Hello community,
here is the log from the commit of package apache2-mod_auth_openidc for
openSUSE:Factory checked in at 2020-03-03 10:17:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc"
Tue Mar 3 10:17:41 2020 rev:8 rq:780843 version:2.4.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes
2019-10-30 14:49:11.778270170 +0100
+++
/work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.26092/apache2-mod_auth_openidc.changes
2020-03-03 10:18:59.322991549 +0100
@@ -1,0 +2,7 @@
+Fri Jan 31 14:01:12 UTC 2020 - Michael Ströder <[email protected]>
+
+- Update to version 2.4.1
+ * This release primarily addresses upcoming changes in
+ SameSite Set-Cookie behaviour in Chrome and Firefox
+
+-------------------------------------------------------------------
Old:
----
apache2-mod_auth_openidc-2.4.0.3.tar.gz
New:
----
apache2-mod_auth_openidc-2.4.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.eLtx5t/_old 2020-03-03 10:19:00.502993990 +0100
+++ /var/tmp/diff_new_pack.eLtx5t/_new 2020-03-03 10:19:00.506993998 +0100
@@ -19,7 +19,7 @@
%define apxs %{_sbindir}/apxs2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
Name: apache2-mod_auth_openidc
-Version: 2.4.0.3
+Version: 2.4.1
Release: 0
Summary: Apache2.x module for an OpenID Connect enabled Identity
Provider
License: Apache-2.0
++++++ apache2-mod_auth_openidc-2.4.0.3.tar.gz ->
apache2-mod_auth_openidc-2.4.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/.gitignore
new/mod_auth_openidc-2.4.1/.gitignore
--- old/mod_auth_openidc-2.4.0.3/.gitignore 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/.gitignore 2020-01-30 07:54:42.000000000
+0100
@@ -19,3 +19,4 @@
/missing
/.settings/
/.autotools
+/.vscode/
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/AUTHORS
new/mod_auth_openidc-2.4.1/AUTHORS
--- old/mod_auth_openidc-2.4.0.3/AUTHORS 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/AUTHORS 2020-01-30 07:54:42.000000000 +0100
@@ -55,5 +55,7 @@
Ricardo Martin Camarero <https://github.com/rickyepoderi>
Filip Vujicic <https://github.com/FilipVujicic>
Janusz Ulanowski <https://github.com/janul>
- AIMOTO Norihito
-
+ Aimoto Norihito <https://github.com/oss-aimoto>
+ Andy Lindeman <https://github.com/alindeman>
+ Stefan Wachter <https://github.com/swachter>
+ Paolo Battino
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/ChangeLog
new/mod_auth_openidc-2.4.1/ChangeLog
--- old/mod_auth_openidc-2.4.0.3/ChangeLog 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/ChangeLog 2020-01-30 07:54:42.000000000
+0100
@@ -1,6 +1,49 @@
+01/30/2020
+- try to fix graceful restart crash; see #458
+- release 2.4.1
+
+01/29/2020
+- always add a SameSite value to the Set-Cookie header to satisfy upcoming
Chrome/Firefox changes
+ this can be overridden by using, e.g.:
+ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+- release 2.4.1rc6
+
+01/22/2020
+- URL encode logout url in session management JS; thanks Paolo Battino
+- bump to 2.4.1rc5
+
+01/15/2020
+- add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
+ useful for handling changing/upcoming SameSite behaviors across different
browsers, e.g.:
+ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=SameSite=None
+- bump to 2.4.1rc4
+
+01/08/2020
+- support 407 option on OIDCUnAuthAction
+
+12/09/2019
+- fix parsing of values from metadata files when the default is non-NULL (e.g.
UNSET)
+- enforce OIDCIDTokenSignedResponseAlg and OIDCUserInfoSignedResponseAlg; see
#435
+- bump to 2.4.1rc2
+- support login with OIDC session management; address #456
+- bump to 2.4.1rc3
+
+12/05/2019
+- add the possibility to use a public key instead of a certificate for
OIDCPublicKeyFiles parameter
+- added an alpine dockerfile =~ 20MB container size
+
+12/04/2019
+- return 200 OK for backchannel logout if session not found
+- bump to 2.4.1rc1
+
+11/19/2019
+- make cleaning of expired state cookies log with a warning rather than an
error; thanks Pavel Drobov
+- bump to 2.4.1rc0
+
10/03/2019
- improve validation of the post-logout URL parameter on logout; thanks AIMOTO
Norihito; closes #449
- release 2.4.0.3
+- clear any existing chunked cookies when setting a non-chunked cookie;
prevents login loops in some scenarios
08/28/2019
- fixes #447 #441 : changed storing POST params from localStorage to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/Dockerfile
new/mod_auth_openidc-2.4.1/Dockerfile
--- old/mod_auth_openidc-2.4.0.3/Dockerfile 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/Dockerfile 2020-01-30 07:54:42.000000000
+0100
@@ -26,7 +26,7 @@
RUN ./autogen.sh
RUN ./configure CFLAGS="-g -O0" LDFLAGS="-lrt"
#-I/usr/include/apache2
-RUN make test
+RUN make clean && make test
RUN make install
WORKDIR /root
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/Dockerfile-alpine
new/mod_auth_openidc-2.4.1/Dockerfile-alpine
--- old/mod_auth_openidc-2.4.0.3/Dockerfile-alpine 1970-01-01
01:00:00.000000000 +0100
+++ new/mod_auth_openidc-2.4.1/Dockerfile-alpine 2020-01-30
07:54:42.000000000 +0100
@@ -0,0 +1,62 @@
+FROM alpine:3.10
+
+ENV BUILD_DIR /tmp/mod_auth_openidc
+
+ENV APACHE_LOG_DIR /var/log/apache2
+
+ENV APACHE_DEFAULT_CONF /etc/apache2/httpd.conf
+
+# add testing repository (for cjose library)
+RUN echo "http://nl.alpinelinux.org/alpine/edge/testing"; >>
/etc/apk/repositories
+
+# ADD source
+RUN mkdir ${BUILD_DIR}
+
+COPY . ${BUILD_DIR}
+
+# add dependencies, build and install mod_auth_openidc, need atomic operation
for image size
+RUN apk update && apk add --no-cache \
+ apache2 \
+ apache2-proxy \
+ wget \
+ jansson \
+ hiredis \
+ cjose \
+ cjose-dev \
+ git \
+ autoconf \
+ build-base \
+ automake \
+ curl \
+ apache2-dev \
+ curl-dev \
+ pcre-dev \
+ libtool \
+ && \
+ cd ${BUILD_DIR} && \
+ ./autogen.sh && \
+ ./configure CFLAGS="-g -O0" LDFLAGS="-lrt" && \
+ make test && \
+ make install && \
+ cd -- && \
+ rm -fr ${BUILD_DIR} && \
+ apk del git cjose-dev apache2-dev autoconf automake build-base wget curl-dev
pcre-dev libtool
+
+# configure apache
+RUN apk add --no-cache sed && \
+ echo "LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so"
>> ${APACHE_DEFAULT_CONF} && \
+ ln -sfT /dev/stderr "${APACHE_LOG_DIR}/error.log" && \
+ ln -sfT /dev/stdout "${APACHE_LOG_DIR}/access.log" && \
+ ln -sfT /dev/stdout "${APACHE_LOG_DIR}/other_vhosts_access.log" && \
+ chown -R --no-dereference "apache:users" "${APACHE_LOG_DIR}" && \
+ apk del sed
+
+# https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop
+# stop gracefully when docker stops, create issue with interactive mode
because it's the signal use by the docker engine on windows.
