* [gentoo-commits] repo/gentoo:master commit in: www-apache/mod_auth_kerb/, www-apache/mod_auth_kerb/files/
@ 2017-10-15 12:36 Michał Górny
0 siblings, 0 replies; 4+ messages in thread
From: Michał Górny @ 2017-10-15 12:36 UTC (permalink / raw
To: gentoo-commits
commit: bbc26ed7549d91670a993e6208d98eebdc6c2ade
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 15 11:40:11 2017 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sun Oct 15 12:35:55 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbc26ed7
www-apache/mod_auth_kerb: Move patches to a dist tarball
Closes: https://bugs.gentoo.org/620644
www-apache/mod_auth_kerb/Manifest | 1 +
.../files/mod_auth_kerb-5.4-cachedir.patch | 15 -
.../files/mod_auth_kerb-5.4-delegation.patch | 68 ---
.../files/mod_auth_kerb-5.4-fixes.patch | 40 --
.../files/mod_auth_kerb-5.4-handle-continue.patch | 20 -
.../files/mod_auth_kerb-5.4-heimdal.patch | 10 -
.../files/mod_auth_kerb-5.4-httpd24.patch | 75 ---
.../files/mod_auth_kerb-5.4-longuser.patch | 31 --
.../files/mod_auth_kerb-5.4-rcopshack.patch | 73 ---
.../files/mod_auth_kerb-5.4-s4u2proxy.patch | 601 ---------------------
.../mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild | 21 +-
11 files changed, 12 insertions(+), 943 deletions(-)
diff --git a/www-apache/mod_auth_kerb/Manifest b/www-apache/mod_auth_kerb/Manifest
index 2d942c7502e..772f8adc7b7 100644
--- a/www-apache/mod_auth_kerb/Manifest
+++ b/www-apache/mod_auth_kerb/Manifest
@@ -1 +1,2 @@
+DIST mod_auth_kerb-5.4-gentoo-patchset.tar.bz2 8717 SHA256 bc0445e337c88906bd254c26726ad3a1e45e613cf2058b402c944209550d9160 SHA512 3909c2677b30790cc17c0d8843feaa00d9acd14a012672443a887c0e88473d6b1572ba045e1491bcab53cbacff193c11cfe15e63ef1046cfcdf1f4ab60e0ac57 WHIRLPOOL 27bcb65e03d5148861a806f0bbb29550e8ab06145281fdf09064328be12a6c2242d46d3e69042be2b2ee6f17198acbdc3ec6c3709ea4341c08e4cc12fe1f4492
DIST mod_auth_kerb-5.4.tar.gz 93033 SHA256 690ddd66c6d941e2fa2dada46588329a6f57d0a3b9b2fd9bf055ebc427558265 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214 WHIRLPOOL 1b92217b7cf66d731a72cf9d58f188002ccadd75fc3d9075290347e6b4f1511111d3cff147fab73616951cbdb9430e8038adf5c4e204d374886bec3be69ff51c
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch
deleted file mode 100644
index ebc435824c4..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-
-Per https://bugzilla.redhat.com//show_bug.cgi?id=796430
-switch the cache dir to be relative to runtimedir.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.cachedir
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -891,7 +891,7 @@ create_krb5_ccache(krb5_context kcontext
- int ret;
- krb5_ccache tmp_ccache = NULL;
-
-- ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
-+ ccname = apr_pstrdup(r->connection->pool, "FILE:/run/httpd/krbcache/krb5cc_apache_XXXXXX");
- fd = mkstemp(ccname + strlen("FILE:"));
- if (fd < 0) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch
deleted file mode 100644
index a01e9f21e43..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=688210
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.delegation
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -209,6 +209,7 @@ typedef struct krb5_conn_data {
- char *authline;
- char *user;
- char *mech;
-+ char *ccname;
- int last_return;
- } krb5_conn_data;
-
-@@ -875,7 +876,7 @@ create_krb5_ccache(krb5_context kcontext
- int ret;
- krb5_ccache tmp_ccache = NULL;
-
-- ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
-+ ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
- fd = mkstemp(ccname + strlen("FILE:"));
- if (fd < 0) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-@@ -905,7 +906,7 @@ create_krb5_ccache(krb5_context kcontext
- }
-
- apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
-- apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
-+ apr_pool_cleanup_register(r->connection->pool, ccname, krb5_cache_cleanup,
- apr_pool_cleanup_null);
-
- *ccache = tmp_ccache;
-@@ -1866,10 +1868,15 @@ already_succeeded(request_rec *r, char *
- if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
- return NULL;
-
-- if(conn_data) {
-- if(strcmp(conn_data->authline, auth_line) == 0) {
-- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
-- return conn_data;
-+ if(conn_data && conn_data->ccname != NULL) {
-+ apr_finfo_t finfo;
-+
-+ if (apr_stat(&finfo, conn_data->ccname + strlen("FILE:"),
-+ APR_FINFO_NORM, r->pool) == APR_SUCCESS
-+ && (finfo.valid & APR_FINFO_TYPE)
-+ && finfo.filetype == APR_REG) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
-+ return conn_data;
- }
- }
- return NULL;
-@@ -2001,6 +2008,8 @@ kerb_authenticate_user(request_rec *r)
- ret = prevauth->last_return;
- MK_USER = prevauth->user;
- MK_AUTH_TYPE = prevauth->mech;
-+ if (prevauth->ccname)
-+ apr_table_setn(r->subprocess_env, "KRB5CCNAME", prevauth->ccname);
- }
-
- /*
-@@ -2011,6 +2020,7 @@ kerb_authenticate_user(request_rec *r)
- prevauth->user = apr_pstrdup(r->connection->pool, MK_USER);
- prevauth->authline = apr_pstrdup(r->connection->pool, auth_line);
- prevauth->mech = apr_pstrdup(r->connection->pool, auth_type);
-+ prevauth->ccname = apr_pstrdup(r->connection->pool, apr_table_get(r->subprocess_env, "KRB5CCNAME"));
- prevauth->last_return = ret;
- snprintf(keyname, sizeof(keyname) - 1,
- "mod_auth_kerb::connection::%s::%ld",
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch
deleted file mode 100644
index b86be697ae0..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-
-Compiler warning fixes.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.fixes
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -677,7 +677,8 @@ end:
- static krb5_error_code
- verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
- const char *password, krb5_principal server,
-- krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache)
-+ krb5_keytab keytab, int krb_verify_kdc,
-+ const char *krb_service_name, krb5_ccache *ccache)
- {
- krb5_creds creds;
- krb5_get_init_creds_opt options;
-@@ -1280,6 +1281,7 @@ get_gss_creds(request_rec *r,
- return 0;
- }
-
-+#ifndef GSSAPI_SUPPORTS_SPNEGO
- static int
- cmp_gss_type(gss_buffer_t token, gss_OID oid)
- {
-@@ -1306,6 +1308,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID
-
- return memcmp(p, oid->elements, oid->length);
- }
-+#endif
-
- static int
- authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
-@@ -1722,7 +1725,7 @@ kerb_authenticate_user(request_rec *r)
- return ret;
- }
-
--int
-+static int
- have_rcache_type(const char *type)
- {
- krb5_error_code ret;
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch
deleted file mode 100644
