Gentoo's Bugzilla – Attachment 240415 Details for
Bug 330193
www-apache/mod_auth_kerb-5.4: "Unknown Authn provider: kerberos"
[patch]
Patch that adds Apache 2.2 compatibility to mod_auth_kerb
mod_auth_kerb-5.4-apache-2.2.patch (text/plain), 6.12 KB, created by
Christian Meyer
on 2010-07-28 12:26:27 UTC
Description:
Patch that adds Apache 2.2 compatibility to mod_auth_kerb
Filename:
MIME Type:
Creator:
Christian Meyer
Created:
2010-07-28 12:26:27 UTC
Size:
6.12 KB
>--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2008-12-04 11:14:03.000000000 +0100
>+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2009-04-27 12:11:48.000000000 +0200
>@@ -62,6 +62,11 @@
> #include <http_protocol.h>
> #include <http_request.h>
>
>+#if AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER== 2
>+#define APACHE22
>+#include "mod_auth.h"
>+#endif
>+
> #ifdef STANDARD20_MODULE_STUFF
> #include <apr_strings.h>
> #include <apr_base64.h>
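Review bot: The version guard compiles the provider out without any diagnostic when it does not match: an undefined `AP_SERVER_MAJORVERSION_NUMBER` or `AP_SERVER_MINORVERSION_NUMBER` evaluates to 0 inside `#if`, and the `== 2` test on the minor number excludes every release other than 2.2. The module would then still build and load with no `kerberos` provider registered, which presumably surfaces only as the "Unknown Authn provider" error this bug is about. If `ap_release.h` is not guaranteed to be pulled in by the includes above this point, include it explicitly, and add a comment such as `/* authn provider API: exact 2.2 match is intentional, see bug 330193 */` or relax the test if later versions are meant to be covered.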
>@@ -1802,11 +1812,176 @@
> return OK;
> }
>
>+#ifdef APACHE22
>+static authn_status authenticate_user_krb5pwd22(request_rec *r, const char *sent_name,
>+ const char *sent_pw)
>+{
>+ const char *realms = NULL;
>+ const char *realm = NULL;
>+ krb5_context kcontext = NULL;
>+ krb5_error_code code;
>+ krb5_principal client = NULL;
>+ krb5_principal server = NULL;
>+ krb5_ccache ccache = NULL;
>+ krb5_keytab keytab = NULL;
>+ int ret;
>+ char *name = NULL;
>+ int all_principals_unkown;
>+ char *p = NULL;
>+
>+ kerb_auth_config *conf =
>+ (kerb_auth_config *) ap_get_module_config(r->per_dir_config,
>+ &auth_kerb_module);
>+
>+
>+ code = krb5_init_context(&kcontext);
>+ if (code) {
>+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>+ "Cannot initialize Kerberos5 context (%d)", code);
>+ return AUTH_GENERAL_ERROR;
>+ }
>+
>+ if (sent_pw == NULL || *sent_pw == '\0') {
>+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>+ "empty passwords are not accepted");
>+ ret = AUTH_DENIED;
>+ goto end;
>+ }
>+
>+ if (conf->krb_5_keytab)
>+ krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
>+
>+ if (conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL)
>+ ret = krb5_parse_name (kcontext, conf->krb_service_name, &server);
>+ else
>+ ret = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
>+ (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
>+ KRB5_NT_SRV_HST, &server);
>+
>+ if (ret) {
>+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>+ "Error parsing server name (%s): %s",
>+ (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
>+ krb5_get_err_text(kcontext, ret));
>+ ret = AUTH_DENIED;
>+ goto end;
>+ }
>+
>+ code = krb5_unparse_name(kcontext, server, &name);
>+ if (code) {
>+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>+ "krb5_unparse_name() failed: %s",
>+ krb5_get_err_text(kcontext, code));
>+ ret = AUTH_DENIED;
>+ goto end;
>+ }
>+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Using %s as server principal for password verification", name);
>+ free(name);
>+ name = NULL;
>+
>+ p = strchr(sent_name, '@');
>+ if (p) {
>+ *p++ = '\0';
>+ if (conf->krb_auth_realms && !ap_find_token(r->pool, conf->krb_auth_realms, p)) {
>+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>+ "Specified realm `%s' not allowed by configuration", p);
>+ ret = AUTH_DENIED;
>+ goto end;
>+ }
>+ }
>+
>+ realms = (p) ? p : conf->krb_auth_realms;
>+ all_principals_unkown = 1;
>+ do {
>+ name = (char *) sent_name;
>+ if (realms && (realm = ap_getword_white(r->pool, &realms)))
>+ name = apr_psprintf(r->pool, "%s@%s", sent_name, realm);
>+
>+ if (client) {
>+ krb5_free_principal(kcontext, client);
>+ client = NULL;
>+ }
>+
>+ code = krb5_parse_name(kcontext, name, &client);
>+ if (code) {
>+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>+ "krb5_parse_name() failed: %s",
>+ krb5_get_err_text(kcontext, code));
>+ continue;
>+ }
>+
>+ code = verify_krb5_user(r, kcontext, client, sent_pw,
>+ server, keytab, conf->krb_verify_kdc, conf->krb_service_name, &ccache);
>+ if (code == 0)
>+ break;
>+
>+ /* ap_getword_white() used above shifts the parameter, so it's not
>+ needed to touch the realms variable */
>+ } while (realms && *realms);
>+
>+ memset((char *)sent_pw, 0, strlen(sent_pw));
>+
>+ if (code) {
>+ if (all_principals_unkown == 1 && code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)
>+ ret = AUTH_USER_NOT_FOUND;
>+ else
>+ ret = AUTH_DENIED;
>+
>+ goto end;
>+ }
>+
>+ code = krb5_unparse_name(kcontext, client, &name);
>+ if (code) {
>+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_unparse_name() failed: %s",
>+ krb5_get_err_text(kcontext, code));
>+ ret = AUTH_DENIED;
>+ goto end;
>+ }
>+ MK_USER = apr_pstrdup (r->pool, name);
>+ MK_AUTH_TYPE = "Basic";
>+ free(name);
>+
>+ if (conf->krb_save_credentials)
>+ store_krb5_creds(kcontext, r, conf, ccache);
>+
>+ ret = AUTH_GRANTED;
>+
>+end:
>+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>+ "kerb_authenticate_user_krb5pwd22 ret=%d user=%s authtype=%s",
>+ ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)");
>+ if (client)
>+ krb5_free_principal(kcontext, client);
>+ if (server)
>+ krb5_free_principal(kcontext, server);
>+ if (ccache)
>+ krb5_cc_destroy(kcontext, ccache);
>+ if (keytab)
>+ krb5_kt_close(kcontext, keytab);
>+ krb5_free_context(kcontext);
>+
>+ return ret;
>+
>+}
>+
>+static const authn_provider authn_kerberos_provider =
>+{
>+ &authenticate_user_krb5pwd22,
>+ NULL
>+};
>+
>+
>+#endif
>+
> static void
> kerb_register_hooks(apr_pool_t *p)
> {
> ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
> ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
>+#ifdef APACHE22
>+ ap_register_provider(p, AUTHN_PROVIDER_GROUP, "kerberos", "0",
>+ &authn_kerberos_provider);
>+#endif
> }
>
> module AP_MODULE_DECLARE_DATA auth_kerb_module =
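Review bot: authenticate_user_krb5pwd22 writes through both of its `const char *` arguments: `*p++ = '\0'` truncates `sent_name` at the `@`, and `memset((char *)sent_pw, 0, strlen(sent_pw))` wipes the caller's password buffer. Because the function can return AUTH_USER_NOT_FOUND, a caller that goes on to try another authn provider would presumably hand it the truncated name and an empty password; splitting a pool copy instead (`char *user = apr_pstrdup(r->pool, sent_name); p = strchr(user, '@');`, with `user` used in the loop) and leaving the wipe to the owner of the buffer avoids that. `all_principals_unkown` is set to 1 and never cleared, so the NOT_FOUND decision rests on the last realm's error alone; `if (code != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN) all_principals_unkown = 0;` after the verify_krb5_user call would make the flag mean what its name says. The return value of `krb5_kt_resolve` is also ignored, so a bad keytab path leaves `keytab` NULL, and what verify_krb5_user does with a NULL keytab is not visible in this hunk; logging the failure and returning AUTH_GENERAL_ERROR would fail closed.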
Attachments on
bug 330193
:
240413
| 240415