fix concurrency issue when using OAuth2Verify metadata

- closes #37; thanks @rtitle
- fix memory leak in cURL writeback function
- release 1.4.5.1

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>

Author: zandbelt

ChangeLog

@@ -1,3 +1,8 @@
+08/22/2022
+- fix concurrency issue when using OAuth2Verify metadata; see #37; thanks @rtitle
+- fix memory leak in cURL writeback function
+- release 1.4.5.1
+
 07/28/2022
 - fix memory leak when using OAuth2Verify metadata
 

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([liboauth2],[1.4.5],[hans.zandbelt@zmartzone.eu])
+AC_INIT([liboauth2],[1.4.5.1],[hans.zandbelt@zmartzone.eu])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIR([m4])

src/http.c

@@ -923,6 +923,7 @@ static size_t oauth2_http_curl_buf_write(void *contents, size_t size,
 	memcpy(newptr, mem->memory, mem->size);
 	memcpy(&(newptr[mem->size]), contents, realsize);
 	mem->size += realsize;
+	oauth2_mem_free(mem->memory);
 	mem->memory = newptr;
 	mem->memory[mem->size] = 0;
 

src/oauth2.c

@@ -502,7 +502,9 @@ static bool _oauth2_metadata_verify_callback(oauth2_log_t *log,
 	char *response = NULL;
 	json_t *json_metadata = NULL, *json_jwks_uri = NULL,
 	       *json_introspection_endpoint;
-	const char *jwks_uri = NULL, *introspection_endpoint = NULL;
+	oauth2_jose_jwt_verify_ctx_t *jwks_uri_verify = NULL;
+	oauth2_introspect_ctx_t *introspect_ctx = NULL;
+	const char *jwks_uri = NULL, *introspection_uri = NULL;
 	char *peek = NULL;
 
 	if ((verify == NULL) || (verify->ctx == NULL) ||
@@ -538,12 +540,14 @@ static bool _oauth2_metadata_verify_callback(oauth2_log_t *log,
 			oauth2_warn(log, "\"jwks_uri\" value is not a string");
 		}
 	}
-
 	if (jwks_uri) {
+		// NB: need a copy because we're going to modify a static/shared config setting
+		jwks_uri_verify =
+		    oauth2_jose_jwt_verify_ctx_clone(log, ptr->jwks_uri_verify);
 		oauth2_cfg_endpoint_set_url(
-		    ptr->jwks_uri_verify->jwks_provider->jwks_uri->endpoint,
+		    jwks_uri_verify->jwks_provider->jwks_uri->endpoint,
 		    jwks_uri);
-		rc = oauth2_jose_jwt_verify(log, ptr->jwks_uri_verify, token,
+		rc = oauth2_jose_jwt_verify(log, jwks_uri_verify, token,
 					    json_payload, s_payload);
 		if (rc == true)
 			goto end;
@@ -555,7 +559,7 @@ static bool _oauth2_metadata_verify_callback(oauth2_log_t *log,
 	    json_object_get(json_metadata, "introspection_endpoint");
 	if (json_introspection_endpoint) {
 		if (json_is_string(json_introspection_endpoint)) {
-			introspection_endpoint =
+			introspection_uri =
 			    json_string_value(json_introspection_endpoint);
 		} else {
 			oauth2_warn(
@@ -564,10 +568,13 @@ static bool _oauth2_metadata_verify_callback(oauth2_log_t *log,
 		}
 	}
 
-	if (introspection_endpoint) {
-		oauth2_cfg_endpoint_set_url(ptr->introspect->endpoint,
-					    introspection_endpoint);
-		rc = _oauth2_introspect_verify(log, ptr->introspect, token,
+	if (introspection_uri) {
+		// NB: need a copy because we're going to modify a static/shared config setting
+		introspect_ctx =
+		    oauth2_introspect_ctx_clone(log, ptr->introspect);
+		oauth2_cfg_endpoint_set_url(introspect_ctx->endpoint,
+					    introspection_uri);
+		rc = _oauth2_introspect_verify(log, introspect_ctx, token,
 					       json_payload, s_payload);
 		if (rc == true)
 			goto end;
@@ -581,6 +588,10 @@ static bool _oauth2_metadata_verify_callback(oauth2_log_t *log,
 		json_decref(json_metadata);
 	if (response)
 		oauth2_mem_free(response);
+	if (jwks_uri_verify)
+		oauth2_jose_jwt_verify_ctx_free(log, jwks_uri_verify);
+	if (introspect_ctx)
+		oauth2_introspect_ctx_free(log, introspect_ctx);
 
 	return rc;
 }