Try to fix the same problem again (#452186 by Thomas Beinicke)

Package-Manager: portage-2.1.11.40/cvs/Linux x86_64 Manifest-Sign-Key: 0xA188FBD4
author: Pacho Ramos <pacho@gentoo.org> 2013-01-15 21:32:06 +0000
committer: Pacho Ramos <pacho@gentoo.org> 2013-01-15 21:32:06 +0000
commit: 9588a5630f1e20308e0de4102caa61a5218f91f8 (patch)
tree: 1efc909bc38898e82ab3c96cc78f0ce82650c6d9 /www-apache
parent: Remove dev-python/sphinx mask after replacing the broken rev with a new one. (diff)
download: historical-9588a5630f1e20308e0de4102caa61a5218f91f8.tar.gz
historical-9588a5630f1e20308e0de4102caa61a5218f91f8.tar.bz2
historical-9588a5630f1e20308e0de4102caa61a5218f91f8.zip
4 files changed, 604 insertions, 8 deletions
diff --git a/www-apache/mod_auth_kerb/ChangeLog b/www-apache/mod_auth_kerb/ChangeLog
index 51f8b99396dd..f3edb79f8596 100644
--- a/www-apache/mod_auth_kerb/ChangeLog
+++ b/www-apache/mod_auth_kerb/ChangeLog
@@ -1,6 +1,10 @@
 # ChangeLog for www-apache/mod_auth_kerb
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/ChangeLog,v 1.13 2013/01/11 20:41:59 pacho Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/ChangeLog,v 1.14 2013/01/15 21:32:01 pacho Exp $
+
+  15 Jan 2013; Pacho Ramos <pacho@gentoo.org>
+  +files/mod_auth_kerb-5.4-s4u2proxy-r1.patch, mod_auth_kerb-5.4-r1.ebuild:
+  Try to fix the same problem again (#452186 by Thomas Beinicke)
 
   11 Jan 2013; Pacho Ramos <pacho@gentoo.org>
   files/mod_auth_kerb-5.4-s4u2proxy.patch:
diff --git a/www-apache/mod_auth_kerb/Manifest b/www-apache/mod_auth_kerb/Manifest
index 19e70879fd79..07441604c296 100644
--- a/www-apache/mod_auth_kerb/Manifest
+++ b/www-apache/mod_auth_kerb/Manifest
@@ -7,18 +7,19 @@ AUX mod_auth_kerb-5.4-delegation.patch 2589 SHA256 1c4625e1de2904957ac156df220d8
 AUX mod_auth_kerb-5.4-fixes.patch 1098 SHA256 1f9a21ff56473783c27cf69d78bb0618768447c71749522e39ba83c727c81335 SHA512 4881deb0accbd1ebff88a210036f2c66d443625727580ca25a8a403a96a8fa39edc2a01769584a474d1a1dbf028438a754319c3e318b2bef9114db754d542112 WHIRLPOOL 3685d3934e3a5032fafc5acae83f5574e6f493530f5d4a5c95cb8e982d6c5a1f7dc2bed0b5a6ec9004dc903c43fa80d7ee88bd60cbd5564481b80db7cd7902b1
 AUX mod_auth_kerb-5.4-httpd24.patch 2622 SHA256 b98c3a8720fac455f1cf78d1bf4219aef0bc49ce269d79de783db6401bed2668 SHA512 739ffc704286630af557487f93f9cbb0786ab62401fcf20b0d22dcc991388a0691bb94422f80db9fa85bfe926b28bbf96dcb5149e48118f978a38aff52856bf7 WHIRLPOOL 6c8fafa301d041b7d7816122511df9243a6f5bb947c219d35618eafcbedffb576fdff7f4a368f6ecd27eae1222f3449731baee44caa9b46757f5e0b074a16ffa
 AUX mod_auth_kerb-5.4-rcopshack.patch 2244 SHA256 813ad49f9c0aa8495e716a7ed902bfcef4282cb10793112ad0e92b667620e33c SHA512 4da4e51baec036fdf035ee6f215453129b4b93a7733887834c08c0c5a7610ebe8e0981ad34a5cd5ed86af58c926bd65417fe09f64ce42d56b41e5051b96f6ca5 WHIRLPOOL 18ee97dc4bab314b1943778c74c660878a8477520e5cad69e78d0e2b2c39076254cd81973987e42ee1ed8b113dcee4949b81de0976f7e4d025e29753cd952b3a
