A couple of different people have now written me wanting to know what changes I had to do to get both MIT krb5 with krb4 compatability built in along with OpenSSL. I never resubmitted the changes, because it was such a kludgy hack that I wasn't sure anyone else would want to do it. In fact, it's so off the wall I couldn't possibly come up with a "how-to" for other people -- the best I can do is give a description of what we did, and if you're feeling brave, you can go from there. Unfortunately, I made the changes to the configure.in file and a couple of others, and since then I've been copying the configure.in over from old distributions and getting it to work that way, so a diff against a current configure.in shows more distribution changes than my own changes. Anyway, here's what I can come up with.
Fundamentally, the problem is that both OpenSSL and MIT Kerberos V5/V4 compat libraries define not only a library called -ldes, but a series of functions with the same name in those libraries. All of them are called des_something_or_other. Thus, when you try to link things together, you're going to run into problems, because you've got duplicate symbol names that the linker isn't going to be able to resolve. (Before I go any further, I should mention that the OpenSSL folks plan for 0.9.7 to change all of their functions to DES_something, which will eliminate this problem completely, and allow me to compile a cyrus server somewhat like a normal person, rather than jumping through all of these hoops. So, if you can be a little patient, this will all become unnecessary.) Fortunately, the functions are close enough to being binarily compatable that you can use one in place of the other. As it stands, the OpenSSL function set is a superset of the MIT one, so with a little trickery, you can slip the OpenSSL one into place. You'll get a few compile warnings on the way there, but things will work fine once you get there. As Robert Cochran mentioned in an earlier message, one of the first things you have to do is to change -lkrb to -lkrb4. You'll also want to get rid of -ldes, because you'll be getting all of your des_* functions from -lcrypto in the OpenSSL distribution. Now, here's where it gets a little crazy. Part of this was made easier for us by the fact that we hardly ever link to anything out of /usr/local/*. For various local architectural reasons (some good, some way out of date), we install almost all packages in a /usr/pkg tree, so that we can have programs loading different versions of the same shared library on the same machine, for instance. This normally makes things much more difficult to compile, sadly, and requires us to go through configure scripts and eliminate references to /usr/local, and since we run Solaris and use shared libraries, we have to find all of the -Lfoo's and replace them with -Lfoo -Rfoo. In this case, though, it makes things easier. The problem is that you have to come up with a custom des.h specially for the include path -- one that will get all of the stuff needed for SSL and all of the stuff needed for Kerberos. One would think that since we're using the SSL shared library, we could just use the ssh des.h file. One would be wrong. MIT, for some reason, puts some definitions in des.h, that if not included before krb.h, will result in massive compilation errors. So, we need to get a des.h that has the funky macro definitions for MIT, but none of MIT's function declarations, and all of SSL's stuff. In order to handle all of this, I created an entirely separate instalation of krb5-1.2.2 (actually creating a tree of symlinks, as it were). It was identical to a normal krb5-1.2.2 installation in every respect except in the include/kerberosIV directory. There, I moved des.h to krb-des.h, copied des.h from the SSL distribution to ssl-des.h, and also brought over opensslconf.h and e_os2.h from the SSL stuff, because they're required in ssl-des.h. Finally, I created the attached des.h file, which has the needed Kerberos stuff, then includes "ssl-des.h". There were several other small changes I had to make along the way, and I don't remember all of them, so you may have to hack your way through them. I'll tell you one thing, though, I understand autoconf better now than I did before (or ever wanted to). If it helps anyone, this is what our IMAP_LIBS line looks like in the imap/Makefile IMAP_LIBS = -L/usr/pkg/cyrus-sasl-1.5.24/sun4x_56/lib -R/usr/pkg/cyrus-sasl-1.5.24/sun4x_56/lib -lsasl -ldl -lkrb4 -lkrb5 -lk5crypto -lcom_err -lnsl -lsocket -lresolv -ldb-3 -lsocket -lnsl -lssl -lcrypto Good luck, and feel free to write either the list or me personally with any questions, although I make no guarantees that I'll be able to solve them. Michael Bacon Duke University [EMAIL PROTECTED] P.S. Larry, blame Princeton. They started the whole CIO stealing thing...
des.h
Description: Binary data
