2.4.19dev: drop support for Apache 2.2

bump to 2.4.19dev

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,5 +1,7 @@
 11/17/2025
 - metadata: avoid double-free when validation of provider metadata fails
+- drop support for Apache 2.2
+- bump to 2.4.19dev
 
 11/14/2025
 - test: add test/test_proto.c and migrate proto tests from test.c

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.18.2dev],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.19dev],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/cache/common.c

@@ -118,11 +118,7 @@ static apr_byte_t oidc_cache_mutex_global_create(server_rec *s, oidc_cache_mutex
 
 	/* need this on Linux */
 #ifdef AP_NEED_SET_MUTEX_PERMS
-#if MODULE_MAGIC_NUMBER_MAJOR >= 20081201
 	rv = ap_unixd_set_global_mutex_perms(m->gmutex);
-#else
-	rv = unixd_set_global_mutex_perms(m->gmutex);
-#endif
 	if (rv != APR_SUCCESS) {
 		oidc_serror(s, "unixd_set_global_mutex_perms failed; could not set permissions: %s (%d)",
 			    oidc_cache_status2str(s->process->pool, rv), rv);

src/cfg/cfg.h

@@ -141,9 +141,7 @@ typedef enum {
 #define OIDC_HTML_ERROR_TEMPLATE_DEPRECATED "deprecated"
 
 typedef struct oidc_apr_expr_t {
-#if HAVE_APACHE_24
 	ap_expr_info_t *expr;
-#endif
 	char *str;
 } oidc_apr_expr_t;
 

src/cfg/parse.c

@@ -530,44 +530,6 @@ const char *oidc_cfg_parse_action_on_error_refresh_as(apr_pool_t *pool, const ch
 	return oidc_cfg_parse_option(pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg, (int *)action);
 }
 
-#if !(HAVE_APACHE_24)
-static char *ap_get_exec_line(apr_pool_t *p, const char *cmd, const char *const *argv) {
-	char buf[MAX_STRING_LEN];
-	apr_procattr_t *procattr;
-	apr_proc_t *proc;
-	apr_file_t *fp;
-	apr_size_t nbytes = 1;
-	char c;
-	int k;
-
-	if (apr_procattr_create(&procattr, p) != APR_SUCCESS)
-		return NULL;
-	if (apr_procattr_io_set(procattr, APR_FULL_BLOCK, APR_FULL_BLOCK, APR_FULL_BLOCK) != APR_SUCCESS)
-		return NULL;
-	if (apr_procattr_dir_set(procattr, ap_make_dirstr_parent(p, cmd)) != APR_SUCCESS)
-		return NULL;
-	if (apr_procattr_cmdtype_set(procattr, APR_PROGRAM) != APR_SUCCESS)
-		return NULL;
-	proc = apr_pcalloc(p, sizeof(apr_proc_t));
-	if (apr_proc_create(proc, cmd, argv, NULL, procattr, p) != APR_SUCCESS)
-		return NULL;
-	fp = proc->out;
-
-	if (fp == NULL)
-		return NULL;
-	/* XXX: we are reading 1 byte at a time here */
-	for (k = 0; apr_file_read(fp, &c, &nbytes) == APR_SUCCESS && nbytes == 1 && (k < MAX_STRING_LEN - 1);) {
-		if (c == '\n' || c == '\r')
-			break;
-		buf[k++] = c;
-	}
-	buf[k] = '\0';
-	apr_file_close(fp);
-
-	return apr_pstrndup(p, buf, k);
-}
-#endif
-
 /*
  * set a string value in the server config with exec support
  */

src/const.h

@@ -110,8 +110,6 @@ static inline int _oidc_str_to_int(const char *s, const int default_value) {
 #define snprintf _snprintf
 #endif
 
-#define HAVE_APACHE_24 MODULE_MAGIC_NUMBER_MAJOR >= 20100714
-
 #ifndef OIDC_DEBUG
 #define OIDC_DEBUG APLOG_DEBUG
 #endif

src/handle/authz.c

@@ -448,8 +448,6 @@ static apr_byte_t oidc_authz_skip_to_content_handler(request_rec *r) {
 	return FALSE;
 }
 
