diff options
| author |   Pacho Ramos <pacho@gentoo.org> | 2015-05-23 12:42:06 +0000 |
|---|---|---|
| committer | Pacho Ramos <pacho@gentoo.org> | 2015-05-23 12:42:06 +0000 |
| commit | 9bc3b5e5b03691b062bf98d2af4c6a4dc2a7fe92 (patch) | |
| tree | 8ca3138060e8a9395e6787aa3b01a5cf692a5f34 /www-apache | |
| parent | Mask for removal (diff) | |
| download | historical-9bc3b5e5b03691b062bf98d2af4c6a4dc2a7fe92.tar.gz historical-9bc3b5e5b03691b062bf98d2af4c6a4dc2a7fe92.tar.bz2 historical-9bc3b5e5b03691b062bf98d2af4c6a4dc2a7fe92.zip | |
drop old
Package-Manager: portage-2.2.19/cvs/Linux x86_64
Manifest-Sign-Key: 0xA188FBD4
Diffstat (limited to 'www-apache')
| -rw-r--r-- | www-apache/mod_auth_kerb/ChangeLog | 7 | ||||
| -rw-r--r-- | www-apache/mod_auth_kerb/Manifest | 10 | ||||
| -rw-r--r-- | www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r1.patch | 591 | ||||
| -rw-r--r-- | www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r2.patch | 603 |
4 files changed, 10 insertions, 1201 deletions
diff --git a/www-apache/mod_auth_kerb/ChangeLog b/www-apache/mod_auth_kerb/ChangeLog index f397d149283e..7844af953f2e 100644 --- a/www-apache/mod_auth_kerb/ChangeLog +++ b/www-apache/mod_auth_kerb/ChangeLog @@ -1,6 +1,11 @@ # ChangeLog for www-apache/mod_auth_kerb # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/ChangeLog,v 1.19 2015/05/17 10:55:22 pacho Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/ChangeLog,v 1.20 2015/05/23 12:42:05 pacho Exp $ + + 23 May 2015; Pacho Ramos <pacho@gentoo.org> + -files/mod_auth_kerb-5.4-s4u2proxy-r1.patch, + -files/mod_auth_kerb-5.4-s4u2proxy-r2.patch: + drop old 17 May 2015; Pacho Ramos <pacho@gentoo.org> +files/mod_auth_kerb-5.4-s4u2proxy-r3.patch, mod_auth_kerb-5.4-r2.ebuild: diff --git a/www-apache/mod_auth_kerb/Manifest b/www-apache/mod_auth_kerb/Manifest index a892bf5b3b37..a798e4f6cdeb 100644 --- a/www-apache/mod_auth_kerb/Manifest +++ b/www-apache/mod_auth_kerb/Manifest @@ -9,20 +9,18 @@ AUX mod_auth_kerb-5.4-handle-continue.patch 735 SHA256 24d1cc7f12be73a3f99f3943a AUX mod_auth_kerb-5.4-httpd24.patch 2622 SHA256 b98c3a8720fac455f1cf78d1bf4219aef0bc49ce269d79de783db6401bed2668 SHA512 739ffc704286630af557487f93f9cbb0786ab62401fcf20b0d22dcc991388a0691bb94422f80db9fa85bfe926b28bbf96dcb5149e48118f978a38aff52856bf7 WHIRLPOOL 6c8fafa301d041b7d7816122511df9243a6f5bb947c219d35618eafcbedffb576fdff7f4a368f6ecd27eae1222f3449731baee44caa9b46757f5e0b074a16ffa AUX mod_auth_kerb-5.4-longuser.patch 1007 SHA256 3de2bdab5980381ba8a65f4f04931edddf1ff35f345a30ea65383a7368e01f8b SHA512 0ffd82fddb6bd9eff466c7a11f5221c5006814e8ca99aef1de48dae4537ce0d11c718506d84be572f116e74d10bb9031021ddc17a65bfc86e42edbaf77063617 WHIRLPOOL 307cef9246fe5ecdf62730898798e1af4beb2f55ff5d27017562d8f53398233cc66b9f035fa3281e47702ae2bd9ea967d28f2f71274a2a60565417c5721599c3 AUX mod_auth_kerb-5.4-rcopshack.patch 2244 SHA256 813ad49f9c0aa8495e716a7ed902bfcef4282cb10793112ad0e92b667620e33c SHA512 4da4e51baec036fdf035ee6f215453129b4b93a7733887834c08c0c5a7610ebe8e0981ad34a5cd5ed86af58c926bd65417fe09f64ce42d56b41e5051b96f6ca5 WHIRLPOOL 18ee97dc4bab314b1943778c74c660878a8477520e5cad69e78d0e2b2c39076254cd81973987e42ee1ed8b113dcee4949b81de0976f7e4d025e29753cd952b3a -AUX mod_auth_kerb-5.4-s4u2proxy-r1.patch 20326 SHA256 41994ae5bd2dd0ddbb0080444791b9029093df0fc382f169a71bec38fec37ebe SHA512 461807dce410467ca9b06da56d85994e59c70627f4f2579c8a8b54cfec229ab4f07a4eea2d0fa018e1e2ece6ef039e4023dd8b4900efafd6b1c23aa36baa210e WHIRLPOOL cec8ce8f9f98c912a060e7f061257ded113aa558bdc81421a6803c3e4e2a345ccefe3d7d890fed1daec14f74047d24d7e1e68a2d2f748576354983e4ac6afcb7 -AUX mod_auth_kerb-5.4-s4u2proxy-r2.patch 21037 SHA256 a659c054aa3739a28d21369a63921408219b434f7291d5a0806e8919ad8be4d7 SHA512 85e39f8b843bdcc10530c5eda26d24c00574235fbe9f04915c9c6273aac13b97a5729c791a9603e4f77d83801933cbb0d22aa6b2a3caf7f9cc91e46bf6530d2c WHIRLPOOL 0049d338a4381fdaa0903f3fece61e5dbd36c7f14bb2b5eec0c46e06b0d0b7f43a352c72972cc658e73d4c1c400f55853713c402af98ab91e4561fc2448959d7 AUX mod_auth_kerb-5.4-s4u2proxy-r3.patch 21037 SHA256 a659c054aa3739a28d21369a63921408219b434f7291d5a0806e8919ad8be4d7 SHA512 85e39f8b843bdcc10530c5eda26d24c00574235fbe9f04915c9c6273aac13b97a5729c791a9603e4f77d83801933cbb0d22aa6b2a3caf7f9cc91e46bf6530d2c WHIRLPOOL 0049d338a4381fdaa0903f3fece61e5dbd36c7f14bb2b5eec0c46e06b0d0b7f43a352c72972cc658e73d4c1c400f55853713c402af98ab91e4561fc2448959d7 AUX mod_auth_kerb-5.4-s4u2proxy.patch 20358 SHA256 0ced12b7cb97302118d3f991e241237ec6df5d146bb6b3f479c12890b3fc8bef SHA512 a105463b277a73460fb820973d78f44d5f88961b92317a4bab13b357b8dbf5560afa4e6263b9c66ff69d1d3bf03356d3e56806b437ae6a6d8002a3549a8544e5 WHIRLPOOL f90032ae76c0e6ce4019cffc62ed26c833b6063af79e16ea989317daab7d8b8673a1660a3e27cdb5b99e83a3fc62e91d7174c5adec895bf6dc68c098594c20fa DIST mod_auth_kerb-5.3.tar.gz 73530 SHA256 89cd779a94405521770cbcb169af5af61e7f2aad91c4f4b82efaae35df7595ec DIST mod_auth_kerb-5.4.tar.gz 93033 SHA256 690ddd66c6d941e2fa2dada46588329a6f57d0a3b9b2fd9bf055ebc427558265 