Re: git: e447c252d0ec - main - krb5: Merge Heimdal common functions into version maps

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Thu, 24 Jul 2025 17:34:12 UTC
In message <aIJtFpkPPpQqQDqK@kib.kiev.ua>, Konstantin Belousov writes:
> On Thu, Jul 24, 2025 at 05:14:15PM +0000, Cy Schubert wrote:
> > The branch main has been updated by cy:
> > 
> > URL: https://cgit.FreeBSD.org/src/commit/?id=e447c252d0eca8f1440996f2a3521c
> 75c06ae126
> > 
> > commit e447c252d0eca8f1440996f2a3521c75c06ae126
> > Author:     Cy Schubert <cy@FreeBSD.org>
> > AuthorDate: 2025-07-24 16:24:03 +0000
> > Commit:     Cy Schubert <cy@FreeBSD.org>
> > CommitDate: 2025-07-24 16:31:40 +0000
> > 
> >     krb5: Merge Heimdal common functions into version maps
> >     
> >     Requested by:   kib
> I do not remember that I ever asked to do this.
> More, I do not understand Kerberos to see such details.
>
> But see below.
>
> > ---
> >  krb5/lib/gssapi/version.map | 171 +++++++++---------
> >  krb5/lib/krb5/version.map   | 430 ++++++++++++++++++++++------------------
> ----
> >  krb5/util/et/version.map    |  12 +-
> >  3 files changed, 312 insertions(+), 301 deletions(-)
> > 
> > diff --git a/krb5/lib/gssapi/version.map b/krb5/lib/gssapi/version.map
> > index bd0d28df70a7..d52c0d3d1e36 100644
> > --- a/krb5/lib/gssapi/version.map
> > +++ b/krb5/lib/gssapi/version.map
> > @@ -1,3 +1,90 @@
> > +HEIMDAL_GSS_2.0 {
> > +	global:
> > +		gss_accept_sec_context;
> > +		gss_acquire_cred;
> > +		gss_acquire_cred_with_password;
> > +		gss_add_buffer_set_member;
> > +		gss_add_cred;
> > +		gss_add_cred_with_password;
> > +		gss_add_oid_set_member;
> > +		gss_authorize_localname;
> > +		gss_canonicalize_name;
> > +		gss_compare_name;
> > +		gss_context_time;
> > +		gss_create_empty_buffer_set;
> > +		gss_create_empty_oid_set;
> > +		gss_decapsulate_token;
> > +		gss_delete_name_attribute;
> > +		gss_delete_sec_context;
> > +		gss_display_mech_attr;
> > +		gss_display_name;
> > +		gss_display_name_ext;
> > +		gss_display_status;
> > +		gss_duplicate_name;
> > +		gss_encapsulate_token;
> > +		gss_export_cred;
> > +		gss_export_name;
> > +		gss_export_name_composite;
> > +		gss_export_sec_context;
> > +		gss_get_mic;
> > +		gss_get_name_attribute;
> > +		gss_import_cred;
> > +		gss_import_name;
> > +		gss_import_sec_context;
> > +		gss_indicate_mechs;
> > +		gss_indicate_mechs_by_attrs;
> > +		gss_init_sec_context;
> > +		gss_inquire_attrs_for_mech;
> > +		gss_inquire_context;
> > +		gss_inquire_cred;
> > +		gss_inquire_cred_by_mech;
> > +		gss_inquire_cred_by_oid;
> > +		gss_inquire_mech_for_saslname;
> > +		gss_inquire_mechs_for_name;
> > +		gss_inquire_name;
> > +		gss_inquire_names_for_mech;
> > +		gss_inquire_saslname_for_mech;
> > +		gss_krb5_ccache_name;
> > +		gss_krb5_copy_ccache;
> > +		gss_krb5_export_lucid_sec_context;
> > +		gss_krb5_free_lucid_sec_context;
> > +		gss_krb5_get_tkt_flags;
> > +		gss_krb5_import_cred;
> > +		gss_krb5_set_allowable_enctypes;
> > +		gss_oid_equal;
> > +		gss_oid_to_str;
> > +		gss_pname_to_uid;
> > +		gss_process_context_token;
> > +		gss_pseudo_random;
> > +		gss_release_buffer;
> > +		gss_release_buffer_set;
> > +		gss_release_cred;
> > +		gss_release_iov_buffer;
> > +		gss_release_name;
> > +		gss_release_oid;
> > +		gss_release_oid_set;
> > +		gss_seal;
> > +		gss_set_cred_option;
> > +		gss_set_name_attribute;
> > +		gss_set_sec_context_option;
> > +		gss_sign;
> > +		gss_store_cred;
> > +		gss_test_oid_set_member;
> > +		gss_unseal;
> > +		gss_unwrap;
> > +		gss_unwrap_iov;
> > +		gss_userok;
> > +		gss_verify;
> > +		gss_verify_mic;
> > +		gss_wrap;
> > +		gss_wrap_iov;
> > +		gss_wrap_iov_length;
> > +		gss_wrap_size_limit;
> > +		gsskrb5_extract_authtime_from_sec_context;
> > +		gsskrb5_extract_authz_data_from_sec_context;
> > +		krb5_gss_register_acceptor_identity;
> > +};
> > +
> >  gssapi_krb5_2_MIT {
> >  	global:
