int cache_file_clean_interval;
+#ifdef USE_MEMCACHE
        /* cache_type= memcache: list of memcache host/port servers to use */
        char *cache_memcache_servers;
+#endif
        /* cache_type = shm: size of the shared memory segment (cq. max number 
of cached entries) */
        int cache_shm_size_max;
        /* cache_type = shm: maximum size in bytes of a cache entry */
@@ -544,6 +546,7 @@
 #define OIDC_HOOK_INFO_SESSION_STATE       "state"
 #define OIDC_HOOK_INFO_SESSION_UUID        "uuid"
 #define OIDC_HOOK_INFO_SESSION_EXP         "exp"
+#define OIDC_HOOK_INFO_SESSION_TIMEOUT     "timeout"
 #define OIDC_HOOK_INFO_SESSION_REMOTE_USER "remote_user"
 #define OIDC_HOOK_INFO_REFRESH_TOKEN       "refresh_token"
 
@@ -564,6 +567,7 @@
 #define OIDC_STR_FORWARD_SLASH "/"
 #define OIDC_STR_AT            "@"
 #define OIDC_STR_COMMA         ","
+#define OIDC_STR_HASH          "#"
 
 #define OIDC_CHAR_EQUAL         '='
 #define OIDC_CHAR_COLON         ':'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/src/parse.c 
new/mod_auth_openidc-2.3.11/src/parse.c
--- old/mod_auth_openidc-2.3.10.2/src/parse.c   2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/src/parse.c     2019-03-13 07:04:49.000000000 
+0100
@@ -274,7 +274,9 @@
                oidc_cache_t **type) {
        static char *options[] = {
                        OIDC_CACHE_TYPE_SHM,
+#ifdef USE_MEMCACHE
                        OIDC_CACHE_TYPE_MEMCACHE,
+#endif
 #ifdef USE_LIBHIREDIS
                        OIDC_CACHE_TYPE_REDIS,
 #endif
@@ -286,8 +288,10 @@
 
        if (apr_strnatcmp(arg, OIDC_CACHE_TYPE_SHM) == 0) {
                *type = &oidc_cache_shm;
+#ifdef USE_MEMCACHE
        } else if (apr_strnatcmp(arg, OIDC_CACHE_TYPE_MEMCACHE) == 0) {
                *type = &oidc_cache_memcache;
+#endif
        } else if (apr_strnatcmp(arg, OIDC_CACHE_TYPE_FILE) == 0) {
                *type = &oidc_cache_file;
 #ifdef USE_LIBHIREDIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/src/proto.c 
new/mod_auth_openidc-2.3.11/src/proto.c
--- old/mod_auth_openidc-2.3.10.2/src/proto.c   2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/src/proto.c     2019-03-13 07:04:49.000000000 
+0100
@@ -545,6 +545,29 @@
                        "document.forms[0].submit()", html_body, DONE);
 }
 
+void add_auth_request_params(request_rec *r, apr_table_t *params,
+               const char *auth_request_params) {
+       char *key = NULL;
+       char *val = NULL;
+
+       if (auth_request_params == NULL)
+               return;
+
+       while (*auth_request_params && (val = ap_getword(r->pool, 
&auth_request_params, OIDC_CHAR_AMP))) {
+               key = ap_getword(r->pool, (const char **)&val, OIDC_CHAR_EQUAL);
+               ap_unescape_url(key);
+               ap_unescape_url(val);
+               if (apr_strnatcmp(val, OIDC_STR_HASH) != 0) {
+                       apr_table_add(params, key, val);
+                       continue;
+               }
+               if (oidc_util_request_has_parameter(r, key) == TRUE) {
+                       oidc_util_get_request_parameter(r, key, &val);
+                       apr_table_add(params, key, val);
+               }
+       }
+}
+
 /*
  * send an OpenID Connect authorization request to the specified provider
  */
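Review bot: `add_auth_request_params` is the only function in this file with external linkage and no `oidc_proto_` prefix, and it lacks the `/* ... */` header every neighbouring function has; both callers are in proto.c, so `static void add_auth_request_params(request_rec *r, apr_table_t *params,` keeps it out of the module's exported symbols. The return values of `ap_unescape_url(key)` and `ap_unescape_url(val)` are ignored, so a malformed percent-escape in the configured string is added in its partially decoded form; `if (ap_unescape_url(key) != OK || ap_unescape_url(val) != OK) continue;` (with an `oidc_error` naming the entry) would reject it instead. For a `key=#` entry the value is copied from the client's request via `oidc_util_get_request_parameter`, whose return is also unchecked, and the header comment should state that the substituted value is client-supplied and that the caller is relied on to URL-encode the table when the authorization URL is built — the latter is outside this hunk and worth confirming.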
@@ -576,8 +599,9 @@
        const char *scope = provider->scope;
        if (path_scope != NULL)
                scope = ((scope != NULL) && (apr_strnatcmp(scope, "") != 0)) ?
-                               apr_pstrcat(r->pool, scope, OIDC_STR_SPACE, 
path_scope, NULL) :
-                               path_scope;
+                               apr_pstrcat(r->pool, scope, OIDC_STR_SPACE, 
path_scope,
+                                               NULL) :
+                                               path_scope;
 
        if (scope != NULL) {
                if (!oidc_util_spaced_string_contains(r->pool, scope,
@@ -629,14 +653,10 @@
                apr_table_setn(params, OIDC_PROTO_PROMPT, prompt);
 
        /* add any statically configured custom authorization request 
parameters */
-       if (provider->auth_request_params != NULL)
-               oidc_util_table_add_query_encoded_params(r->pool, params,
-                               provider->auth_request_params);
+       add_auth_request_params(r, params, provider->auth_request_params);
 
        /* add any dynamically configured custom authorization request 
parameters */
-       if (auth_request_params != NULL)
-               oidc_util_table_add_query_encoded_params(r->pool, params,
-                               auth_request_params);
+       add_auth_request_params(r, params, auth_request_params);
 
        /* add request parameter (request or request_uri) if set */
        if (provider->request_object != NULL)
@@ -986,8 +1006,8 @@
 
 void oidc_proto_state_set_pkce_state(oidc_proto_state_t *proto_state,
                const char *pkce_state) {
-       oidc_proto_state_set_string_value(proto_state, 
OIDC_PROTO_STATE_PKCE_STATE,
-                       pkce_state);
+       oidc_proto_state_set_string_value(proto_state,
+                       OIDC_PROTO_STATE_PKCE_STATE, pkce_state);
 }
 
 void oidc_proto_state_set_timestamp_now(oidc_proto_state_t *proto_state) {
@@ -1017,7 +1037,8 @@
 
        /* get the "nonce" value in the id_token payload */
        char *j_nonce = NULL;
-       if (oidc_jose_get_string(r->pool, jwt->payload.value.json, 
OIDC_CLAIM_NONCE,
+       if (oidc_jose_get_string(r->pool, jwt->payload.value.json,
+                       OIDC_CLAIM_NONCE,
                        TRUE, &j_nonce, &err) == FALSE) {
                oidc_error(r,
                                "id_token JSON payload did not contain a \"%s\" 
string: %s",
@@ -1058,7 +1079,8 @@
                oidc_provider_t *provider, oidc_jwt_payload_t 
*id_token_payload) {
 
        char *azp = NULL;
-       oidc_jose_get_string(r->pool, id_token_payload->value.json, 
OIDC_CLAIM_AZP,
+       oidc_jose_get_string(r->pool, id_token_payload->value.json,
+                       OIDC_CLAIM_AZP,
                        FALSE, &azp,
                        NULL);
 
@@ -1075,7 +1097,8 @@
        }
 
        /* get the "aud" value from the JSON payload */
-       json_t *aud = json_object_get(id_token_payload->value.json, 
OIDC_CLAIM_AUD);
+       json_t *aud = json_object_get(id_token_payload->value.json,
+                       OIDC_CLAIM_AUD);
        if (aud != NULL) {
 
                /* check if it is a single-value */
@@ -1362,7 +1385,8 @@
 
                /* we are looking for a specific x5t, get the x5t from the 
current element */
                char *s_x5t = NULL;
-               oidc_json_object_get_string(r->pool, elem, OIDC_JWK_X5T, 
&s_x5t, NULL);
+               oidc_json_object_get_string(r->pool, elem, OIDC_JWK_X5T, &s_x5t,
+                               NULL);
                /* compare the requested thumbprint against the current element 
*/
                if ((s_x5t != NULL) && (x5t != NULL)
                                && (apr_strnatcmp(x5t, s_x5t) == 0)) {
@@ -1650,7 +1674,8 @@
        oidc_jwt_t *jwt = *out;
 
        char *jti = NULL;
-       oidc_proto_generate_random_string(r, &jti, 
OIDC_PROTO_ASSERTION_JTI_LEN);
+       oidc_proto_generate_random_string(r, &jti,
+                       OIDC_PROTO_ASSERTION_JTI_LEN);
 
        json_object_set_new(jwt->payload.value.json, OIDC_CLAIM_ISS,
                        json_string(client_id));
@@ -1708,8 +1733,8 @@
                return FALSE;
 
        oidc_jwk_t *jwk = oidc_jwk_create_symmetric_key(r->pool, NULL,
-                       (const unsigned char *) client_secret, 
strlen(client_secret), FALSE,
-                       &err);
+                       (const unsigned char *) client_secret, 
strlen(client_secret),
+                       FALSE, &err);
        if (jwk == NULL) {
                oidc_error(r, "parsing of client secret into JWK failed: %s",
                                oidc_jose_e2s(r->pool, err));
@@ -1854,8 +1879,8 @@
        /* add the token endpoint authentication credentials */
        if (oidc_proto_token_endpoint_auth(r, cfg, 
provider->token_endpoint_auth,
                        provider->client_id, provider->client_secret,
-                       provider->token_endpoint_url, params, NULL, &basic_auth,
-                       &bearer_auth) == FALSE)
+                       provider->token_endpoint_url, params,
+                       NULL, &basic_auth, &bearer_auth) == FALSE)
                return FALSE;
 
        /* add any configured extra static parameters to the token endpoint */
@@ -2102,8 +2127,8 @@
                                const char *access_token = json_string_value(
                                                json_object_get(value,
                                                                
OIDC_COMPOSITE_CLAIM_ACCESS_TOKEN));
-                               const char *endpoint = json_string_value(
-                                               json_object_get(value, 
OIDC_COMPOSITE_CLAIM_ENDPOINT));
+                               const char *endpoint = 
json_string_value(json_object_get(value,
+                                               OIDC_COMPOSITE_CLAIM_ENDPOINT));
                                if ((access_token != NULL) && (endpoint != 
NULL)) {
                                        oidc_util_http_get(r, endpoint,
                                                        NULL, NULL, 
access_token, cfg->provider.ssl_validate_server,
@@ -2503,7 +2528,8 @@
 apr_array_header_t *oidc_proto_supported_flows(apr_pool_t *pool) {
        apr_array_header_t *result = apr_array_make(pool, 6, sizeof(const 
char*));
        *(const char**) apr_array_push(result) = OIDC_PROTO_RESPONSE_TYPE_CODE;
-       *(const char**) apr_array_push(result) = 
OIDC_PROTO_RESPONSE_TYPE_IDTOKEN;
+       *(const char**) apr_array_push(result) =
+                       OIDC_PROTO_RESPONSE_TYPE_IDTOKEN;
        *(const char**) apr_array_push(result) =
                        OIDC_PROTO_RESPONSE_TYPE_IDTOKEN_TOKEN;
        *(const char**) apr_array_push(result) =
@@ -2711,7 +2737,8 @@
 
        const char *code = apr_table_get(params, OIDC_PROTO_CODE);
        const char *id_token = apr_table_get(params, OIDC_PROTO_ID_TOKEN);
-       const char *access_token = apr_table_get(params, 
OIDC_PROTO_ACCESS_TOKEN);
+       const char *access_token = apr_table_get(params,
+                       OIDC_PROTO_ACCESS_TOKEN);
        const char *iss = apr_table_get(params, OIDC_PROTO_ISS);
        const char *client_id = apr_table_get(params, OIDC_PROTO_CLIENT_ID);
 
@@ -2829,8 +2856,9 @@
        static const char *response_type = 
OIDC_PROTO_RESPONSE_TYPE_CODE_IDTOKEN;
 
        if (oidc_proto_validate_response_type_mode_issuer(r, response_type, 
params,
-                       proto_state, response_mode, 
OIDC_PROTO_RESPONSE_MODE_FRAGMENT,
-                       provider->issuer, provider->client_id) == FALSE)
+                       proto_state, response_mode,
+                       OIDC_PROTO_RESPONSE_MODE_FRAGMENT, provider->issuer,
+                       provider->client_id) == FALSE)
                return FALSE;
 
        if (oidc_proto_parse_idtoken_and_validate_code(r, c, proto_state, 
provider,
@@ -2862,8 +2890,9 @@
        static const char *response_type = OIDC_PROTO_RESPONSE_TYPE_CODE_TOKEN;
 
        if (oidc_proto_validate_response_type_mode_issuer(r, response_type, 
params,
-                       proto_state, response_mode, 
OIDC_PROTO_RESPONSE_MODE_FRAGMENT,
-                       provider->issuer, provider->client_id) == FALSE)
+                       proto_state, response_mode,
+                       OIDC_PROTO_RESPONSE_MODE_FRAGMENT, provider->issuer,
+                       provider->client_id) == FALSE)
                return FALSE;
 
        /* clear parameters that should only be set from the token endpoint */
@@ -2893,8 +2922,9 @@
        static const char *response_type = OIDC_PROTO_RESPONSE_TYPE_CODE;
 
        if (oidc_proto_validate_response_type_mode_issuer(r, response_type, 
params,
-                       proto_state, response_mode, 
OIDC_PROTO_RESPONSE_MODE_QUERY,
-                       provider->issuer, provider->client_id) == FALSE)
+                       proto_state, response_mode,
+                       OIDC_PROTO_RESPONSE_MODE_QUERY, provider->issuer,
+                       provider->client_id) == FALSE)
                return FALSE;
 
        /* clear parameters that should only be set from the token endpoint */
@@ -2936,8 +2966,9 @@
                const char *response_mode, oidc_jwt_t **jwt) {
 
        if (oidc_proto_validate_response_type_mode_issuer(r, response_type, 
params,
-                       proto_state, response_mode, 
OIDC_PROTO_RESPONSE_MODE_FRAGMENT,
-                       provider->issuer, provider->client_id) == FALSE)
+                       proto_state, response_mode,
+                       OIDC_PROTO_RESPONSE_MODE_FRAGMENT, provider->issuer,
+                       provider->client_id) == FALSE)
                return FALSE;
 
        if (oidc_proto_parse_idtoken_and_validate_code(r, c, proto_state, 
provider,
@@ -2987,7 +3018,8 @@
 
        oidc_debug(r, "enter");
 
-       static const char *response_type = 
OIDC_PROTO_RESPONSE_TYPE_IDTOKEN_TOKEN;
+       static const char *response_type =
+                       OIDC_PROTO_RESPONSE_TYPE_IDTOKEN_TOKEN;
 
        if (oidc_proto_handle_implicit_flow(r, c, response_type, proto_state,
                        provider, params, response_mode, jwt) == FALSE)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/test/stub.c 
new/mod_auth_openidc-2.3.11/test/stub.c
--- old/mod_auth_openidc-2.3.10.2/test/stub.c   2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/test/stub.c     2019-03-13 07:04:49.000000000 
+0100
@@ -2,6 +2,7 @@
 #include <http_core.h>
 #include <http_config.h>
 #include <apr_global_mutex.h>
+#include <apr_strings.h>
 #include <apr_lib.h>
 #include <http_log.h>
 
@@ -36,8 +37,26 @@
        return 0;
 }
 
-AP_DECLARE(char *) ap_getword(apr_pool_t *p, const char **line, char stop) {
-       return "";
+AP_DECLARE(char *) ap_getword(apr_pool_t *atrans, const char **line, char 
stop) {
+       const char *pos = *line;
+       int len;
+       char *res;
+
+       while ((*pos != stop) && *pos) {
+               ++pos;
+       }
+
+       len = pos - *line;
+       res = apr_pstrmemdup(atrans, *line, len);
+
+       if (stop) {
+               while (*pos == stop) {
+                       ++pos;
+               }
+       }
+       *line = pos;
+
+       return res;
 }
 
 static char *substring_conf(apr_pool_t *p, const char *start, int len,
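Review bot: `int len;` receives the pointer difference `pos - *line` and is then passed to `apr_pstrmemdup`, which takes an `apr_size_t`, so the stub narrows `ptrdiff_t` to `int` and widens it back; `apr_size_t len;` avoids both conversions. The stub now implements real word splitting where the old one returned `""`, which is needed by the new `add_auth_request_params` test but changes behaviour for any other test path that reaches `ap_getword`; a one-line comment such as `/* real ap_getword semantics: return the word before `stop`, then skip every consecutive `stop` */` would distinguish it from the functions stub.c merely stubs out.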
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/test/test-cmd.c 
new/mod_auth_openidc-2.3.11/test/test-cmd.c
--- old/mod_auth_openidc-2.3.10.2/test/test-cmd.c       2019-01-22 
11:52:16.000000000 +0100
+++ new/mod_auth_openidc-2.3.11/test/test-cmd.c 2019-03-13 07:04:49.000000000 
+0100
@@ -66,7 +66,7 @@
 
 int usage(int argc, char **argv, const char *msg) {
        fprintf(stderr, "Usage: %s %s\n", argv[0],
-                       msg ? msg : "[ sign | verify | jwk2cert | cert2jwk | 
enckey | hash_base64url | timestamp | uuid] <options>");
+                       msg ? msg : "[ sign | verify | jwk2cert | key2jwk | 
enckey | hash_base64url | timestamp | uuid ] <options>");
        return -1;
 }
 
@@ -314,17 +314,28 @@
        return 0;
 }
 
-int cert2jwk(int argc, char **argv, apr_pool_t *pool) {
+int key2jwk(int argc, char **argv, apr_pool_t *pool) {
 
        if (argc <= 2)
-               return usage(argc, argv, "cert2jwk <pem-file>");
+               return usage(argc, argv, "key2jwk <pem-file> <is_private_key>");
 
        oidc_jwk_t *jwk = NULL;
        oidc_jose_error_t err;
-       if (oidc_jwk_parse_rsa_public_key(pool, NULL, argv[2], &jwk, &err) == 
FALSE) {
-               fprintf(stderr, "oidc_jwk_parse_rsa_public_key failed: %s",
-                               oidc_jose_e2s(pool, err));
-               return -1;
+
+       int is_private_key = (argc > 3);
+
+       if (is_private_key) {
+               if (oidc_jwk_parse_rsa_private_key(pool, NULL, argv[2], &jwk, 
&err) == FALSE) {
+                       fprintf(stderr, "oidc_jwk_parse_rsa_private_key failed: 
%s",
+                                       oidc_jose_e2s(pool, err));
+                       return -1;
+               }
+       } else {
+               if (oidc_jwk_parse_rsa_public_key(pool, NULL, argv[2], &jwk, 
&err) == FALSE) {
+                       fprintf(stderr, "oidc_jwk_parse_rsa_public_key failed: 
%s",
+                                       oidc_jose_e2s(pool, err));
+                       return -1;
+               }
        }
 
        char *s_json = NULL;
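Review bot: `int is_private_key = (argc > 3);` selects private-key parsing on the mere presence of a third argument, so `key2jwk file.pem 0` still parses the file as a private key, while the usage text `key2jwk <pem-file> <is_private_key>` suggests the value is interpreted. Either read it, e.g. `int is_private_key = (argc > 3) && (strcmp(argv[3], "0") != 0);`, or make the convention explicit with `return usage(argc, argv, "key2jwk <pem-file> [private]");`. The two error branches differ only in the parse function and message and could share one path, but that is a matter of taste. `key2jwk` continues past the end of this hunk.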
@@ -558,8 +569,8 @@
        if (strcmp(argv[1], "jwk2cert") == 0)
                return jwk2cert(argc, argv, pool);
 
-       if (strcmp(argv[1], "cert2jwk") == 0)
-               return cert2jwk(argc, argv, pool);
+       if (strcmp(argv[1], "key2jwk") == 0)
+               return key2jwk(argc, argv, pool);
 
        if (strcmp(argv[1], "enckey") == 0)
                return enckey(argc, argv, pool);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.3.10.2/test/test.c 
new/mod_auth_openidc-2.3.11/test/test.c
--- old/mod_auth_openidc-2.3.10.2/test/test.c   2019-01-22 11:52:16.000000000 
+0100
+++ new/mod_auth_openidc-2.3.11/test/test.c     2019-03-13 07:04:49.000000000 
+0100
@@ -1043,7 +1043,7 @@
        provider.client_id = "client_id";
        provider.client_secret = NULL;
        provider.response_type = "code";
-       provider.auth_request_params = NULL;
+       provider.auth_request_params = "jan=piet&foo=#";
        provider.request_object = NULL;
        provider.token_binding_policy = OIDC_TOKEN_BINDING_POLICY_OPTIONAL;
        provider.auth_request_method = OIDC_AUTH_REQUEST_METHOD_GET;
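Review bot: The new fixture value `"jan=piet&foo=#"` on the provider.auth_request_params line introduces the `#` placeholder without saying where it is resolved from; the expected Location later in this test ends in `&jan=piet&foo=bar`, so `bar` must come from the request under test, presumably from query arguments set up outside this hunk. A one-line comment would spare the next reader a trip into the module, e.g. `/* foo=# is a placeholder: the value is copied from the incoming request's parameter of the same name (see r->args setup above) */`. The enclosing test function starts before this hunk.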
@@ -1065,7 +1065,7 @@
 
        TST_ASSERT_STR("oidc_proto_authorization_request (2)",
                        apr_table_get(r->headers_out, "Location"),
-                       
"https://idp.example.com/authorize?response_type=code&scope=openid&client_id=client_id&state=12345&redirect_uri=https%3A%2F%2Fwww.example.com%2Fprotected%2F&nonce=anonce";);
+                       
"https://idp.example.com/authorize?response_type=code&scope=openid&client_id=client_id&state=12345&redirect_uri=https%3A%2F%2Fwww.example.com%2Fprotected%2F&nonce=anonce&jan=piet&foo=bar";);
 
        return 0;
 }
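Review bot: The updated expectation only pins the happy path: the dynamic parameter `foo=#` resolves to a plain `foo=bar`, so nothing here demonstrates that a request-supplied value containing `&`, `=` or `#` is percent-encoded before being appended to the authorization URL. Because that value presumably originates from the incoming request, i.e. from whoever triggers the login, an unencoded value could add or override query parameters on the authorization request; the encoding itself happens in module code not visible in this diff, so this test is the place to lock it down. I would add a second assertion with a request value such as `x&y=z` expecting `foo=x%26y%3Dz` in the Location header, plus one where the request has no `foo` at all, to pin whether the parameter is omitted or sent empty. The test's request setup is outside this hunk.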
@@ -1181,8 +1181,8 @@
                        r->pool, err);
 
        TST_ASSERT_ERR("oidc_proto_validate_jwt",
-                       oidc_proto_validate_jwt(r, jwt, s_issuer, TRUE, TRUE, 
10, OIDC_TOKEN_BINDING_POLICY_DISABLED), r->pool,
-                       err);
+                       oidc_proto_validate_jwt(r, jwt, s_issuer, TRUE, TRUE, 
10, OIDC_TOKEN_BINDING_POLICY_DISABLED),
+                       r->pool, err);
 
        oidc_jwk_destroy(jwk);
        oidc_jwt_destroy(jwt);
@@ -1198,38 +1198,46 @@
        r->unparsed_uri = apr_pstrcat(r->pool, r->uri, "?", r->args, NULL);
 
        url = oidc_get_current_url(r);
-       TST_ASSERT_STR("test_current_url (1)", url, 
"https://www.example.com/test?foo=bar&param1=value1";);
+       TST_ASSERT_STR("test_current_url (1)", url,
+                       "https://www.example.com/test?foo=bar&param1=value1";);
 
        apr_table_set(r->headers_in, "X-Forwarded-Host", "www.outer.com");
        url = oidc_get_current_url(r);
-       TST_ASSERT_STR("test_current_url (2)", url, 
"https://www.outer.com/test?foo=bar&param1=value1";);
+       TST_ASSERT_STR("test_current_url (2)", url,
+                       "https://www.outer.com/test?foo=bar&param1=value1";);
 
        apr_table_set(r->headers_in, "X-Forwarded-Host", "www.outer.com:654");
        url = oidc_get_current_url(r);
-       TST_ASSERT_STR("test_current_url (3)", url, 
"https://www.outer.com:654/test?foo=bar&param1=value1";);
+       TST_ASSERT_STR("test_current_url (3)", url,
+                       "https://www.outer.com:654/test?foo=bar&param1=value1";);
 
        apr_table_set(r->headers_in, "X-Forwarded-Port", "321");
        url = oidc_get_current_url(r);
-       TST_ASSERT_STR("test_current_url (4)", url, 
"https://www.outer.com:321/test?foo=bar&param1=value1";);
+       TST_ASSERT_STR("test_current_url (4)", url,
+                       "https://www.outer.com:321/test?foo=bar&param1=value1";);
 
        apr_table_set(r->headers_in, "X-Forwarded-Proto", "http");
        url = oidc_get_current_url(r);
-       TST_ASSERT_STR("test_current_url (5)", url, 
"http://www.outer.com:321/test?foo=bar&param1=value1";);
+       TST_ASSERT_STR("test_current_url (5)", url,
+                       "http://www.outer.com:321/test?foo=bar&param1=value1";);
 
        apr_table_set(r->headers_in, "X-Forwarded-Proto", "https , http");
        url = oidc_get_current_url(r);
-       TST_ASSERT_STR("test_current_url (6)", url, 
"https://www.outer.com:321/test?foo=bar&param1=value1";);
+       TST_ASSERT_STR("test_current_url (6)", url,
+                       "https://www.outer.com:321/test?foo=bar&param1=value1";);
 
        apr_table_unset(r->headers_in, "X-Forwarded-Host");
        apr_table_unset(r->headers_in, "X-Forwarded-Port");
        url = oidc_get_current_url(r);
-       TST_ASSERT_STR("test_current_url (7)", url, 
"https://www.example.com/test?foo=bar&param1=value1";);
+       TST_ASSERT_STR("test_current_url (7)", url,
+                       "https://www.example.com/test?foo=bar&param1=value1";);
 
        apr_table_set(r->headers_in, "X-Forwarded-Proto", "http ");
        apr_table_set(r->headers_in, "Host", "remotehost:8380");
        r->uri = "http://remotehost:8380/private/";;
        url = oidc_get_current_url(r);
-       TST_ASSERT_STR("test_current_url (8)", url, 
"http://remotehost:8380/private/?foo=bar&param1=value1";);
+       TST_ASSERT_STR("test_current_url (8)", url,
+                       
"http://remotehost:8380/private/?foo=bar&param1=value1";);
 
        return 0;
 }

