public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2015-10-29  4:37 Eray Aslan
  0 siblings, 0 replies; 14+ messages in thread
From: Eray Aslan @ 2015-10-29  4:37 UTC (permalink / raw
  To: gentoo-commits

commit:     f8a5e1f10568cd3f63fe5cbcfd28c46287270234
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 04:24:07 2015 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Thu Oct 29 04:24:07 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8a5e1f1

app-crypt/mit-krb5: add confd files to kdc, kadmind and kpropd daemons

Gentoo-Bug: 539010
Thanks to Paul B. Henson

Package-Manager: portage-2.2.23

 app-crypt/mit-krb5/files/mit-krb5kadmind.confd    |   2 +
 app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2 |  25 ++++
 app-crypt/mit-krb5/files/mit-krb5kdc.confd        |   2 +
 app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2     |  24 ++++
 app-crypt/mit-krb5/files/mit-krb5kpropd.confd     |   2 +
 app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2  |  24 ++++
 app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild      | 157 ++++++++++++++++++++++
 7 files changed, 236 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.confd b/app-crypt/mit-krb5/files/mit-krb5kadmind.confd
new file mode 100644
index 0000000..f6029b6
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.confd
@@ -0,0 +1,2 @@
+# Define startup options for Kerberos administration server
+KADMIND_OPTS=""

diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2 b/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2
new file mode 100644
index 0000000..54dcb87
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2
@@ -0,0 +1,25 @@
+#!/sbin/runscript
+
+#---------------------------------------------------------------------------
+# This script starts/stops the MIT Kerberos 5 Admin daemon
+#---------------------------------------------------------------------------
+
+daemon="MIT Kerberos 5 Admin daemon"
+exec="/usr/sbin/kadmind"
+
+depend() {
+	need mit-krb5kdc
+	use net
+}
+
+start() {
+	ebegin "Starting $daemon"
+	start-stop-daemon --start --quiet --exec ${exec} -- "${KADMIND_OPTS}" 1>&2
+	eend $? "Error starting $daemon"
+}
+
+stop() {
+	ebegin "Stopping $daemon"
+	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+	eend $? "Error stopping $daemon"
+}

diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.confd b/app-crypt/mit-krb5/files/mit-krb5kdc.confd
new file mode 100644
index 0000000..887d3d8
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kdc.confd
@@ -0,0 +1,2 @@
+# Define startup options for Kerberos KDC
+KDC_OPTS=""

diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2 b/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2
new file mode 100644
index 0000000..12bb47a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2
@@ -0,0 +1,24 @@
+#!/sbin/runscript
+
+#---------------------------------------------------------------------------
+# This script starts/stops the MIT Kerberos 5 KDC
+#---------------------------------------------------------------------------
+
+daemon="MIT Kerberos 5 KDC"
+exec="/usr/sbin/krb5kdc"
+
+depend() {
+	use net
+}
+
+start() {
+	ebegin "Starting $daemon"
+	start-stop-daemon --start --quiet --exec ${exec} -- "${KDC_OPTS}" 1>&2
+	eend $? "Error starting $daemon"
+}
+
+stop() {
+	ebegin "Stopping $daemon"
+	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+	eend $? "Error stopping $daemon"
+}

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.confd b/app-crypt/mit-krb5/files/mit-krb5kpropd.confd
new file mode 100644
index 0000000..d75d41a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.confd
@@ -0,0 +1,2 @@
+# Define startup options for Kerberos incremental propagation server
+KPROPD_OPTS=""

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2 b/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2
new file mode 100644
index 0000000..222c5f7
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2
@@ -0,0 +1,24 @@
+#!/sbin/runscript
+
+#---------------------------------------------------------------------------
+# This script starts/stops the MIT Kerberos 5 kpropd
+#---------------------------------------------------------------------------
+
+daemon="MIT Kerberos 5 kpropd"
+exec="/usr/sbin/kpropd"
+
+depend() {
+	use net mit-krb5kdc mit-krb5kadmind
+}
+
+start() {
+	ebegin "Starting $daemon"
+	start-stop-daemon --start --quiet --exec ${exec} -- "${KPROPD_OPTS}" 1>&2
+	eend $? "Error starting $daemon"
+}
+
+stop() {
+	ebegin "Stopping $daemon"
+	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+	eend $? "Error stopping $daemon"
+}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
new file mode 100644
index 0000000..d70cb3d
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
@@ -0,0 +1,157 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+inherit autotools eutils flag-o-matic multilib-minimal python-any-r1 versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd"
+
+CDEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+	)"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_unpack() {
+	unpack ${A}
+	unpack ./"${MY_P}".tar.gz
+}
+
+src_prepare() {
+	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+
+	eautoreconf
+}
+
+src_configure() {
+	append-cppflags "-I${EPREFIX}/usr/include/et"
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dohtml -r doc/html/*
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}
+
+pkg_preinst() {
+	if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
+		elog "MIT split the Kerberos applications from the base Kerberos"
+		elog "distribution.  Kerberized versions of telnet, rlogin, rsh, rcp,"
+		elog "ftp clients and telnet, ftp deamons now live in"
+		elog "\"app-crypt/mit-krb5-appl\" package."
+	fi
+}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2016-04-21 16:07 Eray Aslan
  0 siblings, 0 replies; 14+ messages in thread
From: Eray Aslan @ 2016-04-21 16:07 UTC (permalink / raw
  To: gentoo-commits

commit:     74ebaeed509febece37089ac12fe7127971b0b99
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Thu Apr 21 16:07:08 2016 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Thu Apr 21 16:07:08 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74ebaeed

app-crypt/mit-krb5: Remove vulnerable versions

Package-Manager: portage-2.2.28

 app-crypt/mit-krb5/Manifest                       |   2 -
 app-crypt/mit-krb5/files/CVE-2015-2695.patch      | 564 -----------------
 app-crypt/mit-krb5/files/CVE-2015-2696.patch      | 731 ----------------------
 app-crypt/mit-krb5/files/CVE-2015-2697.patch      |  50 --
 app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r1 |  25 -
 app-crypt/mit-krb5/files/mit-krb5kdc.initd-r1     |  24 -
 app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r1  |  24 -
 app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild      | 160 -----
 app-crypt/mit-krb5/mit-krb5-1.13.2-r3.ebuild      | 160 -----
 app-crypt/mit-krb5/mit-krb5-1.14.ebuild           | 151 -----
 10 files changed, 1891 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index e3d2128..89c6183 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,4 +1,2 @@
-DIST krb5-1.13.2-signed.tar 12113920 SHA256 e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1 SHA512 d3f8dde220876bd24703c488122ba8e54ffaa7f8f2c7d325e5d198a4e171248673fc1d5d3c997c6d2e66c314e2b7f4609eb980a789c3556a79458ab4411e61b5 WHIRLPOOL 9f29f4d76b7b2225f18707a95b217ce0eab7ae963ba547460fa6e7ffdc43e3c350ae070265c52b9751a70f80a95086e39c29dc2c44e0a22d17f9b48f7bf838f7
 DIST krb5-1.14.1.tar.gz 12259025 SHA256 c8faa44574246f5bd0ce5a3dedc48c32db48a74cc4323949bf70f0ac2d6f1a99 SHA512 5d64bb30ecb9e267e2494cea4995d8cc314916d8f6a9318fb80067ae6389ad7468656400d996698b6dc0bdb4c1355c13701b570521a7c40008cf1f83df24847d WHIRLPOOL 2d4ab7e8e65d27ce207bd1d254586f95c8b219c01d2deb2fe60f8d5f84e13cd52881bbc2b51c1ee2d40a81570afa15d46c8446e5c6ec052e7621b76d34b72a7d
 DIST krb5-1.14.2.tar.gz 12264762 SHA256 6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27 SHA512 8e0d8203740aac78b65a62c0f79998b56dae23725763f645ae13a92dc4263d193e7334f84e278ca873d2b72d425f47cd4b68b58690d029dccce41e8a157b16f0 WHIRLPOOL 18a3729f5bfb928318f5cc28c919cbc49ee9179199ee82445922a5f2e8afbf4ed5a31f7e710877f8c12ef75f326723e7410608ce538983ce1b811e16091d72a1
-DIST krb5-1.14.tar.gz 12255176 SHA256 cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9 SHA512 b33a85b37f6038e34ba4038c9d1cc6a0df027652cbeccd24e39b323a1ed1bc16305099df04654c80ba7e6b56bd3d3c2df95758add888f9ef8535cb78443684ff WHIRLPOOL e049aea7bcc99fa61af353bb0e831f63512c0c1f9df06332f2aae9add356f0fb27ee46e2a2fab23b7875bb827b2aa2ff78314ffe50d07fc95f089fff5fde5113

