From: Timo Sirainen
Date: Wed, 13 Aug 2008 20:22:53 +0000 (-0400)
Subject: Support GSS-SPNEGO mechanism if GSSAPI library supports it.
X-Git-Tag: 1.2.alpha1~67
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=704fbadd78375da18dcaf2c5d93ac8cfe2c61358;p=thirdparty%2Fdovecot%2Fcore.git
Support GSS-SPNEGO mechanism if GSSAPI library supports it. Based on a patch by Jason Gunthorpe.
--HG--
branch : HEAD
---
diff --git a/configure.in b/configure.in
index 4bd2465551..2bebb27544 100644
--- a/configure.in
+++ b/configure.in
@@ -1805,6 +1805,41 @@ if test $want_gssapi != no; then
 old_LIBS=$LIBS
 LIBS="$LIBS $KRB5_LIBS"
 AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity)
+
+ # does the kerberos library support SPNEGO?
+ AC_CACHE_CHECK([whether GSSAPI supports SPNEGO],i_cv_gssapi_spnego,[
+ AC_TRY_RUN([
+ #ifdef HAVE_GSSAPI_H
+ # include
+ #else
+ # include
+ #endif
+ #include
+ #include
+ int main(void) {
+ OM_uint32 minor_status;
+ gss_OID_set mech_set;
+ unsigned char spnego_oid[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
+ unsigned int i;
+
+ gss_indicate_mechs(&minor_status, &mech_set);
+ for (i = 0; i < mech_set->count; i++) {
+ if (mech_set->elements[i].length == 6 &&
+ memcmp(mech_set->elements[i].elements,
+ spnego_oid, 6) == 0)
+ return 0;
+ }
+ return 1;
+ }
+ ], [
+ i_cv_gssapi_spnego=yes
+ ], [
+ i_cv_gssapi_spnego=no
+ ])
+ ])
+ if test "$i_cv_gssapi_spnego" = "yes"; then
+ AC_DEFINE(HAVE_GSSAPI_SPNEGO,, GSSAPI supports SPNEGO)
+ fi
 LIBS=$old_LIBS
 if test x$want_gssapi_plugin != xyes; then
diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c
index 1817d47df7..f88ad54cbf 100644
--- a/src/auth/mech-gssapi.c
+++ b/src/auth/mech-gssapi.c
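Review bot: The probe program in the configure.in hunk calls `gss_indicate_mechs(&minor_status, &mech_set);` without checking its result and then dereferences `mech_set`, which is still uninitialised if the call failed, so a failure is reported as "no" only by way of a crash. Initialise the set and bail out explicitly, e.g. `gss_OID_set mech_set = GSS_C_NO_OID_SET;` and `if (gss_indicate_mechs(&minor_status, &mech_set) != GSS_S_COMPLETE) return 1;`. The `AC_TRY_RUN` call also has no fourth (cross-compiling) argument, so configure cannot answer the check in a cross build; a conservative `i_cv_gssapi_spnego=no` default there would keep the mechanism off unless it was actually detected. Because this is a run-time probe of the build host's library, a short comment next to `AC_DEFINE(HAVE_GSSAPI_SPNEGO...)` saying that the result may not match the GSSAPI library present on the deployment host would help packagers.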
@@ -552,6 +552,24 @@ const struct mech_module mech_gssapi = {
 mech_gssapi_auth_free
 };
+/* MTI Kerberos v1.5+ and Heimdal v0.7+ supports SPNEGO for Kerberos tickets
+ internally. Nothing else needs to be done here. Note however that this does
+ not support SPNEGO when the only available credential is NTLM.. */
+const struct mech_module mech_gssapi_spnego = {
+ "GSS-SPNEGO",
+
+ MEMBER(flags) 0,
+
+ MEMBER(passdb_need_plain) FALSE,
+ MEMBER(passdb_need_credentials) FALSE,
+ MEMBER(passdb_need_set_credentials) FALSE,
+
+ mech_gssapi_auth_new,
+ mech_gssapi_auth_initial,
+ mech_gssapi_auth_continue,
+ mech_gssapi_auth_free
+};
+
 #ifndef BUILTIN_GSSAPI
 void mech_gssapi_init(void);
 void mech_gssapi_deinit(void);
@@ -559,11 +577,17 @@ void mech_gssapi_deinit(void);
 void mech_gssapi_init(void)
 {
 mech_register_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+ mech_register_module(&mech_gssapi_spnego);
+#endif
 }
 void mech_gssapi_deinit(void)
 {
 mech_unregister_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+ mech_unregister_module(&mech_gssapi_spnego);
+#endif
 }
 #endif
diff --git a/src/auth/mech.c b/src/auth/mech.c
index 980326cdb5..f357602644 100644
--- a/src/auth/mech.c
+++ b/src/auth/mech.c
@@ -75,6 +75,9 @@ extern const struct mech_module mech_anonymous;
 #ifdef HAVE_GSSAPI
 extern const struct mech_module mech_gssapi;
 #endif
+#ifdef HAVE_GSSAPI_SPNEGO
+extern const struct mech_module mech_gssapi_spnego;
+#endif
 extern const struct mech_module mech_winbind_ntlm;
 extern const struct mech_module mech_winbind_spnego;
@@ -96,6 +99,9 @@ void mech_init(void)
 mech_register_module(&mech_anonymous);
 #ifdef BUILTIN_GSSAPI
 mech_register_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+ mech_register_module(&mech_gssapi_spnego);
+#endif
 #endif
 }
@@ -117,5 +123,8 @@ void mech_deinit(void)
 mech_unregister_module(&mech_anonymous);
 #ifdef BUILTIN_GSSAPI
 mech_unregister_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+ mech_unregister_module(&mech_gssapi_spnego);
+#endif
 #endif
 }
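Review bot: `mech_gssapi_spnego` reuses the four `mech_gssapi_auth_*` handlers unchanged, so whether a GSS-SPNEGO exchange is guaranteed to end in a Kerberos 5 context depends on code outside this hunk. Under SPNEGO the library chooses the inner mechanism, and the new comment itself notes the NTLM-only case is unsupported; if the shared handlers do not already do so, the continue path should look at the mechanism OID returned by `gss_accept_sec_context` and fail the request for anything other than Kerberos 5 before the client name is used. The comment should state that assumption rather than "Nothing else needs to be done here", and "MTI Kerberos" should read "MIT Kerberos". The struct is also defined unconditionally while every registration of it is under `#ifdef HAVE_GSSAPI_SPNEGO`; guarding the definition the same way would keep the two in step.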
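Review bot: In `mech_init()` the new `#ifdef HAVE_GSSAPI_SPNEGO` block sits inside `#ifdef BUILTIN_GSSAPI` and leaves two consecutive bare `#endif` lines; the same shape is repeated in `mech_deinit()` in the next hunk. Labelling them, `#endif /* HAVE_GSSAPI_SPNEGO */` and `#endif /* BUILTIN_GSSAPI */`, would make it clear which condition controls registration of each mechanism. Both function bodies start outside their hunks, so this is based only on the lines shown.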