+AUX mod_auth_kerb-5.4-s4u2proxy-r1.patch 20326 SHA256 41994ae5bd2dd0ddbb0080444791b9029093df0fc382f169a71bec38fec37ebe SHA512 461807dce410467ca9b06da56d85994e59c70627f4f2579c8a8b54cfec229ab4f07a4eea2d0fa018e1e2ece6ef039e4023dd8b4900efafd6b1c23aa36baa210e WHIRLPOOL cec8ce8f9f98c912a060e7f061257ded113aa558bdc81421a6803c3e4e2a345ccefe3d7d890fed1daec14f74047d24d7e1e68a2d2f748576354983e4ac6afcb7
 AUX mod_auth_kerb-5.4-s4u2proxy.patch 20358 SHA256 0ced12b7cb97302118d3f991e241237ec6df5d146bb6b3f479c12890b3fc8bef SHA512 a105463b277a73460fb820973d78f44d5f88961b92317a4bab13b357b8dbf5560afa4e6263b9c66ff69d1d3bf03356d3e56806b437ae6a6d8002a3549a8544e5 WHIRLPOOL f90032ae76c0e6ce4019cffc62ed26c833b6063af79e16ea989317daab7d8b8673a1660a3e27cdb5b99e83a3fc62e91d7174c5adec895bf6dc68c098594c20fa
 DIST mod_auth_kerb-5.3.tar.gz 73530 SHA256 89cd779a94405521770cbcb169af5af61e7f2aad91c4f4b82efaae35df7595ec
 DIST mod_auth_kerb-5.4.tar.gz 93033 SHA256 690ddd66c6d941e2fa2dada46588329a6f57d0a3b9b2fd9bf055ebc427558265 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214 WHIRLPOOL 1b92217b7cf66d731a72cf9d58f188002ccadd75fc3d9075290347e6b4f1511111d3cff147fab73616951cbdb9430e8038adf5c4e204d374886bec3be69ff51c
 EBUILD mod_auth_kerb-5.3.ebuild 770 SHA256 8e2df5d22503796e5af2736639feb8089d418acb9ebbba80eab9c737a796e943 SHA512 7b2ce8a9521fc5155bfe2e33cc27417d70133a131452716991ffd2f790dce039eb15c0765e3afa38d8a3b6ab4e2d02fe78f6b02aedddd5ab147106c10244f920 WHIRLPOOL fc55900c86ac8b2ea65f38471e0c485eab6f0f2180760d41a961ea0d29333d8a3916c0e0627d11540eacf45f5b0aa934659985accbcd7e4631108b174c4be19c
-EBUILD mod_auth_kerb-5.4-r1.ebuild 1078 SHA256 d571593f9c5ba44d596821de04ba9e95222b67480e4e45b70723e22aa44c0cee SHA512 d1dcbfa6395d6c3a53345264279886f998d652bc52b3c0685bcdfc3debfcb43eeeccd2f175f2fac4b6c84dc7fd56278fc34e50555220674b40f9b992b3be78f5 WHIRLPOOL a104c93de0d4f86032fc81b9032419fb20d97eb69e41d516abc83cdebd1fcf2f0b4b878ad655b5e3ea0136cbec90ab989d98ce6448089557e3cf765bc985c001
+EBUILD mod_auth_kerb-5.4-r1.ebuild 1081 SHA256 36c3d9a1a763f42ef9281916972fe5e8ce31195e5406c95669fe808a13894e74 SHA512 4b25deb1d7acd9dc2c83030604363fa8b1287924c6ce04bb6fe366a9edca9dfbaf3fcf4e2cd635969be05ed0dcc2c5982d67d2ca0b9ed17cbcb742eb371caf90 WHIRLPOOL 8658f877086240024f16c57729da1b44e12d9db726ac50fcdccce432a5f155b9119b2575175c4011206b166d2b6fafca58cb390141429e7ce804b50490b75a1c
 EBUILD mod_auth_kerb-5.4.ebuild 771 SHA256 cadc91b8b24b434f70c7d34c82b9151999b7b0038d5ea3f3cc5023799f6ae232 SHA512 a516f0186db0e2a34d55aacb9d8f0bec631f4cbeda44de98a0bc3e3d1b66d1c16a1ff3f431f3a82f3ee639a42c856baccd4e746fd643af32f3431c1902958177 WHIRLPOOL b7bedc71f596ebdbe8b9d29e2ebc748dea7f877d8c597aaf996f0042c2c7339e8aba25a614620216115d6010bc4bfc5f5af5ab7bcc75cd7169a66ad4cefe9fa7
