Update mod_auth_mellon after lasso upgrade. Approved by wiz@

NEWS since last version imported in pkgsrc

Version 0.10.0
---------------------------------------------------------------------------

* Make sure that we fail in the unlikely case where OpenSSL is not able
  to provide us with a secure session id.

* Increase the number of key-value pairs in the session to 2048.

* Add MellonMergeEnvVars-option to store multi-valued attributes in
  a single environment variable, separated with ';'.

* Bugfixes:

  * Fix the [MAP] option for MellonCond.

  * Fix cookie deletion for the session cookie. (Logout is not dependent
    on the cookie being deleted, so this only fixes the cookie showing
    up after the session is deleted.)

Version 0.9.1
---------------------------------------------------------------------------

* Bugfixes:

  * Fix session offset calculation that prevented us from having
    active sessions at once.

  * Run mod_auth_mellon request handler before most other handlers,
    so that other handlers cannot block it by accident.


Version 0.9.0
---------------------------------------------------------------------------

* Set the AssertionConsumerServiceURL attribute in authentication
  requests.

* Bugfixes:

  * Fix use of uninitialized data during logout.

  * Fix session entry overflow leading to segmentation faults.

  * Fix looking up sessions by NameID, which is used during logout.


Version 0.8.1
---------------------------------------------------------------------------

This is a security release with fixes backported from version 0.9.1.

It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)

In addition to the information disclosure, this release contains some
fixes for logout processing, where logout requests would crash the
Apache web server. (CVE-2014-8567)


Version 0.8.0
---------------------------------------------------------------------------

* Add support for receiving HTTP-Artifact identifiers as POST data.

* Simplify caching headers.

* Map login errors into more appropriate HTTP error codes than
  400 Bad Request.

* Add MellonNoSuccessErrorPage option to redirect to a error page on login
  failure.

* Turn session storage into a dynamic pool of memory, which means that
  attribute values (and other items) can have arbitrary sizes as long as
  they fit in the session as a whole.

* Various bugfixes:

  * Fix for compatibility with recent versions of CURL.

  * Fix broken option MellonDoNotVerifyLogoutSignature.

  * Fix deadlock that could occur during logout processing.

  * Fix some compile warnings.

  * Fix some NULL derefernce bugs that may lead to segmentation faults.

  * Fix a minor memory leak during IdP metadata loading.


Version 0.7.0
---------------------------------------------------------------------------

* Add MellonSPentityId to control entityId in autogenerated metadata

* Fix compatibility with Apache 2.4.

* Handle empty RelayState the same as missing RelayState.

* Add MellonSetEvnNoPrefix directive to set environment variables
  without "MELLON_"-prefix.

4 files changed, 11 insertions, 120 deletions

diff --git a/www/ap2-auth-mellon/MESSAGE b/www/ap2-auth-mellon/MESSAGE
index 49bcbe11a46..02169a003ea 100644
--- a/www/ap2-auth-mellon/MESSAGE
+++ b/www/ap2-auth-mellon/MESSAGE
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.2 2013/04/15 15:35:01 manu Exp $
+$NetBSD: MESSAGE,v 1.3 2015/04/01 14:08:13 manu Exp $
 
 In order to use this module in your Apache installation, you need to
 add the following to your httpd.conf file:
@@ -14,7 +14,7 @@ backward-incompatible changes:
   removed. If you want to use the POST replay functionality, create a
   directory accessible only by the apache user (e.g.: /var/spool/mellon)
   and add this after the LoadModule for mod_auth_mellon.so:
-  
+
   MellonPostDirectory /var/spool/mellon
 
 * Start discovery service when accessing the login endpoint. We used
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile
index 9da855fd737..ac973bb9c7d 100644
--- a/www/ap2-auth-mellon/Makefile
+++ b/www/ap2-auth-mellon/Makefile
@@ -1,15 +1,14 @@
-# $NetBSD: Makefile,v 1.28 2014/02/12 23:18:43 tron Exp $
+# $NetBSD: Makefile,v 1.29 2015/04/01 14:08:13 manu Exp $
 #
 
-PKGNAME=	${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/}
-DISTNAME=	mod_auth_mellon-0.6.1
+DISTNAME=	mod_auth_mellon-0.10.0
+PKGNAME=	${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/g}
 #PKGREVISION=	1
-PKGREVISION=	2
 CATEGORIES=	www security
-MASTER_SITES=	http://modmellon.googlecode.com/files/
+MASTER_SITES=	https://github.com/UNINETT/mod_auth_mellon/releases/download/v${DISTNAME:C/.*-//}/
 
 MAINTAINER=	manu@NetBSD.org
-HOMEPAGE=	http://code.google.com/p/modmellon/
+HOMEPAGE=	http://modmellon.googlecode.com/files/
 COMMENT=	SAML 2.0 authentication for Apache
 LICENSE=	gnu-gpl-v2 # or later
 
@@ -21,13 +20,11 @@ USE_TOOLS+=	pkg-config
 CFLAGS+=	-DLASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT=0
 
 APACHE_MODULE=	YES
-APACHE_MODULE_NAME=	auth_mellon_module
 PKG_APACHE_ACCEPTED=	apache22
 .include "../../mk/apache.mk"
 BUILDLINK_API_DEPENDS.apache+=	apache>=2.0.47
 
 SUBST_CLASSES+=		pthflags
-SUBST_MESSAGES=		Remove -pthread flag
 SUBST_STAGE.pthflags=	post-configure
 SUBST_FILES.pthflags=	Makefile
 SUBST_SED.pthflags=	-e 's| -pthread | |g'
diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo
index 2469b980414..bc365bfac97 100644
--- a/www/ap2-auth-mellon/distinfo
+++ b/www/ap2-auth-mellon/distinfo
@@ -1,6 +1,5 @@
-$NetBSD: distinfo,v 1.12 2013/04/15 15:35:01 manu Exp $
+$NetBSD: distinfo,v 1.13 2015/04/01 14:08:13 manu Exp $
 
