From e26259f48afe98022d885f02fbb8abcd7878e41a Mon Sep 17 00:00:00 2001 From: Cy Schubert Date: Thu, 31 Jul 2025 09:51:20 -0700 Subject: [PATCH] gssapi,krb5: Replace libgssapi with the MIT version lib/libgssapi is based on Heimdal. As on Linux systems, the MIT libgssapi_krb5 replaces it. Having both gssapi libraries and header files installed results in a broken buildworld (gssd) and ports that will not build without modifications to support the MIT gssapi in an alternate location. 73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using MIT KRB5 gssapi functions and structures will fail to build without this patch. This patch includes a temporary patch to usr.sbin/gssd to allow it to build with this patch. rmacklem@ has a patch for this and for kgssapi that uses this patch to resolve kgssapi issues for NFS with Kerberos. This patch is an updated version of D51661 to allow it to build following additional patches to the tree. This should have been implemented with 7e35117eb07f. Fixes: 7e35117eb07f, 73ed0c7992fd Differential Revision: https://reviews.freebsd.org/D51661 --- Makefile.inc1 | 6 ++++-- ObsoleteFiles.inc | 6 ++++++ etc/gss-krb5/Makefile | 2 +- etc/gss-krb5/qop | 1 - etc/mtree/BSD.include.dist | 4 ---- include/Makefile | 2 +- krb5/include/Makefile | 5 ++--- krb5/include/gssapi/Makefile | 9 ++------- krb5/lib/gssapi/generic/Makefile.inc | 2 +- lib/Makefile | 7 ++++++- lib/librpcsec_gss/Makefile | 6 ++++++ secure/libexec/sshd-session/Makefile | 9 ++++----- secure/usr.bin/ssh/Makefile | 4 ++++ secure/usr.sbin/sshd/Makefile | 4 ++++ share/mk/src.libnames.mk | 4 ++++ tools/build/mk/OptionalObsoleteFiles.inc | 3 +++ usr.sbin/gssd/Makefile | 5 ++--- usr.sbin/gssd/gssd.c | 3 +++ 18 files changed, 53 insertions(+), 29 deletions(-) delete mode 100644 etc/gss-krb5/qop diff --git a/Makefile.inc1 b/Makefile.inc1 index e6c9b49eefa..9128d1d8ee7 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 
@@ -3379,8 +3379,8 @@ secure/lib/libssh__L: lib/libldns__L .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" .if ${MK_MITKRB5} != "no" -secure/lib/libssh__L: lib/libgssapi__L krb5/lib/krb5__L \ - krb5/util/et__L lib/libmd__L krb5/util/support__L +secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \ + krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L .else secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \ kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \ @@ -3437,8 +3437,10 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__L kerberos5/lib/libheimbas lib/libsqlite3__L: lib/libthr__L .if ${MK_GSSAPI} != "no" +.if ${MK_MITKRB5} == "no" _lib_libgssapi= lib/libgssapi .endif +.endif .if ${MK_KERBEROS} != "no" .if ${MK_MITKRB5} != "no" diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 86a449c80a7..2f63bbea5a4 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -51,6 +51,12 @@ # xargs -n1 | sort | uniq -d; # done +# 20250807: Replace lib/libgssapi with krb5/lib/gssapi +OLD_FILES+=usr/include/gssapi_krb5/gssapi/gssapi.h +OLD_DIRS+=usr/include/gssapi_krb5/gssapi +OLD_DIRS+=usr/include/gssapi_krb5 +OLD_FILES+=etc/gssapi/qop + # 20250802: libutil bumped to 10 OLD_LIBS+=lib/libutil.so.9 diff --git a/etc/gss-krb5/Makefile b/etc/gss-krb5/Makefile index 301a8e074e8..8886ed35e28 100644 --- a/etc/gss-krb5/Makefile +++ b/etc/gss-krb5/Makefile @@ -1,4 +1,4 @@ -FILES= mech qop +FILES= mech NO_OBJ= FILESDIR= /etc/gss diff --git a/etc/gss-krb5/qop b/etc/gss-krb5/qop deleted file mode 100644 index 7d5b6b8f33d..00000000000 --- a/etc/gss-krb5/qop +++ /dev/null @@ -1 +0,0 @@ -GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 kerberosv5 diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist index 0e9f739425a..28c4d91ac1c 100644 --- a/etc/mtree/BSD.include.dist +++ b/etc/mtree/BSD.include.dist @@ -258,10 +258,6 @@ .. gssapi .. - gssapi_krb5 - gssapi - .. - .. gssrpc .. infiniband 
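Review bot: `OLD_FILES+=etc/gssapi/qop` in the ObsoleteFiles.inc hunk names a directory that does not match the rest of this patch: etc/gss-krb5/Makefile installs with `FILESDIR= /etc/gss`, and the OptionalObsoleteFiles.inc hunk lists `etc/gss/qop`. As written the entry probably matches nothing, so a system that relies on this list keeps the retired qop file (the DES3 QOP mapping this commit deletes) after an upgrade. If /etc/gss was meant, the line should read `OLD_FILES+=etc/gss/qop`. If the Heimdal build still installs that file (not visible here), the unconditional entry should be dropped in favour of the MK_MITKRB5-guarded one.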
diff --git a/include/Makefile b/include/Makefile index af7ef233794..2792d594a88 100644 --- a/include/Makefile +++ b/include/Makefile @@ -293,7 +293,7 @@ LSUBSUBDIRS+= netgraph/bluetooth/include LSUBDIRS+= fs/cuse .endif -.if ${MK_GSSAPI} != "no" +.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no" SUBDIR+= gssapi INCS+= gssapi.h .endif diff --git a/krb5/include/Makefile b/krb5/include/Makefile index 699211b9c3c..64c5d39b867 100644 --- a/krb5/include/Makefile +++ b/krb5/include/Makefile @@ -17,13 +17,12 @@ SUBDIR= krb5 gssrpc gssapi SUBDIR_PARALLEL= -INCSGROUPS= INCS - INCSDIR= ${INCLUDEDIR} .PATH: ${KRB5_DIR}/include -INCS= kdb.h \ +INCS= gssapi.h \ + kdb.h \ krad.h \ krb5.h diff --git a/krb5/include/gssapi/Makefile b/krb5/include/gssapi/Makefile index 4959bf78944..b181187e9d9 100644 --- a/krb5/include/gssapi/Makefile +++ b/krb5/include/gssapi/Makefile @@ -15,16 +15,11 @@ INCSGROUPS= INCS GSSAPI_KRB5 INCSDIR= ${INCLUDEDIR}/gssapi -GSSAPI_KRB5DIR= ${INCLUDEDIR}/gssapi_krb5 -INCS= gssapi_alloc.h \ +INCS= gssapi.h \ + gssapi_alloc.h \ gssapi_ext.h \ gssapi_generic.h \ gssapi_krb5.h -# This gssapi header file is only needed should an app need -# to build using the MIT KRB5 GSSAPI library. - -GSSAPI_KRB5= gssapi.h - .include diff --git a/krb5/lib/gssapi/generic/Makefile.inc b/krb5/lib/gssapi/generic/Makefile.inc index 9de18079a34..ef76172655d 100644 --- a/krb5/lib/gssapi/generic/Makefile.inc +++ b/krb5/lib/gssapi/generic/Makefile.inc @@ -36,7 +36,7 @@ SRCS+= disp_com_err_status.c \ INCSGROUPS= GSSAPI_INCS GSSAPI_INCS= gssapi.h INCS+= ${GENI} -GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi_krb5/gssapi +GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi CLEANFILES+= gssapi.h ${GGEN} ${GGENI} diff --git a/lib/Makefile b/lib/Makefile index e5139b312a7..9447cc4551c 100644 --- a/lib/Makefile +++ b/lib/Makefile 
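Review bot: The krb5/include/gssapi/Makefile hunk deletes `GSSAPI_KRB5= gssapi.h` and `GSSAPI_KRB5DIR`, but its hunk-header context still shows `INCSGROUPS= INCS GSSAPI_KRB5`, and no hunk touches that line. That would leave an include group with no files and no destination directory. It should probably become `INCSGROUPS= INCS` or be removed, as the krb5/include/Makefile hunk does for its own `INCSGROUPS= INCS`. The line sits above the hunk, so confirm against the full file.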
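Review bot: With `GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi`, krb5/lib/gssapi/generic/Makefile.inc now installs its `gssapi.h` to the same destination that krb5/include/gssapi/Makefile targets by adding `gssapi.h` to `INCS` under `INCSDIR= ${INCLUDEDIR}/gssapi`. The copy here is listed in CLEANFILES, so it appears to be generated. With two directories writing one installed header, the surviving copy depends on install order, and any difference between them would silently change the GSS-API declarations that consumers compile against. Consider installing it from a single place, or if the duplication is intentional add a comment such as `# gssapi.h is also installed by krb5/include/gssapi; the two copies must stay identical`.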
@@ -137,7 +137,9 @@ SUBDIR_DEPEND_libdevstat= libkvm SUBDIR_DEPEND_libdpv= libfigpar ncurses libutil SUBDIR_DEPEND_libedit= ncurses SUBDIR_DEPEND_libgeom= libexpat libsbuf +.if ${MK_MITKRB5} == "no" SUBDIR_DEPEND_librpcsec_gss= libgssapi +.endif SUBDIR_DEPEND_libmagic= libz SUBDIR_DEPEND_libmemstat= libkvm SUBDIR_DEPEND_libpam= libcrypt ${_libradius} librpcsvc libtacplus libutil ${_libypclnt} ${_libcom_err} @@ -176,7 +178,10 @@ SUBDIR.${MK_DIALOG}+= libdpv libfigpar SUBDIR.${MK_FDT}+= libfdt SUBDIR.${MK_FILE}+= libmagic SUBDIR.${MK_GPIO}+= libgpio -SUBDIR.${MK_GSSAPI}+= libgssapi librpcsec_gss +.if ${MK_MITKRB5} == "no" +SUBDIR.${MK_GSSAPI}+= libgssapi +.endif +SUBDIR.${MK_GSSAPI}+= librpcsec_gss SUBDIR.${MK_ICONV}+= libiconv_modules .if ${MK_MITKRB5} == "no" SUBDIR.${MK_KERBEROS_SUPPORT}+= libcom_err diff --git a/lib/librpcsec_gss/Makefile b/lib/librpcsec_gss/Makefile index a29d9780c1a..eebc975acbd 100644 --- a/lib/librpcsec_gss/Makefile +++ b/lib/librpcsec_gss/Makefile @@ -1,10 +1,16 @@ +.include + PACKAGE=lib${LIB} LIB= rpcsec_gss SHLIB_MAJOR= 1 SRCS+= rpcsec_gss.c rpcsec_gss_prot.c rpcsec_gss_conf.c rpcsec_gss_misc.c \ svc_rpcsec_gss.c +.if ${MK_MITKRB5} == "no" LIBADD= gssapi +.else +LIBADD= gssapi_krb5 +.endif VERSION_DEF= ${SRCTOP}/lib/libc/Versions.def SYMBOL_MAPS= ${.CURDIR}/Symbol.map diff --git a/secure/libexec/sshd-session/Makefile b/secure/libexec/sshd-session/Makefile index 8841cace523..37e099794bd 100644 --- a/secure/libexec/sshd-session/Makefile +++ b/secure/libexec/sshd-session/Makefile 
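Review bot: With MK_MITKRB5 enabled, the first lib/Makefile hunk leaves `SUBDIR_DEPEND_librpcsec_gss` unset while lib/librpcsec_gss/Makefile switches to `LIBADD= gssapi_krb5`, a library built under krb5/lib rather than lib/. Nothing in the visible hunks orders lib/librpcsec_gss after krb5/lib/gssapi; the Makefile.inc1 change adds that prerequisite only for `secure/lib/libssh__L`. Unless ordering is provided elsewhere in the tree, a parallel build could try to link before the library exists. If it is handled elsewhere, say so in the `.if` block, e.g. `# MIT case: gssapi_krb5 is built under krb5/lib, ordering is not expressed via SUBDIR_DEPEND`.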
@@ -39,15 +39,14 @@ LDFLAGS+=-L${LIBBLACKLISTDIR} .endif .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" -LIBADD+= gssapi_krb5 gssapi krb5 .if ${MK_MITKRB5} != "no" +LIBADD+= gssapi_krb5 krb5 .include "../../krb5/Makefile.inc" CFLAGS+= -I${KRB5_DIR}/include \ -I${KRB5_SRCTOP}/include \ - -I${KRB5_OBJTOP}/lib \ - -I${KRB5_DIR}/lib/gssapi/generic \ - -I${KRB5_DIR}/lib/gssapi/krb5 \ - -I${KRB5_DIR}/lib/gssapi/mechglue + -I${KRB5_OBJTOP}/lib +.else +LIBADD+= gssapi_krb5 gssapi krb5 .endif .endif diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile index acb1fd4eaa2..a4f36d0fe2d 100644 --- a/secure/usr.bin/ssh/Makefile +++ b/secure/usr.bin/ssh/Makefile @@ -18,7 +18,11 @@ SRCS+= gss-genr.c LIBADD= ssh .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" +.if ${MK_MITKRB5} == "no" LIBADD+= gssapi +.else +LIBADD+= gssapi_krb5 +.endif .endif LIBADD+= crypto diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile index e6913cd9d0d..f37dfe1c1b3 100644 --- a/secure/usr.sbin/sshd/Makefile +++ b/secure/usr.sbin/sshd/Makefile @@ -19,7 +19,11 @@ moduli: .MADE LIBADD= ssh util .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" +.if ${MK_MITKRB5} == "no" LIBADD+= gssapi_krb5 gssapi krb5 +.else +LIBADD+= gssapi_krb5 krb5 +.endif .endif .if ${MK_TCP_WRAPPERS} != "no" diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk index 283a99496b9..9ca043e7733 100644 --- a/share/mk/src.libnames.mk +++ b/share/mk/src.libnames.mk @@ -472,7 +472,11 @@ _DP_ncursesw= tinfow _DP_formw= ncursesw _DP_nvpair= spl _DP_panelw= ncursesw +.if ${MK_MITKRB5} == "no" _DP_rpcsec_gss= gssapi +.else +_DP_rpcsec_gss= gssapi_krb5 +.endif _DP_smb= kiconv _DP_ulog= md _DP_fifolog= z diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index aa6d04f1cc4..8e5ac7fa2a6 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc 
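Review bot: The three OpenSSH makefiles in this patch write the same MIT/Heimdal choice with opposite polarity: secure/libexec/sshd-session/Makefile tests `${MK_MITKRB5} != "no"` first, while secure/usr.bin/ssh/Makefile and secure/usr.sbin/sshd/Makefile test `${MK_MITKRB5} == "no"` first. Picking one form for all three makes it easier to check side by side that each binary links the intended GSS-API library. For sshd-session that would mean opening with `.if ${MK_MITKRB5} == "no"` and keeping `LIBADD+= gssapi_krb5 gssapi krb5` in that branch. The enclosing `.if ${MK_GSSAPI} ...` block in each file begins outside the respective hunk.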
@@ -4836,6 +4836,7 @@ OLD_FILES+=usr/share/man/man8/sserver.8.gz .else .if ${MK_MITKRB5} != "no" # Remove Heimdal because we want MIT KRB5 but not Heimdal +OLD_FILES+=etc/gss/qop OLD_FILES+=etc/rc.d/ipropd_master OLD_FILES+=etc/rc.d/ipropd_slave OLD_FILES+=usr/bin/asn1_compile @@ -4921,6 +4922,8 @@ OLD_LIBS+=usr/lib/libasn1.so.11 OLD_FILES+=usr/lib/libasn1_p.a OLD_LIBS+=usr/lib/libcom_err.so.5 OLD_FILES+=usr/lib/libcom_err_p.a +OLD_LIBS+=usr/lib/libgssapi.a +OLD_LIBS+=usr/lib/libgssapi.so.10 OLD_LIBS+=usr/lib/libgssapi_krb5.so.10 OLD_FILES+=usr/lib/libgssapi_krb5_p.a OLD_FILES+=usr/lib/libgssapi_mech.a diff --git a/usr.sbin/gssd/Makefile b/usr.sbin/gssd/Makefile index 569e2c7e18f..336a1b49f69 100644 --- a/usr.sbin/gssd/Makefile +++ b/usr.sbin/gssd/Makefile @@ -9,15 +9,14 @@ SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c CFLAGS+= -I. WARNS?= 1 -LIBADD= gssapi .if ${MK_KERBEROS_SUPPORT} != "no" .if ${MK_MITKRB5} != "no" # MIT KRB5 -LIBADD+= krb5 k5crypto krb5profile krb5support +LIBADD+= gssapi_krb5 krb5 k5crypto krb5profile krb5support CFLAGS+= -DMK_MITKRB5=yes .else # Heimdal -LIBADD+= krb5 roken +LIBADD+= gssapi krb5 roken .endif .else CFLAGS+= -DWITHOUT_KERBEROS diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c index 94eb6ca575c..2a3af05496c 100644 --- a/usr.sbin/gssd/gssd.c +++ b/usr.sbin/gssd/gssd.c @@ -53,6 +53,9 @@ #include #include #include +#ifdef MK_MITKRB5 +#include +#endif #include #include
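Review bot: `OLD_LIBS+=usr/lib/libgssapi.a` in the second OptionalObsoleteFiles.inc hunk files a static archive under OLD_LIBS, whereas the neighbouring archives in the same hunk (`libasn1_p.a`, `libcom_err_p.a`) use OLD_FILES. OLD_LIBS entries are removed only by `make delete-old-libs`, so the stale Heimdal archive would survive a normal `make delete-old`. The line should read `OLD_FILES+=usr/lib/libgssapi.a`. Whether a profiled `libgssapi_p.a` also needs an entry is not visible from this hunk.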
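Review bot: Removing the unconditional `LIBADD= gssapi` in usr.sbin/gssd/Makefile leaves the `MK_KERBEROS_SUPPORT == "no"` branch, the one that adds `-DWITHOUT_KERBEROS`, with no GSS-API library at all. Before this change gssd linked libgssapi in every configuration, so if the daemon is still built in that branch the link would presumably fail on the gss_* symbols. Either add the appropriate library there too, or add a comment such as `# gssd is not built without Kerberos support` if that holds. The `.endif` lines closing these conditionals fall outside the hunk.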
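Review bot: The `#ifdef MK_MITKRB5` include added to gssd.c is described in the commit message as temporary, but nothing in the source says so. A comment above it, e.g. `/* XXX temporary: needed until gssd is converted to the MIT GSS-API, see D51661 */`, would keep the workaround from quietly becoming permanent. `MK_MITKRB5` is also the name of the build knob, passed here as `-DMK_MITKRB5=yes`; a distinct macro name for the C side would avoid confusing the two.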