changeset 8094:641d761219a6 HEAD

Support GSS-SPNEGO mechanism if GSSAPI library supports it. Based on a patch by Jason Gunthorpe.
author Timo Sirainen <tss@iki.fi>
date Wed, 13 Aug 2008 16:22:53 -0400
parents 9ca5e8f66d10
children 1f948670f274
files configure.in src/auth/mech-gssapi.c src/auth/mech.c
diffstat 3 files changed, 68 insertions(+), 0 deletions(-) [+]
--- a/configure.in	Wed Aug 13 14:59:10 2008 -0400
+++ b/configure.in	Wed Aug 13 16:22:53 2008 -0400
@@ -1805,6 +1805,41 @@
 				old_LIBS=$LIBS
 				LIBS="$LIBS $KRB5_LIBS"
 				AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity)
+
+				# does the kerberos library support SPNEGO?
+				AC_CACHE_CHECK([whether GSSAPI supports SPNEGO],i_cv_gssapi_spnego,[
+				  AC_TRY_RUN([
+				    #ifdef HAVE_GSSAPI_H
+				    #  include <gssapi.h>
+				    #else
+				    #  include <gssapi/gssapi.h>
+				    #endif
+				    #include <krb5.h>
+				    #include <string.h>
+				    int main(void) {
+				      OM_uint32 minor_status;
+				      gss_OID_set mech_set;
+				      unsigned char spnego_oid[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
+				      unsigned int i;
+    
+				      gss_indicate_mechs(&minor_status, &mech_set);
+				      for (i = 0; i < mech_set->count; i++) {
+					if (mech_set->elements[i].length == 6 &&
+					    memcmp(mech_set->elements[i].elements,
+						   spnego_oid, 6) == 0)
+					      return 0;
+				      }
+				      return 1;
+				    }
+				  ], [
+				    i_cv_gssapi_spnego=yes
+				  ], [
+				    i_cv_gssapi_spnego=no
+				  ])
+				])
+				if test "$i_cv_gssapi_spnego" = "yes"; then
+				  AC_DEFINE(HAVE_GSSAPI_SPNEGO,, GSSAPI supports SPNEGO)
+				fi
 				LIBS=$old_LIBS
 
 				if test x$want_gssapi_plugin != xyes; then
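Review bot: The test program ignores the major status returned by `gss_indicate_mechs` on the `gss_indicate_mechs(&minor_status, &mech_set);` line, so if the call fails `mech_set` is read uninitialised and the probe may crash or exit with an arbitrary code instead of reporting "no". Replace that line with `OM_uint32 major_status = gss_indicate_mechs(&minor_status, &mech_set);` followed by `if (GSS_ERROR(major_status)) return 1;` so a failed enumeration is treated as "SPNEGO unsupported". Releasing the set with `gss_release_oid_set` before returning would be tidy, though for a configure probe it is cosmetic. Separately, `AC_TRY_RUN` is given no cross-compiling action, so a cross build aborts configure at this check; a fourth argument of `i_cv_gssapi_spnego=no` keeps configure usable and lets the cache variable be overridden by hand.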
--- a/src/auth/mech-gssapi.c	Wed Aug 13 14:59:10 2008 -0400
+++ b/src/auth/mech-gssapi.c	Wed Aug 13 16:22:53 2008 -0400
@@ -552,6 +552,24 @@
 	mech_gssapi_auth_free
 };
 
+/* MTI Kerberos v1.5+ and Heimdal v0.7+ supports SPNEGO for Kerberos tickets
+   internally. Nothing else needs to be done here. Note however that this does
+   not support SPNEGO when the only available credential is NTLM.. */
+const struct mech_module mech_gssapi_spnego = {
+	"GSS-SPNEGO",
+
+	MEMBER(flags) 0,
+
+	MEMBER(passdb_need_plain) FALSE,
+	MEMBER(passdb_need_credentials) FALSE,
+	MEMBER(passdb_need_set_credentials) FALSE,
+
+	mech_gssapi_auth_new,
+        mech_gssapi_auth_initial,
+        mech_gssapi_auth_continue,
+        mech_gssapi_auth_free
+};
+
 #ifndef BUILTIN_GSSAPI
 void mech_gssapi_init(void);
 void mech_gssapi_deinit(void);
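Review bot: The new header comment reads `MTI Kerberos v1.5+`, which presumably means `MIT Kerberos v1.5+`, and `supports` should be `support` since the subject is plural; the comment is the only place a reader learns why no SPNEGO-specific code exists, so it is worth getting right. It would also help to state explicitly what the initialiser shows, that `mech_gssapi_spnego` reuses `mech_gssapi_auth_new`, `mech_gssapi_auth_initial`, `mech_gssapi_auth_continue` and `mech_gssapi_auth_free` unchanged and relies on the GSSAPI library to unwrap the SPNEGO negotiation before those handlers see the token, e.g. `/* Shares mech_gssapi's handlers: the GSSAPI library performs the SPNEGO negotiation itself and hands us plain Kerberos tokens. */`. On style, the last three members (`mech_gssapi_auth_initial` through `mech_gssapi_auth_free`) are indented with spaces while the surrounding file and the `mech_gssapi_auth_new` line use tabs.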
@@ -559,11 +577,17 @@
 void mech_gssapi_init(void)
 {
 	mech_register_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+	mech_register_module(&mech_gssapi_spnego);
+#endif
 }
 
 void mech_gssapi_deinit(void)
 {
 	mech_unregister_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+	mech_unregister_module(&mech_gssapi_spnego);
+#endif
 }
 #endif
 
--- a/src/auth/mech.c	Wed Aug 13 14:59:10 2008 -0400
+++ b/src/auth/mech.c	Wed Aug 13 16:22:53 2008 -0400
@@ -75,6 +75,9 @@
 #ifdef HAVE_GSSAPI
 extern const struct mech_module mech_gssapi;
 #endif
+#ifdef HAVE_GSSAPI_SPNEGO
+extern const struct mech_module mech_gssapi_spnego;
+#endif
 extern const struct mech_module mech_winbind_ntlm;
 extern const struct mech_module mech_winbind_spnego;
 
@@ -96,6 +99,9 @@
 	mech_register_module(&mech_anonymous);
 #ifdef BUILTIN_GSSAPI
 	mech_register_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+	mech_register_module(&mech_gssapi_spnego);
+#endif
 #endif
 }
 
@@ -117,5 +123,8 @@
 	mech_unregister_module(&mech_anonymous);
 #ifdef BUILTIN_GSSAPI
 	mech_unregister_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+	mech_unregister_module(&mech_gssapi_spnego);
+#endif
 #endif
 }