From 284537dfc0585e08cfc0702c89b241d8986c7236 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Fri, 3 Aug 2018 12:22:45 +0200
Subject: [PATCH 07/11] set boundaries on min and max values on number of parallel state cookies
Signed-off-by: Hans Zandbelt
(cherry picked from commit b8c53d7e0439f190afe0c6eeb2e2e12e881c65ac)
---
 src/config.c | 17 ++++++++++++++++-
 src/parse.c | 31 +++++++++++++++++++++++++++++++
 src/parse.h | 2 ++
 3 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/src/config.c b/src/config.c
index 2fd63ea..c793818 100644
--- a/src/config.c
+++ b/src/config.c
@@ -997,6 +997,21 @@ static const char *oidc_set_client_auth_bearer_token(cmd_parms *cmd,
 return NULL;
 }
+/*
+ * set the maximun number of parallel state cookies
+ */
+static const char *oidc_set_max_number_of_state_cookies(cmd_parms *cmd,
+ void *struct_ptr, const char *arg) {
+ oidc_cfg *cfg = (oidc_cfg *) ap_get_module_config(
+ cmd->server->module_config, &auth_openidc_module);
+ const char *rv = oidc_parse_max_number_of_state_cookies(cmd->pool, arg,
+ &cfg->max_number_of_state_cookies);
+ return OIDC_CONFIG_DIR_RV(cmd, rv);
+}
+
+/*
+ * return the maximun number of parallel state cookies
+ */
 int oidc_cfg_max_number_of_state_cookies(oidc_cfg *cfg) {
 if (cfg->max_number_of_state_cookies == OIDC_CONFIG_POS_INT_UNSET)
 return OIDC_DEFAULT_MAX_NUMBER_OF_STATE_COOKIES;
@@ -2642,7 +2657,7 @@ const command_rec oidc_config_cmds[] = {
 RSRC_CONF,
 "Time to live in seconds for state parameter (cq. interval in which the authorization request and the corresponding response need to be completed)."),
 AP_INIT_TAKE1(OIDCStateMaxNumberOfCookies,
- oidc_set_int_slot,
+ oidc_set_max_number_of_state_cookies,
 (void*)APR_OFFSETOF(oidc_cfg, max_number_of_state_cookies),
 RSRC_CONF,
 "Maximun number of parallel state cookies i.e. outstanding authorization requests."),
diff --git a/src/parse.c b/src/parse.c
index 9d3763c..0f986fd 100644
--- a/src/parse.c
+++ b/src/parse.c
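Review bot: In src/config.c, both comments added around `oidc_set_max_number_of_state_cookies` spell the word "maximun", and neither mentions that the directive value is now range-checked at configuration time. I would write the first as `/* set the maximum number of parallel state cookies; the value is validated by oidc_parse_max_number_of_state_cookies */` and the second as `/* return the maximum number of parallel state cookies, or the default when unset */`. The body of `oidc_cfg_max_number_of_state_cookies` continues outside the hunk.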
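Review bot: In the `oidc_config_cmds[]` entry for `OIDCStateMaxNumberOfCookies` (src/config.c, second hunk), the third argument `(void*)APR_OFFSETOF(oidc_cfg, max_number_of_state_cookies)` is left over from `oidc_set_int_slot`. The new handler `oidc_set_max_number_of_state_cookies` never reads `struct_ptr` and stores into `cfg->max_number_of_state_cookies` by name. The stale offset is harmless but suggests the handler is slot-driven; either pass `NULL` here or add a comment on the handler such as `/* struct_ptr is unused: the field is addressed by name so the value can be validated first */`. The command table starts and ends outside the hunk, so other custom setters may follow a convention that is not visible here.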
@@ -530,6 +530,28 @@ const char *oidc_valid_session_max_duration(apr_pool_t *pool, int v) {
 return NULL;
 }
+#define OIDC_MAX_NUMBER_OF_STATE_COOKIES_MIN 0
+#define OIDC_MAX_NUMBER_OF_STATE_COOKIES_MAX 255
+
+/*
+ * check the maximum number of parallel state cookies
+ */
+const char *oidc_valid_max_number_of_state_cookies(apr_pool_t *pool, int v) {
+ if (v == 0) {
+ return NULL;
+ }
+ if (v < OIDC_MAX_NUMBER_OF_STATE_COOKIES_MIN) {
+ return apr_psprintf(pool, "maximum must not be less than %d",
+ OIDC_MAX_NUMBER_OF_STATE_COOKIES_MIN);
+ }
+ if (v > OIDC_MAX_NUMBER_OF_STATE_COOKIES_MAX) {
+ return apr_psprintf(pool, "maximum must not be greater than %d",
+ OIDC_MAX_NUMBER_OF_STATE_COOKIES_MAX);
+ }
+ return NULL;
+}
+
+
 /*
 * parse a session max duration value from the provided string
 */
@@ -1218,3 +1240,12 @@ const char *oidc_parse_auth_request_method(apr_pool_t *pool, const char *arg,
 return NULL;
 }
+
+/*
+ * parse the maximum number of parallel state cookies
+ */
+const char *oidc_parse_max_number_of_state_cookies(apr_pool_t *pool,
+ const char *arg, int *int_value) {
+ return oidc_parse_int_valid(pool, arg, int_value,
+ oidc_valid_max_number_of_state_cookies);
+}
diff --git a/src/parse.h b/src/parse.h
index 853e98f..6355db4 100644
--- a/src/parse.h
+++ b/src/parse.h
@@ -90,6 +90,7 @@ const char *oidc_valid_userinfo_refresh_interval(apr_pool_t *pool, int v);
 const char *oidc_valid_userinfo_token_method(apr_pool_t *pool, const char *arg);
 const char *oidc_valid_token_binding_policy(apr_pool_t *pool, const char *arg);
 const char *oidc_valid_auth_request_method(apr_pool_t *pool, const char *arg);
+const char *oidc_valid_max_number_of_state_cookies(apr_pool_t *pool, int v);
 const char *oidc_parse_int(apr_pool_t *pool, const char *arg, int *int_value);
 const char *oidc_parse_boolean(apr_pool_t *pool, const char *arg, int *bool_value);
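Review bot: In `oidc_valid_max_number_of_state_cookies` (src/parse.c, first hunk), the early `if (v == 0) return NULL;` is redundant while `OIDC_MAX_NUMBER_OF_STATE_COOKIES_MIN` is 0, and nothing in the hunk says what a configured 0 means. If 0 switches the limit off in the code that counts state cookies (not visible in this patch), the new upper bound can still be disabled by configuration. That should be stated next to the check, for example `/* 0 is always accepted (presumably "no limit" - confirm); any other value must lie within [MIN, MAX] */`. The cap of 255 also bounds only the number of cookies, not the size of the resulting Cookie header, so the directive documentation could say that a high setting may still exceed the server's request-header limit.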
@@ -116,6 +117,7 @@ const char *oidc_parse_info_hook_data(apr_pool_t *pool, const char *arg, apr_has
 const char *oidc_parse_token_binding_policy(apr_pool_t *pool, const char *arg, int *int_value);
 const char *oidc_token_binding_policy2str(apr_pool_t *pool, int v);
 const char *oidc_parse_auth_request_method(apr_pool_t *pool, const char *arg, int *method);
+const char *oidc_parse_max_number_of_state_cookies(apr_pool_t *pool, const char *arg, int *int_value);
 typedef const char *(*oidc_valid_int_function_t)(apr_pool_t *, int);
 typedef const char *(*oidc_valid_function_t)(apr_pool_t *, const char *);
--
2.26.2