dovecot-1.2: Support GSS-SPNEGO mechanism if GSSAPI library supp...
dovecot at dovecot.org
dovecot at dovecot.org
Wed Aug 13 23:23:00 EEST 2008
details: http://hg.dovecot.org/dovecot-1.2/rev/641d761219a6
changeset: 8094:641d761219a6
user: Timo Sirainen <tss at iki.fi>
date: Wed Aug 13 16:22:53 2008 -0400
description:
Support GSS-SPNEGO mechanism if GSSAPI library supports it.
Based on a patch by Jason Gunthorpe.
diffstat:
3 files changed, 72 insertions(+), 4 deletions(-)
configure.in | 35 +++++++++++++++++++++++++++++++++++
src/auth/mech-gssapi.c | 32 ++++++++++++++++++++++++++++----
src/auth/mech.c | 9 +++++++++
diffs (128 lines):
diff -r 9ca5e8f66d10 -r 641d761219a6 configure.in
--- a/configure.in Wed Aug 13 14:59:10 2008 -0400
+++ b/configure.in Wed Aug 13 16:22:53 2008 -0400
@@ -1805,6 +1805,41 @@ if test $want_gssapi != no; then
old_LIBS=$LIBS
LIBS="$LIBS $KRB5_LIBS"
AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity)
+
+ # does the kerberos library support SPNEGO?
+ AC_CACHE_CHECK([whether GSSAPI supports SPNEGO],i_cv_gssapi_spnego,[
+ AC_TRY_RUN([
+ #ifdef HAVE_GSSAPI_H
+ # include <gssapi.h>
+ #else
+ # include <gssapi/gssapi.h>
+ #endif
+ #include <krb5.h>
+ #include <string.h>
+ int main(void) {
+ OM_uint32 minor_status;
+ gss_OID_set mech_set;
+ unsigned char spnego_oid[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
+ unsigned int i;
+
+ gss_indicate_mechs(&minor_status, &mech_set);
+ for (i = 0; i < mech_set->count; i++) {
+ if (mech_set->elements[i].length == 6 &&
+ memcmp(mech_set->elements[i].elements,
+ spnego_oid, 6) == 0)
+ return 0;
+ }
+ return 1;
+ }
+ ], [
+ i_cv_gssapi_spnego=yes
+ ], [
+ i_cv_gssapi_spnego=no
+ ])
+ ])
+ if test "$i_cv_gssapi_spnego" = "yes"; then
+ AC_DEFINE(HAVE_GSSAPI_SPNEGO,, GSSAPI supports SPNEGO)
+ fi
LIBS=$old_LIBS
if test x$want_gssapi_plugin != xyes; then
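Review bot: The AC_TRY_RUN call added here passes only the success and failure actions, so when configure is cross-compiling the probe cannot run and autoconf stops instead of choosing a value; a fourth argument such as `[i_cv_gssapi_spnego=no]` would give a conservative default. The test program also ignores the major status returned by `gss_indicate_mechs` and then dereferences `mech_set`; `if (GSS_ERROR(gss_indicate_mechs(&minor_status, &mech_set))) return 1;` would make a failed call an explicit "no" rather than a crash. The result describes only the GSSAPI library on the build host, so a comment noting that HAVE_GSSAPI_SPNEGO does not guarantee SPNEGO support in the library loaded at run time would help packagers.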
diff -r 9ca5e8f66d10 -r 641d761219a6 src/auth/mech-gssapi.c
--- a/src/auth/mech-gssapi.c Wed Aug 13 14:59:10 2008 -0400
+++ b/src/auth/mech-gssapi.c Wed Aug 13 16:22:53 2008 -0400
@@ -552,6 +552,24 @@ const struct mech_module mech_gssapi = {
mech_gssapi_auth_free
};
+/* MTI Kerberos v1.5+ and Heimdal v0.7+ supports SPNEGO for Kerberos tickets
+ internally. Nothing else needs to be done here. Note however that this does
+ not support SPNEGO when the only available credential is NTLM.. */
+const struct mech_module mech_gssapi_spnego = {
+ "GSS-SPNEGO",
+
+ MEMBER(flags) 0,
+
+ MEMBER(passdb_need_plain) FALSE,
+ MEMBER(passdb_need_credentials) FALSE,
+ MEMBER(passdb_need_set_credentials) FALSE,
+
+ mech_gssapi_auth_new,
+ mech_gssapi_auth_initial,
+ mech_gssapi_auth_continue,
+ mech_gssapi_auth_free
+};
+
#ifndef BUILTIN_GSSAPI
void mech_gssapi_init(void);
void mech_gssapi_deinit(void);
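Review bot: `mech_gssapi_spnego` is defined here unconditionally, while its extern declaration and every registration in this commit sit under `#ifdef HAVE_GSSAPI_SPNEGO`; wrapping the definition in the same guard would keep an unusable "GSS-SPNEGO" module out of builds whose library lacks SPNEGO. The new module reuses all four `mech_gssapi_auth_*` handlers, whose bodies are outside this hunk, so it is not visible whether they check which mechanism SPNEGO actually negotiated before trusting the resulting principal. The comment could state that assumption explicitly, for example `/* handlers assume the negotiated mechanism is Kerberos 5 */`. The comment also has a typo, "MTI Kerberos" for "MIT Kerberos".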
@@ -559,12 +577,18 @@ void mech_gssapi_init(void)
void mech_gssapi_init(void)
{
mech_register_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+ mech_register_module(&mech_gssapi_spnego);
+#endif
}
void mech_gssapi_deinit(void)
{
mech_unregister_module(&mech_gssapi);
-}
-#endif
-
-#endif
+#ifdef HAVE_GSSAPI_SPNEGO
+ mech_unregister_module(&mech_gssapi_spnego);
+#endif
+}
+#endif
+
+#endif
diff -r 9ca5e8f66d10 -r 641d761219a6 src/auth/mech.c
--- a/src/auth/mech.c Wed Aug 13 14:59:10 2008 -0400
+++ b/src/auth/mech.c Wed Aug 13 16:22:53 2008 -0400
@@ -75,6 +75,9 @@ extern const struct mech_module mech_ano
#ifdef HAVE_GSSAPI
extern const struct mech_module mech_gssapi;
#endif
+#ifdef HAVE_GSSAPI_SPNEGO
+extern const struct mech_module mech_gssapi_spnego;
+#endif
extern const struct mech_module mech_winbind_ntlm;
extern const struct mech_module mech_winbind_spnego;
@@ -96,6 +99,9 @@ void mech_init(void)
mech_register_module(&mech_anonymous);
#ifdef BUILTIN_GSSAPI
mech_register_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+ mech_register_module(&mech_gssapi_spnego);
+#endif
#endif
}
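Review bot: The `mech_register_module(&mech_gssapi_spnego);` call added to mech_init may put a second module under the same SASL name, because the context of the previous hunk already declares `mech_winbind_spnego`. That module's name string and its registration are not visible on this page; if it is also registered as "GSS-SPNEGO", a lookup by name would depend on registration order and a client could be served by a different backend than the administrator expects. A guard or comment here should state which of the two SPNEGO modules takes precedence, and the matching unregister in the mech_deinit hunk should follow the same rule. mech_init's body begins outside this hunk.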
@@ -117,5 +123,8 @@ void mech_deinit(void)
mech_unregister_module(&mech_anonymous);
#ifdef BUILTIN_GSSAPI
mech_unregister_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+ mech_unregister_module(&mech_gssapi_spnego);
+#endif
#endif
}