merge in pconf mem handling of config

Author: brandonk10

ChangeLog

@@ -1,3 +1,38 @@
+01/03/2026
+- test: fix long int test in test_util.c so that it fits within a 32bit long int size; see #1375; thanks @moschlar
+- update copyright year to 2026
+
+12/13/2025
+- oauth: fix segfault when using OIDCOAuthVerifySharedKeys, regression since 2.4.16; closes #1373; thanks @contryboy
+
+12/08/2025
+- jwk: fix parsi8ng RSA JWKs with only an "x5c" parameter (i.e. no "n" and "e")
+- bump to 2.4.19.1dev
+
+12/01/2025
+- release 2.4.19
+
+11/23/2025
+- init: refactor pconf pool memory allocation handling
+  avoid increasing memory (pool) consumption over graceful restarts
+
+11/19/2025
+- request: set the OIDC_ERROR variables when PAR is configured but not enabled by the Provider
+
+11/18/2025
+- id_token: add "off" option to OIDCPassIDTokenAs so no claims from the ID token will be passed on
+- passphrase: generate a crypto key when OIDCCryptoPassphrase is not set
+
+11/17/2025
+- metadata: avoid double-free when validation of provider metadata fails
+- perf: store id_token/userinfo claims as JSON objects and avoid parsing/serializing overhead
+  which results in up to 7% performance increase, depending on the number of claims stored
+- session/cookie: save 20-40 bytes on the session and client-cookie size
+  NB: the internal session format has changed and is backwards incompatible: existing sessions and cookies will be invalid
+- response: avoid proto state memory leaks upon errors in response processing
+- drop support for Apache 2.2
+- bump to 2.4.19dev
+
 11/14/2025
 - test: add test/test_proto.c and migrate proto tests from test.c
 
@@ -9,7 +44,7 @@
 - test: test/Makefile.am refactor check programs
 
 11/07/2025
-- support individual SameSite cookie settings on the session cookie, state cookie and Discovery CSRF
+- cookie: support individual SameSite cookie settings on the session cookie, state cookie and Discovery CSRF
   cookie by adding 2 more arguments to OIDCCookieSameSite
 - code: avoid compiler warnings on `curl_easy_setopt` in http.c
   http.c:612:16: warning: call to '_curl_easy_setopt_err_long' declared with attribute warning: curl_easy_setopt expects a long argument [-Wattribute-warning]

Makefile.am

@@ -11,7 +11,7 @@ EXTRA_DIST = \
 	auth_openidc.conf
 
 clang-format:
-	clang-format -style=file -i $$(find . -maxdepth 3 -name *.[ch])
+	clang-format -style=file -i $$(find . -maxdepth 3 -name \*\.[ch])
 
 valgrind check-code-coverage: check
 	${MAKE} -C test $@

README.md

@@ -41,7 +41,7 @@ How to Use It
 
 1. install and load `mod_auth_openidc.so` in your Apache server
 1. set `OIDCRedirectURI` to a "vanity" URL within a location that is protected by mod_auth_openidc
-1. configure a random password in `OIDCCryptoPassphrase` for session/state encryption purposes
+
 1. configure `OIDCProviderMetadataURL` so it points to the Discovery metadata of your OpenID Connect Provider served on the `.well-known/openid-configuration` endpoint
 1. register/generate a Client identifier and a secret with the OpenID Connect Provider and configure those in `OIDCClientID` and `OIDCClientSecret` respectively
 1. register the `OIDCRedirectURI` configured above as the Redirect or Callback URI for your client at the Provider
@@ -53,7 +53,6 @@ LoadModule auth_openidc_module modules/mod_auth_openidc.so
 
 # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
 OIDCRedirectURI https://<hostname>/secure/redirect_uri
-OIDCCryptoPassphrase <password>
 
 OIDCProviderMetadataURL <issuer>/.well-known/openid-configuration
 OIDCClientID <client_id>

auth_openidc.conf

@@ -12,7 +12,7 @@
 # support multiple vhosts that belong to the same security domain in a dynamic way
 #OIDCRedirectURI https://www.example.com/protected/redirect_uri
 
