diff --git a/.gitignore b/.gitignore
index 5d66359..16796cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /mod_auth_openidc-1.8.7.tar.gz
 /mod_auth_openidc-1.8.8.tar.gz
 /mod_auth_openidc-1.8.10.1.tar.gz
+/mod_auth_openidc-2.3.5.tar.gz
diff --git a/jose.patch b/jose.patch
deleted file mode 100644
index c57ae45..0000000
--- a/jose.patch
+++ /dev/null
@@ -1,331 +0,0 @@ -diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jose.h jose/apr_jose.h ---- mod_auth_openidc-1.8.10.1/src/jose/apr_jose.h 2016-07-11 09:14:40.000000000 -0400 -+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jose.h 2017-02-17 18:52:41.331955735 -0500 -@@ -319,4 +319,10 @@ - - apr_byte_t apr_jwt_memcmp(const void *in_a, const void *in_b, size_t len); - -+#if (OPENSSL_VERSION_NUMBER < 0x10100000) -+#include -+ EVP_MD_CTX * EVP_MD_CTX_new(); -+ void EVP_MD_CTX_free(EVP_MD_CTX *); -+#endif -+ - #endif /* _APR_JOSE_H_ */ -diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwe.c jose/apr_jwe.c ---- mod_auth_openidc-1.8.10.1/src/jose/apr_jwe.c 2016-07-11 09:14:40.000000000 -0400 -+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwe.c 2017-02-17 18:52:41.331955735 -0500 -@@ -175,10 +175,14 @@ - jwk->key.rsa->private_exponent_len, private_exp); - } - -+ /* private_exp is NULL for public keys */ -+#if OPENSSL_VERSION_NUMBER >= 0x10100005L -+ RSA_set0_key(key, modulus, exponent, private_exp); -+#else - key->n = modulus; - key->e = exponent; -- /* private_exp is NULL for public keys */ - key->d = private_exp; -+#endif - - return key; - } -@@ -489,10 +493,10 @@ - unsigned char *plaintext = apr_palloc(pool, p_len + AES_BLOCK_SIZE); - - /* initialize decryption context */ -- EVP_CIPHER_CTX decrypt_ctx; -- EVP_CIPHER_CTX_init(&decrypt_ctx); -+ EVP_CIPHER_CTX *decrypt_ctx = EVP_CIPHER_CTX_new(); -+ EVP_CIPHER_CTX_init(decrypt_ctx); - /* pass the extracted encryption key and Initialization Vector */ -- if (!EVP_DecryptInit_ex(&decrypt_ctx, -+ if (!EVP_DecryptInit_ex(decrypt_ctx, - apr_jwe_enc_to_openssl_cipher(header->enc), NULL, enc_key, - (const unsigned char *) iv->value)) { - apr_jwt_error_openssl(err, "EVP_DecryptInit_ex"); -@@ -500,14 +504,14 @@ - } - - /* decrypt the ciphertext in to the plaintext */ -- if (!EVP_DecryptUpdate(&decrypt_ctx, plaintext, &p_len, -+ if (!EVP_DecryptUpdate(decrypt_ctx, plaintext, &p_len, - (const unsigned char *) cipher_text->value, 
cipher_text->len)) { - apr_jwt_error_openssl(err, "EVP_DecryptUpdate"); - return FALSE; - } - - /* decrypt the remaining bits/padding */ -- if (!EVP_DecryptFinal_ex(&decrypt_ctx, plaintext + p_len, &f_len)) { -+ if (!EVP_DecryptFinal_ex(decrypt_ctx, plaintext + p_len, &f_len)) { - apr_jwt_error_openssl(err, "EVP_DecryptFinal_ex"); - return FALSE; - } -@@ -516,7 +520,7 @@ - *decrypted = (char *) plaintext; - - /* cleanup */ -- EVP_CIPHER_CTX_cleanup(&decrypt_ctx); -+ EVP_CIPHER_CTX_free(decrypt_ctx); - - /* if we got here, all must be fine */ - return TRUE; -diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwk.c jose/apr_jwk.c ---- mod_auth_openidc-1.8.10.1/src/jose/apr_jwk.c 2016-07-11 09:14:40.000000000 -0400 -+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwk.c 2017-02-17 18:52:41.332955699 -0500 -@@ -153,21 +153,30 @@ - goto end; - } - -+ const BIGNUM *rsa_n, *rsa_e, *rsa_d; -+#if OPENSSL_VERSION_NUMBER >= 0x10100005L -+ RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d); -+#else -+ rsa_n=rsa->n; -+ rsa_e=rsa->e; -+ rsa_d=rsa->d; -+#endif -+ - /* convert the modulus bignum in to a key/len */ -- key->modulus_len = BN_num_bytes(rsa->n); -+ key->modulus_len = BN_num_bytes(rsa_n); - key->modulus = apr_pcalloc(pool, key->modulus_len); -- BN_bn2bin(rsa->n, key->modulus); -+ BN_bn2bin(rsa_n, key->modulus); - - /* convert the exponent bignum in to a key/len */ -- key->exponent_len = BN_num_bytes(rsa->e); -+ key->exponent_len = BN_num_bytes(rsa_e); - key->exponent = apr_pcalloc(pool, key->exponent_len); -- BN_bn2bin(rsa->e, key->exponent); -+ BN_bn2bin(rsa_e, key->exponent); - - /* convert the private exponent bignum in to a key/len */ -- if (rsa->d != NULL) { -- key->private_exponent_len = BN_num_bytes(rsa->d); -+ if (rsa_d != NULL) { -+ key->private_exponent_len = BN_num_bytes(rsa_d); - key->private_exponent = apr_pcalloc(pool, key->private_exponent_len); -- BN_bn2bin(rsa->d, key->private_exponent); -+ BN_bn2bin(rsa_d, key->private_exponent); - } - - RSA_free(rsa); -diff -u -r 
mod_auth_openidc-1.8.10.1/src/jose/apr_jws.c jose/apr_jws.c ---- mod_auth_openidc-1.8.10.1/src/jose/apr_jws.c 2016-07-11 09:14:40.000000000 -0400 -+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jws.c 2017-02-17 18:52:41.332955699 -0500 -@@ -219,8 +219,8 @@ - unsigned char **output, unsigned int *output_len, apr_jwt_error_t *err) { - unsigned char md_value[EVP_MAX_MD_SIZE]; - -- EVP_MD_CTX ctx; -- EVP_MD_CTX_init(&ctx); -+ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); -+ EVP_MD_CTX_init(ctx); - - const EVP_MD *evp_digest = NULL; - if ((evp_digest = EVP_get_digestbyname(s_digest)) == NULL) { -@@ -230,20 +230,20 @@ - return FALSE; - } - -- if (!EVP_DigestInit_ex(&ctx, evp_digest, NULL)) { -+ if (!EVP_DigestInit_ex(ctx, evp_digest, NULL)) { - apr_jwt_error_openssl(err, "EVP_DigestInit_ex"); - return FALSE; - } -- if (!EVP_DigestUpdate(&ctx, input, input_len)) { -+ if (!EVP_DigestUpdate(ctx, input, input_len)) { - apr_jwt_error_openssl(err, "EVP_DigestUpdate"); - return FALSE; - } -- if (!EVP_DigestFinal_ex(&ctx, md_value, output_len)) { -+ if (!EVP_DigestFinal_ex(ctx, md_value, output_len)) { - apr_jwt_error_openssl(err, "EVP_DigestFinal_ex"); - return FALSE; - } - -- EVP_MD_CTX_cleanup(&ctx); -+ EVP_MD_CTX_free(ctx); - - *output = apr_pcalloc(pool, *output_len); - memcpy(*output, md_value, *output_len); -@@ -303,8 +303,8 @@ - if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL) - return FALSE; - -- EVP_MD_CTX ctx; -- EVP_MD_CTX_init(&ctx); -+ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); -+ EVP_MD_CTX_init(ctx); - - RSA * privkey = RSA_new(); - -@@ -317,9 +317,13 @@ - BN_bin2bn(jwk->key.rsa->private_exponent, - jwk->key.rsa->private_exponent_len, private_exponent); - -+#if OPENSSL_VERSION_NUMBER >= 0x10100005L -+ RSA_set0_key(privkey, modulus, exponent, private_exponent); -+#else - privkey->n = modulus; - privkey->e = exponent; - privkey->d = private_exponent; -+#endif - - EVP_PKEY* pRsaKey = EVP_PKEY_new(); - if (!EVP_PKEY_assign_RSA(pRsaKey, privkey)) { -@@ -333,15 
+337,15 @@ - unsigned char *pDigest = apr_pcalloc(pool, RSA_size(privkey)); - unsigned int uDigestLen = RSA_size(privkey); - -- if (!EVP_DigestInit(&ctx, digest)) { -+ if (!EVP_DigestInit(ctx, digest)) { - apr_jwt_error_openssl(err, "EVP_DigestInit"); - goto end; - } -- if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) { -+ if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) { - apr_jwt_error_openssl(err, "EVP_DigestUpdate"); - goto end; - } -- if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) { -+ if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) { - apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal"); - goto end; - } -@@ -371,17 +375,17 @@ - - } else { - -- if (!EVP_SignInit_ex(&ctx, digest, NULL)) { -+ if (!EVP_SignInit_ex(ctx, digest, NULL)) { - apr_jwt_error_openssl(err, "EVP_SignInit_ex"); - goto end; - } - -- if (!EVP_SignUpdate(&ctx, jwt->message, strlen(jwt->message))) { -+ if (!EVP_SignUpdate(ctx, jwt->message, strlen(jwt->message))) { - apr_jwt_error_openssl(err, "EVP_SignUpdate"); - goto end; - } - -- if (!EVP_SignFinal(&ctx, (unsigned char *) jwt->signature.bytes, -+ if (!EVP_SignFinal(ctx, (unsigned char *) jwt->signature.bytes, - (unsigned int *) &jwt->signature.length, pRsaKey)) { - apr_jwt_error_openssl(err, "wrong key? 
EVP_SignFinal"); - goto end; -@@ -398,7 +402,7 @@ - } else if (privkey) { - RSA_free(privkey); - } -- EVP_MD_CTX_cleanup(&ctx); -+ EVP_MD_CTX_free(ctx); - - return rc; - } -@@ -416,8 +420,8 @@ - if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL) - return FALSE; - -- EVP_MD_CTX ctx; -- EVP_MD_CTX_init(&ctx); -+ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); -+ EVP_MD_CTX_init(ctx); - - RSA * pubkey = RSA_new(); - -@@ -427,8 +431,12 @@ - BN_bin2bn(jwk->key.rsa->modulus, jwk->key.rsa->modulus_len, modulus); - BN_bin2bn(jwk->key.rsa->exponent, jwk->key.rsa->exponent_len, exponent); - -+#if OPENSSL_VERSION_NUMBER >= 0x10100005L -+ RSA_set0_key(pubkey, modulus, exponent, NULL); -+#else - pubkey->n = modulus; - pubkey->e = exponent; -+#endif - - EVP_PKEY* pRsaKey = EVP_PKEY_new(); - if (!EVP_PKEY_assign_RSA(pRsaKey, pubkey)) { -@@ -451,15 +459,15 @@ - unsigned char *pDigest = apr_pcalloc(pool, RSA_size(pubkey)); - unsigned int uDigestLen = RSA_size(pubkey); - -- if (!EVP_DigestInit(&ctx, digest)) { -+ if (!EVP_DigestInit(ctx, digest)) { - apr_jwt_error_openssl(err, "EVP_DigestInit"); - goto end; - } -- if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) { -+ if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) { - apr_jwt_error_openssl(err, "EVP_DigestUpdate"); - goto end; - } -- if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) { -+ if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) { - apr_jwt_error_openssl(err, "wrong key? 
EVP_DigestFinal"); - goto end; - } -@@ -477,16 +485,16 @@ - } else if (apr_jws_signature_starts_with(pool, jwt->header.alg, - "RS") == TRUE) { - -- if (!EVP_VerifyInit_ex(&ctx, digest, NULL)) { -+ if (!EVP_VerifyInit_ex(ctx, digest, NULL)) { - apr_jwt_error_openssl(err, "EVP_VerifyInit_ex"); - goto end; - } -- if (!EVP_VerifyUpdate(&ctx, jwt->message, strlen(jwt->message))) { -+ if (!EVP_VerifyUpdate(ctx, jwt->message, strlen(jwt->message))) { - apr_jwt_error_openssl(err, "EVP_VerifyUpdate"); - goto end; - } - -- int rv = EVP_VerifyFinal(&ctx, (const unsigned char *) jwt->signature.bytes, -+ int rv = EVP_VerifyFinal(ctx, (const unsigned char *) jwt->signature.bytes, - jwt->signature.length, pRsaKey); - - if (rv < 0) { -@@ -508,7 +516,7 @@ - } else if (pubkey) { - RSA_free(pubkey); - } -- EVP_MD_CTX_cleanup(&ctx); -+ EVP_MD_CTX_free(ctx); - - return rc; - } -diff -u -r mod_auth_openidc-1.8.10.1/src/jose/apr_jwt.c jose/apr_jwt.c ---- mod_auth_openidc-1.8.10.1/src/jose/apr_jwt.c 2016-07-11 09:14:40.000000000 -0400 -+++ mod_auth_openidc-fb1fd4c/src/jose/apr_jwt.c 2017-02-17 18:52:41.332955699 -0500 -@@ -496,12 +496,12 @@ - - static void apr_jwt_serialize_message(apr_pool_t *pool, apr_jwt_t *jwt) { - -- char *s_hdr = json_dumps(jwt->header.value.json, JSON_ENCODE_ANY); -+ char *s_hdr = json_dumps(jwt->header.value.json, JSON_COMPACT); - apr_jwt_base64url_encode(pool, &jwt->header.value.str, s_hdr, strlen(s_hdr), - 0); - free(s_hdr); - -- char *s_payload = json_dumps(jwt->payload.value.json, JSON_ENCODE_ANY); -+ char *s_payload = json_dumps(jwt->payload.value.json, JSON_COMPACT); - apr_jwt_base64url_encode(pool, &jwt->payload.value.str, s_payload, - strlen(s_payload), 0); - free(s_payload); -@@ -589,3 +589,13 @@ - jwt->signature.length, 0); - return apr_psprintf(pool, "%s.%s", jwt->message, b64sig); - } -+ -+#if (OPENSSL_VERSION_NUMBER < 0x10100000) -+EVP_MD_CTX * EVP_MD_CTX_new() { -+ return malloc(sizeof(EVP_MD_CTX)); -+} -+void EVP_MD_CTX_free(EVP_MD_CTX *ctx) { -+ if 
(ctx) free(ctx); -+} -+ -+#endif diff --git a/mod_auth_openidc.spec b/mod_auth_openidc.spec index 529da08..e9e914a 100644 --- a/mod_auth_openidc.spec +++ b/mod_auth_openidc.spec @@ -14,16 +14,14 @@ %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc Name: mod_auth_openidc -Version: 1.8.10.1 -Release: 7%{?dist} +Version: 2.3.5 +Release: 1%{?dist} Summary: OpenID Connect auth module for Apache HTTP Server Group: System Environment/Daemons License: ASL 2.0 -URL: https://github.com/pingidentity/mod_auth_openidc -Source0: https://github.com/pingidentity/mod_auth_openidc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz - -Patch1: jose.patch +URL: https://github.com/zmartzone/mod_auth_openidc +Source0: https://github.com/zmartzone/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz BuildRequires: httpd-devel BuildRequires: openssl-devel @@ -32,7 +30,9 @@ BuildRequires: jansson-devel BuildRequires: pcre-devel BuildRequires: autoconf BuildRequires: automake -%{?_with_hiresdis:BuildRequires: hiresdis-devel} +BuildRequires: cjose-devel +BuildRequires: jq-devel +%{?_with_hiredis:BuildRequires: hiredis-devel} Requires: httpd-mmn = %{_httpd_mmn} %description @@ -41,7 +41,6 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. %prep %setup -q -%patch1 -p1 %build # workaround rpm-buildroot-usage @@ -49,6 +48,7 @@ export MODULES_DIR=%{_httpd_moddir} export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}' autoreconf %configure \ + --with-jq=/usr/lib64/ \ %{?_with_hiredis} \ %{?_without_hiredis} @@ -56,7 +56,8 @@ make %{?_smp_mflags} %check export MODULES_DIR=%{_httpd_moddir} -make %{?_smp_mflags} test +export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}' +make test %install mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir} 
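Review bot: The new Source0 is a GitHub release asset whose only integrity anchor is the SHA512 recorded in `sources`, which proves what the packager downloaded but not that it came from upstream; the old auto-generated archive URL was no better, but a rebase that also drops the only carried patch is the moment to add signature verification if zmartzone publishes a detached signature for the release tarball (I cannot confirm that from here). If it does, add `Source1: https://github.com/zmartzone/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz.asc` plus a `Source2:` keyring, and run `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` in `%prep` before `%setup`. Removing `Patch1: jose.patch` itself looks right, since the hunk below now builds against `cjose-devel` instead of the bundled JOSE code the patch was touching.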
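Review bot: `BuildRequires: cjose-devel` and `BuildRequires: jq-devel` carry no minimum version, although this rebase exists precisely because 2.3.x replaced the bundled JOSE code with libcjose; if the module needs API that older cjose releases lack, a stale buildroot will fail deep inside configure or compile rather than at dependency resolution. Pin the floor that upstream's configure.ac declares (check the tarball, I cannot see it here), e.g. `BuildRequires: cjose-devel >= 0.4.1`, so an unsuitable buildroot is rejected up front. The `_with_hiresdis` to `_with_hiredis` correction also means a `--with hiredis` build now actually pulls in `hiredis-devel` where before the typo made the conditional a no-op; that deserves a changelog line since it changes what the optional build produces.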
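Review bot: `--with-jq=/usr/lib64/` hard-codes the x86_64 library directory, so on any architecture where `%{_libdir}` is `/usr/lib` (i686, armv7hl) configure is pointed at a path that does not hold libjq and the build either fails or silently takes the option's default. Use the macro instead, `--with-jq=%{_libdir} \`, if the option takes a library directory as this value suggests, or `--with-jq=%{_prefix}` if `configure --help` says it wants an install prefix; the trailing slash is unnecessary either way.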
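Review bot: `%check` drops `%{?_smp_mflags}` from the test invocation without saying why, so the next maintainer will read it as an oversight and put it back. If the test target is not parallel-safe, say so on the line above it, `# test target is not parallel-safe; deliberately no %%{?_smp_mflags}` (the doubled `%%` is intentional, rpm expands macros inside comments too); if the flags were dropped by accident, restore `make %{?_smp_mflags} test`. The repeated `export APXS2_OPTS=...` is needed because every spec section runs in its own shell, which is worth a one-line comment as well.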
@@ -83,7 +84,6 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %endif %doc ChangeLog %doc AUTHORS -%doc DISCLAIMER %doc README.md %{_httpd_moddir}/mod_auth_openidc.so %config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf @@ -93,6 +93,9 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %changelog +* Wed May 23 2018 Patrick Uiterwijk - 2.3.5-1 +- Rebase to 2.3.5 + * Fri Feb 09 2018 Igor Gnatenko - 1.8.10.1-7 - Escape macros in %%changelog diff --git a/sources b/sources index 42dae9d..c1cba2c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f73804c4b1df7e4402b7de4badc2866a mod_auth_openidc-1.8.10.1.tar.gz +SHA512 (mod_auth_openidc-2.3.5.tar.gz) = f15c0c4c62abfa7d19d3c1ea7e1e10e972d1faaca577e9ae7064cdb10f0e986295ce853dd9e74ddd907ec7b59cf8ee8fbb5a42d12a2267485e0df4f6cabfe8c6