Author: Markus Moeller <huaraz@moeller.plus.com>
authorFrancesco Chemolli <kinkie@squid-cache.org>
Fri, 13 Nov 2009 10:28:30 +0000 (11:28 +0100)
committerFrancesco Chemolli <kinkie@squid-cache.org>
Fri, 13 Nov 2009 10:28:30 +0000 (11:28 +0100)
Improve squid_kerb_auth portability

configure.in
helpers/negotiate_auth/kerberos/Makefile.am
helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc
helpers/negotiate_auth/kerberos/spnegohelp/spnego.cc
helpers/negotiate_auth/kerberos/spnegohelp/spnegohelp.cc
src/peer_proxy_negotiate_auth.cc

index c5fbab44ed7819eda04a536a0474979028ff2a4e..cd910676ca73ff3cf1b501a4d2d912475ff7415e 100644 (file)
@@ -1876,7 +1876,9 @@ if test -n "$DIGEST_AUTH_HELPERS"; then
 fi
 AC_SUBST(DIGEST_AUTH_HELPERS)
 
-dnl Check Kerberos
+dnl
+dnl Check Kerberos/GSSAPI/SPNEGO
+dnl
 SAVED_CPPFLAGS=$CPPFLAGS
 SAVED_LIBS=$LIBS
 AC_ARG_WITH(krb5-config,
@@ -1927,23 +1929,56 @@ if test "$ac_krb5_config" = "yes" ; then
     AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h gssapi/gssapi_krb5.h)
     if test "x$ac_heimdal" == "x" ; then
         AC_CHECK_HEADERS(gssapi/gssapi_generic.h)
+        AC_CHECK_HEADERS(profile.h)
     fi
     AC_CHECK_HEADERS(krb5.h com_err.h et/com_err.h)
-    AC_MSG_CHECKING([for max_skew in struct krb5_context])
-AC_TRY_COMPILE([
+    AC_CACHE_CHECK([for broken Solaris krb5.h],squid_cv_broken_krb5_h, [
+        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <krb5.h>
-                ],
-                [ krb5_context kc; kc->max_skew = 1; ],
-                [ AC_DEFINE(HAVE_MAX_SKEW_IN_KRB5_CONTEXT, 1, [Define to 1 if max_skew in struct krb5_context])
-                  AC_MSG_RESULT(yes) ],
-                [ AC_MSG_RESULT(no) ]
-        )
+int i;
+]])], [ squid_cv_broken_krb5_h=no ],
+      [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#if defined(__cplusplus)
+#define KRB5INT_BEGIN_DECLS     extern "C" {
+#define KRB5INT_END_DECLS
+KRB5INT_BEGIN_DECLS
+#endif
+#include <krb5.h>
+int i;
+]])], [ squid_cv_broken_krb5_h=yes ], [ squid_cv_broken_krb5_h=no ])])])
+    if test x"$squid_cv_broken_krb5_h" = x"yes"; then
+       AC_DEFINE(HAVE_BROKEN_SOLARIS_KRB5_H, 1, [Define to 1 if krb5.h is broken for C++])
+    fi
 
-    if test "x$ac_heimdal" == "x" ; then
-        AC_CHECK_HEADERS(profile.h)
+    ac_com_error_message=no
+    if test "x$ac_cv_header_com_err_h" == "xyes" ; then
+        AC_EGREP_HEADER(error_message,com_err.h,ac_com_error_message=yes)
+    elif test "x$ac_cv_header_et_com_err_h" == "xyes" ; then
+        AC_EGREP_HEADER(error_message,et/com_err.h,ac_com_error_message=yes)
+    fi
+    AC_CACHE_CHECK([for max_skew in struct krb5_context],squid_cv_max_skew_context, [
+        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#if HAVE_BROKEN_SOLARIS_KRB5_H
+#if defined(__cplusplus)
+#define KRB5INT_BEGIN_DECLS     extern "C" {
+#define KRB5INT_END_DECLS
+KRB5INT_BEGIN_DECLS
+#endif
+#endif
+#include <krb5.h>
+krb5_context kc; kc->max_skew = 1;
+]])],[ squid_cv_max_skew_context=yes ], [ squid_cv_max_skew_context=no ])])
+    if test x"$squid_cv_max_skew_context" = x"yes"; then
+       AC_DEFINE(HAVE_MAX_SKEW_IN_KRB5_CONTEXT, 1, [Define to 1 if max_skew in struct krb5_context])
+    fi
+
+    if test `echo $KRB5LIBS | grep -c com_err` -ne 0 -a "x$ac_com_error_message" == "xyes" ; then
+        AC_CHECK_LIB(com_err,error_message,
+            AC_DEFINE(HAVE_ERROR_MESSAGE,1,[Define to 1 if you have error_message]),)
+    elif test  "x$ac_com_error_message" == "xyes" ; then
+        AC_CHECK_LIB(krb5,error_message,
+            AC_DEFINE(HAVE_ERROR_MESSAGE,1,[Define to 1 if you have error_message]),)
     fi
-    AC_CHECK_LIB(com_err,error_message,
-        AC_DEFINE(HAVE_ERROR_MESSAGE,1,[Define to 1 if you have error_message]),)
     AC_CHECK_LIB(krb5,krb5_get_err_text,
         AC_DEFINE(HAVE_KRB5_GET_ERR_TEXT,1,[Define to 1 if you have krb5_get_err_text]),)
     AC_CHECK_LIB(krb5,krb5_get_error_message,
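Review bot: The rewritten max_skew probe passes its whole program as the first (prologue) argument of AC_LANG_PROGRAM, so `krb5_context kc; kc->max_skew = 1;` ends up at file scope, where the assignment is not a valid declaration in C or C++. The probe would then fail on every platform and HAVE_MAX_SKEW_IN_KRB5_CONTEXT would never be defined, whereas the removed AC_TRY_COMPILE kept that statement in the function body. End the prologue after `#include <krb5.h>` and pass `[[krb5_context kc; kc->max_skew = 1;]]` as the second argument. The added `test "x$ac_cv_header_com_err_h" == "xyes"` style comparisons also use `==`, which POSIX `test` does not define; `=` is the portable spelling.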
@@ -1960,8 +1995,15 @@ AC_TRY_COMPILE([
         AC_DEFINE(HAVE_PROFILE_GET_INTEGER,1,[Define to 1 if you have profile_get_integer]),)
     AC_CHECK_LIB(krb5,profile_release,
         AC_DEFINE(HAVE_PROFILE_RELEASE,1,[Define to 1 if you have profile_release]),)
-    AC_MSG_CHECKING([for memory cache])
-    AC_TRY_RUN([
+    AC_CACHE_CHECK([for memory cache], squid_cv_memory_cache, [
+        AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#if HAVE_BROKEN_SOLARIS_KRB5_H
+#if defined(__cplusplus)
+#define KRB5INT_BEGIN_DECLS     extern "C" {
+#define KRB5INT_END_DECLS
+KRB5INT_BEGIN_DECLS
+#endif
+#endif
 #include<krb5.h>
 main()
 {
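Review bot: AC_RUN_IFELSE is called here without its fourth (cross-compiling) argument, so configure aborts when the test program cannot be executed on the build host unless squid_cv_memory_cache has been preset. Passing a conservative default such as `[ squid_cv_memory_cache=no ]` as the last argument keeps cross builds working and errs on the side of not enabling a feature that was never verified. The same applies to the gssapi, spnego and krb5 run checks converted in the following hunks. The test program opened in this hunk is closed in the next one.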
@@ -1970,13 +2012,13 @@ main()
 
     krb5_init_context(&context);
     return krb5_cc_resolve(context, "MEMORY:test_cache", &cc);
-}],
-    [AC_DEFINE(HAVE_KRB5_MEMORY_CACHE,1, [Define to 1 if you have MEMORY: cache support])
-     AC_MSG_RESULT(yes)],
-    AC_MSG_RESULT(no))
-
-    AC_MSG_CHECKING([for working gssapi])
-    AC_TRY_RUN([
+}
+]])], [ squid_cv_memory_cache=yes ], [ squid_cv_memory_cache=no ])])
+    if test "$squid_cv_memory_cache" = "yes" ; then
+        AC_DEFINE(HAVE_KRB5_MEMORY_CACHE,1, [Define to 1 if you have MEMORY: cache support])
+    fi
+    AC_CACHE_CHECK([for working gssapi], squid_cv_working_gssapi, [
+        AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #ifdef HAVE_GSSAPI_GSSAPI_H
 #include <gssapi/gssapi.h>
 #elif HAVE_GSSAPI_H
@@ -2004,11 +2046,13 @@ main(void)
 
         return 0;
 }
-],  [AC_DEFINE(HAVE_GSSAPI, 1, [GSSAPI support])
-     AC_MSG_RESULT(yes)],
-    AC_MSG_RESULT(no))
-    AC_MSG_CHECKING([for spnego support])
-    AC_TRY_RUN([
+]])],  [ squid_cv_working_gssapi=yes ], [ squid_cv_working_gssapi=no ])])
+    if test "$squid_cv_working_gssapi" = "yes" ; then
+        AC_DEFINE(HAVE_GSSAPI, 1, [GSSAPI support])
+    fi
+
+    AC_CACHE_CHECK([for spnego support], squid_cv_have_spnego, [
+        AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #ifdef HAVE_HEIMDAL_KERBEROS
 #ifdef HAVE_GSSAPI_GSSAPI_H
 #include <gssapi/gssapi.h>
@@ -2046,15 +2090,22 @@ gss_OID gss_mech_spnego = &_gss_mech_spnego;
  }
 
  return 1;
-}],
-    [ac_cv_have_spnego=yes
+}
+]])],  [ squid_cv_have_spnego=yes ], [ squid_cv_have_spnego=no ])])
+
+    if test "$squid_cv_have_spnego" = "yes" ; then
      AC_DEFINE(HAVE_SPNEGO,1, [Define to 1 if you have SPNEGO support])
-     AC_MSG_RESULT(yes)],
-    [ac_cv_have_spnego=no
-     AC_MSG_RESULT(no)])
-    AC_MSG_CHECKING([for working krb5])
-    AC_TRY_RUN([
+    fi
+    AC_CACHE_CHECK([for working krb5], squid_cv_working_krb5, [
+        AC_RUN_IFELSE([AC_LANG_SOURCE([[
 #ifdef HAVE_KRB5_H
+#if HAVE_BROKEN_SOLARIS_KRB5_H
+#if defined(__cplusplus)
+#define KRB5INT_BEGIN_DECLS     extern "C" {
+#define KRB5INT_END_DECLS
+KRB5INT_BEGIN_DECLS
+#endif
+#endif
 #include <krb5.h>
 #endif
 
@@ -2067,15 +2118,17 @@ main(void)
 
         return 0;
 }
-],  [AC_DEFINE(HAVE_KRB5, 1, [KRB5 support])
-     AC_MSG_RESULT(yes)],
-    AC_MSG_RESULT(no))
+]])], [ squid_cv_working_krb5=yes ], [ squid_cv_working_krb5=no ])])
+    if test "$squid_cv_working_krb5" = "yes" ; then
+        AC_DEFINE(HAVE_KRB5, 1, [KRB5 support])
+    fi
+
    LIBS=$SAVED_LIBS
    CPPFLAGS=$SAVED_CPPFLAGS
    AC_SUBST(KRB5INCS)
    AC_SUBST(KRB5LIBS)
 fi
-AM_CONDITIONAL(HAVE_SPNEGO, test x"$ac_cv_have_spnego" = x"yes" )
+AM_CONDITIONAL(HAVE_SPNEGO, test x"$squid_cv_have_spnego" = x"yes" )
 
 dnl Enable "NTLM fail open"
 AC_ARG_ENABLE(ntlm-fail-open,
index 5ad1cf2832aca0c2b53a159fa6ea84ceb7177b67..8c8f2011b5b2ad99151dc741f5fcf8137c8f4d9e 100644 (file)
@@ -24,6 +24,6 @@ negotiate_kerberos_auth_test_SOURCES = $(SOURCE_test)
 
 
 negotiate_kerberos_auth_LDFLAGS = 
-negotiate_kerberos_auth_LDADD = $(COMPAT_LIB) $(XTRA_LIBS) $(KRB5LIBS)
+negotiate_kerberos_auth_LDADD = $(COMPAT_LIB) $(XTRA_LIBS) @KRB5LIBS@
 negotiate_kerberos_auth_test_LDFLAGS = 
-negotiate_kerberos_auth_test_LDADD = $(COMPAT_LIB) $(XTRA_LIBS) $(KRB5LIBS)
+negotiate_kerberos_auth_test_LDADD = $(COMPAT_LIB) $(XTRA_LIBS) @KRB5LIBS@
index 24b3c1867d1b8e05f829061a392098ce12ead27f..65d4b2a56bcbfe83247a4e5650c0d3026b3b75d8 100644 (file)
 #include "spnegohelp.h"
 #endif
 
-#if HAVE_HEIMDAL_KERBEROS
-#if HAVE_GSSAPI_GSSAPI_H
-#include <gssapi/gssapi.h>
-#elif HAVE_GSSAPI_H
-#include <gssapi.h>
-#endif /* HAVE_GSSAPI_GSSAPI_H */
-#else /* HAVE_HEIMDAL_KERBEROS */
 #if HAVE_GSSAPI_GSSAPI_H
 #include <gssapi/gssapi.h>
 #elif HAVE_GSSAPI_H
@@ -81,7 +74,6 @@
 #if HAVE_GSSAPI_GSSAPI_GENERIC_H
 #include <gssapi/gssapi_generic.h>
 #endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */
-#endif /* HAVE_HEIMDAL_KERBEROS */
 #ifndef gss_nt_service_name
 #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
 #endif
@@ -92,7 +84,7 @@
 #define MAX_AUTHTOKEN_LEN   65535
 #endif
 #ifndef SQUID_KERB_AUTH_VERSION
-#define SQUID_KERB_AUTH_VERSION "3.0.1sq"
+#define SQUID_KERB_AUTH_VERSION "3.0.2sq"
 #endif
 
 int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
@@ -122,7 +114,10 @@ LogTime()
 char *
 gethost_name(void)
 {
+/*
     char hostname[sysconf(_SC_HOST_NAME_MAX)];
+*/
+    char hostname[1024];
     struct addrinfo *hres = NULL, *hres_list;
     int rc, count;
 
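Review bot: The commented-out VLA declaration left above `char hostname[1024];` should be deleted rather than kept as dead code; a one-line comment such as `/* fixed size: an array bound taken from sysconf(_SC_HOST_NAME_MAX) is not portable */` records the reason. With a fixed buffer, whatever fills it further down (presumably gethostname()) has to be bounded by `sizeof(hostname) - 1` and the array explicitly NUL-terminated, because a truncated name is not guaranteed to be terminated. That call lies outside this hunk and should be checked against the new size.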
@@ -425,7 +420,7 @@ main(int argc, char *const argv[])
 
 
 #if !HAVE_SPNEGO
-        if ((rc = parseNegTokenInit(input_token.value,
+        if ((rc = parseNegTokenInit((const unsigned char*)input_token.value,
                                     input_token.length,
                                     &kerberosToken, &kerberosTokenLength)) != 0) {
             if (debug)
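Review bot: The new `(const unsigned char*)input_token.value` is a C-style cast in a file built as C++, while the spnegohelp changes in this same commit use `static_cast`. A named cast is easier to audit because it cannot silently drop qualifiers or reinterpret unrelated types: `static_cast<const unsigned char *>(input_token.value)`. The casts added for `output_token.value` in the next two hunks have the same form.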
@@ -514,7 +509,7 @@ main(int argc, char *const argv[])
         if (output_token.length) {
 #if !HAVE_SPNEGO
             if (spnego_flag) {
-                if ((rc = makeNegTokenTarg(output_token.value,
+                if ((rc = makeNegTokenTarg((const unsigned char*)output_token.value,
                                            output_token.length,
                                            &spnegoToken, &spnegoTokenLength)) != 0) {
                     if (debug)
@@ -526,11 +521,11 @@ main(int argc, char *const argv[])
                     goto cleanup;
                 }
             } else {
-                spnegoToken = output_token.value;
+                spnegoToken = (const unsigned char*)output_token.value;
                 spnegoTokenLength = output_token.length;
             }
 #else
-            spnegoToken = (unsigned char *)output_token.value;
+            spnegoToken = (const unsigned char*)output_token.value;
             spnegoTokenLength = output_token.length;
 #endif
             token = (char*)xmalloc(ska_base64_encode_len(spnegoTokenLength));
index 3dea5a298637d2edf3033a95ec377561830af5ca..62c3c51a3c6700d1b7384348cbb9f8b240c40a2c 100644 (file)
 #include "base64.h"
 #include "util.h"
 
-#if HAVE_HEIMDAL_KERBEROS
-#if HAVE_GSSAPI_GSSAPI_H
-#include <gssapi/gssapi.h>
-#elif HAVE_GSSAPI_H
-#include <gssapi.h>
-#endif /* HAVE_GSSAPI_GSSAPI_H */
-#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
-#else /* HAVE_HEIMDAL_KERBEROS */
 #if HAVE_GSSAPI_GSSAPI_H
 #include <gssapi/gssapi.h>
 #elif HAVE_GSSAPI_H
@@ -76,7 +68,9 @@
 #if HAVE_GSSAPI_GSSAPI_GENERIC_H
 #include <gssapi/gssapi_generic.h>
 #endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */
-#endif /* HAVE_HEIMDAL_KERBEROS */
+#ifndef gss_nt_service_name
+#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
+#endif
 
 static const char *LogTime(void);
 
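Review bot: `#ifndef gss_nt_service_name` only detects a preprocessor macro, so the guard does not do what it appears to do on a platform whose GSSAPI headers declare the name as a variable. If that is the case anywhere, the `#define` still takes effect there and silently replaces the library's symbol with GSS_C_NT_HOSTBASED_SERVICE. That may be the intended outcome, but it deserves a comment saying so, for example `/* also overrides a gss_nt_service_name variable, if the headers declare one */`.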
index 1bec85db5da49608efa5ee00c9804d1fa1a73c62..07fa846a68cb3e822dad991557d41a7970f0ccfe 100644 (file)
@@ -540,8 +540,8 @@ spnegoGetNegotiationResult(SPNEGO_TOKEN_HANDLE hSpnegoToken,
         if (pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].iElementPresent == SPNEGO_TOKEN_ELEMENT_AVAILABLE) {
             // Must be 1 byte long and a valid value
             if (pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].nDatalength == SPNEGO_NEGTARG_MAXLEN_NEGRESULT
-                    && IsValidNegResult(*pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].pbData)) {
-                *pnegResult = static_cast<SPNGEO_RESULT>(*pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].pbData);
+                    && IsValidNegResult(static_cast<SPNEGO_NEGRESULT>(*pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].pbData))) {
+                *pnegResult = static_cast<SPNEGO_NEGRESULT>(*pSpnegoToken->aElementArray[SPNEGO_TARG_NEGRESULT_ELEMENT].pbData);
                 nReturn = SPNEGO_E_SUCCESS;
             } else {
                 nReturn = SPNEGO_E_INVALID_ELEMENT;
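Review bot: The byte at `pbData` is converted to SPNEGO_NEGRESULT before IsValidNegResult has looked at it, so the validity check now runs on a value already forced into the enum type. For a byte outside the enumerators' range, C++ does not guarantee that the conversion preserves the value, which weakens a check on data taken from a parsed token. It would be safer to range-check the raw byte first and apply the `static_cast` only once it is known to be a valid result code. The enum definition and IsValidNegResult are outside this hunk, so their exact ranges need confirming.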
@@ -603,11 +603,11 @@ spnegoGetSupportedMechType(SPNEGO_TOKEN_HANDLE hSpnegoToken,
                 if ((nReturn =
                             ASNDerCheckOID(pSpnegoToken->
                                            aElementArray[SPNEGO_TARG_SUPPMECH_ELEMENT].pbData,
-                                           nCtr,
+                                           static_cast<SPNEGO_MECH_OID>(nCtr),
                                            pSpnegoToken->
                                            aElementArray[SPNEGO_TARG_SUPPMECH_ELEMENT].
                                            nDatalength, &nLength)) == SPNEGO_E_SUCCESS) {
-                    *pMechOID = nCtr;
+                    *pMechOID = static_cast<SPNEGO_MECH_OID>(nCtr);
                 }
 
             } // For enum MechOIDs
index 8cf85f255718928090d814a84fb65f6a32508799..49add97d3eed2178ceb7a85dcd340de8c8ba5524 100644 (file)
@@ -67,7 +67,7 @@ makeNegTokenTarg(const unsigned char *kerberosToken,
         goto cleanup;
     }
 
-    *negTokenTarg = malloc(*negTokenTargLength);
+    *negTokenTarg = static_cast<const unsigned char *>(malloc(*negTokenTargLength));
 
     if (!*negTokenTarg) {
         rc1 = abs(rc2) + 300;
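Review bot: Casting the malloc() result to `const unsigned char *` makes a freshly allocated, still-unfilled buffer read-only through the only pointer that refers to it. The code that fills it and the eventual free() then have to cast the const away again, which hides who owns the memory. Consider allocating into a local `unsigned char *buf`, filling that, and assigning `*negTokenTarg = buf;` only on success. The parseNegTokenInit hunk below does the same with `*kerberosToken`. The code that writes into the buffer is outside both hunks.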
@@ -189,7 +189,7 @@ parseNegTokenInit(const unsigned char *negTokenInit,
         goto cleanup;
     }
 
-    *kerberosToken = malloc(*kerberosTokenLength);
+    *kerberosToken = static_cast<const unsigned char *>(malloc(*kerberosTokenLength));
 
     if (!*kerberosToken) {
         rc1 = abs(rc2) + 700;
index c0bf3591a3b3c62531806f415cb24a9b8d76ff59..7db4515120e85c8bd9a8f91c5c6080d5fe487c74 100644 (file)
@@ -36,6 +36,13 @@ extern "C" {
 #include <profile.h>
 #endif                         /* HAVE_PROFILE_H */
 #if HAVE_KRB5_H
+#if HAVE_BROKEN_SOLARIS_KRB5_H
+#if defined(__cplusplus)
+#define KRB5INT_BEGIN_DECLS     extern "C" {
+#define KRB5INT_END_DECLS
+KRB5INT_BEGIN_DECLS
+#endif
+#endif
 #include <krb5.h>
 #elif HAVE_ET_COM_ERR_H
 #include <et/com_err.h>
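Review bot: Nothing in the added block closes the `extern "C" {` that `KRB5INT_BEGIN_DECLS` opens, since `KRB5INT_END_DECLS` is defined empty, and no comment explains why that is balanced. If the closing brace is supplied by the Solaris krb5.h itself, state that above the block, e.g. `/* Solaris krb5.h closes an extern "C" block it never opens when built as C++; open it here */`. The same seven lines are repeated in several configure.in probes, so the explanation is worth writing once and referencing from there.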