-MISC ChangeLog 5927 SHA256 f652b7881e0bddc2132fa9207e25421e5e7581202f46894d1a0e59c8d87537db SHA512 6a4176cbd67f0dff8ea55bee8c97b37302bae0db48cd47f2de9ae101d1a6f34d5f283db282c9a4e27f2d079cfb68354fbea6384ea9b91051d9ab451782bea326 WHIRLPOOL 4021916f062598be2c79db732886d52a7251f6fd8c148f6a0887a34e27dc79b52d08ccd1782a1b0a25ed8df0d92de7b1a69d76d14b833af29acef23069257e4a
+MISC ChangeLog 6115 SHA256 e4a5b1c88254e9a9a8863906ec44dd847a571399377d72caf360637883545f16 SHA512 aec9636da73aecd8d33c30b36d4e8f6776fa2277e06a2f3e2ff33a5178927239c4b007faa92bfc070e476c90ddbd067f3b54423eb0803ef4450b279564f97163 WHIRLPOOL 2369b29775ac14ca76a3703a12deb9581dd8d9c2cd6c56b03ecca295335cbfe5dcc0878418cbc2e17520dd611c057e7e204e6e1fa69be0d526181697d98d4589
 MISC metadata.xml 208 SHA256 98f8aa3fb70533eeab6b09d5bc30bd8f649ec13d9b04363490082fb87bb6032e SHA512 d5a7f3cb2fe57f8d7783ba358068648b122d9f5de81a17bff61ce600e42b6487e6f7e2a62c8be95cc7021cb3ea88716824b1ad0565da922ea753bea2417b3d3d WHIRLPOOL e38a6cdef2acb3efdc182efde482593790f773ab3bb9b66cced3af47e4ab39368757e17c4352c6cacaefa338341db88c3bcc3ffcd32aabd7984c5b19051a7bb7
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
-iEYEAREIAAYFAlDweRgACgkQCaWpQKGI+9Qz4wCeMyvTv380D3o+KyUB9MJgXlHS
-CzQAn1XNUvXTGoMfXdljxdu7JzaN/K1H
-=ffge
+iEYEAREIAAYFAlD1ytIACgkQCaWpQKGI+9SlyQCfVEtAf8bKsgwki+8gQpi7MOi6
+FM0AmwdrcTGTiUyf6Y1u0j1lZu1q2wLJ
+=BtL3
 -----END PGP SIGNATURE-----
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r1.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r1.patch
new file mode 100644
index 000000000000..031f87eb4c41
--- /dev/null
+++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-s4u2proxy-r1.patch
@@ -0,0 +1,591 @@
+
+Add S4U2Proxy feature:
+
+http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
+
+The attached patches add support for using s4u2proxy 
+(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the 
+web service to obtain credentials on behalf of the authenticated user.
+
+The first patch adds basic support for s4u2proxy. This requires the web 
+administrator to manually create and manage the credentails cache for 
+the apache user (via a cron job, for example).
+
+The second patch builds on this and makes mod_auth_kerb manage the 
+ccache instead.
+
+These are patches against the current CVS HEAD (mod_auth_krb 5.4).
+
+I've added a new module option to enable this support, 
+KrbConstrainedDelegation. The default is off.
+
+--- mod_auth_kerb-5.4.orig/README	2008-11-26 11:51:05.000000000 -0500
++++ mod_auth_kerb-5.4/README	2012-01-04 11:17:22.000000000 -0500
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be 
+ credential cache that will be available for the request handler. The ticket
+ file will be removed after request is handled.
