Greetings,

* Tom Lane (t...@sss.pgh.pa.us) wrote:
> Stephen Frost <sfr...@snowman.net> writes:
> > Looks like buildfarm animal hake, at least, has a version recent enough
> > to have gssapi_ext.h ... but still older than 1.11 and therefore
> > doesn't have the type gss_key_value_element_desc defined, so maybe the
> > check for gss_store_cred_into would be better?
> 
> Well, now we're getting into value judgements about which gssapi
> versions are still worth supporting.  Are you really willing to toss
> overboard all versions that don't support gss_store_cred_into?  Or
> should credential delegation be viewed as an incremental feature that
> we can support or not?

I'm open to considering support for older versions, however ...

> TBH, committing things with significant portability hazards ten hours
> before feature freeze is not high on my list of good development
> practices.

but as pointed out, these APIs (gss_store_cred_into() and the
credential-store types it depends on) are all over a decade old, and a
system whose Kerberos library still lacks them is very likely running a
library that has also missed a decade of security fixes.

I agree it's a value judgement and something to consider but I don't see
Apple changing their mind any time soon on actually updating the
Kerberos version they ship and no one should really be using what they
do ship.  The same is true for any other system that's shipping a
version of a core security library that's not been updated in over a
decade.

We are currently requiring at least OpenSSL 1.0.1 which was released in
2012.  Having a similar requirement for MIT Kerberos, for our release of
PG in 2023, doesn't strike me as unreasonable.

Attached is a more fully-formed patch with a regenerated configure that
adds in a check for gssapi_ext.h and updates the function check to look
for gss_store_cred_into().

Thanks!

Stephen
diff --git a/configure b/configure
index 905be9568b..1ccdc5ca2c 100755
--- a/configure
+++ b/configure
@@ -12635,9 +12635,9 @@ fi
 
 if test "$with_gssapi" = yes ; then
   if test "$PORTNAME" != "win32"; then
-    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gss_init_sec_context" >&5
-$as_echo_n "checking for library containing gss_init_sec_context... " >&6; }
-if ${ac_cv_search_gss_init_sec_context+:} false; then :
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gss_store_cred_into" >&5
+$as_echo_n "checking for library containing gss_store_cred_into... " >&6; }
+if ${ac_cv_search_gss_store_cred_into+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -12650,11 +12650,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char gss_init_sec_context ();
+char gss_store_cred_into ();
 int
 main ()
 {
-return gss_init_sec_context ();
+return gss_store_cred_into ();
   ;
   return 0;
 }
@@ -12667,30 +12667,30 @@ for ac_lib in '' gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'; do
     LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
   fi
   if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_gss_init_sec_context=$ac_res
+  ac_cv_search_gss_store_cred_into=$ac_res
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if ${ac_cv_search_gss_init_sec_context+:} false; then :
+  if ${ac_cv_search_gss_store_cred_into+:} false; then :
   break
 fi
 done
-if ${ac_cv_search_gss_init_sec_context+:} false; then :
+if ${ac_cv_search_gss_store_cred_into+:} false; then :
 
 else
-  ac_cv_search_gss_init_sec_context=no
+  ac_cv_search_gss_store_cred_into=no
 fi
 rm conftest.$ac_ext
 LIBS=$ac_func_search_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gss_init_sec_context" >&5
-$as_echo "$ac_cv_search_gss_init_sec_context" >&6; }
-ac_res=$ac_cv_search_gss_init_sec_context
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gss_store_cred_into" >&5
+$as_echo "$ac_cv_search_gss_store_cred_into" >&6; }
+ac_res=$ac_cv_search_gss_store_cred_into
 if test "$ac_res" != no; then :
   test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
 
 else
-  as_fn_error $? "could not find function 'gss_init_sec_context' required for GSSAPI" "$LINENO" 5
+  as_fn_error $? "could not find function 'gss_store_cred_into' required for GSSAPI" "$LINENO" 5
 fi
 
   else
@@ -14104,6 +14104,33 @@ done
 
 fi
 
+done
+
+  for ac_header in gssapi/gssapi_ext.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+  for ac_header in gssapi_ext.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_ext_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+  as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5
+fi
+
+done
+
+fi
+
 done
 
 fi
@@ -15321,7 +15348,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15367,7 +15394,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15391,7 +15418,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15436,7 +15463,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15460,7 +15487,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
diff --git a/configure.ac b/configure.ac
index 8095dfcf1d..7ba969b1b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1340,8 +1340,8 @@ fi
 
 if test "$with_gssapi" = yes ; then
   if test "$PORTNAME" != "win32"; then
-    AC_SEARCH_LIBS(gss_init_sec_context, [gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'], [],
-                   [AC_MSG_ERROR([could not find function 'gss_init_sec_context' required for GSSAPI])])
+    AC_SEARCH_LIBS(gss_store_cred_into, [gssapi_krb5 gss 'gssapi -lkrb5 -lcrypto'], [],
+                   [AC_MSG_ERROR([could not find function 'gss_store_cred_into' required for GSSAPI])])
   else
     LIBS="$LIBS -lgssapi32"
   fi
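Review bot: The stronger GSSAPI requirement is enforced only on the non-win32 branch; the else branch at the end of the hunk still appends `-lgssapi32` unconditionally, so a Windows build against a Kerberos library without gss_store_cred_into() passes configure and only fails at link time or later. If that is deliberate, a comment saying so (`# win32: no symbol probe, MIT Kerberos for Windows is assumed new enough`) would keep the asymmetry from looking like an oversight; otherwise the same probe belongs there too. Separately, the failure text names only a symbol, while the practical cause is an old Kerberos library, so `AC_MSG_ERROR([could not find function 'gss_store_cred_into' required for GSSAPI (a newer MIT Kerberos is needed)])` tells the user what to upgrade. Which MIT release introduced the symbol is inferred from this thread's 1.11 remark and should be confirmed against the library's release notes before naming a version.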
@@ -1562,6 +1562,8 @@ fi
 if test "$with_gssapi" = yes ; then
   AC_CHECK_HEADERS(gssapi/gssapi.h, [],
 	[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
+  AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [],
+	[AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])])
 fi
 
 PGAC_PATH_PROGS(OPENSSL, openssl)
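Review bot: The new header probe does not by itself enforce the minimum library version: the thread notes that gssapi_ext.h is present on installations too old to define gss_key_value_element_desc, so this check passes on them and only the gss_store_cred_into() library probe earlier in configure.ac rejects them. A comment above the added AC_CHECK_HEADERS making that division of labour explicit would help the next person who touches it, e.g. `# gssapi_ext.h alone does not imply a new enough library; the gss_store_cred_into() probe above enforces the minimum version.`. The error text could likewise point at the remedy rather than just the file name, `[AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI (install a current MIT Kerberos)])]`. If this tree also carries a meson.build with a parallel GSSAPI probe, it needs the same gss_store_cred_into() and gssapi_ext.h checks, otherwise the two build systems enforce different minimums; that is inferred from the 2023 release target mentioned in the mail and should be confirmed against the tree.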
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 3665e799e7..6d572c3820 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -196,6 +196,12 @@
 /* Define to 1 if you have the `getpeerucred' function. */
 #undef HAVE_GETPEERUCRED
 
+/* Define to 1 if you have the <gssapi_ext.h> header file. */
+#undef HAVE_GSSAPI_EXT_H
+
+/* Define to 1 if you have the <gssapi/gssapi_ext.h> header file. */
+#undef HAVE_GSSAPI_GSSAPI_EXT_H
+
 /* Define to 1 if you have the <gssapi/gssapi.h> header file. */
 #undef HAVE_GSSAPI_GSSAPI_H
 