index 4b77a497f4c..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
-index 2aab5ee..ca81878 100644
---- a/src/mod_auth_kerb.c
-+++ b/src/mod_auth_kerb.c
-@@ -1744,7 +1744,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- goto end;
- }
-
--#if 0
- /* This is a _Kerberos_ module so multiple authentication rounds aren't
- * supported. If we wanted a generic GSS authentication we would have to do
- * some magic with exporting context etc. */
-@@ -1752,7 +1751,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- ret = HTTP_UNAUTHORIZED;
- goto end;
- }
--#endif
-
- major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
- gss_release_name(&minor_status, &client_name);
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch
deleted file mode 100644
index a5d3d4ba62c..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c 2010-10-04 16:21:22.169285716 +0200
-+++ mod_auth_kerb-5.4.new/src/mod_auth_kerb.c 2010-10-04 16:20:41.584250095 +0200
-@@ -89,6 +89,7 @@
- #include <krb5.h>
- #ifdef HEIMDAL
- # include <gssapi.h>
-+# include <gssapi/gssapi_krb5.h>
- #else
- # include <gssapi/gssapi.h>
- # include <gssapi/gssapi_generic.h>
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch
deleted file mode 100644
index 86c9b47d6bd..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-
-Fixes for 2.4 API.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.httpd24
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -179,6 +179,16 @@ static apr_global_mutex_t *s4u2proxy_loc
- #define PROXYREQ_PROXY STD_PROXY
- #endif
-
-+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100606
-+/* 2.4.x or later */
-+#define WITH_HTTPD24 1
-+#define client_ip(r) ((r)->useragent_ip)
-+APLOG_USE_MODULE(auth_kerb);
-+#else
-+#define client_ip(r) ((r)->connection->remote_ip)
-+#define ap_unixd_set_global_mutex_perms unixd_set_global_mutex_perms
-+#endif
-+
- /***************************************************************************
- Auth Configuration Structure
- ***************************************************************************/
-@@ -383,7 +393,11 @@ cmd_delegationlock(cmd_parms *cmd, void
- }
-
- static void
--log_rerror(const char *file, int line, int level, int status,
-+log_rerror(const char *file, int line,
-+#ifdef WITH_HTTPD24
-+ int module_index,
-+#endif
-+ int level, int status,
- const request_rec *r, const char *fmt, ...)
- {
- char errstr[1024];
-@@ -394,7 +408,9 @@ log_rerror(const char *file, int line, i
- va_end(ap);
-
-
--#ifdef STANDARD20_MODULE_STUFF
-+#if defined(WITH_HTTPD24)
-+ ap_log_rerror(file, line, module_index, level, status, r, "%s", errstr);
-+#elif defined(STANDARD20_MODULE_STUFF)
- ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr);
- #else
- ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr);
-@@ -1860,8 +1876,8 @@ already_succeeded(request_rec *r, char *
- char keyname[1024];
-
- snprintf(keyname, sizeof(keyname) - 1,
-- "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip,
-- r->connection->id);
-+ "mod_auth_kerb::connection::%s::%ld", client_ip(r),
-+ r->connection->id);
-
- if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
- return NULL;
-@@ -2014,7 +2030,7 @@ kerb_authenticate_user(request_rec *r)
- prevauth->last_return = ret;
- snprintf(keyname, sizeof(keyname) - 1,
- "mod_auth_kerb::connection::%s::%ld",
-- r->connection->remote_ip, r->connection->id);
-+ client_ip(r), r->connection->id);
- apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool);
- }
-
-@@ -2073,7 +2089,7 @@ s4u2proxylock_create(server_rec *s, apr_
- }
-
- #ifdef AP_NEED_SET_MUTEX_PERMS
-- rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
-+ rc = ap_unixd_set_global_mutex_perms(s4u2proxy_lock);
- if (rc != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
- "mod_auth_kerb: Parent could not set permissions "
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch
deleted file mode 100644
index 100fd364af8..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=867153
-
-Patch by: jkaluza
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.longuser
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -80,6 +80,7 @@
-
- #define MECH_NEGOTIATE "Negotiate"
- #define SERVICE_NAME "HTTP"
-+#define MAX_LOCAL_USERNAME 255
-
- #include <httpd.h>
- #include <http_config.h>
-@@ -1815,13 +1816,13 @@ do_krb5_an_to_ln(request_rec *r) {
- krb5_get_err_text(kcontext, code));
- goto end;
- }
-- MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1);
-+ MK_USER_LNAME = apr_pcalloc(r->pool, MAX_LOCAL_USERNAME+1);
- if (MK_USER_LNAME == NULL) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "ap_pcalloc() failed (not enough memory)");
- goto end;
- }
-- code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME);
-+ code = krb5_aname_to_localname(kcontext, client, MAX_LOCAL_USERNAME, MK_USER_LNAME);
- if (code) {
- if (code != KRB5_LNAME_NOTRANS) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch
deleted file mode 100644
index abbf4dba47b..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-
-Remove the Krb5 1.3.x-specific hack which mucks about with
-libkrb5 internals, and shouldn't.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.rcopshack
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -285,34 +285,6 @@ mkstemp(char *template)
- }
- #endif
-
--#if defined(KRB5) && !defined(HEIMDAL)
--/* Needed to work around problems with replay caches */
--#include "mit-internals.h"
--
--/* This is our replacement krb5_rc_store function */
--static krb5_error_code KRB5_LIB_FUNCTION
--mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
-- krb5_donot_replay_internal *donot_replay)
--{
-- return 0;
--}
--
--/* And this is the operations vector for our replay cache */
--const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
-- 0,
-- "dfl",
-- krb5_rc_dfl_init,
-- krb5_rc_dfl_recover,
-- krb5_rc_dfl_destroy,
-- krb5_rc_dfl_close,
-- mod_auth_kerb_rc_store,
-- krb5_rc_dfl_expunge,
-- krb5_rc_dfl_get_span,
-- krb5_rc_dfl_get_name,
-- krb5_rc_dfl_resolve
--};
--#endif
--
- /***************************************************************************
- Auth Configuration Initialization
- ***************************************************************************/
-@@ -1252,31 +1224,6 @@ get_gss_creds(request_rec *r,
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
--#ifndef HEIMDAL
-- /*
-- * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
-- * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
-- * the replay cache.
-- * This allows us to override the replay cache function vector with
-- * our own one.
-- * Note that this is a dirty hack to get things working and there may
-- * well be unknown side-effects.