+ 
++Constrained Delegation
++----------------------
++S4U2Proxy, or constrained delegation, enables a service to use a client's
++ticket to itself to request another ticket for delegation. The KDC
++checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
++If KrbConstrainedDelegation is enabled the server will use its own credentials
++to retrieve a delegated ticket for the user. For this to work the user must
++have a forwardable ticket (though the delegation flag need not be set).
++The server needs a valid credentials cache for this to work.
++
++The module itself will obtain and manage the necessary credentials.
++
+ $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
+diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c	2011-12-09 17:55:05.000000000 -0500
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c	2012-03-01 14:19:40.000000000 -0500
+@@ -42,6 +42,31 @@
+  * POSSIBILITY OF SUCH DAMAGE.
+  */
+ 
++/*
++ * Locking mechanism inspired by mod_rewrite.
++ *
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *     http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++/*
++ * S4U2Proxy code
++ *
++ * Copyright (C) 2012  Red Hat
++ */
++
+ #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
+ 
+ #include "config.h"
+@@ -49,6 +74,7 @@
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <stdarg.h>
++#include <unixd.h>
+ 
+ #define MODAUTHKERB_VERSION "5.4"
+ 
+@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_
+ module auth_kerb_module;
+ #endif
+ 
++#ifdef STANDARD20_MODULE_STUFF
++/* s4u2proxy only supported in 2.0+ */
++static const char *lockname;
++static apr_global_mutex_t *s4u2proxy_lock = NULL;
++#endif
++
+ /*************************************************************************** 
+  Macros To Ease Compatibility
+  ***************************************************************************/
+@@ -165,6 +197,7 @@ typedef struct {
+ 	int krb_method_gssapi;
+ 	int krb_method_k5pass;
+ 	int krb5_do_auth_to_local;
++       int krb5_s4u2proxy;
+ #endif
+ #ifdef KRB4
+ 	char *krb_4_srvtab;
+@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co
+ 
+ static const char*
+ krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
++
++static int
++obtain_server_credentials(request_rec *r, const char *service_name);
+ 
+ #ifdef STANDARD20_MODULE_STUFF
+ #define command(name, func, var, type, usage)           \
+@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[
+ 
+    command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
+      FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
++
++   command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
++     FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
++
++    AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
++     RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
+ #endif 
+ 
+ #ifdef KRB4
+@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P
+ #endif
+ #ifdef KRB5
+   ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
++	((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
+ 	((kerb_auth_config *)rec)->krb_method_k5pass = 1;
+ 	((kerb_auth_config *)rec)->krb_method_gssapi = 1;
+ #endif
+@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v
+    return NULL;
+ }
+ 
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
++{
++    const char *error;
++
++    if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
++        return error;
++
++    /* fixup the path, especially for s4u2proxylock_remove() */
++    lockname = ap_server_root_relative(cmd->pool, a1);
++
++    if (!lockname) {
++        return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
++    }
++
++    return NULL;
++}
++
+ static void
+ log_rerror(const char *file, int line, int level, int status,
+            const request_rec *r, const char *fmt, ...)
+@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r,
+    gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+    OM_uint32 major_status, minor_status, minor_status2;
+    gss_name_t server_name = GSS_C_NO_NAME;
++   gss_cred_usage_t usage = GSS_C_ACCEPT;
+    char buf[1024];
+    int have_server_princ;
+ 
+@@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r,
+ 
+    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
+ 	      token.value);
++   if (conf->krb5_s4u2proxy) {
++       usage = GSS_C_BOTH;
++       obtain_server_credentials(r, conf->krb_service_name);
++   }
+    gss_release_buffer(&minor_status, &token);
+    
+    major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
+-			           GSS_C_NO_OID_SET, GSS_C_ACCEPT,
++			           GSS_C_NO_OID_SET, usage,
+ 				   server_creds, NULL, NULL);
+    gss_release_name(&minor_status2, &server_name);
+    if (GSS_ERROR(major_status)) {
+@@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+ }
+ #endif
+ 
++/* Renew the ticket if it will expire in under a minute */
++#define RENEWAL_TIME 60
++
++/*
++ * Services4U2Proxy lets a server prinicipal request another service
++ * principal on behalf of a user. To do this the Apache service needs
++ * to have its own ccache. This will ensure that the ccache has a valid
++ * principal and will initialize or renew new credentials when needed.
