| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The "-f" dump option allows a dump of the Heimdal
KDC in a format that the MIT kdb5_util command can
load into a MIT KDC's database.
This makes transitioning from the Heimdal KDC to
the current MIT one feasible without having to
re-create the KDC database from scratch.
glebius@ did the initial work, cherry picking these
commits from the Heimdal sources on github and then doing
extensive merge conflict resolution and other fixes so
that it would build.
Heimdal commit fca5399 authored by Nico Williams:
Initial commit for second approach for multiple kvno. NOT TESTED!
Heimdal commit 57f1545 authored by Nico Williams:
Add support for writing to KDB and dumping HDB to MIT KDB dump format
Before this change Heimdal could read KDBs. Now it can write to
them too.
Heimdal can now also dump HDBs (including KDBs) in MIT format,
which can then be imported with kdb5_util load.
This is intended to help in migrations from MIT to Heimdal by
allowing migrations from Heimdal to MIT so that it is possible
to rollback from Heimdal to MIT should there be any issues. The
idea is to allow a) running Heimdal kdc/kadmind with a KDB, or
b) running Heimdal with an HDB converted from a KDB and then
rollback by dumping the HDB and loading a KDB.
Note that not all TL data types are supported, only two: last
password change and modify-by. This is the minimum necessary.
PKINIT users may need to add support for KRB5_TL_USER_CERTIFICATE,
and for databases with K/M history we may need to add KRB5_TL_MKVNO
support.
This resulted in a Heimdal kadmin that would dump
the KDC database in MIT format. However, there
were issues when this dump was loaded into the
current MIT KDC in FreeBSD current/15.0.
The changes I did to make the dump more useful are listed below:
When "-f MIT" is used for "kadmin -l dump" it writes
the dump out in MIT format. This dump format is understood
by the MIT kdb5_util command. The patch modifies the above
so that the MIT KDC's master key keytab file can be provided
as the argument to "-f" so that the principals are re-encrypted in
it. This allows any principal with at least one strong encryption
type key to work without needing a change_password.
The strong encryption types supported by the Heimdal KDC are:
aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
The issues my changes address are:
- If there are weak encryption keys in a principal's entry,
MIT's kadmin.local will report that the principcal's entry
is incomplete or corrupted.
- The keys are encrypted in Heimdal's master key. The
"-d" option can be used on the "kadmin -l dump" to
de-encrypt them, but the passwords will not work on the
current MIT KDC.
To try and deal with the above issues, this patch modied the above to:
- Does not dump the weak keys.
- Re-encrypts the strong keys in MIT's master key if the argument
to "-f" is actually a filename which holds the MIT KDC's
master key keytab and not "MIT".
- For principals that only have weak keys, it generates
a fake strong key. This key will not work on the MIT
KDC, but the principal entry will work once a
change_password is done to it.
- It always generates a "modified_by" entry, faking one if
not already present in the Heimdal KDC database.
This was necessary, since the MIT kadmin will
report that the principal entry is "incomplete or
corrupted" without one.
It also fixed a problem where "get principal" no longer
worked after the initial patch was applied.
A man page update will be done as a separate commit.
I believe this commit is acceptable since the Heimdal
sources are now essentially deprecated in favor of the
MIT sources and that this new "-f" patch simplifies
the transition to the MIT KDC.
Discussed with: glebius, cy
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When LIB_PACKAGE was added, MIT Kerberos was updated to use it but
Heimdal was not, so it still used PACKAGE=kerberos-lib. Since we
deleted kerberos-lib-all.ucl, this caused update-packages to fail
when WITHOUT_MITKRB5 is set.
Change the Heimdal libraries to use LIB_PACKAGE by setting this in
kerberos5/lib/Makefile.inc, and remove PACKAGE=kerberos-lib from the
individual Makefiles for each library. This means Heimdal gets the
same set of packages as MIT Kerberos, except for kerberos-kdc which
we don't create for Heimdal.
Fixes: 929f5966a9fd ("packages: Improve handling of -lib packages")
Reported by: jlduran
Reviewed by: jlduran, cy
Differential Revision: https://reviews.freebsd.org/D52371
|
| |
|
|
|
|
|
|
|
| |
- Bump the library version.
- Don't load the legacy provider. It is no longer enabled by default
and looks like kdc doesn't actually need it.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D52114
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.
While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system. This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D51859
|
| |
|
|
|
|
|
|
|
| |
Commit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure.
A bunch of NO_LINT definitions remained (perhaps as a bootstrapping
measture). Remove them.
