Commit Graph

76 Commits

Author SHA1 Message Date
ngie
e5967c31f5 Build libexec/kadmind when MK_GSSAPI != no because it requires gssapi
MFC after:	1 week
2017-01-02 19:02:00 +00:00
bdrewery
2a891f1feb DIRDEPS_BUILD: Regenerate without local dependencies.
These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.

Sponsored by:	EMC / Isilon Storage Division
2016-02-24 17:20:11 +00:00
bdrewery
9f214ef5c9 DIRDEPS_BUILD: Add some missing build dependencies for kerberos5.
Sponsored by:	EMC / Isilon Storage Division
2016-02-24 17:18:43 +00:00
bdrewery
8f7e12f5af Add more SUBDIR_PARALLEL.
MFC after:	3 weeks
Sponsored by:	EMC / Isilon Storage Division
2015-09-26 14:13:51 +00:00
bdrewery
2d6831faf2 Remove unneeded dependency of '.o: .h' that bsd.prog.mk already handles.
MFC after:	2 weeks
X-MFC-With:	r288198
Sponsored by:	EMC / Isilon Storage Division
2015-09-24 23:23:58 +00:00
bdrewery
71fccfc30f Add missing CLEANFILES.
MFC after:	1 week
Sponsored by:	EMC / Isilon Storage Division
2015-09-24 23:15:24 +00:00
ume
fc5f5f6363 Move setting of LDFLAGS to the modules which require it actually, as
other kerberos5 modules do so.
2015-08-27 17:16:18 +00:00
sjg
008d7c831f Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
sjg
75a137820d dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
sjg
65145fa4c8 Merge sync of head 2015-05-27 01:19:58 +00:00
bapt
3200f33f24 Convert kerberos to LIBADD and reduce overlinking of the kerberos binaries and
libraries
2014-11-25 09:57:42 +00:00
sjg
b137080f19 Merge from head@274682 2014-11-19 01:07:58 +00:00
bdrewery
b619f0c747 Revert r267233 for now. PIE support needs to be reworked.
1. 50+% of NO_PIE use is fixed by adding -fPIC to INTERNALLIB and other
   build-only utility libraries.
2. Another 40% is fixed by generating _pic.a variants of various libraries.
3. Some of the NO_PIE use is a bit absurd as it is disabling PIE (and ASLR)
   where it never would work anyhow, such as csu or loader. This suggests
   there may be better ways of adding support to the tree. Many of these
   cases can be fixed such that -fPIE will work but there is really no
   reason to have it in those cases.
4. Some of the uses are working around hacks done to some Makefiles that are
   really building libraries but have been using bsd.prog.mk because the code
   is cleaner. Had they been using bsd.lib.mk then NO_PIE would not have
   been needed.

We likely do want to enable PIE by default (opt-out) for non-tree consumers
(such as ports). For in-tree though we probably want to only enable PIE
(opt-in) for common attack targets such as remote service daemons and setuid
utilities. This is also a great performance compromise since ASLR is expected
to reduce performance. As such it does not make sense to enable it in all
utilities such as ls(1) that have little benefit to having it enabled.

Reported by:	kib
2014-08-19 15:04:32 +00:00
sjg
d7cd1d425c Merge head from 7/28 2014-08-19 06:50:54 +00:00
bapt
8a9380f42c Rework privatelib/internallib
Make sure everything linking to a privatelib and/or an internallib does it directly
from the OBJDIR rather than DESTDIR.
Add src.libnames.mk so bsd.libnames.mk is not polluted by libraries not existsing
in final installation
Introduce the LD* variable which is what ld(1) is expecting (via LDADD) to link to
internal/privatelib
Directly link to the .so in case of private library to avoid having to complexify
LDFLAGS.

Phabric:	https://phabric.freebsd.org/D553
Reviewed by:	imp, emaste
2014-08-06 22:17:26 +00:00
bdrewery
989e2c6000 In preparation for ASLR [1] support add WITH_PIE to support building with -fPIE.
This is currently an opt-in build flag. Once ASLR support is ready and stable
it should changed to opt-out and be enabled by default along with ASLR.

Each application Makefile uses opt-out to ensure that ASLR will be enabled by
default in new directories when the system is compiled with PIE/ASLR. [2]

Mark known build failures as NO_PIE for now.

The only known runtime failure was rtld.