diff --git a/app-crypt/mit-krb5/files/CVE-2015-2695.patch b/app-crypt/mit-krb5/files/CVE-2015-2695.patch
deleted file mode 100644
index 08bc8ab..0000000
--- a/app-crypt/mit-krb5/files/CVE-2015-2695.patch
+++ /dev/null
@@ -1,564 +0,0 @@
-From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001
-From: Nicolas Williams <nico@twosigma.com>
-Date: Mon, 14 Sep 2015 12:27:52 -0400
-Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
-
-The SPNEGO mechanism currently replaces its context handle with the
-mechanism context handle upon establishment, under the assumption that
-most GSS functions are only called after context establishment.  This
-assumption is incorrect, and can lead to aliasing violations for some
-programs.  Maintain the SPNEGO context structure after context
-establishment and refer to it in all GSS methods.  Add initiate and
-opened flags to the SPNEGO context structure for use in
-gss_inquire_context() prior to context establishment.
-
-CVE-2015-2695:
-
-In MIT krb5 1.5 and later, applications which call
-gss_inquire_context() on a partially-established SPNEGO context can
-cause the GSS-API library to read from a pointer using the wrong type,
-generally causing a process crash.  This bug may go unnoticed, because
-the most common SPNEGO authentication scenario establishes the context
-after just one call to gss_accept_sec_context().  Java server
-applications using the native JGSS provider are vulnerable to this
-bug.  A carefully crafted SPNEGO packet might allow the
-gss_inquire_context() call to succeed with attacker-determined
-results, but applications should not make access control decisions
-based on gss_inquire_context() results prior to context establishment.
-
-    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-[ghudson@mit.edu: several bugfixes, style changes, and edge-case
-behavior changes; commit message and CVE description]
-
-ticket: 8244
-target_version: 1.14
-tags: pullup
----
- src/lib/gssapi/spnego/gssapiP_spnego.h |   2 +
- src/lib/gssapi/spnego/spnego_mech.c    | 254 ++++++++++++++++++++++++---------
- 2 files changed, 192 insertions(+), 64 deletions(-)
-
-diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
-index 57372de..5c82764 100644
---- a/src/lib/gssapi/spnego/gssapiP_spnego.h
-+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
-@@ -103,6 +103,8 @@ typedef struct {
- 	int firstpass;
- 	int mech_complete;
- 	int nego_done;
-+	int initiate;
-+	int opened;
- 	OM_uint32 ctx_flags;
- 	gss_name_t internal_name;
- 	gss_OID actual_mech;
-diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index ef76e1f..7849c85 100644
---- a/src/lib/gssapi/spnego/spnego_mech.c
-+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -102,7 +102,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
- 				      gss_cred_usage_t, gss_OID_set *);
- static void release_spnego_ctx(spnego_gss_ctx_id_t *);
- static void check_spnego_options(spnego_gss_ctx_id_t);
--static spnego_gss_ctx_id_t create_spnego_ctx(void);
-+static spnego_gss_ctx_id_t create_spnego_ctx(int);
- static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
- static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
- static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
-@@ -454,7 +454,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
- }
- 
- static spnego_gss_ctx_id_t
--create_spnego_ctx(void)
-+create_spnego_ctx(int initiate)
- {
- 	spnego_gss_ctx_id_t spnego_ctx = NULL;
- 	spnego_ctx = (spnego_gss_ctx_id_t)
-@@ -477,6 +477,8 @@ create_spnego_ctx(void)
- 	spnego_ctx->mic_rcvd = 0;
- 	spnego_ctx->mech_complete = 0;
- 	spnego_ctx->nego_done = 0;
-+	spnego_ctx->opened = 0;
-+	spnego_ctx->initiate = initiate;
- 	spnego_ctx->internal_name = GSS_C_NO_NAME;
- 	spnego_ctx->actual_mech = GSS_C_NO_OID;
- 
-@@ -642,7 +644,7 @@ init_ctx_new(OM_uint32 *minor_status,
- 	OM_uint32 ret;
- 	spnego_gss_ctx_id_t sc = NULL;
- 
--	sc = create_spnego_ctx();
-+	sc = create_spnego_ctx(1);
- 	if (sc == NULL)
- 		return GSS_S_FAILURE;
- 
-@@ -659,10 +661,7 @@ init_ctx_new(OM_uint32 *minor_status,
- 		ret = GSS_S_FAILURE;
- 		goto cleanup;
- 	}
--	/*
--	 * The actual context is not yet determined, set the output
--	 * context handle to refer to the spnego context itself.
--	 */
-+
- 	sc->ctx_handle = GSS_C_NO_CONTEXT;
- 	*ctx = (gss_ctx_id_t)sc;
- 	sc = NULL;
-@@ -1108,16 +1107,11 @@ spnego_gss_init_sec_context(
- 	}
- 	gss_release_buffer(&tmpmin, &mechtok_out);
- 	if (ret == GSS_S_COMPLETE) {
--		/*
--		 * Now, switch the output context to refer to the
--		 * negotiated mechanism's context.
--		 */
--		*context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
-+		spnego_ctx->opened = 1;
- 		if (actual_mech != NULL)
- 			*actual_mech = spnego_ctx->actual_mech;
- 		if (ret_flags != NULL)
- 			*ret_flags = spnego_ctx->ctx_flags;
--		release_spnego_ctx(&spnego_ctx);
- 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
- 		if (spnego_ctx != NULL) {
- 			gss_delete_sec_context(&tmpmin,
-@@ -1285,7 +1279,7 @@ acc_ctx_hints(OM_uint32 *minor_status,
- 	if (ret != GSS_S_COMPLETE)
- 		goto cleanup;
- 
--	sc = create_spnego_ctx();
-+	sc = create_spnego_ctx(0);
- 	if (sc == NULL) {
- 		ret = GSS_S_FAILURE;
- 		goto cleanup;
-@@ -1367,7 +1361,7 @@ acc_ctx_new(OM_uint32 *minor_status,
- 		gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
- 		assert(mech_wanted != GSS_C_NO_OID);
- 	} else
--		sc = create_spnego_ctx();
-+		sc = create_spnego_ctx(0);
- 	if (sc == NULL) {
- 		ret = GSS_S_FAILURE;
- 		*return_token = NO_TOKEN_SEND;
-@@ -1750,13 +1744,12 @@ spnego_gss_accept_sec_context(
- 			ret = GSS_S_FAILURE;
- 	}
- 	if (ret == GSS_S_COMPLETE) {
--		*context_handle = (gss_ctx_id_t)sc->ctx_handle;
-+		sc->opened = 1;
- 		if (sc->internal_name != GSS_C_NO_NAME &&
- 		    src_name != NULL) {
- 			*src_name = sc->internal_name;
- 			sc->internal_name = GSS_C_NO_NAME;
- 		}
--		release_spnego_ctx(&sc);
- 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
- 		if (sc != NULL) {
- 			gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
-@@ -2069,8 +2062,13 @@ spnego_gss_unwrap(
- 		gss_qop_t *qop_state)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_unwrap(minor_status,
--			context_handle,
-+			sc->ctx_handle,
- 			input_message_buffer,
- 			output_message_buffer,
- 			conf_state,
-@@ -2090,8 +2088,13 @@ spnego_gss_wrap(
- 		gss_buffer_t output_message_buffer)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_wrap(minor_status,
--		    context_handle,
-+		    sc->ctx_handle,
- 		    conf_req_flag,
- 		    qop_req,
- 		    input_message_buffer,
-@@ -2108,8 +2111,14 @@ spnego_gss_process_context_token(
- 				const gss_buffer_t token_buffer)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	/* SPNEGO doesn't have its own context tokens. */
-+	if (!sc->opened)
-+		return (GSS_S_DEFECTIVE_TOKEN);
-+
- 	ret = gss_process_context_token(minor_status,
--					context_handle,
-+					sc->ctx_handle,
- 					token_buffer);
- 
- 	return (ret);
-@@ -2133,19 +2142,9 @@ spnego_gss_delete_sec_context(
- 	if (*ctx == NULL)
- 		return (GSS_S_COMPLETE);
- 
--	/*
--	 * If this is still an SPNEGO mech, release it locally.
--	 */
--	if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
--		(void) gss_delete_sec_context(minor_status,
--				    &(*ctx)->ctx_handle,
--				    output_token);
--		(void) release_spnego_ctx(ctx);
--	} else {
--		ret = gss_delete_sec_context(minor_status,
--				    context_handle,
--				    output_token);
--	}
-+	(void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle,
-+				      output_token);
-+	(void) release_spnego_ctx(ctx);
- 
- 	return (ret);
- }
-@@ -2157,8 +2156,13 @@ spnego_gss_context_time(
- 			OM_uint32	*time_rec)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_context_time(minor_status,
--			    context_handle,
-+			    sc->ctx_handle,
- 			    time_rec);
- 	return (ret);
- }
-@@ -2170,9 +2174,20 @@ spnego_gss_export_sec_context(
- 			    gss_buffer_t interprocess_token)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle;
-+
-+	/* We don't currently support exporting partially established
-+	 * contexts. */
-+	if (!sc->opened)
-+		return GSS_S_UNAVAILABLE;
-+
- 	ret = gss_export_sec_context(minor_status,
--				    context_handle,
-+				    &sc->ctx_handle,
- 				    interprocess_token);
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
-+		release_spnego_ctx(&sc);
-+		*context_handle = GSS_C_NO_CONTEXT;
-+	}
- 	return (ret);
- }
- 
-@@ -2182,11 +2197,12 @@ spnego_gss_import_sec_context(
- 	const gss_buffer_t	interprocess_token,
- 	gss_ctx_id_t		*context_handle)
- {
--	OM_uint32 ret;
--	ret = gss_import_sec_context(minor_status,
--				    interprocess_token,
--				    context_handle);
--	return (ret);
-+	/*
-+	 * Until we implement partial context exports, there are no SPNEGO
-+	 * exported context tokens, only tokens for underlying mechs.  So just
-+	 * return an error for now.
-+	 */
-+	return GSS_S_UNAVAILABLE;
- }
- #endif /* LEAN_CLIENT */
- 
-@@ -2203,16 +2219,48 @@ spnego_gss_inquire_context(
- 			int		*opened)
- {
- 	OM_uint32 ret = GSS_S_COMPLETE;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (src_name != NULL)
-+		*src_name = GSS_C_NO_NAME;
-+	if (targ_name != NULL)
-+		*targ_name = GSS_C_NO_NAME;
-+	if (lifetime_rec != NULL)
-+		*lifetime_rec = 0;
-+	if (mech_type != NULL)
-+		*mech_type = (gss_OID)gss_mech_spnego;
-+	if (ctx_flags != NULL)
-+		*ctx_flags = 0;
-+	if (locally_initiated != NULL)
-+		*locally_initiated = sc->initiate;
-+	if (opened != NULL)
-+		*opened = sc->opened;
-+
-+	if (sc->ctx_handle != GSS_C_NO_CONTEXT) {
-+		ret = gss_inquire_context(minor_status, sc->ctx_handle,
-+					  src_name, targ_name, lifetime_rec,
-+					  mech_type, ctx_flags, NULL, NULL);
-+	}
- 
--	ret = gss_inquire_context(minor_status,
--				context_handle,
--				src_name,
--				targ_name,
--				lifetime_rec,
--				mech_type,
--				ctx_flags,
--				locally_initiated,
--				opened);
-+	if (!sc->opened) {
-+		/*
-+		 * We are still doing SPNEGO negotiation, so report SPNEGO as
-+		 * the OID.  After negotiation is complete we will report the
-+		 * underlying mechanism OID.
-+		 */
-+		if (mech_type != NULL)
-+			*mech_type = (gss_OID)gss_mech_spnego;
-+
-+		/*
-+		 * Remove flags we don't support with partially-established
-+		 * contexts.  (Change this to keep GSS_C_TRANS_FLAG if we add
-+		 * support for exporting partial SPNEGO contexts.)
-+		 */
-+		if (ctx_flags != NULL) {
-+			*ctx_flags &= ~GSS_C_PROT_READY_FLAG;
-+			*ctx_flags &= ~GSS_C_TRANS_FLAG;
-+		}
-+	}
- 
- 	return (ret);
- }
-@@ -2227,8 +2275,13 @@ spnego_gss_wrap_size_limit(
- 	OM_uint32	*max_input_size)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_wrap_size_limit(minor_status,
--				context_handle,
-+				sc->ctx_handle,
- 				conf_req_flag,
- 				qop_req,
- 				req_output_size,
-@@ -2245,8 +2298,13 @@ spnego_gss_get_mic(
- 		gss_buffer_t message_token)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_get_mic(minor_status,
--		    context_handle,
-+		    sc->ctx_handle,
- 		    qop_req,
- 		    message_buffer,
- 		    message_token);
-@@ -2262,8 +2320,13 @@ spnego_gss_verify_mic(
- 		gss_qop_t *qop_state)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_verify_mic(minor_status,
--			    context_handle,
-+			    sc->ctx_handle,
- 			    msg_buffer,
- 			    token_buffer,
- 			    qop_state);
-@@ -2278,8 +2341,14 @@ spnego_gss_inquire_sec_context_by_oid(
- 		gss_buffer_set_t *data_set)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	/* There are no SPNEGO-specific OIDs for this function. */
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_UNAVAILABLE);
-+
- 	ret = gss_inquire_sec_context_by_oid(minor_status,
--			    context_handle,
-+			    sc->ctx_handle,
- 			    desired_object,
- 			    data_set);
- 	return (ret);
-@@ -2359,8 +2428,15 @@ spnego_gss_set_sec_context_option(
- 		const gss_buffer_t value)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle;
-+
-+	/* There are no SPNEGO-specific OIDs for this function, and we cannot
-+	 * construct an empty SPNEGO context with it. */
-+	if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_UNAVAILABLE);
-+
- 	ret = gss_set_sec_context_option(minor_status,
--			    context_handle,
-+			    &sc->ctx_handle,
- 			    desired_object,
- 			    value);
- 	return (ret);
-@@ -2377,8 +2453,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status,
- 		     gss_buffer_t output_message_buffer)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_wrap_aead(minor_status,
--			    context_handle,
-+			    sc->ctx_handle,
- 			    conf_req_flag,
- 			    qop_req,
- 			    input_assoc_buffer,
-@@ -2399,8 +2480,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status,
- 		       gss_qop_t *qop_state)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_unwrap_aead(minor_status,
--			      context_handle,
-+			      sc->ctx_handle,
- 			      input_message_buffer,
- 			      input_assoc_buffer,
- 			      output_payload_buffer,
-@@ -2419,8 +2505,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status,
- 		    int iov_count)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_wrap_iov(minor_status,
--			   context_handle,
-+			   sc->ctx_handle,
- 			   conf_req_flag,
- 			   qop_req,
- 			   conf_state,
-@@ -2438,8 +2529,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status,
- 		      int iov_count)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_unwrap_iov(minor_status,
--			     context_handle,
-+			     sc->ctx_handle,
- 			     conf_state,
- 			     qop_state,
- 			     iov,
-@@ -2457,8 +2553,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
- 			   int iov_count)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_wrap_iov_length(minor_status,
--				  context_handle,
-+				  sc->ctx_handle,
- 				  conf_req_flag,
- 				  qop_req,
- 				  conf_state,
-@@ -2475,8 +2576,13 @@ spnego_gss_complete_auth_token(
- 		gss_buffer_t input_message_buffer)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_UNAVAILABLE);
-+
- 	ret = gss_complete_auth_token(minor_status,
--				      context_handle,
-+				      sc->ctx_handle,
- 				      input_message_buffer);
- 	return (ret);
- }
-@@ -2721,8 +2827,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status,
- 			 gss_buffer_t prf_out)
- {
- 	OM_uint32 ret;
-+	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context;
-+
-+	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+		return (GSS_S_NO_CONTEXT);
-+
- 	ret = gss_pseudo_random(minor_status,
--				context,
-+				sc->ctx_handle,
- 				prf_key,
- 				prf_in,
- 				desired_output_len,
-@@ -2863,7 +2974,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
- 		       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
- 		       int iov_count)
- {
--    return gss_get_mic_iov(minor_status, context_handle, qop_req, iov,
-+    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+	    return (GSS_S_NO_CONTEXT);
-+
-+    return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov,
- 			   iov_count);
- }
- 
-@@ -2872,7 +2988,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
- 			  gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
- 			  int iov_count)
- {
--    return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov,
-+    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+	    return (GSS_S_NO_CONTEXT);
-+
-+    return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov,
- 			      iov_count);
- }
- 
-@@ -2881,7 +3002,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status,
- 			      gss_ctx_id_t context_handle, gss_qop_t qop_req,
- 			      gss_iov_buffer_desc *iov, int iov_count)
- {
--    return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov,
-+    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
-+
-+    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
-+	    return (GSS_S_NO_CONTEXT);
-+
-+    return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov,
- 				  iov_count);
- }
- 

