Commit Graph

189 Commits

Author SHA1 Message Date
Bryan Drewery
5608fd23c2 Revert r267233 for now. PIE support needs to be reworked.
1. 50+% of NO_PIE use is fixed by adding -fPIC to INTERNALLIB and other
   build-only utility libraries.
2. Another 40% is fixed by generating _pic.a variants of various libraries.
3. Some of the NO_PIE use is a bit absurd as it is disabling PIE (and ASLR)
   where it never would work anyhow, such as csu or loader. This suggests
   there may be better ways of adding support to the tree. Many of these
   cases can be fixed such that -fPIE will work but there is really no
   reason to have it in those cases.
4. Some of the uses are working around hacks done to some Makefiles that are
   really building libraries but have been using bsd.prog.mk because the code
   is cleaner. Had they been using bsd.lib.mk then NO_PIE would not have
   been needed.

We likely do want to enable PIE by default (opt-out) for non-tree consumers
(such as ports). For in-tree though we probably want to only enable PIE
(opt-in) for common attack targets such as remote service daemons and setuid
utilities. This is also a great performance compromise since ASLR is expected
to reduce performance. As such it does not make sense to enable it in all
utilities such as ls(1) that have little benefit to having it enabled.

Reported by:	kib
2014-08-19 15:04:32 +00:00
Baptiste Daroussin
d029c3aa25 Rework privatelib/internallib
Make sure everything linking to a privatelib and/or an internallib does it directly
from the OBJDIR rather than DESTDIR.
Add src.libnames.mk so bsd.libnames.mk is not polluted by libraries not existsing
in final installation
Introduce the LD* variable which is what ld(1) is expecting (via LDADD) to link to
internal/privatelib
Directly link to the .so in case of private library to avoid having to complexify
LDFLAGS.

Phabric:	https://phabric.freebsd.org/D553
Reviewed by:	imp, emaste
2014-08-06 22:17:26 +00:00
Brooks Davis
80189b3b09 Replace all uses of libncurses and libtermcap with their wide character
variants.  This allows usable file system images (i.e. those with both a
shell and an editor) to be created with only one copy of the curses library.

Exp-run:	antoine
PR:		189842
Discussed with:	bapt
Sponsored by:	DARPA, AFRL
2014-07-17 18:24:34 +00:00
Bryan Drewery
864c53ead8 In preparation for ASLR [1] support add WITH_PIE to support building with -fPIE.
This is currently an opt-in build flag. Once ASLR support is ready and stable
it should changed to opt-out and be enabled by default along with ASLR.

Each application Makefile uses opt-out to ensure that ASLR will be enabled by
default in new directories when the system is compiled with PIE/ASLR. [2]

Mark known build failures as NO_PIE for now.

The only known runtime failure was rtld.

[1] http://www.bsdcan.org/2014/schedule/events/452.en.html
Submitted by:		Shawn Webb <lattera@gmail.com>
Discussed between:	des@ and Shawn Webb [2]
2014-06-08 17:29:31 +00:00
Warner Losh
c6063d0da8 Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
Warner Losh
f6092768b1 Use MK_OPENLDAP in preference to WITH_OPENLDAP and make it a default
NO option to match the opt-in nature of the historical nature of this
option.
2014-04-24 23:17:31 +00:00
Ed Maste
79aae9e1c2 Fix installworld failure when kerberos source files have new timestamps
If a kerberos .hx source file is newer than the .h copy, but the content
is the same, then during buildworld the "cmp -s || cp" command in the
.hx.h rule would do nothing, leaving the .h copy with the older
timestamp.  During installworld the rule would again be invoked, causing
a failure as neither cmp or cp would exist in the temporary path.

As the underlying issue should be resolved by r262209, unconditionally
copy the file.

No objection:	peter@
Tested by:	gjb@
Sponsored by:	The FreeBSD Foundation
2014-04-22 20:37:07 +00:00
Warner Losh
3bdf775801 NO_MAN= has been deprecated in favor of MAN= for some time, go ahead
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
2014-04-13 05:21:56 +00:00
Warner Losh
3f483dacb3 use MK_KERBEROS=no in preference to WITHOUT_KERBEROS 2014-04-05 17:54:50 +00:00
Peter Wemm
93c4e6d498 Revert my commit in r261253; the real problem was tackled in r262209. 2014-02-20 20:53:29 +00:00
Peter Wemm
f0258c45f2 Really (I think) fix the sporadic heimdal build failures with high -j
levels. The root of the problem was that make was attempting to run up
to three concurrent asn1_compile commands to produce the three outputs
that it was declared to produce.  The failure was caused when the
asn1_compiles were started out of sync and a later one was truncating
the files that another thread was trying to copy.  In reality it is
supposed to be run exactly once and all three outputs are produced in
one pass.

