Commit Graph

54 Commits

Author SHA1 Message Date
Cy Schubert f74173b5da krb5: Remove extraneous exports file
We use version.map in the FreeBSD MIT KRB5 build. The exports file is
a leftover from when the version map file was created.

MFC after:	1 week
2025-12-18 10:16:39 -08:00
Cy Schubert f825427c0a krb5: Add missing symbol
Submitted by:	lampa@fit.vutbr.cz
PR:		291565
MFC after:	1 day
2025-12-11 06:02:37 -08:00
Mark Johnston 6739241224 krb5: Use sh to run mk_cmds
Otherwise etcupdate apparently can fail if its private object directory
under /var/db is in a filesystem mounted noexec.  We shouldn't be
building this target at all, but for now, just apply this workaround.

PR:		291043
Reviewed by:	ivy, cy, des
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D53861
2025-11-24 14:28:42 +00:00
Lexi Winter 707507c27f libkadm5clnt: Fix library symlink install
libkadm5clnt_mit installs a symlink from libkadm5clnt.so for backward
compatibility, but it neglected to include the package tags, so the
symlink was missing from pkgbase builds.  Add ${DEV_TAG_ARGS} to the
install command.

Reported by:	Mark Millard <marklmi@yahoo.com>
MFC after:	1 day
Reviewed by:	emaste
Sponsored by:	https://www.patreon.com/bsdivy
Differential Revision:	https://reviews.freebsd.org/D53574
2025-11-05 00:38:07 +00:00
Jessica Clarke 34e7a57673 krb5: Include <features.h> on Linux so __GLIBC__ can be checked
__GLIBC__ is not pre-defined by the toolchain, it comes from features.h,
so we need to make sure that's included by this point.

Fixes:	4dd2b869cd ("krb5: Fix -Wint-conversion when bootstrapping on GNU/Linux")
2025-10-22 21:06:02 +01:00
Jessica Clarke 4dd2b869cd krb5: Fix -Wint-conversion when bootstrapping on GNU/Linux
This shows up in GitHub Actions as a warning, and some compilers can
default to it being an error.
2025-10-22 20:50:50 +01:00
Cy Schubert b0e7b55a0e krb5: Enable PRINC_LOOK_AHEAD in ksu
PRINC_LOOK_AHEAD is the upstream default. Normally ksu determines the
target principal by (quoted from the man page)

a. default principal of the source cache

b. target_user@local_realm

c. source_user@local_realm

With PRINC_LOOK_AHEAD enabled, for each candidate in the above
list, select an authorized principal that has the same realm name
and first part of the principal name equal to the prefix of the
candidate. For example if candidate a) is jqpublic@ISI.EDU and
jqpublic/secure@ISI.EDU is authorized to access the target account
then the default principal is set to jqpublic/secure@ISI.EDU.

Case 2: source user is root.

If the target user is non-root then the default principal name
is target_user@local_realm.  Else, if the source cache exists
the default principal name is set to the default principal of
the source cache.  If the source cache does not exist, default
principal name is set to root\@local_realm.

This commit restores the same behaviour as Heimdal ksu.

Reported by:		Dan Mahoney <dmahoney@isc.org>
Requested by:		Dan Mahoney <dmahoney@isc.org>
MFC after:		3 days
MFC to:			15/stable
Differential revision:	 https://reviews.freebsd.org/D52478
2025-09-12 07:32:48 -07:00
Cy Schubert 621e0e7f27 krb5: Update to 1.22.1
Reviewed by:		des
Differential revision:	https://reviews.freebsd.org/D52100

Merge commit 'e5fe63eaf1d35ebbeac17eeed04cf873fbb9b3da' into main
2025-08-26 07:33:03 -07:00
Lexi Winter 929f5966a9 packages: Improve handling of -lib packages
For some packages (OpenSSL, Kerberos) we want to ship runtime libraries
in a separate package, e.g. openssl and openssl-lib.  Currently this is
done using PACKAGE=openssl-lib, but that creates packages with strange
names like openssl-lib-lib32.

Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime
libraries to be placed in a new -lib subpackage.  This significantly
improves the set of packages we create; for example, OpenSSL goes from:

	FreeBSD-openssl
	FreeBSD-openssl-dbg
	FreeBSD-openssl-lib
	FreeBSD-openssl-lib-dbg
	FreeBSD-openssl-lib-dbg-lib32
	FreeBSD-openssl-lib-dev
	FreeBSD-openssl-lib-dev-lib32
	FreeBSD-openssl-lib-lib32
	FreeBSD-openssl-lib-man
	FreeBSD-openssl-man

to:

	FreeBSD-openssl
	FreeBSD-openssl-dbg
	FreeBSD-openssl-dbg-lib32
	FreeBSD-openssl-dev
	FreeBSD-openssl-dev-lib32
	FreeBSD-openssl-lib
	FreeBSD-openssl-lib32
	FreeBSD-openssl-man

While here, move /usr/bin/krb5-config and /usr/bin/compile_et into
the kerberos-dev package.

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D51925
2025-08-23 01:57:23 +01:00
Mark Johnston b9b0e105c3 krb5: Remove some stray FreeBSD version tags 2025-08-19 13:20:21 +00:00
Mark Johnston 5105e1ebec krb5: Fix the installed compile_et
We now build compile_et from krb5/util/compile_et.  The compile_et make
target runs compile_et.sh through a preprocessor that does some
substitution on the script, in particular it defines the directory where
compile_et can find et_h.awk and et_c.awk.

We build compile_et as a bootstrap tool since it's used to build krb5.
It also gets installed by installworld, presumably because we did that
with Heimdal Kerberos too and there's some chance that third-party
projects are using it.

There are two problems, both fixed by this patch:

First, we don't actually install those awk scripts anywhere, so
/usr/sbin/compile_et isn't usable on an installed system.  Let's simply
install them to /usr/share/et, which is where upstream puts them.

Second, compile_et is a bootstrap tool and gets installed into WORLDTMP
during the bootstrap phase of the build.  At that point we preprocess it
to set the directory where it can find those awk scripts.  That
directory is currently set with `KRB5_ETDIR?= ${DESTDIR}/usr/share/et`,
but DESTDIR points into the object directory, so this value is bogus.

Since all build-time invocations of compile_et explicitly specify the
script directory with the -d option, let's just update the path to point
to the installed script directory.  In particular, avoid fixing DESTDIR
in the script, since we don't do that generally.

PR:		288929
Reviewed by:	ivy, cy
Sponsored by:	The FreeBSD Foundation
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D52004
2025-08-19 13:20:16 +00:00
Cy Schubert cb3eac927b krb5: Update version strings
Fixes:	f1c4c3dacc
2025-08-18 19:03:18 -07:00
Lexi Winter ce9c325a2e krb5: Build pkgconfig files with libraries
For various reasons, trying to build 32-bit compatibility PCFILES
outside of a directory which is not a library doesn't work. Add a
new krb5/Makefile.pc with the build rule for .pc.in.pc, and use
this to build each pc file along with the library it's associated
with.

This means we automatically get 32-bit pcfiles in /usr/lib32, and
is arguably more correct anyway since if we don't build a library
for some reason, we also won't build its pcfiles.

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D51986
2025-08-18 19:57:59 +01:00
Lexi Winter 18a870751b krb5: Fix typo "SPDX-License-Idendifier"
sed -e s/SPDX-License-Idendifier/SPDX-License-Identifier/
2025-08-17 22:17:06 +01:00
Cy Schubert 89c82750da krb5 ksu: Enable prompt for password
Enable prompt for password when no TGT is available.

Reported by:	Dan Mahoney <dmahoney@isc.org>
2025-08-11 15:12:09 -07:00
Lexi Winter 0c13e9c3c4 krb5: Install pkgconfig data
Users of MIT Kerberos expect the MIT pkgconfig files to be installed,
and won't work without them.  For example, this breaks anything that
links against libcurl (ftp/curl) when curl is built with base GSSAPI.

