From: Amos Jeffries
Date: Thu, 25 Dec 2025 15:11:28 +0000 (+0000)
Subject: Polish Kerberos PAC detection (#2330)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=055cda5795fbfdd2a4e77e356c9e4841788a5647;p=thirdparty%2Fsquid.git

Polish Kerberos PAC detection (#2330)

PAC is only used with GSSAPI, no need to detect unless GSSAPI is also found to be working. Shuffle build-time predefine logic into autoconf to set HAVE_KRB5_PAC_SUPPORT when needed. AC_CHECK_FUNC automatically defines the HAVE_function. No need to do that ourselves. Also fixes unused HAVE_GSS_MAP_ANY_TO_ANY which looks like a typo of the tested *_many_to_any().
---
diff --git a/acinclude/krb5.m4 b/acinclude/krb5.m4
index 0cb709896b..3624b6b2eb 100644
--- a/acinclude/krb5.m4
+++ b/acinclude/krb5.m4
@@ -88,6 +88,16 @@ int main(int argc, char *argv[])
 ])
 ])
+dnl check for PAC requirements
+AC_DEFUN([SQUID_CHECK_KRB5_PAC_SUPPORT],[
+ AC_CHECK_TYPE(krb5_pac,[
+ AC_CHECK_FUNC(gss_map_name_to_any)
+ AC_CHECK_FUNC(gsskrb5_extract_authz_data_from_sec_context)
+ AS_IF([test "x$ac_cv_func_gss_map_name_to_any" = "xyes" -o "x$ac_cv_func_gsskrb5_extract_authz_data_from_sec_context" = "xyes"],[
+ AC_DEFINE(HAVE_KRB5_PAC_SUPPORT,1,[Define to 1 if kerberos has PAC support])
+ ])
+ ],,[#include ])
+])
 dnl checks that gssapi is ok, and sets squid_cv_working_gssapi accordingly
 AC_DEFUN([SQUID_CHECK_WORKING_GSSAPI], [
@@ -121,7 +131,8 @@ main(void)
 return 0;
 }
 ]])], [ squid_cv_working_gssapi=yes ], [ squid_cv_working_gssapi=no ], [:])])
- AS_IF([test "x$squid_cv_working_gssapi" = "xno" -a `echo $LIBS | grep -i -c "(-)L"` -gt 0],[
+ AS_IF([test "x$squid_cv_working_gssapi" = "xyes"],[SQUID_CHECK_KRB5_PAC_SUPPORT],
+ [test "x$squid_cv_working_gssapi" = "xno" -a `echo $LIBS | grep -i -c "(-)L"` -gt 0],[
 AC_MSG_NOTICE([Check Runtime library path !])
 ])
 ])
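Review bot: The two `AC_CHECK_FUNC` calls in the new SQUID_CHECK_KRB5_PAC_SUPPORT macro do not define HAVE_GSS_MAP_NAME_TO_ANY or HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT — only the plural AC_CHECK_FUNCS emits those AC_DEFINEs, the singular form just sets `ac_cv_func_*` and runs its action arguments — so the description's claim that they come for free does not hold, even though the macro itself works because it branches on the cache variables. Combined with the krb5.m4 hunk at old line 267 dropping the explicit AC_DEFINE of HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT, any remaining `#if HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT` in the sources would now be silently false; if a grep finds one, the cheap fix is `AC_CHECK_FUNCS(gss_map_name_to_any)` and `AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context)`, which still set the cache variables the AS_IF relies on. As a style point, `test … -o …` is obsolescent in POSIX and easy to misparse; two nested AS_IF calls avoid it. The `AC_CHECK_TYPE` include argument is rendered as an empty `#include` on this page, so I cannot confirm which header it names.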
@@ -225,10 +236,6 @@ AC_DEFUN([SQUID_CHECK_KRB5_FUNCS],[
 AC_DEFINE(HAVE_KRB5_FREE_ERROR_STRING,1,
 [Define to 1 if you have krb5_free_error_string]),)
 AC_CHECK_DECLS(krb5_kt_free_entry,,,[#include ])
- AC_CHECK_TYPE(krb5_pac,
- AC_DEFINE(HAVE_KRB5_PAC,1,
- [Define to 1 if you have krb5_pac]),,
- [#include ])
 AC_CHECK_LIB(krb5,krb5_kt_free_entry,
 AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1,
 [Define to 1 if you have krb5_kt_free_entry]),)
@@ -267,13 +274,6 @@ AC_DEFUN([SQUID_CHECK_KRB5_FUNCS],[
 ],[AC_MSG_RESULT(no)],[AC_MSG_RESULT(no)])
 SQUID_STATE_ROLLBACK(squid_krb5_test)
- AC_CHECK_FUNCS(gss_map_name_to_any,
- AC_DEFINE(HAVE_GSS_MAP_ANY_TO_ANY,1,
- [Define to 1 if you have gss_map_name_to_any]),)
- AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context,
- AC_DEFINE(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT,1,
- [Define to 1 if you have gsskrb5_extract_authz_data_from_sec_context]),)
-
 SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE
 SQUID_DEFINE_BOOL(HAVE_KRB5_MEMORY_CACHE,$squid_cv_memory_cache,
 [Define if kerberos has MEMORY: cache support])
diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos.h b/src/auth/negotiate/kerberos/negotiate_kerberos.h
index d70e919f13..f290874f07 100644
--- a/src/auth/negotiate/kerberos/negotiate_kerberos.h
+++ b/src/auth/negotiate/kerberos/negotiate_kerberos.h
@@ -112,9 +112,7 @@ int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
 char *gethost_name(void);
-#if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT || HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC
-#define HAVE_PAC_SUPPORT 1
-
+#if HAVE_KRB5_PAC_SUPPORT
 /**
 * MAX_PAC_GROUP_SIZE limits the string length, wherein group membership per
 * authenticated user is reported back to Squid, to a reasonable number
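Review bot: With `#define HAVE_PAC_SUPPORT 1` and its `#else`/`#define HAVE_PAC_SUPPORT 0` half (removed in the next hunk, at old line 148) gone, HAVE_KRB5_PAC_SUPPORT is defined only when configure's check succeeds, so `#if HAVE_KRB5_PAC_SUPPORT` now relies on the preprocessor treating an undefined identifier as 0 rather than on an explicit value. That is correct C, but it also means a stale `#if HAVE_PAC_SUPPORT` in any file this commit does not touch would quietly evaluate to 0 and build without PAC group extraction instead of failing, so a grep for the old name across src/ before merging is worth doing. If the tree is ever built with -Wundef, `#if defined(HAVE_KRB5_PAC_SUPPORT) && HAVE_KRB5_PAC_SUPPORT` would keep this header warning-free, though the `#if HAVE_…` convention visible on the neighbouring lines argues for leaving it as is. The `#if` opened here is closed by the `#endif` in the following hunk.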
@@ -148,9 +146,8 @@ char *xstrcpy( char *src, const char*dst);
 char *xstrcat( char *src, const char*dst);
 int checkustr(RPC_UNICODE_STRING *string);
 char *get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac);
-#else
-#define HAVE_PAC_SUPPORT 0
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
+
 int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
 #endif /* SQUID_SRC_AUTH_NEGOTIATE_KERBEROS_NEGOTIATE_KERBEROS_H */
diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
index acce0b0ee2..95d906a72b 100644
--- a/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
+++ b/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
@@ -324,7 +324,7 @@ main(int argc, char *const argv[])
 char *c, *p;
 char *user = nullptr;
 char *rfc_user = nullptr;
-#if HAVE_PAC_SUPPORT
+#if HAVE_KRB5_PAC_SUPPORT
 char ad_groups[MAX_PAC_GROUP_SIZE];
 char *ag=nullptr;
 krb5_pac pac;
@@ -333,7 +333,7 @@ main(int argc, char *const argv[])
 #else
 gss_buffer_desc type_id = GSS_C_EMPTY_BUFFER;
 #endif
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
 krb5_context context = nullptr;
 krb5_error_code ret;
 long length = 0;
@@ -750,7 +750,7 @@ main(int argc, char *const argv[])
 *p = '\0';
 }
-#if HAVE_PAC_SUPPORT
+#if HAVE_KRB5_PAC_SUPPORT
 ret = krb5_init_context(&context);
 if (!check_k5_err(context, "krb5_init_context", ret)) {
 #if HAVE_LIBHEIMDAL_KRB5
@@ -782,13 +782,15 @@ main(int argc, char *const argv[])
 if (ag) {
 debug((char *) "%s| %s: DEBUG: Groups %s\n", LogTime(), PROGRAM, ag);
 }
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
+
 rfc_user = rfc1738_escape(user);
-#if HAVE_PAC_SUPPORT
+#if HAVE_KRB5_PAC_SUPPORT
 fprintf(stdout, "OK token=%s user=%s %s\n", token, rfc_user, ag?ag:"group=");
 #else
 fprintf(stdout, "OK token=%s user=%s\n", token, rfc_user);
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
+
 debug((char *) "%s| %s: DEBUG: OK token=%s user=%s\n", LogTime(), PROGRAM, token, rfc_user);
 if (log)
 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
@@ -825,11 +827,11 @@ main(int argc, char *const argv[])
 *p = '\0';
 }
 rfc_user = rfc1738_escape(user);
-#if HAVE_PAC_SUPPORT
+#if HAVE_KRB5_PAC_SUPPORT
 fprintf(stdout, "OK token=%s user=%s %s\n", "AA==", rfc_user, ag?ag:"group=");
 #else
 fprintf(stdout, "OK token=%s user=%s\n", "AA==", rfc_user);
-#endif
+#endif /* HAVE_KRB5_PAC_SUPPORT */
 debug((char *) "%s| %s: DEBUG: OK token=%s user=%s\n", LogTime(), PROGRAM, "AA==", rfc_user);
 if (log)
 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
index 0403fcfd7d..cbf382e6ee 100644
--- a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
+++ b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
@@ -40,7 +40,7 @@
 #include "negotiate_kerberos.h"
-#if HAVE_GSSAPI && HAVE_PAC_SUPPORT
+#if HAVE_GSSAPI && HAVE_KRB5_PAC_SUPPORT
 #define LOGON_EXTRA_SIDS 0x0020
 #define LOGON_RESOURCE_GROUPS 0x0200
@@ -649,5 +649,5 @@ k5clean:
 krb5_free_data(context, ad_data);
 return nullptr;
 }
-#endif
+#endif /* HAVE_GSSAPI && HAVE_KRB5_PAC_SUPPORT */