author | Cy Schubert <cy@FreeBSD.org> | 2016-12-03 00:54:22 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2016-12-03 00:54:22 +0000 |
commit | 2ab7cc62c4aac7da986d179d5a92e0888e8ef19e (patch) | |
tree | a20671456eb65e4017ae16b457dd2f1919135c80 /security/krb5-112/files | |
parent | net-mgmt/cpdp: Take maintainership (diff) |
Welcome the new security/krb5-115 port. This port follows MIT's
KRB5 1.15 releases.
To support this new port:
- The security/krb5 port includes an option to use this port instead
of krb5-114 as its base. krb5-114 will remain the default until the
next release of KRB5 1.15 (if it's stable of course).
- MIT by default deprecates KRB5 two versions back from the current
release. krb5-113 has been deprecated and will expire one year from
now.
Notes
Notes:
svn path=/head/; revision=427588
Diffstat (limited to 'security/krb5-112/files')
-rw-r--r-- | security/krb5-112/files/README.FreeBSD | 32 | ||||
-rw-r--r-- | security/krb5-112/files/kpropd.in | 28 | ||||
-rw-r--r-- | security/krb5-112/files/patch-clients__ksu__Makefile.in | 18 | ||||
-rw-r--r-- | security/krb5-112/files/patch-config__pre.in | 23 | ||||
-rw-r--r-- | security/krb5-112/files/patch-config__shlib.conf | 19 | ||||
-rw-r--r-- | security/krb5-112/files/patch-lib-krb5-os-localaddr.c | 75 | ||||
-rw-r--r-- | security/krb5-112/files/patch-lib__gssapi__krb5__import_name.c | 14 | ||||
-rw-r--r-- | security/krb5-112/files/patch-plugins__preauth__pkinit__pkinit_crypto_openssl.c | 11 |
8 files changed, 220 insertions, 0 deletions
diff --git a/security/krb5-112/files/README.FreeBSD b/security/krb5-112/files/README.FreeBSD
new file mode 100644
index 000000000000..e888e689eb04
--- /dev/null
+++ b/security/krb5-112/files/README.FreeBSD
@@ -0,0 +1,32 @@
+The MIT KRB5 port provides its own login program at
+${PREFIX}/sbin/login.krb5. However, login.krb5 does not make use of
+the FreeBSD login.conf and login.access files that provide a means of
+setting up and controlling sessions under FreeBSD. To overcome this,
+the MIT KRB5 port uses the FreeBSD /usr/bin/login program to provide
+interactive login password authentication instead of the login.krb5
+program provided by MIT KRB5. The FreeBSD /usr/bin/login program does
+not have support for Kerberos V password authentication,
+e.g. authentication at the console. The pam_krb5 port must be used to
+provide Kerberos V password authentication.
+
+For more information about pam_krb5, please see pam(8) and pam_krb5(8).
+
+If you wish to use login.krb5 that is provided by the MIT KRB5 port,
+the arguments "-L ${PREFIX}/sbin/login.krb5" must be
+specified as arguments to klogind and KRB5 telnetd, e.g.
+
+klogin stream tcp nowait root ${PREFIX}/sbin/klogind klogind -k -c -L ${PREFIX}/sbin/login.krb5
+eklogin stream tcp nowait root ${PREFIX}/sbin/klogind klogind -k -c -e -L ${PREFIX}/sbin/login.krb5
+telnet stream tcp nowait root ${PREFIX}/sbin/telnetd telnetd -a none -L ${PREFIX}/sbin/login.krb5
+
+Additionally, if you wish to use the MIT KRB5 provided login.krb5 instead
+of the FreeBSD provided /usr/bin/login for local tty logins,
+"lo=${PREFIX}/sbin/login.krb5" must be specified in /etc/gettytab, e.g.,
+
+default:\
+ :cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
+ :if=/etc/issue:\
+ :lo=${PREFIX}/sbin/login.krb5:
+
+It is recommended that the FreeBSD /usr/bin/login be used with the
+pam_krb5 port instead of the MIT KRB5 provided login.krb5.
diff --git a/security/krb5-112/files/kpropd.in b/security/krb5-112/files/kpropd.in
new file mode 100644
index 000000000000..faa27dc7dbba
--- /dev/null
+++ b/security/krb5-112/files/kpropd.in
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# $FreeBSD$
+#
+# PROVIDE: kpropd
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# kpropd_enable (bool): Set to NO by default.
+# Set it to YES to enable kpropd.
+# kpropd_flags (str): Set to "" by default.
+
+. /etc/rc.subr
+
+name=kpropd
+rcvar=kpropd_enable
+
+load_rc_config $name
+
+: ${kpropd_enable:="NO"}
+: ${kpropd_flags=""}
+
+command=%%PREFIX%%/sbin/${name}
+
+run_rc_command "$1"
diff --git a/security/krb5-112/files/patch-clients__ksu__Makefile.in b/security/krb5-112/files/patch-clients__ksu__Makefile.in
new file mode 100644
index 000000000000..7ec54abdc076
--- /dev/null
+++ b/security/krb5-112/files/patch-clients__ksu__Makefile.in
@@ -0,0 +1,18 @@
+--- clients/ksu/Makefile.in.orig 2014-01-15 16:44:15.000000000 -0800
++++ clients/ksu/Makefile.in 2014-05-05 20:51:51.925985974 -0700
+@@ -1,6 +1,6 @@
+ mydir=clients$(S)ksu
+ BUILDTOP=$(REL)..$(S)..
+-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"' -DDEBUG
+
+ KSU_LIBS=@KSU_LIBS@
+
+@@ -30,6 +30,6 @@
+
+ install::
+ -for f in ksu; do \
+- $(INSTALL_SETUID) $$f \
++ $(INSTALL_PROGRAM) $$f \
+ $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
+ done
diff --git a/security/krb5-112/files/patch-config__pre.in b/security/krb5-112/files/patch-config__pre.in
new file mode 100644
index 000000000000..06ddd412d618
--- /dev/null
+++ b/security/krb5-112/files/patch-config__pre.in
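Review bot: The rewritten `DEFINES` line in the ksu patch turns on `-DDEBUG` in the same edit that fixes `CMD_PATH`, and neither the patch nor the commit message says why ksu should be built with its debug code compiled in. ksu is a privilege-changing tool, so I would drop the flag unless it is needed, i.e. `DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"'`, or expose it as a port option. The second inner hunk also swaps `$(INSTALL_SETUID)` for `$(INSTALL_PROGRAM)`, so ksu is installed without the setuid bit at this step. Presumably the port sets the final mode elsewhere (not visible on this page), and a one-line comment in the port Makefile saying where would help anyone auditing the installed permissions.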
@@ -0,0 +1,23 @@
+--- config/pre.in.orig 2014-08-11 15:46:27.000000000 -0700
++++ config/pre.in 2015-02-04 19:23:51.174245898 -0800
+@@ -178,9 +178,9 @@
+ INSTALL=@INSTALL@
+ INSTALL_STRIP=
+ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
+-INSTALL_SCRIPT=@INSTALL_PROGRAM@
++INSTALL_SCRIPT=@INSTALL_SCRIPT@
+ INSTALL_DATA=@INSTALL_DATA@
+-INSTALL_SHLIB=@INSTALL_SHLIB@
++INSTALL_SHLIB=$(INSTALL_LIB)
+ INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
+ ## This is needed because autoconf will sometimes define @exec_prefix@ to be
+ ## ${prefix}.
+@@ -197,7 +197,7 @@
+ ADMIN_BINDIR = @sbindir@
+ SERVER_BINDIR = @sbindir@
+ CLIENT_BINDIR =@bindir@
+-PKGCONFIG_DIR = @libdir@/pkgconfig
++PKGCONFIG_DIR = $(prefix)/libdata/pkgconfig
+ ADMIN_MANDIR = $(KRB5MANROOT)/man8
+ SERVER_MANDIR = $(KRB5MANROOT)/man8
+ CLIENT_MANDIR = $(KRB5MANROOT)/man1
diff --git a/security/krb5-112/files/patch-config__shlib.conf b/security/krb5-112/files/patch-config__shlib.conf
new file mode 100644
index 000000000000..805e56e91e7f
--- /dev/null
+++ b/security/krb5-112/files/patch-config__shlib.conf
@@ -0,0 +1,19 @@
+--- config/shlib.conf.orig 2013-12-10 14:49:15.000000000 -0800
++++ config/shlib.conf 2013-12-11 12:58:51.983110392 -0800
+@@ -315,13 +315,13 @@
+ ;;
+ esac
+ SHLIBVEXT='.so.$(LIBMAJOR)'
+- RPATH_FLAG='-Wl,--enable-new-dtags -Wl,-rpath -Wl,'
++ LDCOMBINE="libtool --mode=link cc -Xcompiler -shared"
++ RPATH_FLAG='-Wl,-rpath -Wl,'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+ SHLIBEXT=.so
+- LDCOMBINE='ld -Bshareable'
+- SHLIB_RPATH_FLAGS='--enable-new-dtags -rpath $(SHLIB_RDIRS)'
++ SHLIB_RPATH_FLAGS='-rpath $(SHLIB_RDIRS)'
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
+ CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
diff --git a/security/krb5-112/files/patch-lib-krb5-os-localaddr.c b/security/krb5-112/files/patch-lib-krb5-os-localaddr.c
new file mode 100644
index 000000000000..06b6043f22c9
--- /dev/null
+++ b/security/krb5-112/files/patch-lib-krb5-os-localaddr.c
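Review bot: The new `LDCOMBINE` value hard-codes `cc` and is the only assignment in this block written in double quotes, so shared libraries are linked with whichever `cc` and `libtool` come first in PATH rather than the compiler the neighbouring lines take from `$(CC)`. I would write it like its neighbours, `LDCOMBINE='libtool --mode=link $(CC) -Xcompiler -shared'`; the single quotes matter because shlib.conf looks to be shell, where `$(CC)` inside double quotes would be run as a command substitution. Separately, dropping `--enable-new-dtags` from both rpath settings changes how the run path is recorded (presumably DT_RPATH rather than DT_RUNPATH, depending on the linker default), which affects library search order and deserves a line of rationale in the patch header. The enclosing `case` branch starts above the inner hunk.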
@@ -0,0 +1,75 @@
+--- lib/krb5/os/localaddr.c.orig 2009-10-30 20:17:27.000000000 -0700
++++ lib/krb5/os/localaddr.c 2010-04-19 12:39:56.707090973 -0700
+@@ -175,6 +175,7 @@
+ }
+ #endif
+
++#if 0
+ static int
+ is_loopback_address(struct sockaddr *sa)
+ {
+@@ -191,6 +192,7 @@
+ return 0;
+ }
+ }
++#endif
+
+ #ifdef HAVE_IFADDRS_H
+ #include <ifaddrs.h>
+@@ -467,12 +469,14 @@
+ ifp->ifa_flags &= ~IFF_UP;
+ continue;
+ }
++#if 0
+ if (is_loopback_address(ifp->ifa_addr)) {
+ /* Pretend it's not up, so the second pass will skip
+ it. */
+ ifp->ifa_flags &= ~IFF_UP;
+ continue;
+ }
++#endif
+ /* If this address is a duplicate, punt. */
+ match = 0;
+ for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
+@@ -601,11 +605,13 @@
+ }
+ /*@=moduncon@*/
+
++#if 0
+ /* None of the current callers want loopback addresses. */
+ if (is_loopback_address((struct sockaddr *)&lifr->lifr_addr)) {
+ Tprintf ((" loopback\n"));
+ goto skip;
+ }
++#endif
+ /* Ignore interfaces that are down. */
+ if ((lifreq.lifr_flags & IFF_UP) == 0) {
+ Tprintf ((" down\n"));
+@@ -772,11 +778,13 @@
+ }
+ /*@=moduncon@*/
+
++#if 0
+ /* None of the current callers want loopback addresses. */
+ if (is_loopback_address(&lifr->iflr_addr)) {
+ Tprintf ((" loopback\n"));
+ goto skip;
+ }
++#endif
+ /* Ignore interfaces that are down. */
+ if ((lifreq.iflr_flags & IFF_UP) == 0) {
+ Tprintf ((" down\n"));
+@@ -987,11 +995,13 @@
+ }
+ /*@=moduncon@*/
+
++#if 0
+ /* None of the current callers want loopback addresses. */
+ if (is_loopback_address(&ifreq.ifr_addr)) {
+ Tprintf ((" loopback\n"));
+ goto skip;
+ }
++#endif
+ /* Ignore interfaces that are down. */
+ if ((ifreq.ifr_flags & IFF_UP) == 0) {
+ Tprintf ((" down\n"));
diff --git a/security/krb5-112/files/patch-lib__gssapi__krb5__import_name.c b/security/krb5-112/files/patch-lib__gssapi__krb5__import_name.c
new file mode 100644
index 000000000000..40f116af2196
--- /dev/null
+++ b/security/krb5-112/files/patch-lib__gssapi__krb5__import_name.c
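Review bot: All five `#if 0` regions switch off the loopback filter without any rationale, and the comment left inside three of them (`/* None of the current callers want loopback addresses. */`) now says the opposite of what the patched code does. With `is_loopback_address()` compiled out, loopback entries are presumably returned by each of the address enumerators touched here, so whatever consumes that list (the callers are not visible on this page) may start seeing loopback addresses. I would put a comment above the first guard, along the lines of `/* FreeBSD port: keep loopback addresses in the result because <reason> */`, and consider a single named macro instead of five bare `#if 0` blocks so the local deviation is greppable and easier to re-check on upstream updates. The enclosing functions start and end outside the inner hunks.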
@@ -0,0 +1,14 @@
+--- lib/gssapi/krb5/import_name.c.orig Mon Jul 18 15:12:42 2005
++++ lib/gssapi/krb5/import_name.c Tue Nov 8 09:53:58 2005
+@@ -33,6 +33,11 @@
+ #endif
+ #endif
+
++#include <sys/param.h>
++#if __FreeBSD_version < 500100
++#include <stdio.h>
++#endif
++
+ #ifdef HAVE_STRING_H
+ #include <string.h>
+ #else
diff --git a/security/krb5-112/files/patch-plugins__preauth__pkinit__pkinit_crypto_openssl.c b/security/krb5-112/files/patch-plugins__preauth__pkinit__pkinit_crypto_openssl.c
new file mode 100644
index 000000000000..4d202a7d1c45
--- /dev/null
+++ b/security/krb5-112/files/patch-plugins__preauth__pkinit__pkinit_crypto_openssl.c
@@ -0,0 +1,11 @@
+--- plugins/preauth/pkinit/pkinit_crypto_openssl.c.orig 2015-02-18 23:31:13.000000000 +0100
++++ plugins/preauth/pkinit/pkinit_crypto_openssl.c 2015-02-28 22:05:52.151654774 +0100
+@@ -172,7 +172,7 @@
+ pkinit_pkcs11_code_to_text(int err);
+
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_CMS)
+ /* Use CMS support present in OpenSSL 1.0 and later. */
+ #include <openssl/cms.h>
+ #define pkinit_CMS_get0_content_signed(_cms) CMS_get0_content(_cms) |
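Review bot: The `#if __FreeBSD_version < 500100` branch in the import_name.c patch looks like dead code on any release this 2016 port can build on (the value appears to date from the FreeBSD 5.x era), so the effective change is just the unconditional `#include <sys/param.h>`. If that is right, the patch can probably be dropped; if `<stdio.h>` is genuinely needed, include it unconditionally and say why in the patch header. The inner patch timestamps are from 2005, which suggests it was carried forward into the new port without being re-checked.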