diff --git a/app-crypt/mit-krb5/files/CVE-2015-2696.patch b/app-crypt/mit-krb5/files/CVE-2015-2696.patch
deleted file mode 100644
index c1f50a5..0000000
--- a/app-crypt/mit-krb5/files/CVE-2015-2696.patch
+++ /dev/null
@@ -1,731 +0,0 @@
-From e04f0283516e80d2f93366e0d479d13c9b5c8c2a Mon Sep 17 00:00:00 2001
-From: Nicolas Williams <nico@twosigma.com>
-Date: Mon, 14 Sep 2015 12:28:36 -0400
-Subject: [PATCH] Fix IAKERB context aliasing bugs [CVE-2015-2696]
-
-The IAKERB mechanism currently replaces its context handle with the
-krb5 mechanism handle upon establishment, under the assumption that
-most GSS functions are only called after context establishment.  This
-assumption is incorrect, and can lead to aliasing violations for some
-programs.  Maintain the IAKERB context structure after context
-establishment and add new IAKERB entry points to refer to it with that
-type.  Add initiate and established flags to the IAKERB context
-structure for use in gss_inquire_context() prior to context
-establishment.
-
-CVE-2015-2696:
-
-In MIT krb5 1.9 and later, applications which call
-gss_inquire_context() on a partially-established IAKERB context can
-cause the GSS-API library to read from a pointer using the wrong type,
-generally causing a process crash.  Java server applications using the
-native JGSS provider are vulnerable to this bug.  A carefully crafted
-IAKERB packet might allow the gss_inquire_context() call to succeed
-with attacker-determined results, but applications should not make
-access control decisions based on gss_inquire_context() results prior
-to context establishment.
-
-    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-[ghudson@mit.edu: several bugfixes, style changes, and edge-case
-behavior changes; commit message and CVE description]
-
-ticket: 8244
-target_version: 1.14
-tags: pullup
----
- src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
- src/lib/gssapi/krb5/gssapi_krb5.c  | 105 +++++++++--
- src/lib/gssapi/krb5/iakerb.c       | 351 +++++++++++++++++++++++++++++++++----
- 3 files changed, 529 insertions(+), 41 deletions(-)
-
-diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
-index 9aae12a..97e090d 100644
---- a/src/lib/gssapi/krb5/gssapiP_krb5.h
-+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
-@@ -621,6 +621,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
- );
- #endif /* LEAN_CLIENT */
- 
-+OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
-+(OM_uint32*,       /* minor_status */
-+ const gss_ctx_id_t,
-+ /* context_handle */
-+ const gss_OID,    /* desired_object */
-+ gss_buffer_set_t* /* data_set */
-+);
-+
-+OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
-+(OM_uint32*,       /* minor_status */
-+ gss_ctx_id_t*,    /* context_handle */
-+ const gss_OID,    /* desired_object */
-+ const gss_buffer_t/* value */
-+);
-+
- OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
- (OM_uint32*,       /* minor_status */
-  gss_ctx_id_t,     /* context_handle */
-@@ -1302,6 +1317,105 @@ OM_uint32 KRB5_CALLCONV
- krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
-                      gss_cred_id_t *cred_handle);
- 
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_process_context_token(OM_uint32 *minor_status,
-+                                 const gss_ctx_id_t context_handle,
-+                                 const gss_buffer_t token_buffer);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                        OM_uint32 *time_rec);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_context(OM_uint32 *minor_status,
-+                           gss_ctx_id_t context_handle, gss_name_t *src_name,
-+                           gss_name_t *targ_name, OM_uint32 *lifetime_rec,
-+                           gss_OID *mech_type, OM_uint32 *ctx_flags,
-+                           int *locally_initiated, int *opened);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                   gss_qop_t qop_req, gss_buffer_t message_buffer,
-+                   gss_buffer_t message_token);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
-+                       int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
-+                              gss_ctx_id_t context_handle, gss_qop_t qop_req,
-+                              gss_iov_buffer_desc *iov, int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                      gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
-+                      gss_qop_t *qop_state);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                          gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
-+                          int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                int conf_req_flag, gss_qop_t qop_req,
-+                gss_buffer_t input_message_buffer, int *conf_state,
-+                gss_buffer_t output_message_buffer);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                    int conf_req_flag, gss_qop_t qop_req, int *conf_state,
-+                    gss_iov_buffer_desc *iov, int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
-+                           gss_ctx_id_t context_handle, int conf_req_flag,
-+                           gss_qop_t qop_req, int *conf_state,
-+                           gss_iov_buffer_desc *iov, int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                  gss_buffer_t input_message_buffer,
-+                  gss_buffer_t output_message_buffer, int *conf_state,
-+                  gss_qop_t *qop_state);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                      int *conf_state, gss_qop_t *qop_state,
-+                      gss_iov_buffer_desc *iov, int iov_count);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
-+                           gss_ctx_id_t context_handle, int conf_req_flag,
-+                           gss_qop_t qop_req, OM_uint32 req_output_size,
-+                           OM_uint32 *max_input_size);
-+
-+#ifndef LEAN_CLIENT
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
-+                              gss_ctx_id_t *context_handle,
-+                              gss_buffer_t interprocess_token);
-+#endif /* LEAN_CLIENT */
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
-+                                      const gss_ctx_id_t context_handle,
-+                                      const gss_OID desired_object,
-+                                      gss_buffer_set_t *data_set);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
-+                                  gss_ctx_id_t *context_handle,
-+                                  const gss_OID desired_object,
-+                                  const gss_buffer_t value);
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                         int prf_key, const gss_buffer_t prf_in,
-+                         ssize_t desired_output_len, gss_buffer_t prf_out);
-+
- /* Magic string to identify exported krb5 GSS credentials.  Increment this if
-  * the format changes. */
- #define CRED_EXPORT_MAGIC "K5C1"
-diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
-index 0be92e4..c4dfdd6 100644
---- a/src/lib/gssapi/krb5/gssapi_krb5.c
-+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
-@@ -351,7 +351,7 @@ static struct {
-     }
- };
- 
--static OM_uint32 KRB5_CALLCONV
-+OM_uint32 KRB5_CALLCONV
- krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
-                                      const gss_ctx_id_t context_handle,
-                                      const gss_OID desired_object,
-@@ -465,7 +465,7 @@ static struct {
- };
- #endif
- 
--static OM_uint32 KRB5_CALLCONV
-+OM_uint32 KRB5_CALLCONV
- krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
-                                  gss_ctx_id_t *context_handle,
-                                  const gss_OID desired_object,
-@@ -929,20 +929,103 @@ static struct gss_config krb5_mechanism = {
-     krb5_gss_get_mic_iov_length,
- };
- 
-+/* Functions which use security contexts or acquire creds are IAKERB-specific;
-+ * other functions can borrow from the krb5 mech. */
-+static struct gss_config iakerb_mechanism = {
-+    { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
-+    NULL,
-+    iakerb_gss_acquire_cred,
-+    krb5_gss_release_cred,
-+    iakerb_gss_init_sec_context,
-+#ifdef LEAN_CLIENT
-+    NULL,
-+#else
-+    iakerb_gss_accept_sec_context,
-+#endif
-+    iakerb_gss_process_context_token,
-+    iakerb_gss_delete_sec_context,
-+    iakerb_gss_context_time,
-+    iakerb_gss_get_mic,
-+    iakerb_gss_verify_mic,
-+#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
-+    NULL,
-+#else
-+    iakerb_gss_wrap,
-+#endif
-+#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
-+    NULL,
-+#else
-+    iakerb_gss_unwrap,
-+#endif
-+    krb5_gss_display_status,
-+    krb5_gss_indicate_mechs,
-+    krb5_gss_compare_name,
-+    krb5_gss_display_name,
-+    krb5_gss_import_name,
-+    krb5_gss_release_name,
-+    krb5_gss_inquire_cred,
-+    NULL,                /* add_cred */
-+#ifdef LEAN_CLIENT
-+    NULL,
-+    NULL,
-+#else
-+    iakerb_gss_export_sec_context,
-+    NULL,
-+#endif
-+    krb5_gss_inquire_cred_by_mech,
-+    krb5_gss_inquire_names_for_mech,
-+    iakerb_gss_inquire_context,
-+    krb5_gss_internal_release_oid,
-+    iakerb_gss_wrap_size_limit,
-+    krb5_gss_localname,
-+    krb5_gss_authorize_localname,
-+    krb5_gss_export_name,
-+    krb5_gss_duplicate_name,
-+    krb5_gss_store_cred,
-+    iakerb_gss_inquire_sec_context_by_oid,
-+    krb5_gss_inquire_cred_by_oid,
-+    iakerb_gss_set_sec_context_option,
-+    krb5_gssspi_set_cred_option,
-+    krb5_gssspi_mech_invoke,
-+    NULL,                /* wrap_aead */
-+    NULL,                /* unwrap_aead */
-+    iakerb_gss_wrap_iov,
-+    iakerb_gss_unwrap_iov,
-+    iakerb_gss_wrap_iov_length,
-+    NULL,               /* complete_auth_token */
-+    NULL,               /* acquire_cred_impersonate_name */
-+    NULL,               /* add_cred_impersonate_name */
-+    NULL,               /* display_name_ext */
-+    krb5_gss_inquire_name,
-+    krb5_gss_get_name_attribute,
-+    krb5_gss_set_name_attribute,
-+    krb5_gss_delete_name_attribute,
-+    krb5_gss_export_name_composite,
-+    krb5_gss_map_name_to_any,
-+    krb5_gss_release_any_name_mapping,
-+    iakerb_gss_pseudo_random,
-+    NULL,               /* set_neg_mechs */
-+    krb5_gss_inquire_saslname_for_mech,
-+    krb5_gss_inquire_mech_for_saslname,
-+    krb5_gss_inquire_attrs_for_mech,
-+    krb5_gss_acquire_cred_from,
-+    krb5_gss_store_cred_into,
-+    iakerb_gss_acquire_cred_with_password,
-+    krb5_gss_export_cred,
-+    krb5_gss_import_cred,
-+    NULL,               /* import_sec_context_by_mech */
-+    NULL,               /* import_name_by_mech */
-+    NULL,               /* import_cred_by_mech */
-+    iakerb_gss_get_mic_iov,
-+    iakerb_gss_verify_mic_iov,
-+    iakerb_gss_get_mic_iov_length,
-+};
-+
- #ifdef _GSS_STATIC_LINK
- #include "mglueP.h"
- static int gss_iakerbmechglue_init(void)
- {
-     struct gss_mech_config mech_iakerb;
--    struct gss_config iakerb_mechanism = krb5_mechanism;
--
--    /* IAKERB mechanism mirrors krb5, but with different context SPIs */
--    iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
--    iakerb_mechanism.gss_init_sec_context   = iakerb_gss_init_sec_context;
--    iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
--    iakerb_mechanism.gss_acquire_cred       = iakerb_gss_acquire_cred;
--    iakerb_mechanism.gssspi_acquire_cred_with_password
--                                    = iakerb_gss_acquire_cred_with_password;
- 
-     memset(&mech_iakerb, 0, sizeof(mech_iakerb));
-     mech_iakerb.mech = &iakerb_mechanism;
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index f30de32..4662bd9 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec {
-     gss_ctx_id_t gssc;
-     krb5_data conv;                     /* conversation for checksumming */
-     unsigned int count;                 /* number of round trips */
-+    int initiate;
-+    int established;
-     krb5_get_init_creds_opt *gic_opts;
- };
- 
-@@ -695,7 +697,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
-  * Allocate and initialise an IAKERB context
-  */
- static krb5_error_code
--iakerb_alloc_context(iakerb_ctx_id_t *pctx)
-+iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
- {
-     iakerb_ctx_id_t ctx;
-     krb5_error_code code;
-@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
-     ctx->magic = KG_IAKERB_CONTEXT;
-     ctx->state = IAKERB_AS_REQ;
-     ctx->count = 0;
-+    ctx->initiate = initiate;
-+    ctx->established = 0;
- 
-     code = krb5_gss_init_context(&ctx->k5c);
-     if (code != 0)
-@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
-                               gss_ctx_id_t *context_handle,
-                               gss_buffer_t output_token)
- {
--    OM_uint32 major_status = GSS_S_COMPLETE;
-+    iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
- 
-     if (output_token != GSS_C_NO_BUFFER) {
-         output_token->length = 0;
-@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
-     }
- 
-     *minor_status = 0;
-+    *context_handle = GSS_C_NO_CONTEXT;
-+    iakerb_release_context(iakerb_ctx);
- 
--    if (*context_handle != GSS_C_NO_CONTEXT) {
--        iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
--
--        if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) {
--            iakerb_release_context(iakerb_ctx);
--            *context_handle = GSS_C_NO_CONTEXT;
--        } else {
--            assert(iakerb_ctx->magic == KG_CONTEXT);
--
--            major_status = krb5_gss_delete_sec_context(minor_status,
--                                                       context_handle,
--                                                       output_token);
--        }
--    }
--
--    return major_status;
-+    return GSS_S_COMPLETE;
- }
- 
- static krb5_boolean
-@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
-     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
- 
-     if (initialContextToken) {
--        code = iakerb_alloc_context(&ctx);
-+        code = iakerb_alloc_context(&ctx, 0);
-         if (code != 0)
-             goto cleanup;
- 
-@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
-                                                        time_rec,
-                                                        delegated_cred_handle,
-                                                        &exts);
--        if (major_status == GSS_S_COMPLETE) {
--            *context_handle = ctx->gssc;
--            ctx->gssc = NULL;
--            iakerb_release_context(ctx);
--        }
-+        if (major_status == GSS_S_COMPLETE)
-+            ctx->established = 1;
-         if (mech_type != NULL)
-             *mech_type = (gss_OID)gss_mech_krb5;
-     }
-@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
-     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
- 
-     if (initialContextToken) {
--        code = iakerb_alloc_context(&ctx);
-+        code = iakerb_alloc_context(&ctx, 1);
-         if (code != 0) {
-             *minor_status = code;
-             goto cleanup;
-@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
-                                                      ret_flags,
-                                                      time_rec,
-                                                      &exts);
--        if (major_status == GSS_S_COMPLETE) {
--            *context_handle = ctx->gssc;
--            ctx->gssc = GSS_C_NO_CONTEXT;
--            iakerb_release_context(ctx);
--        }
-+        if (major_status == GSS_S_COMPLETE)
-+            ctx->established = 1;
-         if (actual_mech_type != NULL)
-             *actual_mech_type = (gss_OID)gss_mech_krb5;
-     } else {
-@@ -1010,3 +995,309 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
- 
-     return major_status;
- }
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                  gss_buffer_t input_message_buffer,
-+                  gss_buffer_t output_message_buffer, int *conf_state,
-+                  gss_qop_t *qop_state)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
-+                           output_message_buffer, conf_state, qop_state);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                int conf_req_flag, gss_qop_t qop_req,
-+                gss_buffer_t input_message_buffer, int *conf_state,
-+                gss_buffer_t output_message_buffer)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
-+                         input_message_buffer, conf_state,
-+                         output_message_buffer);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_process_context_token(OM_uint32 *minor_status,
-+                                 const gss_ctx_id_t context_handle,
-+                                 const gss_buffer_t token_buffer)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_DEFECTIVE_TOKEN;
-+
-+    return krb5_gss_process_context_token(minor_status, ctx->gssc,
-+                                          token_buffer);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                        OM_uint32 *time_rec)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
-+}
-+
-+#ifndef LEAN_CLIENT
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_export_sec_context(OM_uint32 *minor_status,
-+                              gss_ctx_id_t *context_handle,
-+                              gss_buffer_t interprocess_token)
-+{
-+    OM_uint32 maj;
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    /* We don't currently support exporting partially established contexts. */
-+    if (!ctx->established)
-+        return GSS_S_UNAVAILABLE;
-+
-+    maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
-+                                      interprocess_token);
-+    if (ctx->gssc == GSS_C_NO_CONTEXT) {
-+        iakerb_release_context(ctx);
-+        *context_handle = GSS_C_NO_CONTEXT;
-+    }
-+    return maj;
-+}
-+
-+/*
-+ * Until we implement partial context exports, there are no SPNEGO exported
-+ * context tokens, only tokens for the underlying krb5 context.  So we do not
-+ * need to implement an iakerb_gss_import_sec_context() yet; it would be
-+ * unreachable except via a manually constructed token.
-+ */
-+
-+#endif /* LEAN_CLIENT */
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_context(OM_uint32 *minor_status,
-+                           gss_ctx_id_t context_handle, gss_name_t *src_name,
-+                           gss_name_t *targ_name, OM_uint32 *lifetime_rec,
-+                           gss_OID *mech_type, OM_uint32 *ctx_flags,
-+                           int *initiate, int *opened)
-+{
-+    OM_uint32 ret;
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (src_name != NULL)
-+        *src_name = GSS_C_NO_NAME;
-+    if (targ_name != NULL)
-+        *targ_name = GSS_C_NO_NAME;
-+    if (lifetime_rec != NULL)
-+        *lifetime_rec = 0;
-+    if (mech_type != NULL)
-+        *mech_type = (gss_OID)gss_mech_iakerb;
-+    if (ctx_flags != NULL)
-+        *ctx_flags = 0;
-+    if (initiate != NULL)
-+        *initiate = ctx->initiate;
-+    if (opened != NULL)
-+        *opened = ctx->established;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_COMPLETE;
-+
-+    ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
-+                                   targ_name, lifetime_rec, mech_type,
-+                                   ctx_flags, initiate, opened);
-+
-+    if (!ctx->established) {
-+        /* Report IAKERB as the mech OID until the context is established. */
-+        if (mech_type != NULL)
-+            *mech_type = (gss_OID)gss_mech_iakerb;
-+
-+        /* We don't support exporting partially-established contexts. */
-+        if (ctx_flags != NULL)
-+            *ctx_flags &= ~GSS_C_TRANS_FLAG;
-+    }
-+
-+    return ret;
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
-+                           gss_ctx_id_t context_handle, int conf_req_flag,
-+                           gss_qop_t qop_req, OM_uint32 req_output_size,
-+                           OM_uint32 *max_input_size)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
-+                                    qop_req, req_output_size, max_input_size);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                   gss_qop_t qop_req, gss_buffer_t message_buffer,
-+                   gss_buffer_t message_token)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
-+                            message_token);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                      gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
-+                      gss_qop_t *qop_state)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
-+                               token_buffer, qop_state);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
-+                                      const gss_ctx_id_t context_handle,
-+                                      const gss_OID desired_object,
-+                                      gss_buffer_set_t *data_set)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_UNAVAILABLE;
-+
-+    return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
-+                                               desired_object, data_set);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
-+                                  gss_ctx_id_t *context_handle,
-+                                  const gss_OID desired_object,
-+                                  const gss_buffer_t value)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
-+
-+    if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_UNAVAILABLE;
-+
-+    return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
-+                                           desired_object, value);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                    int conf_req_flag, gss_qop_t qop_req, int *conf_state,
-+                    gss_iov_buffer_desc *iov, int iov_count)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
-+                             conf_state, iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                      int *conf_state, gss_qop_t *qop_state,
-+                      gss_iov_buffer_desc *iov, int iov_count)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
-+                               iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
-+                           gss_ctx_id_t context_handle, int conf_req_flag,
-+                           gss_qop_t qop_req, int *conf_state,
-+                           gss_iov_buffer_desc *iov, int iov_count)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
-+                                    qop_req, conf_state, iov, iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                         int prf_key, const gss_buffer_t prf_in,
-+                         ssize_t desired_output_len, gss_buffer_t prf_out)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
-+                                  desired_output_len, prf_out);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
-+                       int iov_count)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
-+                                iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
-+                          gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
-+                          int iov_count)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
-+                                   iov_count);
-+}
-+
-+OM_uint32 KRB5_CALLCONV
-+iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
-+                              gss_ctx_id_t context_handle, gss_qop_t qop_req,
-+                              gss_iov_buffer_desc *iov, int iov_count)
-+{
-+    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
-+
-+    if (ctx->gssc == GSS_C_NO_CONTEXT)
-+        return GSS_S_NO_CONTEXT;
-+
-+    return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
-+                                       iov_count);
-+}