-- */
-- {
-- krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
--
-- /* First we try to verify we are linked with 1.3.x to prevent from
-- crashing when linked with 1.4.x */
-- if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
-- if (gss_creds->rcache && gss_creds->rcache->ops &&
-- gss_creds->rcache->ops->type &&
-- memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
-- /* Override the rcache operations */
-- gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
-- }
-- }
--#endif
--
- return 0;
- }
-
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch
deleted file mode 100644
index 07a6e3b7c8e..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch
+++ /dev/null
@@ -1,601 +0,0 @@
-
-Add S4U2Proxy feature:
-
-http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
-
-The attached patches add support for using s4u2proxy
-(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
-web service to obtain credentials on behalf of the authenticated user.
-
-The first patch adds basic support for s4u2proxy. This requires the web
-administrator to manually create and manage the credentails cache for
-the apache user (via a cron job, for example).
-
-The second patch builds on this and makes mod_auth_kerb manage the
-ccache instead.
-
-These are patches against the current CVS HEAD (mod_auth_krb 5.4).
-
-I've added a new module option to enable this support,
-KrbConstrainedDelegation. The default is off.
-
-diff -up --recursive mod_auth_kerb-5.4.orig/README mod_auth_kerb-5.4/README
---- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
-+++ mod_auth_kerb-5.4/README 2014-01-21 13:46:21.482223432 -0500
-@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
- credential cache that will be available for the request handler. The ticket
- file will be removed after request is handled.
-
-+Constrained Delegation
-+----------------------
-+S4U2Proxy, or constrained delegation, enables a service to use a client's
-+ticket to itself to request another ticket for delegation. The KDC
-+checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
-+If KrbConstrainedDelegation is enabled the server will use its own credentials
-+to retrieve a delegated ticket for the user. For this to work the user must
-+have a forwardable ticket (though the delegation flag need not be set).
-+The server needs a valid credentials cache for this to work.
-+
-+The module itself will obtain and manage the necessary credentials.
-+
- $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
-diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2014-01-21 13:45:21.605538007 -0500
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2014-01-21 13:46:46.746668762 -0500
-@@ -42,6 +42,31 @@
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-+/*
-+ * Locking mechanism inspired by mod_rewrite.
-+ *
-+ * Licensed to the Apache Software Foundation (ASF) under one or more
-+ * contributor license agreements. See the NOTICE file distributed with
-+ * this work for additional information regarding copyright ownership.
-+ * The ASF licenses this file to You under the Apache License, Version 2.0
-+ * (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+/*
-+ * S4U2Proxy code
-+ *
-+ * Copyright (C) 2012 Red Hat
-+ */
-+
- #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
-
- #include "config.h"
-@@ -49,6 +74,7 @@
- #include <stdlib.h>
- #include <stdio.h>
- #include <stdarg.h>
-+#include <unixd.h>
-
- #define MODAUTHKERB_VERSION "5.4"
-
-@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_
- module auth_kerb_module;
- #endif
-
-+#ifdef STANDARD20_MODULE_STUFF
-+/* s4u2proxy only supported in 2.0+ */
-+static const char *lockname;
-+static apr_global_mutex_t *s4u2proxy_lock = NULL;
-+#endif
-+
- /***************************************************************************
- Macros To Ease Compatibility
- ***************************************************************************/
-@@ -165,6 +197,7 @@ typedef struct {
- int krb_method_gssapi;
- int krb_method_k5pass;
- int krb5_do_auth_to_local;
-+ int krb5_s4u2proxy;
- #endif
- #ifdef KRB4
- char *krb_4_srvtab;
-@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co
-
- static const char*
- krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
-+static const char *
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
-+
-+static int
-+obtain_server_credentials(request_rec *r, const char *service_name);
-
- #ifdef STANDARD20_MODULE_STUFF
- #define command(name, func, var, type, usage) \
-@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[
-
- command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
- FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
-+
-+ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
-+ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
-+
-+ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
-+ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
- #endif
-
- #ifdef KRB4
-@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P
- #endif
- #ifdef KRB5
- ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
-+ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
- ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
- ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
- #endif
-@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v
- return NULL;
- }
-
-+static const char *
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
-+{
-+ const char *error;
-+
-+ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
-+ return error;
-+
-+ /* fixup the path, especially for s4u2proxylock_remove() */
-+ lockname = ap_server_root_relative(cmd->pool, a1);
-+
-+ if (!lockname) {
-+ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
-+ }
-+
-+ return NULL;
-+}
-+
- static void
- log_rerror(const char *file, int line, int level, int status,
- const request_rec *r, const char *fmt, ...)
-@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r,
- gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
- OM_uint32 major_status, minor_status, minor_status2;
- gss_name_t server_name = GSS_C_NO_NAME;
-+ gss_cred_usage_t usage = GSS_C_ACCEPT;
- char buf[1024];
- int have_server_princ;
-
-@@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r,
-
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
- token.value);
-+ if (conf->krb5_s4u2proxy) {
-+ usage = GSS_C_BOTH;
-+ obtain_server_credentials(r, conf->krb_service_name);
-+ }
- gss_release_buffer(&minor_status, &token);
-
- major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
-- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
-+ GSS_C_NO_OID_SET, usage,
- server_creds, NULL, NULL);
- gss_release_name(&minor_status2, &server_name);
- if (GSS_ERROR(major_status)) {
-@@ -1257,6 +1325,302 @@ cmp_gss_type(gss_buffer_t token, gss_OID
- }
- #endif
-
-+/* Renew the ticket if it will expire in under a minute */
-+#define RENEWAL_TIME 60
-+
-+/*
-+ * Services4U2Proxy lets a server prinicipal request another service
-+ * principal on behalf of a user. To do this the Apache service needs
-+ * to have its own ccache. This will ensure that the ccache has a valid
-+ * principal and will initialize or renew new credentials when needed.