> >  		GSS_C_ATTR_LOCAL_LOGIN_USER;
> > @@ -46,67 +133,14 @@ gssapi_krb5_2_MIT {
> >  		GSS_C_MA_CTX_TRANS;
> >  		GSS_C_MA_NEGOEX_AND_SPNEGO;
> >  		GSS_C_SEC_CONTEXT_SASL_SSF;
> > -		gss_accept_sec_context;
> > -		gss_acquire_cred;
> > -		gss_acquire_cred_with_password;
> >  		gss_acquire_cred_impersonate_name;
> > -		gss_add_buffer_set_member;
> > -		gss_add_cred;
> >  		gss_add_cred_impersonate_name;
> > -		gss_add_cred_with_password;
> > -		gss_add_oid_set_member;
> > -		gss_authorize_localname;
> > -		gss_canonicalize_name;
> > -		gss_compare_name;
> >  		gss_complete_auth_token;
> > -		gss_context_time;
> > -		gss_create_empty_buffer_set;
> > -		gss_create_empty_oid_set;
> > -		gss_decapsulate_token;
> > -		gss_delete_name_attribute;
> > -		gss_delete_sec_context;
> > -		gss_display_mech_attr;
> > -		gss_display_name;
> > -		gss_display_name_ext;
> > -		gss_display_status;
> > -		gss_duplicate_name;
> > -		gss_encapsulate_token;
> > -		gss_export_cred;
> > -		gss_export_name;
> > -		gss_export_name_composite;
> > -		gss_export_sec_context;
> > -		gss_get_mic;
> >  		gss_get_mic_iov;
> >  		gss_get_mic_iov_length;
> > -		gss_get_name_attribute;
> > -		gss_import_cred;
> > -		gss_import_name;
> > -		gss_import_sec_context;
> > -		gss_indicate_mechs;
> > -		gss_init_sec_context;
> > -		gss_indicate_mechs_by_attrs;
> > -		gss_inquire_attrs_for_mech;
> > -		gss_inquire_context;
> > -		gss_inquire_cred;
> > -		gss_inquire_cred_by_mech;
> > -		gss_inquire_cred_by_oid;
> > -		gss_inquire_mech_for_saslname;
> > -		gss_inquire_mechs_for_name;
> > -		gss_inquire_names_for_mech;
> > -		gss_inquire_saslname_for_mech;
> > -		gss_inquire_sec_context_by_oid;
> > -		gss_krb5_ccache_name;
> > -		gss_krb5_copy_ccache;
> > -		gss_krb5_export_lucid_sec_context;
> > -		gss_krb5_free_lucid_sec_context;
> > -		gss_krb5_get_tkt_flags;
> > -		gss_krb5_import_cred;
> > -		gss_krb5_set_allowable_enctypes;
> >  		gss_krb5_set_cred_rcache;
> >  		gss_krb5int_make_seal_token_v3;
> >  		gss_krb5int_unseal_token_v3;
> > -		gsskrb5_extract_authtime_from_sec_context;
> > -		gsskrb5_extract_authz_data_from_sec_context;
> >  		gss_localname;
> >  		gss_map_name_to_any;
> >  		gss_mech_iakerb;
> > @@ -124,47 +158,16 @@ gssapi_krb5_2_MIT {
> >  		gss_nt_service_name_v2;
> >  		gss_nt_string_uid_name;
> >  		gss_nt_user_name;
> > -		gss_oid_equal;
> > -		gss_oid_to_str;
> > -		gss_pname_to_uid;
> > -		gss_pseudo_random;
> > -		gss_process_context_token;
> >  		gss_release_any_name_mapping;
> > -		gss_release_buffer_set;
> > -		gss_release_buffer;
> > -		gss_release_cred;
> > -		gss_release_iov_buffer;
> > -		gss_release_name;
> > -		gss_release_oid;
> > -		gss_release_oid_set;
> > -		gss_seal;
> > -		gss_set_name_attribute;
> >  		gss_set_neg_mechs;
> > -		gss_set_sec_context_option;
> > -		gss_sign;
> > -		gss_store_cred;
> >  		gss_str_to_oid;
> > -		gss_test_oid_set_member;
> > -		gss_unseal;
> > -		gss_unwrap;
> >  		gss_unwrap_aead;
> > -		gss_unwrap_iov;
> > -		gss_userok;
> > -		gss_verify;
> > -		gss_verify_mic;
> >  		gss_verify_mic_iov;
> > -		gss_wrap;
> >  		gss_wrap_aead;
> > -		gss_wrap_iov;
> > -		gss_wrap_iov_length;
> > -		gss_wrap_size_limit;
> > -		gss_set_cred_option;
> >  		gssspi_set_cred_option;
> >  		gssspi_mech_invoke;
> >  		krb5_gss_dbg_client_expcreds;
> > -		krb5_gss_register_acceptor_identity;
> >  		krb5_gss_use_kdc_context;
> > -		gss_inquire_name;
> >  		gss_acquire_cred_from;
> >  		gss_add_cred_from;
> >  		gss_store_cred_into;
>
> This breaks the ABI of _current_ libc on HEAD even more.
> Please do bump the dso versions for all libs from kerberos/gss
> with same current name as it was in Heimdal time.

In other words use Heimdal in the name instead of the names MIT uses?

This was certainly short sighted on our part when we put Heimdal in our DSO 
names at the time.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0