diff options
| author |   Pacho Ramos <pacho@gentoo.org> | 2015-05-17 10:55:23 +0000 |
|---|---|---|
| committer | Pacho Ramos <pacho@gentoo.org> | 2015-05-17 10:55:23 +0000 |
| commit | 9ff3c0101db3eb6e9ce722f6632a6e2da25e3aaf (patch) | |
| tree | 03e0b0554f74e09a83dcef431f9b535b10cccb9f /www-apache | |
| parent | Try to commit the patch properly (diff) | |
| download | historical-9ff3c0101db3eb6e9ce722f6632a6e2da25e3aaf.tar.gz historical-9ff3c0101db3eb6e9ce722f6632a6e2da25e3aaf.tar.bz2 historical-9ff3c0101db3eb6e9ce722f6632a6e2da25e3aaf.zip | |
Try to commit the patch properly
Package-Manager: portage-2.2.19/cvs/Linux x86_64
Manifest-Sign-Key: 0xA188FBD4
Diffstat (limited to 'www-apache')
| -rw-r--r-- | www-apache/mod_auth_kerb/Manifest | 11 | ||||
| -rw-r--r-- | www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r3.patch | 603 | ||||
| -rw-r--r-- | www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild | 4 |
3 files changed, 611 insertions, 7 deletions
diff --git a/www-apache/mod_auth_kerb/Manifest b/www-apache/mod_auth_kerb/Manifest index 801d0a6c1fe5..a892bf5b3b37 100644 --- a/www-apache/mod_auth_kerb/Manifest +++ b/www-apache/mod_auth_kerb/Manifest @@ -11,17 +11,18 @@ AUX mod_auth_kerb-5.4-longuser.patch 1007 SHA256 3de2bdab5980381ba8a65f4f04931ed AUX mod_auth_kerb-5.4-rcopshack.patch 2244 SHA256 813ad49f9c0aa8495e716a7ed902bfcef4282cb10793112ad0e92b667620e33c SHA512 4da4e51baec036fdf035ee6f215453129b4b93a7733887834c08c0c5a7610ebe8e0981ad34a5cd5ed86af58c926bd65417fe09f64ce42d56b41e5051b96f6ca5 WHIRLPOOL 18ee97dc4bab314b1943778c74c660878a8477520e5cad69e78d0e2b2c39076254cd81973987e42ee1ed8b113dcee4949b81de0976f7e4d025e29753cd952b3a AUX mod_auth_kerb-5.4-s4u2proxy-r1.patch 20326 SHA256 41994ae5bd2dd0ddbb0080444791b9029093df0fc382f169a71bec38fec37ebe SHA512 461807dce410467ca9b06da56d85994e59c70627f4f2579c8a8b54cfec229ab4f07a4eea2d0fa018e1e2ece6ef039e4023dd8b4900efafd6b1c23aa36baa210e WHIRLPOOL cec8ce8f9f98c912a060e7f061257ded113aa558bdc81421a6803c3e4e2a345ccefe3d7d890fed1daec14f74047d24d7e1e68a2d2f748576354983e4ac6afcb7 AUX mod_auth_kerb-5.4-s4u2proxy-r2.patch 21037 SHA256 a659c054aa3739a28d21369a63921408219b434f7291d5a0806e8919ad8be4d7 SHA512 85e39f8b843bdcc10530c5eda26d24c00574235fbe9f04915c9c6273aac13b97a5729c791a9603e4f77d83801933cbb0d22aa6b2a3caf7f9cc91e46bf6530d2c WHIRLPOOL 0049d338a4381fdaa0903f3fece61e5dbd36c7f14bb2b5eec0c46e06b0d0b7f43a352c72972cc658e73d4c1c400f55853713c402af98ab91e4561fc2448959d7 +AUX mod_auth_kerb-5.4-s4u2proxy-r3.patch 21037 SHA256 a659c054aa3739a28d21369a63921408219b434f7291d5a0806e8919ad8be4d7 SHA512 85e39f8b843bdcc10530c5eda26d24c00574235fbe9f04915c9c6273aac13b97a5729c791a9603e4f77d83801933cbb0d22aa6b2a3caf7f9cc91e46bf6530d2c WHIRLPOOL 