diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3513201 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/mod_auth_openidc-2.3.7.tar.gz diff --git a/.mod_auth_openidc.metadata b/.mod_auth_openidc.metadata new file mode 100644 index 0000000..4a55f1a --- /dev/null +++ b/.mod_auth_openidc.metadata @@ -0,0 +1 @@ +0f9d620dad066ae8c415a59055903da1bfa9a4bf SOURCES/mod_auth_openidc-2.3.7.tar.gz diff --git a/SOURCES/test-segfault.patch b/SOURCES/test-segfault.patch new file mode 100644 index 0000000..34bf7f0 --- /dev/null +++ b/SOURCES/test-segfault.patch @@ -0,0 +1,167 @@ +commit fe7dfb14c45262df3b15bda374b2ee390b43cfb4 +Author: John Dennis +Date: Tue Aug 14 18:08:56 2018 -0400 + + test_proto_authorization_request() segfault due to uninitialized value + + Many thanks to Florian Weimer for his assistence + in helping diagnose the problem. + + In test_proto_authorization_request() it creates a provider object but + fails to fully initialize it. In particular it fails to initialize + auth_request_method to OIDC_AUTH_REQUEST_METHOD_GET. + + The function oidc_proto_authorization_request() in the file + src/proto.c has a weak test for provider->auth_request_method on line + 646. + + if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) { + /* construct a HTML POST auto-submit page with the authorization request parameters */ + } else { + /* construct the full authorization request URL */ + } + + The assumption is provider->auth_request_method must be one of + OIDC_AUTH_REQUEST_METHOD_GET or OIDC_AUTH_REQUEST_METHOD_POST but if + the provider struct is not properly initialized it could be any random + value. Therefore the fact provider->auth_request_method does not equal + OIDC_AUTH_REQUEST_METHOD_POST does not imply it's + OIDC_AUTH_REQUEST_METHOD_GET. The test would also be a problem if + OIDC_AUTH_REQUEST_METHOD ever added a new enumerated value. + + The defined values for OIDC_AUTH_REQUEST_METHOD are: + define OIDC_AUTH_REQUEST_METHOD_GET 0 + define OIDC_AUTH_REQUEST_METHOD_POST 1 + + So what the test on line src/proto.c:646 is really saying is this: + if provider->auth_request_method != 1 then use the GET method. + + The unit test works most of the time because it's unlikely the + unitialized auth_request_method member will be exactly 1. Except on + some architectures it is (e.g. s390x). Of course what's on the stack + is influenced by a variety of factors (all unknown). + + The segfault occurs because oidc_proto_authorization_request() takes + the OIDC_AUTH_REQUEST_METHOD_POST branch and calls + oidc_proto_html_post() which then operates on more uninitialized + data. Specfically request->connection->bucket_alloc is + NULL. Fortunately the request object was intialized to zero via + apr_pcalloc() so at least bucket_alloc will consistetnly be NULL. + + Here is the stack trace: + + Program received signal SIGSEGV, Segmentation fault. + 0x00007ffff6b9f67a in apr_bucket_alloc () from /lib64/libaprutil-1.so.0 + (gdb) bt + from /lib64/libaprutil-1.so.0 + data=0x6adfe0 "\n\n \n \n Submitting"..., + data_len=825, content_type=0x47311a "text/html", success_rvalue=-2) + at src/util.c:1307 + title=0x46bf28 "Submitting...", html_head=0x0, + on_load=0x46bf0d "document.forms[0].submit()", + html_body=0x6add40 " <p>Submitting Authentication Request...</p>\n <form method=\"post\" action=\"https://idp.example.com/authorize\">\n <p>\n <input type=\"hidden\" name=\"response_type\" value=\"code\">\n <input"..., status_code=-2) at src/util.c:1349 + url=0x465758 "https://idp.example.com/authorize", params=0x6acf30) + at src/proto.c:544 + provider=0x7fffffffd260, login_hint=0x0, + redirect_uri=0x465790 "https://www.example.com/protected/", + state=0x4657b3 "12345", proto_state=0x68e5f0, id_token_hint=0x0, + nge=0x0, auth_request_params=0x0, path_scope=0x0) at src/proto.c:650 + + This patch does the following: + + 1) Initializes the provider struct created on the stack in + test_proto_authorization_request to zero so it's at least + initialized to known consistent values. + + 2) Initializes provider.auth_request_method to + OIDC_AUTH_REQUEST_METHOD_GET. + + 3) Initializes request->connection->bucket_alloc via + apr_bucket_alloc_create() so if one does enter that code it won't + segfault. + + It's easy to verify the above observations. + + If you explicitly intialize