[1] http://www.bsdcan.org/2014/schedule/events/452.en.html
Submitted by:		Shawn Webb <lattera@gmail.com>
Discussed between:	des@ and Shawn Webb [2]
2014-06-08 17:29:31 +00:00
sjg
5860f0d106 Updated dependencies 2014-05-16 14:09:51 +00:00
sjg
5e568154a0 Merge head 2014-04-28 07:50:45 +00:00
imp
c39e6fc2c9 NO_MAN= has been deprecated in favor of MAN= for some time, go ahead
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
2014-04-13 05:21:56 +00:00
sjg
292ec5d301 Updated dependencies 2013-10-13 00:24:00 +00:00
sjg
ff87b5d147 Merge head 2013-09-11 18:16:18 +00:00
des
c3bd228383 Clean up the Kerberos build by turning libheimipcc and libheimipcs into
private shared libraries, instead of hacked-together archives of PIC
objects.  This makes it possible to build a static libkrb5 that works.

Reviewed by:	stas
Approved by:	re (gjb)
2013-09-10 18:40:43 +00:00
sjg
97d8b94956 sync from head 2013-04-12 20:48:55 +00:00
sjg
6d37b86f2b Updated dependencies 2013-03-11 17:21:52 +00:00
sjg
0ee5295509 Updated dependencies 2013-02-16 01:23:54 +00:00
brooks
da973a9cc0 Add -lheimntlm to LDADD directly.
With the current binutils, symbols from libheimtlm.so are loaded because
it is referenced by DT_NEEDED.  This feature is not implemented in
mclinker (https://code.google.com/p/mclinker/issues/detail?id=104).
I encountered the same issue when linking with a recent devel/binutils
invoked via clang.  This was the only use of DT_NEEDED in the tree so
removing it simplifies toolchain requirements.

Submitted by:	Pete Chou <petechou@gmail.com> (mclinker issue)
2013-02-11 09:45:24 +00:00
marcel
9dd41e3647 Sync FreeBSD's bmake branch with Juniper's internal bmake branch.
Requested by: Simon Gerraty <sjg@juniper.net>
2012-08-22 19:25:57 +00:00
obrien
2948183cec Centralize the specification of the krb5 build tools. 2012-06-01 21:26:28 +00:00
obrien
928a481c65 * Remove headers from SRCS that are not generated
(and are in /usr/src/crypto/heimdal/).

* Avoid race conditions with 'make -j<N>'.
2012-05-30 22:21:25 +00:00
stas
e7e0b34988 - Update FreeBSD Heimdal distribution to version 1.5.1. This also brings
several new kerberos related libraries and applications to FreeBSD:
  o kgetcred(1) allows one to manually get a ticket for a particular service.
  o kf(1) securily forwards ticket to another host through an authenticated
    and encrypted stream.
  o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
    and other user kerberos operations. klist and kswitch are just symlinks
    to kcc(1) now.
  o kswitch(1) allows you to easily switch between kerberos credentials if
    you're running KCM.
  o hxtool(1) is a certificate management tool to use with PKINIT.
  o string2key(1) maps a password into key.
  o kdigest(8) is a userland tool to access the KDC's digest interface.
  o kimpersonate(8) creates a "fake" ticket for a service.

  We also now install manpages for some lirbaries that were not installed
  before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4.  All users are
  recommended to switch to Kerberos 5.

- Weak ciphers are now disabled by default.  To enable DES support (used
  by telnet(8)), use "allow_weak_crypto" option in krb5.conf.

- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
  disabled due to the function they use (krb5_get_err_text(3)) being
  deprecated.  I plan to work on this next.

- Heimdal's KDC now require sqlite to operate.  We use the bundled version
  and install it as libheimsqlite.  If some other FreeBSD components will
  require it in the future we can rename it to libbsdsqlite and use for these
  components as well.

- This is not a latest Heimdal version, the new one was released while I was
  working on the update.  I will update it to 1.5.2 soon, as it fixes some
  important bugs and security issues.
2012-03-22 08:48:42 +00:00
dfr
be0348cb75 Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.
2008-05-07 13:53:12 +00:00
ru
cec60429bb Start the dreaded NOFOO -> NO_FOO conversion.
OK'ed by:	core
2004-12-21 08:47:35 +00:00
ru
ad7b0104a3 style.Makefile(5).
OK'ed by:	nectar
2004-02-05 18:51:52 +00:00
ru
d8d438a5ea Unbreak build with OpenLDAP.
Forgotten by:	mr
2004-02-04 16:42:36 +00:00
ru
70146d9d56 Put libraries in the link order.
Reported by:	lorder(1) (modified to work with libraries)
2004-02-04 10:23:09 +00:00
ru
ad18fb995c Overhaul of kerberos5/ makefiles. Most significant changes are:
- Dropped support for standalone builds, this was only partially
  supported anyway, and required so much magic in makefiles that
  made life dangerous (e.g., by using the custom yacc rules).

- Got rid of .OBJDIR in makefiles -- makes building of individual
  files possible again.