0049d338a4381fdaa0903f3fece61e5dbd36c7f14bb2b5eec0c46e06b0d0b7f43a352c72972cc658e73d4c1c400f55853713c402af98ab91e4561fc2448959d7 AUX mod_auth_kerb-5.4-s4u2proxy.patch 20358 SHA256 0ced12b7cb97302118d3f991e241237ec6df5d146bb6b3f479c12890b3fc8bef SHA512 a105463b277a73460fb820973d78f44d5f88961b92317a4bab13b357b8dbf5560afa4e6263b9c66ff69d1d3bf03356d3e56806b437ae6a6d8002a3549a8544e5 WHIRLPOOL f90032ae76c0e6ce4019cffc62ed26c833b6063af79e16ea989317daab7d8b8673a1660a3e27cdb5b99e83a3fc62e91d7174c5adec895bf6dc68c098594c20fa DIST mod_auth_kerb-5.3.tar.gz 73530 SHA256 89cd779a94405521770cbcb169af5af61e7f2aad91c4f4b82efaae35df7595ec DIST mod_auth_kerb-5.4.tar.gz 93033 SHA256 690ddd66c6d941e2fa2dada46588329a6f57d0a3b9b2fd9bf055ebc427558265 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214 WHIRLPOOL 1b92217b7cf66d731a72cf9d58f188002ccadd75fc3d9075290347e6b4f1511111d3cff147fab73616951cbdb9430e8038adf5c4e204d374886bec3be69ff51c EBUILD mod_auth_kerb-5.3.ebuild 772 SHA256 e579fc44d7eb8416fca362be39b5dfdc86c6e44c3a3241ac41b7606f61064f78 SHA512 e62f1cd2b7edf88180afcb77843310da9405e4f660d31117f5d5363bc8695da277a504c6527d75f8026c69c66d900c612c0d61e5636e6629eca89238325e9fb9 WHIRLPOOL 7f2191d861256d78bcc99dd5c8b2de81d334712eb80d9bd252e73270ec76e320b2e3c0d747b52f466b8d5dd31b67f73842774402fa01c8850315c43a6a3a87c9 -EBUILD mod_auth_kerb-5.4-r2.ebuild 1229 SHA256 fd77dd05e701a3ed3bc79b947d351b9e78cddcf36c116a16f6e6a71a28744a1d SHA512 3ba29fbf840db6bbd2c137a1f4621770e94968a82cb679af9e5695b09345ccf13ed8fc7e7ecd88f550d80c2af61fc7a7b5586285a23cabb171b90b11a30e1f1c WHIRLPOOL b57409ddf724a854b4cf802c74de9b9c13d1c083e7743f887ecc20a08bb5b64bc20f3a890e04823a8dbc350af2a5982d290969252d9265408872dec41559c00f -MISC ChangeLog 6977 SHA256 5a9ba346ad5743e98a5fbfa3da16c066d53b6ac5b390c783d859956f69371067 SHA512 81e01f58894f1f8a62b9e3445f5c5b2eb69ec656b3c1f5e98d9ee2f745208265dff031ec208676c5d4f88867388e652ed9e7a1d700c2670c7ccec79ac90444dd WHIRLPOOL 7d62786721d3fd16fc6ac7134e9ce63f74f7e8e9b5ac0869f250857c50cd52d2d9b09c822cdb4499544bfe70438d9308207d6e1d3011971240389eadcf5b2899 +EBUILD mod_auth_kerb-5.4-r2.ebuild 1229 SHA256 d3dded067f62d6738bb507d42ec051eae1e9b4026591bbd06b0b854b7332a95a SHA512 3ef57d1788c7484734dd35c78d209a859ea80234738198495c5934149452d03d2b91116e88b25f2134ae629c46ca031d1388af81d7d37024380aa4927411996c WHIRLPOOL 68fd3b66716c37c617c96f424d40f53ce775b29328da8d0222d0ff0407b5f3253ace838380dead035a0a0b2ce3011d6ddfa387abd64a956fbfab166297dc7906 +MISC ChangeLog 7131 SHA256 016d7cf7e73a3735355ee219acc271cf7310558d5d7ee7776ce30f9c82f98f9a SHA512 10b02480672da7c89159f48ad1c7d35d19ba2e35b77ec9d043f768ef50e134594b164fb07f7149686c6850ff2dfddb28392e8ff326312c527d580e363372e3fe WHIRLPOOL 333d488ea02d6308b564cd647c2cc7e5b020244f62df83c71a427ff81cdae080b9b86f7742efdadd5f132f0dfa7b73931f380ea1e3482a0a6df57bcbbb24bfb7 