packet-kerberos: try to fix the build on macOS 10.14

/usr/lib/libkrb5.dylib doesn't have krb5_pac_verify().

This hopefully fixes the build problem introduced by commit
d9aab840a7

Change-Id: Ib354a59cbc20c6bf97ddc029d8b042d4aea6dae9
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/35713
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>

cmake/modules/FindKERBEROS.cmake

@@ -87,6 +87,7 @@ if(KERBEROS_FOUND)
   set(CMAKE_REQUIRED_INCLUDES ${KERBEROS_INCLUDE_DIRS})
   set(CMAKE_REQUIRED_LIBRARIES ${KERBEROS_LIBRARIES})
   check_symbol_exists("heimdal_version" "krb5.h" HAVE_HEIMDAL_KERBEROS)
+  check_symbol_exists("krb5_pac_verify" "krb5.h" HAVE_KRB5_PAC_VERIFY)
   set(CMAKE_REQUIRED_INCLUDES)
   set(CMAKE_REQUIRED_LIBRARIES)
   if(NOT HAVE_HEIMDAL_KERBEROS)

cmakeconfig.h.in

@@ -88,6 +88,9 @@
 /* Define to use heimdal kerberos */
 #cmakedefine HAVE_HEIMDAL_KERBEROS 1
 
+/* Define to 1 if you have the `krb5_pac_verify' function. */
+#cmakedefine HAVE_KRB5_PAC_VERIFY 1
+
 /* Define to 1 if you have the `inflatePrime' function. */
 #cmakedefine HAVE_INFLATEPRIME 1
 

epan/dissectors/asn1/kerberos/packet-kerberos-template.c

@@ -296,7 +296,11 @@ static void used_encryption_key(proto_tree *tree, packet_info *pinfo,
 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
 }
 
-#ifdef HAVE_MIT_KERBEROS
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+#if defined(HAVE_MIT_KERBEROS)
+
+#ifdef HAVE_KRB5_PAC_VERIFY
 static void used_signing_key(proto_tree *tree, packet_info *pinfo,
 			     enc_key_t *ek, tvbuff_t *tvb,
 			     krb5_cksumtype checksum,
@@ -310,11 +314,7 @@ static void used_signing_key(proto_tree *tree, packet_info *pinfo,
 				     ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
 }
-#endif /* HAVE_MIT_KERBEROS */
-
-#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
-
-#if defined(HAVE_MIT_KERBEROS)
+#endif /* HAVE_KRB5_PAC_VERIFY */
 
 static krb5_context krb5_ctx;
 
@@ -460,6 +460,16 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
 }
 USES_APPLE_RST
 
+#ifdef HAVE_KRB5_PAC_VERIFY
+/*
+ * macOS up to 10.14.5 only has a MIT shim layer on top
+ * of heimdal. It means that krb5_pac_verify() is not available
+ * in /usr/lib/libkrb5.dylib
+ *
+ * https://opensource.apple.com/tarballs/Heimdal/Heimdal-520.260.1.tar.gz
+ * https://opensource.apple.com/tarballs/MITKerberosShim/MITKerberosShim-71.200.1.tar.gz
+ */
+
 extern krb5_error_code
 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
 
@@ -554,6 +564,7 @@ verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb)
 
 	krb5_pac_free(krb5_ctx, pac);
 }
+#endif /* HAVE_KRB5_PAC_VERIFY */
 
 #elif defined(HAVE_HEIMDAL_KERBEROS)
 static krb5_context krb5_ctx;
@@ -2009,7 +2020,7 @@ dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,
 	guint32 version;
 	guint32 i;
 
-#ifdef HAVE_MIT_KERBEROS
+#if defined(HAVE_MIT_KERBEROS) && defined(HAVE_KRB5_PAC_VERIFY)
 	verify_krb5_pac(tree, actx, tvb);
 #endif
 

epan/dissectors/packet-kerberos.c

@@ -604,7 +604,11 @@ static void used_encryption_key(proto_tree *tree, packet_info *pinfo,
 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
 }
 
-#ifdef HAVE_MIT_KERBEROS
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+#if defined(HAVE_MIT_KERBEROS)
+
+#ifdef HAVE_KRB5_PAC_VERIFY
 static void used_signing_key(proto_tree *tree, packet_info *pinfo,
 			     enc_key_t *ek, tvbuff_t *tvb,
 			     krb5_cksumtype checksum,
@@ -618,11 +622,7 @@ static void used_signing_key(proto_tree *tree, packet_info *pinfo,
 				     ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
 }
-#endif /* HAVE_MIT_KERBEROS */
-
-#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
-
-#if defined(HAVE_MIT_KERBEROS)
+#endif /* HAVE_KRB5_PAC_VERIFY */
 
 static krb5_context krb5_ctx;
 
@@ -768,6 +768,16 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
 }
 USES_APPLE_RST
 
+#ifdef HAVE_KRB5_PAC_VERIFY
+/*
+ * macOS up to 10.14.5 only has a MIT shim layer on top
+ * of heimdal. It means that krb5_pac_verify() is not available
+ * in /usr/lib/libkrb5.dylib
+ *
+ * https://opensource.apple.com/tarballs/Heimdal/Heimdal-520.260.1.tar.gz
+ * https://opensource.apple.com/tarballs/MITKerberosShim/MITKerberosShim-71.200.1.tar.gz
+ */
+
 extern krb5_error_code
 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
 
@@ -862,6 +872,7 @@ verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb)
 
 	krb5_pac_free(krb5_ctx, pac);
 }
+#endif /* HAVE_KRB5_PAC_VERIFY */
 
 #elif defined(HAVE_HEIMDAL_KERBEROS)
 static krb5_context krb5_ctx;
@@ -2317,7 +2328,7 @@ dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,
 	guint32 version;
 	guint32 i;
 
-#ifdef HAVE_MIT_KERBEROS
+#if defined(HAVE_MIT_KERBEROS) && defined(HAVE_KRB5_PAC_VERIFY)
 	verify_krb5_pac(tree, actx, tvb);
 #endif
 
@@ -4773,7 +4784,7 @@ dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
 
 
 /*--- End of included file: packet-kerberos-fn.c ---*/
-#line 2034 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2045 "./asn1/kerberos/packet-kerberos-template.c"
 
 /* Make wrappers around exported functions for now */
 int
@@ -5981,7 +5992,7 @@ void proto_register_kerberos(void) {
         NULL, HFILL }},
 
 /*--- End of included file: packet-kerberos-hfarr.c ---*/
-#line 2421 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2432 "./asn1/kerberos/packet-kerberos-template.c"
 	};
 
 	/* List of subtrees */
@@ -6071,7 +6082,7 @@ void proto_register_kerberos(void) {
     &ett_kerberos_KrbFastArmoredRep,
 
 /*--- End of included file: packet-kerberos-ettarr.c ---*/
-#line 2437 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2448 "./asn1/kerberos/packet-kerberos-template.c"
 	};
 
 	static ei_register_info ei[] = {