dovecot: If __gss_userok() exists, use it to verify username. Pa...
dovecot at dovecot.org
dovecot at dovecot.org
Mon Jul 2 21:19:34 EEST 2007
details: http://hg.dovecot.org/dovecot/rev/dfdedb187b26
changeset: 5859:dfdedb187b26
user: Timo Sirainen <tss at iki.fi>
date: Mon Jul 02 21:19:25 2007 +0300
description:
If __gss_userok() exists, use it to verify username. Patch by Peter Eriksson.
diffstat:
2 files changed, 40 insertions(+)
configure.in | 7 +++++++
src/auth/mech-gssapi.c | 33 +++++++++++++++++++++++++++++++++
diffs (87 lines):
diff -r 7a71ede9334b -r dfdedb187b26 configure.in
--- a/configure.in Mon Jul 02 17:56:18 2007 +0300
+++ b/configure.in Mon Jul 02 21:19:25 2007 +0300
@@ -1550,12 +1550,19 @@ if test $want_gssapi = yes; then
AC_DEFINE(HAVE_GSSAPI_GSSAPI_H,, GSSAPI headers in gssapi/gssapi.h)
have_gssapi=yes
])
+ AC_CHECK_HEADER([gssapi/gssapi_ext.h], [
+ AC_DEFINE(HAVE_GSSAPI_GSSAPI_EXT_H,, GSSAPI headers in gssapi/gssapi_ext.h)
+ ])
AC_CHECK_HEADER([gssapi.h], [
AC_DEFINE(HAVE_GSSAPI_H,, GSSAPI headers in gssapi.h)
have_gssapi=yes
])
if test $have_gssapi = yes; then
AC_DEFINE(HAVE_GSSAPI,, Build with GSSAPI support)
+ AC_CHECK_LIB(gss, __gss_userok, [
+ AC_DEFINE(HAVE___GSS_USEROK,,
+ Define if you have __gss_userok())
+ ],, `krb5-config --libs gssapi`)
fi
CFLAGS=$old_CFLAGS
fi
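Review bot: `HAVE___GSS_USEROK` (L32-35) is defined from a link test alone, independent of whether `gssapi/gssapi_ext.h` was found at L23-25, yet the companion C change includes that header only under `HAVE_GSSAPI_GSSAPI_EXT_H`, so on a system with the symbol in libgss but without the header the call to `__gss_userok()` compiles as an implicit declaration whose `int` result is stored into an `OM_uint32`. Nesting the `AC_CHECK_LIB` inside the header check's action-if-found, or adding `AC_CHECK_DECL([__gss_userok], , , [[#include <gssapi/gssapi_ext.h>]])` and defining the macro only when both succeed, ties the define to a usable prototype. Two smaller points: supplying an action-if-found means `-lgss` is not appended to LIBS, so the final link relies on whatever GSSAPI libraries the surrounding configure logic already selected, and the backtick `` `krb5-config --libs gssapi` `` runs even where krb5-config is absent (common on the Solaris systems this targets), which is harmless but noisy in config.log and worth an existence guard. The enclosing `if test $want_gssapi = yes` block starts before this hunk.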
diff -r 7a71ede9334b -r dfdedb187b26 src/auth/mech-gssapi.c
--- a/src/auth/mech-gssapi.c Mon Jul 02 17:56:18 2007 +0300
+++ b/src/auth/mech-gssapi.c Mon Jul 02 21:19:25 2007 +0300
@@ -29,6 +29,10 @@
# include <gssapi.h>
#endif
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
+# include <gssapi/gssapi_ext.h>
+#endif
+
/* Non-zero flags defined in RFC 2222 */
enum sasl_gssapi_qop {
SASL_GSSAPI_QOP_UNSPECIFIED = 0x00,
@@ -273,6 +277,7 @@ static void gssapi_unwrap(struct gssapi_
OM_uint32 major_status, minor_status;
gss_buffer_desc outbuf;
int equal_authn_authz = 0;
+ const char *name;
major_status = gss_unwrap(&minor_status, request->gss_ctx,
&inbuf, &outbuf, NULL, NULL);
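Review bot: The `const char *name` declared at L56 is not referenced by any line this commit adds in either preprocessor branch, and the unchanged lines cannot use it because the variable did not exist before this change, so it is a dead declaration that will draw `-Wunused-variable` on every build. Either drop it, or use it as the intermediate for the client-supplied authorization identity in the `HAVE___GSS_USEROK` branch (`name = p_strndup(...)`, then `__gss_userok(&minor_status, request->authn_name, name, &equal_authn_authz)`) so the request's `user` field is only filled in once that identity has been accepted. gssapi_unwrap() starts before this hunk.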
@@ -292,6 +297,33 @@ static void gssapi_unwrap(struct gssapi_
return;
}
+#ifdef HAVE___GSS_USEROK
+ /* Solaris __gss_userok() correctly handles cross-realm
+ authentication. */
+ request->auth_request.user =
+ p_strndup(request->auth_request.pool,
+ (unsigned char *)outbuf.value + 4,
+ outbuf.length - 4);
+
+ major_status = __gss_userok(&minor_status, request->authn_name,
+ request->auth_request.user,
+ &equal_authn_authz);
+ if (GSS_ERROR(major_status)) {
+ auth_request_log_gss_error(&request->auth_request, major_status,
+ GSS_C_GSS_CODE,
+ "__gss_userok failed");
+ auth_request_fail(&request->auth_request);
+ return;
+ }
+
+ if (equal_authn_authz == 0) {
+ auth_request_log_error(&request->auth_request, "gssapi",
+ "credentials not valid");
+
+ auth_request_fail(&request->auth_request);
+ return;
+ }
+#else
request->authz_name = import_name(&request->auth_request,
(unsigned char *)outbuf.value + 4,
outbuf.length - 4);
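Review bot: Both new failure returns (L78, L86) and the fall-through to success leave `outbuf`, the buffer gss_unwrap() allocated, unreleased — no `gss_release_buffer()` appears in any hunk of this file, so unless the code above L60 or below L97 releases it, every final-negotiation message leaks in the long-lived auth process; `(void)gss_release_buffer(&minor_status, &outbuf);` before each return (and before auth_request_success()) would fix it. The log text `"credentials not valid"` at L83 also mislabels the decision: by this point the client has authenticated, and what `__gss_userok()` refused is that principal acting as the requested user, a distinction an operator triaging auth logs needs — something like `"authenticated principal not authorized for requested user"` is clearer. Note too that `request->auth_request.user` receives the client-supplied authorization identity (L65-68) before `__gss_userok()` has accepted it, whereas the `#else` branch assigns it only after its checks; if that ordering is not deliberate (for instance to carry the requested user into the failure log), copy into the `name` local this commit declares, pass `name` to `__gss_userok()`, and set `request->auth_request.user = name;` after the `equal_authn_authz` test. gssapi_unwrap() begins before this hunk, so whether `outbuf.length >= 4` is enforced before the `+ 4` / `- 4` arithmetic at L67-68 cannot be confirmed here; the `return;` at L60 is presumably the tail of that check.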
@@ -319,6 +351,7 @@ static void gssapi_unwrap(struct gssapi_
(unsigned char *)outbuf.value + 4,
outbuf.length - 4);
+#endif
auth_request_success(&request->auth_request, NULL, 0);
}