Commit Graph

179 Commits

Author SHA1 Message Date
rmacklem
c33ddc827e Fix the getpwnam_r() call in the pname_to_uid() kerberos library function so
that it handles the ERANGE error return case. Without this fix, authentication
of users for certain system setups could fail unexpectedly.

Reported by:	Elias Martenson (lokedhs@gmail.com)
Tested by:	Elias Martenson (earlier version)
MFC after:	2 weeks
2013-05-02 12:52:49 +00:00
brooks
da973a9cc0 Add -lheimntlm to LDADD directly.
With the current binutils, symbols from libheimtlm.so are loaded because
it is referenced by DT_NEEDED.  This feature is not implemented in
mclinker (https://code.google.com/p/mclinker/issues/detail?id=104).
I encountered the same issue when linking with a recent devel/binutils
invoked via clang.  This was the only use of DT_NEEDED in the tree so
removing it simplifies toolchain requirements.

Submitted by:	Pete Chou <petechou@gmail.com> (mclinker issue)
2013-02-11 09:45:24 +00:00
brooks
f98d7b3151 Only try to install one link at each path.
Don't install verify_krb5_conf.8.  It is installed in
kerberos5/usr.bin/verify_krb5_conf.
2013-01-23 23:49:35 +00:00
marcel
52e7fd7c54 Add support for bmake. This includes:
1.  Don't do upgrade_checks when using bmake. As long as we have WITH_BMAKE,
    there's a bootstrap complication in ths respect. Avoid it. Make the
    necessary changes to have upgrade_checks work wth bmake anyway.
2.  Remove the use of -E. It's not needed in our build because we use ?= for
    the respective variables, which means that we'll take the environment
    value (if any) anyway.
3.  Properly declare phony targets as phony as bmake is a lot smarter (and
    thus agressive) about build avoidance.
4.  Make sure CLEANFILES is complete and use it on .NOPATH. bmake is a lot
    smarter about build avoidance and should not find files we generate in
    the source tree. We should not have files in the repository we want to
    generate, but this is an easier way to cross this hurdle.
5.  Have behavior under bmake the same as it is under make with respect to
    halting when sub-commands fail. Add "set -e" to compound commands so
    that bmake is informed when sub-commands fail.
6.  Make sure crunchgen uses the same make as the rest of the build. This
    is important when the make utility isn't called make (but bmake for
    example).
7.  While here, add support for using MAKEOBJDIR to set the object tree
    location. It's the second alternative bmake looks for when determining
    the actual object directory (= .OBJDIR).

Submitted by:	Simon Gerraty <sjg@juniper.net>
Submitted by:	John Van Horne <jvanhorne@juniper.net>
2012-10-06 20:01:05 +00:00
obrien
2948183cec Centralize the specification of the krb5 build tools. 2012-06-01 21:26:28 +00:00
obrien
928a481c65 * Remove headers from SRCS that are not generated
(and are in /usr/src/crypto/heimdal/).

* Avoid race conditions with 'make -j<N>'.
2012-05-30 22:21:25 +00:00
stas
e98d05b4f0 - Update FreeBSD's Heimdal distribution to 1.5.2. This is a bugfix
release, which fixes a DoS issue in libkrb5.
2012-04-08 08:19:17 +00:00
stas
dad1111000 - Add a "real" symbol version map to libasn1. The upstream version
of the version map just exported all the symbols, which caused a
  binutils bug being triggered when ld fails to link two objects, one
  of which exports a versioned version of the symbol, and another --
  unversioned. [1]
- Also add version map for libkafs5.

Submitted by:	jchandra@ (based on)
2012-04-08 04:22:09 +00:00
jmallett
4544b2987d Assume a big-endian default on MIPS and drop the "eb" suffix from MACHINE_ARCH.
This makes our naming scheme more closely match other systems and the
expectations of much third-party software.  MIPS builds which are little-endian
should require and exhibit no changes.  Big-endian TARGET_ARCHes must be
changed:
	From:		To:
	mipseb		mips
	mipsn32eb	mipsn32
	mips64eb	mips64

An entry has been added to UPDATING and some foot-shooting protection (complete
with warnings which should become errors in the near future) to the top-level
base system Makefile.
2012-03-29 02:54:35 +00:00
stas
fc5b106034 - Apply binutils workaround on mips.mips as well. Though this TARGET_ARCH
is deprecated, tinderbox uses it.
2012-03-24 00:42:38 +00:00
stas
e7e0b34988 - Update FreeBSD Heimdal distribution to version 1.5.1. This also brings
several new kerberos related libraries and applications to FreeBSD:
  o kgetcred(1) allows one to manually get a ticket for a particular service.
  o kf(1) securily forwards ticket to another host through an authenticated
    and encrypted stream.
  o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
    and other user kerberos operations. klist and kswitch are just symlinks
    to kcc(1) now.
  o kswitch(1) allows you to easily switch between kerberos credentials if
    you're running KCM.
  o hxtool(1) is a certificate management tool to use with PKINIT.
  o string2key(1) maps a password into key.
  o kdigest(8) is a userland tool to access the KDC's digest interface.
  o kimpersonate(8) creates a "fake" ticket for a service.

