From 82d0e434b7e59e92893711225011e942629b3080 Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Mon, 2 Aug 1999 17:47:14 +0000 Subject: Heimdal GSSAPI patches. svn path=/trunk/; revision=2533 --- NEWS | 2 ++ acconfig.h | 6 ++++++ configure.in | 48 ++++++++++++++++++++++++++++++++++++++++++------ driver.c | 7 +++++++ imap.c | 30 ++++++++++++++++++++++++++---- 5 files changed, 83 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index 1dd73163..023b5b64 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,8 @@ fetchmail-5.0.6 (): * In UID files, split on *rightmost* @ as some dialups actually embed @ in usernames. * Detect Intermail server's "wait a few minutes" message and cope. +* Patches for Heimdal implementation of GSSAPI from Leif Johansson + . Somebody should test this against the MIT version. Warning: CompuServe changed their POP3 system on 31 July 1999. In doing so, they broke fetchmail's RPA support. Nobody has sent me either code that diff --git a/acconfig.h b/acconfig.h index d0f1c611..48cd9abc 100644 --- a/acconfig.h +++ b/acconfig.h @@ -109,6 +109,12 @@ /* Define if you want GSSAPI authentication */ #undef GSSAPI +/* Define if you have HEIMDAL kerberos 5 */ +#undef HEIMDAL + +/* Define if you have MIT kerberos */ +#undef HAVE_GSS_C_NT_HOSTBASED_SERVICE + /* Define if you want built-in SOCKS support */ #undef HAVE_SOCKS diff --git a/configure.in b/configure.in index c2255954..642d45e9 100644 --- a/configure.in +++ b/configure.in @@ -147,6 +147,9 @@ AC_CHECK_FUNC(res_search, AC_CHECK_LIB(resolv,res_search, [AC_DEFINE(HAVE_RES_SEARCH) AC_MSG_RESULT(found resolver functions in libresolv); LIBS="$LIBS -lresolv"], AC_MSG_RESULT(no resolver calls found))) +dnl Check for libcrypt +AC_CHECK_LIB(crypt,crypt) + dnl AC_FUNC_SETVBUF_REVERSED dnl Check for usable void pointer type 
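Review bot: The comment added above `HAVE_GSS_C_NT_HOSTBASED_SERVICE` in the acconfig.h hunk reads "Define if you have MIT kerberos", but the configure.in change in this same commit defines the macro whenever the GSSAPI header mentions `GSS_C_NT_HOSTBASED_SERVICE`, whichever implementation is installed. imap.c uses the macro's absence to fall back to `gss_nt_service_name`, so a maintainer reading the template would draw the wrong conclusion about which builds take the fallback. I would word it `/* Define if your GSSAPI headers declare GSS_C_NT_HOSTBASED_SERVICE */`.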
@@ -307,7 +310,13 @@ then # Path given CEFLAGS="$CEFLAGS -DKERBEROS_V5 -I$with_kerberos5/include" LDEFLAGS="$LDEFLAGS -L$with_kerberos5/lib" - LIBS="$LIBS -lkrb5 -lcrypto -lcom_err" + if test -f "$with_kerberos5/include/roken.h" + then + AC_DEFINE(HEIMDAL) + LIBS="$LIBS -lkrb5 -lasn1 -ldes -lroken -lcom_err" + else + LIBS="$LIBS -lkrb5 -lcrypto -lcom_err" + fi else if test "$with_kerberos5" != "no" ; then for dir in /usr/kerberos /usr/local/krb5 /usr/athena @@ -316,7 +325,13 @@ else then CEFLAGS="$CEFLAGS -DKERBEROS_V5 -I$dir/include" LDEFLAGS="$LDEFLAGS -L$dir/lib" - LIBS="$LIBS -lkrb5 -lcrypto -lcom_err" + if test -f "$dir/include/roken.h" + then + AC_DEFINE(HEIMDAL) + LIBS="$LIBS -lkrb5 -lasn1 -ldes -lcom_err" + else + LIBS="$LIBS -lkrb5 -lcrypto -lcom_err" + fi with_kerberos5=$dir break fi @@ -341,7 +356,13 @@ elif test -n "$with_kerberos" -a -n "$with_kerberos5" then CEFLAGS="$CEFLAGS -DKERBEROS_V4 -I$with_kerberos/include" LDEFLAGS="$LDEFLAGS -L$with_kerberos/lib" - LIBS="-lkrb4 -ldes425 $LIBS" + if test -f "$with_kerberos5/roken.h" + then + AC_DEFINE(HEIMDAL) + LIBS="-lkrb4 -l45 $LIBS" + else + LIBS="-lkrb4 -ldes425 $LIBS" + fi elif test -n "$with_kerberos5" then for dir in /usr/kerberos /usr/kerberosIV /usr/athena 
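Review bot: The Heimdal link line in the directory-search branch (hunk at -316) is `-lkrb5 -lasn1 -ldes -lcom_err`, while the explicit-path branch in the hunk just above it also adds `-lroken`. If Heimdal's libkrb5 needs libroken when found under a given prefix, it presumably needs it when found under /usr/kerberos, /usr/local/krb5 or /usr/athena as well, so the auto-detected build may fail to link. I would make the two identical: `LIBS="$LIBS -lkrb5 -lasn1 -ldes -lroken -lcom_err"`. The enclosing `for` loop and `if` start and end outside the hunk.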
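Review bot: The Heimdal test in the Kerberos IV branch (hunk at -341) probes `$with_kerberos5/roken.h`, without the `include/` component that every other probe in this commit uses, so on a standard install layout it will likely never match and the `-lkrb4 -l45` line is never selected. If the same header is meant, the test should read `if test -f "$with_kerberos5/include/roken.h"`. The branch also takes its include and library paths from `$with_kerberos` while probing `$with_kerberos5`; a short comment saying why the V5 prefix decides the V4 library names would help the next reader.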
@@ -435,10 +456,25 @@ then AC_CHECK_LIB(krb5, krb5_init_context,, AC_MSG_ERROR([could not find libkrb5 which is needed for GSSAPI support])) - AC_CHECK_LIB(gssapi_krb5, gss_init_sec_context,, - AC_MSG_ERROR([could not find libgssapi_krb5 which is needed for GSSAPI support]), -lkrb5) + if test -f "$with_kerberos5/include/roken.h" + then + AC_CHECK_LIB(gssapi, gss_init_sec_context,LIBS="$LIBS -lgssapi", + AC_MSG_ERROR([could not find libgssapi which is needed for GSSAPI support]), ) + AC_DEFINE(HEIMDAL) + else + AC_CHECK_LIB(gssapi_krb5, gss_init_sec_context,LIBS="$LIBS -lgssapi_krb5", + AC_MSG_ERROR([could not find libgssapi_krb5 which is needed for GSSAPI support]), -lkrb5) + fi AC_DEFINE(GSSAPI) - LIBS="$LIBS -lgssapi_krb5 -lkrb5" + save_CPPFLAGS=$CPPFLAGS + CPPFLAGS="-I$with_gssapi/include" + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_generic.h) + if test "$ac_cv_header_gssapi_h" = "yes"; then + AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h, AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE)) + else + AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi/gssapi.h, AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE)) + fi + CPPFLAGS=$save_CPPFLAGS fi]) AC_OUTPUT([Makefile intl/Makefile po/Makefile.in], [ diff --git a/driver.c b/driver.c index 2be446c4..87a299da 100644 --- a/driver.c +++ b/driver.c @@ -1243,11 +1243,18 @@ const char *canonical; /* server name */ krb5_auth_con_free(context, auth_context); if (retval) { +#ifdef HEIMDAL + if (err_ret && err_ret->e_text) { + report(stderr, _("krb5_sendauth: %s [server says '%*s'] \n"), + error_message(retval), + err_ret->e_text); +#else if (err_ret && err_ret->text.length) { report(stderr, _("krb5_sendauth: %s [server says '%*s'] \n"), error_message(retval), err_ret->text.length, err_ret->text.data); +#endif krb5_free_error(context, err_ret); } else report(stderr, "krb5_sendauth: %s\n", error_message(retval)); diff --git a/imap.c b/imap.c index f017e5d9..c84af17d 100644 --- a/imap.c +++ b/imap.c 
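Review bot: The GSSAPI block chooses between libgssapi and libgssapi_krb5 from `$with_kerberos5/include/roken.h`, but the header checks a few lines below use `$with_gssapi/include`; when only the GSSAPI option is given, `$with_kerberos5` may be empty and the test silently looks at `/include/roken.h`. Probing the same prefix in both places, `if test -f "$with_gssapi/include/roken.h"`, keeps the library choice and the header checks in agreement. Separately, `CPPFLAGS="-I$with_gssapi/include"` drops any include paths the user supplied for the duration of the header checks; `CPPFLAGS="$CPPFLAGS -I$with_gssapi/include"` would keep them. The surrounding option handling starts outside the hunk, so how `$with_gssapi` is set is not visible here.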
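Review bot: In the new `#ifdef HEIMDAL` branch of the driver.c hunk the format still contains `%*s`, which takes an `int` width followed by a string, but only `err_ret->e_text` is passed for it; assuming `report()` formats printf-style, the pointer is consumed as the width and the string is read from past the supplied arguments, which is undefined behaviour on text that comes from the server's error reply. The Heimdal call should use a plain `%s`: `report(stderr, _("krb5_sendauth: %s [server says '%s'] \n"), error_message(retval), err_ret->e_text);`. In the unchanged MIT branch `%*s` sets a minimum width, not a limit, so if `text.data` is not NUL-terminated the read is unbounded; `%.*s` with `(int)err_ret->text.length` bounds it. Splitting the `if (...) {` across `#ifdef`/`#else` also leaves one closing brace shared by two openers, which is easy to break in later edits. The function starts outside the hunk.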
@@ -33,9 +33,19 @@ #include "i18n.h" #ifdef GSSAPI +#ifdef HAVE_GSSAPI_H +#include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_H #include +#endif +#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H #include #endif +#ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE +#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +#endif +#endif #include "md5.h" @@ -460,7 +470,7 @@ static int do_gssauth(int sock, char *hostname, char *username) sprintf(buf1, "imap@%s", hostname); request_buf.value = buf1; request_buf.length = strlen(buf1) + 1; - maj_stat = gss_import_name(&min_stat, &request_buf, gss_nt_service_name, + maj_stat = gss_import_name(&min_stat, &request_buf, GSS_C_NT_HOSTBASED_SERVICE, &target_name); if (maj_stat != GSS_S_COMPLETE) { report(stderr, _("Couldn't get service name for [%s]\n"), buf1); @@ -487,9 +497,21 @@ static int do_gssauth(int sock, char *hostname, char *username) if (outlevel >= O_VERBOSE) report(stdout, _("Sending credentials\n")); do { - maj_stat = gss_init_sec_context(&min_stat, GSS_C_NO_CREDENTIAL, - &context, target_name, NULL, 0, 0, NULL, sec_token, NULL, - &send_token, &cflags, NULL); + send_token.length = 0; + send_token.value = NULL; + maj_stat = gss_init_sec_context(&min_stat, + GSS_C_NO_CREDENTIAL, + &context, + target_name, + GSS_C_NO_OID, + GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + sec_token, + NULL, + &send_token, + NULL, + NULL); if (maj_stat!=GSS_S_COMPLETE && maj_stat!=GSS_S_CONTINUE_NEEDED) { report(stderr, _("Error exchanging credentials\n")); gss_release_name(&min_stat, &target_name); -- cgit v1.2.3
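Review bot: The include block in the first imap.c hunk has no fallback when none of the three `HAVE_GSSAPI*_H` macros is defined: with `GSSAPI` set, the file then includes no GSSAPI header at all and fails later on undeclared names rather than at the point of the problem. An `#if !defined(HAVE_GSSAPI_H) && !defined(HAVE_GSSAPI_GSSAPI_H)` followed by `#error "GSSAPI requested but no gssapi header was found"` would make that explicit. The `#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name` fallback also deserves a one-line comment, for example `/* older headers only provide the gss_nt_service_name spelling */`.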
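Review bot: The rewritten `gss_init_sec_context` call (hunk at -487) requests `GSS_C_MUTUAL_FLAG` but passes `NULL` where the old call passed `&cflags` for the returned flags, so the client has no way to confirm that mutual authentication was actually granted once the loop finishes. I would keep `&cflags` as the ret_flags argument and, after `GSS_S_COMPLETE`, fail the login with `if (!(cflags & GSS_C_MUTUAL_FLAG))`. Resetting `send_token` at the top of each iteration is safe only if the previous token was released with `gss_release_buffer` further down. That part of the loop, and the rest of `do_gssauth`, is outside the hunk.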