On Tue, Aug 12, 2008 at 01:11:47PM -0400, Timo Sirainen wrote:
On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:
This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that package's configure script. Note that Debian etch's standard kerb libraries (1.4) are not good enough for this.
Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal) and the version is new enough?
It has been ages since I touched autoconf, but this is the test that libapache-mod-auth-kerb uses:
# If SPNEGO is supported by the gssapi libraries, we shouldn't build our support.
# SPNEGO is supported as of Heimdal 0.7, and MIT 1.5.
gssapi_supports_spnego=""
AC_MSG_CHECKING(whether the GSSAPI libraries support SPNEGO)
ac_save_CFLAGS="$CFLAGS"
CFLAGS="$KRB5_CPPFLAGS"
ac_save_LDFLAGS="$LDFLAGS"
LDFLAGS=$KRB5_LDFLAGS
AC_TRY_RUN([
#include <string.h>
#include <krb5.h>
#ifdef HEIMDAL
#include <gssapi.h>
#else
#include <gssapi/gssapi.h>
#endif
int main(int argc, char** argv)
{
       OM_uint32 major_status, minor_status;
       gss_OID_set mech_set;
       gss_OID_desc spnego_oid_desc = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
       int SPNEGO = 0;

       major_status = gss_indicate_mechs(&minor_status, &mech_set);
       if (GSS_ERROR(major_status))
               return 1;
       else {
               unsigned int i;
               for (i=0; i < mech_set->count && !SPNEGO; i++) {
                       gss_OID tmp_oid = &mech_set->elements[i];
                       if (tmp_oid->length == spnego_oid_desc.length &&
                           !memcmp(tmp_oid->elements, spnego_oid_desc.elements, tmp_oid->length)) {
                               SPNEGO = 1;
                               break;
                       }
               }
               gss_release_oid_set(&minor_status, &mech_set);
               return (!SPNEGO);
       }
}],
  [ if test $? -eq 0; then
      AC_MSG_RESULT(yes)
      AC_DEFINE(GSSAPI_SUPPORTS_SPNEGO)
      gssapi_supports_spnego=yes
    else
      AC_MSG_RESULT(no)
    fi],
  [AC_MSG_RESULT(no)])
Jason
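
Added example (not part of the original message or of mod_auth_kerb): a small C helper that decodes the OID content octets the test above compares, so the mechanisms a GSSAPI library reports can be read in dotted form, plus the same length-and-memcmp membership check. `struct oid`, `oid_to_dotted` and `mech_set_has` are hypothetical names standing in for `gss_OID_desc` and a `gss_OID_set` so the code builds without GSSAPI headers; the Kerberos 5 mechanism OID is included for comparison.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_OID_desc (length + DER content octets); hypothetical type. */
struct oid { unsigned int length; const void *elements; };
static const struct oid SPNEGO_OID = {6, "\x2b\x06\x01\x05\x05\x02"};
static const struct oid KRB5_OID = {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};

/* Decode OID content octets to dotted form; 0 on success, -1 if malformed or buffer too small. */
int oid_to_dotted(const struct oid *o, char *out, size_t outlen)
{
    const unsigned char *p = o->elements;
    unsigned long arc = 0;
    size_t used = 0;
    unsigned int i, first = 1;

    if (o->length == 0 || outlen == 0) return -1;
    for (i = 0; i < o->length; i++) {
        int n;
        if (arc > (~0UL >> 7)) return -1;      /* arc would overflow */
        arc = (arc << 7) | (p[i] & 0x7f);      /* base-128, high bit = more octets follow */
        if (p[i] & 0x80) continue;
        if (first) {                           /* first octet group packs two arcs: 40*a + b */
            unsigned long a = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outlen - used, "%lu.%lu", a, arc - a * 40);
        } else {
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n; arc = 0; first = 0;
    }
    return (p[o->length - 1] & 0x80) ? -1 : 0; /* last arc must be terminated */
}

/* Same comparison as the configure test, over an array standing in for a gss_OID_set. */
int mech_set_has(const struct oid *set, size_t count, const struct oid *want)
{
    size_t i;
    for (i = 0; i < count; i++)
        if (set[i].length == want->length &&
            !memcmp(set[i].elements, want->elements, want->length))
            return 1;
    return 0;
}

int main(void)
{
    char buf[64];
    if (oid_to_dotted(&SPNEGO_OID, buf, sizeof buf) == 0) printf("SPNEGO mechanism OID: %s\n", buf);
    return 0;
}
```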