-#if HAVE_APACHE_24
-
 /*
  * Apache >=2.4 authorization routine: match the claims from the authenticated user against the Require primitive
  */
@@ -635,192 +633,3 @@ authz_status oidc_authz_24_checker_claims_expr(request_rec *r, const char *requi
 	return oidc_authz_24_checker(r, require_args, parsed_require_args, oidc_authz_match_claims_expr);
 }
 #endif
-
-#else
-
-/*
- * Apache <2.4 authorization routine: match the claims from the authenticated user against the Require primitive
- */
-static int oidc_authz_22_worker(request_rec *r, json_t *claims, const require_line *const reqs, int nelts) {
-	const int m = r->method_number;
-	const char *token;
-	const char *requirement;
-	int i;
-	int have_oauthattr = 0;
-	int count_oauth_claims = 0;
-	oidc_authz_match_claim_fn_type match_claim_fn = NULL;
-
-	/* go through applicable Require directives */
-	for (i = 0; i < nelts; ++i) {
-
-		/* ignore this Require if it's in a <Limit> section that exclude this method */
-		if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) {
-			continue;
-		}
-
-		/* ignore if it's not a "Require claim ..." */
-		requirement = reqs[i].requirement;
-
-		token = ap_getword_white(r->pool, &requirement);
-
-		/* see if we've got anything meant for us */
-		if (_oidc_strnatcasecmp(token, OIDC_REQUIRE_CLAIM_NAME) == 0) {
-			match_claim_fn = oidc_authz_match_claim;
-#ifdef USE_LIBJQ
-		} else if (_oidc_strnatcasecmp(token, OIDC_REQUIRE_CLAIMS_EXPR_NAME) == 0) {
-			match_claim_fn = oidc_authz_match_claims_expr;
-#endif
-		} else {
-			continue;
-		}
-
-		/* ok, we have a "Require claim/claims_expr" to satisfy */
-		have_oauthattr = 1;
-
-		/*
-		 * If we have an applicable claim, but no claims were sent in the request, then we can
-		 * just stop looking here, because it's not satisfiable. The code after this loop will
-		 * give the appropriate response.
-		 */
-		if (!claims) {
-			break;
-		}
-
-		/*
-		 * iterate over the claim specification strings in this require directive searching
-		 * for a specification that matches one of the claims/expressions.
-		 */
-		while (*requirement) {
-			token = ap_getword_conf(r->pool, &requirement);
-			count_oauth_claims++;
-
-			oidc_debug(r, "evaluating claim/expr specification: %s", token);
-
-			if (match_claim_fn(r, token, claims) == TRUE) {
-
-				/* if *any* claim matches, then authorization has succeeded and all of the others are
-				 * ignored */
-				oidc_debug(r, "require claim/expr '%s' matched", token);
-				return OK;
-			}
-		}
-
-		oidc_authz_error_add(r, requirement);
-	}
-
-	/* if there weren't any "Require claim" directives, we're irrelevant */
-	if (!have_oauthattr) {
-		oidc_debug(r, "no claim/expr statements found, not performing authz");
-		return DECLINED;
-	}
-	/* if there was a "Require claim", but no actual claims, that's cause to warn the admin of an iffy configuration
-	 */
-	if (count_oauth_claims == 0) {
-		oidc_warn(r, "'require claim/expr' missing specification(s) in configuration, declining");
-		return DECLINED;
-	}
-
-	/* log the event, also in Apache speak */
-	oidc_debug(r, "authorization denied for require claims (0/%d): '%s'", nelts,
-		   nelts > 0 ? reqs[0].requirement : "(none)");
-
-	ap_note_auth_failure(r);
-
-	return HTTP_UNAUTHORIZED;
-}
-
-/*
- * find out which action we need to take when encountering an unauthorized request
- */
-static int oidc_authz_22_unauthorized_user(request_rec *r) {
-