+STOPSIGNAL WINCH
+
+# port to expose, referes to the Listen 80 in the embedded httpd.conf
+EXPOSE 80
+
+# launch apache
+CMD exec /usr/sbin/httpd -D FOREGROUND -f ${APACHE_DEFAULT_CONF}
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/Makefile.in
new/mod_auth_openidc-2.4.1/Makefile.in
--- old/mod_auth_openidc-2.4.0.3/Makefile.in 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/Makefile.in 2020-01-30 07:54:42.000000000
+0100
@@ -46,6 +46,8 @@
test/test.c \
test/test-cmd.c \
test/stub.c \
+ test/public.pem \
+ test/certificate.pem \
configure \
configure.ac \
Makefile.in \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/auth_openidc.conf
new/mod_auth_openidc-2.4.1/auth_openidc.conf
--- old/mod_auth_openidc-2.4.0.3/auth_openidc.conf 2019-10-03
15:53:00.000000000 +0200
+++ new/mod_auth_openidc-2.4.1/auth_openidc.conf 2020-01-30
07:54:42.000000000 +0100
@@ -161,9 +161,9 @@
# NB: this can be overridden on a per-OP basis in the .conf file using the
key: auth_request_method
# OIDCProviderAuthRequestMethod [ GET | POST ]
-# The fully qualified names of the files that contain the PEM-formatted X.509
certificates
+# The fully qualified names of the files that contain the PEM-formatted RSA
Public key or a X.509 certificates
# that contain the RSA public keys to be used for JWT (OP state/id_token)
encryption by the OP.
-# These keys must correspond to the private keys defined in
OIDCPrivateKeyFiles.
+# One of these keys must correspond to the private keys defined in
OIDCPrivateKeyFiles.
# When not defined no encryption will be requested.
# You can also prefix <filename> with a JWK key identifier to manually
override the automatically
# generated "kid" that will be used for this key in the JWKs derived from this
certificate and
@@ -746,11 +746,12 @@
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or
Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
+# "407" means that HTTP 407 Proxy Authentication Required is returned
# "410" means that HTTP 410 Gone is returned
# "pass" means that an unauthenticated request will pass but claims will still
be passed when a user happens to be authenticated already
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript
calls and for "anonymous access"
# When not defined the default "auth" is used.
-#OIDCUnAuthAction [auth|pass|401|410]
+#OIDCUnAuthAction [auth|pass|401|407|410]
# Defines the action to be taken when an unauthorized request is made i.e. the
user is authenticated but
# does not meet the `Require claim *:*` directives or similar.
@@ -792,7 +793,8 @@
# Also used in a single provider setup with OIDCProviderMetadatURL but 0 then
means the default of 1 day.
#OIDCProviderMetadataRefreshInterval <seconds>
-# Define the data that will be returned upon calling the info hook (i.e.
<redirect_uri>?info=json)
+# Define the data that will be returned upon calling the info hook.
+# The data can be JSON formatted using <redirect_uri>?info=json, or HTML
formatted, using <redirect_uri>?info=html.
# iat (int) : Unix timestamp indicating when this data was
created
# access_token (string) : the access token
# access_token_expires (int) : the Unix timestamp which is a hint about when
the access token will expire (as indicated by the OP)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/configure.ac
new/mod_auth_openidc-2.4.1/configure.ac
--- old/mod_auth_openidc-2.4.0.3/configure.ac 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/configure.ac 2020-01-30 07:54:42.000000000
+0100
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.0.3],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.1],[[email protected]])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/openidc.conf
new/mod_auth_openidc-2.4.1/openidc.conf
--- old/mod_auth_openidc-2.4.0.3/openidc.conf 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/openidc.conf 2020-01-30 07:54:42.000000000
+0100
@@ -2,16 +2,16 @@
LogLevel auth_openidc:debug
## docker
-#LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
-#OIDCProviderMetadataURL
https://host.docker.internal:9031/.well-known/openid-configuration
-#OIDCPublicKeyFiles Aenckeykid#/etc/ssl/certs/ssl-cert-snakeoil.pem
-#OIDCPrivateKeyFiles Aenckeykid#/etc/ssl/private/ssl-cert-snakeoil.key
+LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
+OIDCProviderMetadataURL
https://host.docker.internal:9031/.well-known/openid-configuration
+OIDCPublicKeyFiles Aenckeykid#/etc/ssl/certs/ssl-cert-snakeoil.pem
+OIDCPrivateKeyFiles Aenckeykid#/etc/ssl/private/ssl-cert-snakeoil.key
## native
-LoadModule auth_openidc_module lib/apache2/modules/mod_auth_openidc.so
-OIDCProviderMetadataURL https://localhost:9031/.well-known/openid-configuration
-OIDCPublicKeyFiles Aenckeykid#/opt/local/etc/apache2/server.crt
-OIDCPrivateKeyFiles Aenckeykid#/opt/local/etc/apache2/server.key
+#LoadModule auth_openidc_module lib/apache2/modules/mod_auth_openidc.so
+#OIDCProviderMetadataURL
https://localhost:9031/.well-known/openid-configuration
+#OIDCPublicKeyFiles Aenckeykid#/opt/local/etc/apache2/server.crt
+#OIDCPrivateKeyFiles Aenckeykid#/opt/local/etc/apache2/server.key
OIDCRedirectURI /protected/
OIDCSSLValidateServer Off
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/cache/common.c
new/mod_auth_openidc-2.4.1/src/cache/common.c
--- old/mod_auth_openidc-2.4.0.3/src/cache/common.c 2019-10-03
15:53:00.000000000 +0200
+++ new/mod_auth_openidc-2.4.1/src/cache/common.c 2020-01-30
07:54:42.000000000 +0100
@@ -132,6 +132,8 @@
}
#endif
+ apr_global_mutex_lock(m->mutex);
+
rv = apr_shm_create(&m->shm, sizeof(int), NULL, s->process->pool);
if (rv != APR_SUCCESS) {
oidc_serror(s, "apr_shm_create failed to create shared memory
segment");
@@ -141,6 +143,8 @@
m->sema = apr_shm_baseaddr_get(m->shm);
*m->sema = 1;
