3 files changed, 25 insertions, 79 deletions

diff --git a/libcli/auth/krb5_wrap.c b/libcli/auth/krb5_wrap.c
index e7e071d484..8bd17670bb 100644
--- a/libcli/auth/krb5_wrap.c
+++ b/libcli/auth/krb5_wrap.c
@@ -241,71 +241,28 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 {
 	krb5_error_code ret;
 
-	/* verify the checksum */
-
-	/* welcome to the wonderful world of samba's kerberos abstraction layer:
-	 * 
-	 * function			heimdal 0.6.1rc3	heimdal 0.7	MIT krb 1.4.2
-	 * -----------------------------------------------------------------------------
-	 * krb5_c_verify_checksum	-			works		works
-	 * krb5_verify_checksum		works (6 args)		works (6 args)	broken (7 args) 
-	 */
-
-#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
-	{
-		krb5_boolean checksum_valid = false;
-		krb5_data input;
-
-		input.data = (char *)data;
-		input.length = length;
-
-		ret = krb5_c_verify_checksum(context, 
-					     keyblock, 
-					     usage,
-					     &input, 
-					     cksum,
-					     &checksum_valid);
-		if (ret) {
-			DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
-				error_message(ret)));
-			return ret;
-		}
-
-		if (!checksum_valid)
-			ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-	}
-
-#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
-
-	/* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
-	 * without enctype and it ignores any key_usage types - Guenther */
-
-	{
+	/* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
 
-		krb5_crypto crypto;
-		ret = krb5_crypto_init(context,
-				       keyblock,
-				       0,
-				       &crypto);
-		if (ret) {
-			DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n", 
-				error_message(ret)));
-			return ret;
-		}
-
-		ret = krb5_verify_checksum(context,
-					   crypto,
-					   usage,
-					   data,
-					   length,
-					   cksum);
-
-		krb5_crypto_destroy(context, crypto);
+	krb5_boolean checksum_valid = false;
+	krb5_data input;
+	
+	input.data = (char *)data;
+	input.length = length;
+	
+	ret = krb5_c_verify_checksum(context, 
+				     keyblock, 
+				     usage,
+				     &input, 
+				     cksum,
+				     &checksum_valid);
+	if (ret) {
+		DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
+			 error_message(ret)));
+		return ret;
 	}
-
-#else
-#error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
-#endif
+	
+	if (!checksum_valid)
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 
 	return ret;
 }
diff --git a/source3/configure.in b/source3/configure.in
index 1847ad2181..fd28a4bb1a 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3873,7 +3873,6 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_crypto_destroy, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_decode_ap_req, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(free_AP_REQ, $KRB5_LIBS)
-  AC_CHECK_FUNC_EXT(krb5_verify_checksum, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_c_verify_checksum, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_principal_compare_any_realm, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_parse_name_norealm, $KRB5_LIBS)
@@ -4444,10 +4443,9 @@ if test x"$with_ads_support" != x"no"; then
     use_ads=no
   fi
 
-  if test x"$ac_cv_func_ext_krb5_c_verify_checksum" != x"yes" -a \
-          x"$ac_cv_func_ext_krb5_verify_checksum" != x"yes"
+  if test x"$ac_cv_func_ext_krb5_c_verify_checksum" != x"yes"
   then
-    AC_MSG_WARN(no KRB5_VERIFY_CHECKSUM_FUNCTION detected)
+    AC_MSG_WARN(krb5_c_verify_checksum not found in -lkrb5)
     use_ads=no
   fi
 
diff --git a/source3/wscript b/source3/wscript
index 903061db9d..690ae957e3 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -582,7 +582,7 @@ krb5_principal_get_comp_string krb5_free_unparsed_name
 krb5_free_keytab_entry_contents krb5_kt_free_entry krb5_krbhst_init
 krb5_krbhst_get_addrinfo krb5_c_enctype_compare
 krb5_crypto_init krb5_crypto_destroy krb5_decode_ap_req free_AP_REQ
-krb5_verify_checksum krb5_c_verify_checksum krb5_principal_compare_any_realm
+krb5_c_verify_checksum krb5_principal_compare_any_realm
 krb5_parse_name_norealm krb5_princ_size krb5_get_init_creds_opt_set_pac_request
 krb5_get_renewed_creds krb5_get_kdc_cred krb5_free_error_contents
 initialize_krb5_error_table krb5_get_init_creds_opt_alloc
@@ -696,14 +696,6 @@ int main(void) {
                         headers='krb5.h', lib='krb5',
                         addmain=False,
                         msg="Checking whether krb5_principal_get_realm is defined")
-        if conf.CHECK_CODE('''krb5_verify_checksum(0, 0, 0, 0, 0, 0, 0);''',
-                        'KRB5_VERIFY_CHECKSUM_ARGS',
-                        headers='krb5.h', lib='krb5',
-			msg="Checking whether krb5_verify_checksum takes 7 arguments"):
-            conf.DEFINE('KRB5_VERIFY_CHECKSUM_ARGS', '7')
-	else:
-            conf.DEFINE('KRB5_VERIFY_CHECKSUM_ARGS', '6')
-
 	conf.CHECK_CODE('''
 krb5_enctype enctype;
 enctype = ENCTYPE_ARCFOUR_HMAC_MD5;
@@ -770,9 +762,8 @@ return krb5_kt_resolve(context, "WRFILE:api", &keytab);
            not conf.CONFIG_SET('HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS'):
             Logs.warn("no KT_FREE_FUNCTION detected")
             use_ads=False
-        if not conf.CONFIG_SET('HAVE_KRB5_C_VERIFY_CHECKSUM') and \
-           not conf.CONFIG_SET('HAVE_KRB5_VERIFY_CHECKSUM'):
-            Logs.warn("no KRB5_VERIFY_CHECKSUM_FUNCTION detected")
+        if not conf.CONFIG_SET('HAVE_KRB5_C_VERIFY_CHECKSUM'):
+            Logs.warn("krb5_c_verify_checksum_compare not found in -lkrb5")
             use_ads=False
         if not conf.CONFIG_SET('KRB5_TICKET_HAS_KEYINFO'):
             # We only need the following functions if we can't get the enctype