From a3ee0ce255c7acb7abf58e70b75025b5fefdb275 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 3 Nov 2022 17:35:35 +1300
Subject: [PATCH] wscript: Correctly determine dependencies for system Heimdal
 build

Previously, the call to CHECK_BUNDLED_SYSTEM() in
check_system_heimdal_lib() could have us pick up MIT Kerberos headers
when we should only be using system Heimdal headers. Now, we just
perform an explicit check for the functions we require, which should
avoid any use of the MIT libraries.

We also remove some library checks for Heimdal components that we don't
use directly, restricting the checks to only the functions we need.

Finally, we no longer need to recurse into third_party/heimdal_build
when performing a system Heimdal build.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 wscript_build_system_heimdal     |  8 ++++++-
 wscript_configure_system_heimdal | 41 ++++----------------------------
 2 files changed, 12 insertions(+), 37 deletions(-)

diff --git a/wscript_build_system_heimdal b/wscript_build_system_heimdal
index 1fc738ea69c..16ed3ed9ed8 100644
--- a/wscript_build_system_heimdal
+++ b/wscript_build_system_heimdal
@@ -1,4 +1,10 @@
 from waflib import Logs
 
 Logs.info("\tSelected system Heimdal build")
-bld.RECURSE('third_party/heimdal_build')
+
+# Alias subsystem to allow common kerberos code that will
+# otherwise link against MIT's gssapi_krb5 and k5crypto
+#
+# Note: that we also need this if we use system heimdal libraries
+bld.SAMBA_SUBSYSTEM('gssapi_krb5', '', deps='gssapi')
+bld.SAMBA_SUBSYSTEM('k5crypto', '', deps='krb5')
diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal
index 6033dad08dc..5dbb5e4b3f7 100644
--- a/wscript_configure_system_heimdal
+++ b/wscript_configure_system_heimdal
@@ -24,35 +24,20 @@ if krb5_config:
     finally:
         f.close()
 
-def check_system_heimdal_lib(name, functions='', headers='', onlyif=None):
+def check_system_heimdal_lib(name, functions='', headers=''):
     # Only use system library if the user requested the bundled one not be
     # used.
     if conf.LIB_MAY_BE_BUNDLED(name):
         return False
     setattr(conf.env, "CPPPATH_%s" % name.upper(), heimdal_includedirs)
     setattr(conf.env, "LIBPATH_%s" % name.upper(), heimdal_libdirs)
-    if not conf.CHECK_BUNDLED_SYSTEM(name, checkfunctions=functions, headers=headers,
-                                     onlyif=onlyif):
-        return False
-    conf.define('USING_SYSTEM_%s' % name.upper(), 1)
-    return True
-
-def check_system_heimdal_binary(name):
-    if conf.LIB_MAY_BE_BUNDLED(name):
-        return False
-    if not conf.find_program(name, var=name.upper()):
+    if not conf.CHECK_FUNCS_IN(functions, name, headers=headers, empty_decl=False, set_target=True):
         return False
     conf.define('USING_SYSTEM_%s' % name.upper(), 1)
     return True
 
 check_system_heimdal_lib("com_err", "com_right_r com_err", "com_err.h")
 
-if check_system_heimdal_lib("roken", "rk_socket_set_reuseaddr", "roken.h"):
-    conf.env.CPPPATH_ROKEN_HOSTCC = conf.env.CPPPATH_ROKEN
-    conf.env.LIBPATH_ROKEN_HOSTCC = conf.env.LIBPATH_ROKEN
-    conf.env.LIB_ROKEN_HOSTCC = "roken"
-    conf.SET_TARGET_TYPE("ROKEN_HOSTCC", 'SYSLIB')
-
 # Make sure HAVE_CONFIG_H is unset, as the system Heimdal headers use it
 # and include config.h if it is set, resulting in failure (since config.h
 # doesn't yet exist)
@@ -62,23 +47,10 @@ conf.undefine("HAVE_CONFIG_H")
 while "HAVE_CONFIG_H=1" in conf.env.DEFINES:
     conf.env.DEFINES.remove("HAVE_CONFIG_H=1")
 try:
-    check_system_heimdal_lib("wind", "wind_stringprep", "wind.h", onlyif="roken")
-    check_system_heimdal_lib("hx509", "hx509_bitstring_print", "hx509.h", onlyif="roken wind")
-    check_system_heimdal_lib("asn1", "initialize_asn1_error_table", "asn1_err.h", onlyif="roken com_err")
-    check_system_heimdal_lib("heimbase", "heim_cmp", "heimbase.h", onlyif="roken")
-    check_system_heimdal_lib("hcrypto", "MD4_Init", "hcrypto/md4.h",
-        onlyif="asn1 roken com_err")
-    if check_system_heimdal_lib("krb5", "krb5_anyaddr", "krb5.h",
-        onlyif="roken wind asn1 hx509 hcrypto com_err heimbase"):
+    check_system_heimdal_lib("asn1", "decode_Ticket", "krb5_asn1.h")
+    if check_system_heimdal_lib("krb5", "krb5_anyaddr", "krb5.h"):
         conf.CHECK_FUNCS_IN('krb5_free_unparsed_name', 'krb5', headers="krb5.h")
-    check_system_heimdal_lib("gssapi", "gss_oid_to_name", "gssapi.h",
-        onlyif="hcrypto asn1 roken krb5 com_err wind")
-    check_system_heimdal_lib("heimntlm", "heim_ntlm_ntlmv2_key", "heimntlm.h",
-        onlyif="roken hcrypto krb5")
-    check_system_heimdal_lib("hdb", "hdb_db_dir", "krb5.h hdb.h",
-        onlyif="roken krb5 hcrypto com_err wind")
-    check_system_heimdal_lib("kdc", "kdc_log", "kdc.h",
-        onlyif="roken krb5 hdb asn1 heimntlm hcrypto com_err wind heimbase")
+    check_system_heimdal_lib("gssapi", "gss_oid_to_name", "gssapi.h")
 finally:
     conf.env.DEFINES = DEFINES
 
@@ -86,9 +58,6 @@ finally:
 #if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'):
 #    conf.define('USING_SYSTEM_TOMMATH', 1)
 
-check_system_heimdal_binary("compile_et")
-check_system_heimdal_binary("asn1_compile")
-
 conf.env.KRB5_VENDOR = 'heimdal'
 conf.define('USING_SYSTEM_KRB5', 1)
 conf.define('USING_SYSTEM_HEIMDAL', 1)