waf: move krb5 checks to a separate waf file

With PROCESS_SEPARATE_RULE in wafsamba it is now possible to simplify
configuration and checks for MIT/Heimdal Kerberos implementations.

1. Move MIT krb5 checks from source3/wscript to wscript_configure_krb5
2. Make sure they are called same way (--with-mit-krb5-checks)
3. If no configure checks identified MIT krb5 in system (or were disabled),
   make sure Heimdal build is selected, embedded (default) or system-provided.

This makes logic of configuration unchanged for Heimdal builds but adds
less hacky way to use MIT krb5 builds. The latter does not work yet as we
need to untangle more subsystems from HDB/Heimdal-specific details but
lays out a foundation for that.

Signed-off-by: Simo Sorce <idra@samba.org>

1 files changed, 187 insertions, 0 deletions

diff --git a/wscript_configure_krb5 b/wscript_configure_krb5
new file mode 100644
index 0000000000..2fb1c586fd
--- /dev/null
+++ b/wscript_configure_krb5
@@ -0,0 +1,187 @@
+import Logs, Options
+
+# Check for kerberos
+have_gssapi=False
+
+Logs.info("Looking for kerberos features")
+conf.find_program('krb5-config.heimdal', var='HEIMDAL_KRB5_CONFIG')
+conf.find_program('krb5-config', var='KRB5_CONFIG')
+if conf.env.KRB5_CONFIG:
+    conf.check_cfg(path="krb5-config", args="--cflags --libs",
+               package="gssapi", uselib_store="KRB5")
+    vendor = conf.cmd_and_log("%(path)s --vendor" % dict(path=conf.env.KRB5_CONFIG), dict())
+    conf.env.KRB5_VENDOR = vendor.strip().lower()
+    if conf.env.KRB5_VENDOR != 'heimdal':
+        conf.define('USING_SYSTEM_KRB5', 1)
+        del conf.env.HEIMDAL_KRB5_CONFIG
+
+conf.CHECK_HEADERS('krb5.h krb5/locate_plugin.h', lib='krb5')
+conf.CHECK_HEADERS('gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h com_err.h', lib='krb5')
+
+if conf.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+    conf.env['WINBIND_KRB5_LOCATOR'] = 'bin/winbind_krb5_locator.so'
+
+conf.CHECK_FUNCS_IN('_et_list', 'com_err')
+conf.CHECK_FUNCS_IN('krb5_encrypt_data', 'k5crypto')
+conf.CHECK_FUNCS_IN('des_set_key','crypto')
+conf.CHECK_FUNCS_IN('copy_Authenticator', 'asn1')
+conf.CHECK_FUNCS_IN('roken_getaddrinfo_hostspec', 'roken')
+if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
+   conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
+    have_gssapi=True
+conf.CHECK_FUNCS_IN('''
+       gss_wrap_iov
+       gss_krb5_import_cred
+       gss_get_name_attribute
+       gss_mech_krb5
+       gss_oid_equal
+       gss_inquire_sec_context_by_oid
+       gsskrb5_extract_authz_data_from_sec_context
+       gss_krb5_export_lucid_sec_context
+       ''', 'gssapi gssapi_krb5 krb5')
+conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
+conf.CHECK_FUNCS('''
+       krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
+       krb5_set_default_tgs_ktypes krb5_principal2salt
+       krb5_c_string_to_key krb5_get_pw_salt krb5_string_to_key_salt krb5_auth_con_setkey
+       krb5_auth_con_setuseruserkey krb5_get_permitted_enctypes
+       krb5_get_default_in_tkt_etypes krb5_free_data_contents
+       krb5_principal_get_comp_string krb5_free_unparsed_name
+       krb5_free_keytab_entry_contents krb5_kt_free_entry krb5_krbhst_init
+       krb5_krbhst_get_addrinfo
+       krb5_crypto_init krb5_crypto_destroy
+       krb5_c_verify_checksum krb5_principal_compare_any_realm
+       krb5_parse_name_norealm krb5_princ_size krb5_get_init_creds_opt_set_pac_request
+       krb5_get_renewed_creds krb5_free_error_contents
+       initialize_krb5_error_table krb5_get_init_creds_opt_alloc
+       krb5_get_init_creds_opt_free krb5_get_init_creds_opt_get_error
+       krb5_enctype_to_string krb5_fwd_tgt_creds krb5_auth_con_set_req_cksumtype
+       krb5_get_creds_opt_alloc krb5_get_creds_opt_set_impersonate krb5_get_creds
+       krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm''',
+     lib='krb5 k5crypto')
+conf.CHECK_DECLS('''krb5_get_credentials_for_user
+                    krb5_auth_con_set_req_cksumtype''',
+                    headers='krb5.h', always=True)
+conf.CHECK_VARIABLE('AP_OPTS_USE_SUBKEY', headers='krb5.h')
+conf.CHECK_VARIABLE('KV5M_KEYTAB', headers='krb5.h')
+conf.CHECK_VARIABLE('KRB5_KU_OTHER_CKSUM', headers='krb5.h')
+conf.CHECK_VARIABLE('KRB5_KEYUSAGE_APP_DATA_CKSUM', headers='krb5.h')
+conf.CHECK_VARIABLE('ENCTYPE_AES128_CTS_HMAC_SHA1_96', headers='krb5.h')
+conf.CHECK_VARIABLE('ENCTYPE_AES256_CTS_HMAC_SHA1_96', headers='krb5.h')
+conf.CHECK_DECLS('KRB5_PDU_NONE', reverse=True, headers='krb5.h')
+conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'key', headers='krb5.h',
