From 8c02ed22c03732e374bb34a9c3e49d2a0a3de155 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 02 2019 23:25:35 +0000 Subject: import mod_auth_openidc-1.8.8-5.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1b4f275 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/mod_auth_openidc-1.8.8.tar.gz diff --git a/.mod_auth_openidc.metadata b/.mod_auth_openidc.metadata new file mode 100644 index 0000000..c60aa50 --- /dev/null +++ b/.mod_auth_openidc.metadata @@ -0,0 +1 @@ +7c104ab387273cd2794f18f7d66ced700a14aa80 SOURCES/mod_auth_openidc-1.8.8.tar.gz diff --git a/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch b/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch new file mode 100644 index 0000000..3e9e0fe --- /dev/null +++ b/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch @@ -0,0 +1,32 @@ +From d3973074a984f78af2267006625a11e672574dff Mon Sep 17 00:00:00 2001 +From: Hans Zandbelt +Date: Thu, 19 Jan 2017 00:03:37 +0100 +Subject: [PATCH 1000/1002] don't echo query params on invalid requests to + redirect URI; closes #212 + +thanks @LukasReschke; I'm sure there's some OWASP guideline that warns +against this + +(cherry picked from commit 612e309bfffd6f9b8ad7cdccda3019fc0865f3b4) +--- + src/mod_auth_openidc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index 2db6108..a494238 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -2493,8 +2493,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c, + /* something went wrong */ + return oidc_util_html_send_error(r, c->error_template, "Invalid Request", + apr_psprintf(r->pool, +- "The OpenID Connect callback URL received an invalid request: %s", +- r->args), HTTP_INTERNAL_SERVER_ERROR); ++ "The OpenID Connect callback URL received an invalid request"), ++ HTTP_INTERNAL_SERVER_ERROR); + } + + /* +-- +2.19.2 + 
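Review bot: Dropping r->args from the user-facing error page is the right call, but after this hunk nothing in the visible code records what made the callback request invalid, so the detail is lost to the operator as well as to the client. A server-side log line before the return, e.g. `oidc_debug(r, "invalid request to redirect URI: %s", r->args);`, keeps it diagnosable without echoing it back, and the module already uses oidc_debug for this kind of message; keep it at debug level, since the callback query string can carry the authorization code and state. Whether oidc_util_html_send_error logs anything itself is not visible here, and oidc_handle_redirect_uri_request starts and ends outside the hunk.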
diff --git a/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch b/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch
new file mode 100644
index 0000000..3a41e67
--- /dev/null
+++ b/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch
@@ -0,0 +1,84 @@ +From f1e8dec3e749eea3a54553e07b7a1994a4aaf5b9 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 23 Nov 2018 15:38:42 +0100 +Subject: [PATCH 1001/1002] Backport security fix: scrub headers on + OIDCUnAuthAction pass; closes #222 + +--- + src/mod_auth_openidc.c | 46 ++++++++++++++++++++++++++++-------------- + 1 file changed, 31 insertions(+), 15 deletions(-) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index a494238..f00280f 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -133,6 +133,29 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix, + r->headers_in = clean_headers; + } + ++static void oidc_scrub_headers(request_rec *r) { ++ oidc_cfg *cfg = ap_get_module_config(r->server->module_config, ++ &auth_openidc_module); ++ ++ /* get a handle to the directory config */ ++ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, ++ &auth_openidc_module); ++ ++ if (cfg->scrub_request_headers != 0) { ++ /* scrub all headers starting with OIDC_ first */ ++ oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX, ++ dir_cfg->authn_header); ++ /* ++ * then see if the claim headers need to be removed on top of that ++ * (i.e. 
the prefix does not start with the default OIDC_) ++ */ ++ if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) ++ != cfg->claim_prefix)) { ++ oidc_scrub_request_headers(r, cfg->claim_prefix, NULL); ++ } ++ } ++} ++ + #define OIDC_SHA1_LEN 20 + + /* +@@ -988,21 +1011,7 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg, + * we're going to pass the information that we have to the application, + * but first we need to scrub the headers that we're going to use for security reasons + */ +- if (cfg->scrub_request_headers != 0) { +- +- /* scrub all headers starting with OIDC_ first */ +- oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX, +- dir_cfg->authn_header); +- +- /* +- * then see if the claim headers need to be removed on top of that +- * (i.e. the prefix does not start with the default OIDC_) +- */ +- if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) +- != cfg->claim_prefix)) { +- oidc_scrub_request_headers(r, cfg->claim_prefix, NULL); +- } +- } ++ oidc_scrub_headers(r); + + /* set the user authentication HTTP header if set and required */ + if ((r->user != NULL) && (dir_cfg->authn_header != NULL)) +@@ -2560,6 +2569,13 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) { + case RETURN401: + return HTTP_UNAUTHORIZED; + case PASS: ++ /* ++ * we're not going to pass information about ++ * an authenticated user to the application, * ++ * but we do need to scrub the headers that ++ * mod_auth_openidc would set for security reasons ++ */ ++ oidc_scrub_headers(r); + return OK; + case AUTHENTICATE: + /* if this is a Javascript path we won't redirect the user and create a state cookie */ +-- +2.19.2 + diff --git a/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch b/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch new file mode 100644 index 0000000..d984042 --- /dev/null +++ b/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch 
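Review bot: The comment added in the PASS case of oidc_check_userid_openidc has a stray `*` at the end of its second line (`* an authenticated user to the application, *`), which looks like a typo in the backported text; suggest `* an authenticated user to the application,`. The scrub logic itself is moved verbatim into the new oidc_scrub_headers, so the `strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) != cfg->claim_prefix` prefix test is carried over rather than introduced here, but the new function has no header comment; something like `/* remove incoming OIDC_-prefixed headers (and claim-prefixed ones when a non-default prefix is configured) before the request reaches the application */` would tell readers of the PASS path, which previously did no scrubbing, what it now guarantees. Both enclosing functions start and end outside the hunk.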
@@ -0,0 +1,58 @@ +From 53bc62391d71418130edc0cb706f1aa5b0844c3a Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 23 Nov 2018 16:41:18 +0100 +Subject: [PATCH 1002/1002] Backport security fix: scrub headers for "AuthType + oauth20" + +--- + src/mod_auth_openidc.c | 2 +- + src/mod_auth_openidc.h | 2 ++ + src/oauth.c | 6 ++++++ + 3 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index f00280f..b504ecb 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -133,7 +133,7 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix, + r->headers_in = clean_headers; + } + +-static void oidc_scrub_headers(request_rec *r) { ++void oidc_scrub_headers(request_rec *r) { + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + +diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h +index a92b81f..6f6bd92 100644 +--- a/src/mod_auth_openidc.h ++++ b/src/mod_auth_openidc.h +@@ -373,6 +373,8 @@ void oidc_request_state_set(request_rec *r, const char *key, const char *value); + const char*oidc_request_state_get(request_rec *r, const char *key); + int oidc_handle_jwks(request_rec *r, oidc_cfg *c); + ++void oidc_scrub_headers(request_rec *r); ++ + // oidc_oauth + int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c); + +diff --git a/src/oauth.c b/src/oauth.c +index 218112b..279ee74 100644 +--- a/src/oauth.c ++++ b/src/oauth.c +@@ -572,6 +572,12 @@ int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c) { + oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, + &auth_openidc_module); + ++ /* ++ * we're going to pass the information that we have to the application, ++ * but first we need to scrub the headers that we're going to use for security reasons ++ */ ++ oidc_scrub_headers(r); ++ + /* set the user authentication HTTP header if set and required */ + if ((r->user != NULL) && (dir_cfg->authn_header != NULL)) { + 
oidc_debug(r, "setting authn header (%s) to: %s", dir_cfg->authn_header, +-- +2.19.2 + diff --git a/SOURCES/decrypt_aesgcm.patch b/SOURCES/decrypt_aesgcm.patch new file mode 100644 index 0000000..c0993ec --- /dev/null +++ b/SOURCES/decrypt_aesgcm.patch @@ -0,0 +1,72 @@ +commit 71dcbcda4692922360fe6222bd6556cce89d98e4 +Author: John Dennis +Date: Thu Mar 31 16:09:11 2016 -0400 + + apr_jwe_decrypt_content_aesgcm() null terminate string + + Also fixes unit test failure. + + The test test_jwt_decrypt_gcm() in test.c would sometimes fail. The + failure was caused by extra garbage appearing in the decrypted string + after the expected string. This is due to the failure of + apr_jwe_decrypt_content_aesgcm() to null terminate the string as is + similarity done in apr_jwe_decrypt_content_aescbc(). + + This patch copies the logic from apr_jwe_decrypt_content_aescbc() + regarding the decryption output length (p_len) and the final output + length (f_len) which are then used to compute the end of the data in + the output buffer, the next octet after the decrypted data in the + output buffer is then assigned a null terminator. + + 
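Review bot: The oidc_scrub_headers() call is inserted at a single point in oidc_oauth_check_userid, right after the dir_cfg lookup; the function starts before the hunk and continues past it, so any path that returns to the application before reaching this line would presumably still deliver unscrubbed OIDC_ and claim headers, which is worth confirming against the full body. The exported declaration added to mod_auth_openidc.h carries no comment; `/* remove incoming OIDC_-prefixed and claim headers before the request reaches the application */` above `void oidc_scrub_headers(request_rec *r);` would document why the symbol was made non-static. The comment pasted into oauth.c is copied word for word from oidc_handle_existing_session; that is fine for a backport, but a one-line reference to the OIDC path would make the shared intent explicit.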
Signed-off-by: John Dennis + +diff --git a/src/jose/apr_jwe.c b/src/jose/apr_jwe.c +index 6800033..d4b64cb 100644 +--- a/src/jose/apr_jwe.c ++++ b/src/jose/apr_jwe.c +@@ -382,7 +382,7 @@ apr_byte_t apr_jwe_decrypt_content_aesgcm(apr_pool_t *pool, + apr_jwt_error_t *err) { + + EVP_CIPHER_CTX *ctx; +- int outlen, rv; ++ int rv; + + ctx = EVP_CIPHER_CTX_new(); + if (!EVP_DecryptInit_ex(ctx, apr_jwe_enc_to_openssl_cipher(header->enc), +@@ -391,8 +391,9 @@ apr_byte_t apr_jwe_decrypt_content_aesgcm(apr_pool_t *pool, + return FALSE; + } + ++ int p_len = cipher_text->len, f_len = 0; + unsigned char *plaintext = apr_palloc(pool, +- cipher_text->len ++ p_len + + EVP_CIPHER_block_size( + apr_jwe_enc_to_openssl_cipher(header->enc))); + +@@ -407,13 +408,13 @@ apr_byte_t apr_jwe_decrypt_content_aesgcm(apr_pool_t *pool, + return FALSE; + } + /* zero or more calls to specify any AAD */ +- if (!EVP_DecryptUpdate(ctx, NULL, &outlen, (unsigned char *) aad, ++ if (!EVP_DecryptUpdate(ctx, NULL, &p_len, (unsigned char *) aad, + aad_len)) { + apr_jwt_error_openssl(err, "EVP_DecryptUpdate (aad)"); + return FALSE; + } + /* decrypt plaintext */ +- if (!EVP_DecryptUpdate(ctx, plaintext, &outlen, ++ if (!EVP_DecryptUpdate(ctx, plaintext, &p_len, + (unsigned char *) cipher_text->value, cipher_text->len)) { + apr_jwt_error_openssl(err, "EVP_DecryptUpdate (ciphertext)"); + return FALSE; +@@ -425,7 +426,8 @@ apr_byte_t apr_jwe_decrypt_content_aesgcm(apr_pool_t *pool, + } + + /* finalise: note get no output for GCM */ +- rv = EVP_DecryptFinal_ex(ctx, plaintext, &outlen); ++ rv = EVP_DecryptFinal_ex(ctx, plaintext, &f_len); ++ plaintext[p_len + f_len] = '\0'; + + EVP_CIPHER_CTX_free(ctx); + diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec new file mode 100644 index 0000000..2c83c33 --- /dev/null +++ b/SPECS/mod_auth_openidc.spec 
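Review bot: The new terminator write `plaintext[p_len + f_len] = '\0';` relies on the allocation `p_len + EVP_CIPHER_block_size(...)` leaving at least one spare byte past the plaintext; that holds only if the block size reported for the GCM cipher is at least 1 and the decrypted length never exceeds cipher_text->len, neither of which the code states, and a plaintext of exactly cipher_text->len bytes uses the last spare byte for the terminator. Making the extra byte explicit, `p_len + EVP_CIPHER_block_size(apr_jwe_enc_to_openssl_cipher(header->enc)) + 1`, removes that dependency. Note also that p_len is first used as the allocation size and then overwritten by the AAD EVP_DecryptUpdate call and again by the ciphertext call, so a comment such as `/* p_len now holds the number of plaintext bytes written */` before the final write would help; rv from EVP_DecryptFinal_ex appears to be checked outside the hunk, so the terminator is written even when tag verification fails, which is harmless but worth stating in the comment.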
@@ -0,0 +1,123 @@ +%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}} +%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} +%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %{_sysconfdir}/httpd/conf.d}} + +# Optionally build with hiredis if --with hiredis is passed +%{!?_with_hiredis: %{!?_without_hiredis: %global _without_hiredis --without-hiredis}} +# It is an error if both or neither required options exist. +%{?_with_hiredis: %{?_without_hiredis: %{error: both _with_hiredis and _without_hiredis}}} +%{!?_with_hiredis: %{!?_without_hiredis: %{error: neither _with_hiredis nor _without_hiredis}}} + +# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 +%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} + +%global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc + +Name: mod_auth_openidc +Version: 1.8.8 +Release: 5%{?dist} +Summary: OpenID Connect auth module for Apache HTTP Server + +Group: System Environment/Daemons +License: ASL 2.0 +URL: https://github.com/pingidentity/mod_auth_openidc +Source0: https://github.com/pingidentity/mod_auth_openidc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz + +Patch0: decrypt_aesgcm.patch +Patch1: 0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch +Patch2: 0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch +Patch3: 0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch + +BuildRequires: httpd-devel +BuildRequires: openssl-devel +BuildRequires: curl-devel +BuildRequires: jansson-devel +BuildRequires: pcre-devel +BuildRequires: autoconf +BuildRequires: automake +%{?_with_hiresdis:BuildRequires: hiresdis-devel} +Requires: httpd-mmn = %{_httpd_mmn} + +%description +This module enables an Apache 2.x web server to operate as +an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. 
+ +%prep +%setup -q +%patch0 -p1 -b decrypt_aesgcm +%patch1 -p1 -b echo_req +%patch2 -p1 -b scrub_headers +%patch3 -p1 -b scrub_headers_oauth + +%build +# workaround rpm-buildroot-usage +export MODULES_DIR=%{_httpd_moddir} +export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}' +autoreconf +%configure \ + %{?_with_hiredis} \ + %{?_without_hiredis} + +make %{?_smp_mflags} + +%check +export MODULES_DIR=%{_httpd_moddir} +make %{?_smp_mflags} test + +%install +mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir} +make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir} + +install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir} +echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \ + $RPM_BUILD_ROOT%{_httpd_modconfdir}/10-auth_openidc.conf + +install -m 755 -d $RPM_BUILD_ROOT%{_httpd_confdir} +install -m 644 auth_openidc.conf $RPM_BUILD_ROOT%{_httpd_confdir} +# Adjust httpd cache location in install config file +sed -i 's!/var/cache/apache2/!/var/cache/httpd/!' $RPM_BUILD_ROOT%{_httpd_confdir}/auth_openidc.conf +install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir} +install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/metadata +install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache + + +%files +%if 0%{?rhel} && 0%{?rhel} < 7 +%doc LICENSE.txt +%else +%license LICENSE.txt +%endif +%doc ChangeLog +%doc AUTHORS +%doc DISCLAIMER +%doc README.md +%{_httpd_moddir}/mod_auth_openidc.so +%config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf +%config(noreplace) %{_httpd_confdir}/auth_openidc.conf +%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir} +%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata +%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache + +%changelog +* Tue Jan 29 2019 Jakub Hrozek - 1.8.8-5 +- Resolves: rhbz#1626297 - CVE-2017-6413 mod_auth_openidc: OIDC_CLAIM and + OIDCAuthNHeader not skipped in an "AuthType oauth20" + configuration [rhel-7] + +* Tue Jan 29 2019 Jakub Hrozek - 1.8.8-4 +- Resolves: rhbz#1626299 - 
CVE-2017-6059 mod_auth_openidc: Shows + user-supplied content on error pages [rhel-7] + +* Thu Mar 31 2016 John Dennis - 1.8.8-3 +- fix unit test failure caused by apr_jwe_decrypt_content_aesgcm() + failing to null terminate decrypted string + Resolves: bug#1292561 New package: mod_auth_openidc + +* Tue Mar 29 2016 John Dennis - 1.8.8-2 +- Add %check to run test + Resolves: bug#1292561 New package: mod_auth_openidc + +* Tue Mar 29 2016 John Dennis - 1.8.8-1 +- Initial import + Resolves: bug#1292561 New package: mod_auth_openidc +
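Review bot: The conditional build dependency `%{?_with_hiresdis:BuildRequires: hiresdis-devel}` misspells both the macro and the package, so a `--with hiredis` build, which defines `_with_hiredis` (the name tested everywhere else in this spec), never pulls in the hiredis development headers and the `%configure %{?_with_hiredis}` step would likely fail; it should read `%{?_with_hiredis:BuildRequires: hiredis-devel}`. Separately, if `%patch -b` passes its argument through as the backup suffix, the suffixes here have no leading dot and produce backups such as `mod_auth_openidc.cdecrypt_aesgcm`; a `.decrypt_aesgcm` form is the usual convention, though this only affects files left in the build tree.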