-SHA1 (mod_auth_mellon-0.6.1.tar.gz) = c1704daaafdb2105ee5f1d488f88ec914f2dd646
-RMD160 (mod_auth_mellon-0.6.1.tar.gz) = 0cef669feeb0fba516cd934f1fe8a93e6bc67239
-Size (mod_auth_mellon-0.6.1.tar.gz) = 108734 bytes
-SHA1 (patch-aj) = c8219d53538cf9e10acaec861a66a3f29e22a582
+SHA1 (mod_auth_mellon-0.10.0.tar.gz) = 853bd8506c3e70c9f0b7f7c6625a0c896dcf92bc
+RMD160 (mod_auth_mellon-0.10.0.tar.gz) = 7f8e40a9a7a5a7c5df772523dbb2c65e34658364
+Size (mod_auth_mellon-0.10.0.tar.gz) = 115727 bytes
diff --git a/www/ap2-auth-mellon/patches/patch-aj b/www/ap2-auth-mellon/patches/patch-aj
deleted file mode 100644
index 5adaad4d9bc..00000000000
--- a/www/ap2-auth-mellon/patches/patch-aj
+++ /dev/null
@@ -1,105 +0,0 @@
-$NetBSD: patch-aj,v 1.1 2013/04/15 15:35:02 manu Exp $ 
-
-MellonSPentityId option to control entityID in autogenerated metadata
-(patch from upstream)
-
-Index: auth_mellon_config.c
-===================================================================
---- auth_mellon_config.c	(revision 204)
-+++ auth_mellon_config.c	(working copy)
-@@ -1064,6 +1064,13 @@
-         OR_AUTHCFG,
-         "List of IdP entityId to ignore."
-         ),
-+    AP_INIT_TAKE1(
-+        "MellonSPentityId",
-+        ap_set_string_slot,
-+        (void *)APR_OFFSETOF(am_dir_cfg_rec, sp_entity_id),
-+        OR_AUTHCFG,
-+        "SP entity Id to be used for metadata auto generation."
-+        ),
-     AP_INIT_TAKE12(
-         "MellonOrganizationName",
-         am_set_langstring_slot,
-@@ -1231,6 +1238,7 @@
-     dir->probe_discovery_timeout = -1; /* -1 means no probe discovery */
-     dir->probe_discovery_idp = apr_table_make(p, 0);
- 
-+    dir->sp_entity_id = NULL;
-     dir->sp_org_name = apr_hash_make(p);
-     dir->sp_org_display_name = apr_hash_make(p);
-     dir->sp_org_url = apr_hash_make(p);
-@@ -1400,6 +1408,10 @@
-                           add_cfg->idp_ignore :
-                           base_cfg->idp_ignore;
- 
-+    new_cfg->sp_entity_id = (add_cfg->sp_entity_id ?
-+                             add_cfg->sp_entity_id :
-+                             base_cfg->sp_entity_id);
-+
-     new_cfg->sp_org_name = apr_hash_copy(p,
-                           (apr_hash_count(add_cfg->sp_org_name) > 0) ?
-                            add_cfg->sp_org_name : 
-Index: auth_mellon_handler.c
-===================================================================
---- auth_mellon_handler.c	(revision 204)
-+++ auth_mellon_handler.c	(working copy)
-@@ -117,7 +117,10 @@
-     am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
-     char *url = am_get_endpoint_url(r);
-     char *cert = "";
-+    const char *sp_entity_id;
- 
-+    sp_entity_id = cfg->sp_entity_id ? cfg->sp_entity_id : url;
-+
-     if (cfg->sp_cert_file) {
- 	char *sp_cert_file;
-         char *cp;
-@@ -171,7 +174,7 @@
-     return apr_psprintf(p,
-       "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n\
- <EntityDescriptor\n\
-- entityID=\"%smetadata\"\n\
-+ entityID=\"%s%s\"\n\
-  xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\
-  <SPSSODescriptor\n\
-    AuthnRequestsSigned=\"true\"\n\
-@@ -197,7 +200,8 @@
-  </SPSSODescriptor>\n\
-  %s\n\
- </EntityDescriptor>",
--      url, cert, url, url, url, url, am_optional_metadata(p, r));
-+      sp_entity_id, cfg->sp_entity_id ? "" : "metadata", 
-+      cert, url, url, url, url, am_optional_metadata(p, r));
- }
- #endif /* HAVE_lasso_server_new_from_buffers */
- 
-Index: auth_mellon.h
-===================================================================
---- auth_mellon.h	(revision 204)
-+++ auth_mellon.h	(working copy)
-@@ -195,6 +195,7 @@
-     GList *idp_ignore;
- 
-     /* metadata autogeneration helper */
-+    char *sp_entity_id;
-     apr_hash_t *sp_org_name;
-     apr_hash_t *sp_org_display_name;
-     apr_hash_t *sp_org_url;
-Index: README
-===================================================================
---- README	(revision 204)
-+++ README	(working copy)
-@@ -332,7 +332,11 @@
-         # Default: None set.
-         MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
- 
--        # If you choose to autogenerate metadata, these option 
-+        # If you choose to autogenerate metadata, this option
-+        # can be used to control the SP entityId
-+        # MellonSPentityId "https://www.example.net/foo"
-+        #
-+        # If you choose to autogenerate metadata, these options 
-         # can be used to fill the <Organization> element. They
-         # all follow the syntax "option [lang] value":
-         # MellonOrganizationName "random-service"