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D50704
|
| |
|
|
|
| |
Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D49548
|
| |
|
|
|
|
|
| |
This is a residual of the $FreeBSD$ removal.
MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
|
| |
|
|
|
|
|
|
|
|
| |
By using the full library name (libcrypto.so.30) we avoid the exposure
of using an old, possibly vulnerable, library.
Reported by: jrtc27
MFC after: 3 days
X-MFC with: 476d63e091c2
Fixes: 476d63e091c2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.
When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().
This is the second attempt at this patch. Instead of linking
secure/lib/libcrypto at build time we now link it at runtime, avoiding
buildworld failures under Linux and MacOS. This is because
TARGET_ENDIANNESS is undefined at pre-build time.
PR: 272835
MFC after: 3 days
X-MFC: only to stable/14
Tested by: netchild
Joerg Pulz <Joerg.Pulz@frm2.tum.de> (previous version)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This revision breaks Linux and MacOS cross builds because
TARGET_ENDIANNESS is not define during bootstrapping on these
platforms.
I think the correct approach would be to separate the new
fbsd_ossl_provider_load() and unload functions into their own
library (instead of libroken). This avoids the less desirable
option of including bsd.cpu.mk in secure/lib/Makefile.common,
which does build but could complicate future work.
Reported by: jrtc27
This reverts commit cb350ba7bf7ca7c4cb97ed2c20ab45af60382cfb.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.
When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().
PR: 272835
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D43009
Tested by: netchild, Joerg Pulz <Joerg.Pulz@frm2.tum.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the uncommon items: Go through the tree and remove sccs tags that
didn't fit any nice pattern. If in the neighborhood, other SCM tags were
removed when they were detritis of long-ago CVS somehow in the early
mists of the project. Some adjacent copyrights stringswere removed (they
duplicated the copyright notices in the file). This also removed
non-standard formations of omission of SCCS tags (usually by adding an
extra #if 0 somewhere.
After this commit, a number of strings tagged with the 'what' @(#)
prefix remain, but they are primarily copyright notices.
Sponsored by: Netflix
|
| |
|
|
| |
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| |
|
|
| |
Remove /^/[*/]\s*\$FreeBSD\$.*\n/
|
| |
|
|
| |
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
| |
|
|
|
|
|
|
| |
See commit 8fad2cda93c7 ("bsd.compat.mk: Provide new CPP and sub-make
variables") for the context behind this change.
Reviewed by: emaste, imp, brooks, jhb
Differential Revision: https://reviews.freebsd.org/D40926
|
| |
|
|
|
|
|
| |
This is needed to build with OpenSSL 3.0; a future update should switch
to using native OpenSSL 3 APIs.
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
| |
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix
|
| | |
|
| |
|
|
|
|
|
|
| |
Heimdal's lib/hdb/db3.c is only built if DB3 is enabled, i.e. #if HAVE_DB3.
FreeBSD's bdb is DB1. Therefore the entire db3.c file is #ifdef'd out.
Let's avoid building a file that results in a useless object file.
MFC after: 1 week
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
This allows installing packages that depend on kerberos libraries
without pulling in all the binaries. It also moves libgssapi to runtime
to allow installing kerbereos libraries without adding a dependancy on
the large utilities package. It makes sense to put libgssapi in runtime
rather than kerberos-lib since this is a plugin layer which is intended
to support any GSS-API mechanisms, not just kerberos.
A good example of a package which uses kerberos libraries without
needing the kerberos utilities is sshd. This uses the kerberos GSS-API
libraries to implement its GSSAPIAuthentication option.
MFC after: 2 weeks
Subscribers: imp
Differential Revision: https://reviews.freebsd.org/D36028
|
| |
|
|
|
|
|
| |
This allows users to install or not kerberos related utilities
and libs.
Differential Revision: https://reviews.freebsd.org/D31801
|
| |
|
|
|
|
|
| |
Restore WARNS to its former glory prior to the global WARNS change to fix
the build.
MFC-after: 3 days
|
| |
|
|
|
|
|
|
|
| |
Building the kerberos5 subdirectory currently produces lots of warnings.
Since there are many instances of these warnings and it's contrib code,
this change silences the warnings instead of fixing them.
Reviewed By: jhb, cy, bjk
Differential Revision: https://reviews.freebsd.org/D28025
|
| |
|
|
| |
Notes:
svn path=/head/; revision=366699
|
| |
|
|
| |
Notes:
svn path=/head/; revision=365581
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files
Reviewed by: bdrewery
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D22494
Notes:
svn path=/head/; revision=355617
|
| |
|
|
|
|
|
|
|
|
|
| |
When building on MacOS with a UTF-8 locale sed will fail when reading
krb-config.in due to invalid characters. Forcing the "C" locale fixes this.