-# (Mandatory)
+# (Optional, but required if sessions need to be preserved across server restarts or shared across a cluster)
 # Set a password for crypto purposes, this is used for:
 # - encryption of the (temporary) state cookie
 # - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType
@@ -27,6 +27,7 @@
 # will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined),
 # both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should
 # (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. old) passprase again.
+# When not specified, a random passphrase will be generated at server start time.
 #OIDCCryptoPassphrase [ <passphrase> | "exec:/path/to/otherProgram arg1" ] [ <previous-passphrase> | "exec:/path/to/otherProgram arg2" ]
 
 #
@@ -849,10 +850,11 @@
 # "claims" :     the claims in the id_token are passed in individual headers/environment variables
 # "payload" :    the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
 # "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
+# "off" :        no id_token information is passed (overrides other options)
 # Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie (unless explicitly
 # configured to do so) and as such the header for the "serialized" option will not be set.
 # Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.. 
-#OIDCPassIDTokenAs [claims|payload|serialized]+
+#OIDCPassIDTokenAs [claims|payload|serialized|off]+
 
 # Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs.
 # Must be one or several of:
@@ -1032,8 +1034,13 @@
 # The default is to use internal templates
 #OIDCPreservePostTemplates <preserve-template-filepath> <restore-template-filepath>
 
-# Indicates whether the access token and access token expiry will be passed to the application in a header/environment variable, according
-# to the OIDCPassClaimsAs directive.
+# Indicates whether the access token, the access token type, the access token expiry and
+# the scope returned from the token endpoint will be passed to the application in header/environment
+# variables, according to the OIDCPassClaimsAs directive, respectively:
+#   OIDC_access_token
+#   OIDC_access_token_type
+#   OIDC_access_token_expires
+#	OIDC_scope
 # Can be configured on a per Directory/Location basis. The default is "On".
 #OIDCPassAccessToken [On|Off]
 #

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.18.2dev],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.19.1dev],[hans.zandbelt@openidc.com])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/cache/cache.h

@@ -18,7 +18,7 @@
  */
 
 /***************************************************************************
- * Copyright (C) 2017-2025 ZmartZone Holding BV
+ * Copyright (C) 2017-2026 ZmartZone Holding BV
  * Copyright (C) 2013-2017 Ping Identity Corporation
  * All rights reserved.
  *
@@ -59,12 +59,12 @@
 #define OIDC_CACHE_KEY_SIZE_MAX 512
 
 typedef void *(*oidc_cache_cfg_create)(apr_pool_t *pool);
-typedef int (*oidc_cache_post_config_function)(server_rec *s);
+typedef int (*oidc_cache_post_config_function)(apr_pool_t *pool, server_rec *s);
 typedef int (*oidc_cache_child_init_function)(apr_pool_t *p, server_rec *s);
 typedef apr_byte_t (*oidc_cache_get_function)(request_rec *r, const char *section, const char *key, char **value);
 typedef apr_byte_t (*oidc_cache_set_function)(request_rec *r, const char *section, const char *key, const char *value,
 					      apr_time_t expiry);
-typedef int (*oidc_cache_destroy_function)(server_rec *s);
+typedef int (*oidc_cache_destroy_function)(apr_pool_t *pool, server_rec *s);
 
 typedef struct oidc_cache_t {
 	const char *name;
@@ -86,7 +86,7 @@ typedef struct oidc_cache_mutex_t {
 
 oidc_cache_mutex_t *oidc_cache_mutex_create(apr_pool_t *pool, apr_byte_t global);
 char *oidc_cache_status2str(apr_pool_t *p, apr_status_t statcode);
-apr_byte_t oidc_cache_mutex_post_config(server_rec *s, oidc_cache_mutex_t *m, const char *type);
+apr_byte_t oidc_cache_mutex_post_config(apr_pool_t *pool, server_rec *s, oidc_cache_mutex_t *m, const char *type);
 apr_status_t oidc_cache_mutex_child_init(apr_pool_t *p, server_rec *s, oidc_cache_mutex_t *m);
 apr_byte_t oidc_cache_mutex_lock(apr_pool_t *pool, server_rec *s, oidc_cache_mutex_t *m);
 apr_byte_t oidc_cache_mutex_unlock(apr_pool_t *pool, server_rec *s, oidc_cache_mutex_t *m);

src/cache/common.c

@@ -18,7 +18,7 @@
  */
 
 /***************************************************************************
- * Copyright (C) 2017-2025 ZmartZone Holding BV
+ * Copyright (C) 2017-2026 ZmartZone Holding BV
  * Copyright (C) 2013-2017 Ping Identity Corporation
  * All rights reserved.
  *
@@ -80,21 +80,25 @@ char *oidc_cache_status2str(apr_pool_t *p, apr_status_t statcode) {
 	return apr_pstrdup(p, buf);
 }
 
