Re: git: 7ac276298b72 - main - Remove Secure RPC DES authentication
Date: Fri, 15 Aug 2025 04:50:08 UTC
On Sun, Aug 10, 2025 at 03:37:17PM +0000, Lexi Winter wrote:
> The branch main has been updated by ivy:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=7ac276298b72982189ac1a5b17461936dc00163e
>
> commit 7ac276298b72982189ac1a5b17461936dc00163e
> Author: Lexi Winter <ivy@FreeBSD.org>
> AuthorDate: 2025-08-10 12:57:36 +0000
> Commit: Lexi Winter <ivy@FreeBSD.org>
> CommitDate: 2025-08-10 15:36:40 +0000
>
> Remove Secure RPC DES authentication
>
> Following the earlier removal of keyserv, none of this functionality
> works since it requires keyserv.
>
> Remove the relevant symbols from libc's Symbol.map. Leave compatibility
> symbols for existing applications, but since the functions don't work
> without keyserv, stub them out to return an error.
>
> Remove some private symbols that were only used by keyserv; these don't
> get compatibility symbols.
>
> Remove the documentation for the old functions.
>
> Remove rpc.ypupdated since it requires DES authentication.
>
> Reviewed by: manu, des, emaste
> Differential Revision: https://reviews.freebsd.org/D50442
> ---
> ObsoleteFiles.inc | 4 +
> include/rpc/auth_des.h | 79 +----
> lib/libc/rpc/Symbol.map | 19 --
> lib/libc/rpc/auth_des.c | 455 +----------------------------
> lib/libc/rpc/authdes_prot.c | 44 +--
> lib/libc/rpc/key_call.c | 424 +++------------------------
> lib/libc/rpc/publickey.5 | 40 ---
> lib/libc/rpc/rpc_secure.3 | 177 +-----------
> lib/libc/rpc/rpc_soc.3 | 13 +-
> lib/libc/rpc/rpc_soc.c | 31 +-
> lib/libc/rpc/svc_auth.c | 8 -
> lib/libc/rpc/svc_auth_des.c | 460 +-----------------------------
> lib/librpcsvc/Makefile | 2 +-
> lib/librpcsvc/yp_update.c | 199 -------------
> libexec/rc/rc.conf | 1 -
> libexec/rc/rc.d/Makefile | 1 -
> libexec/rc/rc.d/ypupdated | 35 ---
> share/man/man5/rc.conf.5 | 9 +-
> sys/rpc/auth.h | 26 --
> tools/build/mk/OptionalObsoleteFiles.inc | 2 -
> usr.sbin/Makefile | 1 -
> usr.sbin/rpc.ypupdated/Makefile | 32 ---
> usr.sbin/rpc.ypupdated/Makefile.depend | 18 --
> usr.sbin/rpc.ypupdated/update.c | 328 ---------------------
> usr.sbin/rpc.ypupdated/yp_dbdelete.c | 68 -----
> usr.sbin/rpc.ypupdated/yp_dbupdate.c | 147 ----------
> usr.sbin/rpc.ypupdated/ypupdate | 32 ---
> usr.sbin/rpc.ypupdated/ypupdated_extern.h | 32 ---
> usr.sbin/rpc.ypupdated/ypupdated_main.c | 287 -------------------
> usr.sbin/rpc.ypupdated/ypupdated_server.c | 227 ---------------
> 30 files changed, 83 insertions(+), 3118 deletions(-)
>
> diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
> index ec324e82f86d..a6662d31829f 100644
> --- a/ObsoleteFiles.inc
> +++ b/ObsoleteFiles.inc
> @@ -51,6 +51,10 @@
> # xargs -n1 | sort | uniq -d;
> # done
>
> +# 20250810: Removal of remaining Secure RPC (DES) bits
> +OLD_FILES+=usr/sbin/rpc.ypupdated
> +OLD_FILES+=etc/rc.d/ypupdated
> +
> # 20250808: nvmfd removed from base install
> OLD_FILES+=usr/sbin/nvmfd
> OLD_FILES+=usr/share/man/man8/nvmfd.8.gz
> diff --git a/include/rpc/auth_des.h b/include/rpc/auth_des.h
> index 0ff43c13139b..1b4943a74b8b 100644
> --- a/include/rpc/auth_des.h
> +++ b/include/rpc/auth_des.h
> @@ -33,91 +33,14 @@
> * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc.
> */
>
> -/*
> - * auth_des.h, Protocol for DES style authentication for RPC
> - */
> +/* Note, RPC DES authentication was removed in FreeBSD 15.0. */
>
> #ifndef _AUTH_DES_
> #define _AUTH_DES_
>
> -/*
> - * There are two kinds of "names": fullnames and nicknames
> - */
> -enum authdes_namekind {
> - ADN_FULLNAME,
> - ADN_NICKNAME
> -};
> -
> -/*
> - * A fullname contains the network name of the client,
> - * a conversation key and the window
> - */
> -struct authdes_fullname {
> - char *name; /* network name of client, up to MAXNETNAMELEN */
> - des_block key; /* conversation key */
> - u_long window; /* associated window */
> -};
> -
> -
> -/*
> - * A credential
> - */
> -struct authdes_cred {
> - enum authdes_namekind adc_namekind;
> - struct authdes_fullname adc_fullname;
> - u_long adc_nickname;
> -};
> -
> -
> -
> -/*
> - * A des authentication verifier
> - */
> -struct authdes_verf {
> - union {
> - struct timeval adv_ctime; /* clear time */
> - des_block adv_xtime; /* crypt time */
> - } adv_time_u;
> - u_long adv_int_u;
> -};
> -
> -/*
> - * des authentication verifier: client variety
> - *
> - * adv_timestamp is the current time.
> - * adv_winverf is the credential window + 1.
> - * Both are encrypted using the conversation key.
> - */
> -#define adv_timestamp adv_time_u.adv_ctime
> -#define adv_xtimestamp adv_time_u.adv_xtime
> -#define adv_winverf adv_int_u
> -
> -/*
> - * des authentication verifier: server variety
> - *
> - * adv_timeverf is the client's timestamp + client's window
> - * adv_nickname is the server's nickname for the client.
> - * adv_timeverf is encrypted using the conversation key.
> - */
> -#define adv_timeverf adv_time_u.adv_ctime
> -#define adv_xtimeverf adv_time_u.adv_xtime
> -#define adv_nickname adv_int_u
> -
> -/*
> - * Map a des credential into a unix cred.
> - *
> - */
> -__BEGIN_DECLS
> -extern int authdes_getucred( struct authdes_cred *, uid_t *, gid_t *, int *, gid_t * );
> -__END_DECLS
> -
> __BEGIN_DECLS
> -extern bool_t xdr_authdes_cred(XDR *, struct authdes_cred *);
> -extern bool_t xdr_authdes_verf(XDR *, struct authdes_verf *);
> extern int rtime(dev_t, struct netbuf *, int, struct timeval *,
> struct timeval *);
> -extern void kgetnetname(char *);
> -extern enum auth_stat _svcauth_des(struct svc_req *, struct rpc_msg *);
> __END_DECLS
>
> #endif /* ndef _AUTH_DES_ */
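Review bot: The replacement comment at the top of `auth_des.h` says only that RPC DES authentication was removed; it does not say why the header still exists or what it still declares. On the new side of this hunk the only declaration left between `__BEGIN_DECLS` and `__END_DECLS` is `rtime()`, so the comment could read `/* RPC DES authentication was removed in FreeBSD 15.0; this header now only declares rtime(). */`. Out-of-tree code that still uses `struct authdes_cred`, `struct authdes_verf` or `authdes_getucred()` will now fail to compile against this header, and a comment naming what was dropped gives that failure an explanation at the point where people will look.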
> diff --git a/lib/libc/rpc/Symbol.map b/lib/libc/rpc/Symbol.map
> index 105d6fb6b54e..61e8e084b1e0 100644
> --- a/lib/libc/rpc/Symbol.map
> +++ b/lib/libc/rpc/Symbol.map
> @@ -8,13 +8,9 @@ FBSD_1.0 {
> xdr_desargs;
> xdr_desresp;
>
> - authdes_seccreate;
> - authdes_pk_seccreate;
> authnone_create;
> authunix_create;
> authunix_create_default;
> - xdr_authdes_cred;
> - xdr_authdes_verf;
> xdr_authunix_parms;
> bindresvport;
> bindresvport_sa;
The commit breaks libc ABI and must be reverted.
This email is the formal request to do so.