-	oidc_cfg_t *c = ap_get_module_config(r->server->module_config, &auth_openidc_module);
-
-	if (_oidc_strnatcasecmp((const char *)ap_auth_type(r), OIDC_AUTH_TYPE_OPENID_OAUTH20) == 0) {
-		OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHZ_ERROR_OAUTH20);
-		oidc_proto_return_www_authenticate(r, "insufficient_scope",
-						   "Different scope(s) or other claims required");
-		return HTTP_UNAUTHORIZED;
-	}
-
-	/* see if we've configured OIDCUnAutzAction for this path */
-	switch (oidc_cfg_dir_unautz_action_get(r)) {
-	case OIDC_UNAUTZ_RETURN403:
-		OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHZ_ACTION_403);
-		if (oidc_cfg_dir_unauthz_arg_get(r))
-			oidc_util_html_send(r, "Authorization Error", NULL, NULL, oidc_cfg_dir_unauthz_arg_get(r),
-					    HTTP_FORBIDDEN);
-		return HTTP_FORBIDDEN;
-	case OIDC_UNAUTZ_RETURN401:
-		OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHZ_ACTION_401);
-		if (oidc_cfg_dir_unauthz_arg_get(r))
-			oidc_util_html_send(r, "Authorization Error", NULL, NULL, oidc_cfg_dir_unauthz_arg_get(r),
-					    HTTP_UNAUTHORIZED);
-		return HTTP_UNAUTHORIZED;
-	case OIDC_UNAUTZ_RETURN302:
-		OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHZ_ACTION_302);
-		oidc_http_hdr_out_location_set(r, oidc_cfg_dir_unauthz_arg_get(r));
-		return HTTP_MOVED_TEMPORARILY;
-	case OIDC_UNAUTZ_AUTHENTICATE:
-		/*
-		 * exception handling: if this looks like a XMLHttpRequest call we
-		 * won't redirect the user and thus avoid creating a state cookie
-		 * for a non-browser (= Javascript) call that will never return from the OP
-		 */
-		if (oidc_is_auth_capable_request(r) == FALSE) {
-			OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHZ_ACTION_401);
-			return HTTP_UNAUTHORIZED;
-		}
-
-		OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHZ_ACTION_AUTH);
-	}
-
-	return oidc_request_authenticate_user(r, c, NULL, oidc_util_url_cur(r, oidc_cfg_x_forwarded_headers_get(c)),
-					      NULL, NULL, NULL, oidc_cfg_dir_path_auth_request_params_get(r),
-					      oidc_cfg_dir_path_scope_get(r));
-}
-
-/*
- * generic Apache <2.4 authorization hook for this module
- * handles both OpenID Connect and OAuth 2.0 in the same way, based on the claims stored in the request context
- */
-int oidc_authz_22_checker(request_rec *r) {
-
-	/* check for anonymous access and PASS mode */
-	if ((r->user != NULL) && (_oidc_strlen(r->user) == 0)) {
-		r->user = NULL;
-		if (oidc_cfg_dir_unauth_action_get(r) == OIDC_UNAUTH_PASS)
-			return OK;
-		if (oidc_authz_skip_to_content_handler(r) == TRUE)
-			return OK;
-		if (r->method_number == M_OPTIONS)
-			return OK;
-	}
-
-	/* get the set of claims from the request state (they've been set in the authentication part earlier */
-	json_t *claims = oidc_authz_merge_claims(r);
-
-	/* get the Require statements */
-	const apr_array_header_t *const reqs_arr = ap_requires(r);
-
-	/* see if we have any */
-	const require_line *const reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
-	if (!reqs_arr) {
-		oidc_debug(r, "no require statements found, so declining to perform authorization.");
-		return DECLINED;
-	}
-
-	/* dispatch to the <2.4 specific authz routine */
-	int rc = oidc_authz_22_worker(r, claims, reqs, reqs_arr->nelts);
-
-	/* cleanup */
-	if (claims)
-		json_decref(claims);
-
-	if ((rc == HTTP_UNAUTHORIZED) && ap_auth_type(r))
-		rc = oidc_authz_22_unauthorized_user(r);
-
-	return rc;
-}
-
-#endif

