gssapi,krb5: Replace libgssapi with the MIT version

lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed results in broken buildworld (gssd) and ports that will not
build without modifications to support the MIT gssapi in an alternate
location.

73ed0c7992 removed the MIT GSSAPI headers from /usr/include. Apps using
MIT KRB5 gssapi functions and structures will fail to build without this
patch.

This patch includes a temporary patch to usr.sbin/gssd to allow it
to build with this patch. rmacklem@ has a patch for this and for
kgssapi that uses this patch to resolve kgssapi issues for NFS with
Kerberos.

This patch is an updated version of D51661 to allow it to build following
additional patchs to the tree.

This should have been implmented with 7e35117eb0.

Fixes:			7e35117eb0, 73ed0c7992
Differential Revision:	https://reviews.freebsd.org/D51661

Makefile.inc1

@@ -3379,8 +3379,8 @@ secure/lib/libssh__L: lib/libldns__L
 
 .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} != "no"
-secure/lib/libssh__L: lib/libgssapi__L krb5/lib/krb5__L \
-    krb5/util/et__L lib/libmd__L krb5/util/support__L
+secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \
+     krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L
 .else
 secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \
     kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \
@@ -3437,8 +3437,10 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__L kerberos5/lib/libheimbas
 lib/libsqlite3__L: lib/libthr__L
 
 .if ${MK_GSSAPI} != "no"
+.if ${MK_MITKRB5} == "no"
 _lib_libgssapi=	lib/libgssapi
 .endif
+.endif
 
 .if ${MK_KERBEROS} != "no"
 .if ${MK_MITKRB5} != "no"

ObsoleteFiles.inc

@@ -51,6 +51,12 @@
 #   xargs -n1 | sort | uniq -d;
 # done
 
+# 20250807: Replace lib/libgssapi with krb5/lib/gssapi
+OLD_FILES+=usr/include/gssapi_krb5/gssapi/gssapi.h
+OLD_DIRS+=usr/include/gssapi_krb5/gssapi
+OLD_DIRS+=usr/include/gssapi_krb5
+OLD_FILES+=etc/gssapi/qop
+
 # 20250802: libutil bumped to 10
 OLD_LIBS+=lib/libutil.so.9
 

etc/gss-krb5/Makefile

@@ -1,4 +1,4 @@
-FILES=	mech qop
+FILES=	mech
 NO_OBJ=
 FILESDIR= /etc/gss
 

etc/gss-krb5/qop

@@ -1 +0,0 @@
-GSS_KRB5_CONF_C_QOP_DES3_KD	0x0200	kerberosv5

etc/mtree/BSD.include.dist

@@ -258,10 +258,6 @@
     ..
     gssapi
     ..
-    gssapi_krb5
-        gssapi
-        ..
-    ..
     gssrpc
     ..
     infiniband

include/Makefile

@@ -293,7 +293,7 @@ LSUBSUBDIRS+=	netgraph/bluetooth/include
 LSUBDIRS+=	fs/cuse
 .endif
 
-.if ${MK_GSSAPI} != "no"
+.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no"
 SUBDIR+=	gssapi
 INCS+=		gssapi.h
 .endif

krb5/include/Makefile

@@ -17,13 +17,12 @@ SUBDIR=	krb5 gssrpc gssapi
 
 SUBDIR_PARALLEL=
 
-INCSGROUPS=	INCS
-
 INCSDIR=	${INCLUDEDIR}
 
 .PATH:	${KRB5_DIR}/include
 
-INCS=	kdb.h \
+INCS=	gssapi.h \
+	kdb.h \
 	krad.h \
 	krb5.h
 

krb5/include/gssapi/Makefile

@@ -15,16 +15,11 @@
 
 INCSGROUPS=	INCS GSSAPI_KRB5
 INCSDIR=	${INCLUDEDIR}/gssapi
-GSSAPI_KRB5DIR=	${INCLUDEDIR}/gssapi_krb5
 
-INCS=	gssapi_alloc.h \
+INCS=	gssapi.h \
+	gssapi_alloc.h \
 	gssapi_ext.h \
 	gssapi_generic.h \
 	gssapi_krb5.h
 
