git: e26259f48afe - main - gssapi,krb5: Replace libgssapi with the MIT version
Date: Thu, 07 Aug 2025 17:17:37 UTC
The branch main has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=e26259f48afe98022d885f02fbb8abcd7878e41a
commit e26259f48afe98022d885f02fbb8abcd7878e41a
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-07-31 16:51:20 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-08-07 17:17:00 +0000
gssapi,krb5: Replace libgssapi with the MIT version
lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed results in broken buildworld (gssd) and ports that will not
build without modifications to support the MIT gssapi in an alternate
location.
73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using
MIT KRB5 gssapi functions and structures will fail to build without this
patch.
This patch includes a temporary patch to usr.sbin/gssd to allow it
to build with this patch. rmacklem@ has a patch for this and for
kgssapi that uses this patch to resolve kgssapi issues for NFS with
Kerberos.
This patch is an updated version of D51661 to allow it to build following
additional patchs to the tree.
This should have been implmented with 7e35117eb07f.
Fixes: 7e35117eb07f, 73ed0c7992fd
Differential Revision: https://reviews.freebsd.org/D51661
---
Makefile.inc1 | 6 ++++--
ObsoleteFiles.inc | 6 ++++++
etc/gss-krb5/Makefile | 2 +-
etc/gss-krb5/qop | 1 -
etc/mtree/BSD.include.dist | 4 ----
include/Makefile | 2 +-
krb5/include/Makefile | 5 ++---
krb5/include/gssapi/Makefile | 9 ++-------
krb5/lib/gssapi/generic/Makefile.inc | 2 +-
lib/Makefile | 7 ++++++-
lib/librpcsec_gss/Makefile | 6 ++++++
secure/libexec/sshd-session/Makefile | 9 ++++-----
secure/usr.bin/ssh/Makefile | 4 ++++
secure/usr.sbin/sshd/Makefile | 4 ++++
share/mk/src.libnames.mk | 4 ++++
tools/build/mk/OptionalObsoleteFiles.inc | 3 +++
usr.sbin/gssd/Makefile | 5 ++---
usr.sbin/gssd/gssd.c | 3 +++
18 files changed, 53 insertions(+), 29 deletions(-)
diff --git a/Makefile.inc1 b/Makefile.inc1
index e6c9b49eefa3..9128d1d8ee77 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -3379,8 +3379,8 @@ secure/lib/libssh__L: lib/libldns__L
.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
.if ${MK_MITKRB5} != "no"
-secure/lib/libssh__L: lib/libgssapi__L krb5/lib/krb5__L \
- krb5/util/et__L lib/libmd__L krb5/util/support__L
+secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \
+ krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L
.else
secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \
kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \
@@ -3437,8 +3437,10 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__L kerberos5/lib/libheimbas
lib/libsqlite3__L: lib/libthr__L
.if ${MK_GSSAPI} != "no"
+.if ${MK_MITKRB5} == "no"
_lib_libgssapi= lib/libgssapi
.endif
+.endif
.if ${MK_KERBEROS} != "no"
.if ${MK_MITKRB5} != "no"
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 86a449c80a76..2f63bbea5a49 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -51,6 +51,12 @@
# xargs -n1 | sort | uniq -d;
# done
+# 20250807: Replace lib/libgssapi with krb5/lib/gssapi
+OLD_FILES+=usr/include/gssapi_krb5/gssapi/gssapi.h
+OLD_DIRS+=usr/include/gssapi_krb5/gssapi
+OLD_DIRS+=usr/include/gssapi_krb5
+OLD_FILES+=etc/gssapi/qop
+
# 20250802: libutil bumped to 10
OLD_LIBS+=lib/libutil.so.9
diff --git a/etc/gss-krb5/Makefile b/etc/gss-krb5/Makefile
index 301a8e074e8c..8886ed35e281 100644
--- a/etc/gss-krb5/Makefile
+++ b/etc/gss-krb5/Makefile
@@ -1,4 +1,4 @@
-FILES= mech qop
+FILES= mech
NO_OBJ=
FILESDIR= /etc/gss
diff --git a/etc/gss-krb5/qop b/etc/gss-krb5/qop
deleted file mode 100644
index 7d5b6b8f33dd..000000000000
--- a/etc/gss-krb5/qop
+++ /dev/null
@@ -1 +0,0 @@
-GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 kerberosv5
diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist
index 0e9f739425a1..28c4d91ac1c0 100644
--- a/etc/mtree/BSD.include.dist
+++ b/etc/mtree/BSD.include.dist
@@ -258,10 +258,6 @@
..
gssapi
..
- gssapi_krb5
- gssapi
- ..