diff --git a/app-crypt/mit-krb5/files/CVE-2015-2697.patch b/app-crypt/mit-krb5/files/CVE-2015-2697.patch
deleted file mode 100644
index af2f42a..0000000
--- a/app-crypt/mit-krb5/files/CVE-2015-2697.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From f0c094a1b745d91ef2f9a4eae2149aac026a5789 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 25 Sep 2015 12:51:47 -0400
-Subject: [PATCH] Fix build_principal memory bug [CVE-2015-2697]
-
-In build_principal_va(), use k5memdup0() instead of strdup() to make a
-copy of the realm, to ensure that we allocate the correct number of
-bytes and do not read past the end of the input string.  This bug
-affects krb5_build_principal(), krb5_build_principal_va(), and
-krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
-affected.
-
-CVE-2015-2697:
-
-In MIT krb5 1.7 and later, an authenticated attacker may be able to
-cause a KDC to crash using a TGS request with a large realm field
-beginning with a null byte.  If the KDC attempts to find a referral to
-answer the request, it constructs a principal name for lookup using
-krb5_build_principal() with the requested realm.  Due to a bug in this
-function, the null byte causes only one byte be allocated for the
-realm field of the constructed principal, far less than its length.
-Subsequent operations on the lookup principal may cause a read beyond
-the end of the mapped memory region, causing the KDC process to crash.
-
-CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-ticket: 8252 (new)
-target_version: 1.14
-tags: pullup
----
- src/lib/krb5/krb/bld_princ.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
-index ab6fed8..8604268 100644
---- a/src/lib/krb5/krb/bld_princ.c
-+++ b/src/lib/krb5/krb/bld_princ.c
-@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
-     data = malloc(size * sizeof(krb5_data));
-     if (!data) { retval = ENOMEM; }
- 
--    if (!retval) {
--        r = strdup(realm);
--        if (!r) { retval = ENOMEM; }
--    }
-+    if (!retval)
-+        r = k5memdup0(realm, rlen, &retval);
- 
-     while (!retval && (component = va_arg(ap, char *))) {
-         if (count == size) {

diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r1 b/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r1
deleted file mode 100644
index 7b28fb2..0000000
--- a/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r1
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/sbin/runscript
-
-#---------------------------------------------------------------------------
-# This script starts/stops the MIT Kerberos 5 Admin daemon
-#---------------------------------------------------------------------------
-
-daemon="MIT Kerberos 5 Admin daemon"
-exec="/usr/sbin/kadmind"
-
-depend() {
-	need mit-krb5kdc
-	use net
-}
-
-start() {
-	ebegin "Starting $daemon"
-	start-stop-daemon --start --quiet --exec ${exec} 1>&2
-	eend $? "Error starting $daemon"
-}
-
-stop() {
-	ebegin "Stopping $daemon"
-	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
-	eend $? "Error stopping $daemon"
-}

diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r1 b/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r1
deleted file mode 100644
index 94f1f79..0000000
--- a/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r1
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-
-#---------------------------------------------------------------------------
-# This script starts/stops the MIT Kerberos 5 KDC
-#---------------------------------------------------------------------------
-
-daemon="MIT Kerberos 5 KDC"
-exec="/usr/sbin/krb5kdc"
-
-depend() {
-	use net
-}
-
-start() {
-	ebegin "Starting $daemon"
-	start-stop-daemon --start --quiet --exec ${exec} 1>&2
-	eend $? "Error starting $daemon"
-}
-
-stop() {
-	ebegin "Stopping $daemon"
-	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
-	eend $? "Error stopping $daemon"
-}

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r1 b/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r1
deleted file mode 100644
index d800d66..0000000
--- a/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r1
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-
-#---------------------------------------------------------------------------
-# This script starts/stops the MIT Kerberos 5 kpropd
-#---------------------------------------------------------------------------
-
-daemon="MIT Kerberos 5 kpropd"
-exec="/usr/sbin/kpropd"
-
-depend() {
-	use net mit-krb5kdc mit-krb5kadmind
-}
-
-start() {
-	ebegin "Starting $daemon"
-	start-stop-daemon --start --quiet --exec ${exec} -- -S 1>&2
-	eend $? "Error starting $daemon"
-}
-
-stop() {
-	ebegin "Stopping $daemon"
-	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
-	eend $? "Error stopping $daemon"
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
deleted file mode 100644
index 0fb1f89..0000000
--- a/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
+++ /dev/null
@@ -1,160 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-PYTHON_COMPAT=( python2_7 )
-
-inherit autotools eutils flag-o-matic multilib-minimal python-any-r1 versionator
-
-MY_P="${P/mit-}"
-P_DIR=$(get_version_component_range 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="http://web.mit.edu/kerberos/www/"
-SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
-IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_unpack() {
-	unpack ${A}
-	unpack ./"${MY_P}".tar.gz
-}
-
-src_prepare() {
-	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	epatch "${FILESDIR}/CVE-2015-2695.patch" \
-		"${FILESDIR}/CVE-2015-2696.patch" \
-		"${FILESDIR}/CVE-2015-2697.patch"
-
-	eautoreconf
-}
-
-src_configure() {
-	append-cppflags "-I${EPREFIX}/usr/include/et"
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dohtml -r doc/html/*
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}
-
-pkg_preinst() {
-	if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
-		elog "MIT split the Kerberos applications from the base Kerberos"
-		elog "distribution.  Kerberized versions of telnet, rlogin, rsh, rcp,"
-		elog "ftp clients and telnet, ftp deamons now live in"
-		elog "\"app-crypt/mit-krb5-appl\" package."
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.13.2-r3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.13.2-r3.ebuild
deleted file mode 100644
index 76dfaeb..0000000
--- a/app-crypt/mit-krb5/mit-krb5-1.13.2-r3.ebuild
+++ /dev/null
@@ -1,160 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-PYTHON_COMPAT=( python2_7 )
-
-inherit autotools eutils flag-o-matic multilib-minimal python-any-r1 versionator
-
-MY_P="${P/mit-}"
-P_DIR=$(get_version_component_range 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="http://web.mit.edu/kerberos/www/"
-SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_unpack() {
-	unpack ${A}
-	unpack ./"${MY_P}".tar.gz
-}
-
-src_prepare() {
-	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	epatch "${FILESDIR}/CVE-2015-2695.patch" \
-		"${FILESDIR}/CVE-2015-2696.patch" \
-		"${FILESDIR}/CVE-2015-2697.patch"
-
-	eautoreconf
-}
-
-src_configure() {
-	append-cppflags "-I${EPREFIX}/usr/include/et"
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dohtml -r doc/html/*
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}
-
-pkg_preinst() {
-	if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
-		elog "MIT split the Kerberos applications from the base Kerberos"
-		elog "distribution.  Kerberized versions of telnet, rlogin, rsh, rcp,"
-		elog "ftp clients and telnet, ftp deamons now live in"
-		elog "\"app-crypt/mit-krb5-appl\" package."
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.ebuild
deleted file mode 100644
index c073adb..0000000
--- a/app-crypt/mit-krb5/mit-krb5-1.14.ebuild
+++ /dev/null
@@ -1,151 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-PYTHON_COMPAT=( python2_7 )
-inherit autotools eutils flag-o-matic multilib-minimal python-any-r1 versionator
-
-MY_P="${P/mit-}"
-P_DIR=$(get_version_component_range 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="http://web.mit.edu/kerberos/www/"
-SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-
-	eautoreconf
-}
-
-src_configure() {
-	append-cppflags "-I${EPREFIX}/usr/include/et"
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dohtml -r doc/html/*
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}
-
-pkg_preinst() {
-	if has_version "<${CATEGORY}/${PN}-1.8.0" ; then
-		elog "MIT split the Kerberos applications from the base Kerberos"
-		elog "distribution.  Kerberized versions of telnet, rlogin, rsh, rcp,"
-		elog "ftp clients and telnet, ftp deamons now live in"
-		elog "\"app-crypt/mit-krb5-appl\" package."
-	fi
-}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2017-12-05 10:00 Eray Aslan
  0 siblings, 0 replies; 14+ messages in thread
From: Eray Aslan @ 2017-12-05 10:00 UTC (permalink / raw
  To: gentoo-commits

commit:     e6232da235fc02eabf2dc7ee0790a51f5e811e0d
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Tue Dec  5 10:00:13 2017 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Tue Dec  5 10:00:13 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6232da2

app-crypt/mit-krb5: security bump to 1.15.2-r1.  Bug 639702

Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../files/mit-krb5-1.15.2-fix-pkinit.patch         |  98 ++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild       | 149 +++++++++++++++++++++
 2 files changed, 247 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
new file mode 100644
index 00000000000..4f721d4d961
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
@@ -0,0 +1,98 @@
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 74fffbf321..4b86a6f302 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -5145,33 +5145,29 @@ crypto_retieve_X509_key_usage(krb5_context context,
+     return retval;
+ }
+ 
+-/*
+- * Return a string format of an X509_NAME in buf where
+- * size is an in/out parameter.  On input it is the size
+- * of the buffer, and on output it is the actual length
+- * of the name.
+- * If buf is NULL, returns the length req'd to hold name
+- */
+-static char *
+-X509_NAME_oneline_ex(X509_NAME * a,
+-                     char *buf,
+-                     unsigned int *size,
+-                     unsigned long flag)
++static krb5_error_code
++rfc2253_name(X509_NAME *name, char **str_out)
+ {
+-    BIO *out = NULL;
++    BIO *b = NULL;
++    char *str;
+ 
+-    out = BIO_new(BIO_s_mem ());
+-    if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
+-        if (buf != NULL && (*size) >  (unsigned int) BIO_number_written(out)) {
+-            memset(buf, 0, *size);
+-            BIO_read(out, buf, (int) BIO_number_written(out));
+-        }
+-        else {
+-            *size = BIO_number_written(out);
+-        }
+-    }
+-    BIO_free(out);
+-    return (buf);
++    *str_out = NULL;
++    b = BIO_new(BIO_s_mem());
++    if (b == NULL)
++        return ENOMEM;
++    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
++        goto error;
++    str = calloc(BIO_number_written(b) + 1, 1);
++    if (str == NULL)
++        goto error;
++    BIO_read(b, str, BIO_number_written(b));
++    BIO_free(b);
++    *str_out = str;
++    return 0;
++
++error:
++    BIO_free(b);
++    return ENOMEM;
+ }
+ 
+ /*
+@@ -5187,8 +5183,6 @@ crypto_cert_get_matching_data(krb5_context context,
+     krb5_principal *pkinit_sans =NULL, *upn_sans = NULL;
+     struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch;
+     unsigned int i, j;
+-    char buf[DN_BUF_LEN];
+-    unsigned int bufsize = sizeof(buf);
+ 
+     if (cd == NULL || cd->magic != CERT_MAGIC)
+         return EINVAL;
+@@ -5201,23 +5195,14 @@ crypto_cert_get_matching_data(krb5_context context,
+ 
+     md->ch = ch;
+ 
+-    /* get the subject name (in rfc2253 format) */
+-    X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert),
+-                         buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
+-    md->subject_dn = strdup(buf);
+-    if (md->subject_dn == NULL) {
+-        retval = ENOMEM;
++    retval = rfc2253_name(X509_get_subject_name(cd->cred->cert),
++                          &md->subject_dn);
++    if (retval)
+         goto cleanup;
+-    }
+-
+-    /* get the issuer name (in rfc2253 format) */
+-    X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert),
+-                         buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
+-    md->issuer_dn = strdup(buf);
+-    if (md->issuer_dn == NULL) {
+-        retval = ENOMEM;
++    retval = rfc2253_name(X509_get_issuer_name(cd->cred->cert),
++                          &md->issuer_dn);
++    if (retval)
+         goto cleanup;
+-    }
+ 
+     /* get the san data */
+     retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx,

diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild
new file mode 100644
index 00000000000..1f9cfda9466
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild
@@ -0,0 +1,149 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+CDEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+	)"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	eapply -p0 "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
+	eapply "${FILESDIR}/${PN}-1.14.4-disable-nls.patch"
+	eapply -p2 "${FILESDIR}/${PN}-1.15.2-fix-pkinit.patch"
+
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+	eapply_user
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2018-01-26 21:07 Thomas Deutschmann
  0 siblings, 0 replies; 14+ messages in thread
From: Thomas Deutschmann @ 2018-01-26 21:07 UTC (permalink / raw
  To: gentoo-commits

commit:     f4a050c738af81bb82e7b640667f08e3199c5ca1
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Jan 26 21:07:00 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Jan 26 21:07:29 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a050c7

app-crypt/mit-krb5: bump, fixes CVE-2017-7562

Ebuild changes:
===============
- Dropped the following upstreamed patches which are now included in v1.16:

  - mit-krb5-1.14.2-redeclared-ttyname.patch
  - mit-krb5-1.14.4-disable-nls.patch
  - mit-krb5-1.15.2-fix-pkinit.patch

- We are now installing systemd services. [Bug 524412]

- Tests are now restricted because they are requiring network access.

