From: Aki Tuomi
Date: Fri, 3 Mar 2023 09:48:38 +0000 (+0200)
Subject: auth: mech-gssapi - Remove KRB5_USEROK check
X-Git-Tag: 2.4.0~2948
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=578740a489e97945b70bc1755394a5e30ae803d0;p=thirdparty%2Fdovecot%2Fcore.git

auth: mech-gssapi - Remove KRB5_USEROK check

It should be there always these days. Enables cross-realm and cross-identity authentication always.
---
diff --git a/m4/want_gssapi.m4 b/m4/want_gssapi.m4
index c834333bb2..ae60473a78 100644
--- a/m4/want_gssapi.m4
+++ b/m4/want_gssapi.m4
@@ -40,11 +40,6 @@ AC_DEFUN([DOVECOT_WANT_GSSAPI], [
 ])
 AC_DEFINE(HAVE_GSSAPI,, [Build with GSSAPI support])
 AC_CHECK_HEADERS(gssapi/gssapi_ext.h gssapi_krb5.h gssapi/gssapi_krb5.h)
- AC_CHECK_LIB(gss, __gss_userok, [
- AC_DEFINE(HAVE___GSS_USEROK,,
- [Define if you have __gss_userok()])
- KRB5_LIBS="$KRB5_LIBS -lgss"
- ],, $KRB5_LIBS)
 # MIT has a #define for Heimdal acceptor_identity, but it's way too
 # difficult to test for it..
diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c
index 466cd4d508..66444a16df 100644
--- a/src/auth/mech-gssapi.c
+++ b/src/auth/mech-gssapi.c
@@ -24,11 +24,6 @@
 #if defined(BUILTIN_GSSAPI) || defined(PLUGIN_BUILD)
-#ifndef HAVE___GSS_USEROK
-# define USE_KRB5_USEROK
-# include
-#endif
-
 #ifdef HAVE_GSSAPI_GSSAPI_H
 # include
 #elif defined (HAVE_GSSAPI_H)
@@ -39,8 +34,6 @@
 # include
 #elif defined (HAVE_GSSAPI_KRB5_H)
 # include
-#else
-# undef USE_KRB5_USEROK
 #endif
 #ifdef HAVE_GSSAPI_GSSAPI_EXT_H
@@ -403,7 +396,6 @@ mech_gssapi_wrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
 return 0;
 }
-#ifdef USE_KRB5_USEROK
 static bool
 k5_principal_is_authorized(struct auth_request *request, const char *name)
 {
@@ -480,7 +472,6 @@ mech_gssapi_krb5_userok(struct gssapi_auth_request *request,
 krb5_free_context(ctx);
 return authorized;
 }
-#endif
 static int
 mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
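Review bot: Nothing visible in this macro checks for the krb5 userok pieces that mech-gssapi.c compiles unconditionally after this commit. The remaining `AC_CHECK_HEADERS` line only probes the gssapi headers, and the C file's former `#else` / `# undef USE_KRB5_USEROK` fallback is removed in the mech-gssapi.c hunk at -39,8. A system with neither gssapi_krb5 header would therefore hit a compile error instead of building with the feature disabled. Consider failing at configure time with a clear message, for example an `AC_MSG_ERROR([GSSAPI krb5 headers not found])` in the not-found branch of the header check. The macro body continues outside the hunk, so an existing check there may already cover this.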
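Review bot: The hunk at -24,11 removes an `# include` along with `USE_KRB5_USEROK`, yet the krb5 calls that the guard protected are now always compiled (`krb5_free_context(ctx)` is visible in the hunk at -480,7). The header name is not legible on this page; if it was the krb5 header, its declarations must now arrive indirectly through one of the gssapi includes below. That is worth confirming on both MIT and Heimdal rather than assuming. If the indirect include is intended, a comment above the include chain such as `/* krb5 declarations are pulled in via the gssapi krb5 header */` would record the dependency for the next maintainer.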
@@ -488,9 +479,6 @@ mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
 struct auth_request *auth_request = &request->auth_request;
 OM_uint32 major_status, minor_status;
 int equal_authn_authz;
-#ifdef HAVE___GSS_USEROK
- int login_ok;
-#endif
 /* if authn and authz names equal, don't bother checking further. */
 major_status = gss_compare_name(&minor_status,
@@ -507,24 +495,6 @@ mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
 if (equal_authn_authz != 0)
 return 0;
- /* handle cross-realm authentication */
-#ifdef HAVE___GSS_USEROK
- /* Solaris */
- major_status = __gss_userok(&minor_status, request->authn_name,
- login_user, &login_ok);
- if (GSS_ERROR(major_status) != 0) {
- mech_gssapi_log_error(auth_request, major_status,
- GSS_C_GSS_CODE, "__gss_userok failed");
- return -1;
- }
-
- if (login_ok == 0) {
- e_info(auth_request->mech_event,
- "User not authorized to log in as %s", login_user);
- return -1;
- }
- return 0;
-#elif defined(USE_KRB5_USEROK)
 if (!mech_gssapi_krb5_userok(request, request->authn_name,
 login_user, TRUE)) {
 e_info(auth_request->mech_event,
@@ -533,13 +503,6 @@ mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
 }
 return 0;
-#else
- e_info(auth_request->mech_event,
- "Cross-realm authentication not supported "
- "(authn_name=%s, authz_name=%s)",
- request->auth_request.fields.original_username, login_user);
- return -1;
-#endif
 }
 static void
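Review bot: In the hunk at -507,24 the surviving `mech_gssapi_krb5_userok()` call becomes the only authorization decision for a login whose authenticated name differs from the requested user, and with `/* handle cross-realm authentication */` removed nothing at the call site says so. I would keep a comment there, e.g. `/* authn name differs from requested login: allow only if krb5 userok authorizes the principal */`. The hunk at -533,13 also drops the `#else` branch that rejected such logins outright, so builds that previously refused them will now accept whatever that helper authorizes (presumably k5login-style rules; its body is outside these hunks). The release notes should tell operators to review those rules and to monitor the "not authorized" info log and successful logins where the two names differ. The function body starts and ends outside the hunks shown.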