- ..
gssrpc
..
infiniband
diff --git a/include/Makefile b/include/Makefile
index af7ef2337941..2792d594a888 100644
--- a/include/Makefile
+++ b/include/Makefile
@@ -293,7 +293,7 @@ LSUBSUBDIRS+= netgraph/bluetooth/include
LSUBDIRS+= fs/cuse
.endif
-.if ${MK_GSSAPI} != "no"
+.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no"
SUBDIR+= gssapi
INCS+= gssapi.h
.endif
diff --git a/krb5/include/Makefile b/krb5/include/Makefile
index 699211b9c3c9..64c5d39b867b 100644
--- a/krb5/include/Makefile
+++ b/krb5/include/Makefile
@@ -17,13 +17,12 @@ SUBDIR= krb5 gssrpc gssapi
SUBDIR_PARALLEL=
-INCSGROUPS= INCS
-
INCSDIR= ${INCLUDEDIR}
.PATH: ${KRB5_DIR}/include
-INCS= kdb.h \
+INCS= gssapi.h \
+ kdb.h \
krad.h \
krb5.h
diff --git a/krb5/include/gssapi/Makefile b/krb5/include/gssapi/Makefile
index 4959bf78944d..b181187e9d95 100644
--- a/krb5/include/gssapi/Makefile
+++ b/krb5/include/gssapi/Makefile
@@ -15,16 +15,11 @@
INCSGROUPS= INCS GSSAPI_KRB5
INCSDIR= ${INCLUDEDIR}/gssapi
-GSSAPI_KRB5DIR= ${INCLUDEDIR}/gssapi_krb5
-INCS= gssapi_alloc.h \
+INCS= gssapi.h \
+ gssapi_alloc.h \
gssapi_ext.h \
gssapi_generic.h \
gssapi_krb5.h
-# This gssapi header file is only needed should an app need
-# to build using the MIT KRB5 GSSAPI library.
-
-GSSAPI_KRB5= gssapi.h
-
.include <bsd.prog.mk>
diff --git a/krb5/lib/gssapi/generic/Makefile.inc b/krb5/lib/gssapi/generic/Makefile.inc
index 9de18079a341..ef76172655d6 100644
--- a/krb5/lib/gssapi/generic/Makefile.inc
+++ b/krb5/lib/gssapi/generic/Makefile.inc
@@ -36,7 +36,7 @@ SRCS+= disp_com_err_status.c \
INCSGROUPS= GSSAPI_INCS
GSSAPI_INCS= gssapi.h
INCS+= ${GENI}
-GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi_krb5/gssapi
+GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi
CLEANFILES+= gssapi.h ${GGEN} ${GGENI}
diff --git a/lib/Makefile b/lib/Makefile
index e5139b312a75..9447cc4551c0 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -137,7 +137,9 @@ SUBDIR_DEPEND_libdevstat= libkvm
SUBDIR_DEPEND_libdpv= libfigpar ncurses libutil
SUBDIR_DEPEND_libedit= ncurses
SUBDIR_DEPEND_libgeom= libexpat libsbuf
+.if ${MK_MITKRB5} == "no"
SUBDIR_DEPEND_librpcsec_gss= libgssapi
+.endif
SUBDIR_DEPEND_libmagic= libz
SUBDIR_DEPEND_libmemstat= libkvm
SUBDIR_DEPEND_libpam= libcrypt ${_libradius} librpcsvc libtacplus libutil ${_libypclnt} ${_libcom_err}
@@ -176,7 +178,10 @@ SUBDIR.${MK_DIALOG}+= libdpv libfigpar
SUBDIR.${MK_FDT}+= libfdt
SUBDIR.${MK_FILE}+= libmagic
SUBDIR.${MK_GPIO}+= libgpio
-SUBDIR.${MK_GSSAPI}+= libgssapi librpcsec_gss
+.if ${MK_MITKRB5} == "no"
+SUBDIR.${MK_GSSAPI}+= libgssapi
+.endif
+SUBDIR.${MK_GSSAPI}+= librpcsec_gss
SUBDIR.${MK_ICONV}+= libiconv_modules
.if ${MK_MITKRB5} == "no"
SUBDIR.${MK_KERBEROS_SUPPORT}+= libcom_err
diff --git a/lib/librpcsec_gss/Makefile b/lib/librpcsec_gss/Makefile
index a29d9780c1ab..eebc975acbd2 100644
--- a/lib/librpcsec_gss/Makefile
+++ b/lib/librpcsec_gss/Makefile
@@ -1,10 +1,16 @@
+.include <src.opts.mk>
+
PACKAGE=lib${LIB}
LIB= rpcsec_gss
SHLIB_MAJOR= 1
SRCS+= rpcsec_gss.c rpcsec_gss_prot.c rpcsec_gss_conf.c rpcsec_gss_misc.c \
svc_rpcsec_gss.c
+.if ${MK_MITKRB5} == "no"
LIBADD= gssapi
+.else
+LIBADD= gssapi_krb5
+.endif
VERSION_DEF= ${SRCTOP}/lib/libc/Versions.def
SYMBOL_MAPS= ${.CURDIR}/Symbol.map
diff --git a/secure/libexec/sshd-session/Makefile b/secure/libexec/sshd-session/Makefile
index 8841cace5239..37e099794bd5 100644