Closes: https://bugs.gentoo.org/524412
Bug: https://bugs.gentoo.org/628936
Package-Manager: Portage-2.3.20, Repoman-2.3.6

 app-crypt/mit-krb5/Manifest                        |   1 +
 app-crypt/mit-krb5/files/mit-krb5kadmind.service   |   8 ++
 app-crypt/mit-krb5/files/mit-krb5kdc.service       |   9 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd.service    |   8 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd.socket     |   9 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd_at.service |   8 ++
 app-crypt/mit-krb5/mit-krb5-1.16.ebuild            | 155 +++++++++++++++++++++
 7 files changed, 198 insertions(+)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 58df981b5a6..ef54ec04904 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1 +1,2 @@
 DIST krb5-1.15.2.tar.gz 9380755 BLAKE2B 3f5d00a70bf44ef077872bde282e4753e82acb70632e136b8f9f8d3a192e3e7b692840803e5a3f67ddb202d53631767ea9eb8b7615d45a3479389a01a6390ac4 SHA512 e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2
+DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9

diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.service b/app-crypt/mit-krb5/files/mit-krb5kadmind.service
new file mode 100644
index 00000000000..f3836c89862
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 administration server
+
+[Service]
+ExecStart=/usr/sbin/kadmind -nofork
+
+[Install]
+WantedBy=multi-user.target

diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.service b/app-crypt/mit-krb5/files/mit-krb5kdc.service
new file mode 100644
index 00000000000..6ec93bb7232
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kdc.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 KDC
+
+[Service]
+ExecStart=/usr/sbin/krb5kdc -n
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.service b/app-crypt/mit-krb5/files/mit-krb5kpropd.service
new file mode 100644
index 00000000000..a7c5b579d2b
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Service]
+ExecStart=/usr/sbin/kpropd -S
+
+[Install]
+WantedBy=multi-user.target

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.socket b/app-crypt/mit-krb5/files/mit-krb5kpropd.socket
new file mode 100644
index 00000000000..4389290c0b1
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Socket]
+ListenStream=754
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service b/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service
new file mode 100644
index 00000000000..f826eb33cb3
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+Conflicts=mit-krb5kpropd.service
+
+[Service]
+ExecStart=/usr/sbin/kpropd
+StandardInput=socket
+StandardError=syslog

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16.ebuild
new file mode 100644
index 00000000000..acd4a3ed3b7
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite require network access
+RESTRICT="test"
+
+CDEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+	)"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+	eapply_user
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2018-04-12 21:26 Aaron Bauman
  0 siblings, 0 replies; 14+ messages in thread
From: Aaron Bauman @ 2018-04-12 21:26 UTC (permalink / raw
  To: gentoo-commits

commit:     e9f7afb1b75a3e78f0f3e468d3164f0eaf06eb10
Author:     Aaron Bauman <bman <AT> gentoo <DOT> org>
AuthorDate: Thu Apr 12 21:26:27 2018 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Thu Apr 12 21:26:45 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9f7afb1

app-crypt/mit-krb5: properly detect LibreSSL version

Closes: https://bugs.gentoo.org/610854
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 .../files/mit-krb5-libressl-version-check.patch    |  31 ++++
 app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild         | 156 +++++++++++++++++++++
 2 files changed, 187 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
new file mode 100644
index 00000000000..5c979cfd1ef
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
@@ -0,0 +1,31 @@
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -191,7 +191,7 @@ pkinit_pkcs11_code_to_text(int err);
+     (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /* 1.1 standardizes constructor and destructor names, renaming
+  * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
+@@ -3059,7 +3059,7 @@ cleanup:
+     return retval;
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /*
+  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+@@ -46,7 +46,7 @@
+ #include <openssl/asn1.h>
+ #include <openssl/pem.h>
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #include <openssl/asn1t.h>
+ #else
+ #include <openssl/asn1_mac.h>

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild
new file mode 100644
index 00000000000..c1f7a782063
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite require network access
+RESTRICT="test"
+
+CDEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+	)"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
+	
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+	eapply_user
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2018-04-13  7:02 Eray Aslan
  0 siblings, 0 replies; 14+ messages in thread
From: Eray Aslan @ 2018-04-13  7:02 UTC (permalink / raw
  To: gentoo-commits

commit:     95a08abb6dc4b1a0babe590527e19ce7a5c5bd10
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 13 07:01:47 2018 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Fri Apr 13 07:02:17 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95a08abb

app-crypt/mit-krb5: security bump - bug 649610

Also fix gettext dependency
Closes: https://bugs.gentoo.org/652108
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch | 297 ++++++++++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild        | 158 ++++++++++++
 2 files changed, 455 insertions(+)

diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
new file mode 100644
index 00000000000..114cfe688e7
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
@@ -0,0 +1,297 @@
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 2420f2c2be..a59a65e8f6 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
+         return KADM5_BAD_MASK;
+     if((mask & ~ALL_PRINC_MASK))
+         return KADM5_BAD_MASK;
++    if (mask & KADM5_TL_DATA) {
++        for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
++             tl_data_tail = tl_data_tail->tl_data_next) {
++            if (tl_data_tail->tl_data_type < 256)
++                return KADM5_BAD_TL_TYPE;
++        }
++    }
+ 
+     /*
+      * Check to see if the principal exists
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+index 535a1f309e..8b8420faa9 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op);
+ #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
+ #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
+ 
+-#define  KDB_TL_USER_INFO      0x7ffe
++#define  KDB_TL_USER_INFO      0xff
+ 
+ #define KDB_TL_PRINCTYPE          0x01
+ #define KDB_TL_PRINCCOUNT         0x02
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 88a1704950..b7c9212cb2 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
+     return ret;
+ }
+ 
++static krb5_error_code
++check_dn_in_container(krb5_context context, const char *dn,
++                      char *const *subtrees, unsigned int ntrees)
++{
++    unsigned int i;
++    size_t dnlen = strlen(dn), stlen;
++
++    for (i = 0; i < ntrees; i++) {
++        if (subtrees[i] == NULL || *subtrees[i] == '\0')
++            return 0;
++        stlen = strlen(subtrees[i]);
++        if (dnlen >= stlen &&
++            strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 &&
++            (dnlen == stlen || dn[dnlen - stlen - 1] == ','))
++            return 0;
++    }
++
++    k5_setmsg(context, EINVAL, _("DN is out of the realm subtree"));
++    return EINVAL;
++}
++
++static krb5_error_code
++check_dn_exists(krb5_context context,
++                krb5_ldap_server_handle *ldap_server_handle,
++                const char *dn, krb5_boolean nonkrb_only)
++{
++    krb5_error_code st = 0, tempst;
++    krb5_ldap_context *ldap_context = context->dal_handle->db_context;
++    LDAP *ld = ldap_server_handle->ldap_handle;
++    LDAPMessage *result = NULL, *ent;
++    char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL };
++    char **values;
++
++    LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS);
++    if (st != LDAP_SUCCESS)
++        return set_ldap_error(context, st, OP_SEARCH);
++
++    ent = ldap_first_entry(ld, result);
++    CHECK_NULL(ent);
++
++    values = ldap_get_values(ld, ent, "krbticketpolicyreference");
++    if (values != NULL)
++        ldap_value_free(values);
++
++    values = ldap_get_values(ld, ent, "krbprincipalname");
++    if (values != NULL) {
++        ldap_value_free(values);
++        if (nonkrb_only) {
++            st = EINVAL;
++            k5_setmsg(context, st, _("ldap object is already kerberized"));
++            goto cleanup;
++        }
++    }
++
++cleanup:
++    ldap_msgfree(result);
++    return st;
++}
++
++static krb5_error_code
++validate_xargs(krb5_context context,
++               krb5_ldap_server_handle *ldap_server_handle,
++               const xargs_t *xargs, const char *standalone_dn,
++               char *const *subtrees, unsigned int ntrees)
++{
++    krb5_error_code st;
++
++    if (xargs->dn != NULL) {
++        /* The supplied dn must be within a realm container. */
++        st = check_dn_in_container(context, xargs->dn, subtrees, ntrees);
++        if (st)
++            return st;
++        /* The supplied dn must exist without Kerberos attributes. */
++        st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE);
++        if (st)
++            return st;
++    }
++
++    if (xargs->linkdn != NULL) {
++        /* The supplied linkdn must be within a realm container. */
++        st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees);
++        if (st)
++            return st;
++        /* The supplied linkdn must exist. */
++        st = check_dn_exists(context, ldap_server_handle, xargs->linkdn,
++                             FALSE);
++        if (st)
++            return st;
++    }
++
++    if (xargs->containerdn != NULL && standalone_dn != NULL) {
++        /* standalone_dn (likely composed using containerdn) must be within a
++         * container. */
++        st = check_dn_in_container(context, standalone_dn, subtrees, ntrees);
++        if (st)
++            return st;
++    }
++
++    return 0;
++}
++
+ krb5_error_code
+ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+                         char **db_args)
+@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+     LDAPMessage                 *result=NULL, *ent=NULL;
+     char                        **subtreelist = NULL;
+     char                        *user=NULL, *subtree=NULL, *principal_dn=NULL;
+-    char                        **values=NULL, *strval[10]={NULL}, errbuf[1024];
++    char                        *strval[10]={NULL}, errbuf[1024];
+     char                        *filtuser=NULL;
+     struct berval               **bersecretkey=NULL;
+     LDAPMod                     **mods=NULL;
+     krb5_boolean                create_standalone=FALSE;
+-    krb5_boolean                krb_identity_exists=FALSE, establish_links=FALSE;
++    krb5_boolean                establish_links=FALSE;
+     char                        *standalone_principal_dn=NULL;
+     krb5_tl_data                *tl_data=NULL;
+     krb5_key_data               **keys=NULL;
+@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+      * any of the subtrees
+      */
+     if (xargs.dn_from_kbd == TRUE) {
+-        /* make sure the DN falls in the subtree */
+-        int              dnlen=0, subtreelen=0;
+-        char             *dn=NULL;
+-        krb5_boolean     outofsubtree=TRUE;
+-
+-        if (xargs.dn != NULL) {
+-            dn = xargs.dn;
+-        } else if (xargs.linkdn != NULL) {
+-            dn = xargs.linkdn;
+-        } else if (standalone_principal_dn != NULL) {
+-            /*
+-             * Even though the standalone_principal_dn is constructed
+-             * within this function, there is the containerdn input
+-             * from the user that can become part of the it.
+-             */
+-            dn = standalone_principal_dn;
+-        }
+-
+         /* Get the current subtree list if we haven't already done so. */
+         if (subtreelist == NULL) {
+             st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees);
+@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+                 goto cleanup;
+         }
+ 
+-        for (tre=0; tre<ntrees; ++tre) {
+-            if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
+-                outofsubtree = FALSE;
+-                break;
+-            } else {
+-                dnlen = strlen (dn);
+-                subtreelen = strlen(subtreelist[tre]);
+-                if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
+-                    outofsubtree = FALSE;
+-                    break;
+-                }
+-            }
+-        }
+-
+-        if (outofsubtree == TRUE) {
+-            st = EINVAL;
+-            k5_setmsg(context, st, _("DN is out of the realm subtree"));
++        st = validate_xargs(context, ldap_server_handle, &xargs,
++                            standalone_principal_dn, subtreelist, ntrees);
++        if (st)
+             goto cleanup;
+-        }
+-
+-        /*
+-         * dn value will be set either by dn, linkdn or the standalone_principal_dn
+-         * In the first 2 cases, the dn should be existing and in the last case we
+-         * are supposed to create the ldap object. so the below should not be
+-         * executed for the last case.
+-         */
+-
+-        if (standalone_principal_dn == NULL) {
+-            /*
+-             * If the ldap object is missing, this results in an error.
+-             */
+-
+-            /*
+-             * Search for krbprincipalname attribute here.
+-             * This is to find if a kerberos identity is already present
+-             * on the ldap object, in which case adding a kerberos identity
+-             * on the ldap object should result in an error.
+-             */
+-            char  *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
+-
+-            ldap_msgfree(result);
+-            result = NULL;
+-            LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
+-            if (st == LDAP_SUCCESS) {
+-                ent = ldap_first_entry(ld, result);
+-                if (ent != NULL) {
+-                    if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
+-                        ldap_value_free(values);
+-                    }
+-
+-                    if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+-                        krb_identity_exists = TRUE;
+-                        ldap_value_free(values);
+-                    }
+-                }
+-            } else {
+-                st = set_ldap_error(context, st, OP_SEARCH);
+-                goto cleanup;
+-            }
+-        }
+-    }
+-
+-    /*
+-     * If xargs.dn is set then the request is to add a
+-     * kerberos principal on a ldap object, but if
+-     * there is one already on the ldap object this
+-     * should result in an error.
+-     */
+-
+-    if (xargs.dn != NULL && krb_identity_exists == TRUE) {
+-        st = EINVAL;
+-        snprintf(errbuf, sizeof(errbuf),
+-                 _("ldap object is already kerberized"));
+-        k5_setmsg(context, st, "%s", errbuf);
+-        goto cleanup;
+     }
+ 
+     if (xargs.linkdn != NULL) {
+diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
+index 217f2cdc3b..6e563b1032 100755
+--- a/src/tests/t_kdb.py
++++ b/src/tests/t_kdb.py
+@@ -203,6 +203,12 @@ def ldap_add(dn, objectclass, attrs=[]):
+ # in the test LDAP server.
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
+           expected_code=1, expected_msg='DN is out of the realm subtree')
++# Check that the DN container check is a hierarchy test, not a simple
++# suffix match (CVE-2018-5730).  We expect this operation to fail
++# either way (because "xcn" isn't a valid DN tag) but the container
++# check should happen before the DN is parsed.
++realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
++          expected_code=1, expected_msg='DN is out of the realm subtree')
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
+ realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
+@@ -226,6 +232,11 @@ def ldap_add(dn, objectclass, attrs=[]):
+            'princ3'])
+ realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
+           expected_code=1, expected_msg='containerdn option not supported')
++# Verify that containerdn is checked when linkdn is also supplied
++# (CVE-2018-5730).
++realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
++           '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
++          expected_msg='DN is out of the realm subtree')
+ 
+ # Create and modify a ticket policy.
+ kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
new file mode 100644
index 00000000000..feec00d8627
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
@@ -0,0 +1,158 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite require network access
+RESTRICT="test"
+
+CDEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+	)"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	eapply -p2 "${FILESDIR}/CVE-2018-5729-5730.patch"
+	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
+
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+	eapply_user
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2018-05-10  6:41 Eray Aslan
  0 siblings, 0 replies; 14+ messages in thread
From: Eray Aslan @ 2018-05-10  6:41 UTC (permalink / raw
  To: gentoo-commits

