[mod_auth_kerb] handle GSS_S_CONTINUE_NEEDED returned by accept_sec_token, fixes error 500

Jan Kaluža jkaluza at fedoraproject.org
Tue Jul 9 09:05:00 UTC 2013


commit 70f9011e517a302f40272f1402866be7bac9adbf
Author: Jan Kaluza <hanzz.k at gmail.com>
Date:   Tue Jul 9 11:04:11 2013 +0200

    handle GSS_S_CONTINUE_NEEDED returned by accept_sec_token, fixes error 500
    
      when trying to auth with expired token from Firefox

 mod_auth_kerb-5.4-handle-continue.patch |   20 ++++++++++++++++++++
 mod_auth_kerb.spec                      |    8 +++++++-
 2 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/mod_auth_kerb-5.4-handle-continue.patch b/mod_auth_kerb-5.4-handle-continue.patch
new file mode 100644
index 0000000..4b77a49
--- /dev/null
+++ b/mod_auth_kerb-5.4-handle-continue.patch
@@ -0,0 +1,20 @@
+diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
+index 2aab5ee..ca81878 100644
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -1744,7 +1744,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+      goto end;
+   }
+ 
+-#if 0
+   /* This is a _Kerberos_ module so multiple authentication rounds aren't
+    * supported. If we wanted a generic GSS authentication we would have to do
+    * some magic with exporting context etc. */
+@@ -1752,7 +1751,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+      ret = HTTP_UNAUTHORIZED;
+      goto end;
+   }
+-#endif
+ 
+   major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
+   gss_release_name(&minor_status, &client_name); 
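Review bot: The branch re-enabled by dropping `#if 0`/`#endif` rejects an incomplete GSS exchange with `ret = HTTP_UNAUTHORIZED; goto end;` but, as far as the hunk shows, writes nothing to the error log, so these rejections look like any other 401 to an operator. A line before the assignment such as `ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, "GSS-API negotiation incomplete (GSS_S_CONTINUE_NEEDED), rejecting request");` would make expired-token retries and repeated partial handshakes visible. The `if` condition sits on the one line between the two inner hunks and the `end:` label is outside them, so whether the partially established context is released there should be confirmed in the full function. The patch file also starts directly at `diff --git`; a short header stating the reason and upstream status would help later rebases.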
diff --git a/mod_auth_kerb.spec b/mod_auth_kerb.spec
index 2ff3b10..590dbcd 100644
--- a/mod_auth_kerb.spec
+++ b/mod_auth_kerb.spec
@@ -8,7 +8,7 @@
 Summary: Kerberos authentication module for HTTP
 Name: mod_auth_kerb
 Version: 5.4
-Release: 24%{?dist}
+Release: 25%{?dist}
 # src/mod_auth_kerb.c is under 3-clause BSD, ASL 2.0 code is patched in (-s4u2proxy.patch)
 # src/mit-internals.h contains MIT-licensed code.
 License: BSD and MIT and ASL 2.0
@@ -24,6 +24,7 @@ Patch4: mod_auth_kerb-5.4-httpd24.patch
 Patch5: mod_auth_kerb-5.4-delegation.patch
 Patch6: mod_auth_kerb-5.4-cachedir.patch
 Patch7: mod_auth_kerb-5.4-longuser.patch
+Patch8: mod_auth_kerb-5.4-handle-continue.patch
 BuildRequires: httpd-devel, krb5-devel
 Requires: httpd-mmn = %{_httpd_mmn}
 Requires(pre): httpd
@@ -47,6 +48,7 @@ authentication based on ticket exchanges.
 %patch5 -p1 -b .delegation
 %patch6 -p1 -b .cachedir
 %patch7 -p1 -b .longuser
+%patch8 -p1 -b .continue
 
 %build
 export APXS=%{_httpd_apxs}
@@ -88,6 +90,10 @@ cp -p %{SOURCE2} .
 %attr(0700,apache,apache) %dir /run/httpd/krbcache
 
 %changelog
+* Tue Jul 09 2013 Jan Kaluza <jkaluza at redhat.com> - 5.4-25
+- handle GSS_S_CONTINUE_NEEDED returned by accept_sec_token, fixes error 500
+  when trying to auth with expired token from Firefox
+
 * Tue Jun 04 2013 Jan Kaluza <jkaluza at redhat.com> - 5.4-24
 - don't truncate translated names with KrbLocalUserMapping
 