+ apr_global_mutex_unlock(m->mutex);
+
return TRUE;
}
@@ -210,19 +214,25 @@
apr_global_mutex_lock(m->mutex);
(*m->sema)--;
//oidc_sdebug(s, "semaphore: %d (m=%pp,s=%pp)", *m->sema,
m->mutex, s);
- apr_global_mutex_unlock(m->mutex);
if ((m->shm != NULL) && (*m->sema == 0)) {
- rv = apr_global_mutex_destroy(m->mutex);
- oidc_sdebug(s, "apr_global_mutex_destroy returned :%d",
rv);
- m->mutex = NULL;
-
rv = apr_shm_destroy(m->shm);
oidc_sdebug(s, "apr_shm_destroy for semaphore returned:
%d", rv);
m->shm = NULL;
+ apr_global_mutex_unlock(m->mutex);
+
+ rv = apr_global_mutex_destroy(m->mutex);
+ oidc_sdebug(s, "apr_global_mutex_destroy returned :%d",
rv);
+ m->mutex = NULL;
+
rv = APR_SUCCESS;
+
+ } else {
+
+ apr_global_mutex_unlock(m->mutex);
+
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/cache/shm.c
new/mod_auth_openidc-2.4.1/src/cache/shm.c
--- old/mod_auth_openidc-2.4.0.3/src/cache/shm.c 2019-10-03
15:53:00.000000000 +0200
+++ new/mod_auth_openidc-2.4.1/src/cache/shm.c 2020-01-30 07:54:42.000000000
+0100
@@ -340,6 +340,9 @@
oidc_cache_cfg_shm_t *context = (oidc_cache_cfg_shm_t *) cfg->cache_cfg;
apr_status_t rv = APR_SUCCESS;
+ if (context == NULL)
+ return rv;
+
if (context->shm) {
oidc_cache_mutex_lock(s, context->mutex);
if (*context->mutex->sema == 1) {
@@ -350,7 +353,11 @@
oidc_cache_mutex_unlock(s, context->mutex);
}
+ if (context->mutex == NULL)
+ return rv;
+
oidc_cache_mutex_destroy(s, context->mutex);
+ context->mutex = NULL;
return rv;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/config.c
new/mod_auth_openidc-2.4.1/src/config.c
--- old/mod_auth_openidc-2.4.0.3/src/config.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/config.c 2020-01-30 07:54:42.000000000
+0100
@@ -1076,6 +1076,53 @@
return dir_cfg->logout_on_error_refresh;
}
+void oidc_cfg_provider_init(oidc_provider_t *provider) {
+ provider->metadata_url = NULL;
+ provider->issuer = NULL;
+ provider->authorization_endpoint_url = NULL;
+ provider->token_endpoint_url = NULL;
+ provider->token_endpoint_auth = NULL;
+ provider->token_endpoint_params = NULL;
+ provider->userinfo_endpoint_url = NULL;
+ provider->revocation_endpoint_url = NULL;
+ provider->client_id = NULL;
+ provider->client_secret = NULL;
+ provider->token_endpoint_tls_client_cert = NULL;
+ provider->token_endpoint_tls_client_key = NULL;
+ provider->registration_endpoint_url = NULL;
+ provider->registration_endpoint_json = NULL;
+ provider->check_session_iframe = NULL;
+ provider->end_session_endpoint = NULL;
+ provider->jwks_uri = NULL;
+ provider->backchannel_logout_supported = OIDC_CONFIG_POS_INT_UNSET;
+
+ provider->ssl_validate_server = OIDC_DEFAULT_SSL_VALIDATE_SERVER;
+ provider->client_name = OIDC_DEFAULT_CLIENT_NAME;
+ provider->client_contact = NULL;
+ provider->registration_token = NULL;
+ provider->scope = OIDC_DEFAULT_SCOPE;
+ provider->response_type = OIDC_DEFAULT_RESPONSE_TYPE;
+ provider->response_mode = NULL;
+ provider->jwks_refresh_interval = OIDC_DEFAULT_JWKS_REFRESH_INTERVAL;
+ provider->idtoken_iat_slack = OIDC_DEFAULT_IDTOKEN_IAT_SLACK;
+ provider->session_max_duration = OIDC_DEFAULT_SESSION_MAX_DURATION;
+ provider->auth_request_params = NULL;
+ provider->pkce = NULL;
+
+ provider->client_jwks_uri = NULL;
+ provider->client_signing_keys = NULL;
+ provider->client_encryption_keys = NULL;
+
+ provider->id_token_signed_response_alg = NULL;
+ provider->id_token_encrypted_response_alg = NULL;
+ provider->id_token_encrypted_response_enc = NULL;
+ provider->userinfo_signed_response_alg = NULL;
+ provider->userinfo_encrypted_response_alg = NULL;
+ provider->userinfo_encrypted_response_enc = NULL;
+ provider->userinfo_token_method = OIDC_USER_INFO_TOKEN_METHOD_HEADER;
+ provider->auth_request_method = OIDC_DEFAULT_AUTH_REQUEST_METHOD;
+}
+
/*
* create a new server config record with defaults
*/
@@ -1090,50 +1137,7 @@
c->public_keys = NULL;
c->private_keys = NULL;
- c->provider.metadata_url = NULL;
- c->provider.issuer = NULL;
- c->provider.authorization_endpoint_url = NULL;
- c->provider.token_endpoint_url = NULL;
- c->provider.token_endpoint_auth = NULL;
- c->provider.token_endpoint_params = NULL;
- c->provider.userinfo_endpoint_url = NULL;
- c->provider.revocation_endpoint_url = NULL;
- c->provider.client_id = NULL;
- c->provider.client_secret = NULL;
- c->provider.token_endpoint_tls_client_cert = NULL;
- c->provider.token_endpoint_tls_client_key = NULL;
- c->provider.registration_endpoint_url = NULL;
- c->provider.registration_endpoint_json = NULL;
- c->provider.check_session_iframe = NULL;
- c->provider.end_session_endpoint = NULL;
- c->provider.jwks_uri = NULL;
- c->provider.backchannel_logout_supported = OIDC_CONFIG_POS_INT_UNSET;
-
- c->provider.ssl_validate_server = OIDC_DEFAULT_SSL_VALIDATE_SERVER;
- c->provider.client_name = OIDC_DEFAULT_CLIENT_NAME;
- c->provider.client_contact = NULL;
- c->provider.registration_token = NULL;
- c->provider.scope = OIDC_DEFAULT_SCOPE;
- c->provider.response_type = OIDC_DEFAULT_RESPONSE_TYPE;
- c->provider.response_mode = NULL;
- c->provider.jwks_refresh_interval = OIDC_DEFAULT_JWKS_REFRESH_INTERVAL;
- c->provider.idtoken_iat_slack = OIDC_DEFAULT_IDTOKEN_IAT_SLACK;
- c->provider.session_max_duration = OIDC_DEFAULT_SESSION_MAX_DURATION;
- c->provider.auth_request_params = NULL;
- c->provider.pkce = NULL;
-
- c->provider.client_jwks_uri = NULL;
- c->provider.client_signing_keys = NULL;
- c->provider.client_encryption_keys = NULL;
-
- c->provider.id_token_signed_response_alg = NULL;
- c->provider.id_token_encrypted_response_alg = NULL;
- c->provider.id_token_encrypted_response_enc = NULL;
- c->provider.userinfo_signed_response_alg = NULL;
- c->provider.userinfo_encrypted_response_alg = NULL;
- c->provider.userinfo_encrypted_response_enc = NULL;
