changeset 5859:dfdedb187b26 HEAD
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Mon, 02 Jul 2007 21:19:25 +0300 |
parents | 7a71ede9334b |
children | 159929f53161 |
files | configure.in src/auth/mech-gssapi.c |
diffstat | 2 files changed, 40 insertions(+), 0 deletions(-) [+] |
--- a/configure.in Mon Jul 02 17:56:18 2007 +0300
+++ b/configure.in Mon Jul 02 21:19:25 2007 +0300
@@ -1550,12 +1550,19 @@
 AC_DEFINE(HAVE_GSSAPI_GSSAPI_H,, GSSAPI headers in gssapi/gssapi.h)
 have_gssapi=yes
 ])
+ AC_CHECK_HEADER([gssapi/gssapi_ext.h], [
+ AC_DEFINE(HAVE_GSSAPI_GSSAPI_EXT_H,, GSSAPI headers in gssapi/gssapi_ext.h)
+ ])
 AC_CHECK_HEADER([gssapi.h], [
 AC_DEFINE(HAVE_GSSAPI_H,, GSSAPI headers in gssapi.h)
 have_gssapi=yes
 ])
 if test $have_gssapi = yes; then
 AC_DEFINE(HAVE_GSSAPI,, Build with GSSAPI support)
+ AC_CHECK_LIB(gss, __gss_userok, [
+ AC_DEFINE(HAVE___GSS_USEROK,,
+ Define if you have __gss_userok())
+ ],, `krb5-config --libs gssapi`)
 fi
 CFLAGS=$old_CFLAGS
 fi
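Review bot: `AC_CHECK_LIB(gss, __gss_userok, ...)` only proves that the symbol links; it does not establish that a prototype is visible, yet the C side calls `__gss_userok()` under `HAVE___GSS_USEROK` alone, so on a system where libgss exports the symbol but `gssapi/gssapi_ext.h` is absent the call compiles against an implicit declaration (return type assumed `int`, arguments unchecked), which is exactly the kind of silent mismatch an authorization check should not tolerate. Tie the define to the header by nesting the library check inside the action of `AC_CHECK_HEADER([gssapi/gssapi_ext.h], [ ... ])`, or guard the call site with `#if defined(HAVE___GSS_USEROK) && defined(HAVE_GSSAPI_GSSAPI_EXT_H)`. The backtick `krb5-config --libs gssapi` is also evaluated unconditionally, so configure prints a shell "command not found" on hosts without krb5-config; locating it first with `AC_PATH_PROG` (or appending `2>/dev/null`) keeps the output clean and the probe deterministic.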
--- a/src/auth/mech-gssapi.c Mon Jul 02 17:56:18 2007 +0300
+++ b/src/auth/mech-gssapi.c Mon Jul 02 21:19:25 2007 +0300
@@ -29,6 +29,10 @@
 # include <gssapi.h>
 #endif
 
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
+# include <gssapi/gssapi_ext.h>
+#endif
+
 /* Non-zero flags defined in RFC 2222 */
 enum sasl_gssapi_qop {
 SASL_GSSAPI_QOP_UNSPECIFIED = 0x00,
@@ -273,6 +277,7 @@
 OM_uint32 major_status, minor_status;
 gss_buffer_desc outbuf;
 int equal_authn_authz = 0;
+ const char *name;
 
 major_status = gss_unwrap(&minor_status, request->gss_ctx, &inbuf, &outbuf, NULL, NULL);
@@ -292,6 +297,33 @@
 return;
 }
+#ifdef HAVE___GSS_USEROK
+ /* Solaris __gss_userok() correctly handles cross-realm
+ authentication. */
+ request->auth_request.user =
+ p_strndup(request->auth_request.pool,
+ (unsigned char *)outbuf.value + 4,
+ outbuf.length - 4);
+
+ major_status = __gss_userok(&minor_status, request->authn_name,
+ request->auth_request.user,
+ &equal_authn_authz);
+ if (GSS_ERROR(major_status)) {
+ auth_request_log_gss_error(&request->auth_request, major_status,
+ GSS_C_GSS_CODE,
+ "__gss_userok failed");
+ auth_request_fail(&request->auth_request);
+ return;
+ }
+
+ if (equal_authn_authz == 0) {
+ auth_request_log_error(&request->auth_request, "gssapi",
+ "credentials not valid");
+
+ auth_request_fail(&request->auth_request);
+ return;
+ }
+#else
 request->authz_name = import_name(&request->auth_request,
 (unsigned char *)outbuf.value + 4,
 outbuf.length - 4);
@@ -319,6 +351,7 @@
 (unsigned char *)outbuf.value + 4,
 outbuf.length - 4);
 
+#endif
 auth_request_success(&request->auth_request, NULL, 0);
 }
 
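Review bot: `const char *name;` added in the `@@ -273,6 +277,7 @@` hunk is never referenced by any added line of this commit, and the unchanged lines between the hunks cannot use a variable that did not exist before, so it is dead on every build and will raise an unused-variable warning regardless of whether `HAVE___GSS_USEROK` is defined. Either drop the declaration, leaving `int equal_authn_authz = 0;` as the last declaration, or actually use it to hold the copied authorization identity so both preprocessor branches below share one validated string. The function this hunk belongs to starts before it, so its name and signature are not visible here.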
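Review bot: In the `@@ -292,6 +297,33 @@` hunk the client-supplied authorization identity is copied with `p_strndup(request->auth_request.pool, (unsigned char *)outbuf.value + 4, outbuf.length - 4)`, which stops at the first NUL byte, while the `#else` branch hands the full length to `import_name()`; an identity sent as `"alice\0..."` is therefore checked, stored and logged as `alice` on Solaris builds only. `__gss_userok()` sees the same truncated string, so this is not a bypass, but untrusted identity strings with embedded NULs should be rejected rather than silently shortened, e.g. `if (memchr((unsigned char *)outbuf.value + 4, '\0', outbuf.length - 4) != NULL) { auth_request_fail(&request->auth_request); return; }` before the copy, keeping both branches consistent. The rejection message `"credentials not valid"` also misleads triage — the GSSAPI credentials did authenticate; what failed is the authenticated principal's right to act as the requested user — so wording such as `"authz name not permitted for authenticated principal"` would describe the event correctly. The `return; }` at the top of the hunk looks like the tail of a length check on `outbuf`, but that check and the enclosing function's start are outside the hunk, so I have not verified that `outbuf.length > 4` is guaranteed here.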