Обсуждение: openssl and krb5 problems with cvs HEAD

On my Red Hat 9 machine I'm getting the following error during compile 
when configured --with-krb5=/usr/kerberos:

i386-redhat-linux-gcc -O2 -g -Wall -Wmissing-prototypes 
-Wmissing-declarations -fpic -I. -I../../../src/include 
-I/usr/kerberos/include -DFRONTEND -DSYSCONFDIR='"/etc/sysconfig/pgsql"'  -c -o fe-auth.o fe-auth.c -MMD
fe-auth.c: In function `pg_krb5_sendauth':
fe-auth.c:392: parse error before ')' token
fe-auth.c:368: warning: unused variable `auth_context'
fe-auth.c:369: warning: unused variable `err_ret'
fe-auth.c: At top level:
fe-auth.c:400: warning: type defaults to `int' in declaration of `retval'
fe-auth.c:400: `auth_context' undeclared here (not in a function)
fe-auth.c:401: `sock' undeclared here (not in a function)
fe-auth.c:402: `server' undeclared here (not in a function)
fe-auth.c:405: `err_ret' undeclared here (not in a function)
fe-auth.c:405: initializer element is not constant
fe-auth.c:405: warning: data definition has no type or storage class
fe-auth.c:406: parse error before "if"
fe-auth.c:432: warning: type defaults to `int' in declaration of `ret'
fe-auth.c:432: warning: data definition has no type or storage class
fe-auth.c:433: parse error before '}' token
fe-auth.c:435: warning: type defaults to `int' in declaration of 
`krb5_free_principal'
fe-auth.c:435: warning: parameter names (without types) in function 
declaration
fe-auth.c:435: conflicting types for `krb5_free_principal'
/usr/kerberos/include/krb5.h:1923: previous declaration of 
`krb5_free_principal'
fe-auth.c:435: warning: data definition has no type or storage class
fe-auth.c:437: parse error before "if"
fe-auth.c:442: warning: type defaults to `int' in declaration of `ret'
fe-auth.c:442: redefinition of `ret'
fe-auth.c:432: `ret' previously defined here
fe-auth.c:442: warning: data definition has no type or storage class
fe-auth.c:443: parse error before '}' token
make[3]: *** [fe-auth.o] Error 1
make[3]: Leaving directory `/opt/src/pgsql/src/interfaces/libpq'


Looks like it must be related to Bruce's commit from earlier today right 
at line 392:
/pgsql-server/src/interfaces/libpq/fe-auth.c
version 1.77, 2003/05/15 16:35:30

(I'd post a link to webcvs, but it seems to be down for the past few hours)


I also noticed that if I try to configure --with-openssl but *not* 
--with-krb5=/usr/kerberos, I get configure errors. The error occurs on a 
test involving /usr/include/openssl/kssl.h when <krb5.h> cannot be 
found. In /usr/include/openssl/kssl.h I see this:

#ifndef OPENSSL_NO_KRB5
#include <stdio.h>
#include <ctype.h>
#include <krb5.h>

And indeed, if I define CPPFLAGS=-DOPENSSL_NO_KRB5 explicitly all goes 
fine. It seems Red Hat puts krb5.h here -- /usr/kerberos/include/krb5.h 
-- and that is only found when --with-krb5=/usr/kerberos is specified.

I'm not sure what the proper fix for this is. Perhaps a test in 
configure.in like this?

if test "$with_openssl" = yes ; then if test "$with_krb5" = no ; then  AC_DEFINE(OPENSSL_NO_KRB5, 1,   [Define to build
withOpenSSL but not Kerberos 5 support.   (--with-openssl --without-krb5)]) fi
 
fi

Joe

Joe Conway <mail@joeconway.com> writes:
> Looks like it must be related to Bruce's commit from earlier today right 
> at line 392:
> /pgsql-server/src/interfaces/libpq/fe-auth.c
> version 1.77, 2003/05/15 16:35:30

Looks like a simple typo --- I've reverted it.

> I also noticed that if I try to configure --with-openssl but *not* 
> --with-krb5=/usr/kerberos, I get configure errors.

Is that a new problem?

> And indeed, if I define CPPFLAGS=-DOPENSSL_NO_KRB5 explicitly all goes 
> fine.

It's not clear to me that we should be mucking with OpenSSL's
configuration symbols.  I think filing this as an OpenSSL bug would be
a better choice.
        regards, tom lane

Tom Lane wrote:
> Looks like a simple typo --- I've reverted it.

Thanks.

> 
>>I also noticed that if I try to configure --with-openssl but *not* 
>>--with-krb5=/usr/kerberos, I get configure errors.
> 
> Is that a new problem?

Dunno -- this was the first time I tried that combo (due to the krb5 
related failure).


>>And indeed, if I define CPPFLAGS=-DOPENSSL_NO_KRB5 explicitly all goes 
>>fine.
> 
> It's not clear to me that we should be mucking with OpenSSL's
> configuration symbols.  I think filing this as an OpenSSL bug would be
> a better choice.

OK. I'll see about contacting them.

Joe

> >>I also noticed that if I try to configure --with-openssl but *not* 
> >>--with-krb5=/usr/kerberos, I get configure errors.
> >
> >Is that a new problem?
> 
> Dunno -- this was the first time I tried that combo (due to the krb5
> related failure).

It's a namespace problem, iirc.  Where ever the problem actually lies,
FreeBSD works around with with the below fix to CPPFLAGS and it seems
to be the generally accepted "way" to deal with openssl.  I actually
find it surprising that we haven't run across this sooner.

> >>And indeed, if I define CPPFLAGS=-DOPENSSL_NO_KRB5 explicitly all goes 
> >>fine.
> >
> >It's not clear to me that we should be mucking with OpenSSL's
> >configuration symbols.  I think filing this as an OpenSSL bug would be
> >a better choice.
> 
> OK. I'll see about contacting them.

-- 
Sean Chittenden

Tom Lane wrote:
> 
>>And indeed, if I define CPPFLAGS=-DOPENSSL_NO_KRB5 explicitly all goes 
>>fine.
> 
> 
> It's not clear to me that we should be mucking with OpenSSL's
> configuration symbols.  I think filing this as an OpenSSL bug would be
> a better choice.

It's a problem with RedHat 9, I've faced few days ago trying to compile 
Apache+SSL and PHP+SSL.

More details on:

http://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=84331

A quick workaround is to define before ./configure

CFLAGS=-I/usr/kerberos/include

Bye.

--  Daniele Orlandi Planet Srl