
From: "Michał Górny" <mgorny@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: www-apache/mod_auth_kerb/, www-apache/mod_auth_kerb/files/
Date: Sun, 15 Oct 2017 12:36:32
Message-Id: 1508070955.bbc26ed7549d91670a993e6208d98eebdc6c2ade.mgorny@gentoo
1 commit: bbc26ed7549d91670a993e6208d98eebdc6c2ade
2 Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
3 AuthorDate: Sun Oct 15 11:40:11 2017 +0000
4 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
5 CommitDate: Sun Oct 15 12:35:55 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbc26ed7
7
8 www-apache/mod_auth_kerb: Move patches to a dist tarball
9
10 Closes: https://bugs.gentoo.org/620644
11
12 www-apache/mod_auth_kerb/Manifest | 1 +
13 .../files/mod_auth_kerb-5.4-cachedir.patch | 15 -
14 .../files/mod_auth_kerb-5.4-delegation.patch | 68 ---
15 .../files/mod_auth_kerb-5.4-fixes.patch | 40 --
16 .../files/mod_auth_kerb-5.4-handle-continue.patch | 20 -
17 .../files/mod_auth_kerb-5.4-heimdal.patch | 10 -
18 .../files/mod_auth_kerb-5.4-httpd24.patch | 75 ---
19 .../files/mod_auth_kerb-5.4-longuser.patch | 31 --
20 .../files/mod_auth_kerb-5.4-rcopshack.patch | 73 ---
21 .../files/mod_auth_kerb-5.4-s4u2proxy.patch | 601 ---------------------
22 .../mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild | 21 +-
23 11 files changed, 12 insertions(+), 943 deletions(-)
24
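diff --git a/www-apache/mod_auth_kerb/Manifest b/www-apache/mod_auth_kerb/Manifest
index 2d942c7502e..772f8adc7b7 100644
--- a/www-apache/mod_auth_kerb/Manifest
+++ b/www-apache/mod_auth_kerb/Manifest
@@ -1 +1,2 @@
+DIST mod_auth_kerb-5.4-gentoo-patchset.tar.bz2 8717 SHA256 bc0445e337c88906bd254c26726ad3a1e45e613cf2058b402c944209550d9160 SHA512 3909c2677b30790cc17c0d8843feaa00d9acd14a012672443a887c0e88473d6b1572ba045e1491bcab53cbacff193c11cfe15e63ef1046cfcdf1f4ab60e0ac57 WHIRLPOOL 27bcb65e03d5148861a806f0bbb29550e8ab06145281fdf09064328be12a6c2242d46d3e69042be2b2ee6f17198acbdc3ec6c3709ea4341c08e4cc12fe1f4492
 DIST mod_auth_kerb-5.4.tar.gz 93033 SHA256 690ddd66c6d941e2fa2dada46588329a6f57d0a3b9b2fd9bf055ebc427558265 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214 WHIRLPOOL 1b92217b7cf66d731a72cf9d58f188002ccadd75fc3d9075290347e6b4f1511111d3cff147fab73616951cbdb9430e8038adf5c4e204d374886bec3be69ff51c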
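diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch
deleted file mode 100644
index ebc435824c4..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-cachedir.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-
-Per https://bugzilla.redhat.com//show_bug.cgi?id=796430
-switch the cache dir to be relative to runtimedir.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.cachedir
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -891,7 +891,7 @@ create_krb5_ccache(krb5_context kcontext
- int ret;
- krb5_ccache tmp_ccache = NULL;
-
-- ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
-+ ccname = apr_pstrdup(r->connection->pool, "FILE:/run/httpd/krbcache/krb5cc_apache_XXXXXX");
- fd = mkstemp(ccname + strlen("FILE:"));
- if (fd < 0) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,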
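diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch
deleted file mode 100644
index a01e9f21e43..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-delegation.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=688210
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.delegation
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -209,6 +209,7 @@ typedef struct krb5_conn_data {
- char *authline;
- char *user;
- char *mech;
-+ char *ccname;
- int last_return;
- } krb5_conn_data;
-
-@@ -875,7 +876,7 @@ create_krb5_ccache(krb5_context kcontext
- int ret;
- krb5_ccache tmp_ccache = NULL;
-
-- ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
-+ ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
- fd = mkstemp(ccname + strlen("FILE:"));
- if (fd < 0) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-@@ -905,7 +906,7 @@ create_krb5_ccache(krb5_context kcontext
- }
-
- apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
-- apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
-+ apr_pool_cleanup_register(r->connection->pool, ccname, krb5_cache_cleanup,
- apr_pool_cleanup_null);
-
- *ccache = tmp_ccache;
-@@ -1866,10 +1868,15 @@ already_succeeded(request_rec *r, char *
- if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
- return NULL;
-
-- if(conn_data) {
-- if(strcmp(conn_data->authline, auth_line) == 0) {
-- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
-- return conn_data;
-+ if(conn_data && conn_data->ccname != NULL) {
-+ apr_finfo_t finfo;
-+
-+ if (apr_stat(&finfo, conn_data->ccname + strlen("FILE:"),
-+ APR_FINFO_NORM, r->pool) == APR_SUCCESS
-+ && (finfo.valid & APR_FINFO_TYPE)
-+ && finfo.filetype == APR_REG) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
-+ return conn_data;
- }
- }
- return NULL;
-@@ -2001,6 +2008,8 @@ kerb_authenticate_user(request_rec *r)
- ret = prevauth->last_return;
- MK_USER = prevauth->user;
- MK_AUTH_TYPE = prevauth->mech;
-+ if (prevauth->ccname)
-+ apr_table_setn(r->subprocess_env, "KRB5CCNAME", prevauth->ccname);
- }
-
- /*
-@@ -2011,6 +2020,7 @@ kerb_authenticate_user(request_rec *r)
- prevauth->user = apr_pstrdup(r->connection->pool, MK_USER);
- prevauth->authline = apr_pstrdup(r->connection->pool, auth_line);
- prevauth->mech = apr_pstrdup(r->connection->pool, auth_type);
-+ prevauth->ccname = apr_pstrdup(r->connection->pool, apr_table_get(r->subprocess_env, "KRB5CCNAME"));
- prevauth->last_return = ret;
- snprintf(keyname, sizeof(keyname) - 1,
- "mod_auth_kerb::connection::%s::%ld",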
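diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch
deleted file mode 100644
index b86be697ae0..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-fixes.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-
-Compiler warning fixes.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.fixes
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -677,7 +677,8 @@ end:
- static krb5_error_code
- verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
- const char *password, krb5_principal server,
-- krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache)
-+ krb5_keytab keytab, int krb_verify_kdc,
-+ const char *krb_service_name, krb5_ccache *ccache)
- {
- krb5_creds creds;
- krb5_get_init_creds_opt options;
-@@ -1280,6 +1281,7 @@ get_gss_creds(request_rec *r,
- return 0;
- }
-
-+#ifndef GSSAPI_SUPPORTS_SPNEGO
- static int
- cmp_gss_type(gss_buffer_t token, gss_OID oid)
- {
-@@ -1306,6 +1308,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID
-
- return memcmp(p, oid->elements, oid->length);
- }
-+#endif
-
- static int
- authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
-@@ -1722,7 +1725,7 @@ kerb_authenticate_user(request_rec *r)
- return ret;
- }
-
--int
-+static int
- have_rcache_type(const char *type)
- {
- krb5_error_code ret;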
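diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch
deleted file mode 100644
index 4b77a497f4c..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-handle-continue.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
-index 2aab5ee..ca81878 100644
---- a/src/mod_auth_kerb.c
-+++ b/src/mod_auth_kerb.c
-@@ -1744,7 +1744,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- goto end;
- }
-
--#if 0
- /* This is a _Kerberos_ module so multiple authentication rounds aren't
- * supported. If we wanted a generic GSS authentication we would have to do
- * some magic with exporting context etc. */
-@@ -1752,7 +1751,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- ret = HTTP_UNAUTHORIZED;
- goto end;
- }
--#endif
-
- major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
- gss_release_name(&minor_status, &client_name);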
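diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch
deleted file mode 100644
index a5d3d4ba62c..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-heimdal.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c 2010-10-04 16:21:22.169285716 +0200
-+++ mod_auth_kerb-5.4.new/src/mod_auth_kerb.c 2010-10-04 16:20:41.584250095 +0200
-@@ -89,6 +89,7 @@
- #include <krb5.h>
- #ifdef HEIMDAL
- # include <gssapi.h>
-+# include <gssapi/gssapi_krb5.h>
- #else
- # include <gssapi/gssapi.h>
- # include <gssapi/gssapi_generic.h>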
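diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch
deleted file mode 100644
index 86c9b47d6bd..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-httpd24.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-
-Fixes for 2.4 API.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.httpd24
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -179,6 +179,16 @@ static apr_global_mutex_t *s4u2proxy_loc
- #define PROXYREQ_PROXY STD_PROXY
- #endif
-
-+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100606
-+/* 2.4.x or later */
-+#define WITH_HTTPD24 1
-+#define client_ip(r) ((r)->useragent_ip)
-+APLOG_USE_MODULE(auth_kerb);
-+#else
-+#define client_ip(r) ((r)->connection->remote_ip)
-+#define ap_unixd_set_global_mutex_perms unixd_set_global_mutex_perms
-+#endif
-+
- /***************************************************************************
- Auth Configuration Structure
- ***************************************************************************/
-@@ -383,7 +393,11 @@ cmd_delegationlock(cmd_parms *cmd, void
- }
-
- static void
--log_rerror(const char *file, int line, int level, int status,
-+log_rerror(const char *file, int line,
-+#ifdef WITH_HTTPD24
-+ int module_index,
-+#endif
-+ int level, int status,
- const request_rec *r, const char *fmt, ...)
- {
- char errstr[1024];
-@@ -394,7 +408,9 @@ log_rerror(const char *file, int line, i
- va_end(ap);
-
-
--#ifdef STANDARD20_MODULE_STUFF
-+#if defined(WITH_HTTPD24)
-+ ap_log_rerror(file, line, module_index, level, status, r, "%s", errstr);
-+#elif defined(STANDARD20_MODULE_STUFF)
- ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr);
- #else
- ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr);
-@@ -1860,8 +1876,8 @@ already_succeeded(request_rec *r, char *
- char keyname[1024];
-
- snprintf(keyname, sizeof(keyname) - 1,
-- "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip,
-- r->connection->id);
-+ "mod_auth_kerb::connection::%s::%ld", client_ip(r),
-+ r->connection->id);
-
- if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
- return NULL;
-@@ -2014,7 +2030,7 @@ kerb_authenticate_user(request_rec *r)
- prevauth->last_return = ret;
- snprintf(keyname, sizeof(keyname) - 1,
- "mod_auth_kerb::connection::%s::%ld",
-- r->connection->remote_ip, r->connection->id);
-+ client_ip(r), r->connection->id);
- apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool);
- }
-
-@@ -2073,7 +2089,7 @@ s4u2proxylock_create(server_rec *s, apr_
- }
-
- #ifdef AP_NEED_SET_MUTEX_PERMS
-- rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
-+ rc = ap_unixd_set_global_mutex_perms(s4u2proxy_lock);
- if (rc != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
- "mod_auth_kerb: Parent could not set permissions "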
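diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch
deleted file mode 100644
index 100fd364af8..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-longuser.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=867153
-
-Patch by: jkaluza
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.longuser
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -80,6 +80,7 @@
-
- #define MECH_NEGOTIATE "Negotiate"
- #define SERVICE_NAME "HTTP"
-+#define MAX_LOCAL_USERNAME 255
-
- #include <httpd.h>
- #include <http_config.h>
-@@ -1815,13 +1816,13 @@ do_krb5_an_to_ln(request_rec *r) {
- krb5_get_err_text(kcontext, code));
- goto end;
- }
-- MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1);
-+ MK_USER_LNAME = apr_pcalloc(r->pool, MAX_LOCAL_USERNAME+1);
- if (MK_USER_LNAME == NULL) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "ap_pcalloc() failed (not enough memory)");
- goto end;
- }
-- code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME);
-+ code = krb5_aname_to_localname(kcontext, client, MAX_LOCAL_USERNAME, MK_USER_LNAME);
- if (code) {
- if (code != KRB5_LNAME_NOTRANS) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,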
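diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch
deleted file mode 100644
index abbf4dba47b..00000000000
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-rcopshack.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-
-Remove the Krb5 1.3.x-specific hack which mucks about with
-libkrb5 internals, and shouldn't.
-
---- mod_auth_kerb-5.4/src/mod_auth_kerb.c.rcopshack
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
-@@ -285,34 +285,6 @@ mkstemp(char *template)
- }
- #endif
-
--#if defined(KRB5) && !defined(HEIMDAL)
--/* Needed to work around problems with replay caches */
--#include "mit-internals.h"
--
--/* This is our replacement krb5_rc_store function */
--static krb5_error_code KRB5_LIB_FUNCTION
--mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
-- krb5_donot_replay_internal *donot_replay)
--{
-- return 0;
--}
--
--/* And this is the operations vector for our replay cache */
--const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
-- 0,
-- "dfl",
-- krb5_rc_dfl_init,
-- krb5_rc_dfl_recover,
-- krb5_rc_dfl_destroy,
-- krb5_rc_dfl_close,
-- mod_auth_kerb_rc_store,
-- krb5_rc_dfl_expunge,
-- krb5_rc_dfl_get_span,
-- krb5_rc_dfl_get_name,
-- krb5_rc_dfl_resolve
--};
--#endif
--
- /***************************************************************************
- Auth Configuration Initialization
- ***************************************************************************/
-@@ -1252,31 +1224,6 @@ get_gss_creds(request_rec *r,
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
--#ifndef HEIMDAL
-- /*
-- * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
-- * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
-- * the replay cache.
-- * This allows us to override the replay cache function vector with
-- * our own one.
-- * Note that this is a dirty hack to get things working and there may
-- * well be unknown side-effects.
-- */
-- {
-- krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
--
-- /* First we try to verify we are linked with 1.3.x to prevent from
-- crashing when linked with 1.4.x */
-- if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
-- if (gss_creds->rcache && gss_creds->rcache->ops &&
-- gss_creds->rcache->ops->type &&
-- memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
-- /* Override the rcache operations */
-- gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
-- }
-- }
--#endif
--
- return 0;
- }
-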
421 diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch
422 deleted file mode 100644
423 index 07a6e3b7c8e..00000000000
424 --- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy.patch
425 +++ /dev/null
426 @@ -1,601 +0,0 @@
427 -
428 -Add S4U2Proxy feature:
429 -
430 -http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
431 -
432 -The attached patches add support for using s4u2proxy
433 -(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
434 -web service to obtain credentials on behalf of the authenticated user.
435 -
436 -The first patch adds basic support for s4u2proxy. This requires the web
437 -administrator to manually create and manage the credentails cache for
438 -the apache user (via a cron job, for example).
439 -
440 -The second patch builds on this and makes mod_auth_kerb manage the
441 -ccache instead.
442 -
443 -These are patches against the current CVS HEAD (mod_auth_krb 5.4).
444 -
445 -I've added a new module option to enable this support,
446 -KrbConstrainedDelegation. The default is off.
447 -
448 -diff -up --recursive mod_auth_kerb-5.4.orig/README mod_auth_kerb-5.4/README
449 ---- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
450 -+++ mod_auth_kerb-5.4/README 2014-01-21 13:46:21.482223432 -0500
451 -@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
452 - credential cache that will be available for the request handler. The ticket
453 - file will be removed after request is handled.
454 -
455 -+Constrained Delegation
456 -+----------------------
457 -+S4U2Proxy, or constrained delegation, enables a service to use a client's
458 -+ticket to itself to request another ticket for delegation. The KDC
459 -+checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
460 -+If KrbConstrainedDelegation is enabled the server will use its own credentials
461 -+to retrieve a delegated ticket for the user. For this to work the user must
462 -+have a forwardable ticket (though the delegation flag need not be set).
463 -+The server needs a valid credentials cache for this to work.
464 -+
465 -+The module itself will obtain and manage the necessary credentials.
466 -+
467 - $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
468 -diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
469 ---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2014-01-21 13:45:21.605538007 -0500
470 -+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2014-01-21 13:46:46.746668762 -0500
471 -@@ -42,6 +42,31 @@
472 - * POSSIBILITY OF SUCH DAMAGE.
473 - */
474 -
475 -+/*
476 -+ * Locking mechanism inspired by mod_rewrite.
477 -+ *
478 -+ * Licensed to the Apache Software Foundation (ASF) under one or more
479 -+ * contributor license agreements. See the NOTICE file distributed with
480 -+ * this work for additional information regarding copyright ownership.
481 -+ * The ASF licenses this file to You under the Apache License, Version 2.0
482 -+ * (the "License"); you may not use this file except in compliance with
483 -+ * the License. You may obtain a copy of the License at
484 -+ *
485 -+ * http://www.apache.org/licenses/LICENSE-2.0
486 -+ *
487 -+ * Unless required by applicable law or agreed to in writing, software
488 -+ * distributed under the License is distributed on an "AS IS" BASIS,
489 -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
490 -+ * See the License for the specific language governing permissions and
491 -+ * limitations under the License.
492 -+ */
493 -+
494 -+/*
495 -+ * S4U2Proxy code
496 -+ *
497 -+ * Copyright (C) 2012 Red Hat
498 -+ */
499 -+
500 - #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
501 -
502 - #include "config.h"
503 -@@ -49,6 +74,7 @@
504 - #include <stdlib.h>
505 - #include <stdio.h>
506 - #include <stdarg.h>
507 -+#include <unixd.h>
508 -
509 - #define MODAUTHKERB_VERSION "5.4"
510 -
511 -@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_
512 - module auth_kerb_module;
513 - #endif
514 -
515 -+#ifdef STANDARD20_MODULE_STUFF
516 -+/* s4u2proxy only supported in 2.0+ */
517 -+static const char *lockname;
518 -+static apr_global_mutex_t *s4u2proxy_lock = NULL;
519 -+#endif
520 -+
521 - /***************************************************************************
522 - Macros To Ease Compatibility
523 - ***************************************************************************/
524 -@@ -165,6 +197,7 @@ typedef struct {
525 - int krb_method_gssapi;
526 - int krb_method_k5pass;
527 - int krb5_do_auth_to_local;
528 -+ int krb5_s4u2proxy;
529 - #endif
530 - #ifdef KRB4
531 - char *krb_4_srvtab;
532 -@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co
533 -
534 - static const char*
535 - krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
536 -+static const char *
537 -+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
538 -+
539 -+static int
540 -+obtain_server_credentials(request_rec *r, const char *service_name);
541 -
542 - #ifdef STANDARD20_MODULE_STUFF
543 - #define command(name, func, var, type, usage) \
544 -@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[
545 -
546 - command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
547 - FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
548 -+
549 -+ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
550 -+ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
551 -+
552 -+ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
553 -+ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
554 - #endif
555 -
556 - #ifdef KRB4
557 -@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P
558 - #endif
559 - #ifdef KRB5
560 - ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
561 -+ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
562 - ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
563 - ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
564 - #endif
565 -@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v
566 - return NULL;
567 - }
568 -
569 -+static const char *
570 -+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
571 -+{
572 -+ const char *error;
573 -+
574 -+ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
575 -+ return error;
576 -+
577 -+ /* fixup the path, especially for s4u2proxylock_remove() */
578 -+ lockname = ap_server_root_relative(cmd->pool, a1);
579 -+
580 -+ if (!lockname) {
581 -+ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
582 -+ }
583 -+
584 -+ return NULL;
585 -+}
586 -+
587 - static void
588 - log_rerror(const char *file, int line, int level, int status,
589 - const request_rec *r, const char *fmt, ...)
590 -@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r,
591 - gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
592 - OM_uint32 major_status, minor_status, minor_status2;
593 - gss_name_t server_name = GSS_C_NO_NAME;
594 -+ gss_cred_usage_t usage = GSS_C_ACCEPT;
595 - char buf[1024];
596 - int have_server_princ;
597 -
598 -@@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r,
599 -
600 - log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
601 - token.value);
602 -+ if (conf->krb5_s4u2proxy) {
603 -+ usage = GSS_C_BOTH;
604 -+ obtain_server_credentials(r, conf->krb_service_name);
605 -+ }
606 - gss_release_buffer(&minor_status, &token);
607 -
608 - major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
609 -- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
610 -+ GSS_C_NO_OID_SET, usage,
611 - server_creds, NULL, NULL);
612 - gss_release_name(&minor_status2, &server_name);
613 - if (GSS_ERROR(major_status)) {
614 -@@ -1257,6 +1325,302 @@ cmp_gss_type(gss_buffer_t token, gss_OID
615 - }
616 - #endif
617 -
618 -+/* Renew the ticket if it will expire in under a minute */
619 -+#define RENEWAL_TIME 60
620 -+
621 -+/*
622 -+ * Services4U2Proxy lets a server prinicipal request another service
623 -+ * principal on behalf of a user. To do this the Apache service needs
624 -+ * to have its own ccache. This will ensure that the ccache has a valid
625 -+ * principal and will initialize or renew new credentials when needed.
626 -+ */
627 -+
628 -+static int
629 -+verify_server_credentials(request_rec *r,
630 -+ krb5_context kcontext,
631 -+ krb5_ccache ccache,
632 -+ krb5_principal princ,
633 -+ int *renew
634 -+)
635 -+{
636 -+ krb5_creds match_cred;
637 -+ krb5_creds creds;
638 -+ char * princ_name = NULL;
639 -+ char *tgs_princ_name = NULL;
640 -+ krb5_timestamp now;
641 -+ krb5_error_code kerr = 0;
642 -+
643 -+ *renew = 0;
644 -+
645 -+ memset (&match_cred, 0, sizeof(match_cred));
646 -+ memset (&creds, 0, sizeof(creds));
647 -+
648 -+ if (NULL == ccache || NULL == princ) {
649 -+ /* Nothing to verify */
650 -+ *renew = 1;
651 -+ goto cleanup;
652 -+ }
653 -+
654 -+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
655 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
656 -+ "Could not unparse principal %s (%d)",
657 -+ error_message(kerr), kerr);
658 -+ goto cleanup;
659 -+ }
660 -+
661 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
662 -+ "Using principal %s for s4u2proxy", princ_name);
663 -+
664 -+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
665 -+ krb5_princ_realm(kcontext, princ)->length,
666 -+ krb5_princ_realm(kcontext, princ)->data,
667 -+ krb5_princ_realm(kcontext, princ)->length,
668 -+ krb5_princ_realm(kcontext, princ)->data);
669 -+
670 -+ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server)))
671 -+ {
672 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
673 -+ "Could not parse principal %s: %s (%d)",
674 -+ tgs_princ_name, error_message(kerr), kerr);
675 -+ goto cleanup;
676 -+ }
677 -+
678 -+ match_cred.client = princ;
679 -+
680 -+ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
681 -+ {
682 -+ krb5_unparse_name(kcontext, princ, &princ_name);
683 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
684 -+ "Could not unparse principal %s: %s (%d)",
685 -+ princ_name, error_message(kerr), kerr);
686 -+ goto cleanup;
687 -+ }
688 -+
689 -+ if ((kerr = krb5_timeofday(kcontext, &now))) {
690 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
691 -+ "Could not get current time: %d (%s)",
692 -+ kerr, error_message(kerr));
693 -+ goto cleanup;
694 -+ }
695 -+
696 -+ if (now > (creds.times.endtime + RENEWAL_TIME)) {
697 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
698 -+ "Credentials for %s have expired or will soon "
699 -+ "expire - now %d endtime %d",
700 -+ princ_name, now, creds.times.endtime);
701 -+ *renew = 1;
702 -+ } else {
703 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
704 -+ "Credentials for %s will expire at "
705 -+ "%d, it is now %d", princ_name, creds.times.endtime, now);
706 -+ }
707 -+
708 -+cleanup:
709 -+ /* Closing context, ccache, etc happens elsewhere */
710 -+ if (match_cred.server) {
711 -+ krb5_free_principal(kcontext, match_cred.server);
712 -+ }
713 -+ if (creds.client) {
714 -+ krb5_free_cred_contents(kcontext, &creds);
715 -+ }
716 -+
717 -+ return kerr;
718 -+}
719 -+
720 -+static int
721 -+obtain_server_credentials(request_rec *r,
722 -+ const char *service_name)
723 -+{
724 -+ krb5_context kcontext = NULL;
725 -+ krb5_keytab keytab = NULL;
726 -+ krb5_ccache ccache = NULL;
727 -+ char * princ_name = NULL;
728 -+ char *tgs_princ_name = NULL;
729 -+ krb5_error_code kerr = 0;
730 -+ krb5_principal princ = NULL;
731 -+ krb5_creds creds;
732 -+ krb5_get_init_creds_opt gicopts;
733 -+ int renew = 0;
734 -+ apr_status_t rv = 0;
735 -+
736 -+ memset(&creds, 0, sizeof(creds));
737 -+
738 -+ if ((kerr = krb5_init_context(&kcontext))) {
739 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
740 -+ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
741 -+ goto done;
742 -+ }
743 -+
744 -+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
745 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
746 -+ "Could not get default Kerberos ccache: %s (%d)",
747 -+ error_message(kerr), kerr);
748 -+ goto done;
749 -+ }
750 -+
751 -+ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
752 -+ char * name = NULL;
753 -+
754 -+ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
755 -+ krb5_cc_get_name(kcontext, ccache))) == -1) {
756 -+ kerr = KRB5_CC_NOMEM;
757 -+ goto done;
758 -+ }
759 -+
760 -+ if (KRB5_FCC_NOFILE == kerr) {
761 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
762 -+ "Credentials cache %s not found, create one", name);
763 -+ krb5_cc_close(kcontext, ccache);
764 -+ ccache = NULL;
765 -+ free(name);
766 -+ } else {
767 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
768 -+ "Failure to open credentials cache %s: %s (%d)",
769 -+ name, error_message(kerr), kerr);
770 -+ free(name);
771 -+ goto done;
772 -+ }
773 -+ }
774 -+
775 -+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
776 -+
777 -+ if (kerr || !renew) {
778 -+ goto done;
779 -+ }
780 -+
781 -+#ifdef STANDARD20_MODULE_STUFF
782 -+ if (s4u2proxy_lock) {
783 -+ rv = apr_global_mutex_lock(s4u2proxy_lock);
784 -+ if (rv != APR_SUCCESS) {
785 -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
786 -+ "apr_global_mutex_lock(s4u2proxy_lock) "
787 -+ "failed");
788 -+ }
789 -+ }
790 -+#endif
791 -+
792 -+ /* We have the lock, check again to be sure another process hasn't already
793 -+ * renewed the ticket.
794 -+ */
795 -+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
796 -+ if (kerr || !renew) {
797 -+ goto unlock;
798 -+ }
799 -+
800 -+ if (NULL == princ) {
801 -+ if (strchr(service_name, '/') != NULL)
802 -+ kerr = krb5_parse_name(kcontext, service_name, &princ);
803 -+ else
804 -+ kerr = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
805 -+ (service_name) ? service_name : SERVICE_NAME,
806 -+ KRB5_NT_SRV_HST, &princ);
807 -+
808 -+ if (kerr) {
809 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
810 -+ "Could not parse principal: %s (%d) ",
811 -+ error_message(kerr), kerr);
812 -+ goto unlock;
813 -+ }
814 -+
815 -+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
816 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
817 -+ "Could not unparse principal %s: %s (%d)",
818 -+ princ_name, error_message(kerr), kerr);
819 -+ }
820 -+ } else if (NULL == princ_name) {
821 -+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
822 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
823 -+ "Could not unparse principal %s: %s (%d)",
824 -+ princ_name, error_message(kerr), kerr);
825 -+ goto unlock;
826 -+ }
827 -+ }
828 -+
829 -+ if ((kerr = krb5_kt_default(kcontext, &keytab))) {
830 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
831 -+ "Unable to get default keytab: %s (%d)",
832 -+ error_message(kerr), kerr);
833 -+ goto unlock;
834 -+ }
835 -+
836 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
837 -+ "Obtaining new credentials for %s", princ_name);
838 -+ krb5_get_init_creds_opt_init(&gicopts);
839 -+ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
840 -+
841 -+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
842 -+ krb5_princ_realm(kcontext, princ)->length,
843 -+ krb5_princ_realm(kcontext, princ)->data,
844 -+ krb5_princ_realm(kcontext, princ)->length,
845 -+ krb5_princ_realm(kcontext, princ)->data);
846 -+
847 -+ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
848 -+ 0, tgs_princ_name, &gicopts))) {
849 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
850 -+ "Failed to obtain credentials for principal %s: "
851 -+ "%s (%d)", princ_name, error_message(kerr), kerr);
852 -+ goto unlock;
853 -+ }
854 -+
855 -+ krb5_kt_close(kcontext, keytab);
856 -+ keytab = NULL;
857 -+
858 -+ if (NULL == ccache) {
859 -+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
860 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
861 -+ "Failed to open default ccache: %s (%d)",
862 -+ error_message(kerr), kerr);
863 -+ goto unlock;
864 -+ }
865 -+ }
866 -+
867 -+ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
868 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
869 -+ "Failed to initialize ccache for %s: %s (%d)",
870 -+ princ_name, error_message(kerr), kerr);
871 -+ goto unlock;
872 -+ }
873 -+
874 -+ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
875 -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
876 -+ "Failed to store %s in ccache: %s (%d)",
877 -+ princ_name, error_message(kerr), kerr);
878 -+ goto unlock;
879 -+ }
880 -+
881 -+unlock:
882 -+#ifdef STANDARD20_MODULE_STUFF
883 -+ if (s4u2proxy_lock) {
884 -+ apr_global_mutex_unlock(s4u2proxy_lock);
885 -+ if (rv != APR_SUCCESS) {
886 -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
887 -+ "apr_global_mutex_unlock(s4u2proxy_lock) "
888 -+ "failed");
889 -+ }
890 -+ }
891 -+#endif
892 -+
893 -+done:
894 -+ if (0 == kerr)
895 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
896 -+ "Done obtaining credentials for s4u2proxy");
897 -+ else
898 -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
899 -+ "Failed to obtain credentials for s4u2proxy");
900 -+
901 -+ if (creds.client) {
902 -+ krb5_free_cred_contents(kcontext, &creds);
903 -+ }
904 -+ if (ccache) {
905 -+ krb5_cc_close(kcontext, ccache);
906 -+ }
907 -+ if (kcontext) {
908 -+ krb5_free_context(kcontext);
909 -+ }
910 -+
911 -+ return kerr;
912 -+}
913 -+
914 - static int
915 - authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
916 - const char *auth_line, char **negotiate_ret_value)
917 -@@ -1697,10 +2061,60 @@ have_rcache_type(const char *type)
918 - /***************************************************************************
919 - Module Setup/Configuration
920 - ***************************************************************************/
921 -+#ifdef STANDARD20_MODULE_STUFF
922 -+static apr_status_t
923 -+s4u2proxylock_create(server_rec *s, apr_pool_t *p)
924 -+{
925 -+ apr_status_t rc;
926 -+
927 -+ /* only operate if a lockfile is used */
928 -+ if (lockname == NULL || *(lockname) == '\0') {
929 -+ return APR_SUCCESS;
930 -+ }
931 -+
932 -+ /* create the lockfile */
933 -+ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
934 -+ APR_LOCK_DEFAULT, p);
935 -+ if (rc != APR_SUCCESS) {
936 -+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
937 -+ "Parent could not create lock file %s", lockname);
938 -+ return rc;
939 -+ }
940 -+
941 -+#ifdef AP_NEED_SET_MUTEX_PERMS
942 -+ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
943 -+ if (rc != APR_SUCCESS) {
944 -+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
945 -+ "mod_auth_kerb: Parent could not set permissions "
946 -+ "on lock; check User and Group directives");
947 -+ return rc;
948 -+ }
949 -+#endif
950 -+
951 -+ return APR_SUCCESS;
952 -+}
953 -+
954 -+static apr_status_t
955 -+s4u2proxylock_remove(void *unused)
956 -+{
957 -+ /* only operate if a lockfile is used */
958 -+ if (lockname == NULL || *(lockname) == '\0') {
959 -+ return APR_SUCCESS;
960 -+ }
961 -+
962 -+ /* destroy the rewritelock */
963 -+ apr_global_mutex_destroy(s4u2proxy_lock);
964 -+ s4u2proxy_lock = NULL;
965 -+ lockname = NULL;
966 -+ return APR_SUCCESS;
967 -+}
968 -+#endif
969 -+
970 - #ifndef STANDARD20_MODULE_STUFF
971 - static void
972 - kerb_module_init(server_rec *dummy, pool *p)
973 - {
974 -+ apr_status_t status;
975 - #ifndef HEIMDAL
976 - /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
977 - 1.3.x are covered by the hack overiding the replay calls */
978 -@@ -1741,6 +2155,7 @@ static int
979 - kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
980 - apr_pool_t *ptemp, server_rec *s)
981 - {
982 -+ apr_status_t rv;
983 - ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
984 - #ifndef HEIMDAL
985 - /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
986 -@@ -1748,14 +2163,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
987 - if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
988 - putenv(strdup("KRB5RCACHETYPE=none"));
989 - #endif
990 -+#ifdef STANDARD20_MODULE_STUFF
991 -+ rv = s4u2proxylock_create(s, p);
992 -+ if (rv != APR_SUCCESS) {
993 -+ return HTTP_INTERNAL_SERVER_ERROR;
994 -+ }
995 -+
996 -+ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
997 -+ apr_pool_cleanup_null);
998 -+#endif
999 -
1000 - return OK;
1001 - }
1002 -
1003 - static void
1004 -+initialize_child(apr_pool_t *p, server_rec *s)
1005 -+{
1006 -+ apr_status_t rv = 0;
1007 -+
1008 -+#ifdef STANDARD20_MODULE_STUFF
1009 -+ if (lockname != NULL && *(lockname) != '\0') {
1010 -+ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
1011 -+ if (rv != APR_SUCCESS) {
1012 -+ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
1013 -+ "mod_auth_kerb: could not init s4u2proxy_lock"
1014 -+ " in child");
1015 -+ }
1016 -+ }
1017 -+#endif
1018 -+}
1019 -+
1020 -+static void
1021 - kerb_register_hooks(apr_pool_t *p)
1022 - {
1023 - ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
1024 -+ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
1025 - ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
1026 - }
1027 -
1028
1029 diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
1030 index 1d1b560367c..9094681f3d4 100644
1031 --- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
1032 +++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild
1033 @@ -6,7 +6,8 @@ inherit apache-module eutils systemd
1034
1035 DESCRIPTION="An Apache authentication module using Kerberos"
1036 HOMEPAGE="http://modauthkerb.sourceforge.net/"
1037 -SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz"
1038 +SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz
1039 + https://dev.gentoo.org/~mgorny/dist/${P}-gentoo-patchset.tar.bz2"
1040
1041 LICENSE="BSD openafs-krb5-a HPND"
1042 SLOT="0"
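Review bot: The added SRC_URI line makes the patchset tarball a fetched distfile from a single developer-hosted URL, so the only thing tying what is applied at build time to what was previously reviewable in FILESDIR is the Manifest DIST digest; the ebuild itself gives no hint where the tarball contents came from. A short comment above SRC_URI would help the next maintainer, e.g. `# patches moved out of FILESDIR into ${P}-gentoo-patchset.tar.bz2; regenerate the tarball and Manifest together`. Presumably any later change to the patchset should also get a new tarball filename (a numbered suffix), since reusing the same name with different contents leaves already-mirrored copies failing digest verification rather than being updated.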
1043 @@ -24,15 +25,15 @@ DOCFILES="INSTALL README"
1044 need_apache2
1045
1046 PATCHES=(
1047 - "${FILESDIR}"/${P}-rcopshack.patch
1048 - "${FILESDIR}"/${P}-fixes.patch
1049 - "${FILESDIR}"/${P}-s4u2proxy.patch
1050 - "${FILESDIR}"/${P}-httpd24.patch
1051 - "${FILESDIR}"/${P}-delegation.patch
1052 - "${FILESDIR}"/${P}-cachedir.patch
1053 - "${FILESDIR}"/${P}-longuser.patch
1054 - "${FILESDIR}"/${P}-handle-continue.patch
1055 - "${FILESDIR}"/${P}-heimdal.patch
1056 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-rcopshack.patch
1057 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-fixes.patch
1058 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-s4u2proxy.patch
1059 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-httpd24.patch
1060 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-delegation.patch
1061 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-cachedir.patch
1062 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-longuser.patch
1063 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-handle-continue.patch
1064 + "${WORKDIR}/${P}-gentoo-patchset"/${P}-heimdal.patch
1065 )
1066
1067 src_prepare() {
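Review bot: The new PATCHES array repeats the literal `"${WORKDIR}/${P}-gentoo-patchset"` nine times, which is easy to get out of sync if the tarball's top-level directory name ever changes; hoisting it into one variable keeps a single point of truth, e.g. `PATCHSET_DIR="${WORKDIR}/${P}-gentoo-patchset"` above the array and entries like `"${PATCHSET_DIR}"/${P}-rcopshack.patch`. A glob over that directory would not be a substitute, because the listed order (rcopshack, fixes, s4u2proxy, httpd24, ...) is not alphabetical and the removed lines show the same explicit sequence, so application order is evidently significant. The hunk also shows the array is still applied from src_prepare, whose body continues outside the hunk.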