From 3a3679b196242f67d9aef867d5b914df8dfba1bd Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 02 2016 13:54:15 +0000
Subject: import mod_auth_gssapi-1.3.1-3.el7_2
---
diff --git a/SOURCES/0001-Implement-unique-ccache-names.patch b/SOURCES/0001-Implement-unique-ccache-names.patch
new file mode 100644
index 0000000..1408cc9
--- /dev/null
+++ b/SOURCES/0001-Implement-unique-ccache-names.patch
@@ -0,0 +1,369 @@ +From 4b2643196c683b5ff300de2a1d41dd3cc900d4d1 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Sun, 8 May 2016 02:31:00 -0400 +Subject: [PATCH 1/2] Implement unique ccache names + +Unique ccache names may be requested using the GssapiDelegCcacheUnique +configuration option. This option is off by default. If both unique +ccache names and session use are enabled, then a mechanism for removing +old ccaches must be supplied. + +Signed-off-by: Robbie Harwood +Also-authored-by: Petr Vobornik +Reviewed-by: Simo Sorce +--- + README | 13 +++++++ + src/asn1c/GSSSessionData.c | 17 +++++++--- + src/asn1c/GSSSessionData.h | 2 +- + src/asn1c/Uint32.c | 1 - + src/asn1c/Uint32.h | 1 - + src/asn1c/session.asn1 | 3 +- + src/mod_auth_gssapi.c | 84 ++++++++++++++++++++++++++++++---------------- + src/mod_auth_gssapi.h | 4 +++ + src/sessions.c | 8 +++++ + 9 files changed, 96 insertions(+), 37 deletions(-) + +diff --git a/README b/README +index 9d25fb3fd774888c19a38100b256243c172e6f36..285a48f68379e2cb305af85737eefd85fbbaf025 100644 +--- a/README ++++ b/README +@@ -171,6 +171,19 @@ A user foo@EXAMPLE.COM delegating its credentials would cause the server to + create a ccache file named /var/run/httpd/clientcaches/foo@EXAMPLE.COM + + ++### GssapiDelegCcacheUnique ++ ++Enables using unique ccache names for delegation. ccache files will be placed ++in GssapiDelegCcacheDir and named using the principal and a six-digit unique ++suffix. ++ ++**Note:** Consuming application must delete the ccache otherwise it will ++litter the filesystem if sessions are used. An example sweeper can be found ++in the contrib directory. 
++ ++#### Example ++ GssapiDelegCcacheUnique On ++ + ### GssapiUseS4U2Proxy + + Enables the use of the s4u2Proxy Kerberos extension also known as +diff --git a/src/asn1c/GSSSessionData.c b/src/asn1c/GSSSessionData.c +index 12a98e3f215c095131fe8a53453991f4134334f8..f0dcc2e721ac56b9c7741cc0e58de3e973be81c5 100644 +--- a/src/asn1c/GSSSessionData.c ++++ b/src/asn1c/GSSSessionData.c +@@ -2,7 +2,6 @@ + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) + * From ASN.1 module "GssapiSessionModule" + * found in "session.asn1" +- * `asn1c -fskeletons-copy` + */ + + #include "GSSSessionData.h" +@@ -62,6 +61,15 @@ static asn_TYPE_member_t asn_MBR_GSSSessionData_1[] = { + 0, + "basichash" + }, ++ { ATF_NOFLAGS, 0, offsetof(struct GSSSessionData, ccname), ++ (ASN_TAG_CLASS_CONTEXT | (6 << 2)), ++ +1, /* EXPLICIT tag at current level */ ++ &asn_DEF_OCTET_STRING, ++ 0, /* Defer constraints checking to the member type */ ++ 0, /* PER is not compiled, use -gen-PER */ ++ 0, ++ "ccname" ++ }, + }; + static ber_tlv_tag_t asn_DEF_GSSSessionData_tags_1[] = { + (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)) +@@ -72,13 +80,14 @@ static asn_TYPE_tag2member_t asn_MAP_GSSSessionData_tag2el_1[] = { + { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 }, /* expiration */ + { (ASN_TAG_CLASS_CONTEXT | (3 << 2)), 3, 0, 0 }, /* username */ + { (ASN_TAG_CLASS_CONTEXT | (4 << 2)), 4, 0, 0 }, /* gssname */ +- { (ASN_TAG_CLASS_CONTEXT | (5 << 2)), 5, 0, 0 } /* basichash */ ++ { (ASN_TAG_CLASS_CONTEXT | (5 << 2)), 5, 0, 0 }, /* basichash */ ++ { (ASN_TAG_CLASS_CONTEXT | (6 << 2)), 6, 0, 0 } /* ccname */ + }; + static asn_SEQUENCE_specifics_t asn_SPC_GSSSessionData_specs_1 = { + sizeof(struct GSSSessionData), + offsetof(struct GSSSessionData, _asn_ctx), + asn_MAP_GSSSessionData_tag2el_1, +- 6, /* Count of tags in the map */ ++ 7, /* Count of tags in the map */ + 0, 0, 0, /* Optional elements (not needed) */ + -1, /* Start extensions */ + -1 /* Stop extensions */ +@@ -103,7 +112,7 @@ asn_TYPE_descriptor_t 
asn_DEF_GSSSessionData = { + /sizeof(asn_DEF_GSSSessionData_tags_1[0]), /* 1 */ + 0, /* No PER visible constraints */ + asn_MBR_GSSSessionData_1, +- 6, /* Elements count */ ++ 7, /* Elements count */ + &asn_SPC_GSSSessionData_specs_1 /* Additional specs */ + }; + +diff --git a/src/asn1c/GSSSessionData.h b/src/asn1c/GSSSessionData.h +index 53556d886347107d66bd640fea1241452e37b07a..4ae224f1bfacb47ec5567fda7ff38210cbc1abbb 100644 +--- a/src/asn1c/GSSSessionData.h ++++ b/src/asn1c/GSSSessionData.h +@@ -2,7 +2,6 @@ + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) + * From ASN.1 module "GssapiSessionModule" + * found in "session.asn1" +- * `asn1c -fskeletons-copy` + */ + + #ifndef _GSSSessionData_H_ +@@ -29,6 +28,7 @@ typedef struct GSSSessionData { + OCTET_STRING_t username; + OCTET_STRING_t gssname; + OCTET_STRING_t basichash; ++ OCTET_STRING_t ccname; + + /* Context for parsing across buffer boundaries */ + asn_struct_ctx_t _asn_ctx; +diff --git a/src/asn1c/Uint32.c b/src/asn1c/Uint32.c +index 794f98b54838466234fdca75def963e814c31ffd..f5d125aec0dfffa6f87a69569550bfa1739bd9b1 100644 +--- a/src/asn1c/Uint32.c ++++ b/src/asn1c/Uint32.c +@@ -2,7 +2,6 @@ + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) + * From ASN.1 module "GssapiSessionModule" + * found in "session.asn1" +- * `asn1c -fskeletons-copy` + */ + + #include "Uint32.h" +diff --git a/src/asn1c/Uint32.h b/src/asn1c/Uint32.h +index a0ed87608505e5ddc7b1ae86b70710ee39788753..436e26ea73af1a194bc81387d6edcbf8be898c68 100644 +--- a/src/asn1c/Uint32.h ++++ b/src/asn1c/Uint32.h +@@ -2,7 +2,6 @@ + * Generated by asn1c-0.9.27 (http://lionet.info/asn1c) + * From ASN.1 module "GssapiSessionModule" + * found in "session.asn1" +- * `asn1c -fskeletons-copy` + */ + + #ifndef _Uint32_H_ +diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c +index a480997bfccb57641fb0d9d86cd7fdb39c392ee3..48eb76f982b1b0f053fe6d8de41dfdc5c3faf8b6 100644 +--- a/src/mod_auth_gssapi.c ++++ b/src/mod_auth_gssapi.c +@@ -225,10 
+225,11 @@ static char *escape(apr_pool_t *pool, const char *name, + return escaped; + } + +-static char *mag_gss_name_to_ccache_name(request_rec *req, +- char *dir, const char *gss_name) ++static char *get_ccache_name(request_rec *req, char *dir, const char *gss_name, ++ bool use_unique, struct mag_conn *mc) + { +- char *escaped; ++ char *ccname, *escaped; ++ int ccachefd; + + /* We need to escape away '/', we can't have path separators in + * a ccache file name */ +@@ -237,10 +238,24 @@ static char *mag_gss_name_to_ccache_name(request_rec *req, + /* then escape away the separator (/) if any */ + escaped = escape(req->pool, escaped, '/', "~"); + +- return apr_psprintf(req->pool, "%s/%s", dir, escaped); ++ if (use_unique == false) { ++ return apr_psprintf(req->pool, "%s/%s", dir, escaped); ++ } ++ ++ ccname = apr_psprintf(mc->pool, "%s/%s-XXXXXX", dir, escaped); ++ ++ ccachefd = mkstemp(ccname); ++ if (ccachefd == -1) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, ++ "creating unique ccache file %s failed", ccname); ++ return NULL; ++ } ++ close(ccachefd); ++ return ccname; + } + +-static void mag_set_KRB5CCANME(request_rec *req, char *ccname) ++static void mag_set_KRB5CCNAME(request_rec *req, const char *dir, ++ const char *ccname) + { + apr_status_t status; + apr_finfo_t finfo; +@@ -253,24 +268,20 @@ static void mag_set_KRB5CCANME(request_rec *req, char *ccname) + "KRB5CCNAME file (%s) lookup failed!", ccname); + } + +- value = apr_psprintf(req->pool, "FILE:%s", ccname); ++ value = apr_psprintf(req->pool, "FILE:%s/%s", dir, ccname); + apr_table_set(req->subprocess_env, "KRB5CCNAME", value); + } + +-static void mag_store_deleg_creds(request_rec *req, +- char *dir, char *clientname, +- gss_cred_id_t delegated_cred, +- char **ccachefile) ++static void mag_store_deleg_creds(request_rec *req, const char *ccname, ++ gss_cred_id_t delegated_cred) + { + gss_key_value_element_desc element; + gss_key_value_set_desc store; +- char *ccname; + uint32_t maj, min; + 
element.key = "ccache"; + store.elements = &element; + store.count = 1; + +- ccname = mag_gss_name_to_ccache_name(req, dir, clientname); + element.value = apr_psprintf(req->pool, "FILE:%s", ccname); + + maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, +@@ -280,8 +291,6 @@ static void mag_store_deleg_creds(request_rec *req, + mag_error(req, "failed to store delegated creds", + maj, min)); + } +- +- *ccachefile = ccname; + } + #endif + +@@ -339,14 +348,8 @@ static void mag_set_req_data(request_rec *req, + req->ap_auth_type = apr_pstrdup(req->pool, + auth_types[mc->auth_type]); + req->user = apr_pstrdup(req->pool, mc->user_name); +- if (cfg->deleg_ccache_dir && mc->delegated) { +- char *ccname; +- ccname = mag_gss_name_to_ccache_name(req, +- cfg->deleg_ccache_dir, +- mc->gss_name); +- if (ccname) { +- mag_set_KRB5CCANME(req, ccname); +- } ++ if (cfg->deleg_ccache_dir && mc->delegated && mc->ccname) { ++ mag_set_KRB5CCNAME(req, cfg->deleg_ccache_dir, mc->ccname); + } + } + +@@ -943,18 +946,30 @@ complete: + + #ifdef HAVE_CRED_STORE + if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { +- char *ccachefile = NULL; ++ char *ccache_path; + +- mag_store_deleg_creds(req, cfg->deleg_ccache_dir, clientname, +- delegated_cred, &ccachefile); ++ mc->ccname = 0; ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, ++ "requester: %s", mc->gss_name); + +- if (ccachefile) { +- mag_set_KRB5CCANME(req, ccachefile); ++ ccache_path = get_ccache_name(req, cfg->deleg_ccache_dir, mc->gss_name, ++ cfg->deleg_ccache_unique, mc); ++ if (ccache_path == NULL) { ++ goto done; + } + +- if (mc) { +- mc->delegated = true; ++ mag_store_deleg_creds(req, ccache_path, delegated_cred); ++ mc->delegated = true; ++ ++ if (!req_cfg->use_sessions && cfg->deleg_ccache_unique) { ++ /* queue removing ccache to avoid littering filesystem */ ++ apr_pool_cleanup_register(mc->pool, ccache_path, ++ (int (*)(void *)) unlink, ++ apr_pool_cleanup_null); + } ++ ++ /* extract filename from 
full path */ ++ mc->ccname = strrchr(ccache_path, '/') + 1; + } + #endif + +@@ -1084,6 +1099,15 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) + + return NULL; + } ++ ++static const char *mag_deleg_ccache_unique(cmd_parms *parms, void *mconfig, ++ int on) ++{ ++ struct mag_config *cfg = (struct mag_config *)mconfig; ++ cfg->deleg_ccache_unique = on ? true : false; ++ return NULL; ++} ++ + #endif + + static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) +@@ -1338,6 +1362,8 @@ static const command_rec mag_commands[] = { + "Credential Store"), + AP_INIT_RAW_ARGS("GssapiDelegCcacheDir", mag_deleg_ccache_dir, NULL, + OR_AUTHCFG, "Directory to store delegated credentials"), ++ AP_INIT_FLAG("GssapiDelegCcacheUnique", mag_deleg_ccache_unique, NULL, ++ OR_AUTHCFG, "Use unique ccaches for delgation"), + #endif + #ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD + AP_INIT_FLAG("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG, +diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h +index d73036b2473f0e8da66de699194eacc8e6f7d83a..b5032def3c1835105b4d0909ce19b5be795ae33d 100644 +--- a/src/mod_auth_gssapi.h ++++ b/src/mod_auth_gssapi.h +@@ -2,7 +2,9 @@ + + #include + #include ++#include + #include ++#include + + #define APR_WANT_STRFUNC + #include "apr_want.h" +@@ -56,6 +58,7 @@ struct mag_config { + bool use_s4u2proxy; + char *deleg_ccache_dir; + gss_key_value_set_desc *cred_store; ++ bool deleg_ccache_unique;; + #endif + struct seal_key *mag_skey; + +@@ -90,6 +93,7 @@ struct mag_conn { + int auth_type; + bool delegated; + struct databuf basic_hash; ++ const char *ccname; + }; + + #define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +diff --git a/src/sessions.c b/src/sessions.c +index 70f39a291d4bcfa0117635cdd8c2fbb4ee8df305..c785d2784cd99845fff64529cf60a03892179242 100644 +--- a/src/sessions.c ++++ b/src/sessions.c +@@ -177,6 +177,12 @@ void mag_check_session(struct mag_req_cfg *cfg, struct mag_conn **conn) + 
memcpy(mc->basic_hash.value, + gsessdata->basichash.buf, gsessdata->basichash.size); + ++ /* ccname */ ++ mc->ccname = apr_pstrndup(mc->pool, ++ (char *)gsessdata->ccname.buf, ++ gsessdata->ccname.size); ++ if (!mc->ccname) goto done; ++ + /* OK we have a valid token */ + mc->established = true; + +@@ -222,6 +228,8 @@ void mag_attempt_session(struct mag_req_cfg *cfg, struct mag_conn *mc) + (const char *)mc->basic_hash.value, + mc->basic_hash.length) != 0) + goto done; ++ if (OCTET_STRING_fromString(&gsessdata.ccname, mc->ccname) != 0) ++ goto done; + ret = encode_GSSSessionData(req->pool, &gsessdata, + &plainbuf.value, &plainbuf.length); + if (ret == false) { +-- +2.5.5 + diff --git a/SOURCES/0002-Fix-cred-cache-detection.patch b/SOURCES/0002-Fix-cred-cache-detection.patch new file mode 100644 index 0000000..90822b8 --- /dev/null +++ b/SOURCES/0002-Fix-cred-cache-detection.patch 
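Review bot: In `get_ccache_name` the non-unique branch still returns a path from `req->pool` while the unique branch allocates from `mc->pool`, and the caller then stores `strrchr(ccache_path, '/') + 1` into `mc->ccname`, so if `mc` outlives the request (it is a `struct mag_conn` and `mag_attempt_session` reads the field later) the non-unique name dangles once the request pool is cleared; use `apr_psprintf(mc->pool, "%s/%s", dir, escaped)` there as well. In `mag_attempt_session` the added `OCTET_STRING_fromString(&gsessdata.ccname, mc->ccname)` runs for every session, but `mc->ccname` is only set when credentials were delegated, and the asn1c helper appears to return -1 for a NULL string, which would make every non-delegating request `goto done` without a session; guard it with `if (mc->ccname)`. The decode side in `mag_check_session` treats a NULL result from `apr_pstrndup` as an invalid token, which likewise rejects sessions that carry no ccname; only fail there when `gsessdata->ccname.size` is non-zero. `(int (*)(void *)) unlink` registers a cleanup through an incompatible function-pointer type; a tiny wrapper `static apr_status_t mag_unlink_ccache(void *p) { unlink(p); return APR_SUCCESS; }` keeps the call well-defined. Minor: `bool deleg_ccache_unique;;` has a stray semicolon and the directive help text should read "delegation".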
@@ -0,0 +1,44 @@
+From 20ac4be6af9c3f5608063e96b5f1b4a04a9bc593 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 7 Jun 2016 09:57:26 -0400
+Subject: [PATCH 2/2] Fix cred cache detection
+
+The stat call was not using the full path name, therefore it was always
+failing.
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Jan Pazdziora
+Close #91
+---
+ src/mod_auth_gssapi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index 48eb76f982b1b0f053fe6d8de41dfdc5c3faf8b6..7e2e7a83481386e8c4ee25e40913b42390b1d81a 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -259,16 +259,19 @@ static void mag_set_KRB5CCNAME(request_rec *req, const char *dir,
+ {
+ apr_status_t status;
+ apr_finfo_t finfo;
++ char *path;
+ char *value;
+
+- status = apr_stat(&finfo, ccname, APR_FINFO_MIN, req->pool);
++ path = apr_psprintf(req->pool, "%s/%s", dir, ccname);
++
++ status = apr_stat(&finfo, path, APR_FINFO_MIN, req->pool);
+ if (status != APR_SUCCESS && status != APR_INCOMPLETE) {
+ /* set the file cache anyway, but warn */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "KRB5CCNAME file (%s) lookup failed!", ccname);
+ }
+
+- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, ccname);
++ value = apr_psprintf(req->pool, "FILE:%s", path);
+ apr_table_set(req->subprocess_env, "KRB5CCNAME", value);
+ }
+
+--
+2.5.5
+
diff --git a/SOURCES/Fix-backport.patch b/SOURCES/Fix-backport.patch
new file mode 100644
index 0000000..9d216ed
--- /dev/null
+++ b/SOURCES/Fix-backport.patch
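Review bot: The error message in `mag_set_KRB5CCNAME` still prints `ccname` although the stat now runs against the full `path`, so a failure is logged with only the bare file name and an operator cannot see which directory was checked; change it to `"KRB5CCNAME file (%s) lookup failed!", path`. The comment above says the cache is set anyway, yet the event is logged at APLOG_ERR; if a swept or missing ccache is an expected condition when unique ccaches and sessions are combined, APLOG_WARNING would match the comment's intent better.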
@@ -0,0 +1,85 @@ +diff -uPr mod_auth_gssapi-1.3.1.orig/src/mod_auth_gssapi.c mod_auth_gssapi-1.3.1.new/src/mod_auth_gssapi.c +--- mod_auth_gssapi-1.3.1.orig/src/mod_auth_gssapi.c 2016-06-30 12:30:36.364868486 -0400 ++++ mod_auth_gssapi-1.3.1.new/src/mod_auth_gssapi.c 2016-06-30 13:24:26.042162365 -0400 +@@ -711,12 +711,10 @@ + uint32_t maj, min; + char *reply; + size_t replen; +- char *clientname; + gss_OID mech_type = GSS_C_NO_OID; + gss_OID_set desired_mechs = GSS_C_NO_OID_SET; + gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; + struct mag_conn *mc = NULL; +- time_t expiration; + int i; + + type = ap_auth_type(req); +@@ -877,8 +875,6 @@ + mag_conn_clear(mc); + } + +- req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]); +- + #ifdef HAVE_CRED_STORE + if (use_s4u2proxy(req_cfg)) { + cred_usage = GSS_C_BOTH; +@@ -941,11 +937,15 @@ + maj, min)); + goto done; + } +- clientname = apr_pstrndup(req->pool, name.value, name.length); +- apr_table_set(req->subprocess_env, "GSS_NAME", clientname); +- expiration = time(NULL) + vtime; +- apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", +- apr_psprintf(req->pool, "%ld", (long)expiration)); ++ ++ if (!mc) { ++ mc = mag_new_conn_ctx(req->pool); ++ } ++ mc->gss_name = apr_pstrndup(req->pool, name.value, name.length); ++ if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { ++ vtime = MIN_SESS_EXP_TIME; ++ } ++ mc->expiration = time(NULL) + vtime; + + #ifdef HAVE_CRED_STORE + if (cfg->deleg_ccache_dir && delegated_cred != GSS_C_NO_CREDENTIAL) { +@@ -983,27 +983,21 @@ + mag_error(req, "gss_localname() failed", maj, min)); + goto done; + } +- req->user = apr_pstrndup(req->pool, lname.value, lname.length); ++ mc->user_name = apr_pstrndup(req->pool, lname.value, lname.length); + } else { +- req->user = clientname; ++ mc->user_name = mc->gss_name; + } + +- if (mc) { +- mc->user_name = apr_pstrdup(mc->pool, req->user); +- mc->gss_name = apr_pstrdup(mc->pool, clientname); +- mc->established = true; +- if (vtime 
== GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { +- vtime = MIN_SESS_EXP_TIME; +- } +- mc->expiration = expiration; +- mc->auth_type = auth_type; +- if (auth_type == AUTH_TYPE_BASIC) { +- mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); +- } +- if (req_cfg->use_sessions) { +- mag_attempt_session(req_cfg, mc); +- } ++ mc->established = true; ++ mc->auth_type = auth_type; ++ if (auth_type == AUTH_TYPE_BASIC) { ++ mag_basic_cache(req_cfg, mc, ba_user, ba_pwd); + } ++ if (req_cfg->use_sessions) { ++ mag_attempt_session(req_cfg, mc); ++ } ++ ++ mag_set_req_data(req, cfg, mc); + + if (req_cfg->send_persist) + apr_table_set(req->headers_out, "Persistent-Auth", diff --git a/SPECS/mod_auth_gssapi.spec b/SPECS/mod_auth_gssapi.spec index a829a08..3a60a9e 100644 --- a/SPECS/mod_auth_gssapi.spec +++ b/SPECS/mod_auth_gssapi.spec @@ -1,6 +1,6 @@ Name: mod_auth_gssapi Version: 1.3.1 -Release: 1%{?dist} +Release: 3%{?dist} Summary: A GSSAPI Authentication module for Apache Group: System Environment/Daemons @@ -8,6 +8,10 @@ License: MIT URL: https://github.com/modauthgssapi/mod_auth_gssapi Source0: https://github.com/modauthgssapi/%{name}/releases/download/v%{version}/%name-%{version}.tar.gz +Patch0: 0001-Implement-unique-ccache-names.patch +Patch1: 0002-Fix-cred-cache-detection.patch +Patch2: Fix-backport.patch + BuildRequires: httpd-devel, krb5-devel, openssl-devel, autoconf, automake, libtool Requires: httpd-mmn = %{_httpd_mmn} Requires: krb5-libs >= 1.11.5 @@ -18,6 +22,9 @@ SPNEGO based HTTP Authentication protocol defined in RFC4559. %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build export APXS=%{_httpd_apxs} 
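Review bot: The new lines `mc->gss_name = apr_pstrndup(req->pool, name.value, name.length);` and `mc->user_name = apr_pstrndup(req->pool, lname.value, lname.length);` allocate fields of the connection context from the request pool, whereas the removed block copied them with `apr_pstrdup(mc->pool, ...)`; when `mc` is supplied from outside this function (the `if (!mc)` guard shows that path exists) and outlives the request, both pointers dangle after the request pool is destroyed, so allocate them from `mc->pool` as before. The removed `apr_table_set(req->subprocess_env, "GSS_NAME", ...)` and `GSS_SESSION_EXPIRATION` exports are not re-added in these hunks; presumably `mag_set_req_data`, which is now called at the end, sets them, but since this backport carries only part of the upstream refactor that should be confirmed rather than assumed. The enclosing function starts and ends outside the visible hunks.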
@@ -43,6 +50,14 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir} %{_httpd_moddir}/mod_auth_gssapi.so %changelog +* Thu Jun 30 2016 Simo Sorce 1.3.1-3 +- Fix backport issue +- related: #1347175 + +* Wed Jun 15 2016 Simo Sorce 1.3.1-2 +- Add Unique ccache support +- resolves: #1347175 + * Thu Sep 3 2015 Simo Sorce 1.3.1-1 - Various bugfixes and minor new features - resolves: #1258168