krb5: Require krb5_c_verify_checksum is available to build with krb5
authorAndrew Bartlett <abartlet@samba.org>
Wed, 4 Jan 2012 23:51:29 +0000 (10:51 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 10 Jan 2012 20:50:07 +0000 (21:50 +0100)
libcli/auth/krb5_wrap.c
source3/configure.in
source3/wscript

index e7e071d48417b71f00345de9f9792068a8d48446..8bd17670bb5ee0deecf9fcde5ac7a0bcb1116c54 100644 (file)
@@ -241,71 +241,28 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 {
        krb5_error_code ret;
 
-       /* verify the checksum */
-
-       /* welcome to the wonderful world of samba's kerberos abstraction layer:
-        * 
-        * function                     heimdal 0.6.1rc3        heimdal 0.7     MIT krb 1.4.2
-        * -----------------------------------------------------------------------------
-        * krb5_c_verify_checksum       -                       works           works
-        * krb5_verify_checksum         works (6 args)          works (6 args)  broken (7 args) 
-        */
-
-#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
-       {
-               krb5_boolean checksum_valid = false;
-               krb5_data input;
-
-               input.data = (char *)data;
-               input.length = length;
-
-               ret = krb5_c_verify_checksum(context, 
-                                            keyblock, 
-                                            usage,
-                                            &input, 
-                                            cksum,
-                                            &checksum_valid);
-               if (ret) {
-                       DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
-                               error_message(ret)));
-                       return ret;
-               }
-
-               if (!checksum_valid)
-                       ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-       }
-
-#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
-
-       /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
-        * without enctype and it ignores any key_usage types - Guenther */
-
-       {
+       /* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
 
-               krb5_crypto crypto;
-               ret = krb5_crypto_init(context,
-                                      keyblock,
-                                      0,
-                                      &crypto);
-               if (ret) {
-                       DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n", 
-                               error_message(ret)));
-                       return ret;
-               }
-
-               ret = krb5_verify_checksum(context,
-                                          crypto,
-                                          usage,
-                                          data,
-                                          length,
-                                          cksum);
-
-               krb5_crypto_destroy(context, crypto);
+       krb5_boolean checksum_valid = false;
+       krb5_data input;
+       
+       input.data = (char *)data;
+       input.length = length;
+       
+       ret = krb5_c_verify_checksum(context, 
+                                    keyblock, 
+                                    usage,
+                                    &input, 
+                                    cksum,
+                                    &checksum_valid);
+       if (ret) {
+               DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
+                        error_message(ret)));
+               return ret;
        }
-
-#else
-#error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
-#endif
+       
+       if (!checksum_valid)
+               ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 
        return ret;
 }
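Review bot: The `if (!checksum_valid)` branch at the end of the hunk sets `KRB5KRB_AP_ERR_BAD_INTEGRITY` without logging, while the API-failure path just above it logs at level 3. A checksum that does not verify is the integrity failure an operator would most want to see in the logs, and it leaves no trace here. I would brace the branch and add `DEBUG(3,("smb_krb5_verify_checksum: checksum did not verify\n"));` before the assignment. Separately, `input` is filled field by field without being zeroed first, and `input.length = length;` may narrow the value if `length` is wider than the `krb5_data` length field. The function signature is outside the hunk, so the parameter type needs confirming.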
index 1847ad2181958ca20279c9cb1281f638deda3a76..fd28a4bb1a395682e951b1959722ebc4e0142aa2 100644 (file)
@@ -3873,7 +3873,6 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_crypto_destroy, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_decode_ap_req, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(free_AP_REQ, $KRB5_LIBS)
-  AC_CHECK_FUNC_EXT(krb5_verify_checksum, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_c_verify_checksum, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_principal_compare_any_realm, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_parse_name_norealm, $KRB5_LIBS)
@@ -4444,10 +4443,9 @@ if test x"$with_ads_support" != x"no"; then
     use_ads=no
   fi
 
-  if test x"$ac_cv_func_ext_krb5_c_verify_checksum" != x"yes" -a \
-          x"$ac_cv_func_ext_krb5_verify_checksum" != x"yes"
+  if test x"$ac_cv_func_ext_krb5_c_verify_checksum" != x"yes"
   then
-    AC_MSG_WARN(no KRB5_VERIFY_CHECKSUM_FUNCTION detected)
+    AC_MSG_WARN(krb5_c_verify_checksum not found in -lkrb5)
     use_ads=no
   fi
 
index 903061db9da9dde6a0a8103b77fbaae514b4b1d8..690ae957e380e6f0cac9f85c5e07b7f1f79cdd87 100644 (file)
@@ -582,7 +582,7 @@ krb5_principal_get_comp_string krb5_free_unparsed_name
 krb5_free_keytab_entry_contents krb5_kt_free_entry krb5_krbhst_init
 krb5_krbhst_get_addrinfo krb5_c_enctype_compare
 krb5_crypto_init krb5_crypto_destroy krb5_decode_ap_req free_AP_REQ
-krb5_verify_checksum krb5_c_verify_checksum krb5_principal_compare_any_realm
+krb5_c_verify_checksum krb5_principal_compare_any_realm
 krb5_parse_name_norealm krb5_princ_size krb5_get_init_creds_opt_set_pac_request
 krb5_get_renewed_creds krb5_get_kdc_cred krb5_free_error_contents
 initialize_krb5_error_table krb5_get_init_creds_opt_alloc
@@ -696,14 +696,6 @@ int main(void) {
                         headers='krb5.h', lib='krb5',
                         addmain=False,
                         msg="Checking whether krb5_principal_get_realm is defined")
-        if conf.CHECK_CODE('''krb5_verify_checksum(0, 0, 0, 0, 0, 0, 0);''',
-                        'KRB5_VERIFY_CHECKSUM_ARGS',
-                        headers='krb5.h', lib='krb5',
-                       msg="Checking whether krb5_verify_checksum takes 7 arguments"):
-            conf.DEFINE('KRB5_VERIFY_CHECKSUM_ARGS', '7')
-       else:
-            conf.DEFINE('KRB5_VERIFY_CHECKSUM_ARGS', '6')
-
        conf.CHECK_CODE('''
 krb5_enctype enctype;
 enctype = ENCTYPE_ARCFOUR_HMAC_MD5;
@@ -770,9 +762,8 @@ return krb5_kt_resolve(context, "WRFILE:api", &keytab);
            not conf.CONFIG_SET('HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS'):
             Logs.warn("no KT_FREE_FUNCTION detected")
             use_ads=False
-        if not conf.CONFIG_SET('HAVE_KRB5_C_VERIFY_CHECKSUM') and \
-           not conf.CONFIG_SET('HAVE_KRB5_VERIFY_CHECKSUM'):
-            Logs.warn("no KRB5_VERIFY_CHECKSUM_FUNCTION detected")
+        if not conf.CONFIG_SET('HAVE_KRB5_C_VERIFY_CHECKSUM'):
+            Logs.warn("krb5_c_verify_checksum_compare not found in -lkrb5")
             use_ads=False
         if not conf.CONFIG_SET('KRB5_TICKET_HAS_KEYINFO'):
             # We only need the following functions if we can't get the enctype
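Review bot: The new `Logs.warn` message names `krb5_c_verify_checksum_compare`, but the symbol tested on the line above is `HAVE_KRB5_C_VERIFY_CHECKSUM`, and the matching configure.in warning in this same commit says `krb5_c_verify_checksum`. The stray `_compare` points anyone diagnosing a build with ADS disabled at a function that is not the one being checked. Suggested line: `Logs.warn("krb5_c_verify_checksum not found in -lkrb5")`. The enclosing configure function starts and ends outside the hunk.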