src/kerberos5, branch main

heimdal-kadmin: Add support for the -f dump option

2025-10-05T16:18:35Z

The "-f" dump option allows a dump of the Heimdal KDC in a format that the MIT kdb5_util command can load into a MIT KDC's database. This makes transitioning from the Heimdal KDC to the current MIT one feasible without having to re-create the KDC database from scratch. glebius@ did the initial work, cherry picking these commits from the Heimdal sources on github and then doing extensive merge conflict resolution and other fixes so that it would build. Heimdal commit fca5399 authored by Nico Williams: Initial commit for second approach for multiple kvno. NOT TESTED! Heimdal commit 57f1545 authored by Nico Williams: Add support for writing to KDB and dumping HDB to MIT KDB dump format Before this change Heimdal could read KDBs. Now it can write to them too. Heimdal can now also dump HDBs (including KDBs) in MIT format, which can then be imported with kdb5_util load. This is intended to help in migrations from MIT to Heimdal by allowing migrations from Heimdal to MIT so that it is possible to rollback from Heimdal to MIT should there be any issues. The idea is to allow a) running Heimdal kdc/kadmind with a KDB, or b) running Heimdal with an HDB converted from a KDB and then rollback by dumping the HDB and loading a KDB. Note that not all TL data types are supported, only two: last password change and modify-by. This is the minimum necessary. PKINIT users may need to add support for KRB5_TL_USER_CERTIFICATE, and for databases with K/M history we may need to add KRB5_TL_MKVNO support. This resulted in a Heimdal kadmin that would dump the KDC database in MIT format. However, there were issues when this dump was loaded into the current MIT KDC in FreeBSD current/15.0. The changes I did to make the dump more useful are listed below: When "-f MIT" is used for "kadmin -l dump" it writes the dump out in MIT format. This dump format is understood by the MIT kdb5_util command. The patch modifies the above so that the MIT KDC's master key keytab file can be provided as the argument to "-f" so that the principals are re-encrypted in it. This allows any principal with at least one strong encryption type key to work without needing a change_password. The strong encryption types supported by the Heimdal KDC are: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 The issues my changes address are: - If there are weak encryption keys in a principal's entry, MIT's kadmin.local will report that the principcal's entry is incomplete or corrupted. - The keys are encrypted in Heimdal's master key. The "-d" option can be used on the "kadmin -l dump" to de-encrypt them, but the passwords will not work on the current MIT KDC. To try and deal with the above issues, this patch modied the above to: - Does not dump the weak keys. - Re-encrypts the strong keys in MIT's master key if the argument to "-f" is actually a filename which holds the MIT KDC's master key keytab and not "MIT". - For principals that only have weak keys, it generates a fake strong key. This key will not work on the MIT KDC, but the principal entry will work once a change_password is done to it. - It always generates a "modified_by" entry, faking one if not already present in the Heimdal KDC database. This was necessary, since the MIT kadmin will report that the principal entry is "incomplete or corrupted" without one. It also fixed a problem where "get principal" no longer worked after the initial patch was applied. A man page update will be done as a separate commit. I believe this commit is acceptable since the Heimdal sources are now essentially deprecated in favor of the MIT sources and that this new "-f" patch simplifies the transition to the MIT KDC. Discussed with: glebius, cy MFC after: 3 days

kerberos5: Fix the Heimdal pkgbase build

2025-09-04T13:53:02Z

When LIB_PACKAGE was added, MIT Kerberos was updated to use it but Heimdal was not, so it still used PACKAGE=kerberos-lib. Since we deleted kerberos-lib-all.ucl, this caused update-packages to fail when WITHOUT_MITKRB5 is set. Change the Heimdal libraries to use LIB_PACKAGE by setting this in kerberos5/lib/Makefile.inc, and remove PACKAGE=kerberos-lib from the individual Makefiles for each library. This means Heimdal gets the same set of packages as MIT Kerberos, except for kerberos-kdc which we don't create for Heimdal. Fixes: 929f5966a9fd ("packages: Improve handling of -lib packages") Reported by: jlduran Reviewed by: jlduran, cy Differential Revision: https://reviews.freebsd.org/D52371

heimdal: fix wrt OpenSSL 3.5

2025-08-25T17:12:52Z

- Bump the library version. - Don't load the legacy provider. It is no longer enabled by default and looks like kdc doesn't actually need it. Reviewed by: cy Differential Revision: https://reviews.freebsd.org/D52114

Remove MK_GSSAPI

2025-08-20T18:42:20Z

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of Kerberos and is always built if MK_KERBEROS is enabled. Backport this behaviour to Heimdal so it works the same way. While here, change Heimdal's libcom_err and compile_et to be selected by MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos and third-party users might need it even if Kerberos support is disabled in the base system. This means MK_KERBEROS_SUPPORT installs the same files with both MIT and Heimdal. Reviewed by: cy Differential Revision: https://reviews.freebsd.org/D51859

build: remove the last vestiges of lint support

2025-06-05T23:55:34Z

Commit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure. A bunch of NO_LINT definitions remained (perhaps as a bootstrapping measture). Remove them. Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D50704

kerberos5, libcom_err, others: append to LDFLAGS instead of replacing

2025-04-05T21:19:57Z

Reviewed by: imp, emaste Differential Revision: https://reviews.freebsd.org/D49548

Remove residual blank line at start of Makefile

2024-07-15T22:43:39Z

This is a residual of the $FreeBSD$ removal. MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix

kerberos5: Mitigate the possibility of using an old libcrypto

2024-01-18T15:12:14Z

By using the full library name (libcrypto.so.30) we avoid the exposure of using an old, possibly vulnerable, library. Reported by: jrtc27 MFC after: 3 days X-MFC with: 476d63e091c2 Fixes: 476d63e091c2

kerberos: Fix numerous segfaults when using weak crypto

2024-01-18T07:46:57Z

Weak crypto is provided by the openssl legacy provider which is not load by default. Load the legacy providers as needed. When the legacy provider is loaded into the default context the default provider will no longer be automatically loaded. Without the default provider the various kerberos applicaions and functions will abort(). This is the second attempt at this patch. Instead of linking secure/lib/libcrypto at build time we now link it at runtime, avoiding buildworld failures under Linux and MacOS. This is because TARGET_ENDIANNESS is undefined at pre-build time. PR: 272835 MFC after: 3 days X-MFC: only to stable/14 Tested by: netchild Joerg Pulz (previous version)

Revert "kerberos: Fix numerous segfaults when using weak crypto"

2024-01-12T07:42:33Z

This revision breaks Linux and MacOS cross builds because TARGET_ENDIANNESS is not define during bootstrapping on these platforms. I think the correct approach would be to separate the new fbsd_ossl_provider_load() and unload functions into their own library (instead of libroken). This avoids the less desirable option of including bsd.cpu.mk in secure/lib/Makefile.common, which does build but could complicate future work. Reported by: jrtc27 This reverts commit cb350ba7bf7ca7c4cb97ed2c20ab45af60382cfb.