Reviewed By: emaste, cy
Differential Revision: https://reviews.freebsd.org/D16849
Notes:
svn path=/head/; revision=349576
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Building binaries as PIE allows the executable itself to be loaded at a
random address when ASLR is enabled (not just its shared libraries).
With this change PIE objects have a .pieo extension and INTERNALLIB
libraries libXXX_pie.a.
MK_PIE is disabled for some kerberos5 tools, Clang, and Subversion, as
they explicitly reference .a libraries in their Makefiles. These can
be addressed on an individual basis later. MK_PIE is also disabled for
rtld-elf because it is already position-independent using bespoke
Makefile rules.
Currently only dynamically linked binaries will be built as PIE.
Discussed with: dim
Reviewed by: kib
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18423
Notes:
svn path=/head/; revision=344179
|
| |
|
|
|
|
|
|
|
|
| |
This fixes build when com_err.h is not installed.
PR: 234691
MFC after: 1 week
Notes:
svn path=/head/; revision=343011
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Existing work is underway to import a newer version of heimdal, but
this patchset gets us to a fully working tree to enable more wide
spread testing of OpenSSL 1.1 for now.
I've also enabled WARNS=1 for kerberos (which is the reason for the
change in libroken). Having -Werror enabled was useful during the
1.1 updates and we probably should have warnings enabled by default
for kerberos anyway.
This passes make tinderbox, and I have also done some very light
runtime testing on amd64.
Reviewed by: bjk, jkim, emaste
Differential Revision: https://reviews.freebsd.org/D17276
Notes:
svn path=/projects/openssl111/; revision=339198
|
| |
|
|
|
|
|
| |
MFC after: 1 week
Notes:
svn path=/head/; revision=337665
|
| |
|
|
|
|
|
| |
MFC after: 3 days
Notes:
svn path=/head/; revision=336151
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
No functional change intended.
Notes:
svn path=/head/; revision=326276
|
| |
|
|
|
|
|
| |
Sponsored by: Dell EMC Isilon
Notes:
svn path=/head/; revision=325188
|
| |
|
|
|
|
|
|
|
| |
with the rest of the Makefiles in kerberos5/.
MFC after: 1 week
Notes:
svn path=/head/; revision=322749
|
| |
|
|
|
|
|
| |
MFC after: 1 week
Notes:
svn path=/head/; revision=322113
|
| |
|
|
|
|
|
|
|
|
| |
As kerberos5/lib/krb5 include files are already referenced it makes
no sense to generate it again here.
MFC after: 1 month
Notes:
svn path=/head/; revision=322112
|
| |
|
|
| |
Notes:
svn path=/head/; revision=321504
|
| |
|
|
|
|
|
|
|
|
|
| |
using libc's version of qsort.
PR: bin/213922
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D10814
Notes:
svn path=/head/; revision=318917
|
| |
|
|
|
|
|
|
|
|
| |
This simplifies make logic/output
MFC after: 1 month
Sponsored by: Dell EMC Isilon
Notes:
svn path=/head/; revision=314657
|
| |
|
|
|
|
|
|
|
| |
if MK_GSSAPI != "no"
MFC after: 1 week
Notes:
svn path=/head/; revision=311115
|
| |
|
|
|
|
|
| |
MFC after: 1 week
Notes:
svn path=/head/; revision=311114
|
| |
|
|
|
|
|
|
|
| |
their building on the knob
MFC after: 1 week
Notes:
svn path=/head/; revision=311112
|
| |
|
|
|
|
|
|
| |
Approved by: re (gjb)
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=301891
|
| |
|
|
|
|
|
|
|
|
| |
This is a NOP but is done for style and to reduce confusion.
Approved by: re (implicit)
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=301883
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The first file in these lists will generate everything else so only
it should be getting a .meta file. With bmake's missing=yes meta
feature these would otherwise cause a rebuild without the
.NOMETA hint.
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=301285
|
| |
|
|
|
|
|
| |
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=301283
|
| |
|
|
|
|
|
|
|
|
| |
Reviewed by: emaste, hselasky (partial), brooks (brief)
Discussed on: arch@
Sponsored by: EMC / Isilon Storage Division
Differential Revision: https://reviews.freebsd.org/D5742
Notes:
svn path=/head/; revision=297434
|