  We also now install manpages for some lirbaries that were not installed
  before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4.  All users are
  recommended to switch to Kerberos 5.

- Weak ciphers are now disabled by default.  To enable DES support (used
  by telnet(8)), use "allow_weak_crypto" option in krb5.conf.

- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
  disabled due to the function they use (krb5_get_err_text(3)) being
  deprecated.  I plan to work on this next.

- Heimdal's KDC now require sqlite to operate.  We use the bundled version
  and install it as libheimsqlite.  If some other FreeBSD components will
  require it in the future we can rename it to libbsdsqlite and use for these
  components as well.

- This is not a latest Heimdal version, the new one was released while I was
  working on the update.  I will update it to 1.5.2 soon, as it fixes some
  important bugs and security issues.
2012-03-22 08:48:42 +00:00
ume
e27fef4e5f Don't support OpenLDAP during lib32 build. 2011-12-06 12:03:01 +00:00
ume
7a41e563a7 - Make heimdal buildable with WITH_OPENLDAP defined, again.
- Our heimdal uses the deprecated OpenLDAP functions.
2011-12-05 16:38:52 +00:00
fjoe
72e217547f Link with -ledit instead of -lreadline. 2011-11-29 03:49:03 +00:00
stas
d35869ca7e - Add missing interdependencies to kerberos libraries. Some of the
kerberos libraries were not linked properly (missing dependencies),
  which causes 3rd party applications linking to fail when --as-needed
  ld flag is used.  I also added the --no-undefined ld(1) flag to make
  sure that there're no missing dependencies.

MFC after:	3 days
2011-09-27 07:14:12 +00:00
marius
1b609861c8 The kerberos5 tools are only used as build tools but not otherwise and
didn't get installed either.

MFC after:	1 week
2011-06-25 16:13:56 +00:00
antoine
36f3e22925 Fix a typo.
MFC after:	1 month
2010-01-09 18:53:03 +00:00
antoine
2c83252eff Fix a typo.
MFC after:	1 month
2010-01-09 18:51:50 +00:00
bland
41b941dc80 Link GSS mechanics modules against libgssapi so they will not fail due
unresolved symbol errors when in turn libgssapi was loaded with RTLD_LOCAL
flag set (which is the default).

Reviewed by:	dfr, jhb
MFC after:	3 days
2009-10-12 17:10:51 +00:00
delphij
f928371bf4 Disconnect closefrom.c as we have it as a system call. 2009-06-16 00:09:06 +00:00
delphij
56adb57f99 Now we have closefrom(). 2009-06-15 23:03:38 +00:00
kib
2e6f1edb43 Add strndup(3) prototype to string.h.
This change was erronously ommitted from the r185690, and attempt
to simply add the prototype to string.h has revealed that several
contributed programs defined local prototypes for strndup(), controlled
by autoconfed config.h. So, manually change #undef HAVE_STRNDUP to
#define HAVE_STRNDUP 1. Next import of the corresponding program would
regenerate config.h, overriding the changes in this commit.

No objections from: kan
2008-12-08 21:04:24 +00:00
dfr
ea3d7030c0 Add an implementation of the RPCSEC_GSS authentication protocol for RPC. This
is based on an old implementation from the University of Michigan with lots of
changes and fixes by me and the addition of a Solaris-compatible API.

Sponsored by:	Isilon Systems
Reviewed by:	alfred
2008-08-06 14:02:05 +00:00
marius
3807b1c27a Add roken.h to SRCS. This fixes the compilation of slc during a
buildworld on a host running a world built with WITHOUT_KERBEROS
defined.
2008-06-18 21:20:50 +00:00
dfr
5bf9c97013 Add the hx509 error table. 2008-05-15 08:53:31 +00:00
dfr
a3e613640d Add manpage links to krb5_principal.3. 2008-05-11 10:32:37 +00:00
dfr
a7865e4ffe Don't try to make links to manpages that no longer exist. Fixes installworld
Submitted by: phk
2008-05-11 08:27:17 +00:00
dfr
4f251e2f8c Update magic sed script for heimdal-1.1 2008-05-09 13:27:20 +00:00
dfr
72cd8a18af Update heimdal_version.
Pointed out by: antoine@
2008-05-08 13:11:34 +00:00
dfr
be0348cb75 Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.
2008-05-07 13:53:12 +00:00
kensmith
55889a3fe4 While checking over the libraries for 7.0-REL Kris found the following
libraries had not had their versions bumped relative to 6.3-REL but
had indeed been changed.  We need to bump their version so they can be
properly added to the compat6x port:

	libasn1.so.8 libgssapi.so.8 libhdb.so.8 libkadm5clnt.so.8
	libkadm5srv.so.8 libkafs5.so.8 libkrb5.so.8 libobjc.so.2

