From c227279d33da06f42133f2fd6b0317d34635bef7 Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Thu, 9 Jan 2020 13:34:06 +0100
Subject: packet-kerberos: try to fix the build on macOS 10.14

/usr/lib/libkrb5.dylib doesn't have krb5_pac_verify().

This hopefully fixes the build problem introduced by commit
d9aab840a75ededc286b8e9894e5af7ce6298bbc

Change-Id: Ib354a59cbc20c6bf97ddc029d8b042d4aea6dae9
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/35713
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
---
 cmake/modules/FindKERBEROS.cmake                   |  1 +
 cmakeconfig.h.in                                   |  3 +++
 .../asn1/kerberos/packet-kerberos-template.c       | 25 ++++++++++++-----
 epan/dissectors/packet-kerberos.c                  | 31 +++++++++++++++-------
 4 files changed, 43 insertions(+), 17 deletions(-)

diff --git a/cmake/modules/FindKERBEROS.cmake b/cmake/modules/FindKERBEROS.cmake
index 008aad442b..dbdf4d5bc5 100644
--- a/cmake/modules/FindKERBEROS.cmake
+++ b/cmake/modules/FindKERBEROS.cmake
@@ -87,6 +87,7 @@ if(KERBEROS_FOUND)
   set(CMAKE_REQUIRED_INCLUDES ${KERBEROS_INCLUDE_DIRS})
   set(CMAKE_REQUIRED_LIBRARIES ${KERBEROS_LIBRARIES})
   check_symbol_exists("heimdal_version" "krb5.h" HAVE_HEIMDAL_KERBEROS)
+  check_symbol_exists("krb5_pac_verify" "krb5.h" HAVE_KRB5_PAC_VERIFY)
   set(CMAKE_REQUIRED_INCLUDES)
   set(CMAKE_REQUIRED_LIBRARIES)
   if(NOT HAVE_HEIMDAL_KERBEROS)
diff --git a/cmakeconfig.h.in b/cmakeconfig.h.in
index f117da675b..0135d1bfdc 100644
--- a/cmakeconfig.h.in
+++ b/cmakeconfig.h.in
@@ -88,6 +88,9 @@
 /* Define to use heimdal kerberos */
 #cmakedefine HAVE_HEIMDAL_KERBEROS 1
 
+/* Define to 1 if you have the `krb5_pac_verify' function. */
+#cmakedefine HAVE_KRB5_PAC_VERIFY 1
+
 /* Define to 1 if you have the `inflatePrime' function. */
 #cmakedefine HAVE_INFLATEPRIME 1
 
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
index 55f70c73e0..24498bea34 100644
--- a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
@@ -296,7 +296,11 @@ static void used_encryption_key(proto_tree *tree, packet_info *pinfo,
 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
 }
 
-#ifdef HAVE_MIT_KERBEROS
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+#if defined(HAVE_MIT_KERBEROS)
+
+#ifdef HAVE_KRB5_PAC_VERIFY
 static void used_signing_key(proto_tree *tree, packet_info *pinfo,
 			     enc_key_t *ek, tvbuff_t *tvb,
 			     krb5_cksumtype checksum,
@@ -310,11 +314,7 @@ static void used_signing_key(proto_tree *tree, packet_info *pinfo,
 				     ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
 }
-#endif /* HAVE_MIT_KERBEROS */
-
-#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
-
-#if defined(HAVE_MIT_KERBEROS)
+#endif /* HAVE_KRB5_PAC_VERIFY */
 
 static krb5_context krb5_ctx;
 
@@ -460,6 +460,16 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
 }
 USES_APPLE_RST
 
+#ifdef HAVE_KRB5_PAC_VERIFY
+/*
+ * macOS up to 10.14.5 only has a MIT shim layer on top
+ * of heimdal. It means that krb5_pac_verify() is not available
+ * in /usr/lib/libkrb5.dylib
+ *
+ * https://opensource.apple.com/tarballs/Heimdal/Heimdal-520.260.1.tar.gz
+ * https://opensource.apple.com/tarballs/MITKerberosShim/MITKerberosShim-71.200.1.tar.gz
+ */
+
 extern krb5_error_code
 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
 