++ */
++
++static int
++verify_server_credentials(request_rec *r,
++                          krb5_context kcontext,
++                          krb5_ccache ccache,
++                          krb5_principal princ,
++                          int *renew
++)
++{
++    krb5_creds match_cred;
++    krb5_creds creds;
++    char * princ_name = NULL;
++    char *tgs_princ_name = NULL;
++    krb5_timestamp now;
++    krb5_error_code kerr = 0;
++
++    *renew = 0;
++
++    memset (&match_cred, 0, sizeof(match_cred));
++    memset (&creds, 0, sizeof(creds));
++
++    if (NULL == ccache || NULL == princ) {
++        /* Nothing to verify */
++        *renew = 1;
++        goto cleanup;
++    }
++
++    if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Could not unparse principal %s (%d)",
++                   error_message(kerr), kerr);
++        goto cleanup;
++    }
++
++    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++        "Using principal %s for s4u2proxy", princ_name);
++
++    tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++                                  krb5_princ_realm(kcontext, princ)->length,
++                                  krb5_princ_realm(kcontext, princ)->data,
++                                  krb5_princ_realm(kcontext, princ)->length,
++                                  krb5_princ_realm(kcontext, princ)->data);
++
++    if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server))) 
++    {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                        "Could not parse principal %s: %s (%d)",
++                        tgs_princ_name, error_message(kerr), kerr);
++        goto cleanup;
++    }
++
++    match_cred.client = princ;
++
++    if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
++    {
++        krb5_unparse_name(kcontext, princ, &princ_name);
++        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                   "Could not unparse principal %s: %s (%d)",
++                   princ_name, error_message(kerr), kerr);
++        goto cleanup;
++    }
++
++    if ((kerr = krb5_timeofday(kcontext, &now))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                        "Could not get current time: %d (%s)",
++                        kerr, error_message(kerr));
++        goto cleanup;
++    }
++
++    if (now > (creds.times.endtime + RENEWAL_TIME)) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Credentials for %s have expired or will soon "
++                   "expire - now %d endtime %d",
++                   princ_name, now, creds.times.endtime);
++        *renew = 1;
++    } else {
++        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                   "Credentials for %s will expire at "
++                   "%d, it is now %d", princ_name, creds.times.endtime, now);
++    }
++
++cleanup:
++    /* Closing context, ccache, etc happens elsewhere */
++    if (match_cred.server) {
++        krb5_free_principal(kcontext, match_cred.server);
++    }
++    if (creds.client) {
++        krb5_free_cred_contents(kcontext, &creds);
++    }
++
++    return kerr;
++}
++
++static int
++obtain_server_credentials(request_rec *r,
++                          const char *service_name)
++{
++    krb5_context kcontext = NULL;
++    krb5_keytab keytab = NULL;
++    krb5_ccache ccache = NULL;
++    char * princ_name = NULL;
++    char *tgs_princ_name = NULL;
++    krb5_error_code kerr = 0;
++    krb5_principal princ = NULL;
++    krb5_creds creds;
++    krb5_get_init_creds_opt gicopts;
++    int renew = 0;
++    apr_status_t rv = 0;
++
++    memset(&creds, 0, sizeof(creds));
++
++    if ((kerr = krb5_init_context(&kcontext))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++            "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
++        goto done;
++    }
++
++    if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                        "Could not get default Kerberos ccache: %s (%d)",
++                        error_message(kerr), kerr);
++        goto done;
++    }
++
++    if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
++        char * name = NULL;
++
++        if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
++          krb5_cc_get_name(kcontext, ccache))) == -1) {
++            kerr = KRB5_CC_NOMEM;
++            goto done;
++        }
++
++        if (KRB5_FCC_NOFILE == kerr) {
++            log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                       "Credentials cache %s not found, create one", name);
++            krb5_cc_close(kcontext, ccache);
++            ccache = NULL;
++            free(name);
++        } else {
++            log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                       "Failure to open credentials cache %s: %s (%d)",
++                       name, error_message(kerr), kerr);
++            free(name);
++            goto done;
++        }
++    }
++
++    kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++
++    if (kerr || !renew) {
++        goto done;
++    }
++
++#ifdef STANDARD20_MODULE_STUFF
++    if (s4u2proxy_lock) {
++        rv = apr_global_mutex_lock(s4u2proxy_lock);
++        if (rv != APR_SUCCESS) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++                          "apr_global_mutex_lock(s4u2proxy_lock) "
++                          "failed");
++        }
++    }
++#endif
++
++    /* We have the lock, check again to be sure another process hasn't already
++     * renewed the ticket.
