Commit 49ce42de authored by Christoph Martin

Imported Upstream version 2.1.5

parent af3fa41d
......@@ -31,3 +31,5 @@ reporting bugs, providing fixes, suggesting useful features or other:
Andy Curtis <https://github.com/asc1>
solsson <https://github.com/solsson>
drdivano <https://github.com/drdivano>
AliceWonderMiscreations <https://github.com/AliceWonderMiscreations>
Wouter Hund <https://github.com/wouterhund>
01/30/2017
- security fix: scrub headers when `OIDCUnAuthAction pass` is used for an unauthenticated user
- release 2.1.5
01/29/2017
- fix error message about passing id_token with session type client-cookie; mentioned in #220
- bump to 2.1.5rc0
01/25/2017
- release 2.1.4
01/18/2017
- don't echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke
01/14/2017
- use dynamic memory buffer for writing HTTP call responses; solves curl/mpm-event interference; see #207
- bump to 2.1.4rc1
01/10/2017
- don't crash when data is POST-ed to the redirect URL, it has just 1 POST parameter and it is not "response_mode"
01/2/2017
- remove trailing linebreaks from input in test-cmd tool
- bump copyright year to 2017
12/14/2016
- support Libre SSL, see #205, thanks @AliceWonderMiscreations
- update OIDC logout support to Front-Channel Logout 1.0 draft 01: http://openid.net/specs/openid-connect-frontchannel-1_0.html
- bump to 2.1.4rc0
12/13/2016
- release 2.1.3
/***************************************************************************
* Copyright (C) 2014-2016 Ping Identity Corporation
* Copyright (C) 2014-2017 Ping Identity Corporation
* All rights reserved.
*
* Ping Identity Corporation
......@@ -271,13 +271,16 @@ See the Wiki pages with Frequently Asked Questions at:
There is a Google Group/mailing list at:
[mod_auth_openidc@googlegroups.com](mailto:mod_auth_openidc@googlegroups.com)
The corresponding forum/archive is at:
https://groups.google.com/forum/#!forum/mod_auth_openidc
https://groups.google.com/forum/#!forum/mod_auth_openidc
For commercial support and consultancy you can contact:
[info@zmartzone.eu](mailto:info@zmartzone.eu)
Any questions/issues should go to the mailing list, the Github issues tracker or the
primary author [hans.zandbelt@zmartzone.eu](mailto:hans.zandbelt@zmartzone.eu)
Disclaimer
----------
*This software is open sourced by Ping Identity but not supported commercially
as such. Any questions/issues should go to the mailing list, the Github issues
tracker or the author [hzandbelt@pingidentity.com](mailto:hzandbelt@pingidentity.com)
directly See also the DISCLAIMER file in this directory.*
by Ping Identity, see also the DISCLAIMER file in this directory. For commercial support
you can contact [ZmartZone IAM](https://www.zmartzone.eu) as described above.*
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.3.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.5.
#
# Report bugs to <hzandbelt@pingidentity.com>.
# Report bugs to <hans.zandbelt@zmartzone.eu>.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
......@@ -266,7 +266,7 @@ fi
$as_echo "$0: be upgraded to zsh 4.3.4 or later."
else
$as_echo "$0: Please tell bug-autoconf@gnu.org and
$0: hzandbelt@pingidentity.com about your system, including
$0: hans.zandbelt@zmartzone.eu about your system, including
$0: any error possibly output before this message. Then
$0: install a modern shell, or manually run the script
$0: under such a shell if you do have one."
......@@ -579,9 +579,9 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
PACKAGE_VERSION='2.1.3'
PACKAGE_STRING='mod_auth_openidc 2.1.3'
PACKAGE_BUGREPORT='hzandbelt@pingidentity.com'
PACKAGE_VERSION='2.1.5'
PACKAGE_STRING='mod_auth_openidc 2.1.5'
PACKAGE_BUGREPORT='hans.zandbelt@zmartzone.eu'
PACKAGE_URL=''
ac_subst_vars='LTLIBOBJS
......@@ -626,7 +626,6 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
......@@ -711,7 +710,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
......@@ -964,15 +962,6 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
......@@ -1110,7 +1099,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir
libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
......@@ -1223,7 +1212,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures mod_auth_openidc 2.1.3 to adapt to many kinds of systems.
\`configure' configures mod_auth_openidc 2.1.5 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1263,7 +1252,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
......@@ -1286,7 +1274,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of mod_auth_openidc 2.1.3:";;
short | recursive ) echo "Configuration of mod_auth_openidc 2.1.5:";;
esac
cat <<\_ACEOF
......@@ -1328,7 +1316,7 @@ Some influential environment variables:
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to <hzandbelt@pingidentity.com>.
Report bugs to <hans.zandbelt@zmartzone.eu>.
_ACEOF
ac_status=$?
fi
......@@ -1391,7 +1379,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
mod_auth_openidc configure 2.1.3
mod_auth_openidc configure 2.1.5
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1408,7 +1396,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by mod_auth_openidc $as_me 2.1.3, which was
It was created by mod_auth_openidc $as_me 2.1.5, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -1757,7 +1745,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
NAMEVER=mod_auth_openidc-2.1.3
NAMEVER=mod_auth_openidc-2.1.5
# This section defines the --with-apxs2 option.
......@@ -3276,7 +3264,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by mod_auth_openidc $as_me 2.1.3, which was
This file was extended by mod_auth_openidc $as_me 2.1.5, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -3323,13 +3311,13 @@ Usage: $0 [OPTION]... [TAG]...
Configuration files:
$config_files
Report bugs to <hzandbelt@pingidentity.com>."
Report bugs to <hans.zandbelt@zmartzone.eu>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
mod_auth_openidc config.status 2.1.3
mod_auth_openidc config.status 2.1.5
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
AC_INIT([mod_auth_openidc],[2.1.3],[hzandbelt@pingidentity.com])
AC_INIT([mod_auth_openidc],[2.1.5],[hans.zandbelt@zmartzone.eu])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* mostly copied from mod_auth_cas
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <http_core.h>
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* mem_cache-like interface and semantics (string keys/values) using a storage backend
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef _MOD_AUTH_OPENIDC_CACHE_H_
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* caching using a file storage backend
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_hash.h>
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* global lock implementation
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef WIN32
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* caching using a memcache backend
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include "apr_general.h"
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* caching using a Redis backend
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include "apr_general.h"
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -48,7 +48,7 @@
* caching using a shared memory backend, FIFO-style
* based on mod_auth_mellon code
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <httpd.h>
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr.h>
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* JSON Web Token handling
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_base64.h>
......@@ -1061,7 +1061,7 @@ static apr_byte_t oidc_jwk_rsa_bio_to_jwk(apr_pool_t *pool, BIO *input,
}
const BIGNUM *rsa_n, *rsa_e, *rsa_d;
#if OPENSSL_VERSION_NUMBER >= 0x10100005L
#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined (LIBRESSL_VERSION_NUMBER)
RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
#else
rsa_n = rsa->n;
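Review bot: The new `!defined (LIBRESSL_VERSION_NUMBER)` guard sends every LibreSSL build down the `#else` branch, which reads `rsa->n` (and presumably `rsa->e`/`rsa->d` just below the hunk) straight out of the RSA struct, so correctness now depends on LibreSSL keeping that struct public; should a later LibreSSL make it opaque and ship `RSA_get0_key`, the condition will need a LibreSSL version bound instead of a blanket exclusion. A one-line comment on the `#if` would spare the next reader the lookup: `/* LibreSSL advertises an OPENSSL_VERSION_NUMBER that passes the 1.1.0 check but lacks the 1.1.0 accessors, so treat it like OpenSSL < 1.1 */`. oidc_jwk_rsa_bio_to_jwk begins and ends outside the hunk.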
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* JSON Object Signing and Encryption
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_JOSE_H_
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* OpenID Connect metadata handling routines, for both OP discovery and client registration
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_hash.h>
......@@ -535,7 +535,7 @@ static apr_byte_t oidc_metadata_client_register(request_rec *r, oidc_cfg *cfg,
json_object_set_new(data, "initiate_login_uri",
json_string(cfg->redirect_uri));
json_object_set_new(data, "logout_uri",
json_object_set_new(data, "frontchannel_logout_uri",
json_string(apr_psprintf(r->pool, "%s?logout=%s", cfg->redirect_uri,
OIDC_GET_STYLE_LOGOUT_PARAM_VALUE)));
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -51,7 +51,7 @@
* Other code copied/borrowed/adapted:
* shared memory caching: mod_auth_mellon
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*
**************************************************************************/
......@@ -129,6 +129,30 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix,
r->headers_in = clean_headers;
}
/*
* scrub all mod_auth_openidc related headers
*/
static void oidc_scrub_headers(request_rec *r) {
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
if (cfg->scrub_request_headers != 0) {
/* scrub all headers starting with OIDC_ first */
oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
oidc_cfg_dir_authn_header(r));
/*
* then see if the claim headers need to be removed on top of that
* (i.e. the prefix does not start with the default OIDC_)
*/
if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
!= cfg->claim_prefix)) {
oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
}
}
}
/*
* strip the session cookie from the headers sent to the application/backend
*/
......@@ -1260,21 +1284,7 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
* we're going to pass the information that we have to the application,
* but first we need to scrub the headers that we're going to use for security reasons
*/
if (cfg->scrub_request_headers != 0) {
/* scrub all headers starting with OIDC_ first */
oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
oidc_cfg_dir_authn_header(r));
/*
* then see if the claim headers need to be removed on top of that
* (i.e. the prefix does not start with the default OIDC_)
*/
if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
!= cfg->claim_prefix)) {
oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
}
}
oidc_scrub_headers(r);
/* set the user authentication HTTP header if set and required */
if ((r->user != NULL) && (authn_header != NULL))
......@@ -1302,18 +1312,18 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);
}
if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {
if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) {
const char *s_id_token = NULL;
/* get the compact serialized JWT from the session */
oidc_session_get(r, session, OIDC_IDTOKEN_SESSION_KEY, &s_id_token);
/* pass the compact serialized JWT to the app in a header or environment variable */
oidc_util_set_app_info(r, "id_token", s_id_token,
OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars);
} else {
oidc_error(r,
"session type \"client-cookie\" does not allow storing/passing the id_token; use \"OIDCSessionType server-cache\" for that");
}
} else {
oidc_error(r,
"session type \"client-cookie\" does not allow storing/passing the id_token; use \"OIDCSessionType server-cache\" for that");
}
/* set the refresh_token in the app headers/variables, if enabled for this location/directory */
......@@ -1846,6 +1856,7 @@ static int oidc_handle_post_authorization_response(request_rec *r, oidc_cfg *c,
/* see if we've got any POST-ed data at all */
if ((apr_table_elts(params)->nelts < 1)
|| ((apr_table_elts(params)->nelts == 1)
&& apr_table_get(params, "response_mode")
&& (apr_strnatcmp(apr_table_get(params, "response_mode"),
"fragment") == 0))) {
return oidc_util_html_send_error(r, c->error_template,
......@@ -2841,11 +2852,15 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
oidc_handle_redirect_authorization_response(r, c, session);
}
oidc_error(r,
"The OpenID Connect callback URL received an invalid request: %s; returning HTTP_INTERNAL_SERVER_ERROR",
r->args);
/* something went wrong */
return oidc_util_html_send_error(r, c->error_template, "Invalid Request",
apr_psprintf(r->pool,
"The OpenID Connect callback URL received an invalid request: %s",
r->args), HTTP_INTERNAL_SERVER_ERROR);
"The OpenID Connect callback URL received an invalid request"),
HTTP_INTERNAL_SERVER_ERROR);
}
/*
......@@ -2955,6 +2970,13 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {
return HTTP_UNAUTHORIZED;
case OIDC_UNAUTH_PASS:
r->user = "";
/*
* we're not going to pass information about an authenticated user to the application,
* but we do need to scrub the headers that mod_auth_openidc would set for security reasons
*/
oidc_scrub_headers(r);
return OK;
case OIDC_UNAUTH_AUTHENTICATE:
/* if this is a Javascript path we won't redirect the user and create a state cookie */
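Review bot: The scrubbing added on the `OIDC_UNAUTH_PASS` path only takes effect when `cfg->scrub_request_headers` is non-zero, because `oidc_scrub_headers` (hunk at line 129) returns without touching `r->headers_in` otherwise, so with that option disabled the pass path forwards any client-supplied OIDC_ or claim-prefixed request headers to the application exactly as if the module had set them. That limitation belongs in the new comment, e.g. `/* note: with scrub_request_headers disabled nothing removes client-supplied OIDC_* headers here; the backend must not trust them in that configuration */`, and in the documentation of the scrub option. In the invalid-request branch of oidc_handle_redirect_uri_request the `apr_psprintf` wrapper is now redundant around a constant string and the literal can be passed directly, while `r->args` still handed to `oidc_error` may be NULL for a request without a query string — APR's formatter appears to render that as `(null)`, so it is cosmetic, but `r->args ? r->args : ""` states the intent. oidc_check_userid_openidc and oidc_handle_redirect_uri_request both begin outside their hunks.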
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_H_
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_lib.h>
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* Validation and parsing of configuration values.
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_base64.h>
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -47,7 +47,7 @@
*
* Validation and parsing of configuration values.
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#ifndef MOD_AUTH_OPENIDC_PARSE_H_
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <httpd.h>
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_base64.h>
......@@ -18,7 +18,7 @@
*/
/***************************************************************************
* Copyright (C) 2013-2016 Ping Identity Corporation
* Copyright (C) 2013-2017 Ping Identity Corporation
* All rights reserved.
*
* For further information please contact:
......@@ -45,7 +45,7 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* @Author: Hans Zandbelt - hzandbelt@pingidentity.com
* @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
*/
#include <apr_strings.h>
......@@ -449,28 +449,48 @@ char *oidc_get_current_url(request_rec *r) {
return url;
}
/* maximum size of any response returned in HTTP calls */
#define OIDC_CURL_MAX_RESPONSE_SIZE 65536
/* buffer to hold HTTP call responses */
typedef struct oidc_curl_buffer {
char buf[OIDC_CURL_MAX_RESPONSE_SIZE];
size_t written;
request_rec *r;
char *memory;
size_t size;
} oidc_curl_buffer;
/* maximum acceptable size of HTTP responses: 1 Mb */
#define OIDC_CURL_MAX_RESPONSE_SIZE 1024 * 1024
/*
* callback for CURL to write bytes that come back from an HTTP call
*/
size_t oidc_curl_write(const void *ptr, size_t size, size_t nmemb, void *stream) {
oidc_curl_buffer *curlBuffer = (oidc_curl_buffer *) stream;
size_t oidc_curl_write(void *contents, size_t size, size_t nmemb, void *userp) {
size_t realsize = size * nmemb;
oidc_curl_buffer *mem = (oidc_curl_buffer *) userp;
/* check if we don't run over the maximum buffer/memory size for HTTP responses */
if (mem->size + realsize > OIDC_CURL_MAX_RESPONSE_SIZE) {
oidc_error(mem->r,
"HTTP response larger than maximum allowed size: current size=%ld, additional size=%ld, max=%d",
mem->size, realsize, OIDC_CURL_MAX_RESPONSE_SIZE);
return 0;
}
if ((nmemb * size) + curlBuffer->written >= OIDC_CURL_MAX_RESPONSE_SIZE)
/* allocate the new buffer for the current + new response bytes */
char *newptr = apr_palloc(mem->r->pool, mem->size + realsize + 1);
if (newptr == NULL) {
oidc_error(mem->r,
"memory allocation for new buffer of %ld bytes failed",
mem->size + realsize + 1);
return 0;
}
memcpy((curlBuffer->buf + curlBuffer->written), ptr, (nmemb * size));
curlBuffer->written += (nmemb * size);
/* copy over the data from current memory plus the cURL buffer */
memcpy(newptr, mem->memory, mem->size);
memcpy(&(newptr[mem->size]), contents, realsize);
mem->size += realsize;
mem->memory = newptr;
mem->memory[mem->size] = 0;
return (nmemb * size);
return realsize;
}
/* context structure for encoding parameters */
......@@ -519,6 +539,9 @@ static apr_byte_t oidc_util_http_call(request_rec *r, const char *url,
return FALSE;
}
/* set the error buffer as empty before performing a request */
curlError[0] = 0;
/* some of these are not really required */
curl_easy_setopt(curl, CURLOPT_HEADER, 0L);
curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L);