- c->provider.userinfo_token_method = OIDC_USER_INFO_TOKEN_METHOD_HEADER;
- c->provider.auth_request_method = OIDC_DEFAULT_AUTH_REQUEST_METHOD;
+ oidc_cfg_provider_init(&c->provider);
c->oauth.ssl_validate_server = OIDC_DEFAULT_SSL_VALIDATE_SERVER;
c->oauth.metadata_url = NULL;
@@ -2574,7 +2578,7 @@
oidc_set_signed_response_alg,
(void *)APR_OFFSETOF(oidc_cfg,
provider.id_token_signed_response_alg),
RSRC_CONF,
- "The algorithm that the OP should use to sign
the id_token (used only in dynamic client registration); must be one of
[RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512]"),
+ "The algorithm that the OP must use to sign the
ID token."),
AP_INIT_TAKE1(OIDCIDTokenEncryptedResponseAlg,
oidc_set_encrypted_response_alg,
(void *)APR_OFFSETOF(oidc_cfg,
provider.id_token_encrypted_response_alg),
@@ -2974,7 +2978,7 @@
oidc_set_unauth_action,
(void *) APR_OFFSETOF(oidc_dir_cfg,
unauth_action),
RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
- "Sets the action taken when an unauthenticated
request occurs: must be one of \"auth\" (default), \"pass\" , \"401\" or
\"410\"."),
+ "Sets the action taken when an unauthenticated
request occurs: must be one of \"auth\" (default), \"pass\" , \"401\", \"407\",
or \"410\"."),
AP_INIT_TAKE1(OIDCUnAutzAction,
oidc_set_unautz_action,
(void *) APR_OFFSETOF(oidc_dir_cfg,
unautz_action),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/jose.c
new/mod_auth_openidc-2.4.1/src/jose.c
--- old/mod_auth_openidc-2.4.0.3/src/jose.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/jose.c 2020-01-30 07:54:42.000000000
+0100
@@ -1076,15 +1076,15 @@
}
/*
- * convert the RSA public key in the X.509 certificate in the BIO pointed to
+ * convert the RSA public key - eventually in a X.509 certificate - in the BIO
pointed to
* by "input" to a JSON Web Key object
*/
-static apr_byte_t oidc_jwk_rsa_bio_to_jwk(apr_pool_t *pool, BIO *input,
+apr_byte_t oidc_jwk_rsa_bio_to_jwk(apr_pool_t *pool, BIO *input,
const char *kid, cjose_jwk_t **jwk, int is_private_key,
oidc_jose_error_t *err) {
X509 *x509 = NULL;
- EVP_PKEY *pkey = NULL;
+ EVP_PKEY *pkey = NULL;
apr_byte_t rv = FALSE;
cjose_jwk_rsa_keyspec key_spec;
@@ -1097,15 +1097,20 @@
goto end;
}
} else {
- /* read the X.509 struct */
- if ((x509 = PEM_read_bio_X509_AUX(input, NULL, NULL, NULL)) ==
NULL) {
- oidc_jose_error_openssl(err, "PEM_read_bio_X509_AUX");
- goto end;
- }
- /* get the public key struct from the X.509 struct */
- if ((pkey = X509_get_pubkey(x509)) == NULL) {
- oidc_jose_error_openssl(err, "X509_get_pubkey");
- goto end;
+ /* read public key */
+ if ((pkey = PEM_read_bio_PUBKEY(input, NULL, NULL, NULL)) ==
NULL) {
+ /* not a public key - reset the buffer */
+ BIO_reset(input);
+ /* read the X.509 struct - assume input is no public
key */
+ if ((x509 = PEM_read_bio_X509_AUX(input, NULL, NULL,
NULL)) == NULL) {
+ oidc_jose_error_openssl(err,
"PEM_read_bio_X509_AUX");
+ goto end;
+ }
+ /* get the public key struct from the X.509 struct */
+ if ((pkey = X509_get_pubkey(x509)) == NULL) {
+ oidc_jose_error_openssl(err, "X509_get_pubkey");
+ goto end;
+ }
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/jose.h
new/mod_auth_openidc-2.4.1/src/jose.h
--- old/mod_auth_openidc-2.4.0.3/src/jose.h 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/jose.h 2020-01-30 07:54:42.000000000
+0100
@@ -249,4 +249,8 @@
/* return the key size for an algorithm */
unsigned int oidc_alg2keysize(const char *alg);
+apr_byte_t oidc_jwk_rsa_bio_to_jwk(apr_pool_t *pool, BIO *input,
+ const char *kid, cjose_jwk_t **jwk, int is_private_key,
+ oidc_jose_error_t *err);
+
#endif /* MOD_AUTH_OPENIDC_JOSE_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/metadata.c
new/mod_auth_openidc-2.4.1/src/metadata.c
--- old/mod_auth_openidc-2.4.0.3/src/metadata.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/metadata.c 2020-01-30 07:54:42.000000000
+0100
@@ -1446,6 +1446,7 @@
/* allocate space for a parsed-and-merged metadata struct */
*provider = apr_pcalloc(r->pool, sizeof(oidc_provider_t));
+ oidc_cfg_provider_init(*provider);
/*
* read and parse the provider, conf and client metadata respectively
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/mod_auth_openidc.c
new/mod_auth_openidc-2.4.1/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.4.0.3/src/mod_auth_openidc.c 2019-10-03
15:53:00.000000000 +0200
+++ new/mod_auth_openidc-2.4.1/src/mod_auth_openidc.c 2020-01-30
07:54:42.000000000 +0100
@@ -666,7 +666,7 @@
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval,
provider->ssl_validate_server };
if (oidc_proto_jwt_verify(r, c, jwt, &jwks_uri,
- oidc_util_merge_symmetric_key(r->pool, NULL, jwk)) ==
FALSE) {
+ oidc_util_merge_symmetric_key(r->pool, NULL, jwk),
NULL) == FALSE) {
oidc_error(r, "state JWT could not be validated, aborting");
oidc_jwt_destroy(jwt);
return FALSE;
@@ -757,7 +757,7 @@
json_int_t ts =
oidc_proto_state_get_timestamp(
proto_state);
if (apr_time_now() > ts
+ apr_time_from_sec(c->state_timeout)) {
- oidc_error(r,
+ oidc_warn(r,
"state (%s) has expired (original_url=%s)",
cookieName,
oidc_proto_state_get_original_url(
@@ -921,7 +921,9 @@
/* set it as a cookie */
oidc_util_set_cookie(r, cookieName, cookieValue, -1,
- c->cookie_same_site ? OIDC_COOKIE_EXT_SAME_SITE_LAX :
NULL);
+ c->cookie_same_site ?
+ OIDC_COOKIE_EXT_SAME_SITE_LAX :
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
return HTTP_OK;
}
@@ -1049,6 +1051,8 @@
switch (oidc_dir_cfg_unauth_action(r)) {
case OIDC_UNAUTH_RETURN410:
return HTTP_GONE;
+ case OIDC_UNAUTH_RETURN407:
+ return HTTP_PROXY_AUTHENTICATION_REQUIRED;
case OIDC_UNAUTH_RETURN401:
return HTTP_UNAUTHORIZED;
case OIDC_UNAUTH_PASS:
@@ -2262,7 +2266,7 @@
oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
cfg->cookie_same_site ?