Use the same hack as for the parent's Makefile.inc for the compile_et
multi-output rule.
2014-02-19 07:09:14 +00:00
Peter Wemm
a5e863c951 Speculatively replace a cp with a cat for gathering data on a
sporadic parallel build failure in the FreeBSD cluster on many-core
systems with ZFS.  cp uses mmap in this scenario, cat does not.
2014-01-28 22:23:39 +00:00
Ulrich Spörlein
3abde52372 Try and fix the dependency/bootstrap issues in kerberos5
libkafs5 needs a header from libkrb5, it includes this from
${.OBJDIR}/mumble, this used to work fine as long as you happen to have
a krb_err.h in your base system, this doesn't work for bootstrapping or
using a cross-compiler with a different sysroot. This is just a
best-effort bandaid, sufficient parallelism can still break it.

Fix a SRCS override that dropped krb5_err.h.

Discussed with:	stas
2013-12-23 14:23:17 +00:00
Dag-Erling Smørgrav
0d410def34 Clean up the Kerberos build by turning libheimipcc and libheimipcs into
private shared libraries, instead of hacked-together archives of PIC
objects.  This makes it possible to build a static libkrb5 that works.

Reviewed by:	stas
Approved by:	re (gjb)
2013-09-10 18:40:43 +00:00
Rick Macklem
4fb6bc364f Fix the getpwnam_r() call in the pname_to_uid() kerberos library function so
that it handles the ERANGE error return case. Without this fix, authentication
of users for certain system setups could fail unexpectedly.

Reported by:	Elias Martenson (lokedhs@gmail.com)
Tested by:	Elias Martenson (earlier version)
MFC after:	2 weeks
2013-05-02 12:52:49 +00:00
Brooks Davis
711781606d Add -lheimntlm to LDADD directly.
With the current binutils, symbols from libheimtlm.so are loaded because
it is referenced by DT_NEEDED.  This feature is not implemented in
mclinker (https://code.google.com/p/mclinker/issues/detail?id=104).
I encountered the same issue when linking with a recent devel/binutils
invoked via clang.  This was the only use of DT_NEEDED in the tree so
removing it simplifies toolchain requirements.

Submitted by:	Pete Chou <petechou@gmail.com> (mclinker issue)
2013-02-11 09:45:24 +00:00
Brooks Davis
b97ce46687 Only try to install one link at each path.
Don't install verify_krb5_conf.8.  It is installed in
kerberos5/usr.bin/verify_krb5_conf.
2013-01-23 23:49:35 +00:00
Marcel Moolenaar
0815243c39 Add support for bmake. This includes:
1.  Don't do upgrade_checks when using bmake. As long as we have WITH_BMAKE,
    there's a bootstrap complication in ths respect. Avoid it. Make the
    necessary changes to have upgrade_checks work wth bmake anyway.
2.  Remove the use of -E. It's not needed in our build because we use ?= for
    the respective variables, which means that we'll take the environment
    value (if any) anyway.
3.  Properly declare phony targets as phony as bmake is a lot smarter (and
    thus agressive) about build avoidance.
4.  Make sure CLEANFILES is complete and use it on .NOPATH. bmake is a lot
    smarter about build avoidance and should not find files we generate in
    the source tree. We should not have files in the repository we want to
    generate, but this is an easier way to cross this hurdle.
5.  Have behavior under bmake the same as it is under make with respect to
    halting when sub-commands fail. Add "set -e" to compound commands so
    that bmake is informed when sub-commands fail.
6.  Make sure crunchgen uses the same make as the rest of the build. This
    is important when the make utility isn't called make (but bmake for
    example).
7.  While here, add support for using MAKEOBJDIR to set the object tree
    location. It's the second alternative bmake looks for when determining
    the actual object directory (= .OBJDIR).

