From b43ebf0f0adebab7df02ada88bf639ddd67e23e0 Mon Sep 17 00:00:00 2001
From: Robert Marshall <rmarshall@gitlab.com>
Date: Tue, 12 Mar 2019 23:20:06 -0400
Subject: [PATCH] Add option to build without libkeyutils

Add a --without-keyutils option to disable the keyring ccache, for
scenarios where minimizing libkrb5 dependencies is important.

[ghudson@mit.edu: moved processing to configure.ac; added error if
explicit --without-keyutils is given and libkeyutils is not found;
nested persistent keyring check for clarity; moved new documentation
to appropriate place and don't mention persistent keyrings; rephrased
commit message]

ticket: 8791 (new)
---
 doc/build/options2configure.rst |  4 ++++
 src/aclocal.m4                  | 22 ----------------------
 src/configure.ac                | 21 +++++++++++++++++++++
 3 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
index ddbee2060..a8959626d 100644
--- a/doc/build/options2configure.rst
+++ b/doc/build/options2configure.rst
@@ -387,6 +387,10 @@ Optional packages
     ``--without-krb5-config`` to disable the use of krb5-config and
     use the usual built-in defaults.
 
+**-**\ **-without-keyutils**
+    Build without libkeyutils support.  This disables the KEYRING
+    credential cache type.
+
 
 Examples
 --------
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3752d9bd5..c74755a35 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -93,8 +93,6 @@ KRB5_LIB_PARAMS
 KRB5_AC_INITFINI
 KRB5_AC_ENABLE_THREADS
 KRB5_AC_FIND_DLOPEN
-KRB5_AC_KEYRING_CCACHE
-KRB5_AC_PERSISTENT_KEYRING
 ])dnl
 
 dnl Maintainer mode, akin to what automake provides, 'cept we don't
@@ -1677,23 +1675,3 @@ if test "$with_ldap" = yes; then
   OPENLDAP_PLUGIN=yes
 fi
 ])dnl
-dnl
-dnl If libkeyutils exists (on Linux) include it and use keyring ccache
-AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
-  AC_CHECK_HEADERS([keyutils.h],
-    AC_CHECK_LIB(keyutils, add_key, 
-      [dnl Pre-reqs were found
-       AC_DEFINE(USE_KEYRING_CCACHE, 1, [Define if the keyring ccache should be enabled])
-       LIBS="-lkeyutils $LIBS"
-      ]))
-])dnl
-dnl
-dnl If libkeyutils supports persistent keyrings, use them
-AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
-  AC_CHECK_HEADERS([keyutils.h],
-    AC_CHECK_LIB(keyutils, keyctl_get_persistent,
-      [AC_DEFINE(HAVE_PERSISTENT_KEYRING, 1,
-                 [Define if persistent keyrings are supported])
-      ]))
-])dnl
-dnl
diff --git a/src/configure.ac b/src/configure.ac
index 59193c601..ed5c0a737 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -323,6 +323,27 @@ AC_SUBST(TLS_IMPL)
 AC_SUBST(TLS_IMPL_CFLAGS)
 AC_SUBST(TLS_IMPL_LIBS)
 
+AC_ARG_WITH([keyutils],
+AC_HELP_STRING([--without-keyutils],[do not link with libkeyutils]),
+            [], [with_keyutils=check])
+if test "$with_keyutils" != no; then
+  have_keyutils=false
+  AC_CHECK_HEADERS([keyutils.h],
+    AC_CHECK_LIB(keyutils, add_key, [have_keyutils=true]))
+  if test "$have_keyutils" = true; then
+    AC_DEFINE(USE_KEYRING_CCACHE, 1,
+              [Define if the keyring ccache should be enabled])
+    LIBS="-lkeyutils $LIBS"
+    # If libkeyutils supports persistent keyrings, use them.
+    AC_CHECK_LIB(keyutils, keyctl_get_persistent,
+      [AC_DEFINE(HAVE_PERSISTENT_KEYRING, 1,
+                 [Define if persistent keyrings are supported])
+      ])
+  elif test "$with_keyutils" = yes; then
+    AC_MSG_ERROR([libkeyutils not found])
+  fi
+fi
+
 # The SPAKE preauth plugin currently supports edwards25519 natively,
 # and can support three NIST groups using OpenSSL.
 HAVE_SPAKE_OPENSSL=no
-- 
2.21.0