344200 |
16-Feb-2019 |
nyan |
MFC: r343011
Use ${SRCTOP}/contrib/com_err/com_err.h instead of the installed com_err.h. This fixes build when com_err.h is not installed.
PR: 234691 |
302408 |
08-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
287216 |
27-Aug-2015 |
ume |
Move setting of LDFLAGS to the modules which require it actually, as other kerberos5 modules do so.
|
284345 |
13-Jun-2015 |
sjg |
Add META_MODE support.
Off by default, build behaves normally. WITH_META_MODE we get auto objdir creation, the ability to start build from anywhere in the tree.
Still need to add real targets under targets/ to build packages.
Differential Revision: D2796 Reviewed by: brooks imp
|
275022 |
25-Nov-2014 |
bapt |
Convert kerberos to LIBADD and reduce overlinking of the kerberos binaries and libraries
|
270168 |
19-Aug-2014 |
bdrewery |
Revert r267233 for now. PIE support needs to be reworked.
1. 50+% of NO_PIE use is fixed by adding -fPIC to INTERNALLIB and other build-only utility libraries. 2. Another 40% is fixed by generating _pic.a variants of various libraries. 3. Some of the NO_PIE use is a bit absurd as it is disabling PIE (and ASLR) where it never would work anyhow, such as csu or loader. This suggests there may be better ways of adding support to the tree. Many of these cases can be fixed such that -fPIE will work but there is really no reason to have it in those cases. 4. Some of the uses are working around hacks done to some Makefiles that are really building libraries but have been using bsd.prog.mk because the code is cleaner. Had they been using bsd.lib.mk then NO_PIE would not have been needed.
We likely do want to enable PIE by default (opt-out) for non-tree consumers (such as ports). For in-tree though we probably want to only enable PIE (opt-in) for common attack targets such as remote service daemons and setuid utilities. This is also a great performance compromise since ASLR is expected to reduce performance. As such it does not make sense to enable it in all utilities such as ls(1) that have little benefit to having it enabled.
Reported by: kib
|
269648 |
06-Aug-2014 |
bapt |
Rework privatelib/internallib
Make sure everything linking to a privatelib and/or an internallib does it directly from the OBJDIR rather than DESTDIR. Add src.libnames.mk so bsd.libnames.mk is not polluted by libraries not existsing in final installation Introduce the LD* variable which is what ld(1) is expecting (via LDADD) to link to internal/privatelib Directly link to the .so in case of private library to avoid having to complexify LDFLAGS.
Phabric: https://phabric.freebsd.org/D553 Reviewed by: imp, emaste
|
267233 |
08-Jun-2014 |
bdrewery |
In preparation for ASLR [1] support add WITH_PIE to support building with -fPIE.
This is currently an opt-in build flag. Once ASLR support is ready and stable it should changed to opt-out and be enabled by default along with ASLR.
Each application Makefile uses opt-out to ensure that ASLR will be enabled by default in new directories when the system is compiled with PIE/ASLR. [2]
Mark known build failures as NO_PIE for now.
The only known runtime failure was rtld.
[1] http://www.bsdcan.org/2014/schedule/events/452.en.html Submitted by: Shawn Webb <lattera@gmail.com> Discussed between: des@ and Shawn Webb [2]
|
264400 |
13-Apr-2014 |
imp |
NO_MAN= has been deprecated in favor of MAN= for some time, go ahead and finish the job. ncurses is now the only Makefile in the tree that uses it since it wasn't a simple mechanical change, and will be addressed in a future commit.
|
255455 |
10-Sep-2013 |
des |
Clean up the Kerberos build by turning libheimipcc and libheimipcs into private shared libraries, instead of hacked-together archives of PIC objects. This makes it possible to build a static libkrb5 that works.
Reviewed by: stas Approved by: re (gjb)
|
246657 |
11-Feb-2013 |
brooks |
Add -lheimntlm to LDADD directly.
With the current binutils, symbols from libheimtlm.so are loaded because it is referenced by DT_NEEDED. This feature is not implemented in mclinker (https://code.google.com/p/mclinker/issues/detail?id=104). I encountered the same issue when linking with a recent devel/binutils invoked via clang. This was the only use of DT_NEEDED in the tree so removing it simplifies toolchain requirements.
Submitted by: Pete Chou <petechou@gmail.com> (mclinker issue)
|
233294 |
22-Mar-2012 |
stas |
- Update FreeBSD Heimdal distribution to version 1.5.1. This also brings several new kerberos related libraries and applications to FreeBSD: o kgetcred(1) allows one to manually get a ticket for a particular service. o kf(1) securily forwards ticket to another host through an authenticated and encrypted stream. o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now. o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM. o hxtool(1) is a certificate management tool to use with PKINIT. o string2key(1) maps a password into key. o kdigest(8) is a userland tool to access the KDC's digest interface. o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use for these components as well.
- This is not a latest Heimdal version, the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues.
|