commit: bbc26ed7549d91670a993e6208d98eebdc6c2ade |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
AuthorDate: Sun Oct 15 11:40:11 2017 +0000 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 15 12:35:55 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbc26ed7 |
|
www-apache/mod_auth_kerb: Move patches to a dist tarball |
|
Closes: https://bugs.gentoo.org/620644 |
|
www-apache/mod_auth_kerb/Manifest | 1 + |
.../files/mod_auth_kerb-5.4-cachedir.patch | 15 - |
.../files/mod_auth_kerb-5.4-delegation.patch | 68 --- |
.../files/mod_auth_kerb-5.4-fixes.patch | 40 -- |
.../files/mod_auth_kerb-5.4-handle-continue.patch | 20 - |
.../files/mod_auth_kerb-5.4-heimdal.patch | 10 - |
.../files/mod_auth_kerb-5.4-httpd24.patch | 75 --- |
.../files/mod_auth_kerb-5.4-longuser.patch | 31 -- |
.../files/mod_auth_kerb-5.4-rcopshack.patch | 73 --- |
.../files/mod_auth_kerb-5.4-s4u2proxy.patch | 601 --------------------- |
.../mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild | 21 +- |
11 files changed, 12 insertions(+), 943 deletions(-) |
|
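diff --git a/www-apache/mod_auth_kerb/Manifest b/www-apache/mod_auth_kerb/Manifest
index 2d942c7502e..772f8adc7b7 100644
--- a/www-apache/mod_auth_kerb/Manifest
+++ b/www-apache/mod_auth_kerb/Manifest
@@ -1 +1,2 @@
+DIST mod_auth_kerb-5.4-gentoo-patchset.tar.bz2 8717 SHA256 bc0445e337c88906bd254c26726ad3a1e45e613cf2058b402c944209550d9160 SHA512 3909c2677b30790cc17c0d8843feaa00d9acd14a012672443a887c0e88473d6b1572ba045e1491bcab53cbacff193c11cfe15e63ef1046cfcdf1f4ab60e0ac57 WHIRLPOOL 27bcb65e03d5148861a806f0bbb29550e8ab06145281fdf09064328be12a6c2242d46d3e69042be2b2ee6f17198acbdc3ec6c3709ea4341c08e4cc12fe1f4492
 DIST mod_auth_kerb-5.4.tar.gz 93033 SHA256 690ddd66c6d941e2fa2dada46588329a6f57d0a3b9b2fd9bf055ebc427558265 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214 WHIRLPOOL 1b92217b7cf66d731a72cf9d58f188002ccadd75fc3d9075290347e6b4f1511111d3cff147fab73616951cbdb9430e8038adf5c4e204d374886bec3be69ff51c
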
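diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch
deleted file mode 100644
index ebc435824c4..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-
-Per https://bugzilla.redhat.com//show_bug.cgi?id=796430
-switch the cache dir to be relative to runtimedir.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.cachedir
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -891,7 +891,7 @@ create_krb5_ccache(krb5_context kcontext
- int ret;
- krb5_ccache tmp_ccache = NULL;
-
-- ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
-+ ccname = apr_pstrdup(r->connection->pool, "FILE:/run/httpd/krbcache/krb5cc_apache_XXXXXX");
- fd = mkstemp(ccname + strlen("FILE:"));
- if (fd < 0) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
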
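diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch
deleted file mode 100644
index a01e9f21e43..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=688210
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.delegation
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -209,6 +209,7 @@ typedef struct krb5_conn_data {
- char *authline;
- char *user;
- char *mech;
-+ char *ccname;
- int last_return;
- } krb5_conn_data;
-
-@@ -875,7 +876,7 @@ create_krb5_ccache(krb5_context kcontext
- int ret;
- krb5_ccache tmp_ccache = NULL;
-
-- ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
-+ ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
- fd = mkstemp(ccname + strlen("FILE:"));
- if (fd < 0) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-@@ -905,7 +906,7 @@ create_krb5_ccache(krb5_context kcontext
- }
-
- apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
-- apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
-+ apr_pool_cleanup_register(r->connection->pool, ccname, krb5_cache_cleanup,
- apr_pool_cleanup_null);
-
- *ccache = tmp_ccache;
-@@ -1866,10 +1868,15 @@ already_succeeded(request_rec *r, char *
- if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
- return NULL;
-
-- if(conn_data) {
-- if(strcmp(conn_data->authline, auth_line) == 0) {
-- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
-- return conn_data;
-+ if(conn_data && conn_data->ccname != NULL) {
-+ apr_finfo_t finfo;
-+
-+ if (apr_stat(&finfo, conn_data->ccname + strlen("FILE:"),
-+ APR_FINFO_NORM, r->pool) == APR_SUCCESS
-+ && (finfo.valid & APR_FINFO_TYPE)
-+ && finfo.filetype == APR_REG) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
-+ return conn_data;
- }
- }
- return NULL;
-@@ -2001,6 +2008,8 @@ kerb_authenticate_user(request_rec *r)
- ret = prevauth->last_return;
- MK_USER = prevauth->user;
- MK_AUTH_TYPE = prevauth->mech;
-+ if (prevauth->ccname)
-+ apr_table_setn(r->subprocess_env, "KRB5CCNAME", prevauth->ccname);
- }
-
- /*
-@@ -2011,6 +2020,7 @@ kerb_authenticate_user(request_rec *r)
- prevauth->user = apr_pstrdup(r->connection->pool, MK_USER);
- prevauth->authline = apr_pstrdup(r->connection->pool, auth_line);
- prevauth->mech = apr_pstrdup(r->connection->pool, auth_type);
-+ prevauth->ccname = apr_pstrdup(r->connection->pool, apr_table_get(r->subprocess_env, "KRB5CCNAME"));
- prevauth->last_return = ret;
- snprintf(keyname, sizeof(keyname) - 1,
- "mod_auth_kerb::connection::%s::%ld",
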
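diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch
deleted file mode 100644
index b86be697ae0..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-
-Compiler warning fixes.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.fixes
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -677,7 +677,8 @@ end:
- static krb5_error_code
- verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
- const char *password, krb5_principal server,
-- krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache)
-+ krb5_keytab keytab, int krb_verify_kdc,
-+ const char *krb_service_name, krb5_ccache *ccache)
- {
- krb5_creds creds;
- krb5_get_init_creds_opt options;
-@@ -1280,6 +1281,7 @@ get_gss_creds(request_rec *r,
- return 0;
- }
-
-+#ifndef GSSAPI_SUPPORTS_SPNEGO
- static int
- cmp_gss_type(gss_buffer_t token, gss_OID oid)
- {
-@@ -1306,6 +1308,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID
-
- return memcmp(p, oid->elements, oid->length);
- }
-+#endif
-
- static int
- authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
-@@ -1722,7 +1725,7 @@ kerb_authenticate_user(request_rec *r)
- return ret;
- }
-
--int
-+static int
- have_rcache_type(const char *type)
- {
- krb5_error_code ret;
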
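diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch
deleted file mode 100644
index 4b77a497f4c..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
-index 2aab5ee..ca81878 100644
---- a/src/mod_auth_kerb.c
-+++ b/src/mod_auth_kerb.c
-@@ -1744,7 +1744,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- goto end;
- }
-
--#if 0
- /* This is a _Kerberos_ module so multiple authentication rounds aren't
- * supported. If we wanted a generic GSS authentication we would have to do
- * some magic with exporting context etc. */
-@@ -1752,7 +1751,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- ret = HTTP_UNAUTHORIZED;
- goto end;
- }
--#endif
-
- major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
- gss_release_name(&minor_status, &client_name);
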
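diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch
deleted file mode 100644
index a5d3d4ba62c..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c 2010-10-04 16:21:22.169285716 +0200
-+++ mod_auth_kerb-5.4.new/src/mod_auth_kerb.c 2010-10-04 16:20:41.584250095 +0200
-@@ -89,6 +89,7 @@
- #include <krb5.h>
- #ifdef HEIMDAL
- # include <gssapi.h>
-+# include <gssapi/gssapi_krb5.h>
- #else
- # include <gssapi/gssapi.h>
- # include <gssapi/gssapi_generic.h>
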
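diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch
deleted file mode 100644
index 86c9b47d6bd..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-
-Fixes for 2.4 API.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.httpd24
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -179,6 +179,16 @@ static apr_global_mutex_t *s4u2proxy_loc
- #define PROXYREQ_PROXY STD_PROXY
- #endif
-
-+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100606
-+/* 2.4.x or later */
-+#define WITH_HTTPD24 1
-+#define client_ip(r) ((r)->useragent_ip)
-+APLOG_USE_MODULE(auth_kerb);
-+#else
-+#define client_ip(r) ((r)->connection->remote_ip)
-+#define ap_unixd_set_global_mutex_perms unixd_set_global_mutex_perms
-+#endif
-+
- /***************************************************************************
- Auth Configuration Structure
- ***************************************************************************/
-@@ -383,7 +393,11 @@ cmd_delegationlock(cmd_parms *cmd, void
- }
-
- static void
--log_rerror(const char *file, int line, int level, int status,
-+log_rerror(const char *file, int line,
-+#ifdef WITH_HTTPD24
-+ int module_index,
-+#endif
-+ int level, int status,
- const request_rec *r, const char *fmt, ...)
- {
- char errstr[1024];
-@@ -394,7 +408,9 @@ log_rerror(const char *file, int line, i
- va_end(ap);
-
-
--#ifdef STANDARD20_MODULE_STUFF
-+#if defined(WITH_HTTPD24)
-+ ap_log_rerror(file, line, module_index, level, status, r, "%s", errstr);
-+#elif defined(STANDARD20_MODULE_STUFF)
- ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr);
- #else
- ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr);
-@@ -1860,8 +1876,8 @@ already_succeeded(request_rec *r, char *
- char keyname[1024];
-
- snprintf(keyname, sizeof(keyname) - 1,
-- "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip,
-- r->connection->id);
-+ "mod_auth_kerb::connection::%s::%ld", client_ip(r),
-+ r->connection->id);
-
- if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
- return NULL;
-@@ -2014,7 +2030,7 @@ kerb_authenticate_user(request_rec *r)
- prevauth->last_return = ret;
- snprintf(keyname, sizeof(keyname) - 1,
- "mod_auth_kerb::connection::%s::%ld",
-- r->connection->remote_ip, r->connection->id);
-+ client_ip(r), r->connection->id);
- apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool);
- }
-
-@@ -2073,7 +2089,7 @@ s4u2proxylock_create(server_rec *s, apr_
- }
-
- #ifdef AP_NEED_SET_MUTEX_PERMS
-- rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
-+ rc = ap_unixd_set_global_mutex_perms(s4u2proxy_lock);
- if (rc != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
- "mod_auth_kerb: Parent could not set permissions "
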
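diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch
deleted file mode 100644
index 100fd364af8..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=867153
-
-Patch by: jkaluza
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.longuser
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -80,6 +80,7 @@
-
- #define MECH_NEGOTIATE "Negotiate"
- #define SERVICE_NAME "HTTP"
-+#define MAX_LOCAL_USERNAME 255
-
- #include <httpd.h>
- #include <http_config.h>
-@@ -1815,13 +1816,13 @@ do_krb5_an_to_ln(request_rec *r) {
- krb5_get_err_text(kcontext, code));
- goto end;
- }
-- MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1);
-+ MK_USER_LNAME = apr_pcalloc(r->pool, MAX_LOCAL_USERNAME+1);
- if (MK_USER_LNAME == NULL) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "ap_pcalloc() failed (not enough memory)");
- goto end;
- }
-- code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME);
-+ code = krb5_aname_to_localname(kcontext, client, MAX_LOCAL_USERNAME, MK_USER_LNAME);
- if (code) {
- if (code != KRB5_LNAME_NOTRANS) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
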
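diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch
deleted file mode 100644
index abbf4dba47b..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-
-Remove the Krb5 1.3.x-specific hack which mucks about with
-libkrb5 internals, and shouldn't.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.rcopshack
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -285,34 +285,6 @@ mkstemp(char *template)
- }
- #endif
-
--#if defined(KRB5) && !defined(HEIMDAL)
--/* Needed to work around problems with replay caches */
--#include "mit-internals.h"
--
--/* This is our replacement krb5_rc_store function */
--static krb5_error_code KRB5_LIB_FUNCTION
--mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
-- krb5_donot_replay_internal *donot_replay)
--{
-- return 0;
--}
--
--/* And this is the operations vector for our replay cache */
--const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
-- 0,
-- "dfl",
-- krb5_rc_dfl_init,
-- krb5_rc_dfl_recover,
-- krb5_rc_dfl_destroy,
-- krb5_rc_dfl_close,
-- mod_auth_kerb_rc_store,
-- krb5_rc_dfl_expunge,
-- krb5_rc_dfl_get_span,
-- krb5_rc_dfl_get_name,
-- krb5_rc_dfl_resolve
--};
--#endif
--
- /***************************************************************************
- Auth Configuration Initialization
- ***************************************************************************/
-@@ -1252,31 +1224,6 @@ get_gss_creds(request_rec *r,
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
--#ifndef HEIMDAL
-- /*
-- * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
-- * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
-- * the replay cache.
-- * This allows us to override the replay cache function vector with
-- * our own one.
-- * Note that this is a dirty hack to get things working and there may
-- * well be unknown side-effects.
-- */
-- {
-- krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
--
-- /* First we try to verify we are linked with 1.3.x to prevent from
-- crashing when linked with 1.4.x */
-- if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
-- if (gss_creds->rcache && gss_creds->rcache->ops &&
-- gss_creds->rcache->ops->type &&
-- memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
-- /* Override the rcache operations */
-- gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
-- }
-- }
--#endif
--
- return 0;
- }
-
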
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch |
422 |
deleted file mode 100644 |
423 |
index 07a6e3b7c8e..00000000000 |
424 |
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch |
425 |
+++ /dev/null |
426 |
@@ -1,601 +0,0 @@ |
427 |
- |
428 |
-Add S4U2Proxy feature: |
429 |
- |
430 |
-http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help |
431 |
- |
432 |
-The attached patches add support for using s4u2proxy |
433 |
-(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the |
434 |
-web service to obtain credentials on behalf of the authenticated user. |
435 |
- |
436 |
-The first patch adds basic support for s4u2proxy. This requires the web |
437 |
-administrator to manually create and manage the credentails cache for |
438 |
-the apache user (via a cron job, for example). |
439 |
- |
440 |
-The second patch builds on this and makes mod_auth_kerb manage the |
441 |
-ccache instead. |
442 |
- |
443 |
-These are patches against the current CVS HEAD (mod_auth_krb 5.4). |
444 |
- |
445 |
-I've added a new module option to enable this support, |
446 |
-KrbConstrainedDelegation. The default is off. |
447 |
- |
448 |
-diff -up --recursive mod_auth_kerb-5.4.orig/README mod_auth_kerb-5.4/README |
449 |
---- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500 |
450 |
-+++ mod_auth_kerb-5.4/README 2014-01-21 13:46:21.482223432 -0500 |
451 |
-@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be |
452 |
- credential cache that will be available for the request handler. The ticket |
453 |
- file will be removed after request is handled. |
454 |
- |
455 |
-+Constrained Delegation |
456 |
-+---------------------- |
457 |
-+S4U2Proxy, or constrained delegation, enables a service to use a client's |
458 |
-+ticket to itself to request another ticket for delegation. The KDC |
459 |
-+checks krbAllowedToDelegateTo to decide if it will issue a new ticket. |
460 |
-+If KrbConstrainedDelegation is enabled the server will use its own credentials |
461 |
-+to retrieve a delegated ticket for the user. For this to work the user must |
462 |
-+have a forwardable ticket (though the delegation flag need not be set). |
463 |
-+The server needs a valid credentials cache for this to work. |
464 |
-+ |
465 |
-+The module itself will obtain and manage the necessary credentials. |
466 |
-+ |
467 |
- $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $ |
468 |
-diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c |
469 |
---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2014-01-21 13:45:21.605538007 -0500 |
470 |
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2014-01-21 13:46:46.746668762 -0500 |
471 |
-@@ -42,6 +42,31 @@ |
472 |
- * POSSIBILITY OF SUCH DAMAGE. |
473 |
- */ |
474 |
- |
475 |
-+/* |
476 |
-+ * Locking mechanism inspired by mod_rewrite. |
477 |
-+ * |
478 |
-+ * Licensed to the Apache Software Foundation (ASF) under one or more |
479 |
-+ * contributor license agreements. See the NOTICE file distributed with |
480 |
-+ * this work for additional information regarding copyright ownership. |
481 |
-+ * The ASF licenses this file to You under the Apache License, Version 2.0 |
482 |
-+ * (the "License"); you may not use this file except in compliance with |
483 |
-+ * the License. You may obtain a copy of the License at |
484 |
-+ * |
485 |
-+ * http://www.apache.org/licenses/LICENSE-2.0 |
486 |
-+ * |
487 |
-+ * Unless required by applicable law or agreed to in writing, software |
488 |
-+ * distributed under the License is distributed on an "AS IS" BASIS, |
489 |
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
490 |
-+ * See the License for the specific language governing permissions and |
491 |
-+ * limitations under the License. |
492 |
-+ */ |
493 |
-+ |
494 |
-+/* |
495 |
-+ * S4U2Proxy code |
496 |
-+ * |
497 |
-+ * Copyright (C) 2012 Red Hat |
498 |
-+ */ |
499 |
-+ |
500 |
- #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $" |
501 |
- |
502 |
- #include "config.h" |
503 |
-@@ -49,6 +74,7 @@ |
504 |
- #include <stdlib.h> |
505 |
- #include <stdio.h> |
506 |
- #include <stdarg.h> |
507 |
-+#include <unixd.h> |
508 |
- |
509 |
- #define MODAUTHKERB_VERSION "5.4" |
510 |
- |
511 |
-@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_ |
512 |
- module auth_kerb_module; |
513 |
- #endif |
514 |
- |
515 |
-+#ifdef STANDARD20_MODULE_STUFF |
516 |
-+/* s4u2proxy only supported in 2.0+ */ |
517 |
-+static const char *lockname; |
518 |
-+static apr_global_mutex_t *s4u2proxy_lock = NULL; |
519 |
-+#endif |
520 |
-+ |
521 |
- /*************************************************************************** |
522 |
- Macros To Ease Compatibility |
523 |
- ***************************************************************************/ |
524 |
-@@ -165,6 +197,7 @@ typedef struct { |
525 |
- int krb_method_gssapi; |
526 |
- int krb_method_k5pass; |
527 |
- int krb5_do_auth_to_local; |
528 |
-+ int krb5_s4u2proxy; |
529 |
- #endif |
530 |
- #ifdef KRB4 |
531 |
- char *krb_4_srvtab; |
532 |
-@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co |
533 |
- |
534 |
- static const char* |
535 |
- krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg); |
536 |
-+static const char * |
537 |
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1); |
538 |
-+ |
539 |
-+static int |
540 |
-+obtain_server_credentials(request_rec *r, const char *service_name); |
541 |
- |
542 |
- #ifdef STANDARD20_MODULE_STUFF |
543 |
- #define command(name, func, var, type, usage) \ |
544 |
-@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[ |
545 |
- |
546 |
- command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local, |
547 |
- FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."), |
548 |
-+ |
549 |
-+ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy, |
550 |
-+ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."), |
551 |
-+ |
552 |
-+ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL, |
553 |
-+ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"), |
554 |
- #endif |
555 |
- |
556 |
- #ifdef KRB4 |
557 |
-@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P |
558 |
- #endif |
559 |
- #ifdef KRB5 |
560 |
- ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0; |
561 |
-+ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0; |
562 |
- ((kerb_auth_config *)rec)->krb_method_k5pass = 1; |
563 |
- ((kerb_auth_config *)rec)->krb_method_gssapi = 1; |
564 |
- #endif |
565 |
-@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v |
566 |
- return NULL; |
567 |
- } |
568 |
- |
569 |
-+static const char * |
570 |
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1) |
571 |
-+{ |
572 |
-+ const char *error; |
573 |
-+ |
574 |
-+ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) |
575 |
-+ return error; |
576 |
-+ |
577 |
-+ /* fixup the path, especially for s4u2proxylock_remove() */ |
578 |
-+ lockname = ap_server_root_relative(cmd->pool, a1); |
579 |
-+ |
580 |
-+ if (!lockname) { |
581 |
-+ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL); |
582 |
-+ } |
583 |
-+ |
584 |
-+ return NULL; |
585 |
-+} |
586 |
-+ |
587 |
- static void |
588 |
- log_rerror(const char *file, int line, int level, int status, |
589 |
- const request_rec *r, const char *fmt, ...) |
590 |
-@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r, |
591 |
- gss_buffer_desc token = GSS_C_EMPTY_BUFFER; |
592 |
- OM_uint32 major_status, minor_status, minor_status2; |
593 |
- gss_name_t server_name = GSS_C_NO_NAME; |
594 |
-+ gss_cred_usage_t usage = GSS_C_ACCEPT; |
595 |
- char buf[1024]; |
596 |
- int have_server_princ; |
597 |
- |
598 |
-@@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r, |
599 |
- |
600 |
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", |
601 |
- token.value); |
602 |
-+ if (conf->krb5_s4u2proxy) { |
603 |
-+ usage = GSS_C_BOTH; |
604 |
-+ obtain_server_credentials(r, conf->krb_service_name); |
605 |
-+ } |
606 |
- gss_release_buffer(&minor_status, &token); |
607 |
- |
608 |
- major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, |
609 |
-- GSS_C_NO_OID_SET, GSS_C_ACCEPT, |
610 |
-+ GSS_C_NO_OID_SET, usage, |
611 |
- server_creds, NULL, NULL); |
612 |
- gss_release_name(&minor_status2, &server_name); |
613 |
- if (GSS_ERROR(major_status)) { |
614 |
-@@ -1257,6 +1325,302 @@ cmp_gss_type(gss_buffer_t token, gss_OID |
615 |
- } |
616 |
- #endif |
617 |
- |
618 |
-+/* Renew the ticket if it will expire in under a minute */ |
619 |
-+#define RENEWAL_TIME 60 |
620 |
-+ |
621 |
-+/* |
622 |
-+ * Services4U2Proxy lets a server prinicipal request another service |
623 |
-+ * principal on behalf of a user. To do this the Apache service needs |
624 |
-+ * to have its own ccache. This will ensure that the ccache has a valid |
625 |
-+ * principal and will initialize or renew new credentials when needed. |
626 |
-+ */ |
627 |
-+ |
628 |
-+static int |
629 |
-+verify_server_credentials(request_rec *r, |
630 |
-+ krb5_context kcontext, |
631 |
-+ krb5_ccache ccache, |
632 |
-+ krb5_principal princ, |
633 |
-+ int *renew |
634 |
-+) |
635 |
-+{ |
636 |
-+ krb5_creds match_cred; |
637 |
-+ krb5_creds creds; |
638 |
-+ char * princ_name = NULL; |
639 |
-+ char *tgs_princ_name = NULL; |
640 |
-+ krb5_timestamp now; |
641 |
-+ krb5_error_code kerr = 0; |
642 |
-+ |
643 |
-+ *renew = 0; |
644 |
-+ |
645 |
-+ memset (&match_cred, 0, sizeof(match_cred)); |
646 |
-+ memset (&creds, 0, sizeof(creds)); |
647 |
-+ |
648 |
-+ if (NULL == ccache || NULL == princ) { |
649 |
-+ /* Nothing to verify */ |
650 |
-+ *renew = 1; |
651 |
-+ goto cleanup; |
652 |
-+ } |
653 |
-+ |
654 |
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { |
655 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
656 |
-+ "Could not unparse principal %s (%d)", |
657 |
-+ error_message(kerr), kerr); |
658 |
-+ goto cleanup; |
659 |
-+ } |
660 |
-+ |
661 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
662 |
-+ "Using principal %s for s4u2proxy", princ_name); |
663 |
-+ |
664 |
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME, |
665 |
-+ krb5_princ_realm(kcontext, princ)->length, |
666 |
-+ krb5_princ_realm(kcontext, princ)->data, |
667 |
-+ krb5_princ_realm(kcontext, princ)->length, |
668 |
-+ krb5_princ_realm(kcontext, princ)->data); |
669 |
-+ |
670 |
-+ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server))) |
671 |
-+ { |
672 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
673 |
-+ "Could not parse principal %s: %s (%d)", |
674 |
-+ tgs_princ_name, error_message(kerr), kerr); |
675 |
-+ goto cleanup; |
676 |
-+ } |
677 |
-+ |
678 |
-+ match_cred.client = princ; |
679 |
-+ |
680 |
-+ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds))) |
681 |
-+ { |
682 |
-+ krb5_unparse_name(kcontext, princ, &princ_name); |
683 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
684 |
-+ "Could not unparse principal %s: %s (%d)", |
685 |
-+ princ_name, error_message(kerr), kerr); |
686 |
-+ goto cleanup; |
687 |
-+ } |
688 |
-+ |
689 |
-+ if ((kerr = krb5_timeofday(kcontext, &now))) { |
690 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
691 |
-+ "Could not get current time: %d (%s)", |
692 |
-+ kerr, error_message(kerr)); |
693 |
-+ goto cleanup; |
694 |
-+ } |
695 |
-+ |
696 |
-+ if (now > (creds.times.endtime + RENEWAL_TIME)) { |
697 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
698 |
-+ "Credentials for %s have expired or will soon " |
699 |
-+ "expire - now %d endtime %d", |
700 |
-+ princ_name, now, creds.times.endtime); |
701 |
-+ *renew = 1; |
702 |
-+ } else { |
703 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
704 |
-+ "Credentials for %s will expire at " |
705 |
-+ "%d, it is now %d", princ_name, creds.times.endtime, now); |
706 |
-+ } |
707 |
-+ |
708 |
-+cleanup: |
709 |
-+ /* Closing context, ccache, etc happens elsewhere */ |
710 |
-+ if (match_cred.server) { |
711 |
-+ krb5_free_principal(kcontext, match_cred.server); |
712 |
-+ } |
713 |
-+ if (creds.client) { |
714 |
-+ krb5_free_cred_contents(kcontext, &creds); |
715 |
-+ } |
716 |
-+ |
717 |
-+ return kerr; |
718 |
-+} |
719 |
-+ |
720 |
-+static int |
721 |
-+obtain_server_credentials(request_rec *r, |
722 |
-+ const char *service_name) |
723 |
-+{ |
724 |
-+ krb5_context kcontext = NULL; |
725 |
-+ krb5_keytab keytab = NULL; |
726 |
-+ krb5_ccache ccache = NULL; |
727 |
-+ char * princ_name = NULL; |
728 |
-+ char *tgs_princ_name = NULL; |
729 |
-+ krb5_error_code kerr = 0; |
730 |
-+ krb5_principal princ = NULL; |
731 |
-+ krb5_creds creds; |
732 |
-+ krb5_get_init_creds_opt gicopts; |
733 |
-+ int renew = 0; |
734 |
-+ apr_status_t rv = 0; |
735 |
-+ |
736 |
-+ memset(&creds, 0, sizeof(creds)); |
737 |
-+ |
738 |
-+ if ((kerr = krb5_init_context(&kcontext))) { |
739 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
740 |
-+ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr); |
741 |
-+ goto done; |
742 |
-+ } |
743 |
-+ |
744 |
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) { |
745 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
746 |
-+ "Could not get default Kerberos ccache: %s (%d)", |
747 |
-+ error_message(kerr), kerr); |
748 |
-+ goto done; |
749 |
-+ } |
750 |
-+ |
751 |
-+ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) { |
752 |
-+ char * name = NULL; |
753 |
-+ |
754 |
-+ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache), |
755 |
-+ krb5_cc_get_name(kcontext, ccache))) == -1) { |
756 |
-+ kerr = KRB5_CC_NOMEM; |
757 |
-+ goto done; |
758 |
-+ } |
759 |
-+ |
760 |
-+ if (KRB5_FCC_NOFILE == kerr) { |
761 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
762 |
-+ "Credentials cache %s not found, create one", name); |
763 |
-+ krb5_cc_close(kcontext, ccache); |
764 |
-+ ccache = NULL; |
765 |
-+ free(name); |
766 |
-+ } else { |
767 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
768 |
-+ "Failure to open credentials cache %s: %s (%d)", |
769 |
-+ name, error_message(kerr), kerr); |
770 |
-+ free(name); |
771 |
-+ goto done; |
772 |
-+ } |
773 |
-+ } |
774 |
-+ |
775 |
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew); |
776 |
-+ |
777 |
-+ if (kerr || !renew) { |
778 |
-+ goto done; |
779 |
-+ } |
780 |
-+ |
781 |
-+#ifdef STANDARD20_MODULE_STUFF |
782 |
-+ if (s4u2proxy_lock) { |
783 |
-+ rv = apr_global_mutex_lock(s4u2proxy_lock); |
784 |
-+ if (rv != APR_SUCCESS) { |
785 |
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, |
786 |
-+ "apr_global_mutex_lock(s4u2proxy_lock) " |
787 |
-+ "failed"); |
788 |
-+ } |
789 |
-+ } |
790 |
-+#endif |
791 |
-+ |
792 |
-+ /* We have the lock, check again to be sure another process hasn't already |
793 |
-+ * renewed the ticket. |
794 |
-+ */ |
795 |
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew); |
796 |
-+ if (kerr || !renew) { |
797 |
-+ goto unlock; |
798 |
-+ } |
799 |
-+ |
800 |
-+ if (NULL == princ) { |
801 |
-+ if (strchr(service_name, '/') != NULL) |
802 |
-+ kerr = krb5_parse_name(kcontext, service_name, &princ); |
803 |
-+ else |
804 |
-+ kerr = krb5_sname_to_principal(kcontext, ap_get_server_name(r), |
805 |
-+ (service_name) ? service_name : SERVICE_NAME, |
806 |
-+ KRB5_NT_SRV_HST, &princ); |
807 |
-+ |
808 |
-+ if (kerr) { |
809 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
810 |
-+ "Could not parse principal: %s (%d) ", |
811 |
-+ error_message(kerr), kerr); |
812 |
-+ goto unlock; |
813 |
-+ } |
814 |
-+ |
815 |
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { |
816 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
817 |
-+ "Could not unparse principal %s: %s (%d)", |
818 |
-+ princ_name, error_message(kerr), kerr); |
819 |
-+ } |
820 |
-+ } else if (NULL == princ_name) { |
821 |
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { |
822 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
823 |
-+ "Could not unparse principal %s: %s (%d)", |
824 |
-+ princ_name, error_message(kerr), kerr); |
825 |
-+ goto unlock; |
826 |
-+ } |
827 |
-+ } |
828 |
-+ |
829 |
-+ if ((kerr = krb5_kt_default(kcontext, &keytab))) { |
830 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
831 |
-+ "Unable to get default keytab: %s (%d)", |
832 |
-+ error_message(kerr), kerr); |
833 |
-+ goto unlock; |
834 |
-+ } |
835 |
-+ |
836 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
837 |
-+ "Obtaining new credentials for %s", princ_name); |
838 |
-+ krb5_get_init_creds_opt_init(&gicopts); |
839 |
-+ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1); |
840 |
-+ |
841 |
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME, |
842 |
-+ krb5_princ_realm(kcontext, princ)->length, |
843 |
-+ krb5_princ_realm(kcontext, princ)->data, |
844 |
-+ krb5_princ_realm(kcontext, princ)->length, |
845 |
-+ krb5_princ_realm(kcontext, princ)->data); |
846 |
-+ |
847 |
-+ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab, |
848 |
-+ 0, tgs_princ_name, &gicopts))) { |
849 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
850 |
-+ "Failed to obtain credentials for principal %s: " |
851 |
-+ "%s (%d)", princ_name, error_message(kerr), kerr); |
852 |
-+ goto unlock; |
853 |
-+ } |
854 |
-+ |
855 |
-+ krb5_kt_close(kcontext, keytab); |
856 |
-+ keytab = NULL; |
857 |
-+ |
858 |
-+ if (NULL == ccache) { |
859 |
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) { |
860 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
861 |
-+ "Failed to open default ccache: %s (%d)", |
862 |
-+ error_message(kerr), kerr); |
863 |
-+ goto unlock; |
864 |
-+ } |
865 |
-+ } |
866 |
-+ |
867 |
-+ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) { |
868 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
869 |
-+ "Failed to initialize ccache for %s: %s (%d)", |
870 |
-+ princ_name, error_message(kerr), kerr); |
871 |
-+ goto unlock; |
872 |
-+ } |
873 |
-+ |
874 |
-+ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) { |
875 |
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
876 |
-+ "Failed to store %s in ccache: %s (%d)", |
877 |
-+ princ_name, error_message(kerr), kerr); |
878 |
-+ goto unlock; |
879 |
-+ } |
880 |
-+ |
881 |
-+unlock: |
882 |
-+#ifdef STANDARD20_MODULE_STUFF |
883 |
-+ if (s4u2proxy_lock) { |
884 |
-+ apr_global_mutex_unlock(s4u2proxy_lock); |
885 |
-+ if (rv != APR_SUCCESS) { |
886 |
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, |
887 |
-+ "apr_global_mutex_unlock(s4u2proxy_lock) " |
888 |
-+ "failed"); |
889 |
-+ } |
890 |
-+ } |
891 |
-+#endif |
892 |
-+ |
893 |
-+done: |
894 |
-+ if (0 == kerr) |
895 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
896 |
-+ "Done obtaining credentials for s4u2proxy"); |
897 |
-+ else |
898 |
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, |
899 |
-+ "Failed to obtain credentials for s4u2proxy"); |
900 |
-+ |
901 |
-+ if (creds.client) { |
902 |
-+ krb5_free_cred_contents(kcontext, &creds); |
903 |
-+ } |
904 |
-+ if (ccache) { |
905 |
-+ krb5_cc_close(kcontext, ccache); |
906 |
-+ } |
907 |
-+ if (kcontext) { |
908 |
-+ krb5_free_context(kcontext); |
909 |
-+ } |
910 |
-+ |
911 |
-+ return kerr; |
912 |
-+} |
913 |
-+ |
914 |
- static int |
915 |
- authenticate_user_gss(request_rec *r, kerb_auth_config *conf, |
916 |
- const char *auth_line, char **negotiate_ret_value) |
917 |
-@@ -1697,10 +2061,60 @@ have_rcache_type(const char *type) |
918 |
- /*************************************************************************** |
919 |
- Module Setup/Configuration |
920 |
- ***************************************************************************/ |
921 |
-+#ifdef STANDARD20_MODULE_STUFF |
922 |
-+static apr_status_t |
923 |
-+s4u2proxylock_create(server_rec *s, apr_pool_t *p) |
924 |
-+{ |
925 |
-+ apr_status_t rc; |
926 |
-+ |
927 |
-+ /* only operate if a lockfile is used */ |
928 |
-+ if (lockname == NULL || *(lockname) == '\0') { |
929 |
-+ return APR_SUCCESS; |
930 |
-+ } |
931 |
-+ |
932 |
-+ /* create the lockfile */ |
933 |
-+ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname, |
934 |
-+ APR_LOCK_DEFAULT, p); |
935 |
-+ if (rc != APR_SUCCESS) { |
936 |
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, |
937 |
-+ "Parent could not create lock file %s", lockname); |
938 |
-+ return rc; |
939 |
-+ } |
940 |
-+ |
941 |
-+#ifdef AP_NEED_SET_MUTEX_PERMS |
942 |
-+ rc = unixd_set_global_mutex_perms(s4u2proxy_lock); |
943 |
-+ if (rc != APR_SUCCESS) { |
944 |
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, |
945 |
-+ "mod_auth_kerb: Parent could not set permissions " |
946 |
-+ "on lock; check User and Group directives"); |
947 |
-+ return rc; |
948 |
-+ } |
949 |
-+#endif |
950 |
-+ |
951 |
-+ return APR_SUCCESS; |
952 |
-+} |
953 |
-+ |
954 |
-+static apr_status_t |
955 |
-+s4u2proxylock_remove(void *unused) |
956 |
-+{ |
957 |
-+ /* only operate if a lockfile is used */ |
958 |
-+ if (lockname == NULL || *(lockname) == '\0') { |
959 |
-+ return APR_SUCCESS; |
960 |
-+ } |
961 |
-+ |
962 |
-+ /* destroy the rewritelock */ |
963 |
-+ apr_global_mutex_destroy(s4u2proxy_lock); |
964 |
-+ s4u2proxy_lock = NULL; |
965 |
-+ lockname = NULL; |
966 |
-+ return APR_SUCCESS; |
967 |
-+} |
968 |
-+#endif |
969 |
-+ |
970 |
- #ifndef STANDARD20_MODULE_STUFF |
971 |
- static void |
972 |
- kerb_module_init(server_rec *dummy, pool *p) |
973 |
- { |
974 |
-+ apr_status_t status; |
975 |
- #ifndef HEIMDAL |
976 |
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. |
977 |
- 1.3.x are covered by the hack overiding the replay calls */ |
978 |
-@@ -1741,6 +2155,7 @@ static int |
979 |
- kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, |
980 |
- apr_pool_t *ptemp, server_rec *s) |
981 |
- { |
982 |
-+ apr_status_t rv; |
983 |
- ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION); |
984 |
- #ifndef HEIMDAL |
985 |
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. |
986 |
-@@ -1748,14 +2163,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo |
987 |
- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) |
988 |
- putenv(strdup("KRB5RCACHETYPE=none")); |
989 |
- #endif |
990 |
-+#ifdef STANDARD20_MODULE_STUFF |
991 |
-+ rv = s4u2proxylock_create(s, p); |
992 |
-+ if (rv != APR_SUCCESS) { |
993 |
-+ return HTTP_INTERNAL_SERVER_ERROR; |
994 |
-+ } |
995 |
-+ |
996 |
-+ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove, |
997 |
-+ apr_pool_cleanup_null); |
998 |
-+#endif |
999 |
- |
1000 |
- return OK; |
1001 |
- } |
1002 |
- |
1003 |
- static void |
1004 |
-+initialize_child(apr_pool_t *p, server_rec *s) |
1005 |
-+{ |
1006 |
-+ apr_status_t rv = 0; |
1007 |
-+ |
1008 |
-+#ifdef STANDARD20_MODULE_STUFF |
1009 |
-+ if (lockname != NULL && *(lockname) != '\0') { |
1010 |
-+ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p); |
1011 |
-+ if (rv != APR_SUCCESS) { |
1012 |
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, |
1013 |
-+ "mod_auth_kerb: could not init s4u2proxy_lock" |
1014 |
-+ " in child"); |
1015 |
-+ } |
1016 |
-+ } |
1017 |
-+#endif |
1018 |
-+} |
1019 |
-+ |
1020 |
-+static void |
1021 |
- kerb_register_hooks(apr_pool_t *p) |
1022 |
- { |
1023 |
- ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); |
1024 |
-+ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE); |
1025 |
- ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); |
1026 |
- } |
1027 |
- |
1028 |
|
1029 |
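diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
index 1d1b560367c..9094681f3d4 100644
--- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
+++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
@@ -6,7 +6,8 @@ inherit apache-module eutils systemd
 
 DESCRIPTION="An Apache authentication module using Kerberos"
 HOMEPAGE="http://modauthkerb.sourceforge.net/"
-SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz"
+SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz
+	https://dev.gentoo.org/~mgorny/dist/${P}-gentoo-patchset.tar.bz2"
 
 LICENSE="BSD openafs-krb5-a HPND"
 SLOT="0"
@@ -24,15 +25,15 @@ DOCFILES="INSTALL README"
 need_apache2
 
 PATCHES=(
-	"${FILESDIR}"/${P}-rcopshack.patch
-	"${FILESDIR}"/${P}-fixes.patch
-	"${FILESDIR}"/${P}-s4u2proxy.patch
-	"${FILESDIR}"/${P}-httpd24.patch
-	"${FILESDIR}"/${P}-delegation.patch
-	"${FILESDIR}"/${P}-cachedir.patch
-	"${FILESDIR}"/${P}-longuser.patch
-	"${FILESDIR}"/${P}-handle-continue.patch
-	"${FILESDIR}"/${P}-heimdal.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-rcopshack.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-fixes.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-s4u2proxy.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-httpd24.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-delegation.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-cachedir.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-longuser.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-handle-continue.patch
+	"${WORKDIR}/${P}-gentoo-patchset"/${P}-heimdal.patch
 )
 
 src_prepare() {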
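Review bot: The directory prefix `"${WORKDIR}/${P}-gentoo-patchset"` is spelled out nine times in the new PATCHES array; a single variable such as `PATCHSET_DIR="${WORKDIR}/${P}-gentoo-patchset"` with entries of the form `"${PATCHSET_DIR}"/${P}-rcopshack.patch` keeps the list readable and turns a future patchset rename into a one-line change. Moving the patches out of the tree also removes the in-repo view of what they modify, so a short comment above SRC_URI along the lines of `# Gentoo patchset (the ${P}-*.patch files formerly in FILESDIR), fetched as a distfile so its checksum is enforced` would help anyone auditing the build from the ebuild alone; that the tarball is pinned through the Manifest is inferred from the usual distfile mechanism rather than from this hunk. The patch order is unchanged between the removed and added lines, so application from the new location should behave as before. The `src_prepare() {` line at the end of the hunk opens a body that continues outside it.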