diff --git a/SOURCES/0006-Add-none-option-for-samesite.patch b/SOURCES/0006-Add-none-option-for-samesite.patch
new file mode 100644
index 0000000..1692952
--- /dev/null
+++ b/SOURCES/0006-Add-none-option-for-samesite.patch
@@ -0,0 +1,95 @@
+From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001
+From: Anthony Critelli
+Date: Tue, 7 Jan 2020 11:14:24 -0500
+Subject: [PATCH] Add none option for samesite
+
+---
+ README.md | 7 +++++--
+ auth_mellon.h | 3 ++-
+ auth_mellon_config.c | 2 ++
+ auth_mellon_cookie.c | 4 +++-
+ auth_mellon_diagnostics.c | 1 +
+ 5 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/README.md b/README.md
+index be374bc..82a88fc 100644
+--- a/README.md
++++ b/README.md
+@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off
+ 
+ # MellonCookieSameSite allows control over the SameSite value used
+ # for the authentication cookie.
+- # The setting accepts values of "Strict" or "Lax"
+- # If not set, the SameSite attribute is not set on the cookie.
++ # The setting accepts values of "Strict", "Lax", or "None".
++ # When using none, you should set "MellonSecureCookie On" to prevent
++ # compatibility issues with newer browsers.
++ # If not set, the SameSite attribute is not set on the cookie. In newer
++ # browsers, this may cause SameSite to default to "Lax"
+ # Default: not set
+ # MellonCookieSameSite lax
+ 
+diff --git a/auth_mellon.h b/auth_mellon.h
+index 9ef2d8a..5f5a20b 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -164,7 +164,8 @@ typedef enum {
+ typedef enum {
+ am_samesite_default,
+ am_samesite_lax,
+- am_samesite_strict
++ am_samesite_strict,
++ am_samesite_none,
+ } am_samesite_t;
+ 
+ typedef enum {
+diff --git a/auth_mellon_config.c b/auth_mellon_config.c
+index 7932e2d..f1a9d12 100644
+--- a/auth_mellon_config.c
++++ b/auth_mellon_config.c
+@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,
+ d->cookie_samesite = am_samesite_lax;
+ } else if(!strcasecmp(arg, "strict")) {
+ d->cookie_samesite = am_samesite_strict;
++ } else if(!strcasecmp(arg, "none")) {
++ d->cookie_samesite = am_samesite_none;
+ } else {
+ return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
+ }
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index 8394c18..b2c8535 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -1,7 +1,7 @@
+ /*
+ *
+ * auth_mellon_cookie.c: an authentication apache module
+- * Copyright � 2003-2007 UNINETT (http://www.uninett.no/)
++ * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)
+ cookie_samesite = "; SameSite=Lax";
+ } else if (cfg->cookie_samesite == am_samesite_strict) {
+ cookie_samesite = "; SameSite=Strict";
++ } else if (cfg->cookie_samesite == am_samesite_none) {
++ cookie_samesite = "; SameSite=None";
+ }
+ 
+ secure_cookie = cfg->secure;
+diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
+index 792e894..912814b 100644
+--- a/auth_mellon_diagnostics.c
++++ b/auth_mellon_diagnostics.c
+@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
+ case am_samesite_default: return "default";
+ case am_samesite_lax: return "lax";
+ case am_samesite_strict: return "strict";
++ case am_samesite_none: return "none";
+ default:
+ return apr_psprintf(r->pool, "unknown (%d)", samesite);
+ }
+-- 
+2.21.0
+
diff --git a/SOURCES/0007-avoid-always-set-SameSite-cookie.patch b/SOURCES/0007-avoid-always-set-SameSite-cookie.patch
new file mode 100644
index 0000000..f1a160c
--- /dev/null
+++ b/SOURCES/0007-avoid-always-set-SameSite-cookie.patch
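Review bot: The rejection message in am_set_samesite_slot (auth_mellon_config.c hunk) still says the parameter `must be 'lax' or 'strict'` although the new branch accepts `none`; change it to `return "The MellonCookieSameSite parameter must be 'lax', 'strict' or 'none'";`. In the am_cookie_params hunk the new `SameSite=None` branch is emitted regardless of MellonSecureCookie, while the README text added here says None should only be used together with `MellonSecureCookie On` because current browsers reject a None cookie that lacks Secure. Since `secure_cookie = cfg->secure` is evaluated a few lines below, a warning such as `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server, "MellonCookieSameSite None without MellonSecureCookie On; browsers will reject the cookie");` guarded by `cfg->cookie_samesite == am_samesite_none && !cfg->secure` (assuming cfg->secure is the boolean behind that directive) would surface the misconfiguration instead of a silent cookie loss. Both am_set_samesite_slot and am_cookie_params begin and end outside the hunk.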
@@ -0,0 +1,69 @@
+From b9d87e0deb528817689f1648999a95645b1b19ad Mon Sep 17 00:00:00 2001
+From: Keita SUZUKI
+Date: Mon, 20 Jan 2020 11:03:14 +0900
+Subject: [PATCH] avoid always set SameSite cookie
+
+---
+ auth_mellon.h | 5 +++++
+ auth_mellon_cookie.c | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index 5f5a20b..8bb8023 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -96,6 +96,11 @@ typedef enum {
+ } am_diag_flags_t;
+ #endif
+ 
++
++/* Disable SameSite Environment Value */
++#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
++
++
+ /* This is the length of the id we use (for session IDs and
+ * replaying POST data).
+ */
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index b2c8535..55f77a5 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -59,6 +59,7 @@ static const char *am_cookie_params(request_rec *r)
+ const char *cookie_domain = ap_get_server_name(r);
+ const char *cookie_path = "/";
+ const char *cookie_samesite = "";
++ const char *env_var_value = NULL;
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
+ 
+ if (cfg->cookie_domain) {
+@@ -69,12 +70,21 @@ static const char *am_cookie_params(request_rec *r)
+ cookie_path = cfg->cookie_path;
+ }
+ 
+- if (cfg->cookie_samesite == am_samesite_lax) {
+- cookie_samesite = "; SameSite=Lax";
+- } else if (cfg->cookie_samesite == am_samesite_strict) {
+- cookie_samesite = "; SameSite=Strict";
+- } else if (cfg->cookie_samesite == am_samesite_none) {
+- cookie_samesite = "; SameSite=None";
++ if (r->subprocess_env != NULL){
++ env_var_value = apr_table_get(r->subprocess_env,
++ AM_DISABLE_SAMESITE_ENV_VAR);
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
++ "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value);
++ }
++
++ if (env_var_value == NULL){
++ if (cfg->cookie_samesite == am_samesite_lax) {
++ cookie_samesite = "; SameSite=Lax";
++ } else if (cfg->cookie_samesite == am_samesite_strict) {
++ cookie_samesite = "; SameSite=Strict";
++ } else if (cfg->cookie_samesite == am_samesite_none) {
++ cookie_samesite = "; SameSite=None";
++ }
+ }
+ 
+ secure_cookie = cfg->secure;
+-- 
+2.21.0
+
diff --git a/SOURCES/0008-Set-SameSite-to-None-on-test-cookie.patch b/SOURCES/0008-Set-SameSite-to-None-on-test-cookie.patch
new file mode 100644
index 0000000..89bb5a6
--- /dev/null
+++ b/SOURCES/0008-Set-SameSite-to-None-on-test-cookie.patch
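Review bot: The debug `ap_log_error` in the new `r->subprocess_env` block of am_cookie_params fires on every cookie emission, including the normal case where `MELLON_DISABLE_SAMESITE` is unset, so it formats a NULL `env_var_value` with `%s` (APR's formatter appears to print `(null)` rather than crash, but it is per-request noise that tells the reader nothing); move the call under `if (env_var_value != NULL)` so only the opt-out is logged. The opt-out is triggered by presence, not value, so `SetEnv MELLON_DISABLE_SAMESITE 0` also strips the attribute; the header comment `/* Disable SameSite Environment Value */` should say so, e.g. `/* Per-request env var: if present with any value, no SameSite attribute is emitted on the Mellon cookie */`. Because this allows any environment rule (for example a SetEnvIf on a request header) to drop the cookie's SameSite protection, the README ought to document the variable and its intended browser-compatibility use; this patch does not touch the README. am_cookie_params begins and ends outside the hunk.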
@@ -0,0 +1,78 @@
+From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem
+Date: Thu, 30 Apr 2020 07:56:01 +0200
+Subject: [PATCH] Set SameSite to None on test cookie
+
+If the SameSite cookie attribute is to be set because
+MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
+for this particular request set it to None for the test cookie.
+This ensures that the test cookie with the static test content does not
+get lost in the HTTP-POST binding request issued by the autosubmit form
+returned by the IDP.
+Addresses #20
+
+* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
+
+* auth_mellon_handler.c (am_send_login_authn_request): Set request note
+ to set SameSite to None if appropriate.
+
+* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
+ requested via request note.
+---
+ auth_mellon.h | 3 +++
+ auth_mellon_cookie.c | 6 +++++-
+ auth_mellon_handler.c | 5 +++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index fd39b28..401ed9c 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -100,6 +100,9 @@ typedef enum {
+ /* Disable SameSite Environment Value */
+ #define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+ 
++/* Force setting SameSite to None */
++#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
++
+ 
+ /* This is the length of the id we use (for session IDs and
+ * replaying POST data).
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index 55f77a5..6bff81e 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
+ }
+ 
+ if (env_var_value == NULL){
+- if (cfg->cookie_samesite == am_samesite_lax) {
++ if ((cfg->cookie_samesite != am_samesite_default) &&
++ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
++ cookie_samesite = "; SameSite=None";
++ }
++ else if (cfg->cookie_samesite == am_samesite_lax) {
+ cookie_samesite = "; SameSite=Lax";
+ } else if (cfg->cookie_samesite == am_samesite_strict) {
+ cookie_samesite = "; SameSite=Strict";
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index 395ee1d..40c9bcd 100644
+--- a/auth_mellon_handler.c
++++ b/auth_mellon_handler.c
+@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
+ /* Add cookie for cookie test. We know that we should have
+ * a valid cookie when we return from the IdP after SP-initiated
+ * login.
++ * Ensure that SameSite is set to None for this cookie if SameSite
++ * is allowed to be set as the cookie otherwise gets lost on
++ * HTTP-POST binding messages.
+ */
++ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
+ am_cookie_set(r, "cookietest");
++ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
+ 
+ server = am_get_lasso_server(r);
+ if(server == NULL) {
+-- 
+2.26.2
+
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index f8398aa..a844abb 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.14.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
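Review bot: The forced `SameSite=None` branch added to am_cookie_params in the 0008 patch checks the request note and that a SameSite mode is configured, but not `cfg->secure`; browsers that enforce the None-requires-Secure rule discard such a cookie outright, so with MellonSecureCookie Off the test cookie would, as far as I can tell, be lost even on a top-level GET return where the configured Lax value would have been sent. Gate the override on the Secure flag as well: `if ((cfg->cookie_samesite != am_samesite_default) && cfg->secure && (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {` (assuming cfg->secure is the boolean behind MellonSecureCookie, as `secure_cookie = cfg->secure` in the earlier patches suggests). The setn/unset pair around `am_cookie_set(r, "cookietest")` in am_send_login_authn_request is sound since nothing returns between the two calls, but the header comment `/* Force setting SameSite to None */` should note that this is a per-request note which the setter must clear again, so a later cookie in the same request is not silently relaxed. am_cookie_params and am_send_login_authn_request both begin and end outside the hunk.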
@@ -27,6 +27,9 @@ Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
 Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
 Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
 Patch0005: 0005-CVE_2019_13038.patch
+Patch0006: 0006-Add-none-option-for-samesite.patch
+Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
+Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
 
 # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
 # I could not get asciidoc to render properly so instead I generated
@@ -46,6 +49,9 @@ received in assertions generated by a IdP server.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %build
 export APXS=%{_httpd_apxs}
@@ -116,6 +122,10 @@ in the doc directory for instructions on using the diagnostics build.
 %attr(0755,apache,apache) %dir /run/%{name}/
 
 %changelog
+* Mon Jan 25 2021 Jakub Hrozek - 0.14.0-12
+- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
+ support latest browsers
+
 * Fri Oct 18 2019 Jakub Hrozek - 0.14.0-11
 - Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect via the login?ReturnTo= substring which could