-static apr_byte_t oidc_cache_mutex_global_create(server_rec *s, oidc_cache_mutex_t *m, const char *type) {
+/*
+ * create a server-wide mutex
+ */
+static apr_byte_t oidc_cache_mutex_global_create(apr_pool_t *pool, server_rec *s, oidc_cache_mutex_t *m,
+						 const char *type) {
 
 	apr_status_t rv = APR_SUCCESS;
 	const char *dir;
 
 	/* construct the mutex filename */
-	rv = apr_temp_dir_get(&dir, s->process->pool);
+	rv = apr_temp_dir_get(&dir, pool);
 	if (rv != APR_SUCCESS) {
 		oidc_serror(s, "apr_temp_dir_get failed: could not find a temp dir: %s",
-			    oidc_cache_status2str(s->process->pool, rv));
+			    oidc_cache_status2str(pool, rv));
 		return FALSE;
 	}
 
 	m->mutex_filename =
-	    apr_psprintf(s->process->pool, "%s/mod_auth_openidc_%s_mutex.%ld.%pp", dir, type, (long int)getpid(), s);
+	    apr_psprintf(pool, "%s/mod_auth_openidc_%s_mutex.%ld.%pp", dir, type, (long int)getpid(), s);
 
 	/* set the lock type */
 	apr_lockmech_e mech =
@@ -107,25 +111,60 @@ static apr_byte_t oidc_cache_mutex_global_create(server_rec *s, oidc_cache_mutex
 #endif
 	    ;
 
+	// TODO: need to allocate this on the server process pool to avoid crashes on
+	//       oidc_cache_mutex_unlock at shutdown time on graceful restarts
+	//       and test/helper.c shutdown; is it because libapr cleaned it up before us?
+
+	/*
+	 * ==54== Invalid read of size 4
+	 * ==54==    at 0x4A1C1D0: sem_post@@GLIBC_2.34 (sem_post.c:35)
+	 * ==54==    by 0x49626F7: ??? (in /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.5)
+	 * ==54==    by 0x4962065: apr_global_mutex_unlock (in /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.5)
+	 * ==54==    by 0x5A40F9B: oidc_cache_mutex_unlock (common.c:259)
+	 * ==54==    by 0x5A3FF51: oidc_cache_shm_destroy (shm.c:334)
+	 * ==54==    by 0x5A33F53: oidc_cfg_server_destroy (cfg.c:700)
+	 * ==54==    by 0x4964A4D: apr_pool_destroy (in /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.5)
+	 * ==54==    by 0x4964A2C: apr_pool_destroy (in /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.5)
+	 * ==54==    by 0x142767: ??? (in /usr/sbin/apache2)
+	 * ==54==    by 0x14223A: main (in /usr/sbin/apache2)
+	 * ==54==  Address 0x5abb008 is not stack'd, malloc'd or (recently) free'd
+	 */
+
+	// could it be related  to the remaining valgrind report on possibly lost memory: ?
+
+	/*
+	 * ==73== 24 bytes in 1 blocks are possibly lost in loss record 39 of 176
+	 * ==73==    at 0x4844818: malloc (vg_replace_malloc.c:446)
+	 * ==73==    by 0x4A91765: __tsearch (tsearch.c:337)
+	 * ==73==    by 0x4A91765: tsearch (tsearch.c:290)
+	 * ==73==    by 0x4A1C4E5: __sem_check_add_mapping (sem_routines.c:121)
+	 * ==73==    by 0x4A1C1A0: sem_open@@GLIBC_2.34 (sem_open.c:195)
+	 * ==73==    by 0x49622BF: ??? (in /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.5)
+	 * ==73==    by 0x49633D9: apr_proc_mutex_create (in /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.5)
+	 * ==73==    by 0x4961E8C: apr_global_mutex_create (in /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.5)
+	 * ==73==    by 0x5A27AD3: oidc_cache_mutex_global_create (common.c:116)
+	 * ==73==    by 0x5A27AD3: oidc_cache_mutex_post_config (common.c:144)
+	 * ==73==    by 0x5A2750D: oidc_cache_shm_post_config (shm.c:111)
+	 * ==73==    by 0x5A1D66E: oidc_cfg_post_config (cfg.c:1009)
+	 * ==73==    by 0x5A15F9C: oidc_post_config (mod_auth_openidc.c:1762)
+	 * ==73==    by 0x16B2C3: ap_run_post_config (in /usr/sbin/apache2)
+	 */
+
 	/* create the mutex lock */
 	rv = apr_global_mutex_create(&m->gmutex, (const char *)m->mutex_filename, mech, s->process->pool);
 
