Add SQUID_CHECK_KRB5_GET_MAX_TIME_SKEW

.. to simplify krb5_get_max_time_skew(3) definition.
squid-cache · Jul 31, 2024 · b650a36 · b650a36
1 parent 61ddaf9
commit b650a36
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 10 deletions.
diff --git a/acinclude/krb5.m4 b/acinclude/krb5.m4
@@ -122,6 +122,28 @@ krb5_context kc; kc->max_skew = 1;
   ])
 ])
 
+dnl ensure krb5_get_max_time_skew(3) is defined for old Heimdal libraries
+AC_DEFUN([SQUID_CHECK_KRB5_GET_MAX_TIME_SKEW],[
+  AC_CACHE_CHECK([how to access max_skew in struct krb5_context],squid_cv_krb5_get_max_time_skew,[
+    SQUID_STATE_SAVE(squid_krb5_test)
+    CPPFLAGS="-I${srcdir:-.} $CPPFLAGS"
+    AC_CHECK_LIB([krb5],[krb5_get_max_time_skew],
+      [squid_cv_krb5_get_max_time_skew="function"],[
+      AC_COMPILE_IFELSE(
+        [AC_LANG_PROGRAM([[#include "compat/krb5.h"]],[[krb5_context kc; kc->max_skew = 1;]])],
+        [squid_cv_krb5_get_max_time_skew="member"],
+        [squid_cv_krb5_get_max_time_skew="none"])
+    ])
+    SQUID_STATE_ROLLBACK(squid_krb5_test)
+  ])
+
+  AS_IF([test "x$squid_cv_krb5_get_max_time_skew" = "xmember"],[
+    AC_DEFINE([krb5_get_max_time_skew(context)],[(context)->max_skew])],
+  [test "x$squid_cv_krb5_get_max_time_skew" != "xfunction"],[
+    AC_DEFINE([krb5_get_max_time_skew(context)],[krb5_deltat(600)])
+  ])
+])
+
 dnl check whether the kerberos context has a memory cache. Sets
 dnl squid_cv_memory_cache if that's the case.
 AC_DEFUN([SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE],[
@@ -315,9 +337,7 @@ AC_DEFUN([SQUID_CHECK_KRB5_FUNCS],[
   AC_CHECK_LIB(krb5,krb5_get_init_creds_keytab,
     AC_DEFINE(HAVE_GET_INIT_CREDS_KEYTAB,1,
       [Define to 1 if you have krb5_get_init_creds_keytab]),)
-  AC_CHECK_LIB(krb5,krb5_get_max_time_skew,
-    AC_DEFINE(HAVE_KRB5_GET_MAX_TIME_SKEW,1,
-      [Define to 1 if you have krb5_get_max_time_skew]),)
+  SQUID_CHECK_KRB5_GET_MAX_TIME_SKEW
   AC_CHECK_LIB(krb5,krb5_get_profile,
     AC_DEFINE(HAVE_KRB5_GET_PROFILE,1,
       [Define to 1 if you have krb5_get_profile]),)

diff --git a/src/peer_proxy_negotiate_auth.cc b/src/peer_proxy_negotiate_auth.cc
@@ -181,7 +181,6 @@ int krb5_create_cache(char *kf, char *pn) {
 
 #define KT_PATH_MAX 256
 #define MAX_RENEW_TIME "365d"
-#define DEFAULT_SKEW (krb5_deltat) 600
 
     static char *keytab_filename = nullptr, *principal_name = nullptr;
     static krb5_keytab keytab = nullptr;
@@ -307,13 +306,7 @@ int krb5_create_cache(char *kf, char *pn) {
                    error_message(code));
             return (1);
         }
-#elif HAVE_LIBHEIMDAL_KRB5 && HAVE_KRB5_GET_MAX_TIME_SKEW
         skew = krb5_get_max_time_skew(kparam.context);
-#elif HAVE_LIBHEIMDAL_KRB5 && HAVE_MAX_SKEW_IN_KRB5_CONTEXT
-        skew = kparam.context->max_skew;
-#else
-        skew = DEFAULT_SKEW;
-#endif
 
         if (!kf) {
             char buf[KT_PATH_MAX], *p;