Reviewed by:		ngie, des, cy
Differential Revision:	https://reviews.freebsd.org/D51842
2025-08-11 13:08:49 +01:00
Lexi Winter 10eecc467f krb5: Don't install gssapi.h twice
Currently we install /usr/include/gssapi/gssapi.h twice, once in
krb5/include/gssapi and once in krb5/lib/gssapi.

The version in krb5/include/gssapi is wrong: make searches ${.PATH} and
picks crypto/krb5/src/include/gssapi.h to install, but this is the file
which is supposed to be installed in /usr/include/gssapi.h.

The problem was masked by the fact that we install the correct
gssapi/gssapi.h later in krb5/lib/gssapi.

Remove gssapi.h and the unneeded ${.PATH} entry from krb/include/gssapi
and while here, remove the unused GSSAPI_KRB5 include group.

This change does not affect the ultimate result of installworld,
it just avoids installing the same file twice with different content.

PR:			288594
Reviewed by:		brooks, des
Differential Revision:	https://reviews.freebsd.org/D51840
2025-08-10 16:36:39 +01:00
Cy Schubert f1c4c3dacc krb5: Update MIT KRB5 from 1.21 to 1.22
Merge commit 'd82a140dad3a571d66abb2da24acbba90191f168'
2025-08-09 22:29:02 -07:00
John Baldwin 619feb9dd0 krb5: Don't add -Wno-macro-redefined to CFLAGS
This doesn't exist on GCC and masked warnings in OpenSSH.

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D51811
2025-08-08 13:44:15 -04:00
Lexi Winter 7d2cfb27d6 krb5: Move headers to the kerberos-lib package
Reviewed by:		manu
Differential Revision:	https://reviews.freebsd.org/D51826
2025-08-08 16:36:06 +01:00
Cy Schubert e26259f48a gssapi,krb5: Replace libgssapi with the MIT version
lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed results in broken buildworld (gssd) and ports that will not
build without modifications to support the MIT gssapi in an alternate
location.

73ed0c7992 removed the MIT GSSAPI headers from /usr/include. Apps using
MIT KRB5 gssapi functions and structures will fail to build without this
patch.

This patch includes a temporary patch to usr.sbin/gssd to allow it
to build with this patch. rmacklem@ has a patch for this and for
kgssapi that uses this patch to resolve kgssapi issues for NFS with
Kerberos.

This patch is an updated version of D51661 to allow it to build following
additional patches to the tree.

This should have been implemented with 7e35117eb0.

Fixes:			7e35117eb0, 73ed0c7992
Differential Revision:	https://reviews.freebsd.org/D51661
2025-08-07 10:17:00 -07:00
Cy Schubert a245dc5d68 krb5: Move include/krb5_private to include/krb5
This maintains the krb5.h to krb5/krb5.h relationship during build
while still maintaining no interference from the other Makefile's
variables.
2025-08-07 10:16:30 -07:00
Cy Schubert 9a726ef241 krb5: Move compile_et to /usr/bin as it was with Heimdal
Fixes:		ee3960cba1
2025-08-05 09:33:03 -07:00
Cy Schubert 383e7290c0 krb5: Add missing gssapi header
Fixes:		ee3960cba1
2025-08-05 09:32:42 -07:00
Brooks Davis c791ea80b5 kadm5srv: get common headers from kadm5clnt
Both were installing admin.h, chpass_util_strings.h, and kadm_err.h.
kadm5clnt is ordered first in krb5/lib/Makefile so pick it.

PR:		288594
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1801
2025-08-04 13:58:47 +01:00
Brooks Davis 543b875a8e kadm5srv: remove unused HDRS entries
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1801
2025-08-04 13:58:46 +01:00
Brooks Davis 40a5abfc3f krb5/include/Makefile: don't override *include targets
This was causing kdb.h, krad.h, and krb5.h to be installed twice.

