

No commits in common. "stream-mod_auth_openidc-2.3-rhel-8.9.0" and "c8-stream-2.3" have entirely different histories.

15 changed files with 1830 additions and 42 deletions

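--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 SOURCES/v2.4.9.4.tar.gz
-/v2.4.9.4.tar.gz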


@ -0,0 +1 @@
47f8b949552c3d32f019c5cf785c4672dc0f8aae SOURCES/v2.4.9.4.tar.gz


@ -0,0 +1,46 @@
diff -up mod_auth_openidc-2.4.9.4/src/util.c.orig mod_auth_openidc-2.4.9.4/src/util.c
--- mod_auth_openidc-2.4.9.4/src/util.c.orig 2024-02-29 17:54:55.939797412 +0100
+++ mod_auth_openidc-2.4.9.4/src/util.c 2024-02-29 18:01:12.042842605 +0100
@@ -1270,25 +1270,24 @@ static char* oidc_util_get_chunk_cookie_
*/
char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
int chunkSize) {
- char *cookieValue = NULL;
- char *chunkValue = NULL;
- int i = 0;
- if (chunkSize == 0) {
- cookieValue = oidc_util_get_cookie(r, cookieName);
- } else {
- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
- if (chunkCount > 0) {
- cookieValue = "";
- for (i = 0; i < chunkCount; i++) {
- chunkValue = oidc_util_get_cookie(r,
- oidc_util_get_chunk_cookie_name(r, cookieName, i));
- if (chunkValue != NULL)
- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
- chunkValue);
- }
- } else {
- cookieValue = oidc_util_get_cookie(r, cookieName);
+ char *cookieValue = NULL, *chunkValue = NULL;
+ int chunkCount = 0, i = 0;
+ if (chunkSize == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ chunkCount = oidc_util_get_chunked_count(r, cookieName);
+ if (chunkCount == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ if ((chunkCount < 0) || (chunkCount > 99)) {
+ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
+ return NULL;
+ }
+ for (i = 0; i < chunkCount; i++) {
+ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
+ if (chunkValue == NULL) {
+ oidc_warn(r, "could not find chunk %d; aborting", i);
+ break;
}
+ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
}
return cookieValue;
}
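Review bot: When a chunk is missing, the `break` under the `could not find chunk %d; aborting` warning leaves `cookieValue` holding the concatenation of the chunks found so far, so oidc_util_get_chunked_cookie hands the caller a truncated cookie value as if it were complete; since the message says it is aborting, `return NULL;` in place of `break;` matches that intent and lets the caller treat the cookie as absent. The `99` bound is a magic number with no explanation of where the limit comes from; a named constant (a proposal, e.g. `enum { OIDC_COOKIE_CHUNK_MAX = 99 };`) used in both the comparison and a short comment would document it. The assembly loop re-copies the accumulated value on every iteration (`apr_psprintf(r->pool, "%s%s", ...)`), which is quadratic in the chunk count but bounded by the new limit, so it is acceptable as written.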


@ -0,0 +1,95 @@
diff -up mod_auth_openidc-2.4.10/src/cache/file.c.orig mod_auth_openidc-2.4.10/src/cache/file.c
--- mod_auth_openidc-2.4.10/src/cache/file.c.orig 2024-04-16 11:12:38.942552103 +0200
+++ mod_auth_openidc-2.4.10/src/cache/file.c 2024-04-16 11:13:09.890588209 +0200
@@ -329,8 +329,10 @@ static apr_status_t oidc_cache_file_clea
}
/* read the header with cache metadata info */
+ apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
rc = oidc_cache_file_read(r, path, fd, &info,
sizeof(oidc_cache_file_info_t));
+ apr_file_unlock(fd);
apr_file_close(fd);
if (rc == APR_SUCCESS) {
@@ -372,14 +374,15 @@ static apr_status_t oidc_cache_file_clea
/*
* write a value for the specified key to the cache
*/
-static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
- const char *key, const char *value, apr_time_t expiry) {
+static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section, const char *key,
+ const char *value, apr_time_t expiry) {
apr_file_t *fd = NULL;
apr_status_t rc = APR_SUCCESS;
char s_err[128];
/* get the fully qualified path to the cache file based on the key name */
- const char *path = oidc_cache_file_path(r, section, key);
+ const char *target = oidc_cache_file_path(r, section, key);
+ const char *path = apr_psprintf(r->pool, "%s.tmp", target);
/* only on writes (not on reads) we clean the cache first (if not done recently) */
oidc_cache_file_clean(r);
@@ -387,24 +390,22 @@ static apr_byte_t oidc_cache_file_set(re
/* just remove cache file if value is NULL */
if (value == NULL) {
if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) {
- oidc_error(r, "could not delete cache file \"%s\" (%s)", path,
- apr_strerror(rc, s_err, sizeof(s_err)));
+ oidc_error(r, "could not delete cache file \"%s\" (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
}
return TRUE;
}
/* try to open the cache file for writing, creating it if it does not exist */
- if ((rc = apr_file_open(&fd, path,
- (APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_TRUNCATE),
- APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
- oidc_error(r, "cache file \"%s\" could not be opened (%s)", path,
- apr_strerror(rc, s_err, sizeof(s_err)));
+ if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE),
+ APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
+ oidc_error(r, "cache file \"%s\" could not be opened (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
return FALSE;
}
/* lock the file and move the write pointer to the start of it */
apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
apr_off_t begin = 0;
+ apr_file_trunc(fd, begin);
apr_file_seek(fd, APR_SET, &begin);
/* construct the metadata for this cache entry in the header info */
@@ -413,22 +414,24 @@ static apr_byte_t oidc_cache_file_set(re
info.len = strlen(value) + 1;
/* write the header */
- if ((rc = oidc_cache_file_write(r, path, fd, &info,
- sizeof(oidc_cache_file_info_t))) != APR_SUCCESS)
+ if ((rc = oidc_cache_file_write(r, path, fd, &info, sizeof(oidc_cache_file_info_t)))
+ != APR_SUCCESS)
return FALSE;
/* next write the value */
- rc = oidc_cache_file_write(r, path, fd, (void *) value, info.len);
+ rc = oidc_cache_file_write(r, path, fd, (void*) value, info.len);
/* unlock and close the written file */
apr_file_unlock(fd);
apr_file_close(fd);
+ if (rename(path, target) != 0) {
+ oidc_error(r, "cache file: %s could not be renamed to: %s", path, target);
+ return FALSE;
+ }
+
/* log our success/failure */
- oidc_debug(r,
- "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes",
- (rc == APR_SUCCESS) ? "successfully stored" : "could not store",
- key, info.len);
+ oidc_debug(r, "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes", (rc == APR_SUCCESS) ? "successfully stored" : "could not store", key, info.len);
return (rc == APR_SUCCESS);
}
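Review bot: In the `value == NULL` branch of oidc_cache_file_set, `apr_file_remove(path, r->pool)` now acts on the `.tmp` name, because the hunk rebinds `path` to `"%s.tmp"` and moves the real cache file to `target`; a delete request therefore no longer removes the cache entry (it will normally log `could not delete cache file` for a `.tmp` that does not exist and leave the entry in place). That line should read `if ((rc = apr_file_remove(target, r->pool)) != APR_SUCCESS) {` with `target` in the error message as well. Separately, `rename(path, target)` runs before `rc` from the value write is checked, so a failed or short write is still published over the previous good entry; checking `rc` first, removing the temporary file on failure, and using `apr_file_rename` (the rest of the function is APR-based and reports `apr_strerror` text) preserves the atomic-replace intent, as sketched below. The `return FALSE` after the header write, which this hunk only reflows, also leaves the locked `fd` open and the `.tmp` file behind.
```c
	/* unlock and close the written file */
	apr_file_unlock(fd);
	apr_file_close(fd);
	/* never publish a partially written entry over the previous one */
	if (rc != APR_SUCCESS) {
		apr_file_remove(path, r->pool);
	} else if ((rc = apr_file_rename(path, target, r->pool)) != APR_SUCCESS) {
		oidc_error(r, "cache file \"%s\" could not be renamed to \"%s\" (%s)", path, target, apr_strerror(rc, s_err, sizeof(s_err)));
		return FALSE;
	}
	/* … unchanged: success/failure debug log and return (rc == APR_SUCCESS) … */
```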


@ -0,0 +1,83 @@
diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig 2025-04-11 10:49:32.095915197 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c 2025-04-11 10:51:12.493949688 +0200
@@ -4258,7 +4258,11 @@ int oidc_content_handler(request_rec *r)
rc = oidc_discovery(r, c);
- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+
+ rc = OK;
+
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
rc = OK;
diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig 2025-04-11 10:49:32.081518446 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h 2025-04-11 10:51:12.495521138 +0200
@@ -88,7 +88,8 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
#define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
#define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
/* parameter name of the callback URL in the discovery response */
#define OIDC_DISC_CB_PARAM "oidc_callback"
diff -up mod_auth_openidc-2.4.9.4/src/proto.c.orig mod_auth_openidc-2.4.9.4/src/proto.c
--- mod_auth_openidc-2.4.9.4/src/proto.c.orig 2021-09-03 10:41:21.000000000 +0200
+++ mod_auth_openidc-2.4.9.4/src/proto.c 2025-04-11 10:51:12.495927318 +0200
@@ -591,7 +591,7 @@ static int oidc_proto_add_form_post_para
/*
* make the browser POST parameters through Javascript auto-submit
*/
-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
apr_table_t *params) {
oidc_debug(r, "enter");
@@ -607,8 +607,7 @@ static int oidc_proto_html_post(request_
html_body = apr_psprintf(r->pool, "%s%s", data.html_body, " </p>\n"
" </form>\n");
- return oidc_util_html_send(r, "Submitting...", NULL,
- "document.forms[0].submit", html_body, OK);
+ oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
}
void add_auth_request_params(request_rec *r, apr_table_t *params,
@@ -739,8 +738,12 @@ int oidc_proto_authorization_request(req
if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
/* construct a HTML POST auto-submit page with the authorization request parameters */
- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
- params);
+ oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+
+ /* signal this to the content handler */
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+ r->user = "";
+ rv = OK;
} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
@@ -748,7 +751,6 @@ int oidc_proto_authorization_request(req
authorization_request = oidc_util_http_query_encoded_url(r,
provider->authorization_endpoint_url, params);
- // TODO: should also enable this when using the POST binding for the auth request
/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
if (oidc_post_preserve_javascript(r, authorization_request, NULL,
NULL) == FALSE) {
@@ -762,7 +764,7 @@ int oidc_proto_authorization_request(req
} else {
/* signal this to the content handler */
- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
r->user = "";
rv = OK;



@ -15,14 +15,18 @@
Name: mod_auth_openidc Name: mod_auth_openidc
Version: 2.4.9.4 Version: 2.4.9.4
Release: 5%{?dist} Release: 8%{?dist}
Summary: OpenID Connect auth module for Apache HTTP Server Summary: OpenID Connect auth module for Apache HTTP Server
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/zmartzone/mod_auth_openidc URL: https://github.com/zmartzone/mod_auth_openidc
Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
Patch0: 0001-CVE-2022-23527.patch Patch1: 0001-CVE-2022-23527.patch
Patch1: 0002-CVE-2023-28625.patch Patch2: 0002-CVE-2023-28625.patch
Patch3: 0003-CVE-2024-24814.patch
Patch4: 0004-race-condition.patch
Patch5: 0005-CVE-2025-31492.patch
Patch6: 0006-string-compare.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: httpd-devel BuildRequires: httpd-devel
@ -98,6 +102,19 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog %changelog
* Fri Apr 25 2025 Tomas Halman <thalman@redhat.com> - 2.4.9.4-8
- Resolves: RHEL-87759 - Empty POST causes crash with OIDCPreservePost
* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.9.4-7
- Resolves: RHEL-86218 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
POSTs to leak protected data (CVE-2025-31492)
* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.9.4-6
- Resolves: RHEL-36492 Race condition in mod_auth_openidc filecache
- Resolves: RHEL-25421 mod_auth_openidc: DoS when using
`OIDCSessionType client-cookie` and manipulating cookies
(CVE-2024-24814)
* Tue Apr 25 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-5 * Tue Apr 25 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-5
Related: rhbz#2141850 - fix cjose version dependency Related: rhbz#2141850 - fix cjose version dependency
@ -108,7 +125,7 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
- Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference - Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference
when OIDCStripCookies is set and a crafted Cookie header is supplied when OIDCStripCookies is set and a crafted Cookie header is supplied
* Thu Feb 21 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-2 * Tue Feb 21 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-2
- Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in - Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in
oidc_validate_redirect_url() using tab character oidc_validate_redirect_url() using tab character


@ -1,6 +0,0 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}


@ -1 +0,0 @@
SHA512 (v2.4.9.4.tar.gz) = cc4850cf88e5920fd944f5865f2bf0072f12d26a7f5aad38f378412dec01a9698c899616320a584a6e6d81f5dd50aaa1f5598cdc7cb50df6215dc516fa507d4e


@ -1 +0,0 @@
1


@ -1,5 +0,0 @@
---
standard-inventory-qcow2:
qemu:
m: 3G
smp: 2


@ -1,12 +0,0 @@
#!/bin/bash
export GIT_SSL_NO_VERIFY=true
git clone https://github.com/latchset/federation_testing.git
cd federation_testing
if [ ! -d /tmp/artifacts ]; then
mkdir -p /tmp/artifacts
fi
./setup.sh
./test_oidc.sh


@ -1,12 +0,0 @@
- hosts: localhost
roles:
- role: standard-test-basic
tags:
- classic
tests:
- mod_auth_mellon:
dir: scripts
run: ./run_tests.sh
required_packages:
- git