- Made the .x.c transformations -j safe.

- Reprogrammed LDADD to fix static build of some utilities that
  was broken.

- Fixed LDFLAGS and DPADD in the WITH_OPENLDAP case -- positively
  affects the contents of .depend files.

- Removed redundant .h's from SRCS, only kept those that are
  generated.

- libkrb5/ INCS were bogusly installed again with libgssapi/.

- Made build-tools real tools with their own makefiles in
  separate directories.  This allows us to properly track
  their dependencies, etc.

- Faster build, 21% less of makefile code!

Approved by:	nectar
Reviewed by:	markm
Silence on:	arch
2004-01-31 08:15:57 +00:00
mr
91983f91e1 add hprop to the build and add LDAP mods to hprop.
add kadmind.8

Submitted by:	Alex Deiter <tiamat@komi.mts.ru>
2004-01-30 11:06:48 +00:00
nectar
9d50fa1c54 Update build infrastructure for Heimdal 0.6. 2003-10-09 19:48:47 +00:00
markm
522acafcec Big fixup of the makefiles. Sort out the dependancies so that "make"
without "make depend" works, "make -j N" works, and lists of source
files are made vertical to reduce future diffs.
2003-07-18 13:21:58 +00:00
markm
d6aec2b6d6 Very big makeover in the way telnet, telnetd and libtelnet are built.
Previously, there were two copies of telnet; a non-crypto version
that lived in the usual places, and a crypto version that lived in
crypto/telnet/. The latter was built in a broken manner somewhat akin
to other "contribified" sources. This meant that there were 4 telnets
competing with each other at build time - KerberosIV, Kerberos5,
plain-old-secure and base. KerberosIV is no longer in the running, but
the other three took it in turns to jump all over each other during a
"make buildworld".

As the crypto issue has been clarified, and crypto _calls_ are not
a problem, crypto/telnet has been repo-copied to contrib/telnet,
and with this commit, all telnets are now "contribified". The contrib
path was chosen to not destroy history in the repository, and differs
from other contrib/ entries in that it may be worked on as "normal"
BSD code. There is no dangerous crypto in these sources, only a
very weak system less strong than enigma(1).

Kerberos5 telnet and Secure telnet are now selected by using the usual
macros in /etc/make.conf, and the build process is unsurprising and
less treacherous.
2003-07-16 20:59:15 +00:00
ru
495eff2a20 Fixed "make checkdpadd".
OK'ed by:	markm
2003-07-02 23:46:39 +00:00
mr
de0f8d4cff Add (optional, default off) support to kerberos5 for supporting openldap.
Tests with openldap20 where successful whereas openldap21 didn't like
the way hdb-ldap accessed openldap (doesn't like non-bind access).
To activate the support put a USE_OPENLDAP=yes in your make.conf.
The OPENLDAPBASE is also optional and points to /usr/local as default.

Approved by:	markm
MFC after:	2 weeks
2003-06-18 09:11:34 +00:00
markm
2abe88edc1 Post KerberosIV de-orbit: Clean up Kerberos5. We dont need KerberosIV
compatiblity mode anymore. Rename the k5foo utils to kfoo (after
repo-copy).
2003-03-09 21:56:55 +00:00
marcel
71eb06a12b Don't copy headers from the source tree to the object tree without
making sure the copies in the object tree are writable. When files
in the source tree are not writable (as would be the case for a p4
tree) then a buildworld -DNOCLEAN will try to copy over the existing
non-writable headers. This fails. Instead we cat the headers with
redirection. This is just one of the possibilities.
2003-03-08 08:57:56 +00:00
nectar
c4f823a8ba Unbreak Kerberos 5 authentication in telnet.
(Credential forwarding is still broken.)

PR:	bin/45397
2003-03-06 13:41:53 +00:00
nectar
5012a39145 Fix k5admind by dropping libkadm5clnt from LDADD. 2002-09-20 17:31:03 +00:00
nectar
296dd3ab99 Reorder libraries in LDADD in case some wants to statically
link these applications.
2002-09-20 17:09:38 +00:00
nectar
2658a0653c Make ipropd-slave/ipropd-master actually work. These applications
were being linked against the client Kerberos administration library,
when they must be linked against the server library, resulting in
segfaults early in the game.  I suspect these have never been tested
before :-(
2002-09-20 17:07:59 +00:00
nectar
5510fffec8 Update build infrastructure after import of Heimdal Kerberos 2002/08/29. 2002-08-30 21:33:20 +00:00
fjoe
e1a15dd5a4 Kerberos 5 no longer needs -lmd
Approved by:	nectar
2002-08-04 22:23:48 +00:00