authorGreg Hudson <ghudson@mit.edu>2010-09-07 17:37:50 +0000
committerGreg Hudson <ghudson@mit.edu>2010-09-07 17:37:50 +0000
commit36b6299f3b0d51db284e50079e39bb32912d4983 (patch)
treeafd210479cdd3ef63603123680af99b37cca6349 /src
parent73181224fd258a022889246d54b0b526f81f3c1d (diff)
Conditionalize the Camellia-CCM code, requiring the builder to define
local-use enctype and cksumtype numbers at build time in order to enable it. Disable tests which aren't easily conditionalized on C preprocessor defines. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/camellia-ccm@24293 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/include/k5-int.h19
-rw-r--r--src/include/krb5/krb5.hin4
-rw-r--r--src/lib/crypto/builtin/enc_provider/camellia_ctr.c19
-rw-r--r--src/lib/crypto/builtin/enc_provider/enc_provider.h2
-rw-r--r--src/lib/crypto/crypto_tests/Makefile.in4
-rw-r--r--src/lib/crypto/crypto_tests/camellia-test.c5
-rw-r--r--src/lib/crypto/crypto_tests/t_camellia_ccm.c6
-rw-r--r--src/lib/crypto/crypto_tests/t_cmac.c6
-rw-r--r--src/lib/crypto/crypto_tests/t_encrypt.c2
-rw-r--r--src/lib/crypto/crypto_tests/t_short.c2
-rw-r--r--src/lib/crypto/crypto_tests/t_str2key.c2
-rw-r--r--src/lib/crypto/krb/checksum/cmac.c16
-rw-r--r--src/lib/crypto/krb/cksumtypes.c2
-rw-r--r--src/lib/crypto/krb/dk/checksum_cmac.c3
-rw-r--r--src/lib/crypto/krb/dk/derive.c6
-rw-r--r--src/lib/crypto/krb/dk/dk.h2
-rw-r--r--src/lib/crypto/krb/dk/dk_ccm.c4
-rw-r--r--src/lib/crypto/krb/dk/stringtokey.c3
-rw-r--r--src/lib/crypto/krb/etypes.c2
-rw-r--r--src/lib/crypto/krb/prf/cmac_prf.c3
-rw-r--r--src/lib/crypto/openssl/enc_provider/camellia_ctr.c18
-rw-r--r--src/lib/crypto/openssl/enc_provider/enc_provider.h3
-rw-r--r--src/lib/krb5/krb/init_ctx.c2
-rw-r--r--src/lib/krb5/krb/t_etypes.c2
-rw-r--r--src/tests/dejagnu/config/default.exp50
-rw-r--r--src/util/k5test.py17
26 files changed, 166 insertions, 38 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 66eb8f6..e620917 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2559,6 +2559,25 @@ krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
size_t num_data, const krb5_data *iv,
krb5_data *output);
+#if 0
+/*
+ * There are no IANA assignments for these enctypes or cksumtypes yet. They
+ * must be defined to local-use negative numbers at build time for Camellia-CCM
+ * support to function at the moment. If one is defined, they should all be
+ * defined. When IANA assignments exist, these definitions should move to the
+ * appropriate places in krb5.hin and all CAMELLIA_CCM conditional code should
+ * be made unconditional.
+ */
+#define ENCTYPE_CAMELLIA128_CCM_128 -XXX /* Camellia CCM mode, 128-bit key */
+#define ENCTYPE_CAMELLIA256_CCM_128 -YYY /* Camellia CCM mode, 256-bit key */
+#define CKSUMTYPE_CMAC_128_CAMELLIA128 -XXX /* CMAC, 128-bit Camellia key */
+#define CKSUMTYPE_CMAC_128_CAMELLIA256 -YYY /* CMAC, 256-bit Camellia key */
+#endif
+
+#ifdef ENCTYPE_CAMELLIA128_CCM_128
+#define CAMELLIA_CCM
+#endif
+
struct _krb5_kt { /* should move into k5-int.h */
krb5_magic magic;
const struct _krb5_kt_ops *ops;
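Review bot: CAMELLIA_CCM is switched on by `#ifdef ENCTYPE_CAMELLIA128_CCM_128` alone, although the comment above it says that if one of the four numbers is defined they should all be. A builder who defines only some of them gets undeclared-identifier errors deep in etypes.c or cksumtypes.c rather than a clear message. Inside that `#ifdef`, a check such as `#if !defined(ENCTYPE_CAMELLIA256_CCM_128) || !defined(CKSUMTYPE_CMAC_128_CAMELLIA128) || !defined(CKSUMTYPE_CMAC_128_CAMELLIA256)` followed by `#error "Camellia-CCM needs all four local-use numbers defined"` would enforce the rule. The comment could also say that the chosen values must not collide with local-use numbers already in krb5.hin (for example the -137 and -138 checksum types) and must match on every peer.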
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c05e4b8..7d7e425 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -421,8 +421,6 @@ typedef struct _krb5_crypto_iov {
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
#define ENCTYPE_ARCFOUR_HMAC 0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
-#define ENCTYPE_CAMELLIA128_CCM_128 -66 /* Camellia CCM mode, 128-bit key */
-#define ENCTYPE_CAMELLIA256_CCM_128 -67 /* Camellia CCM mode, 256-bit key */
#define ENCTYPE_UNKNOWN 0x01ff
#define CKSUMTYPE_CRC32 0x0001
@@ -437,8 +435,6 @@ typedef struct _krb5_crypto_iov {
#define CKSUMTYPE_HMAC_SHA1_DES3 0x000c
#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f
#define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010
-#define CKSUMTYPE_CMAC_128_CAMELLIA128 -66 /* CMAC, 128-bit Camellia key */
-#define CKSUMTYPE_CMAC_128_CAMELLIA256 -67 /* CMAC, 256-bit Camellia key */
#define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /*Microsoft netlogon cksumtype*/
#define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
diff --git a/src/lib/crypto/builtin/enc_provider/camellia_ctr.c b/src/lib/crypto/builtin/enc_provider/camellia_ctr.c
index 5a201bd..8171ab6 100644
--- a/src/lib/crypto/builtin/enc_provider/camellia_ctr.c
+++ b/src/lib/crypto/builtin/enc_provider/camellia_ctr.c
@@ -30,6 +30,8 @@
#include <aead.h>
#include <rand2key.h>
+#ifdef CAMELLIA_CCM
+
static void
xorblock(unsigned char *out, const unsigned char *in)
{
@@ -204,3 +206,20 @@ const struct krb5_enc_provider krb5int_enc_camellia256_ctr = {
krb5int_default_free_state,
NULL
};
+
+#else /* CAMELLIA_CCM */
+
+/* These won't be used, but is still in the export table. */
+
+krb5_error_code
+krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
+ size_t num_data, const krb5_data *iv,
+ krb5_data *output)
+{
+ return EINVAL;
+}
+
+const struct krb5_enc_provider krb5int_enc_camellia128_ctr = {
+};
+
+#endif /* CAMELLIA_CCM */
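Review bot: The disabled-build stub `const struct krb5_enc_provider krb5int_enc_camellia128_ctr = { };` uses an empty initializer list, which ISO C before C23 does not allow (GCC accepts it as an extension); `= { 0 };` is the portable spelling. The stub branch also defines only the 128-bit provider, while the enabled branch ends with krb5int_enc_camellia256_ctr; if that symbol is in the export table as well (the table is not visible here), it needs the same stub. The comment above the stubs would read better as `/* These won't be used, but are still in the export table. */`. The identical stub block added to src/lib/crypto/openssl/enc_provider/camellia_ctr.c has the same three points.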
diff --git a/src/lib/crypto/builtin/enc_provider/enc_provider.h b/src/lib/crypto/builtin/enc_provider/enc_provider.h
index 19d4265..39175d1 100644
--- a/src/lib/crypto/builtin/enc_provider/enc_provider.h
+++ b/src/lib/crypto/builtin/enc_provider/enc_provider.h
@@ -32,5 +32,7 @@ extern const struct krb5_enc_provider krb5int_enc_des3;
extern const struct krb5_enc_provider krb5int_enc_arcfour;
extern const struct krb5_enc_provider krb5int_enc_aes128;
extern const struct krb5_enc_provider krb5int_enc_aes256;
+#ifdef CAMELLIA_CCM
extern const struct krb5_enc_provider krb5int_enc_camellia128_ctr;
extern const struct krb5_enc_provider krb5int_enc_camellia256_ctr;
+#endif
diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in
index 35ebf7e..a0cbb1d 100644
--- a/src/lib/crypto/crypto_tests/Makefile.in
+++ b/src/lib/crypto/crypto_tests/Makefile.in
@@ -31,6 +31,7 @@ EXTRADEPSRCS=\
$(srcdir)/t_mddriver.c \
$(srcdir)/t_kperf.c \
$(srcdir)/t_short.c \
+ $(srcdir)/t_str2key.c \
$(srcdir)/ytest.c
##DOSBUILDTOP = ..\..\..
@@ -67,7 +68,8 @@ check-unix:: t_nfold t_encrypt t_prf t_prng t_cmac t_hmac \
$(RUN_SETUP) $(VALGRIND) ./aes-test > vt.txt
cmp vt.txt $(srcdir)/expect-vt.txt
$(RUN_SETUP) $(VALGRIND) ./camellia-test > camellia-vt.txt
- cmp camellia-vt.txt $(srcdir)/camellia-expect-vt.txt
+# Enable this when Camellia-CCM becomes unconditional.
+# cmp camellia-vt.txt $(srcdir)/camellia-expect-vt.txt
$(RUN_SETUP) $(VALGRIND) $(C)t_mddriver4 -x
$(RUN_SETUP) $(VALGRIND) $(C)t_mddriver -x
$(RUN_SETUP) $(VALGRIND) ./t_short
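Review bot: Commenting out the `cmp` drops the Camellia known-answer comparison for every build, including one where the builder has defined the enctype numbers and the cipher code is live. camellia-test still runs and writes camellia-vt.txt, but nothing checks the output. Since the camellia-test.c change in this commit makes the program print nothing when CAMELLIA_CCM is undefined, the comparison could be kept for enabled builds with `test ! -s camellia-vt.txt || cmp camellia-vt.txt $(srcdir)/camellia-expect-vt.txt`. The trade-off is that an enabled build which wrongly prints nothing would also pass. The check-unix recipe starts and continues outside this hunk.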
diff --git a/src/lib/crypto/crypto_tests/camellia-test.c b/src/lib/crypto/crypto_tests/camellia-test.c
index 41150f3..8ea8c46 100644
--- a/src/lib/crypto/crypto_tests/camellia-test.c
+++ b/src/lib/crypto/crypto_tests/camellia-test.c
@@ -31,6 +31,8 @@
#include <stdio.h>
#include "k5-int.h"
+#ifdef CAMELLIA_CCM
+
static char key[32];
static char plain[16], cipher[16], zero[16];
@@ -123,9 +125,11 @@ static void vt_test()
vt_test_1(32);
}
+#endif /* CAMELLIA_CCM */
int main (int argc, char *argv[])
{
+#ifdef CAMELLIA_CCM
if (argc > 2 || (argc == 2 && strcmp(argv[1], "-k"))) {
fprintf(stderr,
"usage:\t%s -k\tfor variable-key tests\n"
@@ -138,5 +142,6 @@ int main (int argc, char *argv[])
vk_test();
else
vt_test();
+#endif /* CAMELLIA_CCM */
return 0;
}
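Review bot: With CAMELLIA_CCM undefined, main() reduces to `return 0;`, so the test reports success without running anything and the log gives no hint that it was skipped. An `#else` branch before the `#endif`, for example `fprintf(stderr, "Camellia-CCM not enabled; test skipped\n");`, would make the skip visible; stderr is the right stream here because the Makefile redirects stdout to camellia-vt.txt. The main() functions in t_camellia_ccm.c and t_cmac.c are conditionalized the same way and would benefit from the same message. Only part of main()'s body is visible in these hunks.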
diff --git a/src/lib/crypto/crypto_tests/t_camellia_ccm.c b/src/lib/crypto/crypto_tests/t_camellia_ccm.c
index 329dcea..e3827ec 100644
--- a/src/lib/crypto/crypto_tests/t_camellia_ccm.c
+++ b/src/lib/crypto/crypto_tests/t_camellia_ccm.c
@@ -39,6 +39,8 @@
#include "k5-int.h"
+#ifdef CAMELLIA_CCM
+
static krb5_keyblock key_128 = {
KV5M_KEYBLOCK,
ENCTYPE_CAMELLIA128_CCM_128,
@@ -248,9 +250,12 @@ verify_cksum(krb5_context context)
}
}
+#endif /* CAMELLIA_CCM */
+
int
main(int argc, char **argv)
{
+#ifdef CAMELLIA_CCM
krb5_context context = NULL;
krb5_data seed = string2data("seed");
@@ -263,5 +268,6 @@ main(int argc, char **argv)
verify_enc(context);
verify_cksum(context);
}
+#endif /* CAMELLIA_CCM */
return 0;
}
diff --git a/src/lib/crypto/crypto_tests/t_cmac.c b/src/lib/crypto/crypto_tests/t_cmac.c
index 609c141..139372c 100644
--- a/src/lib/crypto/crypto_tests/t_cmac.c
+++ b/src/lib/crypto/crypto_tests/t_cmac.c
@@ -42,6 +42,8 @@
#include "enc_provider.h"
#include "cksumtypes.h"
+#ifdef CAMELLIA_CCM
+
/* All examples use the following Camellia-128 key. */
static unsigned char keybytes[] = {
0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
@@ -98,9 +100,12 @@ check_result(const char *name, const unsigned char *result,
}
}
+#endif /* CAMELLIA_CCM */
+
int
main(int argc, char **argv)
{
+#ifdef CAMELLIA_CCM
krb5_context context = NULL;
krb5_keyblock keyblock;
krb5_key key;
@@ -139,5 +144,6 @@ main(int argc, char **argv)
printf("All CMAC tests passed.\n");
krb5_k_free_key(context, key);
+#endif /* CAMELLIA_CCM */
return 0;
}
diff --git a/src/lib/crypto/crypto_tests/t_encrypt.c b/src/lib/crypto/crypto_tests/t_encrypt.c
index c28b56b..c2d2be8 100644
--- a/src/lib/crypto/crypto_tests/t_encrypt.c
+++ b/src/lib/crypto/crypto_tests/t_encrypt.c
@@ -45,8 +45,10 @@ krb5_enctype interesting_enctypes[] = {
ENCTYPE_ARCFOUR_HMAC_EXP,
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#ifdef CAMELLIA_CCM
ENCTYPE_CAMELLIA128_CCM_128,
ENCTYPE_CAMELLIA256_CCM_128,
+#endif
0
};
diff --git a/src/lib/crypto/crypto_tests/t_short.c b/src/lib/crypto/crypto_tests/t_short.c
index 16af94d..3cdcf41 100644
--- a/src/lib/crypto/crypto_tests/t_short.c
+++ b/src/lib/crypto/crypto_tests/t_short.c
@@ -41,8 +41,10 @@ krb5_enctype interesting_enctypes[] = {
ENCTYPE_ARCFOUR_HMAC_EXP,
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#ifdef CAMELLIA_CCM
ENCTYPE_CAMELLIA128_CCM_128,
ENCTYPE_CAMELLIA256_CCM_128,
+#endif
0
};
diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c
index 53d232d..d441e66 100644
--- a/src/lib/crypto/crypto_tests/t_str2key.c
+++ b/src/lib/crypto/crypto_tests/t_str2key.c
@@ -158,6 +158,7 @@ struct test {
"\x57\x18\x48\xB7\x84\xA3\xD6\xBD\xC3\x46\x58\x9A\x3E\x39\x3F\x9E" }
},
+#ifdef CAMELLIA_CCM
/* The same inputs applied to camellia-ccm enctypes. */
{
ENCTYPE_CAMELLIA128_CCM_128,
@@ -278,6 +279,7 @@ struct test {
"\x6A\x1F\x10\xE5\x74\x4E\x32\xDD\x33\x49\x03\xA8\xEB\xD1\x42\x7E"
"\x4C\x8D\x3D\x6D\xA5\x76\x77\x50\x4C\x38\x4C\x24\x33\x0B\x60\x3D" }
}
+#endif /* CAMELLIA_CCM */
};
static void
diff --git a/src/lib/crypto/krb/checksum/cmac.c b/src/lib/crypto/krb/checksum/cmac.c
index 1477711..a0e249f 100644
--- a/src/lib/crypto/krb/checksum/cmac.c
+++ b/src/lib/crypto/krb/checksum/cmac.c
@@ -45,6 +45,8 @@
#include "etypes.h"
#include "cksumtypes.h"
+#ifdef CAMELLIA_CCM
+
#define BLOCK_SIZE 16
static unsigned char const_Rb[BLOCK_SIZE] = {
@@ -223,3 +225,17 @@ krb5int_cmac_checksum(const struct krb5_enc_provider *enc, krb5_key key,
return 0;
}
+
+#else /* CAMELLIA_CCM */
+
+/* This won't be used, but is still in the export table. */
+
+krb5_error_code
+krb5int_cmac_checksum(const struct krb5_enc_provider *enc, krb5_key key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
+{
+ return EINVAL;
+}
+
+#endif /* CAMELLIA_CCM */
diff --git a/src/lib/crypto/krb/cksumtypes.c b/src/lib/crypto/krb/cksumtypes.c
index a705d34..6744775 100644
--- a/src/lib/crypto/krb/cksumtypes.c
+++ b/src/lib/crypto/krb/cksumtypes.c
@@ -105,6 +105,7 @@ const struct krb5_cksumtypes krb5int_cksumtypes_list[] = {
krb5int_hmacmd5_checksum, NULL,
16, 16, 0 },
+#ifdef CAMELLIA_CCM
{ CKSUMTYPE_CMAC_128_CAMELLIA128,
"cmac-128-camellia128", { 0 }, "CMAC Camellia128 key",
&krb5int_enc_camellia128_ctr, NULL,
@@ -116,6 +117,7 @@ const struct krb5_cksumtypes krb5int_cksumtypes_list[] = {
&krb5int_enc_camellia256_ctr, NULL,
krb5int_dk_cmac_checksum, NULL,
16, 16, 0 },
+#endif /* CAMELLIA_CCM */
};
const size_t krb5int_cksumtypes_length =
diff --git a/src/lib/crypto/krb/dk/checksum_cmac.c b/src/lib/crypto/krb/dk/checksum_cmac.c
index 9a87f1d..c2309b7 100644
--- a/src/lib/crypto/krb/dk/checksum_cmac.c
+++ b/src/lib/crypto/krb/dk/checksum_cmac.c
@@ -32,6 +32,8 @@
#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
+#ifdef CAMELLIA_CCM
+
krb5_error_code
krb5int_dk_cmac_checksum(const struct krb5_cksumtypes *ctp,
krb5_key key, krb5_keyusage usage,
@@ -61,3 +63,4 @@ krb5int_dk_cmac_checksum(const struct krb5_cksumtypes *ctp,
return ret;
}
+#endif /* CAMELLIA_CCM */
diff --git a/src/lib/crypto/krb/dk/derive.c b/src/lib/crypto/krb/dk/derive.c
index 65423f1..a7ad2e3 100644
--- a/src/lib/crypto/krb/dk/derive.c
+++ b/src/lib/crypto/krb/dk/derive.c
@@ -129,6 +129,8 @@ cleanup:
return ret;
}
+#ifdef CAMELLIA_CCM
+
/*
* NIST SP800-108 KDF in feedback mode (section 5.2).
* Parameters:
@@ -204,6 +206,8 @@ cleanup:
return ret;
}
+#endif /* CAMELLIA_CCM */
+
krb5_error_code
krb5int_derive_random(const struct krb5_enc_provider *enc,
krb5_key inkey, krb5_data *outrnd,
@@ -212,8 +216,10 @@ krb5int_derive_random(const struct krb5_enc_provider *enc,
switch (alg) {
case DERIVE_RFC3961:
return derive_random_rfc3961(enc, inkey, outrnd, in_constant);
+#ifdef CAMELLIA_CCM
case DERIVE_SP800_108_CMAC:
return derive_random_sp800_108_cmac(enc, inkey, outrnd, in_constant);
+#endif
default:
return EINVAL;
}
diff --git a/src/lib/crypto/krb/dk/dk.h b/src/lib/crypto/krb/dk/dk.h
index a9e1e53..fb6df88 100644
--- a/src/lib/crypto/krb/dk/dk.h
+++ b/src/lib/crypto/krb/dk/dk.h
@@ -66,7 +66,9 @@ krb5int_camellia_ccm_string_to_key(const struct krb5_keytypes *enc,
enum deriv_alg {
DERIVE_RFC3961, /* RFC 3961 section 5.1 */
+#ifdef CAMELLIA_CCM
DERIVE_SP800_108_CMAC /* NIST SP 800-108 with CMAC as PRF */
+#endif
};
krb5_error_code
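Review bot: When CAMELLIA_CCM is undefined, the enumerator list becomes `DERIVE_RFC3961,` followed directly by `};`, and a trailing comma in an enum is a C99 feature that strict C89 compilers reject. If the tree still has to build in C89 mode, the simplest fix is to leave `DERIVE_SP800_108_CMAC` unconditional. The derive.c change in this commit already compiles out its `case`, so the value would fall through to `default: return EINVAL;`.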
diff --git a/src/lib/crypto/krb/dk/dk_ccm.c b/src/lib/crypto/krb/dk/dk_ccm.c
index 8b7f1a1..284e362 100644
--- a/src/lib/crypto/krb/dk/dk_ccm.c
+++ b/src/lib/crypto/krb/dk/dk_ccm.c
@@ -28,6 +28,8 @@
#include "dk.h"
#include "aead.h"
+#ifdef CAMELLIA_CCM
+
/*
* Implement CCM-mode AEAD as described in section 5.3 and 5.4 of RFC 5116.
* This is the CCM mode as described in NIST SP800-38C, with a 12 byte nonce
@@ -608,3 +610,5 @@ krb5int_dk_ccm_free_state(const struct krb5_keytypes *ktp,
state->data = NULL;
state->length = 0;
}
+
+#endif /* CAMELLIA_CCM */
diff --git a/src/lib/crypto/krb/dk/stringtokey.c b/src/lib/crypto/krb/dk/stringtokey.c
index b8ed055..12ef67a 100644
--- a/src/lib/crypto/krb/dk/stringtokey.c
+++ b/src/lib/crypto/krb/dk/stringtokey.c
@@ -185,6 +185,7 @@ krb5int_aes_string_to_key(const struct krb5_keytypes *ktp,
DERIVE_RFC3961);
}
+#ifdef CAMELLIA_CCM
krb5_error_code
krb5int_camellia_ccm_string_to_key(const struct krb5_keytypes *ktp,
const krb5_data *string,
@@ -197,4 +198,4 @@ krb5int_camellia_ccm_string_to_key(const struct krb5_keytypes *ktp,
return pbkdf2_string_to_key(ktp, string, salt, &pepper, params, key,
DERIVE_SP800_108_CMAC);
}
-
+#endif
diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c
index 102542b..7a8d6f1 100644
--- a/src/lib/crypto/krb/etypes.c
+++ b/src/lib/crypto/krb/etypes.c
@@ -164,6 +164,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_init_state_enc, krb5int_free_state_enc,
CKSUMTYPE_HMAC_SHA1_96_AES256,
0 /*flags*/ },
+#ifdef CAMELLIA_CCM
{ ENCTYPE_CAMELLIA128_CCM_128,
"camellia128-ccm-128", { "camellia128-ccm" },
"Camellia-128 CCM mode with 128-bit MAC",
@@ -186,6 +187,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
krb5int_dk_ccm_init_state, krb5int_dk_ccm_free_state,
CKSUMTYPE_CMAC_128_CAMELLIA256,
0 /*flags */ },
+#endif /* CAMELLIA_CCM */
};
const int krb5int_enctypes_length =
diff --git a/src/lib/crypto/krb/prf/cmac_prf.c b/src/lib/crypto/krb/prf/cmac_prf.c
index b7c2851..a9ad09a 100644
--- a/src/lib/crypto/krb/prf/cmac_prf.c
+++ b/src/lib/crypto/krb/prf/cmac_prf.c
@@ -33,6 +33,8 @@
#include "prf_int.h"
#include <dk.h>
+#ifdef CAMELLIA_CCM
+
krb5_error_code
krb5int_dk_cmac_prf(const struct krb5_keytypes *ktp, krb5_key key,
const krb5_data *in, krb5_data *out)
@@ -64,3 +66,4 @@ cleanup:
return ret;
}
+#endif /* CAMELLIA_CCM */
diff --git a/src/lib/crypto/openssl/enc_provider/camellia_ctr.c b/src/lib/crypto/openssl/enc_provider/camellia_ctr.c
index ddaf882..0b6eee7 100644
--- a/src/lib/crypto/openssl/enc_provider/camellia_ctr.c
+++ b/src/lib/crypto/openssl/enc_provider/camellia_ctr.c
@@ -33,6 +33,7 @@
#include <openssl/camellia.h>
#include <openssl/modes.h>
+#ifdef CAMELLIA_CCM
#define NUM_BITS 8
static void
@@ -193,3 +194,20 @@ const struct krb5_enc_provider krb5int_enc_camellia256_ctr = {
krb5int_default_free_state,
NULL
};
+
+#else /* CAMELLIA_CCM */
+
+/* These won't be used, but is still in the export table. */
+
+krb5_error_code
+krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
+ size_t num_data, const krb5_data *iv,
+ krb5_data *output)
+{
+ return EINVAL;
+}
+
+const struct krb5_enc_provider krb5int_enc_camellia128_ctr = {
+};
+
+#endif /* CAMELLIA_CCM */
diff --git a/src/lib/crypto/openssl/enc_provider/enc_provider.h b/src/lib/crypto/openssl/enc_provider/enc_provider.h
index 98d935f..e8b552e 100644
--- a/src/lib/crypto/openssl/enc_provider/enc_provider.h
+++ b/src/lib/crypto/openssl/enc_provider/enc_provider.h
@@ -34,5 +34,8 @@ extern const struct krb5_enc_provider krb5int_enc_aes128;
extern const struct krb5_enc_provider krb5int_enc_aes256;
extern const struct krb5_enc_provider krb5int_enc_aes128_ctr;
extern const struct krb5_enc_provider krb5int_enc_aes256_ctr;
+#ifdef CAMELLIA_CCM
extern const struct krb5_enc_provider krb5int_enc_camellia128_ctr;
extern const struct krb5_enc_provider krb5int_enc_camellia256_ctr;
+#endif
+
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 1b0c090..a7f6100 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -430,9 +430,11 @@ krb5int_parse_enctype_list(krb5_context context, char *profstr,
mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, &list);
} else if (strcasecmp(token, "rc4") == 0) {
mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, &list);
+#ifdef CAMELLIA_CCM
} else if (strcasecmp(token, "camellia") == 0) {
mod_list(ENCTYPE_CAMELLIA256_CCM_128, sel, weak, &list);
mod_list(ENCTYPE_CAMELLIA128_CCM_128, sel, weak, &list);
+#endif
} else if (krb5_string_to_enctype(token, &etype) == 0) {
/* Set a specific enctype. */
mod_list(etype, sel, weak, &list);
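Review bot: With the `"camellia"` branch compiled out, a profile that names the camellia family now falls through to `krb5_string_to_enctype(token, &etype)`, and what happens when that lookup fails is outside this hunk. An administrator who set `permitted_enctypes = camellia` may end up with a different enctype list than intended on a build without the feature, so the behaviour deserves a comment at the `#ifdef`, for example `/* Without CAMELLIA_CCM, "camellia" is handled like any other unrecognized token. */`. As a style point, placing `#ifdef`/`#endif` between `}` and `else if` splits the chain in a way that is easy to break when the next family is added. The enclosing function starts and ends outside the hunk.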
diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c
index 841bfa0..5d4ae0e 100644
--- a/src/lib/krb5/krb/t_etypes.c
+++ b/src/lib/krb5/krb/t_etypes.c
@@ -98,12 +98,14 @@ static struct {
ENCTYPE_DES3_CBC_SHA1, 0 },
0, 0
},
+#ifdef CAMELLIA_CCM
/* Family with enctype removed */
{ "camellia -camellia256-ccm-128",
{ 0 },
{ ENCTYPE_CAMELLIA128_CCM_128, 0 },
{ ENCTYPE_CAMELLIA128_CCM_128, 0 }
},
+#endif
/* Enctype followed by two families */
{ "+rc4-hmAC des3 +des",
{ 0 },
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 20d670f..1ae02ea 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -261,32 +261,34 @@ set passes {
{dummy=[verbose -log \
"DES3 TGT, KDC permitting only des-cbc-crc"]}
}
- {
- camellia-only
- mode=udp
- des3_krbtgt=0
- {supported_enctypes=camellia256-ccm:normal}
- {permitted_enctypes(kdc)=camellia256-ccm}
- {permitted_enctypes(slave)=camellia256-ccm}
- {permitted_enctypes(client)=camellia256-ccm}
- {permitted_enctypes(server)=camellia256-ccm}
- {default_tgs_enctypes(kdc)=camellia256-ccm}
- {default_tgs_enctypes(slave)=camellia256-ccm}
- {default_tgs_enctypes(client)=camellia256-ccm}
- {default_tgs_enctypes(server)=camellia256-ccm}
- {default_tkt_enctypes(kdc)=camellia256-ccm}
- {default_tkt_enctypes(slave)=camellia256-ccm}
- {default_tkt_enctypes(client)=camellia256-ccm}
- {default_tkt_enctypes(server)=camellia256-ccm}
- {allow_weak_crypto(kdc)=false}
- {allow_weak_crypto(slave)=false}
- {allow_weak_crypto(client)=false}
- {allow_weak_crypto(server)=false}
- {master_key_type=camellia256-ccm}
- {dummy=[verbose -log "Camellia-256 enctype"]}
- }
}
+# Add to above when Camellia-CCM support becomes unconditional.
+# {
+# camellia-only
+# mode=udp
+# des3_krbtgt=0
+# {supported_enctypes=camellia256-ccm:normal}
+# {permitted_enctypes(kdc)=camellia256-ccm}
+# {permitted_enctypes(slave)=camellia256-ccm}
+# {permitted_enctypes(client)=camellia256-ccm}
+# {permitted_enctypes(server)=camellia256-ccm}
+# {default_tgs_enctypes(kdc)=camellia256-ccm}
+# {default_tgs_enctypes(slave)=camellia256-ccm}
+# {default_tgs_enctypes(client)=camellia256-ccm}
+# {default_tgs_enctypes(server)=camellia256-ccm}
+# {default_tkt_enctypes(kdc)=camellia256-ccm}
+# {default_tkt_enctypes(slave)=camellia256-ccm}
+# {default_tkt_enctypes(client)=camellia256-ccm}
+# {default_tkt_enctypes(server)=camellia256-ccm}
+# {allow_weak_crypto(kdc)=false}
+# {allow_weak_crypto(slave)=false}
+# {allow_weak_crypto(client)=false}
+# {allow_weak_crypto(server)=false}
+# {master_key_type=camellia256-ccm}
+# {dummy=[verbose -log "Camellia-256 enctype"]}
+# }
+
# des.md5-tgt is set as unused, since it won't trigger the error case
# if SUPPORT_DESMD5 isn't honored.
diff --git a/src/util/k5test.py b/src/util/k5test.py
index b8fa696..ee7fbd0 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1014,14 +1014,15 @@ _passes = [
'master_key_type' : 'aes128-cts'}}}}),
# Exercise the camellia256-ccm enctype.
- ('camellia256', None,
- {'all' : {'libdefaults' : {
- 'default_tgs_enctypes' : 'camellia256-ccm',
- 'default_tkt_enctypes' : 'camellia256-ccm',
- 'permitted_enctypes' : 'camellia256-ccm'}}},
- {'master' : {'realms' : {'$realm' : {
- 'supported_enctypes' : 'camellia256-ccm:normal',
- 'master_key_type' : 'camellia256-ccm'}}}}),
+# Enable when Camellia-CCM support becomes unconditional.
+# ('camellia256', None,
+# {'all' : {'libdefaults' : {
+# 'default_tgs_enctypes' : 'camellia256-ccm',
+# 'default_tkt_enctypes' : 'camellia256-ccm',
+# 'permitted_enctypes' : 'camellia256-ccm'}}},
+# {'master' : {'realms' : {'$realm' : {
+# 'supported_enctypes' : 'camellia256-ccm:normal',
+# 'master_key_type' : 'camellia256-ccm'}}}}),
# Test a setup with modern principal keys but an old TGT key.
('aes256.destgt', 'des-cbc-crc:normal',