Submitted by:	Simon Gerraty <sjg@juniper.net>
Submitted by:	John Van Horne <jvanhorne@juniper.net>
2012-10-06 20:01:05 +00:00
David E. O'Brien
b5ae8dbaa5 Centralize the specification of the krb5 build tools. 2012-06-01 21:26:28 +00:00
David E. O'Brien
614304eccc * Remove headers from SRCS that are not generated
(and are in /usr/src/crypto/heimdal/).

* Avoid race conditions with 'make -j<N>'.
2012-05-30 22:21:25 +00:00
Stanislav Sedov
cf771f223b - Update FreeBSD's Heimdal distribution to 1.5.2. This is a bugfix
release, which fixes a DoS issue in libkrb5.
2012-04-08 08:19:17 +00:00
Stanislav Sedov
72c3f707a4 - Add a "real" symbol version map to libasn1. The upstream version
of the version map just exported all the symbols, which caused a
  binutils bug being triggered when ld fails to link two objects, one
  of which exports a versioned version of the symbol, and another --
  unversioned. [1]
- Also add version map for libkafs5.

Submitted by:	jchandra@ (based on)
2012-04-08 04:22:09 +00:00
Juli Mallett
84db023ec1 Assume a big-endian default on MIPS and drop the "eb" suffix from MACHINE_ARCH.
This makes our naming scheme more closely match other systems and the
expectations of much third-party software.  MIPS builds which are little-endian
should require and exhibit no changes.  Big-endian TARGET_ARCHes must be
changed:
	From:		To:
	mipseb		mips
	mipsn32eb	mipsn32
	mips64eb	mips64

An entry has been added to UPDATING and some foot-shooting protection (complete
with warnings which should become errors in the near future) to the top-level
base system Makefile.
2012-03-29 02:54:35 +00:00
Stanislav Sedov
ba5e340b5f - Apply binutils workaround on mips.mips as well. Though this TARGET_ARCH
is deprecated, tinderbox uses it.
2012-03-24 00:42:38 +00:00
Stanislav Sedov
ae77177087 - Update FreeBSD Heimdal distribution to version 1.5.1. This also brings
several new kerberos related libraries and applications to FreeBSD:
  o kgetcred(1) allows one to manually get a ticket for a particular service.
  o kf(1) securily forwards ticket to another host through an authenticated
    and encrypted stream.
  o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
    and other user kerberos operations. klist and kswitch are just symlinks
    to kcc(1) now.
  o kswitch(1) allows you to easily switch between kerberos credentials if
    you're running KCM.
  o hxtool(1) is a certificate management tool to use with PKINIT.
  o string2key(1) maps a password into key.
  o kdigest(8) is a userland tool to access the KDC's digest interface.
  o kimpersonate(8) creates a "fake" ticket for a service.

  We also now install manpages for some lirbaries that were not installed
  before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4.  All users are
  recommended to switch to Kerberos 5.

- Weak ciphers are now disabled by default.  To enable DES support (used
  by telnet(8)), use "allow_weak_crypto" option in krb5.conf.

- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
  disabled due to the function they use (krb5_get_err_text(3)) being
  deprecated.  I plan to work on this next.

- Heimdal's KDC now require sqlite to operate.  We use the bundled version
  and install it as libheimsqlite.  If some other FreeBSD components will
  require it in the future we can rename it to libbsdsqlite and use for these
  components as well.

- This is not a latest Heimdal version, the new one was released while I was
  working on the update.  I will update it to 1.5.2 soon, as it fixes some
  important bugs and security issues.
2012-03-22 08:48:42 +00:00
Hajimu UMEMOTO
525f4cadd0 Don't support OpenLDAP during lib32 build. 2011-12-06 12:03:01 +00:00
Hajimu UMEMOTO
782ed6d3d7 - Make heimdal buildable with WITH_OPENLDAP defined, again.
- Our heimdal uses the deprecated OpenLDAP functions.
2011-12-05 16:38:52 +00:00
Max Khon
1b7955541f Link with -ledit instead of -lreadline. 2011-11-29 03:49:03 +00:00
Stanislav Sedov
611ff617cf - Add missing interdependencies to kerberos libraries. Some of the
kerberos libraries were not linked properly (missing dependencies),
  which causes 3rd party applications linking to fail when --as-needed
  ld flag is used.  I also added the --no-undefined ld(1) flag to make
  sure that there're no missing dependencies.

MFC after:	3 days
2011-09-27 07:14:12 +00:00
Marius Strobl
2d2ad9724a The kerberos5 tools are only used as build tools but not otherwise and
didn't get installed either.

