From: Stephan Bosch
Date: Sat, 28 Oct 2023 05:03:23 +0000 (+0200)
Subject: auth: sasl-server-mech-gssapi - Implement mechanism-specific settings
X-Git-Tag: 2.4.2~176
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=304b49b05d904944fdd74fcac4076b06bd980600;p=thirdparty%2Fdovecot%2Fcore.git
auth: sasl-server-mech-gssapi - Implement mechanism-specific settings
---
diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am
index 2dba3a4dce..4331791ff7 100644
--- a/src/auth/Makefile.am
+++ b/src/auth/Makefile.am
@@ -152,7 +152,8 @@ if HAVE_GSSAPI
 if !GSSAPI_PLUGIN
 auth_common_sources += \
 auth-sasl-mech-gssapi.c \
- auth-sasl-mech-gss-spnego.c
+ auth-sasl-mech-gss-spnego.c \
+ auth-sasl-gssapi.c
 endif
 endif
@@ -201,6 +202,7 @@ libmech_gssapi_la_LIBADD = $(KRB5_LIBS)
 libmech_gssapi_la_CPPFLAGS = $(AM_CPPFLAGS) $(KRB5_CFLAGS) -DPLUGIN_BUILD
 libmech_gssapi_la_SOURCES = \
 sasl-server-mech-gssapi.c \
+ auth-sasl-gssapi.c \
 auth-sasl-mech-gssapi.c
 libmech_gss_spnego_la_LDFLAGS = -module -avoid-version
@@ -208,6 +210,7 @@ libmech_gss_spnego_la_LIBADD = $(KRB5_LIBS)
 libmech_gss_spnego_la_CPPFLAGS = $(AM_CPPFLAGS) $(KRB5_CFLAGS) -DPLUGIN_BUILD
 libmech_gss_spnego_la_SOURCES = \
 sasl-server-mech-gssapi.c \
+ auth-sasl-gssapi.c \
 auth-sasl-mech-gss-spnego.c
 endif
diff --git a/src/auth/auth-sasl-gssapi.c b/src/auth/auth-sasl-gssapi.c
new file mode 100644
index 0000000000..9b692d3e36
--- /dev/null
+++ b/src/auth/auth-sasl-gssapi.c
@@ -0,0 +1,15 @@
+/* Copyright (c) 2023 Dovecot authors, see the included COPYING file */
+
+#include "auth-common.h"
+#include "sasl-server.h"
+#include "auth-sasl.h"
+#include "auth-sasl-gssapi.h"
+void auth_sasl_mech_gssapi_settings_init(
+ const struct auth_settings *set,
+ struct sasl_server_gssapi_settings *gss_set_r)
+{
+ i_zero(gss_set_r);
+ gss_set_r->hostname = set->gssapi_hostname;
+ gss_set_r->krb5_keytab = set->krb5_keytab;
+}
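Review bot: auth_sasl_mech_gssapi_settings_init stores the `set->gssapi_hostname` and `set->krb5_keytab` pointers into `gss_set_r` without duplicating them, so the filled struct is only valid for as long as `set` is; the two callers in this commit pass a stack variable straight into registration, which is fine, but nothing records that constraint. A one-line comment above the function would keep a later caller from caching the struct: `/* Fills gss_set_r with pointers borrowed from set; valid only while set is alive. */`. The function also relies on both settings being non-NULL strings, which the auth settings layer presumably guarantees but which nothing here checks.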
diff --git a/src/auth/auth-sasl-gssapi.h b/src/auth/auth-sasl-gssapi.h
index 71f61071cb..fc90cd8b43 100644
--- a/src/auth/auth-sasl-gssapi.h
+++ b/src/auth/auth-sasl-gssapi.h
@@ -1,6 +1,12 @@
 #ifndef AUTH_SASL_MECH_GSSAPI_H
 #define AUTH_SASL_MECH_GSSAPI_H
+#include "sasl-server-gssapi.h"
+
+void auth_sasl_mech_gssapi_settings_init(
+ const struct auth_settings *set,
+ struct sasl_server_gssapi_settings *gss_set_r);
+
 #ifdef BUILTIN_GSSAPI
 void auth_sasl_mech_gssapi_register(void);
 void auth_sasl_mech_gss_spnego_register(void);
diff --git a/src/auth/auth-sasl-mech-gss-spnego.c b/src/auth/auth-sasl-mech-gss-spnego.c
index 787160796f..cd73579f6c 100644
--- a/src/auth/auth-sasl-mech-gss-spnego.c
+++ b/src/auth/auth-sasl-mech-gss-spnego.c
@@ -12,9 +12,12 @@ static struct auth_sasl_mech_module mech_gss_spnego;
 static bool
 mech_gss_spnego_register(struct sasl_server_instance *sasl_inst,
- const struct auth_settings *set ATTR_UNUSED)
+ const struct auth_settings *set)
 {
- sasl_server_mech_register_gss_spnego(sasl_inst);
+ struct sasl_server_gssapi_settings gss_set;
+
+ auth_sasl_mech_gssapi_settings_init(set, &gss_set);
+ sasl_server_mech_register_gss_spnego(sasl_inst, &gss_set);
 return TRUE;
 }
diff --git a/src/auth/auth-sasl-mech-gssapi.c b/src/auth/auth-sasl-mech-gssapi.c
index 3a04022330..ba7ce66567 100644
--- a/src/auth/auth-sasl-mech-gssapi.c
+++ b/src/auth/auth-sasl-mech-gssapi.c
@@ -8,9 +8,12 @@
 static bool
 mech_gssapi_register(struct sasl_server_instance *sasl_inst,
- const struct auth_settings *set ATTR_UNUSED)
+ const struct auth_settings *set)
 {
- sasl_server_mech_register_gssapi(sasl_inst);
+ struct sasl_server_gssapi_settings gss_set;
+
+ auth_sasl_mech_gssapi_settings_init(set, &gss_set);
+ sasl_server_mech_register_gssapi(sasl_inst, &gss_set);
 return TRUE;
 }
diff --git a/src/auth/sasl-server-gssapi.h b/src/auth/sasl-server-gssapi.h
index e21533ef2e..0a6ef416f9 100644
--- a/src/auth/sasl-server-gssapi.h
+++ b/src/auth/sasl-server-gssapi.h
@@ -1,10 +1,19 @@
 #ifndef SASL_SERVER_GSSAPI_H
 #define SASL_SERVER_GSSAPI_H
-void sasl_server_mech_register_gssapi(struct sasl_server_instance *sinst);
+struct sasl_server_gssapi_settings {
+ const char *hostname;
+ const char *krb5_keytab;
+};
+
+void sasl_server_mech_register_gssapi(
+ struct sasl_server_instance *sinst,
+ const struct sasl_server_gssapi_settings *set);
 void sasl_server_mech_unregister_gssapi(struct sasl_server_instance *sinst);
-void sasl_server_mech_register_gss_spnego(struct sasl_server_instance *sinst);
+void sasl_server_mech_register_gss_spnego(
+ struct sasl_server_instance *sinst,
+ const struct sasl_server_gssapi_settings *set);
 void sasl_server_mech_unregister_gss_spnego(struct sasl_server_instance *sinst);
 #endif
diff --git a/src/auth/sasl-server-mech-gssapi.c b/src/auth/sasl-server-mech-gssapi.c
index afe8fce8d9..1eacc42f1b 100644
--- a/src/auth/sasl-server-mech-gssapi.c
+++ b/src/auth/sasl-server-mech-gssapi.c
@@ -22,8 +22,6 @@
 #include "sasl-server-protected.h"
 #include "sasl-server-gssapi.h"
-#if defined(BUILTIN_GSSAPI) || defined(PLUGIN_BUILD)
-
 #ifdef HAVE_GSSAPI_GSSAPI_H
 # include
 #elif defined (HAVE_GSSAPI_H)
@@ -65,14 +63,17 @@ struct gssapi_auth_request {
 gss_name_t authz_name;
 };
-static bool gssapi_initialized = FALSE;
+struct gssapi_auth_mech {
+ struct sasl_server_mech mech;
+
+ const char *hostname;
+};
 static gss_OID_desc mech_gssapi_krb5_oid =
 { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
 static int mech_gssapi_wrap(struct gssapi_auth_request *request,
 gss_buffer_desc inbuf);
-static void mech_gssapi_initialize(const struct auth_settings *set);
 static void mech_gssapi_log_error(struct gssapi_auth_request *request,
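Review bot: The new public `struct sasl_server_gssapi_settings` carries no field documentation, although both fields decide security-relevant behaviour that this commit spreads over sasl-server-mech-gssapi.c: `hostname` becomes the host part of the acceptor principal `<protocol>@<hostname>`, and the literal `"$ALL"` makes the mechanism use GSS_C_NO_CREDENTIAL, i.e. accept any entry in the keytab; `krb5_keytab` is only consumed when it is non-empty. I would document that on the struct itself: `/* Host part of the acceptor principal "<protocol>@<hostname>"; "$ALL" accepts any keytab entry (GSS_C_NO_CREDENTIAL). */` and `/* Keytab path read when the mechanism is registered; "" leaves the library default untouched. */`. It is also worth saying that the register functions duplicate `hostname` into the mechanism's pool and read `krb5_keytab` immediately, so as far as the visible code shows the caller need not keep the struct alive afterwards.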
@@ -115,17 +116,15 @@ obtain_service_credentials(struct gssapi_auth_request *request,
 gss_cred_id_t *ret_r)
 {
 struct sasl_server_mech_request *auth_request = &request->auth_request;
+ const struct gssapi_auth_mech *gss_mech =
+ container_of(auth_request->mech,
+ const struct gssapi_auth_mech, mech);
 OM_uint32 major_status, minor_status;
 string_t *principal_name;
 gss_buffer_desc inbuf;
 gss_name_t gss_principal;
- if (!gssapi_initialized) {
- gssapi_initialized = TRUE;
- mech_gssapi_initialize(auth_request->request->set);
- }
-
- if (strcmp(auth_request->request->set->gssapi_hostname, "$ALL") == 0) {
+ if (strcmp(gss_mech->hostname, "$ALL") == 0) {
 e_debug(auth_request->mech_event,
 "Using all keytab entries");
 *ret_r = GSS_C_NO_CREDENTIAL;
@@ -135,7 +134,7 @@ obtain_service_credentials(struct gssapi_auth_request *request,
 principal_name = t_str_new(128);
 str_append(principal_name, auth_request->protocol);
 str_append_c(principal_name, '@');
- str_append(principal_name, auth_request->request->set->gssapi_hostname);
+ str_append(principal_name, gss_mech->hostname);
 e_debug(auth_request->mech_event,
 "Obtaining credentials for %s", str_c(principal_name));
@@ -674,11 +673,22 @@ mech_gssapi_auth_free(struct sasl_server_mech_request *auth_request)
 (void)gss_release_name(&minor_status, &request->authz_name);
 }
+static struct sasl_server_mech *mech_gssapi_mech_new(pool_t pool)
+{
+ struct gssapi_auth_mech *gss_mech;
+
+ gss_mech = p_new(pool, struct gssapi_auth_mech, 1);
+
+ return &gss_mech->mech;
+}
+
 static const struct sasl_server_mech_funcs mech_gssapi_funcs = {
 .auth_new = mech_gssapi_auth_new,
 .auth_initial = mech_gssapi_auth_initial,
 .auth_continue = mech_gssapi_auth_continue,
 .auth_free = mech_gssapi_auth_free,
+
+ .mech_new = mech_gssapi_mech_new,
 };
 static const struct sasl_server_mech_def mech_gssapi = {
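Review bot: The `strcmp(gss_mech->hostname, "$ALL")` line now compares a value captured once at mechanism registration, whereas the removed line read `auth_request->request->set->gssapi_hostname` on every request; if the auth settings layer can override `gssapi_hostname` per connection or per protocol (I cannot tell from this hunk), that override silently stops influencing which acceptor principal is selected, and the difference between `"$ALL"` (any keytab entry, GSS_C_NO_CREDENTIAL) and a specific host is a security-relevant one. This deserves a sentence in the commit message or a comment at the new `gss_mech` declaration: `/* Acceptor hostname is fixed at mechanism registration; per-request settings no longer affect it. */`. The container_of also assumes `auth_request->mech` was allocated by mech_gssapi_mech_new, which holds for mechanisms registered through this file's register functions. obtain_service_credentials continues past the end of the hunk.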
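Review bot: mech_gssapi_mech_new returns a `gssapi_auth_mech` whose `hostname` is NULL (p_new zeroes the allocation) and relies on the register path filling it in before any request runs; if `sasl_server_mech_register()` is ever called directly with `mech_gssapi` or `mech_gss_spnego`, obtain_service_credentials' `strcmp(gss_mech->hostname, "$ALL")` dereferences NULL. A comment on the allocator makes the contract visible to the next person wiring a mechanism: `/* hostname is filled in by mech_gssapi_register(); do not register these defs with sasl_server_mech_register() directly. */`.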
@@ -702,8 +712,19 @@ static const struct sasl_server_mech_def mech_gss_spnego = {
 .funcs = &mech_gssapi_funcs,
 };
-static void mech_gssapi_initialize(const struct auth_settings *set)
+static void
+mech_gssapi_register(struct sasl_server_instance *sinst,
+ const struct sasl_server_mech_def *mech_def,
+ const struct sasl_server_gssapi_settings *set)
 {
+ struct sasl_server_mech *mech;
+ struct gssapi_auth_mech *gss_mech;
+
+ mech = sasl_server_mech_register(sinst, mech_def);
+
+ gss_mech = container_of(mech, struct gssapi_auth_mech, mech);
+ gss_mech->hostname = p_strdup(mech->pool, set->hostname);
+
 const char *path = set->krb5_keytab;
 if (*path != '\0') {
@@ -717,9 +738,11 @@ static void mech_gssapi_initialize(const struct auth_settings *set)
 }
 }
-void sasl_server_mech_register_gssapi(struct sasl_server_instance *sinst)
+void sasl_server_mech_register_gssapi(
+ struct sasl_server_instance *sinst,
+ const struct sasl_server_gssapi_settings *set)
 {
- sasl_server_mech_register(sinst, &mech_gssapi);
+ mech_gssapi_register(sinst, &mech_gssapi, set);
 }
 void sasl_server_mech_unregister_gssapi(struct sasl_server_instance *sinst)
@@ -727,14 +750,14 @@ void sasl_server_mech_unregister_gssapi(struct sasl_server_instance *sinst)
 sasl_server_mech_unregister(sinst, &mech_gssapi);
 }
-void sasl_server_mech_register_gss_spnego(struct sasl_server_instance *sinst)
+void sasl_server_mech_register_gss_spnego(
+ struct sasl_server_instance *sinst,
+ const struct sasl_server_gssapi_settings *set)
 {
- sasl_server_mech_register(sinst, &mech_gss_spnego);
+ mech_gssapi_register(sinst, &mech_gss_spnego, set);
 }
 void sasl_server_mech_unregister_gss_spnego(struct sasl_server_instance *sinst)
 {
 sasl_server_mech_unregister(sinst, &mech_gss_spnego);
 }
-
-#endif
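Review bot: mech_gssapi_register dereferences the caller's pointers unchecked: `if (*path != '\0')` crashes on `krb5_keytab == NULL`, and `p_strdup(mech->pool, set->hostname)` turns a NULL `hostname` into a NULL that obtain_service_credentials later hands to strcmp. Now that this is reached through a public header (sasl-server-gssapi.h) rather than the auth settings struct, I would add `i_assert(set->hostname != NULL);` after the container_of line and change the keytab check to `if (path != NULL && *path != '\0') {`. Note also that this function runs once per mechanism, so registering both GSSAPI and GSS-SPNEGO applies the keytab block twice; the removed `gssapi_initialized` guard suggests what it sets is process-wide rather than per instance (the consuming code is outside the hunk), in which case the last registration wins if the two are given different settings, and a comment to that effect would help. The function body continues past the end of the hunk.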