Mercurial > dovecot > original-hg > dovecot-1.2
changeset 8094:641d761219a6 HEAD
Support GSS-SPNEGO mechanism if GSSAPI library supports it.
Based on a patch by Jason Gunthorpe.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Wed, 13 Aug 2008 16:22:53 -0400 |
parents | 9ca5e8f66d10 |
children | 1f948670f274 |
files | configure.in src/auth/mech-gssapi.c src/auth/mech.c |
diffstat | 3 files changed, 68 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/configure.in Wed Aug 13 14:59:10 2008 -0400 +++ b/configure.in Wed Aug 13 16:22:53 2008 -0400 @@ -1805,6 +1805,41 @@ old_LIBS=$LIBS LIBS="$LIBS $KRB5_LIBS" AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity) + + # does the kerberos library support SPNEGO? + AC_CACHE_CHECK([whether GSSAPI supports SPNEGO],i_cv_gssapi_spnego,[ + AC_TRY_RUN([ + #ifdef HAVE_GSSAPI_H + # include <gssapi.h> + #else + # include <gssapi/gssapi.h> + #endif + #include <krb5.h> + #include <string.h> + int main(void) { + OM_uint32 minor_status; + gss_OID_set mech_set; + unsigned char spnego_oid[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 }; + unsigned int i; + + gss_indicate_mechs(&minor_status, &mech_set); + for (i = 0; i < mech_set->count; i++) { + if (mech_set->elements[i].length == 6 && + memcmp(mech_set->elements[i].elements, + spnego_oid, 6) == 0) + return 0; + } + return 1; + } + ], [ + i_cv_gssapi_spnego=yes + ], [ + i_cv_gssapi_spnego=no + ]) + ]) + if test "$i_cv_gssapi_spnego" = "yes"; then + AC_DEFINE(HAVE_GSSAPI_SPNEGO,, GSSAPI supports SPNEGO) + fi LIBS=$old_LIBS if test x$want_gssapi_plugin != xyes; then
--- a/src/auth/mech-gssapi.c Wed Aug 13 14:59:10 2008 -0400 +++ b/src/auth/mech-gssapi.c Wed Aug 13 16:22:53 2008 -0400 @@ -552,6 +552,24 @@ mech_gssapi_auth_free }; +/* MTI Kerberos v1.5+ and Heimdal v0.7+ supports SPNEGO for Kerberos tickets + internally. Nothing else needs to be done here. Note however that this does + not support SPNEGO when the only available credential is NTLM.. */ +const struct mech_module mech_gssapi_spnego = { + "GSS-SPNEGO", + + MEMBER(flags) 0, + + MEMBER(passdb_need_plain) FALSE, + MEMBER(passdb_need_credentials) FALSE, + MEMBER(passdb_need_set_credentials) FALSE, + + mech_gssapi_auth_new, + mech_gssapi_auth_initial, + mech_gssapi_auth_continue, + mech_gssapi_auth_free +}; + #ifndef BUILTIN_GSSAPI void mech_gssapi_init(void); void mech_gssapi_deinit(void); @@ -559,11 +577,17 @@ void mech_gssapi_init(void) { mech_register_module(&mech_gssapi); +#ifdef HAVE_GSSAPI_SPNEGO + mech_register_module(&mech_gssapi_spnego); +#endif } void mech_gssapi_deinit(void) { mech_unregister_module(&mech_gssapi); +#ifdef HAVE_GSSAPI_SPNEGO + mech_unregister_module(&mech_gssapi_spnego); +#endif } #endif
--- a/src/auth/mech.c Wed Aug 13 14:59:10 2008 -0400 +++ b/src/auth/mech.c Wed Aug 13 16:22:53 2008 -0400 @@ -75,6 +75,9 @@ #ifdef HAVE_GSSAPI extern const struct mech_module mech_gssapi; #endif +#ifdef HAVE_GSSAPI_SPNEGO +extern const struct mech_module mech_gssapi_spnego; +#endif extern const struct mech_module mech_winbind_ntlm; extern const struct mech_module mech_winbind_spnego; @@ -96,6 +99,9 @@ mech_register_module(&mech_anonymous); #ifdef BUILTIN_GSSAPI mech_register_module(&mech_gssapi); +#ifdef HAVE_GSSAPI_SPNEGO + mech_register_module(&mech_gssapi_spnego); +#endif #endif } @@ -117,5 +123,8 @@ mech_unregister_module(&mech_anonymous); #ifdef BUILTIN_GSSAPI mech_unregister_module(&mech_gssapi); +#ifdef HAVE_GSSAPI_SPNEGO + mech_unregister_module(&mech_gssapi_spnego); +#endif #endif }