From 0bde14a7a6d74a44a7d4289e7a41bb31ed89d491 Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 1 Oct 2013 21:44:40 -0700
Subject: [PATCH] Fix Heimdal pwcheck header probing

The configure probe was never going to work properly.  Fix that by
adding the correct includes.  Drop the fallback for versions of
Heimdal without the include file installed, which is not required
for Debian squeeze and later.
---
 NEWS                     |  3 ++-
 configure.ac             |  2 +-
 plugin/heimdal.c         | 29 +++-------------------
 tests/plugin/heimdal-t.c | 52 ++++++++++++++++------------------------
 4 files changed, 26 insertions(+), 60 deletions(-)

diff --git a/NEWS b/NEWS
index 1aef053..ab14e7d 100644
--- a/NEWS
+++ b/NEWS
@@ -46,7 +46,8 @@ krb5-strength 2.0 (unreleased)
 
     Expect the Heimdal password strength checking plugin header in
     kadm5/kadm5-pwcheck.h instead of outside of the kadm5 directory.  This
-    is the path used by current versions of Heimdal.
+    is the path used by current versions of Heimdal.  Drop support for
+    older versions of Heimdal that don't install this header file.
 
     Update to rra-c-util 4.9:
 
diff --git a/configure.ac b/configure.ac
index f22e21c..638c108 100644
--- a/configure.ac
+++ b/configure.ac
@@ -32,7 +32,7 @@ RRA_LIB_CRACKLIB
 RRA_LIB_KRB5
 RRA_LIB_KRB5_SWITCH
 AC_CHECK_HEADERS([kadm5/kadm5-pwcheck.h kadm5/kadm5_err.h], [], [],
-    [RRA_INCLUDE_KRB5])
+    [RRA_INCLUDES_KRB5])
 AC_CHECK_HEADERS([krb5/pwqual_plugin.h], [], [], [RRA_INCLUDES_KRB5])
 AC_CHECK_TYPES([krb5_realm], [], [], [RRA_INCLUDES_KRB5])
 AC_CHECK_FUNCS([krb5_free_default_realm \
diff --git a/plugin/heimdal.c b/plugin/heimdal.c
index fd50ccf..afbb668 100644
--- a/plugin/heimdal.c
+++ b/plugin/heimdal.c
@@ -23,6 +23,9 @@
 #include <portable/system.h>
 
 #include <errno.h>
+#ifdef HAVE_KADM5_KADM5_PWCHECK_H
+# include <kadm5/kadm5-pwcheck.h>
+#endif
 
 #include <plugin/internal.h>
 #include <util/macros.h>
@@ -30,32 +33,6 @@
 /* Skip this entire file if not building with Heimdal. */
 #ifdef HAVE_KRB5_REALM
 
-/* kadm5/kadm5-pwcheck.h isn't always installed by Heimdal. */
-# ifdef HAVE_KADM5_KADM5_PWCHECK_H
-#  include <kadm5/kadm5-pwcheck.h>
-# else
-#  define KADM5_PASSWD_VERSION_V1 1
-
-typedef int
-(*kadm5_passwd_quality_check_func)(krb5_context context,
-                                   krb5_principal principal,
-                                   krb5_data *password,
-                                   const char *tuning,
-                                   char *message,
-                                   size_t length);
-
-struct kadm5_pw_policy_check_func {
-    const char *name;
-    kadm5_passwd_quality_check_func func;
-};
-
-struct kadm5_pw_policy_verifier {
-    const char *name;
-    int version;
-    const char *vendor;
-    const struct kadm5_pw_policy_check_func *funcs;
-};
-# endif /* !HAVE_KADM5_PWCHECK_H */
 
 /*
  * This is the single check function that we provide.  It does the glue
diff --git a/tests/plugin/heimdal-t.c b/tests/plugin/heimdal-t.c
index 6227838..3d644fc 100644
--- a/tests/plugin/heimdal-t.c
+++ b/tests/plugin/heimdal-t.c
@@ -14,6 +14,9 @@
 
 #include <dlfcn.h>
 #include <errno.h>
+#ifdef HAVE_KADM5_KADM5_PWCHECK_H
+# include <kadm5/kadm5-pwcheck.h>
+#endif
 
 #include <tests/tap/basic.h>
 #include <tests/tap/kerberos.h>
@@ -21,33 +24,6 @@
 #include <tests/tap/string.h>
 #include <util/macros.h>
 
-/* kadm5-pwcheck.h isn't always installed by Heimdal. */
-#ifdef HAVE_KADM5_PWCHECK_H
-# include <kadm5-pwcheck.h>
-#else
-# define KADM5_PASSWD_VERSION_V1 1
-
-typedef int
-(*kadm5_passwd_quality_check_func)(krb5_context context,
-                                   krb5_principal principal,
-                                   krb5_data *password,
-                                   const char *tuning,
-                                   char *message,
-                                   size_t length);
-
-struct kadm5_pw_policy_check_func {
-    const char *name;
-    kadm5_passwd_quality_check_func func;
-};
-
-struct kadm5_pw_policy_verifier {
-    const char *name;
-    int version;
-    const char *vendor;
-    const struct kadm5_pw_policy_check_func *funcs;
-};
-#endif /* !HAVE_KADM5_PWCHECK_H */
-
 /*
  * The password test data, generated from the JSON source.  Defines an arrays
  * named cdb_tests, cracklib_tests, and generic_tests.
@@ -59,6 +35,21 @@ struct kadm5_pw_policy_verifier {
 #include <tests/data/passwords/length.c>
 
 
+#ifndef HAVE_KADM5_KADM5_PWCHECK_H
+/*
+ * If we're not building with Heimdal, we can't run this test and much of the
+ * test won't even compile.  Replace this test with a small program that just
+ * calls skip_all.
+ */
+int
+main(void)
+{
+    skip_all("not built against Heimdal libraries");
+    return 0;
+}
+
+#else
+
 /*
  * Loads the Heimdal password change plugin and tests that its metadata is
  * correct.  Returns a pointer to the kadm5_pw_policy_verifier struct or bails
@@ -158,11 +149,6 @@ main(void)
         " configured in krb5.conf",
     };
 
-    /* If we're not building with Heimdal, we can't run this test. */
-#ifndef HAVE_KRB5_REALM
-    skip_all("not built against Heimdal libraries");
-#endif
-
     /*
      * Calculate how many tests we have.  There are five tests for the module
      * metadata, one more password test than the list of password tests we
@@ -273,3 +259,5 @@ main(void)
     free(krb5_config);
     return 0;
 }
+
+#endif /* HAVE_KADM5_KADM5_PWCHECK_H */
-- 
2.39.2