OIDC_COOKIE_EXT_SAME_SITE_STRICT :
- NULL);
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
/* see if we need to preserve POST parameters through
Javascript/HTML5 storage */
if (oidc_post_preserve_javascript(r, url, NULL, NULL) == TRUE)
@@ -2355,7 +2359,9 @@
s = apr_psprintf(r->pool, "%s</form>\n", s);
oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1,
- cfg->cookie_same_site ?
OIDC_COOKIE_EXT_SAME_SITE_STRICT : NULL);
+ cfg->cookie_same_site ?
+ OIDC_COOKIE_EXT_SAME_SITE_STRICT :
+ OIDC_COOKIE_EXT_SAME_SITE_NONE);
char *javascript = NULL, *javascript_method = NULL;
char *html_head =
@@ -2894,7 +2900,8 @@
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval,
provider->ssl_validate_server };
if (oidc_proto_jwt_verify(r, cfg, jwt, &jwks_uri,
- oidc_util_merge_symmetric_key(r->pool, NULL, jwk)) ==
FALSE) {
+ oidc_util_merge_symmetric_key(r->pool, NULL, jwk),
+ provider->id_token_signed_response_alg) == FALSE) {
oidc_error(r, "id_token signature could not be validated,
aborting");
goto out;
@@ -2993,6 +3000,9 @@
oidc_error(r,
"could not find session based on sid/sub
provided in logout token: %s",
sid);
+ // return HTTP 200 according to (new?) spec and terminate early
+ // to avoid Apache returning auth/authz error 500 for the
redirect URI
+ rc = DONE;
goto out;
}
@@ -3063,6 +3073,14 @@
url);
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
+ } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc =
+ apr_psprintf(r->pool,
+ "No hostname was parsed and
starting with '/\\': %s",
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
}
/* validate the URL to prevent HTTP header splitting */
@@ -3208,7 +3226,10 @@
const char *java_script =
" <script type=\"text/javascript\">\n"
" var targetOrigin = '%s';\n"
- " var message = '%s' + ' ' + '%s';\n"
+ " var clientId = '%s';\n"
+ " var sessionId = '%s';\n"
+ " var loginUrl = '%s';\n"
+ " var message = clientId + ' ' + sessionId;\n"
" var timerID;\n"
"\n"
" function checkSession() {\n"
@@ -3230,10 +3251,14 @@
" }\n"
" if (e.data != 'unchanged') {\n"
" clearInterval(timerID);\n"
- " if (e.data == 'changed') {\n"
- " window.location.href =
'%s?session=check';\n"
- " } else {\n"
- " window.location.href =
'%s?session=logout';\n"
+ " if (e.data == 'changed' && sessionId == '' )
{\n"
+ " // 'changed' + no session:
enforce a login (if we have a login url...)\n"
+ " if (loginUrl != '') {\n"
+ " window.top.location.replace(loginUrl);\n"
+ " }\n"
+ " } else {\n"
+ " // either 'changed' + active session, or
'error': enforce a logout\n"
+ " window.top.location.replace('%s?logout='
+ encodeURIComponent(window.top.location.href));\n"
" }\n"
" }\n"
" }\n"
@@ -3257,7 +3282,7 @@
if (session_state == NULL) {
oidc_warn(r,
"no session_state found in the session; the OP
does probably not support session management!?");
- return OK;
+ //return OK;
}
char *s_poll_interval = NULL;
@@ -3266,10 +3291,14 @@
if ((poll_interval <= 0) || (poll_interval > 3600 * 24))
poll_interval = 3000;
+ char *login_uri = NULL;
+ oidc_util_get_request_parameter(r, "login_uri", &login_uri);
+
const char *redirect_uri = oidc_get_redirect_uri(r, c);
+
java_script = apr_psprintf(r->pool, java_script, origin, client_id,
- session_state, op_iframe_id, poll_interval,
redirect_uri,
- redirect_uri);
+ session_state ? session_state : "", login_uri ?
login_uri : "",
+ op_iframe_id, poll_interval,
redirect_uri, redirect_uri);
return oidc_util_html_send(r, NULL, java_script, "setTimer", NULL, OK);
}
@@ -3297,7 +3326,11 @@
return oidc_handle_logout_request(r, c, session,
c->default_slo_url);
}
- oidc_get_provider_from_session(r, c, session, &provider);
+ if (oidc_get_provider_from_session(r, c, session, &provider) == FALSE) {
+ if ((oidc_provider_static_config(r, c, &provider) == FALSE)
+ || (provider == NULL))
+ return HTTP_NOT_FOUND;
+ }
/* see if this is a request for the OP iframe */
if (apr_strnatcmp("iframe_op", cmd) == 0) {
@@ -3324,23 +3357,17 @@
/* see if this is a request check the login state with the OP */
if (apr_strnatcmp("check", cmd) == 0) {
id_token_hint = oidc_session_get_idtoken(r, session);
- if ((session->remote_user != NULL) && (provider != NULL)) {
- /*
- * TODO: this doesn't work with per-path provided
auth_request_params and scopes
- * as oidc_dir_cfg_path_auth_request_params and
oidc_dir_cfg_path_scope will pick
- * those for the redirect_uri itself; do we need
to store those as part of the
- * session now?
- */
- return oidc_authenticate_user(r, c, provider,
- apr_psprintf(r->pool,
"%s?session=iframe_rp",
-
oidc_get_redirect_uri_iss(r, c, provider)), NULL,
- id_token_hint, "none",
-
oidc_dir_cfg_path_auth_request_params(r),
-
oidc_dir_cfg_path_scope(r));
- }
- oidc_debug(r,
- "[session=check] calling
oidc_handle_logout_request because no session found.");
- return oidc_session_redirect_parent_window_to_logout(r, c);
+ /*
+ * TODO: this doesn't work with per-path provided
auth_request_params and scopes
+ * as oidc_dir_cfg_path_auth_request_params and
oidc_dir_cfg_path_scope will pick
+ * those for the redirect_uri itself; do we need to store
those as part of the
+ * session now?