--- a/secure/libexec/sshd-session/Makefile
+++ b/secure/libexec/sshd-session/Makefile
@@ -39,15 +39,14 @@ LDFLAGS+=-L${LIBBLACKLISTDIR}
.endif
.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
-LIBADD+= gssapi_krb5 gssapi krb5
.if ${MK_MITKRB5} != "no"
+LIBADD+= gssapi_krb5 krb5
.include "../../krb5/Makefile.inc"
CFLAGS+= -I${KRB5_DIR}/include \
-I${KRB5_SRCTOP}/include \
- -I${KRB5_OBJTOP}/lib \
- -I${KRB5_DIR}/lib/gssapi/generic \
- -I${KRB5_DIR}/lib/gssapi/krb5 \
- -I${KRB5_DIR}/lib/gssapi/mechglue
+ -I${KRB5_OBJTOP}/lib
+.else
+LIBADD+= gssapi_krb5 gssapi krb5
.endif
.endif
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index acb1fd4eaa25..a4f36d0fe2df 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -18,7 +18,11 @@ SRCS+= gss-genr.c
LIBADD= ssh
.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_MITKRB5} == "no"
LIBADD+= gssapi
+.else
+LIBADD+= gssapi_krb5
+.endif
.endif
LIBADD+= crypto
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index e6913cd9d0d6..f37dfe1c1b3a 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -19,7 +19,11 @@ moduli: .MADE
LIBADD= ssh util
.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_MITKRB5} == "no"
LIBADD+= gssapi_krb5 gssapi krb5
+.else
+LIBADD+= gssapi_krb5 krb5
+.endif
.endif
.if ${MK_TCP_WRAPPERS} != "no"
diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk
index 283a99496b9f..9ca043e7733c 100644
--- a/share/mk/src.libnames.mk
+++ b/share/mk/src.libnames.mk
@@ -472,7 +472,11 @@ _DP_ncursesw= tinfow
_DP_formw= ncursesw
_DP_nvpair= spl
_DP_panelw= ncursesw
+.if ${MK_MITKRB5} == "no"
_DP_rpcsec_gss= gssapi
+.else
+_DP_rpcsec_gss= gssapi_krb5
+.endif
_DP_smb= kiconv
_DP_ulog= md
_DP_fifolog= z
diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc
index aa6d04f1cc43..8e5ac7fa2a63 100644
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@@ -4836,6 +4836,7 @@ OLD_FILES+=usr/share/man/man8/sserver.8.gz
.else
.if ${MK_MITKRB5} != "no"
# Remove Heimdal because we want MIT KRB5 but not Heimdal
+OLD_FILES+=etc/gss/qop
OLD_FILES+=etc/rc.d/ipropd_master
OLD_FILES+=etc/rc.d/ipropd_slave
OLD_FILES+=usr/bin/asn1_compile
@@ -4921,6 +4922,8 @@ OLD_LIBS+=usr/lib/libasn1.so.11
OLD_FILES+=usr/lib/libasn1_p.a
OLD_LIBS+=usr/lib/libcom_err.so.5
OLD_FILES+=usr/lib/libcom_err_p.a
+OLD_LIBS+=usr/lib/libgssapi.a
+OLD_LIBS+=usr/lib/libgssapi.so.10
OLD_LIBS+=usr/lib/libgssapi_krb5.so.10
OLD_FILES+=usr/lib/libgssapi_krb5_p.a
OLD_FILES+=usr/lib/libgssapi_mech.a
diff --git a/usr.sbin/gssd/Makefile b/usr.sbin/gssd/Makefile
index 569e2c7e18f5..336a1b49f696 100644
--- a/usr.sbin/gssd/Makefile
+++ b/usr.sbin/gssd/Makefile
@@ -9,15 +9,14 @@ SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c
CFLAGS+= -I.
WARNS?= 1
-LIBADD= gssapi
.if ${MK_KERBEROS_SUPPORT} != "no"
.if ${MK_MITKRB5} != "no"
# MIT KRB5
-LIBADD+= krb5 k5crypto krb5profile krb5support
+LIBADD+= gssapi_krb5 krb5 k5crypto krb5profile krb5support
CFLAGS+= -DMK_MITKRB5=yes
.else
# Heimdal
-LIBADD+= krb5 roken
+LIBADD+= gssapi krb5 roken
.endif
.else
CFLAGS+= -DWITHOUT_KERBEROS
diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c
index 94eb6ca575c8..2a3af05496cf 100644
--- a/usr.sbin/gssd/gssd.c
+++ b/usr.sbin/gssd/gssd.c
@@ -53,6 +53,9 @@
#include <arpa/inet.h>
#include <netinet/in.h>
#include <gssapi/gssapi.h>
+#ifdef MK_MITKRB5
+#include <gssapi/gssapi_krb5.h>
+#endif
#include <rpc/rpc.h>
#include <rpc/rpc_com.h>