PR:		288594
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1801
2025-08-04 13:58:46 +01:00
Brooks Davis 73ed0c7992 krb5: install gssapi_krb5/gssapi/gssapi.h once
Somewhat arbitrarily chose krb5/lib/gssapi/Makefile to install it.

PR:		288594
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1801
2025-08-04 13:58:46 +01:00
Lexi Winter 04764f2185 krb5: only apply -Wno-alloc-size-larger-than to gcc
Otherwise, this breaks the clang build.
2025-08-04 02:59:04 +01:00
Lexi Winter 624b7beed5 kadm5: add -Wno-alloc-size-larger-than
This trips the gcc build in kadm5/srv/svr_principal.c:

/home/ivy/src/bsd/gcc/crypto/krb5/src/lib/kadm5/srv/svr_principal.c: In function 'apply_keysalt_policy':
/home/ivy/src/bsd/gcc/crypto/krb5/src/lib/kadm5/srv/svr_principal.c:208:14: error: argument 1 range [2147483648, 4294967295] exceeds maximum object size 2147483647 [-Werror=alloc-size-larger-than=]
  208 |     subset = calloc(n_ks_tuple, sizeof(*subset));
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Differential Revision:	https://reviews.freebsd.org/D51577
2025-08-03 23:56:37 +01:00
Baptiste Daroussin 7b68893ffa krb5: remove libedit from the bootstrap tools
libedit breaks the bootstrap on MacOS and Linux.

Activate libedit only for the regular build not for the bootstrap
tools

While here fix the definition of the dependency chain between
libkrb5ss and libedit (and libtinfow) via src.libnames.mk

Remove a local patch to find the readline compatible header and
find them via proper CFLAGS.
2025-07-29 17:49:44 +02:00
Dag-Erling Smørgrav 6c4771c734 krb5: Remove includes from autoconf header.
These #include directives are neither present upstream nor needed.

Reviewed by:	ivy
Differential Revision:	https://reviews.freebsd.org/D51564
2025-07-27 20:19:32 +02:00
Cy Schubert dd0ec030f8 krb5: Bump DSO version for version map creation
Differential Revision:	https://reviews.freebsd.org/D51520
2025-07-27 05:59:34 -07:00
Lexi Winter fb1ccc04ad krb5: don't install libdb manual pages
This version of libdb is private to Kerberos and not intended for
external use, so avoid installing manual pages that may conflict
with another version of libdb.

Reviewed by:	des, cy
Differential Revision:	https://reviews.freebsd.org/D51418
2025-07-25 18:31:27 +01:00
Lexi Winter b98d0566b2 krb5: don't install /usr/include/import_err.h
This header is not installed by upstream krb5, and since it's part of
kdb5_util, installing it causes an unwanted krb5-dev package to be
created.

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D51419
2025-07-25 18:31:26 +01:00
Lexi Winter ca9ccf0ce9 krb5/usr.bin/kadmin: Fix typo kamdin -> kadmin
While here, remove some redundant SUFFIXES.

Reviewed by:	des, cy
Differential Revision:	https://reviews.freebsd.org/D51513
2025-07-25 18:31:26 +01:00
Lexi Winter 6b28571cb6 krb5: Move some manpages to other packages
Move KDC manpages to kerberos-kdc-man.

Move the generic Kerberos manpages (e.g., kerberos.7) to kerberos-man
instead of kerberos-lib-man.  Although they technically describe
behaviour implemented in the libraries, conceptually, they are more
associated with Kerberos in general.

While here, remove some redundant SUFFIXES.

Reviewed by:	manu, cy
Differential Revision:	https://reviews.freebsd.org/D51515
2025-07-25 18:31:26 +01:00
Lexi Winter 98d46e05ab krb5/util/profile: Do not install profile.5
I am not sure what this file from upstream is supposed to be, but it's
not a manual page.  Remove it and add to ObsoleteFiles.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D51517
2025-07-25 18:31:26 +01:00
Lexi Winter 2a454b05f2 krb5: remove private headers
I compared the contents of the FreeBSD-kerberos-lib-dev package with
the contents of the security/krb5 port.  Based on that, remove all
the headers which are installed by base krb5 but not by the port.
These all appear to be internal headers which are not meant to be
publicly visible.