MFC After:	1 day
2007-11-20 04:20:32 +00:00
peter
225a92541b Remove _FREEFALL_CONFIG hacks 2007-10-18 19:42:50 +00:00
kan
20a6c9830c Fix generator glue to only expose extern struct units %s_units[] is
struct units defintition it known. The above construct is treated
as an incorrect C by GCC 4.2 otherwise.
2007-05-19 03:29:37 +00:00
yar
5be077d625 Kerberos/Heimdal doesn't really depend on the INET6 macro.
In the Heimdal distro, only kerberized telnet refers to INET6,
but we don't build it, we use contrib/telnet linked with the
Kerberos libs instead.

Tested with:	cmp(1)
2006-07-28 06:33:27 +00:00
ume
2d16d1ab8e Bump library majro version for gethostbyaddr(3). 2006-05-21 15:15:21 +00:00
ru
388e590f95 Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by:	imp, jhb, kris, phk, ru (all bugs are mine)
2006-03-17 18:54:44 +00:00
ru
38ea5a1166 NO_MAN is not needed here. 2006-03-16 15:18:17 +00:00
dfr
d9cbcb50b5 Add a new extensible GSS-API layer which can support GSS-API plugins,
similar the the Solaris implementation. Repackage the krb5 GSS mechanism
as a plugin library for the new implementation. This also includes a
comprehensive set of manpages for the GSS-API functions with text mostly
taken from the RFC.

Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
2005-12-29 14:40:22 +00:00
ru
e6c93861cb Apply the .PHONY attribute to the ../make*/make* targets. This
causes them to be recreated (if needed) early, when doing "make
depend" here, before generating headers that depend on them.
This should fix breakages often seen while doing incremental
(NO_CLEAN) cross-builds.
2005-11-10 21:03:58 +00:00
kensmith
f97f77429f Bump the shared library version number of all libraries that have not
been bumped since RELENG_5.

Reviewed by:	ru
Approved by:	re (not needed for commit check but in principle...)
2005-07-22 17:19:05 +00:00
kensmith
28b7f562fc This is sort of an MFS. Peter made these changes to the RELENG_*
branches but missed HEAD.  This patch extends his a little bit,
setting it up via the Makefiles so that adding _FREEFALL_CONFIG
to /etc/make.conf is the only thing needed to cluster-ize things
(current setup also requires overriding CFLAGS).

From Peter's commit to the RELENG_* branches:
> Add the freebsd.org custer's source modifications under #ifdefs to aid
> keeping things in sync.  For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root

The Makefile tweaks will be MFC-ed, the rest is already done.

MFC after:      3 days
Approved by:    re (dwhite)
2005-07-07 14:16:38 +00:00
des
2bb8de20fe Remove kludges intended to support src trees with partial obj trees.
Discussed with:	ru
2005-06-10 06:12:53 +00:00
imp
66c4f5f8b4 Cope with the (unwise?) incompatible changes with make by adding
a comment before defined(SRCS).
2005-04-18 22:03:21 +00:00
nectar
3341256644 Update Heimdal 0.6.1 -> 0.6.3. 2005-02-24 22:24:24 +00:00
ru
74176cc161 NODOCCOMPRESS -> NO_DOCCOMPRESS
NOINFO -> NO_INFO
NOINFOCOMPRESS -> NO_INFOCOMPRESS
NOLINT -> NO_LINT
NOPIC -> NO_PIC
NOPROFILE -> NO_PROFILE
2004-12-21 09:33:47 +00:00
ru
cec60429bb Start the dreaded NOFOO -> NO_FOO conversion.
OK'ed by:	core
2004-12-21 08:47:35 +00:00
ru
f0fbc30e0d Introduce the PRECIOUSPROG knob in bsd.prog.mk, similar
to PRECIOUSLIB from bsd.lib.mk.  The side effect of this
is making installing the world under jail(8) possible by
using another knob, NOFSCHG.

Reviewed by:	oliver
2004-11-03 18:01:21 +00:00
cperciva
e629b37603 Join the 21st century: Cryptography is no longer an optional component
of releases.  The -DNOCRYPT build option still exists for anyone who
really wants to build non-cryptographic binaries, but the "crypto"
release distribution is now part of "base", and anyone installing from a
release will get cryptographic binaries.

Approved by:	re (scottl), markm
Discussed on:	freebsd-current, in late April 2004
2004-08-06 07:27:08 +00:00
nectar
e745908f35 Update version strings for Heimdal: 0.6 -> 0.6.1 2004-04-13 16:41:00 +00:00
nectar
2727e5bef6 Hookup `arcfour.c' to the build (missed during upgrade to heimdal 0.6.1). 2004-04-04 03:31:05 +00:00