git: 4de9547f322b - main - Revert "kgssapi: Fix the kgssapi so that it can use MIT Kerberos"
Date: Thu, 07 Aug 2025 00:06:35 UTC
The branch main has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=4de9547f322bb26f146ddd4139610e927afc5ef0
commit 4de9547f322bb26f146ddd4139610e927afc5ef0
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-08-07 00:03:20 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-08-07 00:03:20 +0000
Revert "kgssapi: Fix the kgssapi so that it can use MIT Kerberos"
This broke the build and will have to wait for cy@'s commit.
This reverts commit 554651ebf1c1798fa8fb2560cab761ac3d219555.
---
sys/kgssapi/gss_accept_sec_context.c | 145 +---------
sys/kgssapi/gss_impl.c | 8 +-
sys/kgssapi/gss_init_sec_context.c | 145 +---------
sys/kgssapi/gssapi.h | 42 ---
sys/kgssapi/gssapi_impl.h | 2 +-
sys/kgssapi/gssd.x | 79 +-----
sys/kgssapi/krb5/krb5_mech.c | 80 ------
sys/rpc/rpcsec_gss/rpcsec_gss.c | 50 +---
sys/rpc/rpcsec_gss/rpcsec_gss_int.h | 6 -
sys/rpc/rpcsec_gss/svc_rpcsec_gss.c | 122 ++-------
usr.sbin/Makefile | 2 -
usr.sbin/gssd/Makefile | 9 +-
usr.sbin/gssd/gssd.c | 506 +++--------------------------------
13 files changed, 86 insertions(+), 1110 deletions(-)
diff --git a/sys/kgssapi/gss_accept_sec_context.c b/sys/kgssapi/gss_accept_sec_context.c
index 8a49b85be852..723ed9db9072 100644
--- a/sys/kgssapi/gss_accept_sec_context.c
+++ b/sys/kgssapi/gss_accept_sec_context.c
@@ -41,11 +41,6 @@
#include "gssd.h"
#include "kgss_if.h"
-/*
- * This function should only be called when the gssd
- * daemon running on the system is an old one that
- * does not use gss_krb5_export_lucid_sec_context().
- */
OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_cred_id_t acceptor_cred_handle,
@@ -143,145 +138,7 @@ OM_uint32 gss_accept_sec_context(OM_uint32 *minor_status,
* etc.) to the kernel implementation.
*/
if (res.major_status == GSS_S_COMPLETE)
- res.major_status = kgss_transfer_context(ctx, NULL);
-
- return (res.major_status);
-}
-
-/*
- * This function should be called when the gssd daemon is
- * one that uses gss_krb5_export_lucid_sec_context().
- * There is a lot of code common with
- * gss_accept_sec_context(). However, the structures used
- * are not the same and future changes may be needed for
- * this one. As such, I have not factored out the common
- * code.
- * gss_supports_lucid() may be used to check to see if the
- * gssd daemon uses gss_krb5_export_lucid_sec_context().
- */
-OM_uint32 gss_accept_sec_context_lucid_v1(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- const gss_cred_id_t acceptor_cred_handle,
- const gss_buffer_t input_token,
- const gss_channel_bindings_t input_chan_bindings,
- gss_name_t *src_name,
- gss_OID *mech_type,
- gss_buffer_t output_token,
- OM_uint32 *ret_flags,
- OM_uint32 *time_rec,
- gss_cred_id_t *delegated_cred_handle,
- gss_buffer_t exported_name,
- uid_t *uidp,
- gid_t *gidp,
- int *numgroups,
- gid_t *groups)
-{
- struct accept_sec_context_lucid_v1_res res;
- struct accept_sec_context_lucid_v1_args args;
- enum clnt_stat stat;
- gss_ctx_id_t ctx = *context_handle;
- gss_name_t name;
- gss_cred_id_t cred;
- CLIENT *cl;
-
- cl = kgss_gssd_client();
- if (cl == NULL) {
- *minor_status = 0;
- return (GSS_S_FAILURE);
- }
-
- if (ctx)
- args.ctx = ctx->handle;
- else
- args.ctx = 0;
- if (acceptor_cred_handle)
- args.cred = acceptor_cred_handle->handle;
- else
- args.cred = 0;
- args.input_token = *input_token;
- args.input_chan_bindings = input_chan_bindings;
-
- bzero(&res, sizeof(res));
- stat = gssd_accept_sec_context_lucid_v1_1(&args, &res, cl);
- CLNT_RELEASE(cl);
- if (stat != RPC_SUCCESS) {
- *minor_status = stat;
- return (GSS_S_FAILURE);
- }
-
- if (res.major_status != GSS_S_COMPLETE
- && res.major_status != GSS_S_CONTINUE_NEEDED) {
- *minor_status = res.minor_status;
- xdr_free((xdrproc_t) xdr_accept_sec_context_res, &res);
- return (res.major_status);
- }
-
- *minor_status = res.minor_status;
-
- if (!ctx) {
- ctx = kgss_create_context(res.mech_type);
- if (!ctx) {
- xdr_free((xdrproc_t) xdr_accept_sec_context_res, &res);
- *minor_status = 0;
- return (GSS_S_BAD_MECH);
- }
- }
- *context_handle = ctx;
-
- ctx->handle = res.ctx;
- name = malloc(sizeof(struct _gss_name_t), M_GSSAPI, M_WAITOK);
- name->handle = res.src_name;
- if (src_name) {
- *src_name = name;
- } else {
- OM_uint32 junk;
- gss_release_name(&junk, &name);
- }
- if (mech_type)
- *mech_type = KGSS_MECH_TYPE(ctx);
- kgss_copy_buffer(&res.output_token, output_token);
- if (ret_flags)
- *ret_flags = res.ret_flags;
- if (time_rec)
- *time_rec = res.time_rec;
- cred = malloc(sizeof(struct _gss_cred_id_t), M_GSSAPI, M_WAITOK);
- cred->handle = res.delegated_cred_handle;
- if (delegated_cred_handle) {
- *delegated_cred_handle = cred;
- } else {
- OM_uint32 junk;
- gss_release_cred(&junk, &cred);
- }
-
- /*
- * If the context establishment is complete, export it from
- * userland and hand the result (which includes key material
- * etc.) to the kernel implementation.
- */
- if (res.major_status == GSS_S_COMPLETE) {
- int i, n;
-
- /* First, get the unix credentials. */
- *uidp = res.uid;
- *gidp = res.gid;
- n = res.gidlist.gidlist_len;
- if (n > *numgroups)
- n = *numgroups;
- for (i = 0; i < n; i++)
- groups[i] = res.gidlist.gidlist_val[i];
- *numgroups = n;
-
- /* Next, get the exported_name. */
- kgss_copy_buffer(&res.exported_name, exported_name);
-
- /* Now, handle the lucid credential setup. */
- res.major_status = kgss_transfer_context(ctx, &res.lucid);
- if (res.major_status != GSS_S_COMPLETE)
- printf("gss_accept_sec_context_lucid_v1: "
- "transfer failed\n");
- }
-
- xdr_free((xdrproc_t) xdr_accept_sec_context_res, &res);
+ res.major_status = kgss_transfer_context(ctx);
return (res.major_status);
}
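Review bot: For the re-land this revert announces, the removed gss_accept_sec_context_lucid_v1 frees a `struct accept_sec_context_lucid_v1_res` with the wrong XDR routine — all three `xdr_free((xdrproc_t) xdr_accept_sec_context_res, &res)` calls walk the layout of the non-lucid result, so the lucid key buffers (`res.lucid.ctx_key`, `res.lucid.subkey_key`), `res.exported_name` and the `gidlist` array are either leaked or released through mismatched offsets. The initiator side in gss_init_sec_context.c gets this right with `xdr_init_sec_context_lucid_v1_res`, so the fix is `xdr_free((xdrproc_t) xdr_accept_sec_context_lucid_v1_res, &res);` at each of the three sites. The surviving new-side body of gss_accept_sec_context starts outside this hunk, so I cannot tell whether it releases its own `res`.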
diff --git a/sys/kgssapi/gss_impl.c b/sys/kgssapi/gss_impl.c
index c9cd4d880695..e2569bea61f9 100644
--- a/sys/kgssapi/gss_impl.c
+++ b/sys/kgssapi/gss_impl.c
@@ -192,19 +192,13 @@ kgss_delete_context(gss_ctx_id_t ctx, gss_buffer_t output_token)
}
OM_uint32
-kgss_transfer_context(gss_ctx_id_t ctx, void *lctx)
+kgss_transfer_context(gss_ctx_id_t ctx)
{
struct export_sec_context_res res;
struct export_sec_context_args args;
enum clnt_stat stat;
OM_uint32 maj_stat;
- if (lctx != NULL) {
- maj_stat = KGSS_IMPORT(ctx, MIT_V1, lctx);
- ctx->handle = 0;
- return (maj_stat);
- }
-
KGSS_CURVNET_SET_QUIET(KGSS_TD_TO_VNET(curthread));
if (!KGSS_VNET(kgss_gssd_handle)) {
KGSS_CURVNET_RESTORE();
diff --git a/sys/kgssapi/gss_init_sec_context.c b/sys/kgssapi/gss_init_sec_context.c
index a0f48fda8b29..fa0d3fb2ae19 100644
--- a/sys/kgssapi/gss_init_sec_context.c
+++ b/sys/kgssapi/gss_init_sec_context.c
@@ -42,11 +42,6 @@
#include "gssd.h"
#include "kgss_if.h"
-/*
- * This function should only be called when the gssd
- * daemon running on the system is an old one that
- * does not use gss_krb5_export_lucid_sec_context().
- */
OM_uint32
gss_init_sec_context(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
@@ -138,145 +133,7 @@ gss_init_sec_context(OM_uint32 * minor_status,
* etc.) to the kernel implementation.
*/
if (res.major_status == GSS_S_COMPLETE)
- res.major_status = kgss_transfer_context(ctx, NULL);
-
- return (res.major_status);
-}
-
-OM_uint32
-gss_supports_lucid(uint32_t *minor_status, uint32_t *vers)
-{
- struct supports_lucid_res res;
- enum clnt_stat stat;
- CLIENT *cl;
-
- *minor_status = 0;
-
- cl = kgss_gssd_client();
- if (cl == NULL)
- return (GSS_S_FAILURE);
-
- bzero(&res, sizeof(res));
- stat = gssd_supports_lucid_1(NULL, &res, cl);
- CLNT_RELEASE(cl);
- if (stat != RPC_SUCCESS) {
- *minor_status = stat;
- return (GSS_S_FAILURE);
- }
-
- if (vers)
- *vers = res.vers;
-
- return (res.major_status);
-}
-
-/*
- * This function should be called when the gssd daemon is
- * one that uses gss_krb5_export_lucid_sec_context().
- * There is a lot of code common with
- * gss_init_sec_context(). However, the structures used
- * are not the same and future changes may be needed for
- * this one. As such, I have not factored out the common
- * code.
- * gss_supports_lucid() may be used to check to see if the
- * gssd daemon uses gss_krb5_export_lucid_sec_context().
- */
-OM_uint32
-gss_init_sec_context_lucid_v1(OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
- gss_ctx_id_t * context_handle,
- const gss_name_t target_name,
- const gss_OID input_mech_type,
- OM_uint32 req_flags,
- OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
- const gss_buffer_t input_token,
- gss_OID * actual_mech_type,
- gss_buffer_t output_token,
- OM_uint32 * ret_flags,
- OM_uint32 * time_rec)
-{
- struct init_sec_context_lucid_v1_res res;
- struct init_sec_context_lucid_v1_args args;
- enum clnt_stat stat;
- gss_ctx_id_t ctx = *context_handle;
- CLIENT *cl;
-
- *minor_status = 0;
-
- cl = kgss_gssd_client();
- if (cl == NULL)
- return (GSS_S_FAILURE);
-
- args.uid = curthread->td_ucred->cr_uid;
- if (initiator_cred_handle)
- args.cred = initiator_cred_handle->handle;
- else
- args.cred = 0;
- if (ctx)
- args.ctx = ctx->handle;
- else
- args.ctx = 0;
- args.name = target_name->handle;
- args.mech_type = input_mech_type;
- args.req_flags = req_flags;
- args.time_req = time_req;
- args.input_chan_bindings = input_chan_bindings;
- if (input_token)
- args.input_token = *input_token;
- else {
- args.input_token.length = 0;
- args.input_token.value = NULL;
- }
-
- bzero(&res, sizeof(res));
- stat = gssd_init_sec_context_lucid_v1_1(&args, &res, cl);
- CLNT_RELEASE(cl);
- if (stat != RPC_SUCCESS) {
- *minor_status = stat;
- return (GSS_S_FAILURE);
- }
-
- if (res.major_status != GSS_S_COMPLETE
- && res.major_status != GSS_S_CONTINUE_NEEDED) {
- *minor_status = res.minor_status;
- xdr_free((xdrproc_t) xdr_init_sec_context_lucid_v1_res, &res);
- return (res.major_status);
- }
-
- *minor_status = res.minor_status;
-
- if (!ctx) {
- ctx = kgss_create_context(res.actual_mech_type);
- if (!ctx) {
- xdr_free((xdrproc_t) xdr_init_sec_context_lucid_v1_res, &res);
- *minor_status = 0;
- return (GSS_S_BAD_MECH);
- }
- }
- *context_handle = ctx;
- ctx->handle = res.ctx;
- if (actual_mech_type)
- *actual_mech_type = KGSS_MECH_TYPE(ctx);
- kgss_copy_buffer(&res.output_token, output_token);
- if (ret_flags)
- *ret_flags = res.ret_flags;
- if (time_rec)
- *time_rec = res.time_rec;
-
- /*
- * If the context establishment is complete, export it from
- * userland and hand the result (which includes key material
- * etc.) to the kernel implementation.
- */
- if (res.major_status == GSS_S_COMPLETE) {
- res.major_status = kgss_transfer_context(ctx, &res.lucid);
- if (res.major_status != GSS_S_COMPLETE)
- printf("gss_init_sec_context_lucid_v1: "
- "transfer failed\n");
- }
-
- xdr_free((xdrproc_t) xdr_init_sec_context_lucid_v1_res, &res);
+ res.major_status = kgss_transfer_context(ctx);
return (res.major_status);
}
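Review bot: When the lucid path comes back, `res.lucid.ctx_key` and `res.lucid.subkey_key` hold raw Kerberos session/sub-session keys that gssd handed to the kernel, and the removed gss_init_sec_context_lucid_v1 releases them with a plain `xdr_free(...)`, which does not clear the memory before freeing it. Key material should be wiped first, e.g. `explicit_bzero(res.lucid.ctx_key.value, res.lucid.ctx_key.length);` and the same for `subkey_key`, immediately before the `xdr_free` that follows the `kgss_transfer_context(ctx, &res.lucid)` call. Whether `kgss_transfer_context` or `krb5_lucid_import` already copies and then scrubs its own copies is not visible here, but the copy left in `res` is not scrubbed in this function.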
diff --git a/sys/kgssapi/gssapi.h b/sys/kgssapi/gssapi.h
index cd4a4b508cc5..37cc8a1a5a09 100644
--- a/sys/kgssapi/gssapi.h
+++ b/sys/kgssapi/gssapi.h
@@ -422,28 +422,6 @@ OM_uint32 gss_init_sec_context
OM_uint32 * /* time_rec */
);
-OM_uint32 gss_init_sec_context_lucid_v1
- (OM_uint32 *, /* minor_status */
- const gss_cred_id_t, /* initiator_cred_handle */
- gss_ctx_id_t *, /* context_handle */
- const gss_name_t, /* target_name */
- const gss_OID, /* mech_type */
- OM_uint32, /* req_flags */
- OM_uint32, /* time_req */
- const gss_channel_bindings_t,
- /* input_chan_bindings */
- const gss_buffer_t, /* input_token */
- gss_OID *, /* actual_mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32 *, /* ret_flags */
- OM_uint32 * /* time_rec */
- );
-
-OM_uint32 gss_supports_lucid
- (OM_uint32 *, /* minor_status */
- OM_uint32 * /* vers */
- );
-
OM_uint32 gss_accept_sec_context
(OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
@@ -459,26 +437,6 @@ OM_uint32 gss_accept_sec_context
gss_cred_id_t * /* delegated_cred_handle */
);
-OM_uint32 gss_accept_sec_context_lucid_v1
- (OM_uint32 *, /* minor_status */
- gss_ctx_id_t *, /* context_handle */
- const gss_cred_id_t, /* acceptor_cred_handle */
- const gss_buffer_t, /* input_token_buffer */
- const gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_name_t *, /* src_name */
- gss_OID *, /* mech_type */
- gss_buffer_t, /* output_token */
- OM_uint32 *, /* ret_flags */
- OM_uint32 *, /* time_rec */
- gss_cred_id_t *, /* delegated_cred_handle */
- gss_buffer_t, /* exported_name */
- uid_t *, /* Unix cred */
- gid_t *,
- int *, /* Number of groups */
- gid_t * /* groups list */
- );
-
OM_uint32 gss_delete_sec_context
(OM_uint32 *, /* minor_status */
gss_ctx_id_t *, /* context_handle */
diff --git a/sys/kgssapi/gssapi_impl.h b/sys/kgssapi/gssapi_impl.h
index d8a85f20a602..3279dc8da122 100644
--- a/sys/kgssapi/gssapi_impl.h
+++ b/sys/kgssapi/gssapi_impl.h
@@ -78,5 +78,5 @@ extern gss_OID kgss_find_mech_by_name(const char *name);
extern const char *kgss_find_mech_by_oid(const gss_OID oid);
extern gss_ctx_id_t kgss_create_context(gss_OID mech_type);
extern void kgss_delete_context(gss_ctx_id_t ctx, gss_buffer_t output_token);
-extern OM_uint32 kgss_transfer_context(gss_ctx_id_t ctx, void *lctx);
+extern OM_uint32 kgss_transfer_context(gss_ctx_id_t ctx);
extern void kgss_copy_buffer(const gss_buffer_t from, gss_buffer_t to);
diff --git a/sys/kgssapi/gssd.x b/sys/kgssapi/gssd.x
index bf63ba95f8df..b50f39b33554 100644
--- a/sys/kgssapi/gssd.x
+++ b/sys/kgssapi/gssd.x
@@ -48,21 +48,6 @@ typedef uint64_t gssd_ctx_id_t;
typedef uint64_t gssd_cred_id_t;
typedef uint64_t gssd_name_t;
-struct kgss_lucid_desc {
- uint32_t initiate;
- uint32_t endtime;
- uint64_t send_seq;
- uint64_t recv_seq;
- uint32_t protocol;
- uint32_t rfc_sign;
- uint32_t rfc_seal;
- uint32_t have_subkey;
- uint32_t ctx_type;
- gss_buffer_desc ctx_key;
- uint32_t subkey_type;
- gss_buffer_desc subkey_key;
-};
-
struct init_sec_context_res {
uint32_t major_status;
uint32_t minor_status;
@@ -85,29 +70,6 @@ struct init_sec_context_args {
gss_buffer_desc input_token;
};
-struct init_sec_context_lucid_v1_res {
- uint32_t major_status;
- uint32_t minor_status;
- gssd_ctx_id_t ctx;
- gss_OID actual_mech_type;
- gss_buffer_desc output_token;
- uint32_t ret_flags;
- uint32_t time_rec;
- kgss_lucid_desc lucid;
-};
-
-struct init_sec_context_lucid_v1_args {
- uint32_t uid;
- gssd_cred_id_t cred;
- gssd_ctx_id_t ctx;
- gssd_name_t name;
- gss_OID mech_type;
- uint32_t req_flags;
- uint32_t time_req;
- gss_channel_bindings_t input_chan_bindings;
- gss_buffer_desc input_token;
-};
-
struct accept_sec_context_res {
uint32_t major_status;
uint32_t minor_status;
@@ -127,30 +89,6 @@ struct accept_sec_context_args {
gss_channel_bindings_t input_chan_bindings;
};
-struct accept_sec_context_lucid_v1_res {
- uint32_t major_status;
- uint32_t minor_status;
- gssd_ctx_id_t ctx;
- gssd_name_t src_name;
- gss_OID mech_type;
- gss_buffer_desc output_token;
- uint32_t ret_flags;
- uint32_t time_rec;
- gssd_cred_id_t delegated_cred_handle;
- kgss_lucid_desc lucid;
- gss_buffer_desc exported_name;
- uint32_t uid;
- uint32_t gid;
- uint32_t gidlist<>;
-};
-
-struct accept_sec_context_lucid_v1_args {
- gssd_ctx_id_t ctx;
- gssd_cred_id_t cred;
- gss_buffer_desc input_token;
- gss_channel_bindings_t input_chan_bindings;
-};
-
struct delete_sec_context_res {
uint32_t major_status;
uint32_t minor_status;
@@ -163,8 +101,7 @@ struct delete_sec_context_args {
enum sec_context_format {
KGSS_HEIMDAL_0_6,
- KGSS_HEIMDAL_1_1,
- MIT_V1
+ KGSS_HEIMDAL_1_1
};
struct export_sec_context_res {
@@ -292,11 +229,6 @@ struct ip_to_dns_args {
char ip_addr<NI_MAXHOST>;
};
-struct supports_lucid_res {
- uint32_t major_status;
- uint32_t vers;
-};
-
program GSSD {
version GSSDVERS {
void GSSD_NULL(void) = 0;
@@ -342,14 +274,5 @@ program GSSD {
ip_to_dns_res
GSSD_IP_TO_DNS(ip_to_dns_args) = 14;
-
- init_sec_context_lucid_v1_res
- GSSD_INIT_SEC_CONTEXT_LUCID_V1(init_sec_context_lucid_v1_args) = 15;
-
- accept_sec_context_lucid_v1_res
- GSSD_ACCEPT_SEC_CONTEXT_LUCID_V1(accept_sec_context_lucid_v1_args) = 16;
-
- supports_lucid_res
- GSSD_SUPPORTS_LUCID(void) = 17;
} = 1;
} = 0x40677373;
diff --git a/sys/kgssapi/krb5/krb5_mech.c b/sys/kgssapi/krb5/krb5_mech.c
index 59d5b120e4fb..0b8fbc90fcd1 100644
--- a/sys/kgssapi/krb5/krb5_mech.c
+++ b/sys/kgssapi/krb5/krb5_mech.c
@@ -217,18 +217,6 @@ copy_key(struct krb5_keyblock *from, struct krb5_keyblock **to)
*to = NULL;
}
-static void
-copy_lucid_key(gss_buffer_desc *from, uint32_t type, struct krb5_keyblock *to)
-{
-
- to->kk_type = type;
- to->kk_key.kd_length = from->length;
- if (from->length > 0) {
- to->kk_key.kd_data = malloc(from->length, M_GSSAPI, M_WAITOK);
- memcpy(to->kk_key.kd_data, from->value, from->length);
- }
-}
-
/*
* Return non-zero if we are initiator.
*/
@@ -413,70 +401,6 @@ krb5_init(gss_ctx_id_t ctx)
mtx_init(&kc->kc_lock, "krb5 gss lock", NULL, MTX_DEF);
}
-static OM_uint32
-krb5_lucid_import(gss_ctx_id_t ctx,
- enum sec_context_format format,
- const gss_buffer_t context_token)
-{
- struct krb5_context *kc = (struct krb5_context *)ctx;
- kgss_lucid_desc *lctx = (kgss_lucid_desc *)context_token;
- OM_uint32 res;
-
- kc->kc_more_flags = 0;
- if (lctx->protocol == 0) {
- kc->kc_cksumtype = lctx->rfc_sign;
- kc->kc_keytype = lctx->rfc_seal;
- copy_lucid_key(&lctx->ctx_key, lctx->ctx_type,
- &kc->kc_keyblock);
- } else if (lctx->protocol == 1) {
- if (lctx->have_subkey != 0) {
- if (lctx->initiate != 0)
- copy_lucid_key(&lctx->subkey_key,
- lctx->subkey_type,
- &kc->kc_remote_subkey);
- else
- copy_lucid_key(&lctx->subkey_key,
- lctx->subkey_type,
- &kc->kc_local_subkey);
- kc->kc_cksumtype = lctx->subkey_type;
- kc->kc_keytype = lctx->subkey_type;
- kc->kc_more_flags |= ACCEPTOR_SUBKEY;
- } else {
- if (lctx->initiate != 0)
- copy_lucid_key(&lctx->ctx_key,
- lctx->ctx_type,
- &kc->kc_remote_subkey);
- else
- copy_lucid_key(&lctx->ctx_key,
- lctx->ctx_type,
- &kc->kc_local_subkey);
- kc->kc_cksumtype = lctx->ctx_type;
- kc->kc_keytype = lctx->ctx_type;
- }
- } else {
- return (GSS_S_DEFECTIVE_TOKEN);
- }
- kc->kc_local_seqnumber = lctx->send_seq;
- kc->kc_remote_seqnumber = lctx->recv_seq;
- if (lctx->initiate != 0)
- kc->kc_more_flags |= LOCAL;
- kc->kc_lifetime = lctx->endtime;
- kc->kc_msg_order.km_flags = 0;
-
- res = get_keys(kc);
- if (GSS_ERROR(res))
- return (res);
-
- /*
- * We don't need these anymore.
- */
- delete_keyblock(&kc->kc_keyblock);
- delete_keyblock(&kc->kc_local_subkey);
- delete_keyblock(&kc->kc_remote_subkey);
-
- return (GSS_S_COMPLETE);
-}
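Review bot: The removed krb5_lucid_import reinterprets its `gss_buffer_t context_token` parameter as a `kgss_lucid_desc *` purely because the caller passed `format == MIT_V1`, which is a type pun through the generic KGSS_IMPORT interface and easy to get wrong from any other call site; on re-land a separate mech method (or a union in the import arguments) would make the contract explicit. Also, if `get_keys(kc)` fails the keyblocks already filled by `copy_lucid_key` are not deleted on that error return — they may be released later by context teardown, but that is not visible here and is worth confirming. A one-line comment on the cast, such as `/* context_token is really a kgss_lucid_desc when format == MIT_V1 */`, would at least document the aliasing until the interface is cleaned up.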
-
static OM_uint32
krb5_import(gss_ctx_id_t ctx,
enum sec_context_format format,
@@ -489,10 +413,6 @@ krb5_import(gss_ctx_id_t ctx,
uint32_t flags;
int i;
- /* For MIT, just call krb5_lucid_import(). */
- if (format == MIT_V1)
- return (krb5_lucid_import(ctx, format, context_token));
-
/*
* We support heimdal 0.6 and heimdal 1.1
*/
diff --git a/sys/rpc/rpcsec_gss/rpcsec_gss.c b/sys/rpc/rpcsec_gss/rpcsec_gss.c
index 53770d139c61..983dd251f81f 100644
--- a/sys/rpc/rpcsec_gss/rpcsec_gss.c
+++ b/sys/rpc/rpcsec_gss/rpcsec_gss.c
@@ -746,7 +746,6 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
struct rpc_callextra ext;
gss_OID mech_oid;
gss_OID_set mechlist;
- static enum krb_imp my_krb_imp = KRBIMP_UNKNOWN;
rpc_gss_log_debug("in rpc_gss_refresh()");
@@ -853,14 +852,6 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
goto out;
}
- if (my_krb_imp == KRBIMP_UNKNOWN) {
- maj_stat = gss_supports_lucid(&min_stat, NULL);
- if (maj_stat == GSS_S_COMPLETE)
- my_krb_imp = KRBIMP_MIT;
- else
- my_krb_imp = KRBIMP_HESIOD1;
- }
-
/* GSS context establishment loop. */
memset(&recv_token, 0, sizeof(recv_token));
memset(&gr, 0, sizeof(gr));
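Review bot: The removed probe caches the implementation choice in a function-scope `static enum krb_imp my_krb_imp` for the lifetime of the kernel, and any failure of `gss_supports_lucid` — including gssd simply not running yet (`kgss_gssd_client()` returning NULL), or an RPC error — is recorded as `KRBIMP_HESIOD1` permanently, so a later start or restart of an MIT-based gssd is never detected. For the re-land, only commit the result when the RPC actually succeeded and otherwise leave `my_krb_imp` at `KRBIMP_UNKNOWN` so the next `rpc_gss_init` retries; the probe is one local RPC per context setup, which is cheap. Unrelated to correctness, `KRBIMP_HESIOD1` appears to mean Heimdal (Hesiod is an unrelated MIT directory service), so `KRBIMP_HEIMDAL` would avoid confusion. The enclosing rpc_gss_init continues outside this hunk.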
@@ -871,34 +862,19 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
for (;;) {
crsave = td->td_ucred;
td->td_ucred = gd->gd_ucred;
- if (my_krb_imp == KRBIMP_MIT)
- maj_stat = gss_init_sec_context_lucid_v1(&min_stat,
- gd->gd_options.my_cred,
- &gd->gd_ctx,
- name,
- gd->gd_mech,
- gd->gd_options.req_flags,
- gd->gd_options.time_req,
- gd->gd_options.input_channel_bindings,
- recv_tokenp,
- &gd->gd_mech, /* used mech */
- &send_token,
- &options_ret->ret_flags,
- &options_ret->time_req);
- else
- maj_stat = gss_init_sec_context(&min_stat,
- gd->gd_options.my_cred,
- &gd->gd_ctx,
- name,
- gd->gd_mech,
- gd->gd_options.req_flags,
- gd->gd_options.time_req,
- gd->gd_options.input_channel_bindings,
- recv_tokenp,
- &gd->gd_mech, /* used mech */
- &send_token,
- &options_ret->ret_flags,
- &options_ret->time_req);
+ maj_stat = gss_init_sec_context(&min_stat,
+ gd->gd_options.my_cred,
+ &gd->gd_ctx,
+ name,
+ gd->gd_mech,
+ gd->gd_options.req_flags,
+ gd->gd_options.time_req,
+ gd->gd_options.input_channel_bindings,
+ recv_tokenp,
+ &gd->gd_mech, /* used mech */
+ &send_token,
+ &options_ret->ret_flags,
+ &options_ret->time_req);
td->td_ucred = crsave;
/*
diff --git a/sys/rpc/rpcsec_gss/rpcsec_gss_int.h b/sys/rpc/rpcsec_gss/rpcsec_gss_int.h
index 02a7767220de..3d643af8c498 100644
--- a/sys/rpc/rpcsec_gss/rpcsec_gss_int.h
+++ b/sys/rpc/rpcsec_gss/rpcsec_gss_int.h
@@ -73,12 +73,6 @@ struct rpc_gss_init_res {
/* Maximum sequence number value. */
#define MAXSEQ 0x80000000
-enum krb_imp {
- KRBIMP_UNKNOWN,
- KRBIMP_HESIOD1,
- KRBIMP_MIT
-};
-
/* Prototypes. */
__BEGIN_DECLS
diff --git a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
index e047c557c712..51077c71822c 100644
--- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
@@ -925,29 +925,9 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
OM_uint32 maj_stat = 0, min_stat = 0, ret_flags;
OM_uint32 cred_lifetime;
struct svc_rpc_gss_svc_name *sname;
- gss_buffer_desc export_name;
- rpc_gss_ucred_t *uc = &client->cl_ucred;
- int numgroups;
- static enum krb_imp my_krb_imp = KRBIMP_UNKNOWN;
rpc_gss_log_debug("in svc_rpc_gss_accept_context()");
- if (my_krb_imp == KRBIMP_UNKNOWN) {
- maj_stat = gss_supports_lucid(&min_stat, NULL);
- if (maj_stat == GSS_S_COMPLETE)
- my_krb_imp = KRBIMP_MIT;
- else
- my_krb_imp = KRBIMP_HESIOD1;
- min_stat = 0;
- }
-
- if (my_krb_imp == KRBIMP_MIT) {
- uc->uid = 65534;
- uc->gid = 65534;
- uc->gidlist = client->cl_gid_storage;
- numgroups = NGROUPS;
- }
-
/* Deserialize arguments. */
memset(&recv_tok, 0, sizeof(recv_tok));
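Review bot: The removed server-side code duplicates the probe-and-cache logic from rpcsec_gss.c (a second `static enum krb_imp my_krb_imp` with the same failure-caches-as-Heimdal behaviour), and hardcodes `uc->uid = 65534; uc->gid = 65534;` as the pre-authentication placeholder. If this is re-landed, a single shared helper in kgssapi (e.g. `kgss_krb_imp()`) would keep client and server in agreement, and the 65534 placeholder deserves a named constant with a comment such as `/* nobody until the lucid accept supplies real unix creds */`. svc_rpc_gss_accept_sec_context continues outside this hunk.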
@@ -969,38 +949,18 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
if (sname->sn_program == rqst->rq_prog
&& sname->sn_version == rqst->rq_vers) {
retry:
- if (my_krb_imp == KRBIMP_MIT)
- gr->gr_major =
- gss_accept_sec_context_lucid_v1(
- &gr->gr_minor,
- &client->cl_ctx,
- sname->sn_cred,
- &recv_tok,
- GSS_C_NO_CHANNEL_BINDINGS,
- &client->cl_cname,
- &mech,
- &gr->gr_token,
- &ret_flags,
- &cred_lifetime,
- &client->cl_creds,
- &export_name,
- &uc->uid,
- &uc->gid,
- &numgroups,
- &uc->gidlist[0]);
- else
- gr->gr_major = gss_accept_sec_context(
- &gr->gr_minor,
- &client->cl_ctx,
- sname->sn_cred,
- &recv_tok,
- GSS_C_NO_CHANNEL_BINDINGS,
- &client->cl_cname,
- &mech,
- &gr->gr_token,
- &ret_flags,
- &cred_lifetime,
- &client->cl_creds);
+ gr->gr_major = gss_accept_sec_context(
+ &gr->gr_minor,
+ &client->cl_ctx,
+ sname->sn_cred,
+ &recv_tok,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &client->cl_cname,
+ &mech,
+ &gr->gr_token,
+ &ret_flags,
+ &cred_lifetime,
+ &client->cl_creds);
if (gr->gr_major ==
GSS_S_CREDENTIALS_EXPIRED) {
/*
@@ -1022,37 +982,18 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
return (FALSE);
}
} else {
- if (my_krb_imp == KRBIMP_MIT)
- gr->gr_major = gss_accept_sec_context_lucid_v1(
- &gr->gr_minor,
- &client->cl_ctx,
- client->cl_sname->sn_cred,
- &recv_tok,
- GSS_C_NO_CHANNEL_BINDINGS,
- &client->cl_cname,
- &mech,
- &gr->gr_token,
- &ret_flags,
- &cred_lifetime,
- NULL,
- &export_name,
- &uc->uid,
- &uc->gid,
- &numgroups,
- &uc->gidlist[0]);
- else
- gr->gr_major = gss_accept_sec_context(
- &gr->gr_minor,
- &client->cl_ctx,
- client->cl_sname->sn_cred,
- &recv_tok,
- GSS_C_NO_CHANNEL_BINDINGS,
- &client->cl_cname,
- &mech,
- &gr->gr_token,
- &ret_flags,
- &cred_lifetime,
- NULL);
+ gr->gr_major = gss_accept_sec_context(
+ &gr->gr_minor,
+ &client->cl_ctx,
+ client->cl_sname->sn_cred,
+ &recv_tok,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &client->cl_cname,
+ &mech,
+ &gr->gr_token,
+ &ret_flags,
+ &cred_lifetime,
+ NULL);
}
sx_xunlock(&svc_rpc_gss_lock);
@@ -1068,12 +1009,8 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
rpc_gss_log_status("accept_sec_context", client->cl_mech,
gr->gr_major, gr->gr_minor);
client->cl_state = CLIENT_STALE;
- if (my_krb_imp == KRBIMP_MIT)
- uc->gidlen = 0;
return (TRUE);
}
- if (my_krb_imp == KRBIMP_MIT)
- uc->gidlen = numgroups;
gr->gr_handle.value = &client->cl_id;
gr->gr_handle.length = sizeof(client->cl_id);
@@ -1085,6 +1022,8 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
client->cl_done_callback = FALSE;
if (gr->gr_major == GSS_S_COMPLETE) {
+ gss_buffer_desc export_name;
+
/*
* Change client expiration time to be near when the
* client creds expire (or 24 hours if we can't figure
@@ -1107,10 +1046,8 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
*/
client->cl_rawcred.version = RPCSEC_GSS_VERSION;
rpc_gss_oid_to_mech(mech, &client->cl_rawcred.mechanism);
- maj_stat = GSS_S_COMPLETE;
- if (my_krb_imp != KRBIMP_MIT)
- maj_stat = gss_export_name(&min_stat, client->cl_cname,
- &export_name);
+ maj_stat = gss_export_name(&min_stat, client->cl_cname,
+ &export_name);
if (maj_stat != GSS_S_COMPLETE) {
rpc_gss_log_status("gss_export_name", client->cl_mech,
maj_stat, min_stat);
@@ -1131,8 +1068,7 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
* Use gss_pname_to_uid to map to unix creds. For
* kerberos5, this uses krb5_aname_to_localname.
*/
- if (my_krb_imp != KRBIMP_MIT)
- svc_rpc_gss_build_ucred(client, client->cl_cname);
+ svc_rpc_gss_build_ucred(client, client->cl_cname);
svc_rpc_gss_set_flavor(client);
gss_release_name(&min_stat, &client->cl_cname);
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index 51908818e550..c361c1e5866d 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -140,9 +140,7 @@ SUBDIR.${MK_FLOPPY}+= fdformat
SUBDIR.${MK_FLOPPY}+= fdread
SUBDIR.${MK_FLOPPY}+= fdwrite
SUBDIR.${MK_FREEBSD_UPDATE}+= freebsd-update
-.if ${MK_KERBEROS_SUPPORT} != "no"
SUBDIR.${MK_GSSAPI}+= gssd
-.endif
SUBDIR.${MK_GPIO}+= gpioctl
SUBDIR.${MK_HYPERV}+= hyperv
SUBDIR.${MK_INET6}+= ip6addrctl
diff --git a/usr.sbin/gssd/Makefile b/usr.sbin/gssd/Makefile
index 2cbe909c8178..569e2c7e18f5 100644
--- a/usr.sbin/gssd/Makefile
+++ b/usr.sbin/gssd/Makefile
@@ -9,13 +9,18 @@ SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c
CFLAGS+= -I.
WARNS?= 1
+LIBADD= gssapi
+.if ${MK_KERBEROS_SUPPORT} != "no"
.if ${MK_MITKRB5} != "no"
# MIT KRB5
-LIBADD= krb5 k5crypto krb5profile krb5support gssapi_krb5
+LIBADD+= krb5 k5crypto krb5profile krb5support
CFLAGS+= -DMK_MITKRB5=yes
.else
# Heimdal
-LIBADD= gssapi krb5 roken
*** 661 LINES SKIPPED ***