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214 WHIRLPOOL 1b92217b7cf66d731a72cf9d58f188002ccadd75fc3d9075290347e6b4f1511111d3cff147fab73616951cbdb9430e8038adf5c4e204d374886bec3be69ff51c EBUILD mod_auth_kerb-5.3.ebuild 772 SHA256 e579fc44d7eb8416fca362be39b5dfdc86c6e44c3a3241ac41b7606f61064f78 SHA512 e62f1cd2b7edf88180afcb77843310da9405e4f660d31117f5d5363bc8695da277a504c6527d75f8026c69c66d900c612c0d61e5636e6629eca89238325e9fb9 WHIRLPOOL 7f2191d861256d78bcc99dd5c8b2de81d334712eb80d9bd252e73270ec76e320b2e3c0d747b52f466b8d5dd31b67f73842774402fa01c8850315c43a6a3a87c9 EBUILD mod_auth_kerb-5.4-r2.ebuild 1229 SHA256 d3dded067f62d6738bb507d42ec051eae1e9b4026591bbd06b0b854b7332a95a SHA512 3ef57d1788c7484734dd35c78d209a859ea80234738198495c5934149452d03d2b91116e88b25f2134ae629c46ca031d1388af81d7d37024380aa4927411996c WHIRLPOOL 68fd3b66716c37c617c96f424d40f53ce775b29328da8d0222d0ff0407b5f3253ace838380dead035a0a0b2ce3011d6ddfa387abd64a956fbfab166297dc7906 -MISC ChangeLog 7131 SHA256 016d7cf7e73a3735355ee219acc271cf7310558d5d7ee7776ce30f9c82f98f9a SHA512 10b02480672da7c89159f48ad1c7d35d19ba2e35b77ec9d043f768ef50e134594b164fb07f7149686c6850ff2dfddb28392e8ff326312c527d580e363372e3fe WHIRLPOOL 333d488ea02d6308b564cd647c2cc7e5b020244f62df83c71a427ff81cdae080b9b86f7742efdadd5f132f0dfa7b73931f380ea1e3482a0a6df57bcbbb24bfb7 +MISC ChangeLog 7283 SHA256 07e37f53346ceab20aaaa448dca9cac13e9daa94c6d31e2a600e45d423ad4dbb SHA512 d813e61c84d9dcf1cc7e4f832d3624d0d4951a12fbf17770b431654063d4626f44991fe1ea080f289d0ee4550aafc3be06833b6cd8bbee0ff964437b539725a0 WHIRLPOOL fdcee2f3d89f14466d8c5b2832e2027bb0eafa8ca9fed2d0f51a6aaa28f51b18ffbe22d0ad63d22b81e9c17ff45d4b22b65b273936cba3c1d45c3285b55a1e24 MISC metadata.xml 208 SHA256 98f8aa3fb70533eeab6b09d5bc30bd8f649ec13d9b04363490082fb87bb6032e SHA512 d5a7f3cb2fe57f8d7783ba358068648b122d9f5de81a17bff61ce600e42b6487e6f7e2a62c8be95cc7021cb3ea88716824b1ad0565da922ea753bea2417b3d3d WHIRLPOOL e38a6cdef2acb3efdc182efde482593790f773ab3bb9b66cced3af47e4ab39368757e17c4352c6cacaefa338341db88c3bcc3ffcd32aabd7984c5b19051a7bb7 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 -iEYEAREIAAYFAlVYc5sACgkQCaWpQKGI+9TF4QCfai/isbyMhZrz37VZojuH86M0 -7VsAnjvckPcRAUCiat97b8ijDgGvxHRi -=BGy7 +iEYEAREIAAYFAlVgdZ4ACgkQCaWpQKGI+9TIdACfYzbL86BdXI/SZ9GRQfuvOmKT +wT0An1ZCFK2VeZ8fa4LK3zkD0o/IKWq8 +=A7nv -----END PGP SIGNATURE----- diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r1.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r1.patch deleted file mode 100644 index 031f87eb4c41..000000000000 --- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r1.patch +++ /dev/null @@ -1,591 +0,0 @@ - -Add S4U2Proxy feature: - -http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help - -The attached patches add support for using s4u2proxy -(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the -web service to obtain credentials on behalf of the authenticated user. - -The first patch adds basic support for s4u2proxy. This requires the web -administrator to manually create and manage the credentails cache for -the apache user (via a cron job, for example). - -The second patch builds on this and makes mod_auth_kerb manage the -ccache instead. - -These are patches against the current CVS HEAD (mod_auth_krb 5.4). - -I've added a new module option to enable this support, -KrbConstrainedDelegation. The default is off. - ---- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500 -+++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500 -@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be - credential cache that will be available for the request handler. The ticket - file will be removed after request is handled. - -+Constrained Delegation -+---------------------- -+S4U2Proxy, or constrained delegation, enables a service to use a client's -+ticket to itself to request another ticket for delegation. The KDC -+checks krbAllowedToDelegateTo to decide if it will issue a new ticket. -+If KrbConstrainedDelegation is enabled the server will use its own credentials -+to retrieve a delegated ticket for the user. For this to work the user must -+have a forwardable ticket (though the delegation flag need not be set). -+The server needs a valid credentials cache for this to work. -+ -+The module itself will obtain and manage the necessary credentials. -+ - $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $ -diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c ---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500 -+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500 -@@ -42,6 +42,31 @@ - * POSSIBILITY OF SUCH DAMAGE. - */ - -+/* -+ * Locking mechanism inspired by mod_rewrite. -+ * -+ * Licensed to the Apache Software Foundation (ASF) under one or more -+ * contributor license agreements. See the NOTICE file distributed with -+ * this work for additional information regarding copyright ownership. -+ * The ASF licenses this file to You under the Apache License, Version 2.0 -+ * (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+ -+/* -+ * S4U2Proxy code -+ * -+ * Copyright (C) 2012 Red Hat -+ */ -+ - #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $" - - #include "config.h" -@@ -49,6 +74,7 @@ - #include <stdlib.h> - #include <stdio.h> - #include <stdarg.h> -+#include <unixd.h> - - #define MODAUTHKERB_VERSION "5.4" - -@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_ - module auth_kerb_module; - #endif - -+#ifdef STANDARD20_MODULE_STUFF -+/* s4u2proxy only supported in 2.0+ */ -+static const char *lockname; -+static apr_global_mutex_t *s4u2proxy_lock = NULL; -+#endif -+ - /*************************************************************************** - Macros To Ease Compatibility - ***************************************************************************/ -@@ -165,6 +197,7 @@ typedef struct { - int krb_method_gssapi; - int krb_method_k5pass; - int krb5_do_auth_to_local; -+ int krb5_s4u2proxy; - #endif - #ifdef KRB4 - char *krb_4_srvtab; -@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co - - static const char* - krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg); -+static const char * -+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1); -+ -+static int -+obtain_server_credentials(request_rec *r, const char *service_name); - - #ifdef STANDARD20_MODULE_STUFF - #define command(name, func, var, type, usage) \ -@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[ - - command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local, - FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."), -+ -+ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy, -+ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."), -+ -+ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL, -+ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"), - #endif - - #ifdef KRB4 -@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P - #endif - #ifdef KRB5 - ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0; -+ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0; - ((kerb_auth_config *)rec)->krb_method_k5pass = 1; - ((kerb_auth_config *)rec)->krb_method_gssapi = 1; - #endif -@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v - return NULL; - } - -+static const char * -+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1) -+{ -+ const char *error; -+ -+ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) -+ return error; -+ -+ /* fixup the path, especially for s4u2proxylock_remove() */ -+ lockname = ap_server_root_relative(cmd->pool, a1); -+ -+ if (!lockname) { -+ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL); -+ } -+ -+ return NULL; -+} -+ - static void - log_rerror(const char *file, int line, int level, int status, - const request_rec *r, const char *fmt, ...) -@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r, - gss_buffer_desc token = GSS_C_EMPTY_BUFFER; - OM_uint32 major_status, minor_status, minor_status2; - gss_name_t server_name = GSS_C_NO_NAME; -+ gss_cred_usage_t usage = GSS_C_ACCEPT; - char buf[1024]; - int have_server_princ; - -@@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r, - - log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", - token.value); -+ if (conf->krb5_s4u2proxy) { -+ usage = GSS_C_BOTH; -+ obtain_server_credentials(r, conf->krb_service_name); -+ } - gss_release_buffer(&minor_status, &token); - - major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, -- GSS_C_NO_OID_SET, GSS_C_ACCEPT, -+ GSS_C_NO_OID_SET, usage, - server_creds, NULL, NULL); - gss_release_name(&minor_status2, &server_name); - if (GSS_ERROR(major_status)) { -@@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID - } - #endif - -+/* Renew the ticket if it will expire in under a minute */ -+#define RENEWAL_TIME 60 -+ -+/* -+ * Services4U2Proxy lets a server prinicipal request another service -+ * principal on behalf of a user. To do this the Apache service needs -+ * to have its own ccache. This will ensure that the ccache has a valid -+ * principal and will initialize or renew new credentials when needed. -+ */ -+ -+static int -+verify_server_credentials(request_rec *r, -+ krb5_context kcontext, -+ krb5_ccache ccache, -+ krb5_principal princ, -+ int *renew -+) -+{ -+ krb5_creds match_cred; -+ krb5_creds creds; -+ char * princ_name = NULL; -+ char *tgs_princ_name = NULL; -+ krb5_timestamp now; -+ krb5_error_code kerr = 0; -+ -+ *renew = 0; -+ -+ memset (&match_cred, 0, sizeof(match_cred)); -+ memset (&creds, 0, sizeof(creds)); -+ -+ if (NULL == ccache || NULL == princ) { -+ /* Nothing to verify */ -+ *renew = 1; -+ goto cleanup; -+ } -+ -+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Could not unparse principal %s (%d)", -+ error_message(kerr), kerr); -+ goto cleanup; -+ } -+ -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Using principal %s for s4u2proxy", princ_name); -+ -+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME, -+ krb5_princ_realm(kcontext, princ)->length, -+ krb5_princ_realm(kcontext, princ)->data, -+ krb5_princ_realm(kcontext, princ)->length, -+ krb5_princ_realm(kcontext, princ)->data); -+ -+ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server))) -+ { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Could not parse principal %s: %s (%d)", -+ tgs_princ_name, error_message(kerr), kerr); -+ goto cleanup; -+ } -+ -+ match_cred.client = princ; -+ -+ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds))) -+ { -+ krb5_unparse_name(kcontext, princ, &princ_name); -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Could not unparse principal %s: %s (%d)", -+ princ_name, error_message(kerr), kerr); -+ goto cleanup; -+ } -+ -+ if ((kerr = krb5_timeofday(kcontext, &now))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Could not get current time: %d (%s)", -+ kerr, error_message(kerr)); -+ goto cleanup; -+ } -+ -+ if (now > (creds.times.endtime + RENEWAL_TIME)) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Credentials for %s have expired or will soon " -+ "expire - now %d endtime %d", -+ princ_name, now, creds.times.endtime); -+ *renew = 1; -+ } else { -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Credentials for %s will expire at " -+ "%d, it is now %d", princ_name, creds.times.endtime, now); -+ } -+ -+cleanup: -+ /* Closing context, ccache, etc happens elsewhere */ -+ if (match_cred.server) { -+ krb5_free_principal(kcontext, match_cred.server); -+ } -+ if (creds.client) { -+ krb5_free_cred_contents(kcontext, &creds); -+ } -+ -+ return kerr; -+} -+ -+static int -+obtain_server_credentials(request_rec *r, -+ const char *service_name) -+{ -+ krb5_context kcontext = NULL; -+ krb5_keytab keytab = NULL; -+ krb5_ccache ccache = NULL; -+ char * princ_name = NULL; -+ char *tgs_princ_name = NULL; -+ krb5_error_code kerr = 0; -+ krb5_principal princ = NULL; -+ krb5_creds creds; -+ krb5_get_init_creds_opt gicopts; -+ int renew = 0; -+ apr_status_t rv = 0; -+ -+ memset(&creds, 0, sizeof(creds)); -+ -+ if ((kerr = krb5_init_context(&kcontext))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr); -+ goto done; -+ } -+ -+ if ((kerr = krb5_cc_default(kcontext, &ccache))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Could not get default Kerberos ccache: %s (%d)", -+ error_message(kerr), kerr); -+ goto done; -+ } -+ -+ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) { -+ char * name = NULL; -+ -+ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache), -+ krb5_cc_get_name(kcontext, ccache))) == -1) { -+ kerr = KRB5_CC_NOMEM; -+ goto done; -+ } -+ -+ if (KRB5_FCC_NOFILE == kerr) { -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Credentials cache %s not found, create one", name); -+ krb5_cc_close(kcontext, ccache); -+ ccache = NULL; -+ free(name); -+ } else { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Failure to open credentials cache %s: %s (%d)", -+ name, error_message(kerr), kerr); -+ free(name); -+ goto done; -+ } -+ } -+ -+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew); -+ -+ if (kerr || !renew) { -+ goto done; -+ } -+ -+#ifdef STANDARD20_MODULE_STUFF -+ if (s4u2proxy_lock) { -+ rv = apr_global_mutex_lock(s4u2proxy_lock); -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, -+ "apr_global_mutex_lock(s4u2proxy_lock) " -+ "failed"); -+ } -+ } -+#endif -+ -+ /* We have the lock, check again to be sure another process hasn't already -+ * renewed the ticket. -+ */ -+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew); -+ if (kerr || !renew) { -+ goto unlock; -+ } -+ -+ if (NULL == princ) { -+ princ_name = apr_psprintf(r->pool, "%s/%s", -+ (service_name) ? service_name : SERVICE_NAME, -+ ap_get_server_name(r)); -+ -+ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Could not parse principal %s: %s (%d) ", -+ princ_name, error_message(kerr), kerr); -+ goto unlock; -+ } -+ } else if (NULL == princ_name) { -+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Could not unparse principal %s: %s (%d)", -+ princ_name, error_message(kerr), kerr); -+ goto unlock; -+ } -+ } -+ -+ if ((kerr = krb5_kt_default(kcontext, &keytab))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Unable to get default keytab: %s (%d)", -+ error_message(kerr), kerr); -+ goto unlock; -+ } -+ -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Obtaining new credentials for %s", princ_name); -+ krb5_get_init_creds_opt_init(&gicopts); -+ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1); -+ -+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME, -+ krb5_princ_realm(kcontext, princ)->length, -+ krb5_princ_realm(kcontext, princ)->data, -+ krb5_princ_realm(kcontext, princ)->length, -+ krb5_princ_realm(kcontext, princ)->data); -+ -+ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab, -+ 0, tgs_princ_name, &gicopts))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Failed to obtain credentials for principal %s: " -+ "%s (%d)", princ_name, error_message(kerr), kerr); -+ goto unlock; -+ } -+ -+ krb5_kt_close(kcontext, keytab); -+ keytab = NULL; -+ -+ if (NULL == ccache) { -+ if ((kerr = krb5_cc_default(kcontext, &ccache))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Failed to open default ccache: %s (%d)", -+ error_message(kerr), kerr); -+ goto unlock; -+ } -+ } -+ -+ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Failed to initialize ccache for %s: %s (%d)", -+ princ_name, error_message(kerr), kerr); -+ goto unlock; -+ } -+ -+ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) { -+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Failed to store %s in ccache: %s (%d)", -+ princ_name, error_message(kerr), kerr); -+ goto unlock; -+ } -+ -+unlock: -+#ifdef STANDARD20_MODULE_STUFF -+ if (s4u2proxy_lock) { -+ apr_global_mutex_unlock(s4u2proxy_lock); -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, -+ "apr_global_mutex_unlock(s4u2proxy_lock) " -+ "failed"); -+ } -+ } -+#endif -+ -+done: -+ if (0 == kerr) -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Done obtaining credentials for s4u2proxy"); -+ else -+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Failed to obtain credentials for s4u2proxy"); -+ -+ if (creds.client) { -+ krb5_free_cred_contents(kcontext, &creds); -+ } -+ if (ccache) { -+ krb5_cc_close(kcontext, ccache); -+ } -+ if (kcontext) { -+ krb5_free_context(kcontext); -+ } -+ -+ return kerr; -+} -+ - static int - authenticate_user_gss(request_rec *r, kerb_auth_config *conf, - const char *auth_line, char **negotiate_ret_value) -@@ -1697,10 +2052,60 @@ have_rcache_type(const char *type) - /*************************************************************************** - Module Setup/Configuration - ***************************************************************************/ -+#ifdef STANDARD20_MODULE_STUFF -+static apr_status_t -+s4u2proxylock_create(server_rec *s, apr_pool_t *p) -+{ -+ apr_status_t rc; -+ -+ /* only operate if a lockfile is used */ -+ if (lockname == NULL || *(lockname) == '\0') { -+ return APR_SUCCESS; -+ } -+ -+ /* create the lockfile */ -+ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname, -+ APR_LOCK_DEFAULT, p); -+ if (rc != APR_SUCCESS) { -+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, -+ "Parent could not create lock file %s", lockname); -+ return rc; -+ } -+ -+#ifdef AP_NEED_SET_MUTEX_PERMS -+ rc = unixd_set_global_mutex_perms(s4u2proxy_lock); -+ if (rc != APR_SUCCESS) { -+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, -+ "mod_auth_kerb: Parent could not set permissions " -+ "on lock; check User and Group directives"); -+ return rc; -+ } -+#endif -+ -+ return APR_SUCCESS; -+} -+ -+static apr_status_t -+s4u2proxylock_remove(void *unused) -+{ -+ /* only operate if a lockfile is used */ -+ if (lockname == NULL || *(lockname) == '\0') { -+ return APR_SUCCESS; -+ } -+ -+ /* destroy the rewritelock */ -+ apr_global_mutex_destroy(s4u2proxy_lock); -+ s4u2proxy_lock = NULL; -+ lockname = NULL; -+ return APR_SUCCESS; -+} -+#endif -+ - #ifndef STANDARD20_MODULE_STUFF - static void - kerb_module_init(server_rec *dummy, pool *p) - { -+ apr_status_t status; - #ifndef HEIMDAL - /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. - 1.3.x are covered by the hack overiding the replay calls */ -@@ -1741,6 +2146,7 @@ static int - kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, - apr_pool_t *ptemp, server_rec *s) - { -+ apr_status_t rv; - ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION); - #ifndef HEIMDAL - /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. -@@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo - if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) - putenv(strdup("KRB5RCACHETYPE=none")); - #endif -+#ifdef STANDARD20_MODULE_STUFF -+ rv = s4u2proxylock_create(s, p); -+ if (rv != APR_SUCCESS) { -+ return HTTP_INTERNAL_SERVER_ERROR; -+ } -+ -+ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove, -+ apr_pool_cleanup_null); -+#endif - - return OK; - } - - static void -+initialize_child(apr_pool_t *p, server_rec *s) -+{ -+ apr_status_t rv = 0; -+ -+#ifdef STANDARD20_MODULE_STUFF -+ if (lockname != NULL && *(lockname) != '\0') { -+ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p); -+ if (rv != APR_SUCCESS) { -+ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, -+ "mod_auth_kerb: could not init s4u2proxy_lock" -+ " in child"); -+ } -+ } -+#endif -+} -+ -+static void - kerb_register_hooks(apr_pool_t *p) - { - ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); -+ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); - } - diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r2.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r2.patch deleted file mode 100644 index f56d36278b1b..000000000000 --- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r2.patch +++ /dev/null @@ -1,603 +0,0 @@ -
-Add S4U2Proxy feature:
-
-http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
-
-The attached patches add support for using s4u2proxy
-(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
-web service to obtain credentials on behalf of the authenticated user.