MISC metadata.xml 208 SHA256 98f8aa3fb70533eeab6b09d5bc30bd8f649ec13d9b04363490082fb87bb6032e SHA512 d5a7f3cb2fe57f8d7783ba358068648b122d9f5de81a17bff61ce600e42b6487e6f7e2a62c8be95cc7021cb3ea88716824b1ad0565da922ea753bea2417b3d3d WHIRLPOOL e38a6cdef2acb3efdc182efde482593790f773ab3bb9b66cced3af47e4ab39368757e17c4352c6cacaefa338341db88c3bcc3ffcd32aabd7984c5b19051a7bb7 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 -iEYEAREIAAYFAlVYc24ACgkQCaWpQKGI+9RPSACdElrPD2kkfdYiyYx9WQsdpAY5 -2o8An3b3c0W2nUvbkUvqjzF5oK/Fa1Hw -=NfqD +iEYEAREIAAYFAlVYc5sACgkQCaWpQKGI+9TF4QCfai/isbyMhZrz37VZojuH86M0 +7VsAnjvckPcRAUCiat97b8ijDgGvxHRi +=BGy7 -----END PGP SIGNATURE----- diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r3.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r3.patch new file mode 100644 index 000000000000..202b402be561 --- /dev/null +++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r3.patch @@ -0,0 +1,603 @@ +
+Add S4U2Proxy feature:
+
+http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
+
+The attached patches add support for using s4u2proxy
+(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
+web service to obtain credentials on behalf of the authenticated user.
+
+The first patch adds basic support for s4u2proxy. This requires the web
+administrator to manually create and manage the credentails cache for
+the apache user (via a cron job, for example).
+
+The second patch builds on this and makes mod_auth_kerb manage the
+ccache instead.
+
+These are patches against the current CVS HEAD (mod_auth_krb 5.4).
+
+I've added a new module option to enable this support,
+KrbConstrainedDelegation. The default is off.
+
+--- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
++++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
+ credential cache that will be available for the request handler. The ticket
+ file will be removed after request is handled.
+
++Constrained Delegation
++----------------------
++S4U2Proxy, or constrained delegation, enables a service to use a client's
++ticket to itself to request another ticket for delegation. The KDC
++checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
++If KrbConstrainedDelegation is enabled the server will use its own credentials
++to retrieve a delegated ticket for the user. For this to work the user must
++have a forwardable ticket (though the delegation flag need not be set).
++The server needs a valid credentials cache for this to work.
++
++The module itself will obtain and manage the necessary credentials.
++
+ $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
+diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500
+@@ -42,6 +42,31 @@
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
++/*
++ * Locking mechanism inspired by mod_rewrite.