src/handle/handle.h

@@ -60,17 +60,13 @@
 #endif
 typedef apr_byte_t (*oidc_authz_match_claim_fn_type)(request_rec *, const char *const, json_t *);
 apr_byte_t oidc_authz_match_claim(request_rec *r, const char *const attr_spec, json_t *claims);
-#if HAVE_APACHE_24
 #ifdef USE_LIBJQ
 authz_status oidc_authz_24_checker_claims_expr(request_rec *r, const char *require_args,
 					       const void *parsed_require_args);
 #endif
 authz_status oidc_authz_24_checker_claim(request_rec *r, const char *require_args, const void *parsed_require_args);
 authz_status oidc_authz_24_worker(request_rec *r, json_t *claims, const char *require_args,
 				  const void *parsed_require_args, oidc_authz_match_claim_fn_type match_claim_fn);
-#else
-int oidc_authz_22_checker(request_rec *r);
-#endif
 
 // content.c
 int oidc_content_handler(request_rec *r);

src/mod_auth_openidc.c

@@ -1769,8 +1769,6 @@ static int oidc_post_config(apr_pool_t *pool, apr_pool_t *p1, apr_pool_t *p2, se
 	return oidc_config_check_merged_vhost_configs(pool, s);
 }
 
-#if HAVE_APACHE_24
-
 /*
  * parse an Apache expression in the configured require value
  */
@@ -1799,8 +1797,6 @@ static const authz_provider oidc_authz_claims_expr_provider = {
 };
 #endif
 
-#endif
-
 /*
  * initialize cache context in child process if required
  */
@@ -1923,19 +1919,13 @@ static void oidc_register_hooks(apr_pool_t *pool) {
 	ap_hook_handler(oidc_content_handler, NULL, proxySucc, APR_HOOK_FIRST);
 	ap_hook_insert_filter(oidc_filter_in_insert_filter, NULL, NULL, APR_HOOK_MIDDLE);
 	ap_register_input_filter(oidcFilterName, oidc_filter_in_filter, NULL, AP_FTYPE_RESOURCE);
-#if HAVE_APACHE_24
 	ap_hook_check_authn(oidc_check_user_id, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
 	ap_register_auth_provider(pool, AUTHZ_PROVIDER_GROUP, OIDC_REQUIRE_CLAIM_NAME, "0", &oidc_authz_claim_provider,
 				  AP_AUTH_INTERNAL_PER_CONF);
 #ifdef USE_LIBJQ
 	ap_register_auth_provider(pool, AUTHZ_PROVIDER_GROUP, OIDC_REQUIRE_CLAIMS_EXPR_NAME, "0",
 				  &oidc_authz_claims_expr_provider, AP_AUTH_INTERNAL_PER_CONF);
 #endif
-#else
-	static const char *const authzSucc[] = {"mod_authz_user.c", NULL};
-	ap_hook_check_user_id(oidc_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
-	ap_hook_auth_checker(oidc_authz_22_checker, NULL, authzSucc, APR_HOOK_MIDDLE);
-#endif
 }
 
 // clang-format off

src/util/expr.c

@@ -132,7 +132,6 @@ char *oidc_util_apr_expr_parse(cmd_parms *cmd, const char *str, oidc_apr_expr_t
 		return NULL;
 	*expr = apr_pcalloc(cmd->pool, sizeof(oidc_apr_expr_t));
 	(*expr)->str = apr_pstrdup(cmd->pool, str);
-#if HAVE_APACHE_24
 	const char *expr_err = NULL;
 	unsigned int flags = AP_EXPR_FLAG_DONT_VARY & AP_EXPR_FLAG_RESTRICTED;
 	if (result_is_str)
@@ -142,7 +141,6 @@ char *oidc_util_apr_expr_parse(cmd_parms *cmd, const char *str, oidc_apr_expr_t
 		rv = apr_pstrcat(cmd->temp_pool, "cannot parse expression: ", expr_err, NULL);
 		*expr = NULL;
 	}
-#endif
 	return rv;
 }
 
@@ -153,7 +151,6 @@ const char *oidc_util_apr_expr_exec(request_rec *r, const oidc_apr_expr_t *expr,
 	const char *expr_result = NULL;
 	if (expr == NULL)
 		return NULL;
-#if HAVE_APACHE_24
 	const char *expr_err = NULL;
 	if (result_is_str) {
 		expr_result = ap_expr_str_exec(r, expr->expr, &expr_err);
@@ -164,8 +161,5 @@ const char *oidc_util_apr_expr_exec(request_rec *r, const oidc_apr_expr_t *expr,
 		oidc_error(r, "executing expression \"%s\" failed: %s", expr->str, expr_err);
 		expr_result = NULL;
 	}
-#else
-	expr_result = expr->str;
-#endif
 	return expr_result;
 }