-+ */
-+
-+static int
-+verify_server_credentials(request_rec *r,
-+ krb5_context kcontext,
-+ krb5_ccache ccache,
-+ krb5_principal princ,
-+ int *renew
-+)
-+{
-+ krb5_creds match_cred;
-+ krb5_creds creds;
-+ char * princ_name = NULL;
-+ char *tgs_princ_name = NULL;
-+ krb5_timestamp now;
-+ krb5_error_code kerr = 0;
-+
-+ *renew = 0;
-+
-+ memset (&match_cred, 0, sizeof(match_cred));
-+ memset (&creds, 0, sizeof(creds));
-+
-+ if (NULL == ccache || NULL == princ) {
-+ /* Nothing to verify */
-+ *renew = 1;
-+ goto cleanup;
-+ }
-+
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not unparse principal %s (%d)",
-+ error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Using principal %s for s4u2proxy", princ_name);
-+
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data);
-+
-+ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server)))
-+ {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal %s: %s (%d)",
-+ tgs_princ_name, error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ match_cred.client = princ;
-+
-+ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
-+ {
-+ krb5_unparse_name(kcontext, princ, &princ_name);
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Could not unparse principal %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ if ((kerr = krb5_timeofday(kcontext, &now))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not get current time: %d (%s)",
-+ kerr, error_message(kerr));
-+ goto cleanup;
-+ }
-+
-+ if (now > (creds.times.endtime + RENEWAL_TIME)) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Credentials for %s have expired or will soon "
-+ "expire - now %d endtime %d",
-+ princ_name, now, creds.times.endtime);
-+ *renew = 1;
-+ } else {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Credentials for %s will expire at "
-+ "%d, it is now %d", princ_name, creds.times.endtime, now);
-+ }
-+
-+cleanup:
-+ /* Closing context, ccache, etc happens elsewhere */
-+ if (match_cred.server) {
-+ krb5_free_principal(kcontext, match_cred.server);
-+ }
-+ if (creds.client) {
-+ krb5_free_cred_contents(kcontext, &creds);
-+ }
-+
-+ return kerr;
-+}
-+
-+static int
-+obtain_server_credentials(request_rec *r,
-+ const char *service_name)
-+{
-+ krb5_context kcontext = NULL;
-+ krb5_keytab keytab = NULL;
-+ krb5_ccache ccache = NULL;
-+ char * princ_name = NULL;
-+ char *tgs_princ_name = NULL;
-+ krb5_error_code kerr = 0;
-+ krb5_principal princ = NULL;
-+ krb5_creds creds;
-+ krb5_get_init_creds_opt gicopts;
-+ int renew = 0;
-+ apr_status_t rv = 0;
-+
-+ memset(&creds, 0, sizeof(creds));
-+
-+ if ((kerr = krb5_init_context(&kcontext))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
-+ goto done;
-+ }
-+
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not get default Kerberos ccache: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto done;
-+ }
-+
-+ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
-+ char * name = NULL;
-+
-+ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
-+ krb5_cc_get_name(kcontext, ccache))) == -1) {
-+ kerr = KRB5_CC_NOMEM;
-+ goto done;
-+ }
-+
-+ if (KRB5_FCC_NOFILE == kerr) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Credentials cache %s not found, create one", name);
-+ krb5_cc_close(kcontext, ccache);
-+ ccache = NULL;
-+ free(name);
-+ } else {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failure to open credentials cache %s: %s (%d)",
-+ name, error_message(kerr), kerr);
-+ free(name);
-+ goto done;
-+ }
-+ }
-+
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
-+
-+ if (kerr || !renew) {
-+ goto done;
-+ }
-+
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (s4u2proxy_lock) {
-+ rv = apr_global_mutex_lock(s4u2proxy_lock);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
-+ "apr_global_mutex_lock(s4u2proxy_lock) "
-+ "failed");
-+ }
-+ }
-+#endif
-+
-+ /* We have the lock, check again to be sure another process hasn't already
-+ * renewed the ticket.
-+ */
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
-+ if (kerr || !renew) {
-+ goto unlock;
-+ }
-+
-+ if (NULL == princ) {
-+ if (strchr(service_name, '/') != NULL)
-+ kerr = krb5_parse_name(kcontext, service_name, &princ);
-+ else
-+ kerr = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
-+ (service_name) ? service_name : SERVICE_NAME,
-+ KRB5_NT_SRV_HST, &princ);
-+
-+ if (kerr) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal: %s (%d) ",
-+ error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Could not unparse principal %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ }
-+ } else if (NULL == princ_name) {
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Could not unparse principal %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+ }
-+
-+ if ((kerr = krb5_kt_default(kcontext, &keytab))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Unable to get default keytab: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Obtaining new credentials for %s", princ_name);
-+ krb5_get_init_creds_opt_init(&gicopts);
-+ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
-+
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data);
-+
-+ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
-+ 0, tgs_princ_name, &gicopts))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to obtain credentials for principal %s: "
-+ "%s (%d)", princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ krb5_kt_close(kcontext, keytab);
-+ keytab = NULL;
-+
-+ if (NULL == ccache) {
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to open default ccache: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+ }
-+
-+ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to initialize ccache for %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to store %s in ccache: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+unlock:
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (s4u2proxy_lock) {
-+ apr_global_mutex_unlock(s4u2proxy_lock);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
-+ "apr_global_mutex_unlock(s4u2proxy_lock) "
-+ "failed");
-+ }
-+ }
-+#endif
-+
-+done:
-+ if (0 == kerr)
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Done obtaining credentials for s4u2proxy");
-+ else
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Failed to obtain credentials for s4u2proxy");
-+
-+ if (creds.client) {
-+ krb5_free_cred_contents(kcontext, &creds);
-+ }
-+ if (ccache) {
-+ krb5_cc_close(kcontext, ccache);
-+ }
-+ if (kcontext) {
-+ krb5_free_context(kcontext);
-+ }
-+
-+ return kerr;
-+}
-+
- static int
- authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- const char *auth_line, char **negotiate_ret_value)
-@@ -1697,10 +2061,60 @@ have_rcache_type(const char *type)
- /***************************************************************************
- Module Setup/Configuration
- ***************************************************************************/
-+#ifdef STANDARD20_MODULE_STUFF
-+static apr_status_t
-+s4u2proxylock_create(server_rec *s, apr_pool_t *p)
-+{
-+ apr_status_t rc;
-+
-+ /* only operate if a lockfile is used */
-+ if (lockname == NULL || *(lockname) == '\0') {
-+ return APR_SUCCESS;
-+ }
-+
-+ /* create the lockfile */
-+ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
-+ APR_LOCK_DEFAULT, p);
-+ if (rc != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
-+ "Parent could not create lock file %s", lockname);
-+ return rc;
-+ }
-+
-+#ifdef AP_NEED_SET_MUTEX_PERMS
-+ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
-+ if (rc != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
-+ "mod_auth_kerb: Parent could not set permissions "
-+ "on lock; check User and Group directives");
-+ return rc;
-+ }
-+#endif
-+
-+ return APR_SUCCESS;
-+}
-+
-+static apr_status_t
-+s4u2proxylock_remove(void *unused)
-+{
-+ /* only operate if a lockfile is used */
-+ if (lockname == NULL || *(lockname) == '\0') {
-+ return APR_SUCCESS;
-+ }
-+
-+ /* destroy the rewritelock */
-+ apr_global_mutex_destroy(s4u2proxy_lock);
-+ s4u2proxy_lock = NULL;
-+ lockname = NULL;
-+ return APR_SUCCESS;
-+}
-+#endif
-+
- #ifndef STANDARD20_MODULE_STUFF