commit:     f7248912b982989fc1aa142bdbbab3a375725fa5
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Thu May 10 06:41:26 2018 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Thu May 10 06:41:53 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7248912

app-crypt/mit-krb5: remove old

Package-Manager: Portage-2.3.36, Repoman-2.3.9

 app-crypt/mit-krb5/Manifest                        |   1 -
 .../files/mit-krb5-1.14.2-redeclared-ttyname.patch |  26 ----
 .../files/mit-krb5-1.14.4-disable-nls.patch        |  45 ------
 .../files/mit-krb5-1.15.2-fix-pkinit.patch         |  98 -------------
 app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild       | 145 --------------------
 app-crypt/mit-krb5/mit-krb5-1.15.2.ebuild          | 144 -------------------
 app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild         | 152 ---------------------
 7 files changed, 611 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 2e79cf89fa3..80fe45536f5 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,3 +1,2 @@
-DIST krb5-1.15.2.tar.gz 9380755 BLAKE2B 3f5d00a70bf44ef077872bde282e4753e82acb70632e136b8f9f8d3a192e3e7b692840803e5a3f67ddb202d53631767ea9eb8b7615d45a3479389a01a6390ac4 SHA512 e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2
 DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 16bdd7d6d03ddbd4b070663c3a7a3d2331d54e8590b24f1dc162be2531bfbbbd65878d426a160c65ffc1ba4751f16bbbd177a8a91c01002fde0e886cc1bd91b9 SHA512 fa4ec14a4ffe690861e2dd7ea39d7698af2058ce181bb733ea891f80279f4dde4bb891adec5ccb0eaddf737306e6ceb1fe3744a2946e6189a7d7d2dd3bc5ba84
 DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch
deleted file mode 100644
index a76cd3a7f84..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Fixes the redeclaration of ttyname which was preventing
-enabling clang fortify.
-
-The error was;
-
-main.c:858:15: error: redeclaration of 'ttyname' must have the 'overloadable' attribute
-    char *p, *ttyname();
-              ^
-/build/samus/usr/include/unistd.h:784:14: note: previous overload of function is here
-extern char *ttyname (int __fd) __THROW __CLANG_NO_MANGLE (ttyname);
-
-https://github.com/krb5/krb5/pull/568
-
-Patch by Zentaro Kavanagh <zentaro@google.com>
-
---- clients/ksu/main.c
-+++ clients/ksu/main.c
-@@ -855,7 +855,7 @@
- 
- static char * ontty()
- {
--    char *p, *ttyname();
-+    char *p;
-     static char buf[MAXPATHLEN + 5];
-     int result;
- 

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch
deleted file mode 100644
index 63cb0fc0c55..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Adds support for --(enable|disable)-nls configure option.
-
-This enables\disables the generation of language files and
-sets the ENABLE_NLS define appropriately.
-
-Default value is enabled to preserve current behavior.
-
-Patch by Zentaro Kavanagh <zentaro@google.com>
-https://crbug.com/654842
-
-https://github.com/krb5/krb5/pull/584
-
---- src/configure.in
-+++ src/configure.in
-@@ -118,15 +118,22 @@
- ])
- AC_SUBST(LIBUTIL)
- 
--AC_CHECK_HEADER(libintl.h, [
--	AC_SEARCH_LIBS(dgettext, intl, [
--		AC_DEFINE(ENABLE_NLS, 1,
--			[Define if translation functions should be used.])])])
--
--AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
-+# Determine if NLS is desired and supported.
- po=
--if test x"$MSGFMT" != x; then
--	po=po
-+AC_ARG_ENABLE([nls],
-+AC_HELP_STRING([--disable-nls],
-+               [Disable Native Language Support(NLS).]), ,
-+               enableval=yes)
-+if test "$enableval" = yes ; then
-+        AC_CHECK_HEADER(libintl.h, [
-+                AC_SEARCH_LIBS(dgettext, intl, [
-+                        AC_DEFINE(ENABLE_NLS, 1,
-+                                [Define if translation functions should be used.])])])
-+
-+        AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
-+        if test x"$MSGFMT" != x; then
-+                po=po
-+        fi
- fi
- AC_SUBST(po)
- 

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
deleted file mode 100644
index 4f721d4d961..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 74fffbf321..4b86a6f302 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -5145,33 +5145,29 @@ crypto_retieve_X509_key_usage(krb5_context context,
-     return retval;
- }
- 
--/*
-- * Return a string format of an X509_NAME in buf where
-- * size is an in/out parameter.  On input it is the size
-- * of the buffer, and on output it is the actual length
-- * of the name.
-- * If buf is NULL, returns the length req'd to hold name
-- */
--static char *
--X509_NAME_oneline_ex(X509_NAME * a,
--                     char *buf,
--                     unsigned int *size,
--                     unsigned long flag)
-+static krb5_error_code
-+rfc2253_name(X509_NAME *name, char **str_out)
- {
--    BIO *out = NULL;
-+    BIO *b = NULL;
-+    char *str;
- 
--    out = BIO_new(BIO_s_mem ());
--    if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
--        if (buf != NULL && (*size) >  (unsigned int) BIO_number_written(out)) {
--            memset(buf, 0, *size);
--            BIO_read(out, buf, (int) BIO_number_written(out));
--        }
--        else {
--            *size = BIO_number_written(out);
--        }
--    }
--    BIO_free(out);
--    return (buf);
-+    *str_out = NULL;
-+    b = BIO_new(BIO_s_mem());
-+    if (b == NULL)
-+        return ENOMEM;
-+    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
-+        goto error;
-+    str = calloc(BIO_number_written(b) + 1, 1);
-+    if (str == NULL)
-+        goto error;
-+    BIO_read(b, str, BIO_number_written(b));
-+    BIO_free(b);
-+    *str_out = str;
-+    return 0;
-+
-+error:
-+    BIO_free(b);
-+    return ENOMEM;
- }
- 
- /*
-@@ -5187,8 +5183,6 @@ crypto_cert_get_matching_data(krb5_context context,
-     krb5_principal *pkinit_sans =NULL, *upn_sans = NULL;
-     struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch;
-     unsigned int i, j;
--    char buf[DN_BUF_LEN];
--    unsigned int bufsize = sizeof(buf);
- 
-     if (cd == NULL || cd->magic != CERT_MAGIC)
-         return EINVAL;
-@@ -5201,23 +5195,14 @@ crypto_cert_get_matching_data(krb5_context context,
- 
-     md->ch = ch;
- 
--    /* get the subject name (in rfc2253 format) */
--    X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert),
--                         buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
--    md->subject_dn = strdup(buf);
--    if (md->subject_dn == NULL) {
--        retval = ENOMEM;
-+    retval = rfc2253_name(X509_get_subject_name(cd->cred->cert),
-+                          &md->subject_dn);
-+    if (retval)
-         goto cleanup;
--    }
--
--    /* get the issuer name (in rfc2253 format) */
--    X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert),
--                         buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
--    md->issuer_dn = strdup(buf);
--    if (md->issuer_dn == NULL) {
--        retval = ENOMEM;
-+    retval = rfc2253_name(X509_get_issuer_name(cd->cred->cert),
-+                          &md->issuer_dn);
-+    if (retval)
-         goto cleanup;
--    }
- 
-     /* get the san data */
-     retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx,

diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild
deleted file mode 100644
index 3f1ef7523d9..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild
+++ /dev/null
@@ -1,145 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-PYTHON_COMPAT=( python2_7 )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 versionator
-
-MY_P="${P/mit-}"
-P_DIR=$(get_version_component_range 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="http://web.mit.edu/kerberos/www/"
-SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh ~sparc x86"
-IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	eapply -p0 "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
-	eapply "${FILESDIR}/${PN}-1.14.4-disable-nls.patch"
-	eapply -p2 "${FILESDIR}/${PN}-1.15.2-fix-pkinit.patch"
-
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
-
-	eapply_user
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.15.2.ebuild
deleted file mode 100644
index 9b63538a0b3..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.15.2.ebuild
+++ /dev/null
@@ -1,144 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-PYTHON_COMPAT=( python2_7 )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 versionator
-
-MY_P="${P/mit-}"
-P_DIR=$(get_version_component_range 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="http://web.mit.edu/kerberos/www/"
-SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
-IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	eapply -p0 "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
-	eapply "${FILESDIR}/${PN}-1.14.4-disable-nls.patch"
-
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
-
-	eapply_user
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild
deleted file mode 100644
index 94966e19df3..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild
+++ /dev/null
@@ -1,152 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-PYTHON_COMPAT=( python2_7 )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
-
-MY_P="${P/mit-}"
-P_DIR=$(get_version_component_range 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
-
-# Test suite require network access
-RESTRICT="test"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
-	
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
-
-	eapply_user
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2019-04-25  3:31 Aaron Bauman
  0 siblings, 0 replies; 14+ messages in thread
From: Aaron Bauman @ 2019-04-25  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     bb54b6ddf7a0ba9ad911ea73b747743eb00759b0
Author:     Stefan Strogin <stefan.strogin <AT> gmail <DOT> com>
AuthorDate: Thu Apr 25 03:02:10 2019 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Thu Apr 25 03:31:04 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb54b6dd

app-crypt/mit-krb5: update patch for LibreSSL 2.9.1

Closes: https://bugs.gentoo.org/684302
Package-Manager: Portage-2.3.64, Repoman-2.3.12
Signed-off-by: Stefan Strogin <stefan.strogin <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/11821
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org>

 .../mit-krb5/files/mit-krb5-1.16.3-libressl.patch  | 101 +++++++++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild          |   2 +-
 2 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch
new file mode 100644
index 00000000000..7a655fb9a1d
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch
@@ -0,0 +1,101 @@
+From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001
+From: Stefan Strogin <stefan.strogin@gmail.com>
+Date: Thu, 25 Apr 2019 03:48:10 +0300
+Subject: [PATCH] Fix build for LibreSSL 2.9.x
+
+asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods
+are not defined. Define them.
+
+Upstream-Status: Pending
+[Needs to be amended if
+https://github.com/libressl-portable/openbsd/pull/109 is accepted]
+Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c    | 13 ++++++++----
+ .../preauth/pkinit/pkinit_crypto_openssl.h    | 20 ++++++++++++++++++-
+ 2 files changed, 28 insertions(+), 5 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 2064eb7bd..81d5d3cf2 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err);
+     (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+-/* 1.1 standardizes constructor and destructor names, renaming
+- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
++/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names,
++ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
+ 
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
+ #define EVP_MD_CTX_new EVP_MD_CTX_create
+ #define EVP_MD_CTX_free EVP_MD_CTX_destroy
+ #define ASN1_STRING_get0_data ASN1_STRING_data
++#endif
+ 
+ /* 1.1 makes many handle types opaque and adds accessors.  Add compatibility
+  * versions of the new accessors we use for pre-1.1. */
+@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err);
+ #define OBJ_get0_data(o) ((o)->data)
+ #define OBJ_length(o) ((o)->length)
+ 
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
+ #define DH_set0_pqg compat_dh_set0_pqg
+ static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+ {
+@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub,
+     if (priv != NULL)
+         *priv = dh->priv_key;
+ }
++#endif /* LIBRESSL_VERSION_NUMBER */
+ 
+ /* Return true if the cert c includes a key usage which doesn't include u.
+  * Define using direct member access for pre-1.1. */
+@@ -3040,7 +3044,8 @@ cleanup:
+     return retval;
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
++  LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+ 
+ /*
+  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+index 7411348fa..ac91408c4 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+@@ -46,7 +46,25 @@
+ #include <openssl/asn1.h>
+ #include <openssl/pem.h>
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
++  LIBRESSL_VERSION_NUMBER >= 0x2090000fL
++
++#ifndef static_ASN1_SEQUENCE_END_name
++#define static_ASN1_ITEM_start(itname) \
++	static const ASN1_ITEM itname##_it = {
++#define static_ASN1_SEQUENCE_END_name(stname, tname) \
++	;\
++	static_ASN1_ITEM_start(tname) \
++		ASN1_ITYPE_SEQUENCE,\
++		V_ASN1_SEQUENCE,\
++		tname##_seq_tt,\
++		sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
++		NULL,\
++		sizeof(stname),\
++		#stname \
++	ASN1_ITEM_end(tname)
++#endif /* !defined(static_ASN1_SEQUENCE_END_name) */
++
+ #include <openssl/asn1t.h>
+ #else
+ #include <openssl/asn1_mac.h>
+-- 
+2.21.0
+

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild
index 4aeaa219ada..9d8b9911639 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild
@@ -63,7 +63,7 @@ MULTILIB_CHOST_TOOLS=(
 src_prepare() {
 	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
+	eapply -p2 "${FILESDIR}/${P}-libressl.patch"
 