provider.auth_request_method to + OIDC_AUTH_REQUEST_METHOD_POST in test_proto_authorization_request() + instead of allowing it to be a random stack value you will segfault + every time. However if you initialize request->connection->bucket_alloc + the segfault goes away and the unit test correctly reports the error, + e.g. + + Failed: # test_proto_authorization_request: error in oidc_proto_authorization_request (1): result "0" != expected "1" + + WARNING: This patch does not address the test in proto.c:646. That + test should be augmented to assure only valid enumerated values are + operated on and if the enumerated value is not valid it should return + an error. + +Note: The above was fixed in the following commit. + + Signed-off-by: John Dennis <jdennis@redhat.com> + +diff --git a/test/test.c b/test/test.c +index 16f09b5..87d3700 100755 +--- a/test/test.c ++++ b/test/test.c +@@ -1019,6 +1019,9 @@ static char *test_proto_validate_code(request_rec *r) { + static char * test_proto_authorization_request(request_rec *r) { + + oidc_provider_t provider; ++ ++ memset(&provider, 0, sizeof(provider)); ++ + provider.issuer = "https://idp.example.com"; + provider.authorization_endpoint_url = "https://idp.example.com/authorize"; + provider.scope = "openid"; +@@ -1028,6 +1031,8 @@ static char * test_proto_authorization_request(request_rec *r) { + provider.auth_request_params = NULL; + provider.request_object = NULL; + provider.token_binding_policy = OIDC_TOKEN_BINDING_POLICY_OPTIONAL; ++ provider.auth_request_method = OIDC_AUTH_REQUEST_METHOD_GET; ++ + const char *redirect_uri = "https://www.example.com/protected/"; + const char *state = "12345"; + +@@ -1260,6 +1265,7 @@ static request_rec * test_setup(apr_pool_t *pool) { + sizeof(struct process_rec)); + request->server->process->pool = request->pool; + request->connection = apr_pcalloc(request->pool, sizeof(struct conn_rec)); ++ request->connection->bucket_alloc = apr_bucket_alloc_create(request->pool); + request->connection->local_addr = apr_pcalloc(request->pool, + sizeof(apr_sockaddr_t)); + +commit aca77a82c1ce2f1ec8f363066ffbc480b3bd75c8 +Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu> +Date: Wed Aug 15 07:47:57 2018 +0200 + + add sanity check on provider->auth_request_method; closes #382 + + thanks @jdennis; bump to 2.3.8rc4 + + Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu> + +diff --git a/src/proto.c b/src/proto.c +index e9dbc99..ac7696a 100644 +--- a/src/proto.c ++++ b/src/proto.c +@@ -649,7 +649,7 @@ int oidc_proto_authorization_request(request_rec *r, + rv = oidc_proto_html_post(r, provider->authorization_endpoint_url, + params); + +- } else { ++ } else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) { + + /* construct the full authorization request URL */ + authorization_request = oidc_util_http_query_encoded_url(r, +@@ -666,6 +666,10 @@ int oidc_proto_authorization_request(request_rec *r, + /* and tell Apache to return an HTTP Redirect (302) message */ + rv = HTTP_MOVED_TEMPORARILY; + } ++ } else { ++ oidc_error(r, "provider->auth_request_method set to wrong value: %d", ++ provider->auth_request_method); ++ return HTTP_INTERNAL_SERVER_ERROR; + } + + /* add a referred token binding request for the provider if enabled */ diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec new file mode 100644 index 0000000..43ab2f6 --- /dev/null +++ b/SPECS/mod_auth_openidc.spec @@ -0,0 +1,163 @@ +%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}} +%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} +%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %{_sysconfdir}/httpd/conf.d}} + +# Optionally build with hiredis if --with hiredis is passed +%{!?_with_hiredis: %{!?_without_hiredis: %global _without_hiredis --without-hiredis}} +# It is an error if both or neither required options exist. +%{?_with_hiredis: %{?_without_hiredis: %{error: both _with_hiredis and _without_hiredis}}} +%{!?_with_hiredis: %{!?