-# This gssapi header file is only needed should an app need
-# to build using the MIT KRB5 GSSAPI library.
-
-GSSAPI_KRB5=	gssapi.h
-
 .include <bsd.prog.mk>

krb5/lib/gssapi/generic/Makefile.inc

@@ -36,7 +36,7 @@ SRCS+=	disp_com_err_status.c \
 INCSGROUPS=	GSSAPI_INCS
 GSSAPI_INCS=	gssapi.h
 INCS+=		${GENI}
-GSSAPI_INCSDIR=	${INCLUDEDIR}/gssapi_krb5/gssapi
+GSSAPI_INCSDIR=	${INCLUDEDIR}/gssapi
 
 CLEANFILES+=	gssapi.h ${GGEN} ${GGENI}
 

lib/Makefile

@@ -137,7 +137,9 @@ SUBDIR_DEPEND_libdevstat= libkvm
 SUBDIR_DEPEND_libdpv= libfigpar ncurses libutil
 SUBDIR_DEPEND_libedit= ncurses
 SUBDIR_DEPEND_libgeom= libexpat libsbuf
+.if ${MK_MITKRB5} == "no"
 SUBDIR_DEPEND_librpcsec_gss= libgssapi
+.endif
 SUBDIR_DEPEND_libmagic= libz
 SUBDIR_DEPEND_libmemstat= libkvm
 SUBDIR_DEPEND_libpam= libcrypt ${_libradius} librpcsvc libtacplus libutil ${_libypclnt} ${_libcom_err}
@@ -176,7 +178,10 @@ SUBDIR.${MK_DIALOG}+=	libdpv libfigpar
 SUBDIR.${MK_FDT}+=	libfdt
 SUBDIR.${MK_FILE}+=	libmagic
 SUBDIR.${MK_GPIO}+=	libgpio
-SUBDIR.${MK_GSSAPI}+=	libgssapi librpcsec_gss
+.if ${MK_MITKRB5} == "no"
+SUBDIR.${MK_GSSAPI}+=	libgssapi
+.endif
+SUBDIR.${MK_GSSAPI}+=	librpcsec_gss
 SUBDIR.${MK_ICONV}+=	libiconv_modules
 .if ${MK_MITKRB5} == "no"
 SUBDIR.${MK_KERBEROS_SUPPORT}+=	libcom_err

lib/librpcsec_gss/Makefile

@@ -1,10 +1,16 @@
+.include <src.opts.mk>
+
 PACKAGE=lib${LIB}
 LIB=	rpcsec_gss
 SHLIB_MAJOR= 1
 SRCS+=	rpcsec_gss.c rpcsec_gss_prot.c rpcsec_gss_conf.c rpcsec_gss_misc.c \
 	svc_rpcsec_gss.c
 
+.if ${MK_MITKRB5} == "no"
 LIBADD=	gssapi
+.else
+LIBADD=	gssapi_krb5
+.endif
 
 VERSION_DEF=	${SRCTOP}/lib/libc/Versions.def
 SYMBOL_MAPS=	${.CURDIR}/Symbol.map

secure/libexec/sshd-session/Makefile

@@ -39,15 +39,14 @@ LDFLAGS+=-L${LIBBLACKLISTDIR}
 .endif
 
 .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
-LIBADD+=	gssapi_krb5 gssapi krb5
 .if ${MK_MITKRB5} != "no"
+LIBADD+=	gssapi_krb5 krb5
 .include "../../krb5/Makefile.inc"
 CFLAGS+=	-I${KRB5_DIR}/include \
 		-I${KRB5_SRCTOP}/include \
-		-I${KRB5_OBJTOP}/lib \
-		-I${KRB5_DIR}/lib/gssapi/generic \
-		-I${KRB5_DIR}/lib/gssapi/krb5 \
-		-I${KRB5_DIR}/lib/gssapi/mechglue
+		-I${KRB5_OBJTOP}/lib
+.else
+LIBADD+=	gssapi_krb5 gssapi krb5
 .endif
 .endif
 