++     */
++    kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++    if (kerr || !renew) {
++        goto unlock;
++    }
++
++    if (NULL == princ) {
++        princ_name = apr_psprintf(r->pool, "%s/%s",
++            (service_name) ? service_name : SERVICE_NAME,
++            ap_get_server_name(r));
++
++        if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
++            log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                       "Could not parse principal %s: %s (%d) ",
++                       princ_name, error_message(kerr), kerr);
++            goto unlock;
++        }
++    } else if (NULL == princ_name) {
++        if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++            log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                       "Could not unparse principal %s: %s (%d)",
++                       princ_name, error_message(kerr), kerr);
++            goto unlock;
++        }
++    }
++
++    if ((kerr = krb5_kt_default(kcontext, &keytab))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Unable to get default keytab: %s (%d)",
++                   error_message(kerr), kerr);
++        goto unlock;
++    }
++
++    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++               "Obtaining new credentials for %s", princ_name);
++    krb5_get_init_creds_opt_init(&gicopts);
++    krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
++
++    tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++                                  krb5_princ_realm(kcontext, princ)->length,
++                                  krb5_princ_realm(kcontext, princ)->data,
++                                  krb5_princ_realm(kcontext, princ)->length,
++                                  krb5_princ_realm(kcontext, princ)->data);
++
++    if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
++         0, tgs_princ_name, &gicopts))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Failed to obtain credentials for principal %s: "
++                   "%s (%d)", princ_name, error_message(kerr), kerr);
++        goto unlock;
++    }
++
++    krb5_kt_close(kcontext, keytab);
++    keytab = NULL;
++
++    if (NULL == ccache) {
++        if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++            log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                      "Failed to open default ccache: %s (%d)",
++                      error_message(kerr), kerr);
++            goto unlock;
++        }
++    }
++
++    if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Failed to initialize ccache for %s: %s (%d)",
++                   princ_name, error_message(kerr), kerr);
++        goto unlock;
++    }
++
++    if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
++        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                   "Failed to store %s in ccache: %s (%d)",
++                   princ_name, error_message(kerr), kerr);
++        goto unlock;
++    }
++
++unlock:
++#ifdef STANDARD20_MODULE_STUFF
++    if (s4u2proxy_lock) {
++        apr_global_mutex_unlock(s4u2proxy_lock);
++        if (rv != APR_SUCCESS) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++                          "apr_global_mutex_unlock(s4u2proxy_lock) "
++                          "failed");
++        }
++    }
++#endif
++
++done:
++    if (0 == kerr)
++        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                   "Done obtaining credentials for s4u2proxy");
++    else
++        log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                   "Failed to obtain credentials for s4u2proxy");
++
++    if (creds.client) {
++        krb5_free_cred_contents(kcontext, &creds);
++    }
++    if (ccache) {
++        krb5_cc_close(kcontext, ccache);
++    }
++    if (kcontext) {
++        krb5_free_context(kcontext);
++    }
++
++    return kerr;
++}
++
+ static int
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ 		      const char *auth_line, char **negotiate_ret_value)
+@@ -1697,10 +2052,60 @@ have_rcache_type(const char *type)
+ /*************************************************************************** 
+  Module Setup/Configuration
+  ***************************************************************************/
++#ifdef STANDARD20_MODULE_STUFF
++static apr_status_t
++s4u2proxylock_create(server_rec *s, apr_pool_t *p)
++{
++    apr_status_t rc;
++
++    /* only operate if a lockfile is used */
++    if (lockname == NULL || *(lockname) == '\0') {
++        return APR_SUCCESS;
++    }
++
++    /* create the lockfile */
++    rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
++                                 APR_LOCK_DEFAULT, p);
++    if (rc != APR_SUCCESS) {
++        ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++                     "Parent could not create lock file %s", lockname);
++        return rc;
++    }
++
++#ifdef AP_NEED_SET_MUTEX_PERMS
++    rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
++    if (rc != APR_SUCCESS) {
++        ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++                     "mod_auth_kerb: Parent could not set permissions "
++                     "on lock; check User and Group directives");
++        return rc;
++    }
++#endif
++
++    return APR_SUCCESS;
++}
++
++static apr_status_t
++s4u2proxylock_remove(void *unused)
++{
++    /* only operate if a lockfile is used */
++    if (lockname == NULL || *(lockname) == '\0') {
++        return APR_SUCCESS;
++    }
++
++    /* destroy the rewritelock */
++    apr_global_mutex_destroy(s4u2proxy_lock);
++    s4u2proxy_lock = NULL;
++    lockname = NULL;
++    return APR_SUCCESS;
++}
++#endif
++
+ #ifndef STANDARD20_MODULE_STUFF
+ static void
+ kerb_module_init(server_rec *dummy, pool *p)
+ {
++   apr_status_t status;
+ #ifndef HEIMDAL
+    /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
+       1.3.x are covered by the hack overiding the replay calls */
+@@ -1741,6 +2146,7 @@ static int
+ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
+       		  apr_pool_t *ptemp, server_rec *s)
+ {
++   apr_status_t rv;
+    ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
+ #ifndef HEIMDAL
+    /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
+@@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
+    if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+       putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
++#ifdef STANDARD20_MODULE_STUFF
++    rv = s4u2proxylock_create(s, p);
++    if (rv != APR_SUCCESS) {
++        return HTTP_INTERNAL_SERVER_ERROR;
++    }
++
++    apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
++                              apr_pool_cleanup_null);
++#endif
+    
+    return OK;
+ }
+ 
+ static void
++initialize_child(apr_pool_t *p, server_rec *s)
++{
++    apr_status_t rv = 0;
++
++#ifdef STANDARD20_MODULE_STUFF
++    if (lockname != NULL && *(lockname) != '\0') {
++        rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
++        if (rv != APR_SUCCESS) {
++            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
++                         "mod_auth_kerb: could not init s4u2proxy_lock"
++                         " in child");
++        }
++    }
++#endif
++}
++
++static void
+ kerb_register_hooks(apr_pool_t *p)
+ {
+    ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
++   ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
+ }
+ 
diff --git a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r1.ebuild b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r1.ebuild
index 2ace6a0dc875..214bf71c2407 100644
--- a/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r1.ebuild
+++ b/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r1.ebuild,v 1.1 2013/01/03 18:58:44 pacho Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r1.ebuild,v 1.2 2013/01/15 21:32:01 pacho Exp $
 
 inherit apache-module eutils
 
@@ -29,7 +29,7 @@ src_unpack() {
 
 	epatch "${FILESDIR}"/${P}-rcopshack.patch
 	epatch "${FILESDIR}"/${P}-fixes.patch
-	epatch "${FILESDIR}"/${P}-s4u2proxy.patch
+	epatch "${FILESDIR}"/${P}-s4u2proxy-r1.patch
 	epatch "${FILESDIR}"/${P}-httpd24.patch
 	epatch "${FILESDIR}"/${P}-delegation.patch
 	epatch "${FILESDIR}"/${P}-cachedir.patch
author	Pacho Ramos <pacho@gentoo.org>	2013-01-15 21:32:06 +0000
committer	Pacho Ramos <pacho@gentoo.org>	2013-01-15 21:32:06 +0000
commit	9588a5630f1e20308e0de4102caa61a5218f91f8 (patch)
tree	1efc909bc38898e82ab3c96cc78f0ce82650c6d9 /www-apache
parent	Remove dev-python/sphinx mask after replacing the broken rev with a new one. (diff)
download	historical-9588a5630f1e20308e0de4102caa61a5218f91f8.tar.gz historical-9588a5630f1e20308e0de4102caa61a5218f91f8.tar.bz2 historical-9588a5630f1e20308e0de4102caa61a5218f91f8.zip