++ *
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++/*
++ * S4U2Proxy code
++ *
++ * Copyright (C) 2012 Red Hat
++ */
++
+ #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
+
+ #include "config.h"
+@@ -49,6 +74,7 @@
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <stdarg.h>
++#include <unixd.h>
+
+ #define MODAUTHKERB_VERSION "5.4"
+
+@@ -122,6 +148,12 @@
+ module auth_kerb_module;
+ #endif
+
++#ifdef STANDARD20_MODULE_STUFF
++/* s4u2proxy only supported in 2.0+ */
++static const char *lockname;
++static apr_global_mutex_t *s4u2proxy_lock = NULL;
++#endif
++
+ /***************************************************************************
+ Macros To Ease Compatibility
+ ***************************************************************************/
+@@ -156,6 +188,7 @@
+ int krb_method_gssapi;
+ int krb_method_k5pass;
+ int krb5_do_auth_to_local;
++ int krb5_s4u2proxy;
+ #endif
+ #ifdef KRB4
+ char *krb_4_srvtab;
+@@ -176,6 +209,11 @@
+
+ static const char*
+ krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
++
++static int
++obtain_server_credentials(request_rec *r, const char *service_name);
+
+ #ifdef STANDARD20_MODULE_STUFF
+ #define command(name, func, var, type, usage) \
+@@ -228,6 +266,12 @@
+
+ command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
+ FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
++
++ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
++ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
++
++ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
++ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
+ #endif
+
+ #ifdef KRB4
+@@ -293,6 +337,7 @@
+ #endif
+ #ifdef KRB5
+ ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
++ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
+ ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
+ ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
+ #endif
+@@ -310,6 +355,24 @@
+ return NULL;
+ }
+
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
++{
++ const char *error;
++
++ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
++ return error;
++
++ /* fixup the path, especially for s4u2proxylock_remove() */
++ lockname = ap_server_root_relative(cmd->pool, a1);
++
++ if (!lockname) {
++ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
++ }
++
++ return NULL;
++}
++
+ static void
+ log_rerror(const char *file, int line, int level, int status,
+ const request_rec *r, const char *fmt, ...)
+@@ -1161,6 +1224,7 @@
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major_status, minor_status, minor_status2;
+ gss_name_t server_name = GSS_C_NO_NAME;
++ gss_cred_usage_t usage = GSS_C_ACCEPT;
+ char buf[1024];
+ int have_server_princ;
+
+@@ -1203,10 +1267,14 @@
+
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
+ token.value);
++ if (conf->krb5_s4u2proxy) {
++ usage = GSS_C_BOTH;
++ obtain_server_credentials(r, conf->krb_service_name);
++ }
+ gss_release_buffer(&minor_status, &token);
+
+ major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
+- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
++ GSS_C_NO_OID_SET, usage,
+ server_creds, NULL, NULL);
+ gss_release_name(&minor_status2, &server_name);
+ if (GSS_ERROR(major_status)) {
+@@ -1248,6 +1316,305 @@
+ }
+ #endif
+
++/* Renew the ticket if it will expire in under a minute */
++#define RENEWAL_TIME 60
++
++/*
++ * Services4U2Proxy lets a server prinicipal request another service
++ * principal on behalf of a user. To do this the Apache service needs
++ * to have its own ccache. This will ensure that the ccache has a valid
++ * principal and will initialize or renew new credentials when needed.
++ */
++
++static int
++verify_server_credentials(request_rec *r,
++ krb5_context kcontext,
++ krb5_ccache ccache,
++ krb5_principal princ,
++ int *renew
++)
++{
++ krb5_creds match_cred;
++ krb5_creds creds;
++ char * princ_name = NULL;
++ char *tgs_princ_name = NULL;
++ krb5_timestamp now;
++ krb5_error_code kerr = 0;
++
++ *renew = 0;
++
++ memset (&match_cred, 0, sizeof(match_cred));
++ memset (&creds, 0, sizeof(creds));
++
++ if (NULL == ccache || NULL == princ) {
++ /* Nothing to verify */
++ *renew = 1;
++ goto cleanup;
++ }
++
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not unparse principal %s (%d)",
++ error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Using principal %s for s4u2proxy", princ_name);
++
++#ifdef HEIMDAL
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,
++ krb5_principal_get_realm(kcontext, princ),
++ krb5_principal_get_realm(kcontext, princ));
++#else
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data);
++#endif
++
++ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server)))
++ {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not parse principal %s: %s (%d)",
++ tgs_princ_name, error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ match_cred.client = princ;
++
++ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
++ {
++ krb5_unparse_name(kcontext, princ, &princ_name);
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ if ((kerr = krb5_timeofday(kcontext, &now))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not get current time: %d (%s)",
++ kerr, error_message(kerr));
++ goto cleanup;
++ }
++
++ if (now > (creds.times.endtime + RENEWAL_TIME)) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Credentials for %s have expired or will soon "
++ "expire - now %d endtime %d",
++ princ_name, now, creds.times.endtime);
++ *renew = 1;
++ } else {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Credentials for %s will expire at "
++ "%d, it is now %d", princ_name, creds.times.endtime, now);
++ }
++
++cleanup:
++ /* Closing context, ccache, etc happens elsewhere */
++ if (match_cred.server) {
++ krb5_free_principal(kcontext, match_cred.server);
++ }
++ if (creds.client) {
++ krb5_free_cred_contents(kcontext, &creds);
++ }
++
++ return kerr;
++}
++
++static int
++obtain_server_credentials(request_rec *r,
++ const char *service_name)
++{
++ krb5_context kcontext = NULL;
++ krb5_keytab keytab = NULL;
++ krb5_ccache ccache = NULL;
++ char * princ_name = NULL;
++ char *tgs_princ_name = NULL;
++ krb5_error_code kerr = 0;
++ krb5_principal princ = NULL;
++ krb5_creds creds;
++ krb5_get_init_creds_opt gicopts;
++ int renew = 0;
++ apr_status_t rv = 0;
++
++ memset(&creds, 0, sizeof(creds));
++
++ if ((kerr = krb5_init_context(&kcontext))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
++ goto done;
++ }
++
++ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not get default Kerberos ccache: %s (%d)",
++ error_message(kerr), kerr);
++ goto done;
++ }
++
++ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
++ char * name = NULL;
++
++ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
++ krb5_cc_get_name(kcontext, ccache))) == -1) {
++ kerr = KRB5_CC_NOMEM;
++ goto done;
++ }
++
++ if (KRB5_FCC_NOFILE == kerr) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Credentials cache %s not found, create one", name);
++ krb5_cc_close(kcontext, ccache);
++ ccache = NULL;
++ free(name);
++ } else {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failure to open credentials cache %s: %s (%d)",
++ name, error_message(kerr), kerr);
++ free(name);
++ goto done;
++ }
++ }
++
++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++
++ if (kerr || !renew) {
++ goto done;
++ }
++
++#ifdef STANDARD20_MODULE_STUFF
++ if (s4u2proxy_lock) {
++ rv = apr_global_mutex_lock(s4u2proxy_lock);
++ if (rv != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++ "apr_global_mutex_lock(s4u2proxy_lock) "
++ "failed");
++ }
++ }
++#endif
++
++ /* We have the lock, check again to be sure another process hasn't already
++ * renewed the ticket.
++ */
++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++ if (kerr || !renew) {
++ goto unlock;
++ }
++
++ if (NULL == princ) {
++ princ_name = apr_psprintf(r->pool, "%s/%s",
++ (service_name) ? service_name : SERVICE_NAME,
++ ap_get_server_name(r));
++
++ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not parse principal %s: %s (%d) ",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++ } else if (NULL == princ_name) {
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++ }
++
++ if ((kerr = krb5_kt_default(kcontext, &keytab))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Unable to get default keytab: %s (%d)",
++ error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Obtaining new credentials for %s", princ_name);
++ krb5_get_init_creds_opt_init(&gicopts);
++ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
++
++#ifdef HEIMDAL
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,
++ krb5_principal_get_realm(kcontext, princ),
++ krb5_principal_get_realm(kcontext, princ));
++#else
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data);
++#endif
++
++ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
++ 0, tgs_princ_name, &gicopts))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to obtain credentials for principal %s: "
++ "%s (%d)", princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ krb5_kt_close(kcontext, keytab);
++ keytab = NULL;
++
++ if (NULL == ccache) {
++ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to open default ccache: %s (%d)",
++ error_message(kerr), kerr);
++ goto unlock;
++ }
++ }
++
++ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to initialize ccache for %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to store %s in ccache: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++unlock:
++#ifdef STANDARD20_MODULE_STUFF
++ if (s4u2proxy_lock) {
++ apr_global_mutex_unlock(s4u2proxy_lock);
++ if (rv != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++ "apr_global_mutex_unlock(s4u2proxy_lock) "
++ "failed");
++ }
++ }
++#endif
++
++done:
++ if (0 == kerr)
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Done obtaining credentials for s4u2proxy");
++ else
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Failed to obtain credentials for s4u2proxy");
++
++ if (creds.client) {
++ krb5_free_cred_contents(kcontext, &creds);
++ }
++ if (ccache) {
++ krb5_cc_close(kcontext, ccache);
++ }
++ if (kcontext) {
++ krb5_free_context(kcontext);
++ }
++
++ return kerr;
++}
++
+ static int
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ const char *auth_line, char **negotiate_ret_value)
+@@ -1688,10 +2055,60 @@
+ /***************************************************************************
+ Module Setup/Configuration
+ ***************************************************************************/
++#ifdef STANDARD20_MODULE_STUFF
++static apr_status_t
++s4u2proxylock_create(server_rec *s, apr_pool_t *p)
++{
++ apr_status_t rc;
++
++ /* only operate if a lockfile is used */
++ if (lockname == NULL || *(lockname) == '\0') {
++ return APR_SUCCESS;
++ }
++
++ /* create the lockfile */
++ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
++ APR_LOCK_DEFAULT, p);
++ if (rc != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++ "Parent could not create lock file %s", lockname);
++ return rc;
++ }
++
++#ifdef AP_NEED_SET_MUTEX_PERMS
++ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
++ if (rc != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++ "mod_auth_kerb: Parent could not set permissions "
++ "on lock; check User and Group directives");
++ return rc;
++ }
++#endif
++
++ return APR_SUCCESS;
++}
++
++static apr_status_t
++s4u2proxylock_remove(void *unused)
++{
++ /* only operate if a lockfile is used */
++ if (lockname == NULL || *(lockname) == '\0') {
++ return APR_SUCCESS;
++ }
++
++ /* destroy the rewritelock */
++ apr_global_mutex_destroy(s4u2proxy_lock);
++ s4u2proxy_lock = NULL;
++ lockname = NULL;
++ return APR_SUCCESS;
++}
++#endif
++
+ #ifndef STANDARD20_MODULE_STUFF
+ static void
+ kerb_module_init(server_rec *dummy, pool *p)
+ {
++ apr_status_t status;
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+@@ -1732,6 +2149,7 @@
+ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
+ apr_pool_t *ptemp, server_rec *s)
+ {
++ apr_status_t rv;
+ ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+@@ -1739,14 +2157,41 @@
+ if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
++#ifdef STANDARD20_MODULE_STUFF
++ rv = s4u2proxylock_create(s, p);
++ if (rv != APR_SUCCESS) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
++
++ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
++ apr_pool_cleanup_null);
++#endif
+
+ return OK;
+ }
+
+ static void
++initialize_child(apr_pool_t *p, server_rec *s)
++{
++ apr_status_t rv = 0;
++
++#ifdef STANDARD20_MODULE_STUFF
++ if (lockname != NULL && *(lockname) != '\0') {
++ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
++ if (rv != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
++ "mod_auth_kerb: could not init s4u2proxy_lock"
++ " in child");
++ }
++ }
++#endif
++}
++
++static void
+ kerb_register_hooks(apr_pool_t *p)
+ {
+ ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
++ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
+ }
+
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild index 3c26830c342e..2b375b77ef06 100644 --- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild +++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild,v 1.1 2015/05/08 18:21:14 pacho Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild,v 1.2 2015/05/17 10:55:22 pacho Exp $ EAPI=5 inherit apache-module eutils systemd @@ -27,7 +27,7 @@ need_apache2 src_prepare() { epatch "${FILESDIR}"/${P}-rcopshack.patch epatch "${FILESDIR}"/${P}-fixes.patch - epatch "${FILESDIR}"/${P}-s4u2proxy-r2.patch + epatch "${FILESDIR}"/${P}-s4u2proxy-r3.patch epatch "${FILESDIR}"/${P}-httpd24.patch epatch "${FILESDIR}"/${P}-delegation.patch epatch "${FILESDIR}"/${P}-cachedir.patch |