Bug 245861 - www/squid: 4.11 fails to build: error: no member named 'keyblock' in 'krb5_creds'
Summary: www/squid: 4.11 fails to build: error: no member named 'keyblock' in 'krb5_cr...
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Kurt Jaeger
Depends on:
Reported: 2020-04-24 00:09 UTC by dewayne
Modified: 2020-05-18 09:09 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (timp87)
koobs: merge-quarterly?

patch (890 bytes, text/plain)
2020-05-09 13:35 UTC, timp87
no flags Details
port patch (2.77 KB, patch)
2020-05-10 08:12 UTC, timp87
timp87: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description dewayne 2020-04-24 00:09:29 UTC
Upgraded ports via source overnight.  Attempted to rebuild on 

FreeBSD 12.1-STABLE #0 r359973M: i386 1201513 1201513

# make -C /usr/ports/www/squid showconfig|grep =on
     DOCS=on: Build and/or install documentation
     EXAMPLES=on: Build and/or install examples
     FS_AUFS=on: AUFS (threaded-io) support
     FS_DISKD=on: DISKD storage engine controlled by separate service
     ICAP=on: the ICAP client
     IPV6=on: IPv6 protocol support
     KQUEUE=on: Kqueue(2) support
     PCRE=on: Use Perl Compatible Regular Expressions
     SSL=on: SSL gatewaying support
     SSL_CRTD=on: Use ssl_crtd to handle SSL cert requests
     AUTH_LDAP=on: Install LDAP authentication helpers
     AUTH_SASL=on: Install SASL authentication helpers
     AUTH_SMB=on: Install SMB auth. helpers (req. Samba)
     GSSAPI_HEIMDAL=on: GSSAPI support via security/heimdal

depbase=`echo support_krb5.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`; /usr/local/libexec/ccache/c++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/usr/local/etc/squid/squid.conf\"  -DDEFAULT_SQUID_DATA_DIR=\"/usr/local/etc/squid\"  -DDEFAULT_SQUID_CONFIG_DIR=\"/usr/local/etc/squid\"    -I../../../.. -I../../../../include  -I../../../../lib -I../../../../src  -I../../../../include  -I/usr/local/include/heimdal  -I../../../../libltdl -I. -I/usr/local/include -Wno-write-strings -Wno-error=unused-command-line-argument -Wno-ignored-optimization-argument -Wno-error=macro-redefined -fPIE -fPIC -I/usr/local/include -I/usr/local/include -D_REENTRANT -I/usr/local/include -I/usr/local/include -O2 -pipe -Wl,-m,elf_x86_64_fbsd -Wl,--strip-debug -Wl,--build-id=md5 -Wl,--hash-style=sysv -Wno-write-strings -Wno-unused-variable -Wno-error=unused-command-line-argument -Wno-ignored-optimization-argument -Wno-error=macro-redefined -fPIE -fPIC -fomit-frame-pointer -fPIE -fPIC -march=haswell   -I/usr/local/include -MT support_krb5.o -MD -MP -MF $depbase.Tpo -c -o support_krb5.o support_krb5.cc && mv -f $depbase.Tpo $depbase.Po
support_krb5.cc:470:24: error: no member named 'keyblock' in 'krb5_creds'
                creds->keyblock.enctype = 0;
                ~~~~~  ^
support_krb5.cc:471:28: error: no member named 'keyblock' in 'krb5_creds'
                if (creds->keyblock.contents)
                    ~~~~~  ^
support_krb5.cc:472:73: error: no member named 'keyblock' in 'krb5_creds'
                    krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
                                                                 ~~~~~  ^
3 errors generated.
*** Error code 1

make[6]: stopped in /var/ports/usr/ports/www/squid/work/squid-4.11/src/acl/external/kerberos_ldap_group
*** Error code 1
Comment 1 timp87 2020-04-24 07:09:17 UTC
(In reply to dewayne from comment #0)
I'm wondering what build options your openldap and '*sasl*' have
Comment 2 timp87 2020-04-24 07:11:44 UTC
(In reply to dewayne from comment #0)
Could you please show /etc/make.conf content also?
Comment 3 user_bsd 2020-04-24 17:20:58 UTC
Hello, when updating a squid from 4.10 to 4.11
leads to errors as mentioned above comment #0.
An error occurs when AUTH_SASL is enabled.

FreeBSD 11.3-RELEASE-p7 x86_64

If the following lines are commented out in the support_krb5.cc file, then no errors appear:

  // overwrite limitation of enctypes
   creds->keyblock.enctype = 0;
   if (creds->keyblock.contents)
       krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
Comment 4 timp87 2020-04-24 18:33:29 UTC
(In reply to user_bsd from comment #3)
Thank you! Could you please tell me what kerberos implementation you used to complie cyrus-sasl-gssapi?
Comment 5 dewayne 2020-04-25 03:08:50 UTC
(In reply to timp87 from comment #2)
Umm - my make.conf is 1250 lines without comments...  The only thing I've changed in the last quarter was to add -fno-common to CFLAGS.  I use security/heimdal everywhere.

# kadmin -v
kadmin (Heimdal 7.7.0)

It appears to be a definition issue (ref: http://www.squid-cache.org/Versions/v4/squid-4.11.patch search for "overwrite limitation of enctypes")

The following CFLAGS and LDFLAGS for www/squid build are listed, cyrus-sasl and ldap are similar, on FreeBSD 12.1-STABLE #0 r359973M i386, we use

CFLAGS=-O2 -pipe -Wl,-m,elf_i386_fbsd -Wl,--strip-debug -Wl,--build-id=md5 -Wl,--hash-style=sysv -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -fno-math-errno -Wno-write-strings -Wno-unused-variable -Wno-error=unused-command-line-argument -Wno-ignored-optimization-argument -Wno-error=macro-redefined -fPIE -fPIC -fomit-frame-pointer -fno-asynchronous-unwind-tables -fno-common -march=prescott  -I/usr/local/include -I/usr/local/include -DLDAP_DEPRECATED -fno-strict-aliasing
LDFLAGS=-Wl,--strip-debug -Wl,--build-id=md5 -Wl,--hash-style=sysv -pie -L/usr/local/lib -pthread -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib/heimdal:/usr/lib

while options are set with:
net_openldap24-client_SET=SASL GSSAPI
net_openldap24-sasl-client_SET=SASL GSSAPI



Though you're right as we rebuild everything in our ports tree in virgin jails, it is possible that something upstream is affecting squid 4.11.
Comment 6 user_bsd 2020-04-25 07:22:02 UTC
(In reply to timp87 from comment #4)


GSSAPI_HEIMDAL=on: GSSAPI support via security/heimdal
Comment 7 timp87 2020-05-01 09:24:56 UTC
(In reply to user_bsd from comment #6)
I gonna investigate it during next several days
Comment 8 timp87 2020-05-02 08:27:14 UTC
Seems like upstream broke heimdal compatibility for such build option set.
I tried the same build options with security/krb5 instead of base/ports heimdal and it built ok.
I'm preparing port for squid-5.0.2 now and it's also affected.

I'll open bug in upstream first.
Then I'll try to find a way to fix it myself, I'm not really good at C++ and krb however.
Comment 9 user_bsd 2020-05-03 06:38:01 UTC
Thank you.

Bug already created in bugs.squid-cache.org:
Comment 10 timp87 2020-05-03 07:04:51 UTC
(In reply to user_bsd from comment #9)
This is great! Thanks a lot!
Comment 11 timp87 2020-05-09 13:35:12 UTC
Created attachment 214309 [details]

I've got a patch from upstream.
Could you please place this file into www/squid/files directory and try it.
This built on my machine, but I have no working krb5 env to fully check its functionality.
Comment 12 user_bsd 2020-05-10 07:39:47 UTC
(In reply to timp87 from comment #11)
Now checked on one of the squid servers.
Yes, everything works with this patch.
Comment 13 timp87 2020-05-10 07:41:13 UTC
(In reply to user_bsd from comment #12)
Thanks a lot!
I'll report that back to upstream and prepare diff for the port.
Comment 14 timp87 2020-05-10 08:12:46 UTC
Created attachment 214338 [details]
port patch

- apply fix to kerberos_ldap_group helper to make it work with heimdal
- regenerate patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc to follow upstreamed version of the patch
Comment 15 timp87 2020-05-10 09:58:10 UTC
The same for www/squid-devel https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246355
Comment 16 Kurt Jaeger freebsd_committer 2020-05-18 07:57:28 UTC
Comment 17 commit-hook freebsd_committer 2020-05-18 09:09:50 UTC
A commit references this bug:

Author: pi
Date: Mon May 18 09:09:07 UTC 2020
New revision: 535732
URL: https://svnweb.freebsd.org/changeset/ports/535732

  www/squid: add patch to fix kerberos_ldap_group helper, fix pinger

  - add patch to fix kerberos_ldap_group helper work with heimdal
  - regenerate two patches to follow upstreamed versions
  - fix pinger permissions

  PR:		245861, 246410
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)