[Dovecot] [PATCH] Support GSS-SPNEGO natively
Jason Gunthorpe
jgunthorpe at obsidianresearch.com
Tue Aug 12 20:31:20 EEST 2008
On Tue, Aug 12, 2008 at 01:11:47PM -0400, Timo Sirainen wrote:
> On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:
>
>> This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
>> simply passes SPNEGO packets directly to gssapi if the library is new
>> enough. There is even a configure feature test for the gssapi library
>> in that package's configure script. Note that Debian etch's standard
>> kerb libraries (1.4) are not good enough for this.
>
> Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal)
> and the version is new enough?

It has been ages since I touched autoconf, but this is the test that
libapache-mod-auth-kerb uses:

# If SPNEGO is supported by the gssapi libraries, we shouldn't build our support.
# SPNEGO is supported as of Heimdal 0.7, and MIT 1.5.
gssapi_supports_spnego=""
AC_MSG_CHECKING(whether the GSSAPI libraries support SPNEGO)
ac_save_CFLAGS="$CFLAGS"
CFLAGS="$KRB5_CPPFLAGS"
ac_save_LDFLAGS="$LDFLAGS"
LDFLAGS=$KRB5_LDFLAGS
AC_TRY_RUN([
#include <string.h>
#include <krb5.h>
#ifdef HEIMDAL
#include <gssapi.h>
#else
#include <gssapi/gssapi.h>
#endif
int main(int argc, char** argv)
{
    OM_uint32 major_status, minor_status;
    gss_OID_set mech_set;
    /* Encoded SPNEGO mechanism OID to look for */
    gss_OID_desc spnego_oid_desc = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
    int SPNEGO = 0;

    /* Ask the library which mechanisms it provides */
    major_status = gss_indicate_mechs(&minor_status, &mech_set);
    if (GSS_ERROR(major_status))
        return 1;
    else {
        unsigned int i;
        for (i=0; i < mech_set->count && !SPNEGO; i++) {
            gss_OID tmp_oid = &mech_set->elements[i];
            if (tmp_oid->length == spnego_oid_desc.length &&
                !memcmp(tmp_oid->elements, spnego_oid_desc.elements,
                        tmp_oid->length)) {
                SPNEGO = 1;
                break;
            }
        }
        gss_release_oid_set(&minor_status, &mech_set);
        /* Exit status 0 means SPNEGO was found */
        return (!SPNEGO);
    }
}],
  [ if test $? -eq 0; then
      AC_MSG_RESULT(yes)
      AC_DEFINE(GSSAPI_SUPPORTS_SPNEGO)
      gssapi_supports_spnego=yes
    else
      AC_MSG_RESULT(no)
    fi],
  [AC_MSG_RESULT(no)])

Jason
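
Added example (not part of the original message and not code from Dovecot or mod_auth_kerb): the test above matches the six bytes "\x2b\x06\x01\x05\x05\x02" against each mechanism OID. The decoder below turns such encoded OID bytes into dotted notation, which helps when checking by hand which mechanisms a GSSAPI library reports. The function name oid_to_dotted and the krb5 sample bytes are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample data: encoded content octets of two mechanism OIDs. */
static const unsigned char SPNEGO_OID[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
static const unsigned char KRB5_OID[] =
    {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};

/* Decode OID content octets to dotted text. Returns 0 on success, -1 on
 * malformed input (empty, truncated arc, arc too large) or a short buffer. */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t outsz)
{
    unsigned long arc = 0;
    size_t used = 0;
    int first = 1;

    if (len == 0 || outsz == 0 || (der[len - 1] & 0x80))
        return -1;              /* last octet must terminate an arc */
    for (size_t i = 0; i < len; i++) {
        if (arc > (0xffffffffUL >> 7))
            return -1;          /* refuse arcs that do not fit in 32 bits */
        arc = (arc << 7) | (der[i] & 0x7f);
        if (der[i] & 0x80)
            continue;           /* high bit set: more octets in this arc */
        int n;
        if (first) {            /* first sub-identifier encodes X*40 + Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outsz - used, "%lu.%lu", x, arc - x * 40);
            first = 0;
        } else {
            n = snprintf(out + used, outsz - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;          /* output buffer too small */
        used += (size_t)n;
        arc = 0;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    if (oid_to_dotted(SPNEGO_OID, sizeof SPNEGO_OID, buf, sizeof buf) == 0)
        printf("SPNEGO: %s\n", buf);
    if (oid_to_dotted(KRB5_OID, sizeof KRB5_OID, buf, sizeof buf) == 0)
        printf("krb5:   %s\n", buf);
    return 0;
}
```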