 	if (rv != APR_SUCCESS) {
 		oidc_serror(s, "apr_global_mutex_create failed to create mutex (%d) on file %s: %s (%d)", mech,
-			    m->mutex_filename, oidc_cache_status2str(s->process->pool, rv), rv);
+			    m->mutex_filename, oidc_cache_status2str(pool, rv), rv);
 		return FALSE;
 	}
 
 	/* need this on Linux */
 #ifdef AP_NEED_SET_MUTEX_PERMS
-#if MODULE_MAGIC_NUMBER_MAJOR >= 20081201
 	rv = ap_unixd_set_global_mutex_perms(m->gmutex);
-#else
-	rv = unixd_set_global_mutex_perms(m->gmutex);
-#endif
 	if (rv != APR_SUCCESS) {
 		oidc_serror(s, "unixd_set_global_mutex_perms failed; could not set permissions: %s (%d)",
-			    oidc_cache_status2str(s->process->pool, rv), rv);
+			    oidc_cache_status2str(pool, rv), rv);
 		return FALSE;
 	}
 #endif
@@ -135,21 +174,29 @@ static apr_byte_t oidc_cache_mutex_global_create(server_rec *s, oidc_cache_mutex
 	return TRUE;
 }
 
-apr_byte_t oidc_cache_mutex_post_config(server_rec *s, oidc_cache_mutex_t *m, const char *type) {
-
+/*
+ * initialize a server- or process-wide mutex
+ */
+apr_byte_t oidc_cache_mutex_post_config(apr_pool_t *pool, server_rec *s, oidc_cache_mutex_t *m, const char *type) {
+	apr_byte_t rc = TRUE;
 	apr_status_t rv = APR_SUCCESS;
 
-	if (m->is_global)
-		return oidc_cache_mutex_global_create(s, m, type);
+	if (m->is_global) {
+		rc = oidc_cache_mutex_global_create(pool, s, m, type);
+		goto end;
+	}
 
+	// NB: see note above at apr_global_mutex_create on the use of s->process->pool
 	rv = apr_thread_mutex_create(&m->tmutex, APR_THREAD_MUTEX_DEFAULT, s->process->pool);
 	if (rv != APR_SUCCESS) {
-		oidc_serror(s, "apr_thread_mutex_create failed: %s (%d)", oidc_cache_status2str(s->process->pool, rv),
-			    rv);
-		return FALSE;
+		oidc_serror(s, "apr_thread_mutex_create failed: %s (%d)", oidc_cache_status2str(pool, rv), rv);
+		rc = FALSE;
+		goto end;
 	}
 
-	return TRUE;
+end:
+
+	return rc;
 }
 
 /*
@@ -252,7 +299,7 @@ static inline apr_byte_t oidc_cache_crypto_encrypt(request_rec *r, const char *p
 /*
  * AES GCM decrypt using the crypto passphrase as symmetric key
  */
-static inline apr_byte_t oidc_cache_crypto_decrypt(request_rec *r, const char *cache_value, char *secret,
+static inline apr_byte_t oidc_cache_crypto_decrypt(request_rec *r, const char *cache_value, const char *secret,
 						   char **plaintext) {
 	oidc_crypto_passphrase_t passphrase;
 	passphrase.secret1 = secret;
@@ -313,12 +360,12 @@ apr_byte_t oidc_cache_get(request_rec *r, const char *section, const char *key,
 	char *msg = NULL;
 	const char *s_key = NULL;
 	char *cache_value = NULL;
-	char *s_secret = NULL;
+	const char *s_secret = NULL;
 	const char *s_section = oidc_cache_section_get(r, section);
 
 	oidc_debug(r, "enter: %s (section=%s, decrypt=%d, type=%s)", key, s_section, encrypted, cfg->cache.impl->name);
 
-	s_secret = cfg->crypto_passphrase.secret1;
+	s_secret = oidc_cfg_crypto_passphrase_secret1_get(cfg);
 	if (oidc_cache_get_key(r, key, s_secret, encrypted, &s_key) == FALSE)
 		goto end;
 
@@ -329,9 +376,9 @@ apr_byte_t oidc_cache_get(request_rec *r, const char *section, const char *key,
 		goto end;
 
 	/* see if it is any good */
-	if ((cache_value == NULL) && (encrypted == 1) && (cfg->crypto_passphrase.secret2 != NULL)) {
+	if ((cache_value == NULL) && (encrypted == 1) && (oidc_cfg_crypto_passphrase_secret2_get(cfg) != NULL)) {
 		oidc_debug(r, "2nd try with previous passphrase");
-		s_secret = cfg->crypto_passphrase.secret2;
+		s_secret = oidc_cfg_crypto_passphrase_secret2_get(cfg);
 		if (oidc_cache_get_key(r, key, s_secret, encrypted, &s_key) == FALSE)
 			goto end;
 		if (cfg->cache.impl->get(r, s_section, s_key, &cache_value) == FALSE)
@@ -389,12 +436,12 @@ apr_byte_t oidc_cache_set(request_rec *r, const char *section, const char *key,
 		   value ? (int)_oidc_strlen(value) : 0, encrypted, apr_time_sec(expiry - apr_time_now()),
 		   cfg->cache.impl->name);
 
-	if (oidc_cache_get_key(r, key, cfg->crypto_passphrase.secret1, encrypted, &s_key) == FALSE)
+	if (oidc_cache_get_key(r, key, oidc_cfg_crypto_passphrase_secret1_get(cfg), encrypted, &s_key) == FALSE)
 		goto end;
 
 	/* see if we need to encrypt */
 	if ((encrypted == 1) && (value != NULL)) {
-		if (oidc_cache_crypto_encrypt(r, value, &cfg->crypto_passphrase, &encoded) == FALSE)
+		if (oidc_cache_crypto_encrypt(r, value, oidc_cfg_crypto_passphrase_get(cfg), &encoded) == FALSE)
 			goto end;
 		value = encoded;
 	}

src/cache/file.c

@@ -18,7 +18,7 @@
  */
 
 /***************************************************************************
- * Copyright (C) 2017-2025 ZmartZone Holding BV
+ * Copyright (C) 2017-2026 ZmartZone Holding BV
  * Copyright (C) 2013-2017 Ping Identity Corporation
  * All rights reserved.
  *
@@ -63,15 +63,15 @@ typedef struct {
 #define OIDC_CACHE_FILE_PREFIX "mod-auth-openidc-"
 
 /* post config routine */
-int oidc_cache_file_post_config(server_rec *s) {
+int oidc_cache_file_post_config(apr_pool_t *pool, server_rec *s) {
 	apr_status_t rv = APR_SUCCESS;
 	oidc_cfg_t *cfg = (oidc_cfg_t *)ap_get_module_config(s->module_config, &auth_openidc_module);
 	if (cfg->cache.file_dir == NULL) {
 		/* by default we'll use the OS specified /tmp dir for cache files */
-		rv = apr_temp_dir_get((const char **)&cfg->cache.file_dir, s->process->pool);
+		rv = apr_temp_dir_get((const char **)&cfg->cache.file_dir, pool);
 		if (rv != APR_SUCCESS) {
 			oidc_serror(s, "apr_temp_dir_get failed: could not find a temp dir: %s",
-				    oidc_cache_status2str(s->process->pool, rv));
+				    oidc_cache_status2str(pool, rv));
 			return HTTP_INTERNAL_SERVER_ERROR;
 		}
 	}