Commit 98bdf6fe authored by Moritz Schlarb's avatar Moritz Schlarb

New upstream version 2.1.6

parent 49ce42de
02/20/2017
- security fix: scrub headers for "AuthType oauth20"
- release 2.1.6
02/15/2017
- improve logging of session max duration and session inactivity timeout
- refactor so that the call to the refresh hook also resets the session inactivity timeout and passes tokens down
02/14/2017
- treat only "X-Requested-With: XMLHttpRequest" header as a non-browser client; closes #228 ; thanks @mguillem
- improve error message on state timeout; closes #226; thanks @security4java
02/09/2017
- correctly parse "kid" in OIDCPublicKeyFiles and OIDCOAuthVerifyCertFiles; thanks Alessandro Papacci
- bump to 2.1.6rc2
02/07/2017
- fix parsing of mandatory/optional attribute in OIDCOAuthTokenExpiryClaim; closes #225; thanks Alessandro Papacci
- bump to 2.1.6rc1
02/06/2017
- improve logging around the availability of session management; closes #223
02/02/2017
- interpret OIDCUnAuthAction also when the maximum session duration has been exceeded; see #220
- bump to 2.1.6rc0
01/30/2017
- security fix: scrub headers when `OIDCUnAuthAction pass` is used for an unauthenticated user
- release 2.1.5
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.5.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.6.
#
# Report bugs to <hans.zandbelt@zmartzone.eu>.
#
......@@ -579,8 +579,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
PACKAGE_VERSION='2.1.5'
PACKAGE_STRING='mod_auth_openidc 2.1.5'
PACKAGE_VERSION='2.1.6'
PACKAGE_STRING='mod_auth_openidc 2.1.6'
PACKAGE_BUGREPORT='hans.zandbelt@zmartzone.eu'
PACKAGE_URL=''
......@@ -1212,7 +1212,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures mod_auth_openidc 2.1.5 to adapt to many kinds of systems.
\`configure' configures mod_auth_openidc 2.1.6 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1274,7 +1274,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of mod_auth_openidc 2.1.5:";;
short | recursive ) echo "Configuration of mod_auth_openidc 2.1.6:";;
esac
cat <<\_ACEOF
......@@ -1379,7 +1379,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
mod_auth_openidc configure 2.1.5
mod_auth_openidc configure 2.1.6
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1396,7 +1396,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by mod_auth_openidc $as_me 2.1.5, which was
It was created by mod_auth_openidc $as_me 2.1.6, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -1745,7 +1745,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
NAMEVER=mod_auth_openidc-2.1.5
NAMEVER=mod_auth_openidc-2.1.6
# This section defines the --with-apxs2 option.
......@@ -3264,7 +3264,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by mod_auth_openidc $as_me 2.1.5, which was
This file was extended by mod_auth_openidc $as_me 2.1.6, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -3317,7 +3317,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
mod_auth_openidc config.status 2.1.5
mod_auth_openidc config.status 2.1.6
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......
AC_INIT([mod_auth_openidc],[2.1.5],[hans.zandbelt@zmartzone.eu])
AC_INIT([mod_auth_openidc],[2.1.6],[hans.zandbelt@zmartzone.eu])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
......
......@@ -1025,7 +1025,8 @@ int oidc_jose_hash_length(const char *alg) {
* by "input" to a JSON Web Key object
*/
static apr_byte_t oidc_jwk_rsa_bio_to_jwk(apr_pool_t *pool, BIO *input,
cjose_jwk_t **jwk, int is_private_key, oidc_jose_error_t *err) {
const char *kid, cjose_jwk_t **jwk, int is_private_key,
oidc_jose_error_t *err) {
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
......@@ -1100,14 +1101,14 @@ static apr_byte_t oidc_jwk_rsa_bio_to_jwk(apr_pool_t *pool, BIO *input,
memcpy(fingerprint, key_spec.n, key_spec.nlen);
memcpy(fingerprint + key_spec.nlen, key_spec.e, key_spec.elen);
if (oidc_jwk_set_or_generate_kid(pool, *jwk, NULL, fingerprint,
if (oidc_jwk_set_or_generate_kid(pool, *jwk, kid, fingerprint,
key_spec.nlen + key_spec.elen, err) == FALSE) {
goto end;
}
rv = TRUE;
end:
end:
if (pkey)
EVP_PKEY_free(pkey);
......@@ -1137,7 +1138,7 @@ static apr_byte_t oidc_jwk_parse_rsa_key(apr_pool_t *pool, int is_private_key,
}
cjose_jwk_t *cjose_jwk = NULL;
if (oidc_jwk_rsa_bio_to_jwk(pool, input, &cjose_jwk, is_private_key,
if (oidc_jwk_rsa_bio_to_jwk(pool, input, kid, &cjose_jwk, is_private_key,
err) == FALSE)
goto end;
......@@ -1145,7 +1146,7 @@ static apr_byte_t oidc_jwk_parse_rsa_key(apr_pool_t *pool, int is_private_key,
rv = TRUE;
end:
end:
if (input)
BIO_free(input);
......@@ -1212,7 +1213,7 @@ static apr_byte_t oidc_jwk_parse_rsa_x5c(apr_pool_t *pool, json_t *json,
}
/* do the actual parsing */
rv = oidc_jwk_rsa_bio_to_jwk(pool, input, jwk, FALSE, err);
rv = oidc_jwk_rsa_bio_to_jwk(pool, input, NULL, jwk, FALSE, err);
BIO_free(input);
......
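Review bot: The header comment above oidc_jwk_rsa_bio_to_jwk (ending at `* by "input" to a JSON Web Key object`) is not updated for the new `kid` parameter, so the contract of passing NULL — as the x5c caller now does with `oidc_jwk_rsa_bio_to_jwk(pool, input, NULL, jwk, FALSE, err)` — is only discoverable from the `oidc_jwk_set_or_generate_kid` call further down. I would extend the comment with a line such as `* "kid" is the key identifier to set on the JWK; NULL lets one be derived from the key fingerprint (see oidc_jwk_set_or_generate_kid)`. The fallback-generation behaviour is inferred from that helper's name and arguments, so confirm it before stating it. The body of oidc_jwk_rsa_bio_to_jwk runs past this hunk's last visible line, and the second hunk of this file sits in the middle of it.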
......@@ -387,6 +387,7 @@ void oidc_request_state_set(request_rec *r, const char *key, const char *value);
const char*oidc_request_state_get(request_rec *r, const char *key);
int oidc_handle_jwks(request_rec *r, oidc_cfg *c);
apr_byte_t oidc_post_preserve_javascript(request_rec *r, const char *location, char **javascript, char **javascript_method);
void oidc_scrub_headers(request_rec *r);
// oidc_oauth
int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c);
......
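Review bot: The new prototype `void oidc_scrub_headers(request_rec *r);` is exported without any statement of what it removes, and since callers now depend on it for the header-spoofing fix a reader of the header should not have to open the implementation to learn its contract. A comment on the line before it, such as `/* remove incoming copies of the headers this module sets before the request is passed on to the application */`, would do; the exact header set is presumably defined in the implementation, so check it before writing the comment. The neighbouring declarations in this hunk carry no comments either, so this is partly a convention question.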
......@@ -664,6 +664,12 @@ int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c) {
"Could not set remote user");
}
/*
* we're going to pass the information that we have to the application,
* but first we need to scrub the headers that we're going to use for security reasons
*/
oidc_scrub_headers(r);
/* set the user authentication HTTP header if set and required */
char *authn_header = oidc_cfg_dir_authn_header(r);
int pass_headers = oidc_cfg_dir_pass_info_in_headers(r);
......
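Review bot: The comment above the new `oidc_scrub_headers(r);` call says only "for security reasons", which leaves the actual risk unstated; given the `oidc_cfg_dir_authn_header` and `oidc_cfg_dir_pass_info_in_headers` lookups that follow, a more precise comment would be `/* drop any client-supplied values of the authn/claim headers this module sets, so the backend only ever sees values written here */`. The scrub is placed after the "Could not set remote user" branch, whose opening is outside the hunk; if that branch returns rather than falling through this is fine, but any earlier path out of oidc_oauth_check_userid that still hands the request to the backend would skip the scrub, which is worth confirming against the whole function. oidc_oauth_check_userid both starts and ends outside this hunk.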
......@@ -805,7 +805,7 @@ const char *oidc_parse_claim_required(apr_pool_t *pool, const char *arg,
const char *rv = oidc_valid_string_option(pool, arg, options);
if (rv != NULL)
return rv;
*is_required = apr_strnatcmp(arg, OIDC_CLAIM_REQUIRED_MANDATORY);
*is_required = (apr_strnatcmp(arg, OIDC_CLAIM_REQUIRED_MANDATORY) == 0);
return NULL;
}
......
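Review bot: The corrected assignment `*is_required = (apr_strnatcmp(arg, OIDC_CLAIM_REQUIRED_MANDATORY) == 0);` is right only because `oidc_valid_string_option(pool, arg, options)` on the preceding line has already rejected anything outside the listed options, and nothing in the hunk records that dependency. A short comment would keep a later edit from reordering the two, e.g. `/* arg is already one of the validated options, so plain equality decides "mandatory" */`. As a point of style, `apr_strnatcmp` is a natural-order sort comparison; for an equality test `strcmp(arg, OIDC_CLAIM_REQUIRED_MANDATORY) == 0` says what is meant, though it yields the same result for the validated values. oidc_parse_claim_required's signature begins before this hunk's first visible line.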