Date: Mon, 16 Jun 2025 02:51:47 GMT
Message-Id: <202506160251.55G2plI3062868@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: bafe0e7edaee - main - pam_ksu: Proactively address MIT KRB5 build failure
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: bafe0e7edaee75f3fcfe6bf6c3e7b1e816361365

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=bafe0e7edaee75f3fcfe6bf6c3e7b1e816361365

commit bafe0e7edaee75f3fcfe6bf6c3e7b1e816361365
Author:     Cy Schubert
AuthorDate: 2025-06-05 17:09:57 +0000
Commit:     Cy Schubert
CommitDate: 2025-06-16 02:49:35 +0000

    pam_ksu: Proactively address MIT KRB5 build failure

    MIT KRB5 does not provide a krb5_make_principal() function. We need to
    provide this ourselves for now.

    We provide the function for now while MIT and Heimdal are both in the
    tree. When Heimdal is removed we can inline the calls to
    krb5_get_default_realm() and krb5_build_principal_va().

    krb5_build_principal_va() is deprecated in MIT KRB5. Its replacement,
    krb5_build_principal_alloc_va() will be used instead at that time.

    Sponsored by: The FreeBSD Foundation
    Differential revision: https://reviews.freebsd.org/D50808
---
 lib/libpam/modules/pam_ksu/Makefile  | 11 +++++++
 lib/libpam/modules/pam_ksu/pam_ksu.c | 61 ++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

diff --git a/lib/libpam/modules/pam_ksu/Makefile b/lib/libpam/modules/pam_ksu/Makefile index c5fd72d9db7d..953ca23d1416 100644 --- a/lib/libpam/modules/pam_ksu/Makefile +++ b/lib/libpam/modules/pam_ksu/Makefile 
@@ -25,10 +25,21 @@ PACKAGE= kerberos +.include + LIB= pam_ksu SRCS= pam_ksu.c MAN= pam_ksu.8 +WARNS?= 3 LIBADD+= krb5 +.if ${MK_MITKRB5} != "no" +WARNS= 2 +CFLAGS+= -I${SRCTOP}/crypto/krb5/src/include +CFLAGS+= -I${SRCTOP}/krb5/include +CFLAGS+= -include ${SRCTOP}/crypto/krb5/src/include/k5-int.h +CFLAGS+= -DMK_MITKRB5=yes +.endif + .include diff --git a/lib/libpam/modules/pam_ksu/pam_ksu.c b/lib/libpam/modules/pam_ksu/pam_ksu.c index 47362c835c12..a6b3f043d3f4 100644 --- a/lib/libpam/modules/pam_ksu/pam_ksu.c +++ b/lib/libpam/modules/pam_ksu/pam_ksu.c 
@@ -48,6 +48,61 @@ static long get_su_principal(krb5_context, const char *, const char *, static int auth_krb5(pam_handle_t *, krb5_context, const char *, krb5_principal); +#ifdef MK_MITKRB5 +/* For MIT KRB5 only. */ + +/* + * XXX This entire module will need to be rewritten when heimdal + * XXX compatidibility is no longer needed. + */ +#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_" +#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT + +/* + * XXX We will replace krb5_build_principal_va() with + * XXX krb5_build_principal_alloc_va() when Heimdal is finally + * XXX removed. + */ +krb5_error_code KRB5_CALLCONV +krb5_build_principal_va(krb5_context context, + krb5_principal princ, + unsigned int rlen, + const char *realm, + va_list ap); +typedef char *heim_general_string; +typedef heim_general_string Realm; +typedef Realm krb5_realm; +typedef const char *krb5_const_realm; + +static krb5_error_code +krb5_make_principal(krb5_context context, krb5_principal principal, + krb5_const_realm realm, ...) +{ + krb5_error_code rc; + va_list ap; + if (realm == NULL) { + krb5_realm temp_realm = NULL; + if ((rc = krb5_get_default_realm(context, &temp_realm))) + return (rc); + realm=temp_realm; + if (temp_realm) + free(temp_realm); + } + va_start(ap, realm); + /* + * XXX Ideally we should be using krb5_build_principal_alloc_va() + * XXX here because krb5_build_principal_va() is deprecated. But, + * XXX this would require changes elsewhere in the calling code + * XXX to call krb5_free_principal() elsewhere to free the + * XXX principal. We can do that after Heimdal is removed from + * XXX our tree. + */ + rc = krb5_build_principal_va(context, principal, strlen(realm), realm, ap); + va_end(ap); + return (rc); +} +#endif + PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc __unused, const char *argv[] __unused) 
@@ -217,7 +272,13 @@ get_su_principal(krb5_context context, const char *target_user, const char *curr if (rv != 0) return (errno); if (default_principal == NULL) { +#ifdef MK_MITKRB5 + /* For MIT KRB5. */ + rv = krb5_make_principal(context, default_principal, NULL, current_user, NULL); +#else + /* For Heimdal. */ rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); +#endif if (rv != 0) { PAM_LOG("Could not determine default principal name."); return (rv);
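
Review bot: In the Makefile hunk, the MK_MITKRB5 branch lowers WARNS from 3 to 2 and force-includes the private header k5-int.h into every translation unit of an authentication module, which hides diagnostics exactly where the new compatibility code lives and ties pam_ksu to MIT internals. Consider keeping WARNS at 3 and adding only the declarations pam_ksu.c needs, or add a comment naming which warning forces the downgrade and which k5-int.h symbol is required so the workaround can be removed later.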
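
Review bot: In the new krb5_make_principal() (first pam_ksu.c hunk), the realm == NULL branch frees temp_realm immediately after `realm=temp_realm;`, so the later `strlen(realm)` and the realm argument to krb5_build_principal_va() read freed memory. Keep temp_realm alive until after va_end() and release it there; MIT provides krb5_free_default_realm() for strings returned by krb5_get_default_realm(), which is preferable to a bare free(). The same branch should also return an error if temp_realm is still NULL after a successful call, since strlen(realm) would otherwise dereference NULL. Minor: "compatidibility" in the XXX comment should read "compatibility".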
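
Review bot: In the get_su_principal() hunk, the MIT branch sits inside `if (default_principal == NULL)` and passes default_principal by value, so krb5_make_principal() is handed a NULL krb5_principal to fill in and the caller's default_principal is still NULL after the call even when rv is 0. The Heimdal branch passes &default_principal for this reason. Suggest giving the MIT wrapper the same krb5_principal * parameter and allocating the principal inside it (the krb5_build_principal_alloc_va() route the XXX comment already mentions), with a matching krb5_free_principal() in the caller, so both branches share one call form and the #ifdef at the call site can go.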