 	# Make sure we always use the system copies.
 	rm -rf util/{et,ss,verto}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2019-12-12  7:46 Eray Aslan
  0 siblings, 0 replies; 14+ messages in thread
From: Eray Aslan @ 2019-12-12  7:46 UTC (permalink / raw
  To: gentoo-commits

commit:     7be2eed6b6b41bfa1fd1769d3e9909f571851074
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 12 07:46:07 2019 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Thu Dec 12 07:46:07 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7be2eed6

app-crypt/mit-krb5: bump to 1.17.1

and dont create /run
Closes: https://bugs.gentoo.org/701430
Package-Manager: Portage-2.3.81, Repoman-2.3.20
Signed-off-by: Eray Aslan <eras <AT> gentoo.org>

 app-crypt/mit-krb5/Manifest                        |   1 +
 .../mit-krb5/files/mit-krb5_dont_create_run.patch  |  10 ++
 app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild          | 164 +++++++++++++++++++++
 3 files changed, 175 insertions(+)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 4b2ab0c10a3..4f15bcb4650 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1 +1,2 @@
+DIST krb5-1.17.1.tar.gz 8765399 BLAKE2B 46be864e2db9c70d164532d82776195bf57342ce4f1fd7dfcf3cf6bd72a3639a69954f742607a2b8950b4dea8acfac5d633aa379d669de20bafe54b407bab94b SHA512 e0c3dc0a6554ab3105ac32f3f01519f56064500213aa743816235d83250abc1db9a9ca38a2ba93a938d562b4af135a013017ce96346d6742bca0c812b842ceef
 DIST krb5-1.17.tar.gz 8761763 BLAKE2B 76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014 SHA512 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52

diff --git a/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch b/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch
new file mode 100644
index 00000000000..d68e13b0675
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch
@@ -0,0 +1,10 @@
+--- src/Makefile.in	2019-12-12 10:15:51.674552983 +0300
++++ src/Makefile.in	2019-12-12 10:16:33.205543490 +0300
+@@ -71,7 +71,6 @@
+ 		$(KRB5_AD_MODULE_DIR) \
+ 		$(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \
+ 		@localstatedir@ @localstatedir@/krb5kdc \
+-		@runstatedir@ @runstatedir@/krb5kdc \
+ 		$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
+ 		$(PKGCONFIG_DIR)
+ 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild
new file mode 100644
index 00000000000..1b7882df2d0
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild
@@ -0,0 +1,164 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{5,6,7} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite requires network access
+#RESTRICT="test"
+
+DEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb )
+	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	"
+BDEPEND="
+	${PYTHON_DEPS}
+	virtual/yacc
+	cpu_flags_x86_aes? (
+		amd64? ( dev-lang/yasm )
+		x86? ( dev-lang/yasm )
+	)
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+		dev-util/cmocka
+	)"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
+	"${FILESDIR}/${PN}_dont_create_run.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	default
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		$(use_with lmdb) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2020-02-15  8:56 Stefan Strogin
  0 siblings, 0 replies; 14+ messages in thread
From: Stefan Strogin @ 2020-02-15  8:56 UTC (permalink / raw
  To: gentoo-commits

commit:     96076573ffc3c9e64a31dd6258129bd5044bb9ee
Author:     Stefan Strogin <steils <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 15 08:50:01 2020 +0000
Commit:     Stefan Strogin <steils <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 08:50:01 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96076573

app-crypt/mit-krb5: add patch for LibreSSL for 1.18

Closes: https://bugs.gentoo.org/709640
Package-Manager: Portage-2.3.88, Repoman-2.3.20
Signed-off-by: Stefan Strogin <steils <AT> gentoo.org>

 .../mit-krb5/files/mit-krb5-1.18-libressl.patch    | 42 ++++++++++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.18.ebuild            |  1 +
 2 files changed, 43 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch
new file mode 100644
index 00000000000..1522d42a730
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch
@@ -0,0 +1,42 @@
+From e3e3bc2a20795becda6e130d511fe59f04635624 Mon Sep 17 00:00:00 2001
+From: Stefan Strogin <steils@gentoo.org>
+Date: Sat, 15 Feb 2020 10:27:20 +0200
+Subject: [PATCH] Fix compilation for LibreSSL 3.0.2
+
+RSA_PKCS1_OpenSSL() is provided in LibreSSL the master branch,
+expected to be in the next release.
+See: https://github.com/libressl-portable/openbsd/commit/3a8c41f3a84868337fde01ec1122198ec60bdc8e
+
+Bug: https://bugs.gentoo.org/709640
+Signed-off-by: Stefan Strogin <steils@gentoo.org>
+---
+ tests/softpkcs11/main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tests/softpkcs11/main.c b/tests/softpkcs11/main.c
+index 1cccdfb43..a5099fbe4 100644
+--- a/tests/softpkcs11/main.c
++++ b/tests/softpkcs11/main.c
+@@ -47,7 +47,6 @@
+ 
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
+-#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
+ #define RSA_get0_key compat_rsa_get0_key
+ static void
+ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
+@@ -62,6 +61,11 @@ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
+ }
+ #endif
+ 
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
++    defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x3000200fL)
++#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
++#endif
++
+ #define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R)      \
+     {                                                   \
+         unsigned char *p;                               \
+-- 
+2.25.0
+

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.ebuild
index 393c85034b8..2c9031b2e10 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.18.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.ebuild
@@ -63,6 +63,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
 	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
 	"${FILESDIR}/${PN}_dont_create_run.patch"
+	"${FILESDIR}/${P}-libressl.patch"
 )
 
 MULTILIB_CHOST_TOOLS=(


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2021-05-01 18:07 Sam James
  0 siblings, 0 replies; 14+ messages in thread
From: Sam James @ 2021-05-01 18:07 UTC (permalink / raw
  To: gentoo-commits

commit:     180ca9f16a555d6e4b66f13411c12fe3eea5eb5b
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat May  1 17:20:13 2021 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat May  1 18:06:21 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=180ca9f1

app-crypt/mit-krb5: drop obsolete LibreSSL patches

Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/mit-krb5-1.16.3-libressl-r1.patch        | 101 ---------------------
 .../mit-krb5/files/mit-krb5-1.18-libressl.patch    |  42 ---------
 app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild       |   2 -
 app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild       |   2 -
 4 files changed, 147 deletions(-)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch
deleted file mode 100644
index ca74b88bb0f..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001
-From: Stefan Strogin <stefan.strogin@gmail.com>
-Date: Thu, 25 Apr 2019 03:48:10 +0300
-Subject: [PATCH] Fix build for LibreSSL 2.9.x
-
-asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods
-are not defined. Define them.
-
-Upstream-Status: Pending
-[Needs to be amended if
-https://github.com/libressl-portable/openbsd/pull/109 is accepted]
-Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
----
- .../preauth/pkinit/pkinit_crypto_openssl.c    | 13 ++++++++----
- .../preauth/pkinit/pkinit_crypto_openssl.h    | 20 ++++++++++++++++++-
- 2 files changed, 28 insertions(+), 5 deletions(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 2064eb7bd..81d5d3cf2 100644
---- a/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err);
-     (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 
--/* 1.1 standardizes constructor and destructor names, renaming
-- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
-+/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names,
-+ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
- 
-+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
- #define EVP_MD_CTX_new EVP_MD_CTX_create
- #define EVP_MD_CTX_free EVP_MD_CTX_destroy
- #define ASN1_STRING_get0_data ASN1_STRING_data
-+#endif
- 
- /* 1.1 makes many handle types opaque and adds accessors.  Add compatibility
-  * versions of the new accessors we use for pre-1.1. */
-@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err);
- #define OBJ_get0_data(o) ((o)->data)
- #define OBJ_length(o) ((o)->length)
- 
-+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
- #define DH_set0_pqg compat_dh_set0_pqg
- static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
- {
-@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub,
-     if (priv != NULL)
-         *priv = dh->priv_key;
- }
-+#endif /* LIBRESSL_VERSION_NUMBER */
- 
- /* Return true if the cert c includes a key usage which doesn't include u.
-  * Define using direct member access for pre-1.1. */
-@@ -3040,7 +3044,8 @@ cleanup:
-     return retval;
- }
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
-+  LIBRESSL_VERSION_NUMBER >= 0x2090000fL
- 
- /*
-  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-index 7411348fa..ac91408c4 100644
---- a/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-+++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-@@ -46,7 +46,25 @@
- #include <openssl/asn1.h>
- #include <openssl/pem.h>
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
-+  LIBRESSL_VERSION_NUMBER >= 0x2090000fL
-+
-+#ifndef static_ASN1_SEQUENCE_END_name
-+#define static_ASN1_ITEM_start(itname) \
-+	static const ASN1_ITEM itname##_it = {
-+#define static_ASN1_SEQUENCE_END_name(stname, tname) \
-+	;\
-+	static_ASN1_ITEM_start(tname) \
-+		ASN1_ITYPE_SEQUENCE,\
-+		V_ASN1_SEQUENCE,\
-+		tname##_seq_tt,\
-+		sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-+		NULL,\
-+		sizeof(stname),\
-+		#stname \
-+	ASN1_ITEM_end(tname)
-+#endif /* !defined(static_ASN1_SEQUENCE_END_name) */
-+
- #include <openssl/asn1t.h>
- #else
- #include <openssl/asn1_mac.h>
--- 
-2.21.0
-

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch
deleted file mode 100644
index 1522d42a730..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e3e3bc2a20795becda6e130d511fe59f04635624 Mon Sep 17 00:00:00 2001
-From: Stefan Strogin <steils@gentoo.org>
-Date: Sat, 15 Feb 2020 10:27:20 +0200
-Subject: [PATCH] Fix compilation for LibreSSL 3.0.2
-
-RSA_PKCS1_OpenSSL() is provided in LibreSSL the master branch,
-expected to be in the next release.
-See: https://github.com/libressl-portable/openbsd/commit/3a8c41f3a84868337fde01ec1122198ec60bdc8e
-
-Bug: https://bugs.gentoo.org/709640
-Signed-off-by: Stefan Strogin <steils@gentoo.org>
----
- tests/softpkcs11/main.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/tests/softpkcs11/main.c b/tests/softpkcs11/main.c
-index 1cccdfb43..a5099fbe4 100644
---- a/tests/softpkcs11/main.c
-+++ b/tests/softpkcs11/main.c
-@@ -47,7 +47,6 @@
- 
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- #define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
--#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
- #define RSA_get0_key compat_rsa_get0_key
- static void
- compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
-@@ -62,6 +61,11 @@ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
- }
- #endif
- 
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
-+    defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x3000200fL)
-+#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
-+#endif
-+
- #define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R)      \
-     {                                                   \
-         unsigned char *p;                               \
--- 
-2.25.0
-

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
index 3b7ff7d91e9..a80fe2ba685 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
@@ -59,9 +59,7 @@ S=${WORKDIR}/${MY_P}/src
 PATCHES=(
 	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
 	"${FILESDIR}/${PN}_dont_create_run.patch"
-	"${FILESDIR}/${PN}-1.18-libressl.patch"
 	"${FILESDIR}/CVE-2020-28196.patch"
 	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
 	"${FILESDIR}/${PN}-1.18.2-autoconf-2.70.patch"

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild
index 901b431b246..a20eb9604cb 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild
@@ -59,9 +59,7 @@ S=${WORKDIR}/${MY_P}/src
 PATCHES=(
 	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
 	"${FILESDIR}/${PN}_dont_create_run.patch"
-	"${FILESDIR}/${PN}-1.18-libressl.patch"
 	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
 )
 


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2021-08-02 10:36 Eray Aslan
  0 siblings, 0 replies; 14+ messages in thread
From: Eray Aslan @ 2021-08-02 10:36 UTC (permalink / raw
  To: gentoo-commits

commit:     98dc35e8c0f276aa167465b5e7636e8a975beaed
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Mon Aug  2 10:35:50 2021 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Mon Aug  2 10:35:50 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98dc35e8

app-crypt/mit-krb5: cleanup

Bug: https://bugs.gentoo.org/803434
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Eray Aslan <eras <AT> gentoo.org>

 app-crypt/mit-krb5/Manifest                        |   3 -
 app-crypt/mit-krb5/files/CVE-2020-28196.patch      |  71 ---------
 .../files/mit-krb5-1.18.2-autoconf-2.70.patch      |  35 -----
 .../mit-krb5/files/mit-krb5_dont_create_run.patch  |  10 --
 app-crypt/mit-krb5/mit-krb5-1.18.2-r4.ebuild       | 166 ---------------------
 app-crypt/mit-krb5/mit-krb5-1.18.3-r2.ebuild       | 164 --------------------
 app-crypt/mit-krb5/mit-krb5-1.19.1-r1.ebuild       | 161 --------------------
 7 files changed, 610 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 57a2a337308..a5005ab76f7 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,4 +1 @@
-DIST krb5-1.18.2.tar.gz 8713927 BLAKE2B f0eb34e67adcb86f347c59ec6ef74970a57530cc56336a84909f852cd6135079ea89828e77c906a272f54e0faf6a4a0497f2b648446eb9d048d1c51e4ec513af SHA512 7cbb1b28e677fea3e0794e93951f3caaa2c49bb1175dd187951e72a466cc69d96c3b833d838000fe911c1a437d96a558e550f27c53a8b332fb9dfc7cbb7ec44c
-DIST krb5-1.18.3.tar.gz 8715312 BLAKE2B 4f6ad4a529e7578e83d82b43c2cada33bce1dca5081ec826ee06a713f82520b783f72ec56d2ce289e10d1ddcfaa079491e43f21c035b214d244bb80e6b2a1c9f SHA512 cf0bf6cf8f622fa085954e6da998d952cf64dc7ccc319972ed81ea0542089cabf2d0e8243df84da01ad6f40584768ca2f02d108630c6741fa7b3d7d98c887c01
-DIST krb5-1.19.1.tar.gz 8738142 BLAKE2B 902dd08fe4b81b1cb0ec2bf1b95eeece0f8a87b87bae865272c7bf5dd028c01997ec4c5d24df605328db85e7cbfe9a38dd804b363b651aefa7b4eaec958a280c SHA512 36bf33802119ada4650a8f69f1daca95aaf882dc96bfa7061f0340a5decd588c31fc10108ddadf1042934e0e2c3bbd975deec565b0a7f0fc2baf8b8cc6d97491
 DIST krb5-1.19.2.tar.gz 8741053 BLAKE2B 963722721201e75381c91a2af6e982f569a5b1602beb2d1ded83d35f6f914235a6ed91e5d54f56c97e94921a32ed27c49aded258327966ee13d39485208c38d8 SHA512 b90d6ed0e1e8a87eb5cb2c36d88b823a6a6caabf85e5d419adb8a930f7eea09a5f8491464e7e454cca7ba88be09d19415962fe0036ad2e31fc584f9fc0bbd470

diff --git a/app-crypt/mit-krb5/files/CVE-2020-28196.patch b/app-crypt/mit-krb5/files/CVE-2020-28196.patch
deleted file mode 100644
index 486078437e8..00000000000
--- a/app-crypt/mit-krb5/files/CVE-2020-28196.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
-index a160cf4fe8..cd6b879f77 100644
---- a/lib/krb5/asn.1/asn1_encode.c
-+++ b/lib/krb5/asn.1/asn1_encode.c
-@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len)
- static krb5_error_code
- get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
-         const uint8_t **contents_out, size_t *clen_out,
--        const uint8_t **remainder_out, size_t *rlen_out)
-+        const uint8_t **remainder_out, size_t *rlen_out, int recursion)
- {
-     krb5_error_code ret;
-     uint8_t o;
-@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
-         /* Indefinite form (should not be present in DER, but we accept it). */
-         if (tag_out->construction != CONSTRUCTED)
-             return ASN1_MISMATCH_INDEF;
-+        if (recursion >= 32)
-+            return ASN1_OVERFLOW;
-         p = asn1;
-         while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
--            ret = get_tag(p, len, &t, &c, &clen, &p, &len);
-+            ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1);
-             if (ret)
-                 return ret;
-         }
-@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out)
-     const uint8_t *contents, *remainder;
-     size_t clen, rlen;
- 
--    ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen);
-+    ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0);
-     if (ret)
-         return ret;
-     if (rlen != 0)
-@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, size_t len,
-         const uint8_t *rem;
-         size_t rlen;
-         if (!tag->implicit) {
--            ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen);
-+            ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0);
-             if (ret)
-                 return ret;
-             /* Note: we don't check rlen (it should be 0). */
-@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq,
-     for (i = 0; i < seq->n_fields; i++) {
-         if (len == 0)
-             break;
--        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
-+        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
-         if (ret)
-             goto error;
-         /*
-@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len,
-     *seq_out = NULL;
-     *count_out = 0;
-     while (len > 0) {
--        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
-+        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
-         if (ret)
-             goto error;
-         if (!check_atype_tag(elemtype, &t)) {
-@@ -1584,7 +1586,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a,
- 
-     *retrep = NULL;
-     ret = get_tag((uint8_t *)code->data, code->length, &t, &contents,
--                  &clen, &remainder, &rlen);
-+                  &clen, &remainder, &rlen, 0);
-     if (ret)
-         return ret;
-     /* rlen should be 0, but we don't check it (and due to padding in

