From 9b04053eddd676de68cde9e5c549409aee2282b3 Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Wed, 13 Aug 2008 23:32:11 +0000
Subject: [PATCH] Don't build PKINIT ASN.1 support code if not building PKINIT plugin

If --disable-pkinit is given at configure time, don't build the PKINIT plugin. If the PKINIT plugin is not going to be built, define DISABLE_PKINIT. If DISABLE_PKINIT is defined, don't build the PKINIT-related ASN.1 encoding and decoding routines, and fill their slots in the accessor function table with null pointers. Tweak the accessor table initialization to use conditionally-varying macros rather than conditionally selecting between two blocks of invocations of fixed macros.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20652 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/configure.in | 18 +++--
 src/lib/krb5/asn.1/asn1_k_decode.c | 2 +
 src/lib/krb5/asn.1/asn1_k_encode.c | 4 +-
 src/lib/krb5/os/accessor.c | 101 ++++++++++++++++-------------
 4 files changed, 74 insertions(+), 51 deletions(-)
diff --git a/src/configure.in b/src/configure.in
index bba5a2dd4..b29082320 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -925,18 +925,26 @@ changequote([, ]) AC_SUBST(PASS) dnl for pkinit -AC_CACHE_CHECK(for a recent enough OpenSSL, k5_cv_openssl_version_okay, +AC_ARG_ENABLE([pkinit], +[ --disable-pkinit disable PKINIT plugin support],, +enable_pkinit=yes) +if test "$enable_pkinit" = yes; then + AC_CACHE_CHECK(for a recent enough OpenSSL, k5_cv_openssl_version_okay, [AC_COMPILE_IFELSE([#include #if OPENSSL_VERSION_NUMBER < 0x00908000L # error openssl is too old, need 0.9.8 #endif int i = 1; ], k5_cv_openssl_version_okay=yes, k5_cv_openssl_version_okay=no)]) -old_LIBS="$LIBS" -AC_CHECK_LIB(crypto, PKCS7_get_signer_info) -LIBS="$old_LIBS" -if test "$k5_cv_openssl_version_okay" = yes; then + old_LIBS="$LIBS" + AC_CHECK_LIB(crypto, PKCS7_get_signer_info) + LIBS="$old_LIBS" +fi +if test "$k5_cv_openssl_version_okay" = yes && test "$enable_pkinit" = yes; then K5_GEN_MAKEFILE(plugins/preauth/pkinit) +else + AC_DEFINE([DISABLE_PKINIT], 1, [Define to disable PKINIT plugin support]) + AC_MSG_NOTICE([Disabling PKINIT support.]) fi dnl for lib/apputils diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index 10d0a05f8..213bb3b1e 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c @@ -1185,6 +1185,7 @@ asn1_error_code asn1_decode_predicted_sam_response(asn1buf *buf, krb5_predicted_ cleanup(); } +#ifndef DISABLE_PKINIT /* PKINIT */ asn1_error_code asn1_decode_external_principal_identifier(asn1buf *buf, krb5_external_principal_identifier *val) @@ -1589,3 +1590,4 @@ asn1_error_code asn1_decode_typed_data(asn1buf *buf, krb5_typed_data *val) } cleanup(); } +#endif /* DISABLE_PKINIT */ diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index 4869ea732..4cd9f0572 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c 
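Review bot: The `else` branch at the end of this hunk disables PKINIT with only an `AC_MSG_NOTICE`, both when `--disable-pkinit` was given and when the OpenSSL version check failed, so a builder who asked for PKINIT can end up with a build that has no certificate pre-authentication and no configure error. Because the default is also `enable_pkinit=yes`, the script cannot tell an explicit `--enable-pkinit` from the default. A default of `enable_pkinit=try`, with `AC_MSG_ERROR([PKINIT requested but OpenSSL 0.9.8 or later was not found])` for the explicit `yes` case, would make that failure visible. The result of `AC_CHECK_LIB(crypto, PKCS7_get_signer_info)` is not part of the final condition either, so only the header version test decides whether the plugin is built.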
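Review bot: The `#ifndef DISABLE_PKINIT` opened before `asn1_decode_external_principal_identifier` is closed only at the end of the file (second hunk), so everything defined in between, including `asn1_decode_typed_data`, drops out of a `--disable-pkinit` build; asn1_k_encode.c gets the same treatment, and the guarded code itself is not visible in these hunks. The accessor table names `decode_krb5_*`/`encode_krb5_*` entry points rather than these `asn1_*` routines, and the diffstat lists no other file under asn.1/, so if those wrappers are defined elsewhere and call the guarded routines they presumably need the same `#ifndef DISABLE_PKINIT`, otherwise the library is left with unresolved references. A comment at the `#ifndef`, e.g. `/* Everything from here to the end of the file is PKINIT-only. */`, would keep a routine appended later from being silently dropped from non-PKINIT builds.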
@@ -1,7 +1,7 @@ /* * src/lib/krb5/asn.1/asn1_k_encode.c * - * Copyright 1994 by the Massachusetts Institute of Technology. + * Copyright 1994, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -1004,6 +1004,7 @@ asn1_error_code asn1_encode_krb_saved_safe_body(asn1buf *buf, const krb5_data *b return 0; } +#ifndef DISABLE_PKINIT /* * PKINIT */ @@ -1393,3 +1394,4 @@ asn1_error_code asn1_encode_typed_data(asn1buf *buf, const krb5_typed_data *val, asn1_makeseq(); asn1_cleanup(); } +#endif /* DISABLE_PKINIT */ diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c index d4637699c..cd345ff56 100644 --- a/src/lib/krb5/os/accessor.c +++ b/src/lib/krb5/os/accessor.c @@ -1,7 +1,7 @@ /* * lib/krb5/os/accessor.c * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
@@ -57,59 +57,70 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version) S (arcfour_enc_provider, &krb5int_enc_arcfour), S (sendto_udp, &krb5int_sendto), S (add_host_to_list, krb5int_add_host_to_list), + #ifdef KRB5_DNS_LOOKUP - S (make_srv_query_realm, krb5int_make_srv_query_realm), - S (free_srv_dns_data, krb5int_free_srv_dns_data), - S (use_dns_kdc, _krb5_use_dns_kdc), -#else - S (make_srv_query_realm, 0), - S (free_srv_dns_data, 0), - S (use_dns_kdc, 0), +#define SC(FIELD, VAL) S(FIELD, VAL) +#else /* disable */ +#define SC(FIELD, VAL) S(FIELD, 0) #endif + SC (make_srv_query_realm, krb5int_make_srv_query_realm), + SC (free_srv_dns_data, krb5int_free_srv_dns_data), + SC (use_dns_kdc, _krb5_use_dns_kdc), +#undef SC + #ifdef KRB5_KRB4_COMPAT - S (krb_life_to_time, krb5int_krb_life_to_time), - S (krb_time_to_life, krb5int_krb_time_to_life), - S (krb524_encode_v4tkt, krb5int_encode_v4tkt), -#else - S (krb_life_to_time, 0), - S (krb_time_to_life, 0), - S (krb524_encode_v4tkt, 0), +#define SC(FIELD, VAL) S(FIELD, VAL) +#else /* disable */ +#define SC(FIELD, VAL) S(FIELD, 0) #endif + SC (krb_life_to_time, krb5int_krb_life_to_time), + SC (krb_time_to_life, krb5int_krb_time_to_life), + SC (krb524_encode_v4tkt, krb5int_encode_v4tkt), +#undef SC + S (krb5int_c_mandatory_cksumtype, krb5int_c_mandatory_cksumtype), S (krb5_ser_pack_int64, krb5_ser_pack_int64), S (krb5_ser_unpack_int64, krb5_ser_unpack_int64), S (asn1_ldap_encode_sequence_of_keys, krb5int_ldap_encode_sequence_of_keys), S (asn1_ldap_decode_sequence_of_keys, krb5int_ldap_decode_sequence_of_keys), - S (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req), - S (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9), - S (encode_krb5_pa_pk_as_rep, encode_krb5_pa_pk_as_rep), - S (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9), - S (encode_krb5_auth_pack, encode_krb5_auth_pack), - S (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9), - S (encode_krb5_kdc_dh_key_info, 
encode_krb5_kdc_dh_key_info), - S (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack), - S (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9), - S (encode_krb5_typed_data, encode_krb5_typed_data), - S (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers), - S (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters), - S (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req), - S (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9), - S (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep), - S (decode_krb5_pa_pk_as_rep_draft9, decode_krb5_pa_pk_as_rep_draft9), - S (decode_krb5_auth_pack, decode_krb5_auth_pack), - S (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9), - S (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info), - S (decode_krb5_principal_name, decode_krb5_principal_name), - S (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack), - S (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9), - S (decode_krb5_typed_data, decode_krb5_typed_data), - S (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers), - S (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters), - S (decode_krb5_as_req, decode_krb5_as_req), - S (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body), - S (krb5_free_kdc_req, krb5_free_kdc_req), - S (krb5int_set_prompt_types, krb5int_set_prompt_types), - S (encode_krb5_authdata_elt, encode_krb5_authdata_elt), + +#ifndef DISABLE_PKINIT +#define SC(FIELD, VAL) S(FIELD, VAL) +#else /* disable */ +#define SC(FIELD, VAL) S(FIELD, 0) +#endif + SC (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req), + SC (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9), + SC (encode_krb5_pa_pk_as_rep, encode_krb5_pa_pk_as_rep), + SC (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9), + SC (encode_krb5_auth_pack, encode_krb5_auth_pack), + SC (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9), + SC 
(encode_krb5_kdc_dh_key_info, encode_krb5_kdc_dh_key_info), + SC (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack), + SC (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9), + SC (encode_krb5_typed_data, encode_krb5_typed_data), + SC (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers), + SC (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters), + SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req), + SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9), + SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep), + SC (decode_krb5_pa_pk_as_rep_draft9, decode_krb5_pa_pk_as_rep_draft9), + SC (decode_krb5_auth_pack, decode_krb5_auth_pack), + SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9), + SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info), + SC (decode_krb5_principal_name, decode_krb5_principal_name), + SC (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack), + SC (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9), + SC (decode_krb5_typed_data, decode_krb5_typed_data), + SC (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers), + SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters), + SC (decode_krb5_as_req, decode_krb5_as_req), + SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body), + SC (krb5_free_kdc_req, krb5_free_kdc_req), + SC (krb5int_set_prompt_types, krb5int_set_prompt_types), + SC (encode_krb5_authdata_elt, encode_krb5_authdata_elt), +#undef SC + #if DESIGNATED_INITIALIZERS }; #else -- 2.26.2
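Review bot: The last five entries of the `#ifndef DISABLE_PKINIT` group — `decode_krb5_as_req`, `encode_krb5_kdc_req_body`, `krb5_free_kdc_req`, `krb5int_set_prompt_types` and `encode_krb5_authdata_elt` — were plain `S (...)` entries before and do not look like PKINIT ASN.1 routines, yet they now become null pointers in a `--disable-pkinit` build. Unless those functions are also compiled out (not visible in this patch), the `#undef SC` should move up to just after `SC (decode_krb5_td_dh_parameters, ...)` and these five should stay as `S (krb5_free_kdc_req, krb5_free_kdc_req),` and so on. More generally, every slot filled with `0` is a function pointer that a consumer of `krb5int_access` may call, and an unchecked call would crash the calling process. A comment at the `SC` definition such as `/* Disabled entries are NULL; callers must check before calling. */` would document that contract. `krb5int_accessor` begins and ends outside this hunk.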