diff --git a/0001-Escape-principal-name-to-remove-the-path-separator.patch b/0001-Escape-principal-name-to-remove-the-path-separator.patch
deleted file mode 100644
index b33e1cc..0000000
--- a/0001-Escape-principal-name-to-remove-the-path-separator.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -From 286e3dac69c3d4b32db93de1f9937f434383588f Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Thu, 26 Mar 2015 16:30:56 -0400 -Subject: [PATCH] Escape principal name to remove the path separator - -The principla name is used as a file name, any embedded path separators -are going to cause trouble if used in the file name, so we need to escape -them away. Usee ~ as the escape chracter (~~ to escape ~ itself) - -Fixes #14 ---- - src/mod_auth_gssapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 53 insertions(+), 1 deletion(-) - -diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c -index 4f21123a4caa56d748307055be73099cc9a63dc0..c7881bf9e149bb190ad73741250d94541abfd0e8 100644 ---- a/src/mod_auth_gssapi.c -+++ b/src/mod_auth_gssapi.c -@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c) - return false; - } - -+static char *escape(apr_pool_t *pool, const char *name, -+ char find, const char *replace) -+{ -+ char *escaped = NULL; -+ char *namecopy; -+ char *n; -+ char *p; -+ -+ namecopy = apr_pstrdup(pool, name); -+ if (!namecopy) goto done; -+ -+ p = strchr(namecopy, find); -+ if (!p) return namecopy; -+ -+ /* first segment */ -+ n = namecopy; -+ while (p) { -+ /* terminate previous segment */ -+ *p = '\0'; -+ if (escaped) { -+ escaped = apr_pstrcat(pool, escaped, n, replace, NULL); -+ } else { -+ escaped = apr_pstrcat(pool, n, replace, NULL); -+ } -+ if (!escaped) goto done; -+ /* move to next segment */ -+ n = p + 1; -+ p = strchr(n, find); -+ } -+ /* append last segment if any */ -+ if (*n) { -+ escaped = apr_pstrcat(pool, escaped, n, NULL); -+ } -+ -+done: -+ if (!escaped) { -+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL, -+ "OOM escaping name"); -+ } -+ return escaped; -+} -+ - static void mag_store_deleg_creds(request_rec *req, - char *dir, char *clientname, - gss_cred_id_t delegated_cred, -@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req, - 
gss_key_value_set_desc store; - char *value; - uint32_t maj, min; -+ char *escaped; - -- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname); -+ /* We need to escape away '/', we can't have path separators in -+ * a ccache file name */ -+ /* first double escape the esacping char (~) if any */ -+ escaped = escape(req->pool, clientname, '~', "~~"); -+ if (!escaped) return; -+ /* then escape away the separator (/) if any */ -+ escaped = escape(req->pool, escaped, '/', "~"); -+ if (!escaped) return; -+ -+ value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped); - if (!value) { - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL, - "OOM storing delegated credentials"); --- -2.1.0 -
diff --git a/0001-Fix-checks-on-allowed-mechs.patch b/0001-Fix-checks-on-allowed-mechs.patch
new file mode 100644
index 0000000..d3f1908
--- /dev/null
+++ b/0001-Fix-checks-on-allowed-mechs.patch
@@ -0,0 +1,62 @@ +From 4e7967e797e5c8912a67c0de8f172bb95b5172ff Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Tue, 7 Jul 2015 13:23:57 -0400 +Subject: [PATCH] Fix checks on allowed mechs + +We need to check if a mech is allowed against the desired_mechs set. +Otherwise in case the admin does not explicitly specify an allowed set +then all mechs are allowed, including NTLM. This causes annoying issues +with browsers like Firefox and Chrome/ium which end up popping up an +authentication dialog if they see NTLM is supported and they have no +Kerberos tickets around. +Authentication will then simply fail because NTLM is not actually supported. +By using desired_mechs we use a list of mechanism the machine actually +has a chance to support in the default case. + +Signed-off-by: Simo Sorce +--- + src/mod_auth_gssapi.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c +index 6cb8d3a532370212f8fc2e708b066511575fbd7e..763b625cef106923afca753e4c3e192df24bb49e 100644 +--- a/src/mod_auth_gssapi.c ++++ b/src/mod_auth_gssapi.c +@@ -292,12 +292,12 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header, + return true; + } + +-static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech) ++static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech) + { +- if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true; ++ if (allowed_mechs == GSS_C_NO_OID_SET) return true; + +- for (int i = 0; i < cfg->allowed_mechs->count; i++) { +- if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) { ++ for (int i = 0; i < allowed_mechs->count; i++) { ++ if (gss_oid_equal(&allowed_mechs->elements[i], mech)) { + return true; + } + } +@@ -785,7 +785,7 @@ static int mag_auth(request_rec *req) + break; + + case AUTH_TYPE_RAW_NTLM: +- if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) { ++ if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) { + ap_log_rerror(APLOG_MARK, 
APLOG_DEBUG, 0, req, + "NTLM Authentication is not allowed!"); + goto done; +@@ -945,7 +945,7 @@ done: + } + } else if (ret == HTTP_UNAUTHORIZED) { + apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate"); +- if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) { ++ if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) { + apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM"); + } + if (cfg->use_basic_auth) { +-- +2.4.2 +
diff --git a/0001-Handle-authentication-on-subrequests.patch b/0001-Handle-authentication-on-subrequests.patch
deleted file mode 100644
index 4cc6fb7..0000000
--- a/0001-Handle-authentication-on-subrequests.patch
+++ /dev/null
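Review bot: With `is_mech_allowed()` now taking the set itself, the `allowed_mechs == GSS_C_NO_OID_SET` early return means that whenever `desired_mechs` is the empty set at the two call sites (the AUTH_TYPE_RAW_NTLM case and the WWW-Authenticate block after `done:`), raw NTLM is accepted and advertised again, which is the permit-all default this patch sets out to close; how `desired_mechs` is built in `mag_auth` is outside the hunk, so whether it can be GSS_C_NO_OID_SET there needs checking. If it can (for instance when no allowed set is configured and the available mechs could not be determined), the advertising site should not fall back to permit-all: `if (desired_mechs != GSS_C_NO_OID_SET && is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {`. That second site sits after the `done:` label, so any `goto done` taken before `desired_mechs` is assigned would read an unset pointer there; `mag_auth` starts and ends outside the hunk, so this has to be verified against the whole function. Since the loop line is rewritten anyway, `for (size_t i = 0; i < allowed_mechs->count; i++)` avoids the signed/unsigned comparison with `gss_OID_set_desc.count`, which is a `size_t`. A one-line comment above the function would also record the contract callers now rely on: `/* GSS_C_NO_OID_SET means "no restriction"; callers must pass a populated desired_mechs */`.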
@@ -1,70 +0,0 @@ -From e5db7c1f5738c7874e73869a2f4511193f956b81 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Mon, 30 Mar 2015 12:48:30 -0400 -Subject: [PATCH] Handle authentication on subrequests - -In some cases (like during directory listing) Apache will re-run the -authentication code. Many GSSAPI mechanism have replay detection so -we cannot simply rerun the accept_sec_context phase. Others require -multiple steps. When authntication has already been estalished just -implicitly consider the authentication successfully performed and -copy the user name. Otherwise fail. -If a subrequest hits a location with a different mod_auth_gssapi -configuration warn but do not error off right away. - -Fixes #15 ---- - src/mod_auth_gssapi.c | 35 ++++++++++++++++++++++++++++++----- - 1 file changed, 30 insertions(+), 5 deletions(-) - -diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c -index c7881bf9e149bb190ad73741250d94541abfd0e8..e2331107b89734bd5da3a742a884c6a92489d5a8 100644 ---- a/src/mod_auth_gssapi.c -+++ b/src/mod_auth_gssapi.c -@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req) - return DECLINED; - } - -- /* ignore auth for subrequests */ -- if (!ap_is_initial_req(req)) { -- return OK; -- } -- - cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); - -+ /* implicit auth for subrequests if main auth already happened */ -+ if (!ap_is_initial_req(req)) { -+ type = ap_auth_type(req->main); -+ if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) { -+ /* warn if the subrequest location and the main request -+ * location have different configs */ -+ if (cfg != ap_get_module_config(req->main->per_dir_config, -+ &auth_gssapi_module)) { -+ ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0, -+ req, "Subrequest authentication bypass on " -+ "location with different configuration!"); -+ } -+ if (req->main->user) { -+ req->user = apr_pstrdup(req->pool, req->main->user); -+ return OK; -+ } else { -+ ap_log_rerror(APLOG_MARK, 
APLOG_ERR|APLOG_NOERRNO, 0, req, -+ "The main request is tasked to establish the " -+ "security context, can't proceed!"); -+ return HTTP_UNAUTHORIZED; -+ } -+ } else { -+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req, -+ "Subrequest GSSAPI auth with no auth on the main " -+ "request. This operation may fail if other " -+ "subrequests already established a context or the " -+ "mechanism requires multiple roundtrips."); -+ } -+ } -+ - if (cfg->ssl_only) { - if (!mag_conn_is_https(req->connection)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, --- -2.1.0 -
diff --git a/mod_auth_gssapi.spec b/mod_auth_gssapi.spec
index 4d890be..7d8980f 100644
--- a/mod_auth_gssapi.spec
+++ b/mod_auth_gssapi.spec
@@ -1,6 +1,6 @@ Name: mod_auth_gssapi Version: 1.3.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A GSSAPI Authentication module for Apache Group: System Environment/Daemons
@@ -13,6 +13,7 @@ BuildRequires: gssntlmssp-devel Requires: httpd-mmn = %{_httpd_mmn} Requires: krb5-libs >= 1.11.5 +Patch01: 0001-Fix-checks-on-allowed-mechs.patch %description The mod_auth_gssapi module is an authentication service that implements the
@@ -20,6 +21,7 @@ SPNEGO based HTTP Authentication protocol defined in RFC4559. %prep %setup -q +%patch01 -p1 %build export APXS=%{_httpd_apxs}
@@ -44,6 +46,10 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir} %{_httpd_moddir}/mod_auth_gssapi.so %changelog +* Tue Jul 7 2015 Simo Sorce 1.3.0-2 +- Fix annoying incorrect behavior with simple configuration where + GssapiAllowedMech is not used. + * Sat Jul 4 2015 Simo Sorce 1.3.0-1 - US Independence Day Release