secure/usr.bin/ssh/Makefile

@@ -18,7 +18,11 @@ SRCS+=	gss-genr.c
 LIBADD=	ssh
 
 .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_MITKRB5} == "no"
 LIBADD+=	gssapi
+.else
+LIBADD+=	gssapi_krb5
+.endif
 .endif
 
 LIBADD+=	crypto

secure/usr.sbin/sshd/Makefile

@@ -19,7 +19,11 @@ moduli: .MADE
 LIBADD=	ssh util
 
 .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_MITKRB5} == "no"
 LIBADD+=	gssapi_krb5 gssapi krb5
+.else
+LIBADD+=	gssapi_krb5 krb5
+.endif
 .endif
 
 .if ${MK_TCP_WRAPPERS} != "no"

share/mk/src.libnames.mk

@@ -472,7 +472,11 @@ _DP_ncursesw=	tinfow
 _DP_formw=	ncursesw
 _DP_nvpair=	spl
 _DP_panelw=	ncursesw
+.if ${MK_MITKRB5} == "no"
 _DP_rpcsec_gss=	gssapi
+.else
+_DP_rpcsec_gss=	gssapi_krb5
+.endif
 _DP_smb=	kiconv
 _DP_ulog=	md
 _DP_fifolog=	z

tools/build/mk/OptionalObsoleteFiles.inc

@@ -4836,6 +4836,7 @@ OLD_FILES+=usr/share/man/man8/sserver.8.gz
 .else
 .if ${MK_MITKRB5} != "no"
 # Remove Heimdal because we want MIT KRB5 but not Heimdal
+OLD_FILES+=etc/gss/qop
 OLD_FILES+=etc/rc.d/ipropd_master
 OLD_FILES+=etc/rc.d/ipropd_slave
 OLD_FILES+=usr/bin/asn1_compile
@@ -4921,6 +4922,8 @@ OLD_LIBS+=usr/lib/libasn1.so.11
 OLD_FILES+=usr/lib/libasn1_p.a
 OLD_LIBS+=usr/lib/libcom_err.so.5
 OLD_FILES+=usr/lib/libcom_err_p.a
+OLD_LIBS+=usr/lib/libgssapi.a
+OLD_LIBS+=usr/lib/libgssapi.so.10
 OLD_LIBS+=usr/lib/libgssapi_krb5.so.10
 OLD_FILES+=usr/lib/libgssapi_krb5_p.a
 OLD_FILES+=usr/lib/libgssapi_mech.a

usr.sbin/gssd/Makefile

@@ -9,15 +9,14 @@ SRCS=	gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c
 CFLAGS+= -I.
 WARNS?= 1
 
-LIBADD=	gssapi
 .if ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} != "no"
 # MIT KRB5
-LIBADD+=	krb5 k5crypto krb5profile krb5support
+LIBADD+=	gssapi_krb5 krb5 k5crypto krb5profile krb5support
 CFLAGS+= -DMK_MITKRB5=yes
 .else
 # Heimdal
-LIBADD+=	krb5 roken
+LIBADD+=	gssapi krb5 roken
 .endif
 .else
 CFLAGS+= -DWITHOUT_KERBEROS

usr.sbin/gssd/gssd.c

@@ -53,6 +53,9 @@
 #include <arpa/inet.h>
 #include <netinet/in.h>
 #include <gssapi/gssapi.h>
+#ifdef MK_MITKRB5
+#include <gssapi/gssapi_krb5.h>
+#endif
 #include <rpc/rpc.h>
 #include <rpc/rpc_com.h>