Greetings, * Tom Lane (t...@sss.pgh.pa.us) wrote: > Stephen Frost <sfr...@snowman.net> writes: > > Looks like buildfarm animal hake, at least, has a version recent enough > > to have gssapi_ext.h ... but still older than 1.11 and therefore > > doesn't have the type gss_key_value_element_desc defined, so maybe the > > check for gss_store_cred_into would be better? > > Well, now we're getting into value judgements about which gssapi > versions are still worth supporting. Are you really willing to toss > overboard all versions that don't support gss_store_cred_into? Or > should credential delegation be viewed as an incremental feature that > we can support or not?
I'm open to considering support for older versions, however ... > TBH, committing things with significant portability hazards ten hours > before feature freeze is not high on my list of good development > practices. but as pointed out, these APIs are all over a decade old, and systems that don't support them have a pretty high risk of security issues because they are shipping these outdated libraries. I agree it's a value judgement and something to consider, but I don't see Apple changing their mind any time soon on actually updating the Kerberos version they ship, and no one should really be using what they do ship. The same is true for any other system that's shipping a version of a core security library that's not been updated in over a decade. We are currently requiring at least OpenSSL 1.0.1, which was released in 2012. Having a similar requirement for MIT Kerberos, for our release of PG in 2023, doesn't strike me as unreasonable. Attached is a more fully-formed patch with a regenerated configure that adds in a check for gssapi_ext.h and updates the function check to look for gss_store_cred_into(). Thanks! Stephen
diff --git a/configure b/configure index 905be9568b..1ccdc5ca2c 100755 --- a/configure +++ b/configure @@ -12635,9 +12635,9 @@ fi if test "$with_gssapi" = yes ; then if test "$PORTNAME" != "win32"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gss_init_sec_context" >&5 -$as_echo_n "checking for library containing gss_init_sec_context... " >&6; } -if ${ac_cv_search_gss_init_sec_context+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gss_store_cred_into" >&5 +$as_echo_n "checking for library containing gss_store_cred_into... " >&6; } +if ${ac_cv_search_gss_store_cred_into+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS @@ -12650,11 +12650,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext #ifdef __cplusplus extern "C" #endif -char gss_init_sec_context (); +char gss_store_cred_into (); int main () { -return gss_init_sec_context (); +return gss_store_cred_into (); ; return 0; } 
@@ -12667,30 +12667,30 @@ for ac_lib in '' gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_gss_init_sec_context=$ac_res + ac_cv_search_gss_store_cred_into=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext - if ${ac_cv_search_gss_init_sec_context+:} false; then : + if ${ac_cv_search_gss_store_cred_into+:} false; then : break fi done -if ${ac_cv_search_gss_init_sec_context+:} false; then : +if ${ac_cv_search_gss_store_cred_into+:} false; then : else - ac_cv_search_gss_init_sec_context=no + ac_cv_search_gss_store_cred_into=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gss_init_sec_context" >&5 -$as_echo "$ac_cv_search_gss_init_sec_context" >&6; } -ac_res=$ac_cv_search_gss_init_sec_context +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gss_store_cred_into" >&5 +$as_echo "$ac_cv_search_gss_store_cred_into" >&6; } +ac_res=$ac_cv_search_gss_store_cred_into if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" else - as_fn_error $? "could not find function 'gss_init_sec_context' required for GSSAPI" "$LINENO" 5 + as_fn_error $? "could not find function 'gss_store_cred_into' required for GSSAPI" "$LINENO" 5 fi else 
@@ -14104,6 +14104,33 @@ done fi +done + + for ac_header in gssapi/gssapi_ext.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default" +if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GSSAPI_GSSAPI_EXT_H 1 +_ACEOF + +else + for ac_header in gssapi_ext.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default" +if test "x$ac_cv_header_gssapi_ext_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GSSAPI_EXT_H 1 +_ACEOF + +else + as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5 +fi + +done + +fi + done fi @@ -15321,7 +15348,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15367,7 +15394,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; 
@@ -15391,7 +15418,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15436,7 +15463,7 @@ else We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; @@ -15460,7 +15487,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ -#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; diff --git a/configure.ac b/configure.ac index 8095dfcf1d..7ba969b1b1 100644 --- a/configure.ac +++ b/configure.ac @@ -1340,8 +1340,8 @@ fi if test "$with_gssapi" = yes ; then if test "$PORTNAME" != "win32"; then - AC_SEARCH_LIBS(gss_init_sec_context, [gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'], [], - [AC_MSG_ERROR([could not find function 'gss_init_sec_context' required for GSSAPI])]) + AC_SEARCH_LIBS(gss_store_cred_into, [gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'], [], + [AC_MSG_ERROR([could not find function 'gss_store_cred_into' required for GSSAPI])]) else LIBS="$LIBS -lgssapi32" fi 
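Review bot: The `+` lines make gss_store_cred_into a hard requirement for every non-Windows GSSAPI build, but the failure text `could not find function 'gss_store_cred_into' required for GSSAPI` gives no hint that this is a library-version floor rather than a broken install; stating the minimum (the thread cites MIT Kerberos 1.11 as where the delegation types appeared) would make it actionable, e.g. `[AC_MSG_ERROR([could not find function 'gss_store_cred_into' required for GSSAPI (MIT Kerberos 1.11 or later)])]`. Note also that the `else` branch visible as context still just appends `-lgssapi32` with no probe at all, so on win32 the new minimum is not enforced at configure time and a stale library would surface only as a link error in the delegation code. The regenerated configure included with this patch also carries unrelated `LARGE_OFF_T` hunks, which suggests it was regenerated with a different autoconf release than the tree expects; that noise should presumably not be committed with the GSSAPI change.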
@@ -1562,6 +1562,8 @@ fi if test "$with_gssapi" = yes ; then AC_CHECK_HEADERS(gssapi/gssapi.h, [], [AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])]) + AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [], + [AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])]) fi PGAC_PATH_PROGS(OPENSSL, openssl) diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index 3665e799e7..6d572c3820 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -196,6 +196,12 @@ /* Define to 1 if you have the `getpeerucred' function. */ #undef HAVE_GETPEERUCRED +/* Define to 1 if you have the <gssapi_ext.h> header file. */ +#undef HAVE_GSSAPI_EXT_H + +/* Define to 1 if you have the <gssapi/gssapi_ext.h> header file. */ +#undef HAVE_GSSAPI_GSSAPI_EXT_H + /* Define to 1 if you have the <gssapi/gssapi.h> header file. */ #undef HAVE_GSSAPI_GSSAPI_H
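Review bot: The new AC_CHECK_HEADERS on the `+` lines only establishes that gssapi_ext.h exists, and the thread itself describes a buildfarm member whose gssapi_ext.h predates the gss_key_value_element_desc type, so header presence alone does not prove the extensions the delegation code needs are declared. Consider following the header test with a compile check (AC_CHECK_DECL or AC_COMPILE_IFELSE) that includes whichever gssapi_ext.h was found and references gss_key_value_set_desc or gss_store_cred_into, so an old-but-present header fails at configure time with a clear message instead of deep in the build. The error string could also name the floor being imposed, e.g. `[AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI (MIT Kerberos 1.11 or later)])]`, since "required for GSSAPI" reads as if the header were part of base GSSAPI rather than a version requirement. Unlike the library probe, this check is not guarded by `$PORTNAME != win32`, so it will apply to the `-lgssapi32` build too; worth confirming that the Windows Kerberos package actually ships gssapi_ext.h before this lands.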