- static void
- kerb_module_init(server_rec *dummy, pool *p)
- {
-+ apr_status_t status;
- #ifndef HEIMDAL
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
- 1.3.x are covered by the hack overiding the replay calls */
-@@ -1741,6 +2155,7 @@ static int
- kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
- apr_pool_t *ptemp, server_rec *s)
- {
-+ apr_status_t rv;
- ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
- #ifndef HEIMDAL
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
-@@ -1748,14 +2163,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
- putenv(strdup("KRB5RCACHETYPE=none"));
- #endif
-+#ifdef STANDARD20_MODULE_STUFF
-+ rv = s4u2proxylock_create(s, p);
-+ if (rv != APR_SUCCESS) {
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
-+
-+ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
-+ apr_pool_cleanup_null);
-+#endif
-
- return OK;
- }
-
- static void
-+initialize_child(apr_pool_t *p, server_rec *s)
-+{
-+ apr_status_t rv = 0;
-+
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (lockname != NULL && *(lockname) != '\0') {
-+ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-+ "mod_auth_kerb: could not init s4u2proxy_lock"
-+ " in child");
-+ }
-+ }
-+#endif
-+}
-+
-+static void
- kerb_register_hooks(apr_pool_t *p)
- {
- ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
-+ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
- }
-
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
index 1d1b560367c..9094681f3d4 100644
--- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
+++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
@@ -6,7 +6,8 @@ inherit apache-module eutils systemd
DESCRIPTION="An Apache authentication module using Kerberos"
HOMEPAGE="http://modauthkerb.sourceforge.net/"
-SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz"
+SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz
+ https://dev.gentoo.org/~mgorny/dist/${P}-gentoo-patchset.tar.bz2"
LICENSE="BSD openafs-krb5-a HPND"
SLOT="0"
@@ -24,15 +25,15 @@ DOCFILES="INSTALL README"
need_apache2
PATCHES=(
- "${FILESDIR}"/${P}-rcopshack.patch
- "${FILESDIR}"/${P}-fixes.patch
- "${FILESDIR}"/${P}-s4u2proxy.patch
- "${FILESDIR}"/${P}-httpd24.patch
- "${FILESDIR}"/${P}-delegation.patch
- "${FILESDIR}"/${P}-cachedir.patch
- "${FILESDIR}"/${P}-longuser.patch
- "${FILESDIR}"/${P}-handle-continue.patch
- "${FILESDIR}"/${P}-heimdal.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-rcopshack.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-fixes.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-s4u2proxy.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-httpd24.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-delegation.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-cachedir.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-longuser.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-handle-continue.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-heimdal.patch
)
src_prepare() {
^ permalink raw reply related [flat|nested] 4+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: www-apache/mod_auth_kerb/, www-apache/mod_auth_kerb/files/
@ 2021-12-29 8:39 Sam James
0 siblings, 0 replies; 4+ messages in thread
From: Sam James @ 2021-12-29 8:39 UTC (permalink / raw
To: gentoo-commits
commit: b4c542201cff236f67aac6eaa0ca86863d34df80
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 29 08:38:06 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Dec 29 08:38:06 2021 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4c54220
www-apache/mod_auth_kerb: add Debian patch for krb5 ABI break
Was using an internal API.
Closes: https://bugs.gentoo.org/830208
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/mod_auth_kerb-5.4-api-change-krb5.patch | 51 ++++++++++++++++++
.../mod_auth_kerb/mod_auth_kerb-5.4-r4.ebuild | 63 ++++++++++++++++++++++
2 files changed, 114 insertions(+)
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
new file mode 100644
index 000000000000..d0421a0eb6ea
--- /dev/null
+++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
@@ -0,0 +1,51 @@
+https://sources.debian.org/data/main/liba/libapache-mod-auth-kerb/5.4-2.5/debian/patches/0011-Always-use-NONE-replay-cache-type.patch
+https://bugs.gentoo.org/830208
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -2061,28 +2061,6 @@
+ return ret;
+ }
+
+-static int
+-have_rcache_type(const char *type)
+-{
+- krb5_error_code ret;
+- krb5_context context;
+- krb5_rcache id = NULL;
+- int found;
+-
+- ret = krb5_init_context(&context);
+- if (ret)
+- return 0;
+-
+- ret = krb5_rc_resolve_full(context, &id, "none:");
+- found = (ret == 0);
+-
+- if (ret == 0)
+- krb5_rc_destroy(context, id);
+- krb5_free_context(context);
+-
+- return found;
+-}
+-
+ /***************************************************************************
+ Module Setup/Configuration
+ ***************************************************************************/
+@@ -2143,7 +2121,7 @@
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
++ if (getenv("KRB5RCACHETYPE") == NULL)
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
+ }
+@@ -2185,7 +2163,7 @@
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
++ if (getenv("KRB5RCACHETYPE") == NULL)
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
+ #ifdef STANDARD20_MODULE_STUFF
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r4.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r4.ebuild
new file mode 100644
index 000000000000..c8e1b13352e1
--- /dev/null
+++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r4.ebuild
@@ -0,0 +1,63 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit apache-module depend.apache tmpfiles
+
+DESCRIPTION="An Apache authentication module using Kerberos"
+HOMEPAGE="http://modauthkerb.sourceforge.net/"
+SRC_URI="mirror://sourceforge/project/modauthkerb/${PN}/${P}/${P}.tar.gz
+ https://dev.gentoo.org/~mgorny/dist/${P}-gentoo-patchset.tar.bz2"
+
+LICENSE="BSD openafs-krb5-a HPND"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND="virtual/krb5"
+RDEPEND="${DEPEND}"
+
+APACHE2_MOD_CONF="11_${PN}"
+APACHE2_MOD_DEFINE="AUTH_KERB"
+
+DOCFILES="INSTALL README"
+
+need_apache2
+
+PATCHES=(
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-rcopshack.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-fixes.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-s4u2proxy.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-httpd24.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-delegation.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-cachedir.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-longuser.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-handle-continue.patch
+ "${WORKDIR}/${P}-gentoo-patchset"/${P}-heimdal.patch
+
+ # bug #830208
+ "${FILESDIR}"/${P}-api-change-krb5.patch
+)
+
+# Work around Bug #616612
+pkg_setup() {
+ _init_apache2
+ _init_apache2_late
+}
+
+src_configure() {
+ CFLAGS="" APXS="${APXS}" econf --with-krb5=/usr --without-krb4
+}
+
+src_compile() {
+ emake
+}
+
+src_install() {
+ apache-module_src_install
+ dotmpfiles "${FILESDIR}/${PN}.conf"
+}
+
+pkg_postinst() {
+ tmpfiles_process ${PN}.conf
+}
^ permalink raw reply related [flat|nested] 4+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: www-apache/mod_auth_kerb/, www-apache/mod_auth_kerb/files/
@ 2017-06-04 18:32 Pacho Ramos
0 siblings, 0 replies; 4+ messages in thread
From: Pacho Ramos @ 2017-06-04 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 021b4128fab449a793151ee229d692b10ec248bf
Author: Pacho Ramos <pacho <AT> gentoo <DOT> org>
AuthorDate: Sun Jun 4 18:30:07 2017 +0000
Commit: Pacho Ramos <pacho <AT> gentoo <DOT> org>
CommitDate: Sun Jun 4 18:31:59 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=021b4128
www-apache/mod_auth_kerb: Fix building with heimdal (#327445)
Package-Manager: Portage-2.3.6, Repoman-2.3.2
www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch | 10 ++++++++++
www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild | 3 ++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch
new file mode 100644
index 00000000000..a5d3d4ba62c