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch
deleted file mode 100644
index 6741c47e0d1..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-https://bugs.gentoo.org/778167
-
-From f78edbe30816f049e1360cb6e203fabfdf7b98df Mon Sep 17 00:00:00 2001
-From: Sergei Trofimovich <slyfox@gentoo.org>
-Date: Fri, 6 Nov 2020 08:14:57 +0000
-Subject: [PATCH] Fix compatibility with upcoming autoconf 2.70
-
-Mainline autoconf generates no shell code for AC_CONFIG_AUX_DIR().
-Call it unconditionally to avoid a syntax error.
-
-[ghudson@mit.edu: rewrote commit message]
-
-ticket: 8960 (new)
-tags: pullup
-target_version: 1.18-next
-target_version: 1.17-next
----
- src/aclocal.m4 | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
---- src/aclocal.m4
-+++ src/aclocal.m4
-@@ -13,11 +13,7 @@ fi
- ac_topdir=$srcdir/$ac_reltopdir
- ac_config_fragdir=$ac_reltopdir/config
- # echo "Looking for $srcdir/$ac_config_fragdir"
--if test -d "$srcdir/$ac_config_fragdir"; then
--  AC_CONFIG_AUX_DIR(K5_TOPDIR/config)
--else
--  AC_MSG_ERROR([can not find config/ directory in $ac_reltopdir])
--fi
-+AC_CONFIG_AUX_DIR(K5_TOPDIR/config)
- ])dnl
- dnl
- dnl Version info.

diff --git a/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch b/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch
deleted file mode 100644
index d68e13b0675..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- src/Makefile.in	2019-12-12 10:15:51.674552983 +0300
-+++ src/Makefile.in	2019-12-12 10:16:33.205543490 +0300
-@@ -71,7 +71,6 @@
- 		$(KRB5_AD_MODULE_DIR) \
- 		$(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \
- 		@localstatedir@ @localstatedir@/krb5kdc \
--		@runstatedir@ @runstatedir@/krb5kdc \
- 		$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
- 		$(PKGCONFIG_DIR)
- 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.2-r4.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.2-r4.ebuild
deleted file mode 100644
index 228d7891ac6..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.18.2-r4.ebuild
+++ /dev/null
@@ -1,166 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-PYTHON_COMPAT=( python3_{7,8,9} )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~s390 sparc x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
-
-# Test suite requires network access
-RESTRICT="test"
-
-DEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-	lmdb? ( dev-db/lmdb )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		>=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}]
-	)
-	xinetd? ( sys-apps/xinetd )
-	"
-BDEPEND="
-	${PYTHON_DEPS}
-	virtual/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-		dev-util/cmocka
-	)"
-RDEPEND="${DEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-PATCHES=(
-	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}_dont_create_run.patch"
-	"${FILESDIR}/CVE-2020-28196.patch"
-	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
-	"${FILESDIR}/${PN}-1.18.2-autoconf-2.70.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	default
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
-
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		$(use_with lmdb) \
-		$(use_with keyutils) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath \
-		\
-		AR="$(tc-getAR)"
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.3-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.3-r2.ebuild
deleted file mode 100644
index c987ff85d93..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.18.3-r2.ebuild
+++ /dev/null
@@ -1,164 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-PYTHON_COMPAT=( python3_{7,8,9} )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
-
-# Test suite requires network access
-RESTRICT="test"
-
-DEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-	lmdb? ( dev-db/lmdb )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		>=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}]
-	)
-	xinetd? ( sys-apps/xinetd )
-	"
-BDEPEND="
-	${PYTHON_DEPS}
-	virtual/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-		dev-util/cmocka
-	)"
-RDEPEND="${DEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-PATCHES=(
-	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}_dont_create_run.patch"
-	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	default
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
-
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		$(use_with lmdb) \
-		$(use_with keyutils) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath \
-		\
-		AR="$(tc-getAR)"
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.1-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.19.1-r1.ebuild
deleted file mode 100644
index 1353909124f..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.19.1-r1.ebuild
+++ /dev/null
@@ -1,161 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-PYTHON_COMPAT=( python3_{7,8,9} )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
-
-# Test suite requires network access
-RESTRICT="test"
-
-DEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-	lmdb? ( dev-db/lmdb )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-	xinetd? ( sys-apps/xinetd )
-	"
-BDEPEND="
-	${PYTHON_DEPS}
-	virtual/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-		dev-util/cmocka
-	)"
-RDEPEND="${DEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-PATCHES=(
-	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}_dont_create_rundir.patch"
-	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	default
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
-
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	ECONF_SOURCE=${S} \
-	AR="$(tc-getAR)" \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		$(use_with lmdb) \
-		$(use_with keyutils) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2022-11-07 10:43 Eray Aslan
  0 siblings, 0 replies; 14+ messages in thread
From: Eray Aslan @ 2022-11-07 10:43 UTC (permalink / raw
  To: gentoo-commits

commit:     3fb4979bc5980af0060e50e80ee5bea3ae72a713
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Mon Nov  7 10:43:02 2022 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Mon Nov  7 10:43:02 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3fb4979b

app-crypt/mit-krb5: drop 1.19.2-r4, 1.19.3-r2

Signed-off-by: Eray Aslan <eras <AT> gentoo.org>

 app-crypt/mit-krb5/Manifest                        |   2 -
 .../mit-krb5/files/mit-krb5-CVE-2021-37750.patch   |  43 ------
 app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild       | 162 ---------------------
 app-crypt/mit-krb5/mit-krb5-1.19.3-r2.ebuild       | 161 --------------------
 4 files changed, 368 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 04c701bf322e..ed2f9ab88d2c 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,3 +1 @@
-DIST krb5-1.19.2.tar.gz 8741053 BLAKE2B 963722721201e75381c91a2af6e982f569a5b1602beb2d1ded83d35f6f914235a6ed91e5d54f56c97e94921a32ed27c49aded258327966ee13d39485208c38d8 SHA512 b90d6ed0e1e8a87eb5cb2c36d88b823a6a6caabf85e5d419adb8a930f7eea09a5f8491464e7e454cca7ba88be09d19415962fe0036ad2e31fc584f9fc0bbd470
-DIST krb5-1.19.3.tar.gz 8741343 BLAKE2B 79e68237ee82affa85299060c509e303453c0fab965adc6b9ed305ab64a1f73bd51e65df1b3faadc60815cd506ffefaeed535765ca060d393a9141812f85b48a SHA512 18235440d6f7d8a72c5d7ca5cd8c6465e8adf091d85c483225c7b00d64b4688c1c7924cb800c2fc17e590b2709f1a9de48e6ec79f6debd11dcb7d6fa16c6f351
 DIST krb5-1.20.tar.gz 8660756 BLAKE2B fdaaab6c16dbe073c4308f312e321536b582b75fad10e5450be66b6b828825c8c775e56f5287d4a7df819d20889e5c0d9cc1d179d861c9caba185332c0db7387 SHA512 9aed84a971a4d74188468870260087ec7c3a614cceb5fe32ad7da1cb8db3d66e00df801c9f900f0131ac56eb828674b8be93df474c2d13b892b70c7977388604

diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
deleted file mode 100644
index 2f4c949e9f31..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 3 Aug 2021 01:15:27 -0400
-Subject: [PATCH] Fix KDC null deref on TGS inner body null server
-
-After the KDC decodes a FAST inner body, it does not check for a null
-server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
-would typically result in an error from krb5_unparse_name(), but with
-the addition of get_local_tgt() it results in a null dereference.  Add
-a null check.
-
-Reported by Joseph Sutton of Catalyst.
-
-CVE-2021-37750:
-
-In MIT krb5 releases 1.14 and later, an authenticated attacker can
-cause a null dereference in the KDC by sending a FAST TGS request with
-no server field.
-
-ticket: 9008 (new)
-tags: pullup
-target_version: 1.19-next
-target_version: 1.18-next
----
- src/kdc/do_tgs_req.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 582e497cc9..32dc65fa8e 100644
---- a/kdc/do_tgs_req.c
-+++ b/kdc/do_tgs_req.c
-@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
-         status = "FIND_FAST";
-         goto cleanup;
-     }
-+    if (sprinc == NULL) {
-+        status = "NULL_SERVER";
-+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-+        goto cleanup;
-+    }
- 
-     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
-                             &local_tgt, &local_tgt_storage, &local_tgt_key);

diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild b/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild
deleted file mode 100644
index a88217f5154c..000000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild
+++ /dev/null
@@ -1,162 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{8..10} )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ~ppc ppc64 ~riscv ~s390 sparc x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
-
-# some tests requires network access
-RESTRICT="test"
-
-DEPEND="
-	!!app-crypt/heimdal
-	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-	lmdb? ( dev-db/lmdb:= )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1:=[${MULTILIB_USEDEP}] )
-	pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-	xinetd? ( sys-apps/xinetd )
-	"
-BDEPEND="
-	${PYTHON_DEPS}
-	virtual/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-		dev-util/cmocka
-	)"
-RDEPEND="${DEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-PATCHES=(
-	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}_dont_create_rundir.patch"
-	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
-	"${FILESDIR}/${PN}-CVE-2021-37750.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	default
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
-
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	ECONF_SOURCE=${S} \
-	AR="$(tc-getAR)" \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		$(use_with lmdb) \
-		$(use_with keyutils) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.3-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.19.3-r2.ebuild
deleted file mode 100644
index e90b52a26ebe..000000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.19.3-r2.ebuild
+++ /dev/null
@@ -1,161 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{8..10} )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
-
-# some tests requires network access
-RESTRICT="test"
-
-DEPEND="
-	!!app-crypt/heimdal
-	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-	lmdb? ( dev-db/lmdb:= )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1:=[${MULTILIB_USEDEP}] )
-	pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-	xinetd? ( sys-apps/xinetd )
-	"
-BDEPEND="
-	${PYTHON_DEPS}
-	virtual/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-		dev-util/cmocka
-	)"
-RDEPEND="${DEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-PATCHES=(
-	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}_dont_create_rundir.patch"
-	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	default
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
-
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	ECONF_SOURCE=${S} \
-	AR="$(tc-getAR)" \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		$(use_with lmdb) \
-		$(use_with keyutils) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/
@ 2022-11-22  4:44 Sam James
  0 siblings, 0 replies; 14+ messages in thread
From: Sam James @ 2022-11-22  4:44 UTC (permalink / raw
  To: gentoo-commits

commit:     5163051e02908e8415eb36cbee56727e08c3b1c1
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 22 04:44:24 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Nov 22 04:44:24 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5163051e

app-crypt/mit-krb5: add autoconf 2.72 patch

Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/mit-krb5-1.20.1-autoconf-2.72.patch      | 31 ++++++++++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild          |  1 +
 2 files changed, 32 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch
new file mode 100644
index 000000000000..b55193bcc7fa
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch
@@ -0,0 +1,31 @@
+https://github.com/krb5/krb5/commit/d864d740d019fdf2c640460f2aa2760c7fa4d5e9
+
+From d864d740d019fdf2c640460f2aa2760c7fa4d5e9 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Thu, 17 Nov 2022 15:01:24 +0100
+Subject: [PATCH] Fix aclocal.m4 syntax error for autoconf 2.72
+
+An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf
+versions up to 2.71, but will cause an error at configure time with
+the forthcoming autoconf 2.72.
+
+[ghudson@mit.edu: added more context to commit message]
+
+ticket: 9077 (new)
+tags: pullup
+target_version: 1.20-next
+target_version: 1.19-next
+--- a/aclocal.m4
++++ b/aclocal.m4
+@@ -409,8 +409,8 @@ else
+       [[struct sockaddr_in6 in;
+         AF_INET6;
+         IN6_IS_ADDR_LINKLOCAL(&in.sin6_addr);]])],
+-    [krb5_cv_inet6=yes], [krb5_cv_inet6=no])])
+-fi
++    [krb5_cv_inet6=yes], [krb5_cv_inet6=no])
++fi])
+ AC_MSG_RESULT($krb5_cv_inet6)
+ if test "$krb5_cv_inet6" = no && test "$ac_cv_func_inet_ntop" = yes; then
+ AC_MSG_CHECKING(for IPv6 compile-time support with -DINET6)
+

diff --git a/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild
index 1d7889bfab83..cd47708db88f 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild
@@ -54,6 +54,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}_dont_create_rundir.patch"
 	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
 	"${FILESDIR}/${PN}-1.20-missing-time-include.patch"
+	"${FILESDIR}/${PN}-1.20.1-autoconf-2.72.patch"
 )
 
 MULTILIB_CHOST_TOOLS=(


^ permalink raw reply related	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2022-11-22  4:45 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-25  3:31 [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/ Aaron Bauman
  -- strict thread matches above, loose matches on Subject: below --
2022-11-22  4:44 Sam James
2022-11-07 10:43 Eray Aslan
2021-08-02 10:36 Eray Aslan
2021-05-01 18:07 Sam James
2020-02-15  8:56 Stefan Strogin
2019-12-12  7:46 Eray Aslan
2018-05-10  6:41 Eray Aslan
2018-04-13  7:02 Eray Aslan
2018-04-12 21:26 Aaron Bauman
2018-01-26 21:07 Thomas Deutschmann
2017-12-05 10:00 Eray Aslan
2016-04-21 16:07 Eray Aslan
2015-10-29  4:37 Eray Aslan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox