fix merging top-level configured OIDCCryptoPassphrase into vhosts

zandbelt · zandbelt · commit 79fe9809d545 · 2026-01-29T18:15:33.000+01:00
that have not explicitly configured it; regression introduced in 2.4.19

Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+01/29/2026
+- fix merging top-level configured OIDCCryptoPassphrase into vhosts that have not explicitly configured it
+  regression introduced in 2.4.19
+
 01/28/2026
 - refresh: fix releasing the best effort distributed refresh lock immediately after refreshing
   the access token fails to avoid parallel requests queuing up and blocking threads; also
diff --git a/src/cfg/cfg.c b/src/cfg/cfg.c
@@ -783,7 +783,7 @@ void *oidc_cfg_server_create(apr_pool_t *pool, server_rec *svr) {
 	c->outgoing_proxy.username_password = NULL;
 	c->outgoing_proxy.auth_type = OIDC_CONFIG_POS_INT_UNSET;
 
-	c->crypto_passphrase.secret1 = oidc_util_rand_hex_str(NULL, pool, 32);
+	c->crypto_passphrase.secret1 = NULL;
 	c->crypto_passphrase.secret2 = NULL;
 
 	c->post_preserve_template = NULL;
diff --git a/src/cfg/cfg.h b/src/cfg/cfg.h
@@ -196,6 +196,7 @@ void oidc_cfg_child_init(apr_pool_t *pool, oidc_cfg_t *cfg, server_rec *s);
 void oidc_cfg_process_cleanup(oidc_cfg_t *cfg, server_rec *s);
 const char *oidc_cfg_string_list_add(apr_pool_t *pool, apr_array_header_t **list, const char *arg);
 const char *oidc_cfg_endpoint_auth_set(apr_pool_t *pool, oidc_cfg_t *cfg, const char *arg, char **auth, char **alg);
+void oidc_cfg_crypto_passphrase_secret1_set(oidc_cfg_t *cfg, const char *secret);
 
 #define OIDC_CFG_MEMBER_FUNC_NAME(member, type, method) oidc_##type##_##member##_##method
 
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -412,7 +412,7 @@ void oidc_request_state_json_set(request_rec *r, const char *key, json_t *value)
 	json_t *json = json_copy(value);
 
 	/* register a cleanup for the json object */
-	apr_pool_cleanup_register(r->pool, json, (apr_status_t (*)(void *))json_decref, apr_pool_cleanup_null);
+	apr_pool_cleanup_register(r->pool, json, (apr_status_t(*)(void *))json_decref, apr_pool_cleanup_null);
 
 	/* put the name/value pair in that hash table */
 	apr_hash_set(state, key, APR_HASH_KEY_STRING, json);
@@ -1563,10 +1563,8 @@ static int oidc_config_check_vhost_config(apr_pool_t *pool, server_rec *s) {
 
 	oidc_sdebug(s, "enter");
 
-	if (oidc_cfg_crypto_passphrase_secret1_get(cfg) == NULL) {
-		oidc_serror(s, "'" OIDCCryptoPassphrase "' must be set");
-		return HTTP_INTERNAL_SERVER_ERROR;
-	}
+	if (oidc_cfg_crypto_passphrase_secret1_get(cfg) == NULL)
+		oidc_cfg_crypto_passphrase_secret1_set(cfg, oidc_util_rand_hex_str(NULL, s->process->pool, 32));
 
 	if ((oidc_cfg_metadata_dir_get(cfg) != NULL) ||
 	    (oidc_cfg_provider_issuer_get(oidc_cfg_provider_get(cfg)) != NULL) ||