+ */
+ return oidc_authenticate_user(r, c, provider,
+ apr_psprintf(r->pool, "%s?session=iframe_rp",
+ oidc_get_redirect_uri_iss(r, c,
provider)), NULL,
+ id_token_hint, "none",
oidc_dir_cfg_path_auth_request_params(r),
+ oidc_dir_cfg_path_scope(r));
}
/* handle failure in fallthrough */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/mod_auth_openidc.h
new/mod_auth_openidc-2.4.1/src/mod_auth_openidc.h
--- old/mod_auth_openidc-2.4.0.3/src/mod_auth_openidc.h 2019-10-03
15:53:00.000000000 +0200
+++ new/mod_auth_openidc-2.4.1/src/mod_auth_openidc.h 2020-01-30
07:54:42.000000000 +0100
@@ -206,6 +206,7 @@
#define OIDC_UNAUTH_PASS 2
#define OIDC_UNAUTH_RETURN401 3
#define OIDC_UNAUTH_RETURN410 4
+#define OIDC_UNAUTH_RETURN407 5
#define OIDC_UNAUTZ_RETURN403 1
#define OIDC_UNAUTZ_RETURN401 2
@@ -218,6 +219,7 @@
#define OIDC_COOKIE_EXT_SAME_SITE_LAX "SameSite=Lax"
#define OIDC_COOKIE_EXT_SAME_SITE_STRICT "SameSite=Strict"
+#define OIDC_COOKIE_EXT_SAME_SITE_NONE "SameSite=None"
/* https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-01 */
#define OIDC_TB_CFG_PROVIDED_ENV_VAR "Sec-Provided-Token-Binding-ID"
@@ -639,7 +641,7 @@
apr_array_header_t *oidc_proto_supported_flows(apr_pool_t *pool);
apr_byte_t oidc_proto_flow_is_supported(apr_pool_t *pool, const char *flow);
apr_byte_t oidc_proto_validate_authorization_response(request_rec *r, const
char *response_type, const char *requested_response_mode, char **code, char
**id_token, char **access_token, char **token_type, const char
*used_response_mode);
-apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg *cfg, oidc_jwt_t
*jwt, const oidc_jwks_uri_t *jwks_uri, apr_hash_t *symmetric_keys);
+apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg *cfg, oidc_jwt_t
*jwt, const oidc_jwks_uri_t *jwks_uri, apr_hash_t *symmetric_keys, const char
*alg);
apr_byte_t oidc_proto_validate_jwt(request_rec *r, oidc_jwt_t *jwt, const char
*iss, apr_byte_t exp_is_mandatory, apr_byte_t iat_is_mandatory, int iat_slack,
int token_binding_policy);
apr_byte_t oidc_proto_generate_nonce(request_rec *r, char **nonce, int len);
apr_byte_t oidc_proto_validate_aud_and_azp(request_rec *r, oidc_cfg *cfg,
oidc_provider_t *provider, oidc_jwt_payload_t *id_token_payload);
@@ -718,6 +720,7 @@
int oidc_cfg_dir_refresh_access_token_before_expiry(request_rec *r);
int oidc_cfg_dir_logout_on_error_refresh(request_rec *r);
int oidc_cfg_delete_oldest_state_cookies(oidc_cfg *cfg);
+void oidc_cfg_provider_init(oidc_provider_t *provider);
// oidc_util.c
int oidc_strnenvcmp(const char *a, const char *b, int len);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/oauth.c
new/mod_auth_openidc-2.4.1/src/oauth.c
--- old/mod_auth_openidc-2.4.0.3/src/oauth.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/oauth.c 2020-01-30 07:54:42.000000000
+0100
@@ -642,7 +642,7 @@
c->provider.jwks_refresh_interval,
c->oauth.ssl_validate_server };
if (oidc_proto_jwt_verify(r, c, jwt, &jwks_uri,
oidc_util_merge_key_sets(r->pool,
c->oauth.verify_public_keys,
- c->oauth.verify_shared_keys)) == FALSE)
{
+ c->oauth.verify_shared_keys), NULL) ==
FALSE) {
oidc_error(r,
"JWT access token signature could not be
validated, aborting");
oidc_jwt_destroy(jwt);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/parse.c
new/mod_auth_openidc-2.4.1/src/parse.c
--- old/mod_auth_openidc-2.4.0.3/src/parse.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/parse.c 2020-01-30 07:54:42.000000000
+0100
@@ -986,6 +986,7 @@
#define OIDC_UNAUTH_ACTION_AUTH_STR "auth"
#define OIDC_UNAUTH_ACTION_PASS_STR "pass"
#define OIDC_UNAUTH_ACTION_401_STR "401"
+#define OIDC_UNAUTH_ACTION_407_STR "407"
#define OIDC_UNAUTH_ACTION_410_STR "410"
/*
@@ -997,6 +998,7 @@
OIDC_UNAUTH_ACTION_AUTH_STR,
OIDC_UNAUTH_ACTION_PASS_STR,
OIDC_UNAUTH_ACTION_401_STR,
+ OIDC_UNAUTH_ACTION_407_STR,
OIDC_UNAUTH_ACTION_410_STR,
NULL };
const char *rv = oidc_valid_string_option(pool, arg, options);
@@ -1009,6 +1011,8 @@
*action = OIDC_UNAUTH_PASS;
else if (apr_strnatcmp(arg, OIDC_UNAUTH_ACTION_401_STR) == 0)
*action = OIDC_UNAUTH_RETURN401;
+ else if (apr_strnatcmp(arg, OIDC_UNAUTH_ACTION_407_STR) == 0)
+ *action = OIDC_UNAUTH_RETURN407;
else if (apr_strnatcmp(arg, OIDC_UNAUTH_ACTION_410_STR) == 0)
*action = OIDC_UNAUTH_RETURN410;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/proto.c
new/mod_auth_openidc-2.4.1/src/proto.c
--- old/mod_auth_openidc-2.4.0.3/src/proto.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/proto.c 2020-01-30 07:54:42.000000000
+0100
@@ -1530,10 +1530,22 @@
* verify the signature on a JWT using the dynamically obtained and statically
configured keys
*/
apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg *cfg, oidc_jwt_t
*jwt,
- const oidc_jwks_uri_t *jwks_uri, apr_hash_t *static_keys) {
+ const oidc_jwks_uri_t *jwks_uri, apr_hash_t *static_keys,
+ const char *alg) {
oidc_jose_error_t err;
- apr_hash_t *dynamic_keys = apr_hash_make(r->pool);
+ apr_hash_t *dynamic_keys = NULL;
+
+ if (alg != NULL) {
+ if (apr_strnatcmp(jwt->header.alg, alg) != 0) {
+ oidc_error(r,
+ "JWT was not signed with the expected
configured algorithm: %s != %s",
+ jwt->header.alg, alg);
+ return FALSE;
+ }
+ }
+
+ dynamic_keys = apr_hash_make(r->pool);
/* see if we've got a JWKs URI set for signature validation with
dynamically obtained asymmetric keys */
if (jwks_uri->url == NULL) {
@@ -1650,7 +1662,8 @@
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval,
provider->ssl_validate_server };
if (oidc_proto_jwt_verify(r, cfg, *jwt, &jwks_uri,
- oidc_util_merge_symmetric_key(r->pool, NULL,
jwk)) == FALSE) {
+ oidc_util_merge_symmetric_key(r->pool, NULL,
jwk),
+ provider->id_token_signed_response_alg) ==
FALSE) {
oidc_error(r,
"id_token signature could not be
validated, aborting");
@@ -2150,7 +2163,8 @@
oidc_jwks_uri_t jwks_uri = { provider->jwks_uri,
provider->jwks_refresh_interval,
provider->ssl_validate_server };
if (oidc_proto_jwt_verify(r, cfg, jwt, &jwks_uri,
- oidc_util_merge_symmetric_key(r->pool, NULL,
jwk)) == FALSE) {
+ oidc_util_merge_symmetric_key(r->pool, NULL,
jwk),
+ provider->userinfo_signed_response_alg) ==
FALSE) {
oidc_error(r, "JWT signature could not be validated,
aborting");
oidc_jwt_destroy(jwt);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/session.c
new/mod_auth_openidc-2.4.1/src/session.c
--- old/mod_auth_openidc-2.4.0.3/src/session.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/session.c 2020-01-30 07:54:42.000000000
+0100
@@ -226,7 +226,7 @@
(first_time ?