MFC after:	1 week
2011-06-25 16:13:56 +00:00
Antoine Brodin
70834576fb Fix a typo.
MFC after:	1 month
2010-01-09 18:53:03 +00:00
Antoine Brodin
003fe9d2ee Fix a typo.
MFC after:	1 month
2010-01-09 18:51:50 +00:00
Alexander Nedotsukov
e62aa473c5 Link GSS mechanics modules against libgssapi so they will not fail due
unresolved symbol errors when in turn libgssapi was loaded with RTLD_LOCAL
flag set (which is the default).

Reviewed by:	dfr, jhb
MFC after:	3 days
2009-10-12 17:10:51 +00:00
Xin LI
ebd972d211 Disconnect closefrom.c as we have it as a system call. 2009-06-16 00:09:06 +00:00
Xin LI
04b7709ccf Now we have closefrom(). 2009-06-15 23:03:38 +00:00
Konstantin Belousov
20e76cb365 Add strndup(3) prototype to string.h.
This change was erronously ommitted from the r185690, and attempt
to simply add the prototype to string.h has revealed that several
contributed programs defined local prototypes for strndup(), controlled
by autoconfed config.h. So, manually change #undef HAVE_STRNDUP to
#define HAVE_STRNDUP 1. Next import of the corresponding program would
regenerate config.h, overriding the changes in this commit.

No objections from: kan
2008-12-08 21:04:24 +00:00
Doug Rabson
8f55a568f6 Add an implementation of the RPCSEC_GSS authentication protocol for RPC. This
is based on an old implementation from the University of Michigan with lots of
changes and fixes by me and the addition of a Solaris-compatible API.

Sponsored by:	Isilon Systems
Reviewed by:	alfred
2008-08-06 14:02:05 +00:00
Marius Strobl
82abac5ecf Add roken.h to SRCS. This fixes the compilation of slc during a
buildworld on a host running a world built with WITHOUT_KERBEROS
defined.
2008-06-18 21:20:50 +00:00
Doug Rabson
ebe306f11c Add the hx509 error table. 2008-05-15 08:53:31 +00:00
Doug Rabson
1f95816c41 Add manpage links to krb5_principal.3. 2008-05-11 10:32:37 +00:00
Doug Rabson
ed62b7f321 Don't try to make links to manpages that no longer exist. Fixes installworld
Submitted by: phk
2008-05-11 08:27:17 +00:00
Doug Rabson
e5dc3b75b8 Update magic sed script for heimdal-1.1 2008-05-09 13:27:20 +00:00
Doug Rabson
d7135570b3 Update heimdal_version.
Pointed out by: antoine@
2008-05-08 13:11:34 +00:00
Doug Rabson
33f1219925 Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.
2008-05-07 13:53:12 +00:00
Ken Smith
c0bb7d9461 While checking over the libraries for 7.0-REL Kris found the following
libraries had not had their versions bumped relative to 6.3-REL but
had indeed been changed.  We need to bump their version so they can be
properly added to the compat6x port:

	libasn1.so.8 libgssapi.so.8 libhdb.so.8 libkadm5clnt.so.8
	libkadm5srv.so.8 libkafs5.so.8 libkrb5.so.8 libobjc.so.2

MFC After:	1 day
2007-11-20 04:20:32 +00:00
Peter Wemm
acba71341c Remove _FREEFALL_CONFIG hacks 2007-10-18 19:42:50 +00:00
Alexander Kabaev
a3c734cc52 Fix generator glue to only expose extern struct units %s_units[] is
struct units defintition it known. The above construct is treated
as an incorrect C by GCC 4.2 otherwise.
2007-05-19 03:29:37 +00:00
Yaroslav Tykhiy
ea8079033e Kerberos/Heimdal doesn't really depend on the INET6 macro.
In the Heimdal distro, only kerberized telnet refers to INET6,
but we don't build it, we use contrib/telnet linked with the
Kerberos libs instead.

Tested with:	cmp(1)
2006-07-28 06:33:27 +00:00
Hajimu UMEMOTO
794063c03f Bump library majro version for gethostbyaddr(3). 2006-05-21 15:15:21 +00:00
Ruslan Ermilov
e1fe3dba5c Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by:	imp, jhb, kris, phk, ru (all bugs are mine)
2006-03-17 18:54:44 +00:00