--- /dev/null
+++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch
@@ -0,0 +1,10 @@
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c 2010-10-04 16:21:22.169285716 +0200
++++ mod_auth_kerb-5.4.new/src/mod_auth_kerb.c 2010-10-04 16:20:41.584250095 +0200
+@@ -89,6 +89,7 @@
+ #include <krb5.h>
+ #ifdef HEIMDAL
+ # include <gssapi.h>
++# include <gssapi/gssapi_krb5.h>
+ #else
+ # include <gssapi/gssapi.h>
+ # include <gssapi/gssapi_generic.h>
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
index 1b067a4769a..1d1b560367c 100644
--- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
+++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2016 Gentoo Foundation
+# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=5
@@ -32,6 +32,7 @@ PATCHES=(
"${FILESDIR}"/${P}-cachedir.patch
"${FILESDIR}"/${P}-longuser.patch
"${FILESDIR}"/${P}-handle-continue.patch
+ "${FILESDIR}"/${P}-heimdal.patch
)
src_prepare() {
^ permalink raw reply related [flat|nested] 4+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: www-apache/mod_auth_kerb/, www-apache/mod_auth_kerb/files/
@ 2016-08-18 16:56 Pacho Ramos
0 siblings, 0 replies; 4+ messages in thread
From: Pacho Ramos @ 2016-08-18 16:56 UTC (permalink / raw
To: gentoo-commits
commit: d429134c9c62729169a429f95704bb3882a96ffc
Author: Pacho Ramos <pacho <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 18 16:55:53 2016 +0000
Commit: Pacho Ramos <pacho <AT> gentoo <DOT> org>
CommitDate: Thu Aug 18 16:56:42 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d429134c
www-apache/mod_auth_kerb: Properly provide and apply Fedora patches (#327445)
Package-Manager: portage-2.3.0
.../files/mod_auth_kerb-5.4-s4u2proxy-r3.patch | 603 ---------------------
.../files/mod_auth_kerb-5.4-s4u2proxy.patch | 46 +-
.../mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild | 22 +-
3 files changed, 41 insertions(+), 630 deletions(-)
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r3.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r3.patch
deleted file mode 100644
index efc183a..0000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r3.patch
+++ /dev/null
@@ -1,603 +0,0 @@
-
-Add S4U2Proxy feature:
-
-https://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
-
-The attached patches add support for using s4u2proxy
-(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
-web service to obtain credentials on behalf of the authenticated user.
-
-The first patch adds basic support for s4u2proxy. This requires the web
-administrator to manually create and manage the credentails cache for
-the apache user (via a cron job, for example).
-
-The second patch builds on this and makes mod_auth_kerb manage the
-ccache instead.
-
-These are patches against the current CVS HEAD (mod_auth_krb 5.4).
-
-I've added a new module option to enable this support,
-KrbConstrainedDelegation. The default is off.
-
---- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
-+++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500
-@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
- credential cache that will be available for the request handler. The ticket
- file will be removed after request is handled.
-
-+Constrained Delegation
-+----------------------
-+S4U2Proxy, or constrained delegation, enables a service to use a client's
-+ticket to itself to request another ticket for delegation. The KDC
-+checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
-+If KrbConstrainedDelegation is enabled the server will use its own credentials
-+to retrieve a delegated ticket for the user. For this to work the user must
-+have a forwardable ticket (though the delegation flag need not be set).
-+The server needs a valid credentials cache for this to work.
-+
-+The module itself will obtain and manage the necessary credentials.
-+
- $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
-diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500
-@@ -42,6 +42,31 @@
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-+/*
-+ * Locking mechanism inspired by mod_rewrite.
-+ *
-+ * Licensed to the Apache Software Foundation (ASF) under one or more
-+ * contributor license agreements. See the NOTICE file distributed with
-+ * this work for additional information regarding copyright ownership.
-+ * The ASF licenses this file to You under the Apache License, Version 2.0
-+ * (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+/*
-+ * S4U2Proxy code
-+ *
-+ * Copyright (C) 2012 Red Hat
-+ */
-+
- #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
-
- #include "config.h"
-@@ -49,6 +74,7 @@
- #include <stdlib.h>
- #include <stdio.h>
- #include <stdarg.h>
-+#include <unixd.h>
-
- #define MODAUTHKERB_VERSION "5.4"
-
-@@ -122,6 +148,12 @@
- module auth_kerb_module;
- #endif
-
-+#ifdef STANDARD20_MODULE_STUFF
-+/* s4u2proxy only supported in 2.0+ */
-+static const char *lockname;
-+static apr_global_mutex_t *s4u2proxy_lock = NULL;
-+#endif
-+
- /***************************************************************************
- Macros To Ease Compatibility
- ***************************************************************************/
-@@ -156,6 +188,7 @@
- int krb_method_gssapi;
- int krb_method_k5pass;
- int krb5_do_auth_to_local;
-+ int krb5_s4u2proxy;
- #endif
- #ifdef KRB4
- char *krb_4_srvtab;
-@@ -176,6 +209,11 @@
-
- static const char*
- krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
-+static const char *
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
-+
-+static int
-+obtain_server_credentials(request_rec *r, const char *service_name);
-
- #ifdef STANDARD20_MODULE_STUFF
- #define command(name, func, var, type, usage) \
-@@ -228,6 +266,12 @@
-
- command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
- FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
-+
-+ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
-+ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
-+
-+ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
-+ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
- #endif
-
- #ifdef KRB4
-@@ -293,6 +337,7 @@
- #endif
- #ifdef KRB5
- ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
-+ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
- ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
- ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
- #endif
-@@ -310,6 +355,24 @@
- return NULL;
- }
-
-+static const char *
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
-+{
-+ const char *error;
-+
-+ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
-+ return error;
-+
-+ /* fixup the path, especially for s4u2proxylock_remove() */
-+ lockname = ap_server_root_relative(cmd->pool, a1);
-+
-+ if (!lockname) {
-+ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
-+ }
-+
-+ return NULL;
-+}
-+
- static void
- log_rerror(const char *file, int line, int level, int status,
- const request_rec *r, const char *fmt, ...)
-@@ -1161,6 +1224,7 @@
- gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
- OM_uint32 major_status, minor_status, minor_status2;
- gss_name_t server_name = GSS_C_NO_NAME;
-+ gss_cred_usage_t usage = GSS_C_ACCEPT;
- char buf[1024];
- int have_server_princ;
-
-@@ -1203,10 +1267,14 @@
-
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
- token.value);
-+ if (conf->krb5_s4u2proxy) {
-+ usage = GSS_C_BOTH;
-+ obtain_server_credentials(r, conf->krb_service_name);
-+ }
- gss_release_buffer(&minor_status, &token);
-
- major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
-- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
-+ GSS_C_NO_OID_SET, usage,
- server_creds, NULL, NULL);
- gss_release_name(&minor_status2, &server_name);
- if (GSS_ERROR(major_status)) {
-@@ -1248,6 +1316,305 @@
- }
- #endif
-
-+/* Renew the ticket if it will expire in under a minute */
-+#define RENEWAL_TIME 60
-+
-+/*
-+ * Services4U2Proxy lets a server prinicipal request another service
-+ * principal on behalf of a user. To do this the Apache service needs
-+ * to have its own ccache. This will ensure that the ccache has a valid
-+ * principal and will initialize or renew new credentials when needed.