+                            define='HAVE_KRB5_KEYTAB_ENTRY_KEY')
+conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'keyblock', headers='krb5.h',
+                            define='HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK')
+conf.CHECK_STRUCTURE_MEMBER('krb5_address', 'magic', headers='krb5.h',
+                            define='HAVE_MAGIC_IN_KRB5_ADDRESS')
+conf.CHECK_STRUCTURE_MEMBER('krb5_address', 'addrtype', headers='krb5.h',
+                            define='HAVE_ADDRTYPE_IN_KRB5_ADDRESS')
+conf.CHECK_STRUCTURE_MEMBER('krb5_ap_req', 'ticket', headers='krb5.h',
+                            define='HAVE_TICKET_POINTER_IN_KRB5_AP_REQ')
+
+conf.CHECK_TYPE('krb5_encrypt_block', headers='krb5.h')
+
+conf.CHECK_CODE('''
+       krb5_context ctx;
+       krb5_get_init_creds_opt *opt = NULL;
+       krb5_get_init_creds_opt_free(ctx, opt);
+       ''',
+    'KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT',
+    headers='krb5.h', link=False,
+    msg="Checking whether krb5_get_init_creds_opt_free takes a context argument")
+conf.CHECK_CODE('''
+       const krb5_data *pkdata;
+       krb5_context context;
+       krb5_principal principal;
+       pkdata = krb5_princ_component(context, principal, 0);
+       ''',
+    'HAVE_KRB5_PRINC_COMPONENT',
+    headers='krb5.h', lib='krb5',
+    msg="Checking whether krb5_princ_component is available")
+
+conf.CHECK_CODE('''
+       int main(void) {
+       char buf[256];
+       krb5_enctype_to_string(1, buf, 256);
+       return 0;
+       }''',
+    'HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG',
+    headers='krb5.h', lib='krb5 k5crypto',
+    addmain=False, cflags='-Werror',
+    msg="Checking whether krb5_enctype_to_string takes size_t argument")
+
+conf.CHECK_CODE('''
+       int main(void) {
+       krb5_context context = NULL;
+       char *str = NULL;
+       krb5_enctype_to_string(context, 1, &str);
+       if (str) free (str);
+       return 0;
+       }''',
+    'HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG',
+    headers='krb5.h stdlib.h', lib='krb5',
+    addmain=False, cflags='-Werror',
+    msg="Checking whether krb5_enctype_to_string takes krb5_context argument")
+conf.CHECK_CODE('''
+       int main(void) {
+       krb5_context ctx = NULL;
+       krb5_principal princ = NULL;
+       const char *str = krb5_princ_realm(ctx, princ)->data;
+       return 0;
+       }''',
+    'HAVE_KRB5_PRINC_REALM',
+    headers='krb5.h', lib='krb5',
+    addmain=False,
+    msg="Checking whether the macro krb5_princ_realm is defined")
+conf.CHECK_CODE('''
+       int main(void) {
+           krb5_context context;
+           krb5_principal principal;
+           const char *realm; realm = krb5_principal_get_realm(context, principal);
+           return 0;
+       }''',
+    'HAVE_KRB5_PRINCIPAL_GET_REALM',
+    headers='krb5.h', lib='krb5',
+    addmain=False,
+    msg="Checking whether krb5_principal_get_realm is defined")
+conf.CHECK_CODE('''
+       krb5_enctype enctype;
+       enctype = ENCTYPE_ARCFOUR_HMAC_MD5;
+       ''',
+    '_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5',
+    headers='krb5.h', lib='krb5',
+    msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type definition is available");
+conf.CHECK_CODE('''
+       krb5_keytype keytype;
+       keytype = KEYTYPE_ARCFOUR_56;
+       ''',
+    '_HAVE_KEYTYPE_ARCFOUR_56',
+    headers='krb5.h', lib='krb5',
+    msg="Checking whether the HAVE_KEYTYPE_ARCFOUR_56 key type definition is available");
+if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'):
+    conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', '1')
+
+conf.CHECK_CODE('''
+       krb5_enctype enctype;
+       enctype = ENCTYPE_ARCFOUR_HMAC;
+       ''',
+    'HAVE_ENCTYPE_ARCFOUR_HMAC',
+    headers='krb5.h', lib='krb5',
+    msg="Checking whether the ENCTYPE_ARCFOUR_HMAC key type definition is available");
+
+conf.CHECK_CODE('''
+       krb5_context context;
+       krb5_keytab keytab;
+       krb5_init_context(&context);
+       return krb5_kt_resolve(context, "WRFILE:api", &keytab);
+       ''',
+    'HAVE_WRFILE_KEYTAB',
+    headers='krb5.h', lib='krb5', execute=True,
+    msg="Checking whether the WRFILE:-keytab is supported");
+# Check for KRB5_DEPRECATED handling
+conf.CHECK_CODE('''#define KRB5_DEPRECATED 1
+       #include <krb5.h>''',
+   'HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER', addmain=False,
+    link=False,
+    msg="Checking for KRB5_DEPRECATED define taking an identifier")