-
-The first patch adds basic support for s4u2proxy. This requires the web
-administrator to manually create and manage the credentails cache for
-the apache user (via a cron job, for example).
-
-The second patch builds on this and makes mod_auth_kerb manage the
-ccache instead.
-
-These are patches against the current CVS HEAD (mod_auth_krb 5.4).
-
-I've added a new module option to enable this support,
-KrbConstrainedDelegation. The default is off.
-
---- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
-+++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500
-@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
- credential cache that will be available for the request handler. The ticket
- file will be removed after request is handled.
-
-+Constrained Delegation
-+----------------------
-+S4U2Proxy, or constrained delegation, enables a service to use a client's
-+ticket to itself to request another ticket for delegation. The KDC
-+checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
-+If KrbConstrainedDelegation is enabled the server will use its own credentials
-+to retrieve a delegated ticket for the user. For this to work the user must
-+have a forwardable ticket (though the delegation flag need not be set).
-+The server needs a valid credentials cache for this to work.
-+
-+The module itself will obtain and manage the necessary credentials.
-+
- $Id: mod_auth_kerb-5.4-s4u2proxy-r2.patch,v 1.1 2015/05/08 18:21:14 pacho Exp $
-diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500
-@@ -42,6 +42,31 @@
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-+/*
-+ * Locking mechanism inspired by mod_rewrite.
-+ *
-+ * Licensed to the Apache Software Foundation (ASF) under one or more
-+ * contributor license agreements. See the NOTICE file distributed with
-+ * this work for additional information regarding copyright ownership.
-+ * The ASF licenses this file to You under the Apache License, Version 2.0
-+ * (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+/*
-+ * S4U2Proxy code
-+ *
-+ * Copyright (C) 2012 Red Hat
-+ */
-+
- #ident "$Id: mod_auth_kerb-5.4-s4u2proxy-r2.patch,v 1.1 2015/05/08 18:21:14 pacho Exp $"
-
- #include "config.h"
-@@ -49,6 +74,7 @@
- #include <stdlib.h>
- #include <stdio.h>
- #include <stdarg.h>
-+#include <unixd.h>
-
- #define MODAUTHKERB_VERSION "5.4"
-
-@@ -122,6 +148,12 @@
- module auth_kerb_module;
- #endif
-
-+#ifdef STANDARD20_MODULE_STUFF
-+/* s4u2proxy only supported in 2.0+ */
-+static const char *lockname;
-+static apr_global_mutex_t *s4u2proxy_lock = NULL;
-+#endif
-+
- /***************************************************************************
- Macros To Ease Compatibility
- ***************************************************************************/
-@@ -156,6 +188,7 @@
- int krb_method_gssapi;
- int krb_method_k5pass;
- int krb5_do_auth_to_local;
-+ int krb5_s4u2proxy;
- #endif
- #ifdef KRB4
- char *krb_4_srvtab;
-@@ -176,6 +209,11 @@
-
- static const char*
- krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
-+static const char *
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
-+
-+static int
-+obtain_server_credentials(request_rec *r, const char *service_name);
-
- #ifdef STANDARD20_MODULE_STUFF
- #define command(name, func, var, type, usage) \
-@@ -228,6 +266,12 @@
-
- command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
- FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
-+
-+ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
-+ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
-+
-+ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
-+ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
- #endif
-
- #ifdef KRB4
-@@ -293,6 +337,7 @@
- #endif
- #ifdef KRB5
- ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
-+ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
- ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
- ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
- #endif
-@@ -310,6 +355,24 @@
- return NULL;
- }
-
-+static const char *
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
-+{
-+ const char *error;
-+
-+ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
-+ return error;
-+
-+ /* fixup the path, especially for s4u2proxylock_remove() */
-+ lockname = ap_server_root_relative(cmd->pool, a1);
-+
-+ if (!lockname) {
-+ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
-+ }
-+
-+ return NULL;
-+}
-+
- static void
- log_rerror(const char *file, int line, int level, int status,
- const request_rec *r, const char *fmt, ...)
-@@ -1161,6 +1224,7 @@
- gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
- OM_uint32 major_status, minor_status, minor_status2;
- gss_name_t server_name = GSS_C_NO_NAME;
-+ gss_cred_usage_t usage = GSS_C_ACCEPT;
- char buf[1024];
- int have_server_princ;
-
-@@ -1203,10 +1267,14 @@
-
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
- token.value);
-+ if (conf->krb5_s4u2proxy) {
-+ usage = GSS_C_BOTH;
-+ obtain_server_credentials(r, conf->krb_service_name);
-+ }
- gss_release_buffer(&minor_status, &token);
-
- major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
-- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
-+ GSS_C_NO_OID_SET, usage,
- server_creds, NULL, NULL);
- gss_release_name(&minor_status2, &server_name);
- if (GSS_ERROR(major_status)) {
-@@ -1248,6 +1316,305 @@
- }
- #endif
-
-+/* Renew the ticket if it will expire in under a minute */
-+#define RENEWAL_TIME 60
-+
-+/*
-+ * Services4U2Proxy lets a server prinicipal request another service
-+ * principal on behalf of a user. To do this the Apache service needs
-+ * to have its own ccache. This will ensure that the ccache has a valid
-+ * principal and will initialize or renew new credentials when needed.
-+ */
-+
-+static int
-+verify_server_credentials(request_rec *r,
-+ krb5_context kcontext,
-+ krb5_ccache ccache,
-+ krb5_principal princ,
-+ int *renew
-+)
-+{
-+ krb5_creds match_cred;
-+ krb5_creds creds;
-+ char * princ_name = NULL;
-+ char *tgs_princ_name = NULL;
-+ krb5_timestamp now;
-+ krb5_error_code kerr = 0;
-+
-+ *renew = 0;
-+
-+ memset (&match_cred, 0, sizeof(match_cred));
-+ memset (&creds, 0, sizeof(creds));
-+
-+ if (NULL == ccache || NULL == princ) {
-+ /* Nothing to verify */
-+ *renew = 1;
-+ goto cleanup;
-+ }
-+
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not unparse principal %s (%d)",
-+ error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Using principal %s for s4u2proxy", princ_name);
-+
-+#ifdef HEIMDAL
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,
-+ krb5_principal_get_realm(kcontext, princ),
-+ krb5_principal_get_realm(kcontext, princ));
-+#else
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data);
-+#endif
-+
-+ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server)))
-+ {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal %s: %s (%d)",
-+ tgs_princ_name, error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ match_cred.client = princ;
-+
-+ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
-+ {
-+ krb5_unparse_name(kcontext, princ, &princ_name);
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Could not unparse principal %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto cleanup;
-+ }
-+
-+ if ((kerr = krb5_timeofday(kcontext, &now))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not get current time: %d (%s)",
-+ kerr, error_message(kerr));
-+ goto cleanup;
-+ }
-+
-+ if (now > (creds.times.endtime + RENEWAL_TIME)) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Credentials for %s have expired or will soon "
-+ "expire - now %d endtime %d",
-+ princ_name, now, creds.times.endtime);
-+ *renew = 1;
-+ } else {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Credentials for %s will expire at "
-+ "%d, it is now %d", princ_name, creds.times.endtime, now);
-+ }
-+
-+cleanup:
-+ /* Closing context, ccache, etc happens elsewhere */
-+ if (match_cred.server) {
-+ krb5_free_principal(kcontext, match_cred.server);
-+ }
-+ if (creds.client) {
-+ krb5_free_cred_contents(kcontext, &creds);
-+ }
-+
-+ return kerr;
-+}
-+
-+static int
-+obtain_server_credentials(request_rec *r,
-+ const char *service_name)
-+{
-+ krb5_context kcontext = NULL;
-+ krb5_keytab keytab = NULL;
-+ krb5_ccache ccache = NULL;
-+ char * princ_name = NULL;
-+ char *tgs_princ_name = NULL;
-+ krb5_error_code kerr = 0;
-+ krb5_principal princ = NULL;
-+ krb5_creds creds;
-+ krb5_get_init_creds_opt gicopts;
-+ int renew = 0;
-+ apr_status_t rv = 0;
-+
-+ memset(&creds, 0, sizeof(creds));
-+
-+ if ((kerr = krb5_init_context(&kcontext))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
-+ goto done;
-+ }
-+
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not get default Kerberos ccache: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto done;
-+ }
-+
-+ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
-+ char * name = NULL;
-+
-+ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
-+ krb5_cc_get_name(kcontext, ccache))) == -1) {
-+ kerr = KRB5_CC_NOMEM;
-+ goto done;
-+ }
-+
-+ if (KRB5_FCC_NOFILE == kerr) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Credentials cache %s not found, create one", name);
-+ krb5_cc_close(kcontext, ccache);
-+ ccache = NULL;
-+ free(name);
-+ } else {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failure to open credentials cache %s: %s (%d)",
-+ name, error_message(kerr), kerr);
-+ free(name);
-+ goto done;
-+ }
-+ }
-+
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
-+
-+ if (kerr || !renew) {
-+ goto done;
-+ }
-+
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (s4u2proxy_lock) {
-+ rv = apr_global_mutex_lock(s4u2proxy_lock);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
-+ "apr_global_mutex_lock(s4u2proxy_lock) "
-+ "failed");
-+ }
-+ }
-+#endif
-+
-+ /* We have the lock, check again to be sure another process hasn't already
-+ * renewed the ticket.
-+ */
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
-+ if (kerr || !renew) {
-+ goto unlock;
-+ }
-+
-+ if (NULL == princ) {
-+ princ_name = apr_psprintf(r->pool, "%s/%s",
-+ (service_name) ? service_name : SERVICE_NAME,
-+ ap_get_server_name(r));
-+
-+ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal %s: %s (%d) ",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+ } else if (NULL == princ_name) {
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Could not unparse principal %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+ }
-+
-+ if ((kerr = krb5_kt_default(kcontext, &keytab))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Unable to get default keytab: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Obtaining new credentials for %s", princ_name);
-+ krb5_get_init_creds_opt_init(&gicopts);
-+ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
-+
-+#ifdef HEIMDAL
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,
-+ krb5_principal_get_realm(kcontext, princ),
-+ krb5_principal_get_realm(kcontext, princ));
-+#else
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data,
-+ krb5_princ_realm(kcontext, princ)->length,
-+ krb5_princ_realm(kcontext, princ)->data);
-+#endif
-+
-+ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
-+ 0, tgs_princ_name, &gicopts))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to obtain credentials for principal %s: "
-+ "%s (%d)", princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ krb5_kt_close(kcontext, keytab);
-+ keytab = NULL;
-+
-+ if (NULL == ccache) {
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to open default ccache: %s (%d)",
-+ error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+ }
-+
-+ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to initialize ccache for %s: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Failed to store %s in ccache: %s (%d)",
-+ princ_name, error_message(kerr), kerr);
-+ goto unlock;
-+ }
-+
-+unlock:
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (s4u2proxy_lock) {
-+ apr_global_mutex_unlock(s4u2proxy_lock);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
-+ "apr_global_mutex_unlock(s4u2proxy_lock) "
-+ "failed");
-+ }
-+ }
-+#endif
-+
-+done:
-+ if (0 == kerr)
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Done obtaining credentials for s4u2proxy");
-+ else
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+ "Failed to obtain credentials for s4u2proxy");
-+
-+ if (creds.client) {
-+ krb5_free_cred_contents(kcontext, &creds);
-+ }
-+ if (ccache) {
-+ krb5_cc_close(kcontext, ccache);
-+ }
-+ if (kcontext) {
-+ krb5_free_context(kcontext);
-+ }
-+
-+ return kerr;
-+}
-+
- static int
- authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
- const char *auth_line, char **negotiate_ret_value)
-@@ -1688,10 +2055,60 @@
- /***************************************************************************
- Module Setup/Configuration
- ***************************************************************************/
-+#ifdef STANDARD20_MODULE_STUFF
-+static apr_status_t
-+s4u2proxylock_create(server_rec *s, apr_pool_t *p)
-+{
-+ apr_status_t rc;
-+
-+ /* only operate if a lockfile is used */
-+ if (lockname == NULL || *(lockname) == '\0') {
-+ return APR_SUCCESS;
-+ }
-+
-+ /* create the lockfile */
-+ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
-+ APR_LOCK_DEFAULT, p);
-+ if (rc != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
-+ "Parent could not create lock file %s", lockname);
-+ return rc;
-+ }
-+
-+#ifdef AP_NEED_SET_MUTEX_PERMS
-+ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
-+ if (rc != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
-+ "mod_auth_kerb: Parent could not set permissions "
-+ "on lock; check User and Group directives");
-+ return rc;
-+ }
-+#endif
-+
-+ return APR_SUCCESS;
-+}
-+
-+static apr_status_t
-+s4u2proxylock_remove(void *unused)
-+{
-+ /* only operate if a lockfile is used */
-+ if (lockname == NULL || *(lockname) == '\0') {
-+ return APR_SUCCESS;
-+ }
-+
-+ /* destroy the rewritelock */
-+ apr_global_mutex_destroy(s4u2proxy_lock);
-+ s4u2proxy_lock = NULL;
-+ lockname = NULL;
-+ return APR_SUCCESS;
-+}
-+#endif
-+
- #ifndef STANDARD20_MODULE_STUFF
- static void
- kerb_module_init(server_rec *dummy, pool *p)
- {
-+ apr_status_t status;
- #ifndef HEIMDAL
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
- 1.3.x are covered by the hack overiding the replay calls */
-@@ -1732,6 +2149,7 @@
- kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
- apr_pool_t *ptemp, server_rec *s)
- {
-+ apr_status_t rv;
- ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
- #ifndef HEIMDAL
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
-@@ -1739,14 +2157,41 @@
- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
- putenv(strdup("KRB5RCACHETYPE=none"));
- #endif
-+#ifdef STANDARD20_MODULE_STUFF
-+ rv = s4u2proxylock_create(s, p);
-+ if (rv != APR_SUCCESS) {
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
-+
-+ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
-+ apr_pool_cleanup_null);
-+#endif
-
- return OK;
- }
-
- static void
-+initialize_child(apr_pool_t *p, server_rec *s)
-+{
-+ apr_status_t rv = 0;
-+
-+#ifdef STANDARD20_MODULE_STUFF
-+ if (lockname != NULL && *(lockname) != '\0') {
-+ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-+ "mod_auth_kerb: could not init s4u2proxy_lock"
-+ " in child");
-+ }
-+ }
-+#endif
-+}
-+
-+static void
- kerb_register_hooks(apr_pool_t *p)
- {
- ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
-+ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
- }
-
|