OIDC_COOKIE_EXT_SAME_SITE_LAX :
OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
-
NULL);
+
OIDC_COOKIE_EXT_SAME_SITE_NONE);
} else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/src/util.c
new/mod_auth_openidc-2.4.1/src/util.c
--- old/mod_auth_openidc-2.4.0.3/src/util.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/src/util.c 2020-01-30 07:54:42.000000000
+0100
@@ -931,6 +931,27 @@
#define OIDC_COOKIE_MAX_SIZE 4093
+#define OIDC_SET_COOKIE_APPEND_ENV_VAR "OIDC_SET_COOKIE_APPEND"
+
+const char *oidc_util_set_cookie_append_value(request_rec *r, oidc_cfg *c) {
+ const char *env_var_value = NULL;
+
+ if (r->subprocess_env != NULL)
+ env_var_value = apr_table_get(r->subprocess_env,
+ OIDC_SET_COOKIE_APPEND_ENV_VAR);
+
+ if (env_var_value == NULL) {
+ oidc_debug(r, "no cookie append environment variable %s found",
+ OIDC_SET_COOKIE_APPEND_ENV_VAR);
+ return NULL;
+ }
+
+ oidc_debug(r, "cookie append environment variable %s=%s found",
+ OIDC_SET_COOKIE_APPEND_ENV_VAR, env_var_value);
+
+ return env_var_value;
+}
+
/*
* set a cookie in the HTTP response headers
*/
@@ -940,6 +961,7 @@
oidc_cfg *c = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
char *headerString, *expiresString = NULL;
+ const char *appendString = NULL;
/* see if we need to clear the cookie */
if (apr_strnatcmp(cookieValue, "") == 0)
@@ -975,7 +997,11 @@
headerString = apr_psprintf(r->pool, "%s; %s", headerString,
OIDC_COOKIE_FLAG_HTTP_ONLY);
- if (ext != NULL)
+ appendString = oidc_util_set_cookie_append_value(r, c);
+ if (appendString != NULL)
+ headerString = apr_psprintf(r->pool, "%s; %s", headerString,
+ appendString);
+ else if (ext != NULL)
headerString = apr_psprintf(r->pool, "%s; %s", headerString,
ext);
/* sanity check on overall cookie value size */
@@ -1097,6 +1123,23 @@
}
/*
+ * unset all chunked cookies, including the counter cookie, if they exist
+ */
+static void oidc_util_clear_chunked_cookie(request_rec *r,
+ const char *cookieName, apr_time_t expires, const char *ext) {
+ int i = 0;
+ int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+ if (chunkCount > 0) {
+ for (i = 0; i < chunkCount; i++)
+ oidc_util_set_cookie(r,
+ oidc_util_get_chunk_cookie_name(r,
cookieName, i), "",
+ expires, ext);
+ oidc_util_set_cookie(r, oidc_util_get_chunk_count_name(r,
cookieName),
+ "", expires, ext);
+ }
+}
+
+/*
* set a cookie value that is split over a number of chunked cookies
*/
void oidc_util_set_chunked_cookie(request_rec *r, const char *cookieName,
@@ -1104,28 +1147,20 @@
const char *ext) {
int i = 0;
int cookieLength = strlen(cookieValue);
- char *chunkCountName = oidc_util_get_chunk_count_name(r, cookieName);
char *chunkValue = NULL;
/* see if we need to chunk at all */
if ((chunkSize == 0)
|| ((cookieLength > 0) && (cookieLength < chunkSize))) {
oidc_util_set_cookie(r, cookieName, cookieValue, expires, ext);
+ oidc_util_clear_chunked_cookie(r, cookieName, expires, ext);
return;
}
/* see if we need to clear a possibly chunked cookie */
if (cookieLength == 0) {
- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
- if (chunkCount > 0) {
- for (i = 0; i < chunkCount; i++)
- oidc_util_set_cookie(r,
-
oidc_util_get_chunk_cookie_name(r, cookieName, i), "",
- expires, ext);
- oidc_util_set_cookie(r, chunkCountName, "", expires,
ext);
- } else {
- oidc_util_set_cookie(r, cookieName, "", expires, ext);
- }
+ oidc_util_set_cookie(r, cookieName, "", expires, ext);
+ oidc_util_clear_chunked_cookie(r, cookieName, expires, ext);
return;
}
@@ -1139,8 +1174,9 @@
oidc_util_get_chunk_cookie_name(r, cookieName,
i), chunkValue,
expires, ext);
};
- oidc_util_set_cookie(r, chunkCountName,
+ oidc_util_set_cookie(r, oidc_util_get_chunk_count_name(r, cookieName),
apr_psprintf(r->pool, "%d", chunkCountValue), expires,
ext);
+ oidc_util_set_cookie(r, cookieName, "", expires, ext);
}
/*
@@ -2598,4 +2634,3 @@
// TODO: we don't know which token binding the client supports, do we ?
return FALSE;
}
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/test/certificate.pem
new/mod_auth_openidc-2.4.1/test/certificate.pem
--- old/mod_auth_openidc-2.4.0.3/test/certificate.pem 1970-01-01
01:00:00.000000000 +0100
+++ new/mod_auth_openidc-2.4.1/test/certificate.pem 2020-01-30
07:54:42.000000000 +0100
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnTCCAYUCBgFuk1+FLDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd2aW5j
+ZW50MB4XDTE5MTEyMjEzNDcyMVoXDTI5MTEyMjEzNDkwMVowEjEQMA4GA1UEAwwH
+dmluY2VudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIhnk1231eWz
+Kace6O6jCwrlSCqmwWv6jswYjTaXtCvK44O/tc/Rgrkpam2bTNP+QUOmxqJ50jw/
+vj6MIRXYr0uFjQN9ztCpdbUNMHR90zp8LniDvWoX1uKtARhbzDm53ivrY8IjTI9Z
+fnGbfKb7kvty7U1iMwvoU2TOHGlJsuaJZuT1XZq7ugulea8ZG2ATyExUs5eZqbqP
+wukVfzGEcAIetIIbNjhLyFg6yZGZ2Ghe7IxwvY/uJH3DOaGO2YYPCrh8paLnWDc5
+ao1QD3dDG5C5IdaWvH5h7JzenIH12LRSu2fFo2A1AIUx9SY2QlUhTeeQPudXYA+H
+EDc4nixBJCcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAfAo40il4qw7DfOkke0p1