This removes some headers with unfortunate conflict-prone names like
<internal.h> and <dyn.h>.

Reviewed by:	des, cy
Differential Revision:	https://reviews.freebsd.org/D51518
2025-07-25 18:31:26 +01:00
Cy Schubert 110111a6cc Revert "krb5: Use Heimdal DSO names"
This is incorrect.

This reverts commit 5f8493bbf4.
2025-07-24 11:58:39 -07:00
Cy Schubert 5f8493bbf4 krb5: Use Heimdal DSO names
Using MIT DSO names breaks the libc ABI, we are forced to use Heimdal
DSO names. This is not optimal but necessary.

Fixes:		e447c252d0
Requested by:	kib
2025-07-24 10:47:09 -07:00
Cy Schubert e447c252d0 krb5: Merge Heimdal common functions into version maps
Requested by:	kib
2025-07-24 09:31:40 -07:00
Cy Schubert 4680e7fcc7 krb5: Replace version maps with generated version maps
Suggested by:	jhb
Fixes:		ae07a5805b
2025-07-24 09:31:39 -07:00
Cy Schubert 188138106b krb5: Remove a duplicate include of error_tables/Makefile.inc
And move the aggregation of its generated sources to the correct
library, libkrb5.so.

Fixes:		ee3960cba1
2025-07-24 09:31:39 -07:00
Lexi Winter 4cb1baa7d8 krb5: use 'kerberos' as package name
Rename krb5 and krb5-lib to kerberos and kerberos-lib to match the
existing Heimdal package names.  Since it's not possible to build or
install both at the same time, and Heimdal will be removed anyway,
there's no benefit to using a different package name for MIT Kerberos
and doing so will create friction for pkgbase users.

Move a few things (e.g., headers) from kerberos to kerberos-lib.

Move the KDC to a new package, kerberos-kdc, so the client utilities
can be installed without the KDC.  As most systems won't have the KDC
running, this saves a bit of disk space for jails/containers.

Remove a few instances of 'PACKAGE=' in target-specific Makefiles
where we can set that in the parent's Makefile.inc instead.

Revert 01c587521d ("OCI: Attempt to fix "runtime" container")
which is no longer required.

The KDC init script is still installed in the 'rc' package for
compatibility with the security/krb5 port; we should fix this
at some point, possibly after Heimdal is removed.

Reviewed by:	manu, kevans, des
Approved by:	des (mentor), kevans (mentor)
Differential Revision:	https://reviews.freebsd.org/D51420
2025-07-24 11:35:35 +01:00
Cy Schubert 805498e49a KRB5: Add util version maps 2025-07-22 12:09:23 -07:00
Cy Schubert f58febc4ce krb5: Correct version maps
Fixes:		ae07a5805b
2025-07-22 12:09:23 -07:00
Cy Schubert ae07a5805b krb5: Add version maps
Shared objects must have version maps. These were copied from upstream's
*.exports files.

Reminded by:	kib
Fixes:		ee3960cba1
2025-07-22 08:48:40 -07:00
Cy Schubert 0559f30a88 krb5: Install the libkrb5clnt.so symlink with the .so
For 34 days the libclntkrb5.so symlink was installed as libclntkrb5.
Fix this and add the error to ObsoleteFiles.inc.

Noted and Makefile patch by fluffy@.

Fixes:		ee3960cba1
2025-07-08 06:54:27 -07:00
Cy Schubert cbb6e747af krb5/include: com_err.h and verto.h installed by krb5/util
krb5/util/et and krb5/util/verto install com_err.h and verto.h
respectively. Do not install them again. This causes pkgbase
conflicts.

Reported by:	fluffy
Fixes:		ee3960cba1
2025-06-24 08:06:00 -07:00