@@ -554,6 +564,7 @@ verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb)
 
 	krb5_pac_free(krb5_ctx, pac);
 }
+#endif /* HAVE_KRB5_PAC_VERIFY */
 
 #elif defined(HAVE_HEIMDAL_KERBEROS)
 static krb5_context krb5_ctx;
@@ -2009,7 +2020,7 @@ dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,
 	guint32 version;
 	guint32 i;
 
-#ifdef HAVE_MIT_KERBEROS
+#if defined(HAVE_MIT_KERBEROS) && defined(HAVE_KRB5_PAC_VERIFY)
 	verify_krb5_pac(tree, actx, tvb);
 #endif
 
diff --git a/epan/dissectors/packet-kerberos.c b/epan/dissectors/packet-kerberos.c
index 2107f8b0a5..230d3f6c77 100644
--- a/epan/dissectors/packet-kerberos.c
+++ b/epan/dissectors/packet-kerberos.c
@@ -604,7 +604,11 @@ static void used_encryption_key(proto_tree *tree, packet_info *pinfo,
 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
 }
 
-#ifdef HAVE_MIT_KERBEROS
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+#if defined(HAVE_MIT_KERBEROS)
+
+#ifdef HAVE_KRB5_PAC_VERIFY
 static void used_signing_key(proto_tree *tree, packet_info *pinfo,
 			     enc_key_t *ek, tvbuff_t *tvb,
 			     krb5_cksumtype checksum,
@@ -618,11 +622,7 @@ static void used_signing_key(proto_tree *tree, packet_info *pinfo,
 				     ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
 }
-#endif /* HAVE_MIT_KERBEROS */
-
-#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
-
-#if defined(HAVE_MIT_KERBEROS)
+#endif /* HAVE_KRB5_PAC_VERIFY */
 
 static krb5_context krb5_ctx;
 
@@ -768,6 +768,16 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
 }
 USES_APPLE_RST
 
+#ifdef HAVE_KRB5_PAC_VERIFY
+/*
+ * macOS up to 10.14.5 only has a MIT shim layer on top
+ * of heimdal. It means that krb5_pac_verify() is not available
+ * in /usr/lib/libkrb5.dylib
+ *
+ * https://opensource.apple.com/tarballs/Heimdal/Heimdal-520.260.1.tar.gz
+ * https://opensource.apple.com/tarballs/MITKerberosShim/MITKerberosShim-71.200.1.tar.gz
+ */
+
 extern krb5_error_code
 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
 
@@ -862,6 +872,7 @@ verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb)
 
 	krb5_pac_free(krb5_ctx, pac);
 }
+#endif /* HAVE_KRB5_PAC_VERIFY */
 
 #elif defined(HAVE_HEIMDAL_KERBEROS)
 static krb5_context krb5_ctx;
@@ -2317,7 +2328,7 @@ dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,
 	guint32 version;
 	guint32 i;
 
-#ifdef HAVE_MIT_KERBEROS
+#if defined(HAVE_MIT_KERBEROS) && defined(HAVE_KRB5_PAC_VERIFY)
 	verify_krb5_pac(tree, actx, tvb);
 #endif
 
@@ -4773,7 +4784,7 @@ dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
 
 
 /*--- End of included file: packet-kerberos-fn.c ---*/
-#line 2034 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2045 "./asn1/kerberos/packet-kerberos-template.c"
 
 /* Make wrappers around exported functions for now */
 int
@@ -5981,7 +5992,7 @@ void proto_register_kerberos(void) {
         NULL, HFILL }},
 
 /*--- End of included file: packet-kerberos-hfarr.c ---*/
-#line 2421 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2432 "./asn1/kerberos/packet-kerberos-template.c"
 	};
 
 	/* List of subtrees */
@@ -6071,7 +6082,7 @@ void proto_register_kerberos(void) {
     &ett_kerberos_KrbFastArmoredRep,
 
 /*--- End of included file: packet-kerberos-ettarr.c ---*/
-#line 2437 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2448 "./asn1/kerberos/packet-kerberos-template.c"
 	};
 
 	static ei_register_info ei[] = {
-- 
cgit v1.2.3