From: Benjamin Kaduk
Date: Mon, 28 Jul 2025 15:04:46 -0700
Subject: Re: git: c7da9fb90b0b - main - KRB5: Enable MIT KRB5 by default
To: Rick Macklem
Cc: Konstantin Belousov, Cy Schubert, Jessica Clarke, Cy Schubert, "src-committers@freebsd.org", "dev-commits-src-all@freebsd.org", "dev-commits-src-main@freebsd.org"
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On Mon, Jul 28, 2025 at 7:04 AM Rick Macklem wrote:

> On Mon, Jul 28, 2025 at 1:20 AM Konstantin Belousov wrote:
> >
> > On Sun, Jul 27, 2025 at 08:26:03PM -0700, Rick Macklem wrote:
> > > On Tue, Jul 22, 2025 at 9:00 AM Cy Schubert wrote:
> > > >
> > > I know diddly about how libraries are handled, but is it possible to put the
> > > old Heimdal 1.5.2 libraries somewhere (semi-private) under different names?
> > >
> > > I ask because it is going to be very difficult to port the gssd to the
> > > new libraries.
> > >
> > > The problem is that the KGSSAPI code assumes some stuff very specific
> > > to Heimdal. Take a look at sys/kgssapi/krb5/krb5_mech.c and you'll see
> > > what I mean. (There's code that parses the keys etc out of the internally
> > > generated tokens. I have no idea where to even find the information on
> > > how/where the MIT code hides this stuff and a large part of krb5_mech.c
> > > looks like it will have to be re-written to work with the MIT libraries.)
> >
> > It might be better to extract the required bits and keep just them.
> > Perhaps even moving those bits from vendor to FreeBSD-owned code area.
> The problem is that the code in sys/kgssapi/krb5/krb5_mech.c does contain
> bits extracted from the Heimdal code. Basically, a detailed knowledge of an
> internal structure that the keys are extracted from.
> --> I am now thinking that adding an upcall to the gssd and letting it extract
>       the keys might be a better plan. (At least it moves the maintenance to
>       userland and, hopefully, library calls can replace the detailed knowledge
>       about the internals of the implementation.)
>

Note that MIT krb5 provides the gss_krb5_export_lucid_sec_context() API that does a lot of the work of getting useful bits out of an established GSS security context.

> >
> > I do not think that keeping large pieces of code in vendor without updates
> > is a good plan.
> Agreed. I'll work on it. (But no guarantees w.r.t. timeline.)
>
> Maybe doing a transition to Heimdal 7.8 (or 8.n) would be less painful?
> (It looks like Heimdal is getting maintenance these days. I think Debian
> is using it, which suggests it will get at least some TLC?)
>

I think adapting this to the MIT krb5 code is feasible. I think that kg_ctx_externalize() is where the actual exported security context token is produced (no structure, just bashing bytes out into the buffer).

-Ben
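An added illustration, not code from this thread, FreeBSD or MIT krb5: the key-selection step a userland daemon could perform on the structure that gss_krb5_export_lucid_sec_context() returns, instead of parsing an exported context token. The struct definitions are local mirrors of the version-1 lucid context in MIT's `<gssapi/gssapi_krb5.h>` (an assumption made so the block compiles without the library), and `lucid_pick_key()` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local mirrors of the version-1 lucid context structs declared in MIT
 * krb5's <gssapi/gssapi_krb5.h>, so this block builds without the library.
 * Real code would include that header and use its gss_krb5_lucid_* types. */
typedef struct { uint32_t type, length; void *data; } lucid_key;
typedef struct { uint32_t sign_alg, seal_alg; lucid_key ctx_key; } lucid_rfc1964;
typedef struct {
    uint32_t have_acceptor_subkey;
    lucid_key ctx_key, acceptor_subkey;
} lucid_cfx;
typedef struct {
    uint32_t version, initiate, endtime;
    uint64_t send_seq, recv_seq;
    uint32_t protocol;              /* 0 = RFC 1964 tokens, 1 = RFC 4121 (CFX) */
    lucid_rfc1964 rfc1964_kd;
    lucid_cfx cfx_kd;
} lucid_ctx_v1;

/* Hypothetical helper: copy the key that protects per-message tokens into
 * out[] and return its enctype, or -1 if the context cannot be used.
 * In real code lc comes from
 *   gss_krb5_export_lucid_sec_context(&minor, &ctx, 1, &p)
 * and is released with gss_krb5_free_lucid_sec_context(&minor, p). */
int lucid_pick_key(const lucid_ctx_v1 *lc, unsigned char *out,
                   size_t outcap, size_t *keylen)
{
    const lucid_key *k;

    if (lc == NULL || out == NULL || keylen == NULL || lc->version != 1)
        return -1;                  /* only the v1 layout is understood */
    if (lc->protocol == 0)
        k = &lc->rfc1964_kd.ctx_key;
    else if (lc->protocol == 1)
        k = lc->cfx_kd.have_acceptor_subkey ? &lc->cfx_kd.acceptor_subkey
                                            : &lc->cfx_kd.ctx_key;
    else
        return -1;                  /* unknown token format */
    if (k->data == NULL || k->length == 0 || k->length > outcap)
        return -1;                  /* never truncate key material */
    memcpy(out, k->data, k->length);
    *keylen = k->length;
    return (int)k->type;
}
```

The caller should zero `out` once the key has been handed on, since the buffer holds raw session key material.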