+ZFAgLQQS3J5hYNDSRvVv+vxkk9o/N++zTMoHbfcDcU5BdVH6Qsr/12PXPX7Ur5WY
+Dq+bWGAK3MAaGtZlmycFeVhoVRfab4TUWUy43H3VyFUNqjGRAVJ/VD1RW3fJ18Kr
+QTN2fcKSd88Jqt5TvjROKghq95+8BQtlhrR/sQVrjgYwc+eU9ljWI56MQXbpHstl
+9IewMXnusSPxKRTbutjaxzKaoXRTUncPL6ga0SSxOTdKksM4ZYpPnq0B93silb+0
+qs8aJraGzjAmLE30opfufP+roth19VJxAfYsW5mgAmXP9kEAF+iWB8FB4/Q4noNG
+8Q==
+-----END CERTIFICATE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/test/private.pem
new/mod_auth_openidc-2.4.1/test/private.pem
--- old/mod_auth_openidc-2.4.0.3/test/private.pem 1970-01-01
01:00:00.000000000 +0100
+++ new/mod_auth_openidc-2.4.1/test/private.pem 2020-01-30 07:54:42.000000000
+0100
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAiGeTXbfV5bMppx7o7qMLCuVIKqbBa/qOzBiNNpe0K8rjg7+1
+z9GCuSlqbZtM0/5BQ6bGonnSPD++PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9
+ahfW4q0BGFvMObneK+tjwiNMj1l+cZt8pvuS+3LtTWIzC+hTZM4caUmy5olm5PVd
+mru6C6V5rxkbYBPITFSzl5mpuo/C6RV/MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9
+j+4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8Wj
+YDUAhTH1JjZCVSFN55A+51dgD4cQNzieLEEkJwIDAQABAoIBAF3PXfpGREUFQtA8
+4dW9LAsCRO+QX9XzK+IRwIybKL41euNRJakXXeAaK6fV9rCVXC06tcFoJr5o2F4L
+4XU04Nn/r0uHaoT3BozN1VVIc8z1OsCHWe1tF8wtT2OBPqM0wSdTa/hIbo7n7Z4U
+YVY2DpAAKlPeBV1bGn9pgQCoPvFs61sdjHlo3y3BO/Q5ki/SMNmq3ilURpSnXSCD
+5x2/jMPRwe2QslUwtb+bKoUD8uqj6PFx3UI7vxGEZSDjJLFPJHG9tEf3s4m/6x7l
+cCVZUzZOjLxVCI+Gsl3V9d0MuJEwUYkDO6bpj2sqRBOAqwH01j9AGJxMM/xRpbjq
+TGTc6AECgYEA0ENWGZHWN84M1ztxH1DSL+po7MxEdKcwGSqye6379px0ximKr+8+
+DWKS8xeWsBc1OupdrzO2p7lvWwYBstlJoLfVMVEHeLEhkN2fdBjeRzDf2RbbtZnd
+NAYHNSX4xv9B8DyJs7js0uVVmOuuojNkoQFqh3NcIFsC7OuGfEhR48ECgYEAp6uo
+rIDqGD2YCL+Bx6lEf96Jlcmu5zwB3jnKqSxA5PnkbE4ZS3RidM0HSrUABcq3n4So
+61lwdbGtnjyhBXrEYbpNokVye6RV5DwXZN9LVeA/aZWlAccUHSoDuwovSsowfoG4
+xj8yyUUFE8/+xgM0CnqaoWP1tCkrhXk5mX0w4ecCgYEAhp7wOekOOtZjcIFI90As
+DbMNjfvgSDOGIM57vvzRATFTPoC92Enip45PhPl7e2oVC3dRhZ389OAl/gWc9XoF
+YPFTyuQg20BMfTL1DnvAuu351H81GGdUGHvJDu7zp9Z6Tgsjy9u+ofiCYy39nXVx
+F64tqU7Ff1i1RGZecVniLUECgYBdyeyhCb9obdPEWPNMbweNCzsk2VsHp45X8zXE
+qadnLc0zNAB8L47/TMyeYl6v3rQV+8vNUgtRGmFGmR1tBj4heGgCtBwUw1j0QRTI
+7Qqj77so4XcaZnR+18iccFcB29WCfieQZTuQUBZF/dvCgXozvl8Ole6Tp0/b6nJo
+xBl60wKBgDHdWW2qVche9wuZf6iDyVpE1DouMeg3sUxq77KCUXsmIHUuGgqlhuIj
+wLIgkuBOf4dEmSlwB/4onxTx+DRcvK89oZjFUnL9CR8jaE1HQACKj3xMn1ubkXqH
+z6itCDUZ0fP+LLYSREyBHlnaYOtXJgxKKK2yC1kTJmBs9HUMaLNk
+-----END RSA PRIVATE KEY-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/test/public.pem
new/mod_auth_openidc-2.4.1/test/public.pem
--- old/mod_auth_openidc-2.4.0.3/test/public.pem 1970-01-01
01:00:00.000000000 +0100
+++ new/mod_auth_openidc-2.4.1/test/public.pem 2020-01-30 07:54:42.000000000
+0100
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiGeTXbfV5bMppx7o7qML
+CuVIKqbBa/qOzBiNNpe0K8rjg7+1z9GCuSlqbZtM0/5BQ6bGonnSPD++PowhFdiv
+S4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK+tjwiNMj1l+cZt8pvuS
++3LtTWIzC+hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo/C6RV/MYRw
+Ah60ghs2OEvIWDrJkZnYaF7sjHC9j+4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0Mb
+kLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A+51dgD4cQNzieLEEk
+JwIDAQAB
+-----END PUBLIC KEY-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0.3/test/test.c
new/mod_auth_openidc-2.4.1/test/test.c
--- old/mod_auth_openidc-2.4.0.3/test/test.c 2019-10-03 15:53:00.000000000
+0200
+++ new/mod_auth_openidc-2.4.1/test/test.c 2020-01-30 07:54:42.000000000
+0100
@@ -124,6 +124,38 @@
return 0;
}
+
+static char *test_public_key_parse(apr_pool_t *pool) {
+
+ oidc_jose_error_t err;
+ cjose_jwk_t *jwk, *jwkCert = NULL;
+
+ BIO *input, *inputCert = NULL;
+ int isPrivateKey = 0;
+ int result;
+
+ const char publicKeyFile[] = "./test/public.pem";
+ const char certificateFile[] = "./test/certificate.pem";
+
+ input = BIO_new(BIO_s_file());
+ TST_ASSERT_ERR("test_public_key_parse_BIO_new_public_key", input !=
NULL, pool, err);
+
+ TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_public_key",
result = BIO_read_filename(input, publicKeyFile), pool, err);
+
+ TST_ASSERT_ERR("oidc_jwk_rsa_bio_to_jwk", oidc_jwk_rsa_bio_to_jwk(pool,
input, NULL, &jwk, isPrivateKey, &err),
+ pool, err);
+
+ inputCert = BIO_new(BIO_s_file());
+ TST_ASSERT_ERR("test_public_key_parse_BIO_new_certificate", inputCert
!= NULL, pool, err);
+
+ TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_certificate",
BIO_read_filename(inputCert, certificateFile), pool, err);
+
+ TST_ASSERT_ERR("oidc_jwk_rsa_bio_to_jwk", oidc_jwk_rsa_bio_to_jwk(pool,
inputCert, NULL, &jwkCert, isPrivateKey, &err),
+ pool, err);
+
+ return 0;
+}
+
static char *test_jwt_parse(apr_pool_t *pool) {
// from http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20
@@ -1421,6 +1453,7 @@
static char * all_tests(apr_pool_t *pool, request_rec *r) {
char *message;
+ TST_RUN(test_public_key_parse, pool);
TST_RUN(test_jwt_parse, pool);
TST_RUN(test_plaintext_jwt_parse, pool);
TST_RUN(test_jwt_get_string, pool);
