Re: pg16 && GSSAPI && Heimdal/Macos - Mailing list pgsql-hackers
From | Todd M. Kover |
---|---|
Subject | Re: pg16 && GSSAPI && Heimdal/Macos |
Date | |
Msg-id | 202504080003.538035td016203@angelsenvy.omniscient.com Whole thread Raw |
In response to | Re: pg16 && GSSAPI && Heimdal/Macos (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |
> "Todd M. Kover" <kovert@omniscient.com> writes: > > 2) some option that makes the code path for gss_store_cred_into optional > > (what would you want to call it?) > > If we do this, I see no need to call it anything. Just make configure > probe for whether the selected GSS library has gss_store_cred_into. patch attached. I tested it (runtime testing and "make check") on recent darwin, freebsd, netbsd and ubuntus with and without gssapi enabled. I had to re-enable and change around some header checks to make things work right under darwin. This is definitely much more elegant than what I was originally proposing. If this ends up being acceptable, it would be nice if it was also pulled up to pg17 for the next point release (I also tested the patch against the pg17 branch), but if not, hopefully it'll make it into pg18. It looks like the right way to submit this is via an email to pgsql-hackiers, but if I should do soemthing else, please let me know. Thanks again, -Todd diff --git a/configure b/configure index 93fddd69981..b4db627b399 100755 --- a/configure +++ b/configure 
@@ -12550,6 +12550,65 @@ fi if test "$with_gssapi" = yes ; then if test "$PORTNAME" != "win32"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gss_init_sec_context" >&5 +$as_echo_n "checking for library containing gss_init_sec_context... " >&6; } +if ${ac_cv_search_gss_init_sec_context+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char gss_init_sec_context (); +int +main () +{ +return gss_init_sec_context (); + ; + return 0; +} +_ACEOF +for ac_lib in '' gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_gss_init_sec_context=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_gss_init_sec_context+:} false; then : + break +fi +done +if ${ac_cv_search_gss_init_sec_context+:} false; then : + +else + ac_cv_search_gss_init_sec_context=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gss_init_sec_context" >&5 +$as_echo "$ac_cv_search_gss_init_sec_context" >&6; } +ac_res=$ac_cv_search_gss_init_sec_context +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +else + as_fn_error $? "could not find function 'gss_init_sec_context' required for GSSAPI" "$LINENO" 5 +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gss_store_cred_into" >&5 $as_echo_n "checking for library containing gss_store_cred_into... 
" >&6; } if ${ac_cv_search_gss_store_cred_into+:} false; then : @@ -12604,8 +12663,8 @@ ac_res=$ac_cv_search_gss_store_cred_into if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" -else - as_fn_error $? "could not find function 'gss_store_cred_into' required for GSSAPI" "$LINENO" 5 +$as_echo "#define HAVE_GSS_STORE_CRED_INTO 1" >>confdefs.h + fi else @@ -13806,8 +13865,6 @@ if test "x$ac_cv_header_gssapi_ext_h" = xyes; then : #define HAVE_GSSAPI_EXT_H 1 _ACEOF -else - as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5 fi done diff --git a/configure.ac b/configure.ac index b6d02f5ecc7..79be5f8851b 100644 --- a/configure.ac +++ b/configure.ac @@ -1337,8 +1337,9 @@ fi if test "$with_gssapi" = yes ; then if test "$PORTNAME" != "win32"; then - AC_SEARCH_LIBS(gss_store_cred_into, [gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'], [], - [AC_MSG_ERROR([could not find function 'gss_store_cred_into' required for GSSAPI])]) + AC_SEARCH_LIBS(gss_init_sec_context, [gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'], [], [AC_MSG_ERROR([could not find function'gss_init_sec_context' required for GSSAPI])]) + + AC_SEARCH_LIBS(gss_store_cred_into, [gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'], AC_DEFINE([HAVE_GSS_STORE_CRED_INTO],1, [Define to 1 to build with gss_store_cred_into support])) else LIBS="$LIBS -lgssapi32" fi @@ -1543,7 +1544,7 @@ if test "$with_gssapi" = yes ; then AC_CHECK_HEADERS(gssapi/gssapi.h, [], [AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])]) AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [], - [AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])]) + [AC_CHECK_HEADERS(gssapi_ext.h, [], [])]) fi PGAC_PATH_PROGS(OPENSSL, openssl) diff --git a/src/backend/libpq/be-gssapi-common.c b/src/backend/libpq/be-gssapi-common.c index 7adea3060e1..fd0ffc97fbf 100644 --- a/src/backend/libpq/be-gssapi-common.c 
+++ b/src/backend/libpq/be-gssapi-common.c
@@ -107,6 +107,7 @@ pg_store_delegated_credential(gss_cred_id_t cred)
 minor;
 gss_OID_set mech;
 gss_cred_usage_t usage;
+#ifdef HAVE_GSS_STORE_CRED_INTO
 gss_key_value_element_desc cc;
 gss_key_value_set_desc ccset;
@@ -132,6 +133,7 @@ pg_store_delegated_credential(gss_cred_id_t cred)
 pg_GSS_error("gss_store_cred", major, minor);
 }
+#endif
 /* Credential stored, so we can release our credential handle. */
 major = gss_release_cred(&minor, &cred);
 if (major != GSS_S_COMPLETE)
diff --git a/src/include/libpq/be-gssapi-common.h b/src/include/libpq/be-gssapi-common.h
index 72f05748b6d..36a58a1bb2e 100644
--- a/src/include/libpq/be-gssapi-common.h
+++ b/src/include/libpq/be-gssapi-common.h
@@ -18,11 +18,15 @@
 #if defined(HAVE_GSSAPI_H)
 #include <gssapi.h>
+#ifdef HAVE_GSSAPI_EXT_H
 #include <gssapi_ext.h>
+#endif
 #else
 #include <gssapi/gssapi.h>
+#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
 #include <gssapi/gssapi_ext.h>
 #endif
+#endif
 extern void pg_GSS_error(const char *errmsg, OM_uint32 maj_stat, OM_uint32 min_stat);
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index db6454090d2..a86cdae5094 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -48,6 +48,9 @@
 /* Define to build with GSSAPI support. (--with-gssapi) */
 #undef ENABLE_GSS
+/* Define if gss_store_cred_into is available */
+#undef HAVE_GSS_STORE_CRED_INTO
+
 /* Define to 1 if you want National Language Support. (--enable-nls) */
 #undef ENABLE_NLS
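Review bot: When HAVE_GSS_STORE_CRED_INTO is undefined, the guard added in be-gssapi-common.c (opened in the @@ -107 hunk, closed by `#endif` in the @@ -132 hunk) compiles out the store and falls through to the context comment `/* Credential stored, so we can release our credential handle. */`, so pg_store_delegated_credential() releases the delegated credential without storing it and without reporting anything. A server that accepted delegation would then silently have no credential to use, which is hard to diagnose and leaves that comment false. An explicit `#else` branch that makes the condition visible, e.g. `ereport(LOG, (errmsg("delegated GSSAPI credentials cannot be stored: gss_store_cred_into is not available")));`, or refusing delegation earlier in such builds, would be safer. The declarations of `mech` and `usage` stay outside the guard and look like they become unused in that configuration, so they probably belong inside it as well. The function starts before the first hunk and continues past the second, so the code after the release (not visible here) should be checked for any assumption that a credential cache now exists.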
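Review bot: The two new guards in be-gssapi-common.h make both gssapi_ext.h includes optional, but the HAVE_GSS_STORE_CRED_INTO code in be-gssapi-common.c still uses `gss_key_value_element_desc` and `gss_key_value_set_desc`, which presumably are declared by that extension header. Because configure now sets HAVE_GSS_STORE_CRED_INTO from a link probe alone and no longer errors when the header is missing, a library that exports the symbol without an installed gssapi_ext.h would fail at compile time with undeclared types instead of at configure time. Consider tying the two together, either by defining the macro only when one of the ext headers was found, or by guarding the store code with `#if defined(HAVE_GSS_STORE_CRED_INTO) && (defined(HAVE_GSSAPI_EXT_H) || defined(HAVE_GSSAPI_GSSAPI_EXT_H))`. A one-line comment above the nested `#ifdef`s stating that gssapi_ext.h is optional because some GSSAPI implementations do not ship it would also help the next reader.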