-+ */
-+
-+static int
-+verify_server_credentials(request_rec *r,
-+ krb5_context kcontext,
-+ krb5_ccache ccache,
-+ krb5_principal princ,
-+ int *renew
-+)
-+{
-+ krb5_creds match_cred;
-+ krb5_creds creds;
-+ char * princ_name = NULL;
-+ char *tgs_princ_name = NULL;
-+ krb5_timestamp now;
-+ krb5_error_code kerr = 0;
-+
-+ *renew = 0;
-+
-+ memset (&match_cred, 0, sizeof(match_cred));
-+ memset (&creds, 0, sizeof(creds));
-+
-+ if (NULL == ccache || NULL == princ) {
-+ /* Nothing to verify */
-+ *renew = 1;
-+ goto cleanup;
-+ }
-+
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not unparse principal %s (%d)",
-+ error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Using principal %s for s4u2proxy", princ_name);
-+
-+#ifdef HEIMDAL
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,
-+ krb5_principal_get_realm(kcontext, princ),
-+ krb5_principal_get_realm(kcontext, princ));
-+#else
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data);
-+#endif
-+
-+ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server)))
-+ {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal %s: %s (%d)",
-+ tgs_princ_name, error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ match_cred.client = princ;
-+
-+ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
-+ {
-+ krb5_unparse_name(kcontext, princ, &princ_name);
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Could not unparse principal %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ if ((kerr = krb5_timeofday(kcontext, &now))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not get current time: %d (%s)",
-+ kerr, error_message(kerr));
-+ goto cleanup;
-+ }
-+
-+ if (now > (creds.times.endtime + RENEWAL_TIME)) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Credentials for %s have expired or will soon "
-+ "expire - now %d endtime %d",
-+ princ_name, now, creds.times.endtime);
-+ *renew = 1;
-+ } else {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Credentials for %s will expire at "
-+ "%d, it is now %d", princ_name, creds.times.endtime, now);
-+ }
-+
-+cleanup:
-+ /* Closing context, ccache, etc happens elsewhere */
-+ if (match_cred.server) {
-+ krb5_free_principal(kcontext, match_cred.server);
-+ }
-+ if (creds.client) {
-+ krb5_free_cred_contents(kcontext, &creds);
-+ }
-+
-+ return kerr;
-+}
-+
-+static int
-+obtain_server_credentials(request_rec *r,
-+ const char *service_name)
-+{
-+ krb5_context kcontext = NULL;
-+ krb5_keytab keytab = NULL;
-+ krb5_ccache ccache = NULL;
-+ char * princ_name = NULL;
-+ char *tgs_princ_name = NULL;
-+ krb5_error_code kerr = 0;
-+ krb5_principal princ = NULL;
-+ krb5_creds creds;
-+ krb5_get_init_creds_opt gicopts;
-+ int renew = 0;
-+ apr_status_t rv = 0;
-+
-+ memset(&creds, 0, sizeof(creds));
-+
-+ if ((kerr = krb5_init_context(&kcontext))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
-+ goto done;
-+ }
-+
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not get default Kerberos ccache: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto done;
-+ }
-+
-+ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
-+ char * name = NULL;
-+
-+ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
-+ krb5_cc_get_name(kcontext, ccache))) == -1) {
-+ kerr = KRB5_CC_NOMEM;
-+ goto done;
-+ }
-+
-+ if (KRB5_FCC_NOFILE == kerr) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Credentials cache %s not found, create one", name);
-+ krb5_cc_close(kcontext, ccache);
-+ ccache = NULL;
-+ free(name);
-+ } else {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failure to open credentials cache %s: %s (%d)",
-+ name, error_message(kerr), kerr);
-+ free(name);
-+ goto done;
-+ }
-+ }
-+
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
-+
-+ if (kerr || !renew) {
-+ goto done;
-+ }
-+
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (s4u2proxy_lock) {
-+ rv = apr_global_mutex_lock(s4u2proxy_lock);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
-+ "apr_global_mutex_lock(s4u2proxy_lock) "
-+ "failed");
-+ }
-+ }
-+#endif
-+
-+ /* We have the lock, check again to be sure another process hasn't already
-+ * renewed the ticket.
-+ */
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
-+ if (kerr || !renew) {
-+ goto unlock;
-+ }
-+
-+ if (NULL == princ) {
-+ princ_name = apr_psprintf(r->pool, "%s/%s",
-+ (service_name) ? service_name : SERVICE_NAME,
-+ ap_get_server_name(r));
-+
-+ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal %s: %s (%d) ",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+ } else if (NULL == princ_name) {
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Could not unparse principal %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+ }
-+
-+ if ((kerr = krb5_kt_default(kcontext, &keytab))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Unable to get default keytab: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Obtaining new credentials for %s", princ_name);
-+ krb5_get_init_creds_opt_init(&gicopts);
-+ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
-+
-+#ifdef HEIMDAL
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,
-+ krb5_principal_get_realm(kcontext, princ),
-+ krb5_principal_get_realm(kcontext, princ));
-+#else
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data);
-+#endif
-+
-+ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
-+ 0, tgs_princ_name, &gicopts))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to obtain credentials for principal %s: "
-+ "%s (%d)", princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ krb5_kt_close(kcontext, keytab);
-+ keytab = NULL;
-+
-+ if (NULL == ccache) {
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to open default ccache: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+ }
-+
-+ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to initialize ccache for %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to store %s in ccache: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+unlock:
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (s4u2proxy_lock) {
-+ apr_global_mutex_unlock(s4u2proxy_lock);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
-+ "apr_global_mutex_unlock(s4u2proxy_lock) "
-+ "failed");
-+ }
-+ }
-+#endif
-+
-+done:
-+ if (0 == kerr)
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Done obtaining credentials for s4u2proxy");
-+ else
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Failed to obtain credentials for s4u2proxy");
-+
-+ if (creds.client) {
-+ krb5_free_cred_contents(kcontext, &creds);
-+ }
-+ if (ccache) {
-+ krb5_cc_close(kcontext, ccache);
-+ }
-+ if (kcontext) {
-+ krb5_free_context(kcontext);
-+ }
-+
-+ return kerr;
-+}
-+
- static int
- authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- const char *auth_line, char **negotiate_ret_value)
-@@ -1688,10 +2055,60 @@
- /***************************************************************************
- Module Setup/Configuration
- ***************************************************************************/
-+#ifdef STANDARD20_MODULE_STUFF
-+static apr_status_t
-+s4u2proxylock_create(server_rec *s, apr_pool_t *p)
-+{
-+ apr_status_t rc;
-+
-+ /* only operate if a lockfile is used */
-+ if (lockname == NULL || *(lockname) == '\0') {
-+ return APR_SUCCESS;
-+ }
-+
-+ /* create the lockfile */
-+ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
-+ APR_LOCK_DEFAULT, p);
-+ if (rc != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
-+ "Parent could not create lock file %s", lockname);
-+ return rc;