_without_hiredis: %{error: neither _with_hiredis nor _without_hiredis}}} + +# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 +%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} + +%global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc + +Name: mod_auth_openidc +Version: 2.3.7 +Release: 3%{?dist} +Summary: OpenID Connect auth module for Apache HTTP Server + +Group: System Environment/Daemons +License: ASL 2.0 +URL: https://github.com/zmartzone/mod_auth_openidc +Source0: https://github.com/zmartzone/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz + +Patch1: test-segfault.patch + +BuildRequires: gcc +BuildRequires: httpd-devel +BuildRequires: openssl-devel +BuildRequires: curl-devel +BuildRequires: jansson-devel +BuildRequires: pcre-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: cjose-devel +BuildRequires: jq-devel +%{?_with_hiredis:BuildRequires: hiredis-devel} +Requires: httpd-mmn = %{_httpd_mmn} + +%description +This module enables an Apache 2.x web server to operate as +an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. + +%prep +%setup -q +%patch1 -p1 + +%build +# workaround rpm-buildroot-usage +export MODULES_DIR=%{_httpd_moddir} +export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}' +autoreconf +%configure \ + --with-jq=/usr/lib64/ \ + %{?_with_hiredis} \ + %{?_without_hiredis} + +make %{?_smp_mflags} + +%check +export MODULES_DIR=%{_httpd_moddir} +export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}' +make test + +%install +mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir} +make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir} + +install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir} +echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \ + $RPM_BUILD_ROOT%{_httpd_modconfdir}/10-auth_openidc.conf + +install -m 755 -d $RPM_BUILD_ROOT%{_httpd_confdir} +install -m 644 auth_openidc.conf $RPM_BUILD_ROOT%{_httpd_confdir} +# Adjust httpd cache location in install config file +sed -i 's!/var/cache/apache2/!/var/cache/httpd/!' $RPM_BUILD_ROOT%{_httpd_confdir}/auth_openidc.conf +install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir} +install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/metadata +install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache + + +%files +%if 0%{?rhel} && 0%{?rhel} < 7 +%doc LICENSE.txt +%else +%license LICENSE.txt +%endif +%doc ChangeLog +%doc AUTHORS +%doc README.md +%{_httpd_moddir}/mod_auth_openidc.so +%config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf +%config(noreplace) %{_httpd_confdir}/auth_openidc.conf +%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir} +%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata +%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache + +%changelog +* Thu Aug 16 2018 <jdennis@redhat.com> - 2.3.7-3 +- Resolves: rhbz# 1614977 - fix unit test segfault, + the problem was not limited exclusively to s390x, but s390x provoked it. + +* Fri Aug 10 2018 <jdennis@redhat.com> - 2.3.7-2 +- disable running check on s390x + +* Wed Aug 1 2018 <jdennis@redhat.com> - 2.3.7-1 +- upgrade to upstream 2.3.7 + +* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed May 23 2018 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.3.5-1 +- Rebase to 2.3.5 + +* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.8.10.1-7 +- Escape macros in %%changelog + +* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 18 2017 John Dennis <jdennis@redhat.com> - 1.8.10.1-3 +- Resolves: #1423956 fails to build with openssl 1.1.x + Also rolls up all fixes to jose library before the change over to cjose + +* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jul 12 2016 John Dennis <jdennis@redhat.com> - 1.8.10.1-1 +- Upgrade to new upstream + See /usr/share/doc/mod_auth_openidc/ChangeLog for details + +* Tue Mar 29 2016 John Dennis <jdennis@redhat.com> - 1.8.8-4 +- Add %%check to run test + +* Wed Mar 23 2016 John Dennis <jdennis@redhat.com> - 1.8.8-3 +- Make building with redis support optional (defaults to without) + +* Mon Mar 21 2016 John Dennis <jdennis@redhat.com> - 1.8.8-2 +- Add missing unpackaged files/directories + + Add to doc: README.md, DISCLAIMER, AUTHORS + Add to httpd/conf.d: auth_openidc.conf + Add to /var/cache: /var/cache/httpd/mod_auth_openidc/cache + /var/cache/httpd/mod_auth_openidc/metadata + +* Thu Mar 10 2016 Jan Pazdziora <jpazdziora@redhat.com> 1.8.8-1 +- Update to 1.8.8 (#1316528) + +* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Sat Jan 09 2016 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 1.8.7-1 +- Update to 1.8.7 (#1297080) + +* Sat Nov 07 2015 Jan Pazdziora <jpazdziora@redhat.com> 1.8.6-1 +- Initial packaging for Fedora 23.