-+ }
-+
-+#ifdef AP_NEED_SET_MUTEX_PERMS
-+ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
-+ if (rc != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
-+ "mod_auth_kerb: Parent could not set permissions "
-+ "on lock; check User and Group directives");
-+ return rc;
-+ }
-+#endif
-+
-+ return APR_SUCCESS;
-+}
-+
-+static apr_status_t
-+s4u2proxylock_remove(void *unused)
-+{
-+ /* only operate if a lockfile is used */
-+ if (lockname == NULL || *(lockname) == '\0') {
-+ return APR_SUCCESS;
-+ }
-+
-+ /* destroy the rewritelock */
-+ apr_global_mutex_destroy(s4u2proxy_lock);
-+ s4u2proxy_lock = NULL;
-+ lockname = NULL;
-+ return APR_SUCCESS;
-+}
-+#endif
-+
- #ifndef STANDARD20_MODULE_STUFF
- static void
- kerb_module_init(server_rec *dummy, pool *p)
- {
-+ apr_status_t status;
- #ifndef HEIMDAL
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
- 1.3.x are covered by the hack overiding the replay calls */
-@@ -1732,6 +2149,7 @@
- kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
- apr_pool_t *ptemp, server_rec *s)
- {
-+ apr_status_t rv;
- ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
- #ifndef HEIMDAL
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
-@@ -1739,14 +2157,41 @@
- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
- putenv(strdup("KRB5RCACHETYPE=none"));
- #endif
-+#ifdef STANDARD20_MODULE_STUFF
-+ rv = s4u2proxylock_create(s, p);
-+ if (rv != APR_SUCCESS) {
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
-+
-+ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
-+ apr_pool_cleanup_null);
-+#endif
-
- return OK;
- }
-
- static void
-+initialize_child(apr_pool_t *p, server_rec *s)
-+{
-+ apr_status_t rv = 0;
-+
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (lockname != NULL && *(lockname) != '\0') {
-+ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-+ "mod_auth_kerb: could not init s4u2proxy_lock"
-+ " in child");
-+ }
-+ }
-+#endif
-+}
-+
-+static void
- kerb_register_hooks(apr_pool_t *p)
- {
- ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
-+ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
- }
-
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch
index d947793..07a6e3b 100644
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch
+++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch
@@ -1,7 +1,7 @@
Add S4U2Proxy feature:
-https://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
+http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
The attached patches add support for using s4u2proxy
(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
@@ -19,9 +19,10 @@ These are patches against the current CVS HEAD (mod_auth_krb 5.4).
I've added a new module option to enable this support,
KrbConstrainedDelegation. The default is off.
+diff -up --recursive mod_auth_kerb-5.4.orig/README mod_auth_kerb-5.4/README
--- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
-+++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500
-@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
++++ mod_auth_kerb-5.4/README 2014-01-21 13:46:21.482223432 -0500
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
credential cache that will be available for the request handler. The ticket
file will be removed after request is handled.
@@ -37,10 +38,10 @@ KrbConstrainedDelegation. The default is off.
+
+The module itself will obtain and manage the necessary credentials.
+
- $Id$
+ $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2014-01-21 13:45:21.605538007 -0500
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2014-01-21 13:46:46.746668762 -0500
@@ -42,6 +42,31 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
@@ -70,7 +71,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
+ * Copyright (C) 2012 Red Hat
+ */
+
- #ident "$Id$"
+ #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
#include "config.h"
@@ -49,6 +74,7 @@
@@ -184,7 +185,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
server_creds, NULL, NULL);
gss_release_name(&minor_status2, &server_name);
if (GSS_ERROR(major_status)) {
-@@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+@@ -1257,6 +1325,302 @@ cmp_gss_type(gss_buffer_t token, gss_OID
}
#endif
@@ -371,16 +372,25 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
+ }
+
+ if (NULL == princ) {
-+ princ_name = apr_psprintf(r->pool, "%s/%s",
-+ (service_name) ? service_name : SERVICE_NAME,
-+ ap_get_server_name(r));
-+
-+ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
++ if (strchr(service_name, '/') != NULL)
++ kerr = krb5_parse_name(kcontext, service_name, &princ);
++ else
++ kerr = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
++ (service_name) ? service_name : SERVICE_NAME,
++ KRB5_NT_SRV_HST, &princ);
++
++ if (kerr) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal %s: %s (%d) ",
-+ princ_name, error_message(kerr), kerr);
++ "Could not parse principal: %s (%d) ",
++ error_message(kerr), kerr);
+ goto unlock;
+ }
++
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ }
+ } else if (NULL == princ_name) {
+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -478,7 +488,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
static int
authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
const char *auth_line, char **negotiate_ret_value)
-@@ -1697,10 +2052,60 @@ have_rcache_type(const char *type)
+@@ -1697,10 +2061,60 @@ have_rcache_type(const char *type)
/***************************************************************************
Module Setup/Configuration
***************************************************************************/
@@ -539,7 +549,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
1.3.x are covered by the hack overiding the replay calls */
-@@ -1741,6 +2146,7 @@ static int
+@@ -1741,6 +2155,7 @@ static int
kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
@@ -547,7 +557,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
-@@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
+@@ -1748,14 +2163,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
putenv(strdup("KRB5RCACHETYPE=none"));
#endif
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
index 1463b5c..ed22e3e 100644
--- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
+++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
@@ -24,15 +24,19 @@ DOCFILES="INSTALL README"
need_apache2
+PATCHES=(
+ "${FILESDIR}"/${P}-rcopshack.patch
+ "${FILESDIR}"/${P}-fixes.patch
+ "${FILESDIR}"/${P}-s4u2proxy.patch
+ "${FILESDIR}"/${P}-httpd24.patch
+ "${FILESDIR}"/${P}-delegation.patch
+ "${FILESDIR}"/${P}-cachedir.patch
+ "${FILESDIR}"/${P}-longuser.patch
+ "${FILESDIR}"/${P}-handle-continue.patch
+)
+
src_prepare() {
- epatch "${FILESDIR}"/${P}-rcopshack.patch
- epatch "${FILESDIR}"/${P}-fixes.patch
- epatch "${FILESDIR}"/${P}-s4u2proxy-r3.patch
- epatch "${FILESDIR}"/${P}-httpd24.patch
- epatch "${FILESDIR}"/${P}-delegation.patch
- epatch "${FILESDIR}"/${P}-cachedir.patch
- epatch "${FILESDIR}"/${P}-longuser.patch
- epatch "${FILESDIR}"/${P}-handle-continue.patch
+ epatch "${PATCHES[@]}"
}
src_configure() {
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-12-29 8:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-15 12:36 [gentoo-commits] repo/gentoo:master commit in: www-apache/mod_auth_kerb/, www-apache/mod_auth_kerb/files/ Michał Górny
-- strict thread matches above, loose matches on Subject: below --
2021-12-29 8:39 Sam James
2017-06-04 18:32 Pacho Ramos
2016-08-18 16:56 Pacho Ramos
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox