public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2021-03-25 13:02 Sam James
  0 siblings, 0 replies; 9+ messages in thread
From: Sam James @ 2021-03-25 13:02 UTC (permalink / raw
  To: gentoo-commits

commit:     232b26749202346408c3757cc4c79af08208007a
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Mar 25 12:50:15 2021 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Mar 25 13:02:16 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=232b2674

app-crypt/mit-krb5: fix build with autoconf 2.70

Thanks-to: Sergei Trofimovich <slyfox <AT> gentoo.org>
Closes: https://bugs.gentoo.org/778167
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/mit-krb5-1.18.2-autoconf-2.70.patch      | 35 ++++++++++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild       |  1 +
 2 files changed, 36 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch
new file mode 100644
index 00000000000..6741c47e0d1
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-autoconf-2.70.patch
@@ -0,0 +1,35 @@
+https://bugs.gentoo.org/778167
+
+From f78edbe30816f049e1360cb6e203fabfdf7b98df Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Fri, 6 Nov 2020 08:14:57 +0000
+Subject: [PATCH] Fix compatibility with upcoming autoconf 2.70
+
+Mainline autoconf generates no shell code for AC_CONFIG_AUX_DIR().
+Call it unconditionally to avoid a syntax error.
+
+[ghudson@mit.edu: rewrote commit message]
+
+ticket: 8960 (new)
+tags: pullup
+target_version: 1.18-next
+target_version: 1.17-next
+---
+ src/aclocal.m4 | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- src/aclocal.m4
++++ src/aclocal.m4
+@@ -13,11 +13,7 @@ fi
+ ac_topdir=$srcdir/$ac_reltopdir
+ ac_config_fragdir=$ac_reltopdir/config
+ # echo "Looking for $srcdir/$ac_config_fragdir"
+-if test -d "$srcdir/$ac_config_fragdir"; then
+-  AC_CONFIG_AUX_DIR(K5_TOPDIR/config)
+-else
+-  AC_MSG_ERROR([can not find config/ directory in $ac_reltopdir])
+-fi
++AC_CONFIG_AUX_DIR(K5_TOPDIR/config)
+ ])dnl
+ dnl
+ dnl Version info.

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
index 15bd4e8cb41..8482b1acd95 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
@@ -65,6 +65,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-1.18-libressl.patch"
 	"${FILESDIR}/CVE-2020-28196.patch"
 	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+	"${FILESDIR}/${PN}-1.18.2-autoconf-2.70.patch"
 )
 
 MULTILIB_CHOST_TOOLS=(


^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2024-04-05  7:15 Eray Aslan
  0 siblings, 0 replies; 9+ messages in thread
From: Eray Aslan @ 2024-04-05  7:15 UTC (permalink / raw
  To: gentoo-commits

commit:     804b1075226d5093c6541db7837efd767ab08bb2
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Fri Apr  5 07:11:53 2024 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Fri Apr  5 07:11:53 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804b1075

app-crypt/mit-krb5: security cleanup

Bug: https://bugs.gentoo.org/917464
Signed-off-by: Eray Aslan <eras <AT> gentoo.org>

 app-crypt/mit-krb5/Manifest                        |   3 -
 .../files/mit-krb5-1.20-missing-time-include.patch |  20 ---
 .../files/mit-krb5-1.20.1-autoconf-2.72.patch      |  31 -----
 .../files/mit-krb5-config_LDFLAGS-r1.patch         |  12 --
 app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild          | 149 ---------------------
 app-crypt/mit-krb5/mit-krb5-1.20.2.ebuild          | 148 --------------------
 app-crypt/mit-krb5/mit-krb5-1.21.1.ebuild          | 146 --------------------
 7 files changed, 509 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 1ed2bb5561f7..1ce7821058e3 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,4 +1 @@
-DIST krb5-1.20.1.tar.gz 8661660 BLAKE2B ead16f8b1aec8bba3776628b74257c9aec891770c1fa6d5c5e66275db5f078ca59c9944cd2b017453b777ce080f8e5a322f735fab77691479cfad7b881b92830 SHA512 6f57479f13f107cd84f30de5c758eb6b9fc59171329c13e5da6073b806755f8d163eb7bd84767ea861ad6458ea0c9eeb00ee044d3bcad01ef136e9888564b6a2
-DIST krb5-1.20.2.tar.gz 8662259 BLAKE2B 35f9e82390b5ba7227d0b5c40ab08f128ff27e7264d48585e2bfd08a443cb4b06415216190a3c35c6bc505f33483bcbe11430d9e40c3907f838798b2dc492416 SHA512 69e263ef74116a3332c632a2a243499bcc47b01b1e57d02fe35aa6c2ff655674b6cf2b815457145f788bceac4d466d3f55f8c20ec9ee4a6051128417e1e7e99e
-DIST krb5-1.21.1.tar.gz 8623049 BLAKE2B d90a994b5d39dc88573e5cfca280565b0909b2e9aa8710a6d695e2c1faec37ea0c008d05894e8952dcf72348403f76fd8a124de8d8f34c70fad6de8866a92f0e SHA512 6f04216b0a151d6a9886bf009777bc95a7d3f9bcab30427cc8bbef3357e0130748c1d42b477be0eb2d469d9e0fb65bf5ac5ff05c22d6e1046795e161fe6afbcc
 DIST krb5-1.21.2.tar.gz 8622513 BLAKE2B 2afb3ff962a343bc07182fdab0c0ffb221632ff38baab74278cfc721ae72deacc260221470de36e420584f00b780e13221d2e511d4831bca8e1270b7f3d9e824 SHA512 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch b/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch
deleted file mode 100644
index a8a495699129..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.20-missing-time-include.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-https://github.com/krb5/krb5/commit/c3958cec43b598b25484b9805224c56f25f7a755
-https://bugs.gentoo.org/854561
-
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 29 Mar 2022 16:27:55 -0400
-Subject: [PATCH] Include time.h in kdb.h
-
-kdb.h uses time_t, and therefore must include <time.h> to ensure its
-definition.  Noticed when building t_sort_key_data.c on macOS.
---- a/include/kdb.h
-+++ b/include/kdb.h
-@@ -65,6 +65,7 @@
- #ifndef KRB5_KDB5__
- #define KRB5_KDB5__
- 
-+#include <time.h>
- #include <krb5.h>
- 
- /* This version will be incremented when incompatible changes are made to the
-

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch
deleted file mode 100644
index b55193bcc7fa..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-https://github.com/krb5/krb5/commit/d864d740d019fdf2c640460f2aa2760c7fa4d5e9
-
-From d864d740d019fdf2c640460f2aa2760c7fa4d5e9 Mon Sep 17 00:00:00 2001
-From: Julien Rische <jrische@redhat.com>
-Date: Thu, 17 Nov 2022 15:01:24 +0100
-Subject: [PATCH] Fix aclocal.m4 syntax error for autoconf 2.72
-
-An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf
-versions up to 2.71, but will cause an error at configure time with
-the forthcoming autoconf 2.72.
-
-[ghudson@mit.edu: added more context to commit message]
-
-ticket: 9077 (new)
-tags: pullup
-target_version: 1.20-next
-target_version: 1.19-next
---- a/aclocal.m4
-+++ b/aclocal.m4
-@@ -409,8 +409,8 @@ else
-       [[struct sockaddr_in6 in;
-         AF_INET6;
-         IN6_IS_ADDR_LINKLOCAL(&in.sin6_addr);]])],
--    [krb5_cv_inet6=yes], [krb5_cv_inet6=no])])
--fi
-+    [krb5_cv_inet6=yes], [krb5_cv_inet6=no])
-+fi])
- AC_MSG_RESULT($krb5_cv_inet6)
- if test "$krb5_cv_inet6" = no && test "$ac_cv_func_inet_ntop" = yes; then
- AC_MSG_CHECKING(for IPv6 compile-time support with -DINET6)
-

diff --git a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch b/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch
deleted file mode 100644
index 39bac974afca..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Bug #448778
---- a/build-tools/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
-+++ b/build-tools/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
-@@ -217,7 +217,7 @@
- 	    -e 's#\$(PROG_RPATH)#'$libdir'#' \
- 	    -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
- 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
--	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-+	    -e 's#\$(LDFLAGS)##' \
- 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
- 	    -e 's#\$(CFLAGS)##'`
- 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild
deleted file mode 100644
index f3e57fc338b9..000000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild
+++ /dev/null
@@ -1,149 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{9..11} )
-inherit autotools python-any-r1 systemd toolchain-funcs multilib-minimal
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ~ppc ppc64 ~riscv ~s390 sparc x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
-
-RESTRICT="!test? ( test )"
-
-DEPEND="
-	!!app-crypt/heimdal
-	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-	lmdb? ( dev-db/lmdb:= )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1:=[${MULTILIB_USEDEP}] )
-	pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-	xinetd? ( sys-apps/xinetd )
-	"
-BDEPEND="
-	${PYTHON_DEPS}
-	app-alternatives/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? ( dev-util/cmocka )
-	"
-RDEPEND="${DEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-PATCHES=(
-	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}_dont_create_rundir.patch"
-	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
-	"${FILESDIR}/${PN}-1.20-missing-time-include.patch"
-	"${FILESDIR}/${PN}-1.20.1-autoconf-2.72.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	default
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
-
-	eautoreconf
-}
-
-multilib_src_configure() {
-	ECONF_SOURCE=${S} \
-	AR="$(tc-getAR)" \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		$(use_with lmdb) \
-		$(use_with keyutils) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.20.2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.20.2.ebuild
deleted file mode 100644
index cefab2c0bef0..000000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.20.2.ebuild
+++ /dev/null
@@ -1,148 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit autotools python-any-r1 systemd toolchain-funcs multilib-minimal
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
-
-RESTRICT="!test? ( test )"
-
-DEPEND="
-	!!app-crypt/heimdal
-	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-	lmdb? ( dev-db/lmdb:= )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1:=[${MULTILIB_USEDEP}] )
-	pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-	xinetd? ( sys-apps/xinetd )
-	"
-BDEPEND="
-	${PYTHON_DEPS}
-	app-alternatives/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? ( dev-util/cmocka )
-	"
-RDEPEND="${DEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-PATCHES=(
-	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
-	"${FILESDIR}/${PN}_dont_create_rundir.patch"
-	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
-	"${FILESDIR}/${PN}-1.20-missing-time-include.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	default
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
-
-	eautoreconf
-}
-
-multilib_src_configure() {
-	ECONF_SOURCE=${S} \
-	AR="$(tc-getAR)" \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		$(use_with lmdb) \
-		$(use_with keyutils) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.21.1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.21.1.ebuild
deleted file mode 100644
index c941459ad5db..000000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.21.1.ebuild
+++ /dev/null
@@ -1,146 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit autotools python-any-r1 systemd toolchain-funcs multilib-minimal
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
-
-RESTRICT="!test? ( test )"
-
-DEPEND="
-	!!app-crypt/heimdal
-	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-	lmdb? ( dev-db/lmdb:= )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1:=[${MULTILIB_USEDEP}] )
-	pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-	xinetd? ( sys-apps/xinetd )
-	"
-BDEPEND="
-	${PYTHON_DEPS}
-	app-alternatives/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? ( dev-util/cmocka )
-	"
-RDEPEND="${DEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-PATCHES=(
-	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	"${FILESDIR}/${PN}_dont_create_rundir.patch"
-	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
-)
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	default
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
-
-	eautoreconf
-}
-
-multilib_src_configure() {
-	ECONF_SOURCE=${S} \
-	AR="$(tc-getAR)" \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		$(use_with lmdb) \
-		$(use_with keyutils) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}


^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2022-01-05  9:57 Eray Aslan
  0 siblings, 0 replies; 9+ messages in thread
From: Eray Aslan @ 2022-01-05  9:57 UTC (permalink / raw
  To: gentoo-commits

commit:     16e1279e1a0b87ab89031972ea5b9f5136a67e76
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Wed Jan  5 09:56:43 2022 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Wed Jan  5 09:56:43 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16e1279e

app-crypt/mit-krb5: security bump

Bug: https://bugs.gentoo.org/809845
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Eray Aslan <eras <AT> gentoo.org>

 .../mit-krb5/files/mit-krb5-CVE-2021-37750.patch   |  43 ++++++
 app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild       | 165 +++++++++++++++++++++
 2 files changed, 208 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
new file mode 100644
index 000000000000..2f4c949e9f31
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
@@ -0,0 +1,43 @@
+From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 3 Aug 2021 01:15:27 -0400
+Subject: [PATCH] Fix KDC null deref on TGS inner body null server
+
+After the KDC decodes a FAST inner body, it does not check for a null
+server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
+would typically result in an error from krb5_unparse_name(), but with
+the addition of get_local_tgt() it results in a null dereference.  Add
+a null check.
+
+Reported by Joseph Sutton of Catalyst.
+
+CVE-2021-37750:
+
+In MIT krb5 releases 1.14 and later, an authenticated attacker can
+cause a null dereference in the KDC by sending a FAST TGS request with
+no server field.
+
+ticket: 9008 (new)
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+---
+ src/kdc/do_tgs_req.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 582e497cc9..32dc65fa8e 100644
+--- a/kdc/do_tgs_req.c
++++ b/kdc/do_tgs_req.c
+@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+         status = "FIND_FAST";
+         goto cleanup;
+     }
++    if (sprinc == NULL) {
++        status = "NULL_SERVER";
++        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
++        goto cleanup;
++    }
+ 
+     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
+                             &local_tgt, &local_tgt_storage, &local_tgt_key);

diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild
new file mode 100644
index 000000000000..cd2e67613dd3
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.19.2-r2.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux +threads test xinetd"
+
+# some tests requires network access
+RESTRICT="test"
+
+DEPEND="
+	!!app-crypt/heimdal
+	|| (
+		>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
+		sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}]
+	)
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb )
+	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+	xinetd? ( sys-apps/xinetd )
+	"
+BDEPEND="
+	${PYTHON_DEPS}
+	virtual/yacc
+	cpu_flags_x86_aes? (
+		amd64? ( dev-lang/yasm )
+		x86? ( dev-lang/yasm )
+	)
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+		dev-util/cmocka
+	)"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+	"${FILESDIR}/${PN}_dont_create_rundir.patch"
+	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+	"${FILESDIR}/${PN}-CVE-2021-37750.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	default
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
+
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	ECONF_SOURCE=${S} \
+	AR="$(tc-getAR)" \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		$(use_with lmdb) \
+		$(use_with keyutils) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}


^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2021-01-20 20:47 Conrad Kostecki
  0 siblings, 0 replies; 9+ messages in thread
From: Conrad Kostecki @ 2021-01-20 20:47 UTC (permalink / raw
  To: gentoo-commits

commit:     04bdab0f9da07f3c3242281135914029efe44caf
Author:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 20 20:30:20 2021 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Wed Jan 20 20:47:22 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04bdab0f

app-crypt/mit-krb5: don't hardcode libpath

If libpath is hardcoded for 'krb5-config --libs' this will fail the
compilation on 32-bit systems.

Closes: https://bugs.gentoo.org/634126
Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../files/mit-krb5-1.18.2-krb5-config.patch        |  15 ++
 app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild       | 169 +++++++++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild       | 168 ++++++++++++++++++++
 3 files changed, 352 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch
new file mode 100644
index 00000000000..ec901ce9c31
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch
@@ -0,0 +1,15 @@
+--- a/build-tools/krb5-config.in
++++ b/build-tools/krb5-config.in
+@@ -208,12 +208,6 @@
+ 
+ 
+ if test -n "$do_libs"; then
+-    # Assumes /usr/lib is the standard library directory everywhere...
+-    if test "$libdir" = /usr/lib; then
+-	libdirarg=
+-    else
+-	libdirarg="-L$libdir"
+-    fi
+     # Ugly gross hack for our build tree
+     lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \
+ 	    -e 's/\$(PURE)//' \

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
new file mode 100644
index 00000000000..7bbe482d448
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild
@@ -0,0 +1,169 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7,8,9} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite requires network access
+RESTRICT="test"
+
+DEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb )
+	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	"
+BDEPEND="
+	${PYTHON_DEPS}
+	virtual/yacc
+	cpu_flags_x86_aes? (
+		amd64? ( dev-lang/yasm )
+		x86? ( dev-lang/yasm )
+	)
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+		dev-util/cmocka
+	)"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
+	"${FILESDIR}/${PN}_dont_create_run.patch"
+	"${FILESDIR}/${PN}-1.18-libressl.patch"
+	"${FILESDIR}/CVE-2020-28196.patch"
+	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	default
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
+
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		$(use_with lmdb) \
+		$(use_with keyutils) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath \
+		\
+		AR="$(tc-getAR)"
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild
new file mode 100644
index 00000000000..b1742386374
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild
@@ -0,0 +1,168 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7,8,9} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite requires network access
+RESTRICT="test"
+
+DEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb )
+	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	"
+BDEPEND="
+	${PYTHON_DEPS}
+	virtual/yacc
+	cpu_flags_x86_aes? (
+		amd64? ( dev-lang/yasm )
+		x86? ( dev-lang/yasm )
+	)
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+		dev-util/cmocka
+	)"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
+	"${FILESDIR}/${PN}_dont_create_run.patch"
+	"${FILESDIR}/${PN}-1.18-libressl.patch"
+	"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	default
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
+
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		$(use_with lmdb) \
+		$(use_with keyutils) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath \
+		\
+		AR="$(tc-getAR)"
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}


^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2019-09-28 18:27 Matt Turner
  0 siblings, 0 replies; 9+ messages in thread
From: Matt Turner @ 2019-09-28 18:27 UTC (permalink / raw
  To: gentoo-commits

commit:     bd1940d2e752a50a37710fcec0984fc1ff0234e7
Author:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Sat Sep 28 18:25:58 2019 +0000
Commit:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Sat Sep 28 18:27:13 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd1940d2

app-crypt/mit-krb5: Drop old versions

Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>

 app-crypt/mit-krb5/Manifest                        |   4 -
 app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch  | 297 ---------------------
 .../mit-krb5/files/mit-krb5-1.16.3-libressl.patch  | 101 -------
 .../mit-krb5/files/mit-krb5-config_LDFLAGS.patch   |  12 -
 .../files/mit-krb5-libressl-version-check.patch    |  31 ---
 app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild         | 154 -----------
 app-crypt/mit-krb5/mit-krb5-1.16.1.ebuild          | 153 -----------
 app-crypt/mit-krb5/mit-krb5-1.16.2.ebuild          | 161 -----------
 app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild          | 161 -----------
 9 files changed, 1074 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 0911382bd22..4b2ab0c10a3 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,5 +1 @@
-DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 16bdd7d6d03ddbd4b070663c3a7a3d2331d54e8590b24f1dc162be2531bfbbbd65878d426a160c65ffc1ba4751f16bbbd177a8a91c01002fde0e886cc1bd91b9 SHA512 fa4ec14a4ffe690861e2dd7ea39d7698af2058ce181bb733ea891f80279f4dde4bb891adec5ccb0eaddf737306e6ceb1fe3744a2946e6189a7d7d2dd3bc5ba84
-DIST krb5-1.16.2.tar.gz 9652415 BLAKE2B 21c4d56e43476a9b87a4ca9a8b7d0dd5739d3d70731fb4727de5ae248d8638e2016581cd2462f5e2ec7950d9e216aa165199505e581fa10db81ce26062fc097e SHA512 738c071a90e0f38680bb17bdcf950310bc4549f3cb851e1d34de11239ae88178e6ee1a5e5d48c6d3efef544339b07d22dba5347dd763a4266d8d4df7cf47afc9
-DIST krb5-1.16.3.tar.gz 9656985 BLAKE2B 92e6d2b5f27e80f495d7bb3fb64acfb03530156fb8e1a07dbc8d045616fd2ac4be8047d844580e3aa01d5e8b733ceea9024290dcc53b691696201f02a31e3034 SHA512 77da5f8bb19108e158c3df5a17b9141b7cbbae7d01f9f0dca5c504dc4b468953d67a1f4566bed5a062d8ff8e0d80796094dea12d2e45bdda810a1633bb08318d
-DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9
 DIST krb5-1.17.tar.gz 8761763 BLAKE2B 76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014 SHA512 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52

diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
deleted file mode 100644
index 114cfe688e7..00000000000
--- a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
+++ /dev/null
@@ -1,297 +0,0 @@
-diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 2420f2c2be..a59a65e8f6 100644
---- a/src/lib/kadm5/srv/svr_principal.c
-+++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
-         return KADM5_BAD_MASK;
-     if((mask & ~ALL_PRINC_MASK))
-         return KADM5_BAD_MASK;
-+    if (mask & KADM5_TL_DATA) {
-+        for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
-+             tl_data_tail = tl_data_tail->tl_data_next) {
-+            if (tl_data_tail->tl_data_type < 256)
-+                return KADM5_BAD_TL_TYPE;
-+        }
-+    }
- 
-     /*
-      * Check to see if the principal exists
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-index 535a1f309e..8b8420faa9 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
-@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op);
- #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
- #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
- 
--#define  KDB_TL_USER_INFO      0x7ffe
-+#define  KDB_TL_USER_INFO      0xff
- 
- #define KDB_TL_PRINCTYPE          0x01
- #define KDB_TL_PRINCCOUNT         0x02
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 88a1704950..b7c9212cb2 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
-     return ret;
- }
- 
-+static krb5_error_code
-+check_dn_in_container(krb5_context context, const char *dn,
-+                      char *const *subtrees, unsigned int ntrees)
-+{
-+    unsigned int i;
-+    size_t dnlen = strlen(dn), stlen;
-+
-+    for (i = 0; i < ntrees; i++) {
-+        if (subtrees[i] == NULL || *subtrees[i] == '\0')
-+            return 0;
-+        stlen = strlen(subtrees[i]);
-+        if (dnlen >= stlen &&
-+            strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 &&
-+            (dnlen == stlen || dn[dnlen - stlen - 1] == ','))
-+            return 0;
-+    }
-+
-+    k5_setmsg(context, EINVAL, _("DN is out of the realm subtree"));
-+    return EINVAL;
-+}
-+
-+static krb5_error_code
-+check_dn_exists(krb5_context context,
-+                krb5_ldap_server_handle *ldap_server_handle,
-+                const char *dn, krb5_boolean nonkrb_only)
-+{
-+    krb5_error_code st = 0, tempst;
-+    krb5_ldap_context *ldap_context = context->dal_handle->db_context;
-+    LDAP *ld = ldap_server_handle->ldap_handle;
-+    LDAPMessage *result = NULL, *ent;
-+    char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL };
-+    char **values;
-+
-+    LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS);
-+    if (st != LDAP_SUCCESS)
-+        return set_ldap_error(context, st, OP_SEARCH);
-+
-+    ent = ldap_first_entry(ld, result);
-+    CHECK_NULL(ent);
-+
-+    values = ldap_get_values(ld, ent, "krbticketpolicyreference");
-+    if (values != NULL)
-+        ldap_value_free(values);
-+
-+    values = ldap_get_values(ld, ent, "krbprincipalname");
-+    if (values != NULL) {
-+        ldap_value_free(values);
-+        if (nonkrb_only) {
-+            st = EINVAL;
-+            k5_setmsg(context, st, _("ldap object is already kerberized"));
-+            goto cleanup;
-+        }
-+    }
-+
-+cleanup:
-+    ldap_msgfree(result);
-+    return st;
-+}
-+
-+static krb5_error_code
-+validate_xargs(krb5_context context,
-+               krb5_ldap_server_handle *ldap_server_handle,
-+               const xargs_t *xargs, const char *standalone_dn,
-+               char *const *subtrees, unsigned int ntrees)
-+{
-+    krb5_error_code st;
-+
-+    if (xargs->dn != NULL) {
-+        /* The supplied dn must be within a realm container. */
-+        st = check_dn_in_container(context, xargs->dn, subtrees, ntrees);
-+        if (st)
-+            return st;
-+        /* The supplied dn must exist without Kerberos attributes. */
-+        st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE);
-+        if (st)
-+            return st;
-+    }
-+
-+    if (xargs->linkdn != NULL) {
-+        /* The supplied linkdn must be within a realm container. */
-+        st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees);
-+        if (st)
-+            return st;
-+        /* The supplied linkdn must exist. */
-+        st = check_dn_exists(context, ldap_server_handle, xargs->linkdn,
-+                             FALSE);
-+        if (st)
-+            return st;
-+    }
-+
-+    if (xargs->containerdn != NULL && standalone_dn != NULL) {
-+        /* standalone_dn (likely composed using containerdn) must be within a
-+         * container. */
-+        st = check_dn_in_container(context, standalone_dn, subtrees, ntrees);
-+        if (st)
-+            return st;
-+    }
-+
-+    return 0;
-+}
-+
- krb5_error_code
- krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
-                         char **db_args)
-@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
-     LDAPMessage                 *result=NULL, *ent=NULL;
-     char                        **subtreelist = NULL;
-     char                        *user=NULL, *subtree=NULL, *principal_dn=NULL;
--    char                        **values=NULL, *strval[10]={NULL}, errbuf[1024];
-+    char                        *strval[10]={NULL}, errbuf[1024];
-     char                        *filtuser=NULL;
-     struct berval               **bersecretkey=NULL;
-     LDAPMod                     **mods=NULL;
-     krb5_boolean                create_standalone=FALSE;
--    krb5_boolean                krb_identity_exists=FALSE, establish_links=FALSE;
-+    krb5_boolean                establish_links=FALSE;
-     char                        *standalone_principal_dn=NULL;
-     krb5_tl_data                *tl_data=NULL;
-     krb5_key_data               **keys=NULL;
-@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
-      * any of the subtrees
-      */
-     if (xargs.dn_from_kbd == TRUE) {
--        /* make sure the DN falls in the subtree */
--        int              dnlen=0, subtreelen=0;
--        char             *dn=NULL;
--        krb5_boolean     outofsubtree=TRUE;
--
--        if (xargs.dn != NULL) {
--            dn = xargs.dn;
--        } else if (xargs.linkdn != NULL) {
--            dn = xargs.linkdn;
--        } else if (standalone_principal_dn != NULL) {
--            /*
--             * Even though the standalone_principal_dn is constructed
--             * within this function, there is the containerdn input
--             * from the user that can become part of the it.
--             */
--            dn = standalone_principal_dn;
--        }
--
-         /* Get the current subtree list if we haven't already done so. */
-         if (subtreelist == NULL) {
-             st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees);
-@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
-                 goto cleanup;
-         }
- 
--        for (tre=0; tre<ntrees; ++tre) {
--            if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
--                outofsubtree = FALSE;
--                break;
--            } else {
--                dnlen = strlen (dn);
--                subtreelen = strlen(subtreelist[tre]);
--                if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
--                    outofsubtree = FALSE;
--                    break;
--                }
--            }
--        }
--
--        if (outofsubtree == TRUE) {
--            st = EINVAL;
--            k5_setmsg(context, st, _("DN is out of the realm subtree"));
-+        st = validate_xargs(context, ldap_server_handle, &xargs,
-+                            standalone_principal_dn, subtreelist, ntrees);
-+        if (st)
-             goto cleanup;
--        }
--
--        /*
--         * dn value will be set either by dn, linkdn or the standalone_principal_dn
--         * In the first 2 cases, the dn should be existing and in the last case we
--         * are supposed to create the ldap object. so the below should not be
--         * executed for the last case.
--         */
--
--        if (standalone_principal_dn == NULL) {
--            /*
--             * If the ldap object is missing, this results in an error.
--             */
--
--            /*
--             * Search for krbprincipalname attribute here.
--             * This is to find if a kerberos identity is already present
--             * on the ldap object, in which case adding a kerberos identity
--             * on the ldap object should result in an error.
--             */
--            char  *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
--
--            ldap_msgfree(result);
--            result = NULL;
--            LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
--            if (st == LDAP_SUCCESS) {
--                ent = ldap_first_entry(ld, result);
--                if (ent != NULL) {
--                    if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
--                        ldap_value_free(values);
--                    }
--
--                    if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
--                        krb_identity_exists = TRUE;
--                        ldap_value_free(values);
--                    }
--                }
--            } else {
--                st = set_ldap_error(context, st, OP_SEARCH);
--                goto cleanup;
--            }
--        }
--    }
--
--    /*
--     * If xargs.dn is set then the request is to add a
--     * kerberos principal on a ldap object, but if
--     * there is one already on the ldap object this
--     * should result in an error.
--     */
--
--    if (xargs.dn != NULL && krb_identity_exists == TRUE) {
--        st = EINVAL;
--        snprintf(errbuf, sizeof(errbuf),
--                 _("ldap object is already kerberized"));
--        k5_setmsg(context, st, "%s", errbuf);
--        goto cleanup;
-     }
- 
-     if (xargs.linkdn != NULL) {
-diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
-index 217f2cdc3b..6e563b1032 100755
---- a/src/tests/t_kdb.py
-+++ b/src/tests/t_kdb.py
-@@ -203,6 +203,12 @@ def ldap_add(dn, objectclass, attrs=[]):
- # in the test LDAP server.
- realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
-           expected_code=1, expected_msg='DN is out of the realm subtree')
-+# Check that the DN container check is a hierarchy test, not a simple
-+# suffix match (CVE-2018-5730).  We expect this operation to fail
-+# either way (because "xcn" isn't a valid DN tag) but the container
-+# check should happen before the DN is parsed.
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
-+          expected_code=1, expected_msg='DN is out of the realm subtree')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
- realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
-@@ -226,6 +232,11 @@ def ldap_add(dn, objectclass, attrs=[]):
-            'princ3'])
- realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
-           expected_code=1, expected_msg='containerdn option not supported')
-+# Verify that containerdn is checked when linkdn is also supplied
-+# (CVE-2018-5730).
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
-+           '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
-+          expected_msg='DN is out of the realm subtree')
- 
- # Create and modify a ticket policy.
- kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch
deleted file mode 100644
index 7a655fb9a1d..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001
-From: Stefan Strogin <stefan.strogin@gmail.com>
-Date: Thu, 25 Apr 2019 03:48:10 +0300
-Subject: [PATCH] Fix build for LibreSSL 2.9.x
-
-asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods
-are not defined. Define them.
-
-Upstream-Status: Pending
-[Needs to be amended if
-https://github.com/libressl-portable/openbsd/pull/109 is accepted]
-Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
----
- .../preauth/pkinit/pkinit_crypto_openssl.c    | 13 ++++++++----
- .../preauth/pkinit/pkinit_crypto_openssl.h    | 20 ++++++++++++++++++-
- 2 files changed, 28 insertions(+), 5 deletions(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 2064eb7bd..81d5d3cf2 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err);
-     (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 
--/* 1.1 standardizes constructor and destructor names, renaming
-- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
-+/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names,
-+ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
- 
-+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
- #define EVP_MD_CTX_new EVP_MD_CTX_create
- #define EVP_MD_CTX_free EVP_MD_CTX_destroy
- #define ASN1_STRING_get0_data ASN1_STRING_data
-+#endif
- 
- /* 1.1 makes many handle types opaque and adds accessors.  Add compatibility
-  * versions of the new accessors we use for pre-1.1. */
-@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err);
- #define OBJ_get0_data(o) ((o)->data)
- #define OBJ_length(o) ((o)->length)
- 
-+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
- #define DH_set0_pqg compat_dh_set0_pqg
- static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
- {
-@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub,
-     if (priv != NULL)
-         *priv = dh->priv_key;
- }
-+#endif /* LIBRESSL_VERSION_NUMBER */
- 
- /* Return true if the cert c includes a key usage which doesn't include u.
-  * Define using direct member access for pre-1.1. */
-@@ -3040,7 +3044,8 @@ cleanup:
-     return retval;
- }
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
-+  LIBRESSL_VERSION_NUMBER >= 0x2090000fL
- 
- /*
-  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-index 7411348fa..ac91408c4 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-@@ -46,7 +46,25 @@
- #include <openssl/asn1.h>
- #include <openssl/pem.h>
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
-+  LIBRESSL_VERSION_NUMBER >= 0x2090000fL
-+
-+#ifndef static_ASN1_SEQUENCE_END_name
-+#define static_ASN1_ITEM_start(itname) \
-+	static const ASN1_ITEM itname##_it = {
-+#define static_ASN1_SEQUENCE_END_name(stname, tname) \
-+	;\
-+	static_ASN1_ITEM_start(tname) \
-+		ASN1_ITYPE_SEQUENCE,\
-+		V_ASN1_SEQUENCE,\
-+		tname##_seq_tt,\
-+		sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-+		NULL,\
-+		sizeof(stname),\
-+		#stname \
-+	ASN1_ITEM_end(tname)
-+#endif /* !defined(static_ASN1_SEQUENCE_END_name) */
-+
- #include <openssl/asn1t.h>
- #else
- #include <openssl/asn1_mac.h>
--- 
-2.21.0
-

diff --git a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS.patch b/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS.patch
deleted file mode 100644
index 8490e629a37..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Bug #448778
---- a/src/build-tools/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
-+++ b/src/build-tools/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
-@@ -217,7 +217,7 @@
- 	    -e 's#\$(PROG_RPATH)#'$libdir'#' \
- 	    -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
- 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
--	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-+	    -e 's#\$(LDFLAGS)##' \
- 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
- 	    -e 's#\$(CFLAGS)##'`
- 

diff --git a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
deleted file mode 100644
index 5c979cfd1ef..00000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
+++ /dev/null
@@ -1,31 +0,0 @@
---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -191,7 +191,7 @@ pkinit_pkcs11_code_to_text(int err);
-     (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 
- /* 1.1 standardizes constructor and destructor names, renaming
-  * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
-@@ -3059,7 +3059,7 @@ cleanup:
-     return retval;
- }
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- 
- /*
-  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-@@ -46,7 +46,7 @@
- #include <openssl/asn1.h>
- #include <openssl/pem.h>
- 
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- #include <openssl/asn1t.h>
- #else
- #include <openssl/asn1_mac.h>

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
deleted file mode 100644
index 1953c395599..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
+++ /dev/null
@@ -1,154 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-PYTHON_COMPAT=( python2_7 )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
-
-MY_P="${P/mit-}"
-P_DIR=$(get_version_component_range 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 s390 ~sh sparc x86"
-IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
-
-# Test suite require network access
-RESTRICT="test"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	eapply -p2 "${FILESDIR}/CVE-2018-5729-5730.patch"
-	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
-
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
-
-	eapply_user
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16.1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16.1.ebuild
deleted file mode 100644
index 6e6edde5000..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.16.1.ebuild
+++ /dev/null
@@ -1,153 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-PYTHON_COMPAT=( python2_7 )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
-
-MY_P="${P/mit-}"
-P_DIR=$(get_version_component_range 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
-
-# Test suite require network access
-RESTRICT="test"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
-
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
-
-	eapply_user
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16.2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16.2.ebuild
deleted file mode 100644
index 75bb0cdbf0b..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.16.2.ebuild
+++ /dev/null
@@ -1,161 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-PYTHON_COMPAT=( python2_7 )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="cpu_flags_x86_aes doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
-
-# Test suite require network access
-RESTRICT="test"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )
-	"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-		dev-util/cmocka
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
-
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
-
-	eapply_user
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	rmdir "${ED}"/var/lib/{run/krb5kdc,run}
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild
deleted file mode 100644
index 9d8b9911639..00000000000
--- a/app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild
+++ /dev/null
@@ -1,161 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-PYTHON_COMPAT=( python2_7 )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/"
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="cpu_flags_x86_aes doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
-
-# Test suite require network access
-#RESTRICT="test"
-
-CDEPEND="
-	!!app-crypt/heimdal
-	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
-	|| (
-		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
-	)
-	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
-	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
-	pkinit? (
-		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
-		libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] )
-	)
-	xinetd? ( sys-apps/xinetd )
-	"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	virtual/yacc
-	cpu_flags_x86_aes? (
-		amd64? ( dev-lang/yasm )
-		x86? ( dev-lang/yasm )
-	)
-	doc? ( virtual/latex-base )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/tcl:0
-		dev-util/dejagnu
-		dev-util/cmocka
-	)"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-kerberos )"
-
-S=${WORKDIR}/${MY_P}/src
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/krb5-config
-)
-
-src_prepare() {
-	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
-	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
-	eapply -p2 "${FILESDIR}/${P}-libressl.patch"
-
-	# Make sure we always use the system copies.
-	rm -rf util/{et,ss,verto}
-	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
-
-	eapply_user
-	eautoreconf
-}
-
-src_configure() {
-	# QA
-	append-flags -fno-strict-aliasing
-	append-flags -fno-strict-overflow
-
-	multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
-	use keyutils || export ac_cv_header_keyutils_h=no
-	ECONF_SOURCE=${S} \
-	WARN_CFLAGS="set" \
-	econf \
-		$(use_with openldap ldap) \
-		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
-		$(use_enable nls) \
-		$(use_enable pkinit) \
-		$(use_enable threads thread-support) \
-		--without-hesiod \
-		--enable-shared \
-		--with-system-et \
-		--with-system-ss \
-		--enable-dns-for-realm \
-		--enable-kdc-lookaside-cache \
-		--with-system-verto \
-		--disable-rpath
-}
-
-multilib_src_compile() {
-	emake -j1
-}
-
-multilib_src_test() {
-	multilib_is_native_abi && emake -j1 check
-}
-
-multilib_src_install() {
-	emake \
-		DESTDIR="${D}" \
-		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
-		install
-}
-
-multilib_src_install_all() {
-	# default database dir
-	keepdir /var/lib/krb5kdc
-
-	rmdir "${ED}"/var/lib/{run/krb5kdc,run}
-
-	cd ..
-	dodoc README
-
-	if use doc; then
-		dodoc -r doc/html
-		docinto pdf
-		dodoc doc/pdf/*.pdf
-	fi
-
-	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
-	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
-	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
-	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
-	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
-	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
-
-	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
-	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
-
-	insinto /etc
-	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
-	insinto /var/lib/krb5kdc
-	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
-
-	if use openldap ; then
-		insinto /etc/openldap/schema
-		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
-	fi
-
-	if use xinetd ; then
-		insinto /etc/xinetd.d
-		newins "${FILESDIR}/kpropd.xinetd" kpropd
-	fi
-}


^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2019-06-20 11:08 Eray Aslan
  0 siblings, 0 replies; 9+ messages in thread
From: Eray Aslan @ 2019-06-20 11:08 UTC (permalink / raw
  To: gentoo-commits

commit:     2bacefac07dbccfa01942e1ec9245d6cbd598268
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Thu Jun 20 11:07:51 2019 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Thu Jun 20 11:07:51 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bacefac

app-crypt/mit-krb5: bump to 1.17

Closes: https://bugs.gentoo.org/687730
Package-Manager: Portage-2.3.67, Repoman-2.3.15
Signed-off-by: Eray Aslan <eras <AT> gentoo.org>

 app-crypt/mit-krb5/Manifest                        |   1 +
 .../files/mit-krb5-1.16.3-libressl-r1.patch        | 101 +++++++++++++
 .../files/mit-krb5-config_LDFLAGS-r1.patch         |  12 ++
 app-crypt/mit-krb5/metadata.xml                    |   9 +-
 app-crypt/mit-krb5/mit-krb5-1.17.ebuild            | 165 +++++++++++++++++++++
 5 files changed, 284 insertions(+), 4 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 3d33ce756db..0911382bd22 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -2,3 +2,4 @@ DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 16bdd7d6d03ddbd4b070663c3a7a3d2331d54e85
 DIST krb5-1.16.2.tar.gz 9652415 BLAKE2B 21c4d56e43476a9b87a4ca9a8b7d0dd5739d3d70731fb4727de5ae248d8638e2016581cd2462f5e2ec7950d9e216aa165199505e581fa10db81ce26062fc097e SHA512 738c071a90e0f38680bb17bdcf950310bc4549f3cb851e1d34de11239ae88178e6ee1a5e5d48c6d3efef544339b07d22dba5347dd763a4266d8d4df7cf47afc9
 DIST krb5-1.16.3.tar.gz 9656985 BLAKE2B 92e6d2b5f27e80f495d7bb3fb64acfb03530156fb8e1a07dbc8d045616fd2ac4be8047d844580e3aa01d5e8b733ceea9024290dcc53b691696201f02a31e3034 SHA512 77da5f8bb19108e158c3df5a17b9141b7cbbae7d01f9f0dca5c504dc4b468953d67a1f4566bed5a062d8ff8e0d80796094dea12d2e45bdda810a1633bb08318d
 DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9
+DIST krb5-1.17.tar.gz 8761763 BLAKE2B 76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014 SHA512 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch
new file mode 100644
index 00000000000..ca74b88bb0f
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch
@@ -0,0 +1,101 @@
+From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001
+From: Stefan Strogin <stefan.strogin@gmail.com>
+Date: Thu, 25 Apr 2019 03:48:10 +0300
+Subject: [PATCH] Fix build for LibreSSL 2.9.x
+
+asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods
+are not defined. Define them.
+
+Upstream-Status: Pending
+[Needs to be amended if
+https://github.com/libressl-portable/openbsd/pull/109 is accepted]
+Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c    | 13 ++++++++----
+ .../preauth/pkinit/pkinit_crypto_openssl.h    | 20 ++++++++++++++++++-
+ 2 files changed, 28 insertions(+), 5 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 2064eb7bd..81d5d3cf2 100644
+--- a/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err);
+     (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+-/* 1.1 standardizes constructor and destructor names, renaming
+- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
++/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names,
++ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
+ 
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
+ #define EVP_MD_CTX_new EVP_MD_CTX_create
+ #define EVP_MD_CTX_free EVP_MD_CTX_destroy
+ #define ASN1_STRING_get0_data ASN1_STRING_data
++#endif
+ 
+ /* 1.1 makes many handle types opaque and adds accessors.  Add compatibility
+  * versions of the new accessors we use for pre-1.1. */
+@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err);
+ #define OBJ_get0_data(o) ((o)->data)
+ #define OBJ_length(o) ((o)->length)
+ 
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
+ #define DH_set0_pqg compat_dh_set0_pqg
+ static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+ {
+@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM **pub,
+     if (priv != NULL)
+         *priv = dh->priv_key;
+ }
++#endif /* LIBRESSL_VERSION_NUMBER */
+ 
+ /* Return true if the cert c includes a key usage which doesn't include u.
+  * Define using direct member access for pre-1.1. */
+@@ -3040,7 +3044,8 @@ cleanup:
+     return retval;
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
++  LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+ 
+ /*
+  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+index 7411348fa..ac91408c4 100644
+--- a/plugins/preauth/pkinit/pkinit_crypto_openssl.h
++++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+@@ -46,7 +46,25 @@
+ #include <openssl/asn1.h>
+ #include <openssl/pem.h>
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
++  LIBRESSL_VERSION_NUMBER >= 0x2090000fL
++
++#ifndef static_ASN1_SEQUENCE_END_name
++#define static_ASN1_ITEM_start(itname) \
++	static const ASN1_ITEM itname##_it = {
++#define static_ASN1_SEQUENCE_END_name(stname, tname) \
++	;\
++	static_ASN1_ITEM_start(tname) \
++		ASN1_ITYPE_SEQUENCE,\
++		V_ASN1_SEQUENCE,\
++		tname##_seq_tt,\
++		sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
++		NULL,\
++		sizeof(stname),\
++		#stname \
++	ASN1_ITEM_end(tname)
++#endif /* !defined(static_ASN1_SEQUENCE_END_name) */
++
+ #include <openssl/asn1t.h>
+ #else
+ #include <openssl/asn1_mac.h>
+-- 
+2.21.0
+

diff --git a/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch b/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch
new file mode 100644
index 00000000000..39bac974afc
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-config_LDFLAGS-r1.patch
@@ -0,0 +1,12 @@
+Bug #448778
+--- a/build-tools/krb5-config.in	2012-12-18 02:47:04.000000000 +0000
++++ b/build-tools/krb5-config.in	2012-12-28 07:13:16.582693363 +0000
+@@ -217,7 +217,7 @@
+ 	    -e 's#\$(PROG_RPATH)#'$libdir'#' \
+ 	    -e 's#\$(PROG_LIBPATH)#'$libdirarg'#' \
+ 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+-	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
++	    -e 's#\$(LDFLAGS)##' \
+ 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ 	    -e 's#\$(CFLAGS)##'`
+ 

diff --git a/app-crypt/mit-krb5/metadata.xml b/app-crypt/mit-krb5/metadata.xml
index 25333874398..70f026233c9 100644
--- a/app-crypt/mit-krb5/metadata.xml
+++ b/app-crypt/mit-krb5/metadata.xml
@@ -10,11 +10,12 @@
   <flag name="doc">
     Creates and installs the API and implementation
     documentation. This is only useful if you want to develop software
-    which depends on kerberos.
+    which depends on kerberos
   </flag>
-  <flag name="keyutils">Enable for the keyring ccache using keyutils.</flag>
-  <flag name="pkinit">Enable pkinit support for the initial ticket.</flag>
-  <flag name="openldap">Enable support for ldap as a database backend.</flag>
+  <flag name="keyutils">Enable for the keyring ccache using keyutils</flag>
+  <flag name="lmdb">Add support for using dev-db/lmdb for lookup tables</flag>
+  <flag name="pkinit">Enable pkinit support for the initial ticket</flag>
+  <flag name="openldap">Enable support for ldap as a database backend</flag>
 </use>
 <upstream>
   <remote-id type="cpe">cpe:/a:mit:kerberos</remote-id>

diff --git a/app-crypt/mit-krb5/mit-krb5-1.17.ebuild b/app-crypt/mit-krb5/mit-krb5-1.17.ebuild
new file mode 100644
index 00000000000..f1ff44b3a29
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.17.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{5,6,7} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite requires network access
+RESTRICT="test"
+
+CDEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb )
+	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	virtual/yacc
+	cpu_flags_x86_aes? (
+		amd64? ( dev-lang/yasm )
+		x86? ( dev-lang/yasm )
+	)
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+		dev-util/cmocka
+	)"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	default
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use keyutils || export ac_cv_header_keyutils_h=no
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		$(use_with lmdb) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	rmdir "${ED}"/var/lib/{run/krb5kdc,run}
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}


^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2016-12-22 22:36 Mike Frysinger
  0 siblings, 0 replies; 9+ messages in thread
From: Mike Frysinger @ 2016-12-22 22:36 UTC (permalink / raw
  To: gentoo-commits

commit:     acab2831eac296a423c8204013f0290f2c4f3b5b
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 22 22:34:28 2016 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Dec 22 22:36:01 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acab2831

app-crypt/mit-krb5: respect USE=nls

Patch from Chromium OS.

 .../files/mit-krb5-1.14.4-disable-nls.patch        | 45 ++++++++++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild          |  4 +-
 app-crypt/mit-krb5/mit-krb5-1.15.ebuild            |  4 +-
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch
new file mode 100644
index 00000000..63cb0fc
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch
@@ -0,0 +1,45 @@
+Adds support for --(enable|disable)-nls configure option.
+
+This enables\disables the generation of language files and
+sets the ENABLE_NLS define appropriately.
+
+Default value is enabled to preserve current behavior.
+
+Patch by Zentaro Kavanagh <zentaro@google.com>
+https://crbug.com/654842
+
+https://github.com/krb5/krb5/pull/584
+
+--- src/configure.in
++++ src/configure.in
+@@ -118,15 +118,22 @@
+ ])
+ AC_SUBST(LIBUTIL)
+ 
+-AC_CHECK_HEADER(libintl.h, [
+-	AC_SEARCH_LIBS(dgettext, intl, [
+-		AC_DEFINE(ENABLE_NLS, 1,
+-			[Define if translation functions should be used.])])])
+-
+-AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
++# Determine if NLS is desired and supported.
+ po=
+-if test x"$MSGFMT" != x; then
+-	po=po
++AC_ARG_ENABLE([nls],
++AC_HELP_STRING([--disable-nls],
++               [Disable Native Language Support(NLS).]), ,
++               enableval=yes)
++if test "$enableval" = yes ; then
++        AC_CHECK_HEADER(libintl.h, [
++                AC_SEARCH_LIBS(dgettext, intl, [
++                        AC_DEFINE(ENABLE_NLS, 1,
++                                [Define if translation functions should be used.])])])
++
++        AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
++        if test x"$MSGFMT" != x; then
++                po=po
++        fi
+ fi
+ AC_SUBST(po)
+ 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
index 0eff67b..5662c02 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
@@ -16,7 +16,7 @@ SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
 LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
 
 CDEPEND="
 	!!app-crypt/heimdal
@@ -59,6 +59,7 @@ src_prepare() {
 	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
 	epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
+	epatch "${FILESDIR}/${PN}-1.14.4-disable-nls.patch"
 
 	# Make sure we always use the system copies.
 	rm -rf util/{et,ss,verto}
@@ -82,6 +83,7 @@ multilib_src_configure() {
 	econf \
 		$(use_with openldap ldap) \
 		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
 		$(use_enable pkinit) \
 		$(use_enable threads thread-support) \
 		--without-hesiod \

diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.ebuild b/app-crypt/mit-krb5/mit-krb5-1.15.ebuild
index 8d0ae5b..0859120 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.15.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.15.ebuild
@@ -16,7 +16,7 @@ SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
 LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-IUSE="doc +keyutils libressl openldap +pkinit selinux +threads test xinetd"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
 
 CDEPEND="
 	!!app-crypt/heimdal
@@ -59,6 +59,7 @@ src_prepare() {
 	eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
 	eapply -p0 "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
+	eapply "${FILESDIR}/${PN}-1.14.4-disable-nls.patch"
 
 	# Make sure we always use the system copies.
 	rm -rf util/{et,ss,verto}
@@ -83,6 +84,7 @@ multilib_src_configure() {
 	econf \
 		$(use_with openldap ldap) \
 		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
 		$(use_enable pkinit) \
 		$(use_enable threads thread-support) \
 		--without-hesiod \


^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2016-11-16 23:21 Mike Frysinger
  0 siblings, 0 replies; 9+ messages in thread
From: Mike Frysinger @ 2016-11-16 23:21 UTC (permalink / raw
  To: gentoo-commits

commit:     e506143656e90f7f705f9727d128d176e1700b2a
Author:     Zentaro Kavanagh <zentaro <AT> google <DOT> com>
AuthorDate: Wed Nov 16 23:21:13 2016 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Nov 16 23:21:13 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5061436

app-crypt/mit-krb5: fix clang build due to ttyname redecl

 .../files/mit-krb5-1.14.2-redeclared-ttyname.patch | 26 ++++++++++++++++++++++
 app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild          |  1 +
 app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild          |  1 +
 app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild          |  1 +
 4 files changed, 29 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch
new file mode 100644
index 00000000..a76cd3a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch
@@ -0,0 +1,26 @@
+Fixes the redeclaration of ttyname which was preventing
+enabling clang fortify.
+
+The error was;
+
+main.c:858:15: error: redeclaration of 'ttyname' must have the 'overloadable' attribute
+    char *p, *ttyname();
+              ^
+/build/samus/usr/include/unistd.h:784:14: note: previous overload of function is here
+extern char *ttyname (int __fd) __THROW __CLANG_NO_MANGLE (ttyname);
+
+https://github.com/krb5/krb5/pull/568
+
+Patch by Zentaro Kavanagh <zentaro@google.com>
+
+--- clients/ksu/main.c
++++ clients/ksu/main.c
+@@ -855,7 +855,7 @@
+ 
+ static char * ontty()
+ {
+-    char *p, *ttyname();
++    char *p;
+     static char buf[MAXPATHLEN + 5];
+     int result;
+ 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild
index 60d7a5b..8a3c7c3 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.14.2.ebuild
@@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=(
 src_prepare() {
 	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
 
 	eautoreconf
 }

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild
index 4a050dd..0a8a335 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.14.3.ebuild
@@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=(
 src_prepare() {
 	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
 
 	eautoreconf
 }

diff --git a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
index 9e30788..0eff67b 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.14.4.ebuild
@@ -58,6 +58,7 @@ MULTILIB_CHOST_TOOLS=(
 src_prepare() {
 	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	epatch "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
 
 	# Make sure we always use the system copies.
 	rm -rf util/{et,ss,verto}


^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/
@ 2015-10-29  4:37 Eray Aslan
  0 siblings, 0 replies; 9+ messages in thread
From: Eray Aslan @ 2015-10-29  4:37 UTC (permalink / raw
  To: gentoo-commits

commit:     dbd92e7f768c3f799be7f7f9e4b0cd3b7282bff3
Author:     Eray Aslan <eras <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 29 04:37:30 2015 +0000
Commit:     Eray Aslan <eras <AT> gentoo <DOT> org>
CommitDate: Thu Oct 29 04:37:30 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbd92e7f

app-crypt/mit-krb5: security bump

Gentoo-Bug: 564304

Package-Manager: portage-2.2.23

 app-crypt/mit-krb5/files/CVE-2015-2695.patch | 564 +++++++++++++++++++++
 app-crypt/mit-krb5/files/CVE-2015-2696.patch | 731 +++++++++++++++++++++++++++
 app-crypt/mit-krb5/files/CVE-2015-2697.patch |  50 ++
 app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild |   3 +
 4 files changed, 1348 insertions(+)

diff --git a/app-crypt/mit-krb5/files/CVE-2015-2695.patch b/app-crypt/mit-krb5/files/CVE-2015-2695.patch
new file mode 100644
index 0000000..08bc8ab
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2015-2695.patch
@@ -0,0 +1,564 @@
+From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Mon, 14 Sep 2015 12:27:52 -0400
+Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
+
+The SPNEGO mechanism currently replaces its context handle with the
+mechanism context handle upon establishment, under the assumption that
+most GSS functions are only called after context establishment.  This
+assumption is incorrect, and can lead to aliasing violations for some
+programs.  Maintain the SPNEGO context structure after context
+establishment and refer to it in all GSS methods.  Add initiate and
+opened flags to the SPNEGO context structure for use in
+gss_inquire_context() prior to context establishment.
+
+CVE-2015-2695:
+
+In MIT krb5 1.5 and later, applications which call
+gss_inquire_context() on a partially-established SPNEGO context can
+cause the GSS-API library to read from a pointer using the wrong type,
+generally causing a process crash.  This bug may go unnoticed, because
+the most common SPNEGO authentication scenario establishes the context
+after just one call to gss_accept_sec_context().  Java server
+applications using the native JGSS provider are vulnerable to this
+bug.  A carefully crafted SPNEGO packet might allow the
+gss_inquire_context() call to succeed with attacker-determined
+results, but applications should not make access control decisions
+based on gss_inquire_context() results prior to context establishment.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+[ghudson@mit.edu: several bugfixes, style changes, and edge-case
+behavior changes; commit message and CVE description]
+
+ticket: 8244
+target_version: 1.14
+tags: pullup
+---
+ src/lib/gssapi/spnego/gssapiP_spnego.h |   2 +
+ src/lib/gssapi/spnego/spnego_mech.c    | 254 ++++++++++++++++++++++++---------
+ 2 files changed, 192 insertions(+), 64 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
+index 57372de..5c82764 100644
+--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
++++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
+@@ -103,6 +103,8 @@ typedef struct {
+ 	int firstpass;
+ 	int mech_complete;
+ 	int nego_done;
++	int initiate;
++	int opened;
+ 	OM_uint32 ctx_flags;
+ 	gss_name_t internal_name;
+ 	gss_OID actual_mech;
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index ef76e1f..7849c85 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -102,7 +102,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
+ 				      gss_cred_usage_t, gss_OID_set *);
+ static void release_spnego_ctx(spnego_gss_ctx_id_t *);
+ static void check_spnego_options(spnego_gss_ctx_id_t);
+-static spnego_gss_ctx_id_t create_spnego_ctx(void);
++static spnego_gss_ctx_id_t create_spnego_ctx(int);
+ static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
+ static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
+ static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
+@@ -454,7 +454,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
+ }
+ 
+ static spnego_gss_ctx_id_t
+-create_spnego_ctx(void)
++create_spnego_ctx(int initiate)
+ {
+ 	spnego_gss_ctx_id_t spnego_ctx = NULL;
+ 	spnego_ctx = (spnego_gss_ctx_id_t)
+@@ -477,6 +477,8 @@ create_spnego_ctx(void)
+ 	spnego_ctx->mic_rcvd = 0;
+ 	spnego_ctx->mech_complete = 0;
+ 	spnego_ctx->nego_done = 0;
++	spnego_ctx->opened = 0;
++	spnego_ctx->initiate = initiate;
+ 	spnego_ctx->internal_name = GSS_C_NO_NAME;
+ 	spnego_ctx->actual_mech = GSS_C_NO_OID;
+ 
+@@ -642,7 +644,7 @@ init_ctx_new(OM_uint32 *minor_status,
+ 	OM_uint32 ret;
+ 	spnego_gss_ctx_id_t sc = NULL;
+ 
+-	sc = create_spnego_ctx();
++	sc = create_spnego_ctx(1);
+ 	if (sc == NULL)
+ 		return GSS_S_FAILURE;
+ 
+@@ -659,10 +661,7 @@ init_ctx_new(OM_uint32 *minor_status,
+ 		ret = GSS_S_FAILURE;
+ 		goto cleanup;
+ 	}
+-	/*
+-	 * The actual context is not yet determined, set the output
+-	 * context handle to refer to the spnego context itself.
+-	 */
++
+ 	sc->ctx_handle = GSS_C_NO_CONTEXT;
+ 	*ctx = (gss_ctx_id_t)sc;
+ 	sc = NULL;
+@@ -1108,16 +1107,11 @@ spnego_gss_init_sec_context(
+ 	}
+ 	gss_release_buffer(&tmpmin, &mechtok_out);
+ 	if (ret == GSS_S_COMPLETE) {
+-		/*
+-		 * Now, switch the output context to refer to the
+-		 * negotiated mechanism's context.
+-		 */
+-		*context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
++		spnego_ctx->opened = 1;
+ 		if (actual_mech != NULL)
+ 			*actual_mech = spnego_ctx->actual_mech;
+ 		if (ret_flags != NULL)
+ 			*ret_flags = spnego_ctx->ctx_flags;
+-		release_spnego_ctx(&spnego_ctx);
+ 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
+ 		if (spnego_ctx != NULL) {
+ 			gss_delete_sec_context(&tmpmin,
+@@ -1285,7 +1279,7 @@ acc_ctx_hints(OM_uint32 *minor_status,
+ 	if (ret != GSS_S_COMPLETE)
+ 		goto cleanup;
+ 
+-	sc = create_spnego_ctx();
++	sc = create_spnego_ctx(0);
+ 	if (sc == NULL) {
+ 		ret = GSS_S_FAILURE;
+ 		goto cleanup;
+@@ -1367,7 +1361,7 @@ acc_ctx_new(OM_uint32 *minor_status,
+ 		gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
+ 		assert(mech_wanted != GSS_C_NO_OID);
+ 	} else
+-		sc = create_spnego_ctx();
++		sc = create_spnego_ctx(0);
+ 	if (sc == NULL) {
+ 		ret = GSS_S_FAILURE;
+ 		*return_token = NO_TOKEN_SEND;
+@@ -1750,13 +1744,12 @@ spnego_gss_accept_sec_context(
+ 			ret = GSS_S_FAILURE;
+ 	}
+ 	if (ret == GSS_S_COMPLETE) {
+-		*context_handle = (gss_ctx_id_t)sc->ctx_handle;
++		sc->opened = 1;
+ 		if (sc->internal_name != GSS_C_NO_NAME &&
+ 		    src_name != NULL) {
+ 			*src_name = sc->internal_name;
+ 			sc->internal_name = GSS_C_NO_NAME;
+ 		}
+-		release_spnego_ctx(&sc);
+ 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
+ 		if (sc != NULL) {
+ 			gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+@@ -2069,8 +2062,13 @@ spnego_gss_unwrap(
+ 		gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap(minor_status,
+-			context_handle,
++			sc->ctx_handle,
+ 			input_message_buffer,
+ 			output_message_buffer,
+ 			conf_state,
+@@ -2090,8 +2088,13 @@ spnego_gss_wrap(
+ 		gss_buffer_t output_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap(minor_status,
+-		    context_handle,
++		    sc->ctx_handle,
+ 		    conf_req_flag,
+ 		    qop_req,
+ 		    input_message_buffer,
+@@ -2108,8 +2111,14 @@ spnego_gss_process_context_token(
+ 				const gss_buffer_t token_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	/* SPNEGO doesn't have its own context tokens. */
++	if (!sc->opened)
++		return (GSS_S_DEFECTIVE_TOKEN);
++
+ 	ret = gss_process_context_token(minor_status,
+-					context_handle,
++					sc->ctx_handle,
+ 					token_buffer);
+ 
+ 	return (ret);
+@@ -2133,19 +2142,9 @@ spnego_gss_delete_sec_context(
+ 	if (*ctx == NULL)
+ 		return (GSS_S_COMPLETE);
+ 
+-	/*
+-	 * If this is still an SPNEGO mech, release it locally.
+-	 */
+-	if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
+-		(void) gss_delete_sec_context(minor_status,
+-				    &(*ctx)->ctx_handle,
+-				    output_token);
+-		(void) release_spnego_ctx(ctx);
+-	} else {
+-		ret = gss_delete_sec_context(minor_status,
+-				    context_handle,
+-				    output_token);
+-	}
++	(void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle,
++				      output_token);
++	(void) release_spnego_ctx(ctx);
+ 
+ 	return (ret);
+ }
+@@ -2157,8 +2156,13 @@ spnego_gss_context_time(
+ 			OM_uint32	*time_rec)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_context_time(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    time_rec);
+ 	return (ret);
+ }
+@@ -2170,9 +2174,20 @@ spnego_gss_export_sec_context(
+ 			    gss_buffer_t interprocess_token)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle;
++
++	/* We don't currently support exporting partially established
++	 * contexts. */
++	if (!sc->opened)
++		return GSS_S_UNAVAILABLE;
++
+ 	ret = gss_export_sec_context(minor_status,
+-				    context_handle,
++				    &sc->ctx_handle,
+ 				    interprocess_token);
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
++		release_spnego_ctx(&sc);
++		*context_handle = GSS_C_NO_CONTEXT;
++	}
+ 	return (ret);
+ }
+ 
+@@ -2182,11 +2197,12 @@ spnego_gss_import_sec_context(
+ 	const gss_buffer_t	interprocess_token,
+ 	gss_ctx_id_t		*context_handle)
+ {
+-	OM_uint32 ret;
+-	ret = gss_import_sec_context(minor_status,
+-				    interprocess_token,
+-				    context_handle);
+-	return (ret);
++	/*
++	 * Until we implement partial context exports, there are no SPNEGO
++	 * exported context tokens, only tokens for underlying mechs.  So just
++	 * return an error for now.
++	 */
++	return GSS_S_UNAVAILABLE;
+ }
+ #endif /* LEAN_CLIENT */
+ 
+@@ -2203,16 +2219,48 @@ spnego_gss_inquire_context(
+ 			int		*opened)
+ {
+ 	OM_uint32 ret = GSS_S_COMPLETE;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (src_name != NULL)
++		*src_name = GSS_C_NO_NAME;
++	if (targ_name != NULL)
++		*targ_name = GSS_C_NO_NAME;
++	if (lifetime_rec != NULL)
++		*lifetime_rec = 0;
++	if (mech_type != NULL)
++		*mech_type = (gss_OID)gss_mech_spnego;
++	if (ctx_flags != NULL)
++		*ctx_flags = 0;
++	if (locally_initiated != NULL)
++		*locally_initiated = sc->initiate;
++	if (opened != NULL)
++		*opened = sc->opened;
++
++	if (sc->ctx_handle != GSS_C_NO_CONTEXT) {
++		ret = gss_inquire_context(minor_status, sc->ctx_handle,
++					  src_name, targ_name, lifetime_rec,
++					  mech_type, ctx_flags, NULL, NULL);
++	}
+ 
+-	ret = gss_inquire_context(minor_status,
+-				context_handle,
+-				src_name,
+-				targ_name,
+-				lifetime_rec,
+-				mech_type,
+-				ctx_flags,
+-				locally_initiated,
+-				opened);
++	if (!sc->opened) {
++		/*
++		 * We are still doing SPNEGO negotiation, so report SPNEGO as
++		 * the OID.  After negotiation is complete we will report the
++		 * underlying mechanism OID.
++		 */
++		if (mech_type != NULL)
++			*mech_type = (gss_OID)gss_mech_spnego;
++
++		/*
++		 * Remove flags we don't support with partially-established
++		 * contexts.  (Change this to keep GSS_C_TRANS_FLAG if we add
++		 * support for exporting partial SPNEGO contexts.)
++		 */
++		if (ctx_flags != NULL) {
++			*ctx_flags &= ~GSS_C_PROT_READY_FLAG;
++			*ctx_flags &= ~GSS_C_TRANS_FLAG;
++		}
++	}
+ 
+ 	return (ret);
+ }
+@@ -2227,8 +2275,13 @@ spnego_gss_wrap_size_limit(
+ 	OM_uint32	*max_input_size)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_size_limit(minor_status,
+-				context_handle,
++				sc->ctx_handle,
+ 				conf_req_flag,
+ 				qop_req,
+ 				req_output_size,
+@@ -2245,8 +2298,13 @@ spnego_gss_get_mic(
+ 		gss_buffer_t message_token)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_get_mic(minor_status,
+-		    context_handle,
++		    sc->ctx_handle,
+ 		    qop_req,
+ 		    message_buffer,
+ 		    message_token);
+@@ -2262,8 +2320,13 @@ spnego_gss_verify_mic(
+ 		gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_verify_mic(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    msg_buffer,
+ 			    token_buffer,
+ 			    qop_state);
+@@ -2278,8 +2341,14 @@ spnego_gss_inquire_sec_context_by_oid(
+ 		gss_buffer_set_t *data_set)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	/* There are no SPNEGO-specific OIDs for this function. */
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_inquire_sec_context_by_oid(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    desired_object,
+ 			    data_set);
+ 	return (ret);
+@@ -2359,8 +2428,15 @@ spnego_gss_set_sec_context_option(
+ 		const gss_buffer_t value)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle;
++
++	/* There are no SPNEGO-specific OIDs for this function, and we cannot
++	 * construct an empty SPNEGO context with it. */
++	if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_set_sec_context_option(minor_status,
+-			    context_handle,
++			    &sc->ctx_handle,
+ 			    desired_object,
+ 			    value);
+ 	return (ret);
+@@ -2377,8 +2453,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status,
+ 		     gss_buffer_t output_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_aead(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    conf_req_flag,
+ 			    qop_req,
+ 			    input_assoc_buffer,
+@@ -2399,8 +2480,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status,
+ 		       gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap_aead(minor_status,
+-			      context_handle,
++			      sc->ctx_handle,
+ 			      input_message_buffer,
+ 			      input_assoc_buffer,
+ 			      output_payload_buffer,
+@@ -2419,8 +2505,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status,
+ 		    int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_iov(minor_status,
+-			   context_handle,
++			   sc->ctx_handle,
+ 			   conf_req_flag,
+ 			   qop_req,
+ 			   conf_state,
+@@ -2438,8 +2529,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status,
+ 		      int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap_iov(minor_status,
+-			     context_handle,
++			     sc->ctx_handle,
+ 			     conf_state,
+ 			     qop_state,
+ 			     iov,
+@@ -2457,8 +2553,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
+ 			   int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_iov_length(minor_status,
+-				  context_handle,
++				  sc->ctx_handle,
+ 				  conf_req_flag,
+ 				  qop_req,
+ 				  conf_state,
+@@ -2475,8 +2576,13 @@ spnego_gss_complete_auth_token(
+ 		gss_buffer_t input_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_complete_auth_token(minor_status,
+-				      context_handle,
++				      sc->ctx_handle,
+ 				      input_message_buffer);
+ 	return (ret);
+ }
+@@ -2721,8 +2827,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status,
+ 			 gss_buffer_t prf_out)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_pseudo_random(minor_status,
+-				context,
++				sc->ctx_handle,
+ 				prf_key,
+ 				prf_in,
+ 				desired_output_len,
+@@ -2863,7 +2974,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ 		       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
+ 		       int iov_count)
+ {
+-    return gss_get_mic_iov(minor_status, context_handle, qop_req, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov,
+ 			   iov_count);
+ }
+ 
+@@ -2872,7 +2988,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ 			  gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
+ 			  int iov_count)
+ {
+-    return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov,
+ 			      iov_count);
+ }
+ 
+@@ -2881,7 +3002,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status,
+ 			      gss_ctx_id_t context_handle, gss_qop_t qop_req,
+ 			      gss_iov_buffer_desc *iov, int iov_count)
+ {
+-    return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov,
+ 				  iov_count);
+ }
+ 

diff --git a/app-crypt/mit-krb5/files/CVE-2015-2696.patch b/app-crypt/mit-krb5/files/CVE-2015-2696.patch
new file mode 100644
index 0000000..c1f50a5
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2015-2696.patch
@@ -0,0 +1,731 @@
+From e04f0283516e80d2f93366e0d479d13c9b5c8c2a Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Mon, 14 Sep 2015 12:28:36 -0400
+Subject: [PATCH] Fix IAKERB context aliasing bugs [CVE-2015-2696]
+
+The IAKERB mechanism currently replaces its context handle with the
+krb5 mechanism handle upon establishment, under the assumption that
+most GSS functions are only called after context establishment.  This
+assumption is incorrect, and can lead to aliasing violations for some
+programs.  Maintain the IAKERB context structure after context
+establishment and add new IAKERB entry points to refer to it with that
+type.  Add initiate and established flags to the IAKERB context
+structure for use in gss_inquire_context() prior to context
+establishment.
+
+CVE-2015-2696:
+
+In MIT krb5 1.9 and later, applications which call
+gss_inquire_context() on a partially-established IAKERB context can
+cause the GSS-API library to read from a pointer using the wrong type,
+generally causing a process crash.  Java server applications using the
+native JGSS provider are vulnerable to this bug.  A carefully crafted
+IAKERB packet might allow the gss_inquire_context() call to succeed
+with attacker-determined results, but applications should not make
+access control decisions based on gss_inquire_context() results prior
+to context establishment.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+[ghudson@mit.edu: several bugfixes, style changes, and edge-case
+behavior changes; commit message and CVE description]
+
+ticket: 8244
+target_version: 1.14
+tags: pullup
+---
+ src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
+ src/lib/gssapi/krb5/gssapi_krb5.c  | 105 +++++++++--
+ src/lib/gssapi/krb5/iakerb.c       | 351 +++++++++++++++++++++++++++++++++----
+ 3 files changed, 529 insertions(+), 41 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 9aae12a..97e090d 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -621,6 +621,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
+ );
+ #endif /* LEAN_CLIENT */
+ 
++OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
++(OM_uint32*,       /* minor_status */
++ const gss_ctx_id_t,
++ /* context_handle */
++ const gss_OID,    /* desired_object */
++ gss_buffer_set_t* /* data_set */
++);
++
++OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
++(OM_uint32*,       /* minor_status */
++ gss_ctx_id_t*,    /* context_handle */
++ const gss_OID,    /* desired_object */
++ const gss_buffer_t/* value */
++);
++
+ OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
+ (OM_uint32*,       /* minor_status */
+  gss_ctx_id_t,     /* context_handle */
+@@ -1302,6 +1317,105 @@ OM_uint32 KRB5_CALLCONV
+ krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
+                      gss_cred_id_t *cred_handle);
+ 
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_process_context_token(OM_uint32 *minor_status,
++                                 const gss_ctx_id_t context_handle,
++                                 const gss_buffer_t token_buffer);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                        OM_uint32 *time_rec);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_context(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, gss_name_t *src_name,
++                           gss_name_t *targ_name, OM_uint32 *lifetime_rec,
++                           gss_OID *mech_type, OM_uint32 *ctx_flags,
++                           int *locally_initiated, int *opened);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                   gss_qop_t qop_req, gss_buffer_t message_buffer,
++                   gss_buffer_t message_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
++                       int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
++                              gss_ctx_id_t context_handle, gss_qop_t qop_req,
++                              gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
++                      gss_qop_t *qop_state);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                          gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
++                          int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                int conf_req_flag, gss_qop_t qop_req,
++                gss_buffer_t input_message_buffer, int *conf_state,
++                gss_buffer_t output_message_buffer);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                    int conf_req_flag, gss_qop_t qop_req, int *conf_state,
++                    gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, int *conf_state,
++                           gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                  gss_buffer_t input_message_buffer,
++                  gss_buffer_t output_message_buffer, int *conf_state,
++                  gss_qop_t *qop_state);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      int *conf_state, gss_qop_t *qop_state,
++                      gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, OM_uint32 req_output_size,
++                           OM_uint32 *max_input_size);
++
++#ifndef LEAN_CLIENT
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_export_sec_context(OM_uint32 *minor_status,
++                              gss_ctx_id_t *context_handle,
++                              gss_buffer_t interprocess_token);
++#endif /* LEAN_CLIENT */
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
++                                      const gss_ctx_id_t context_handle,
++                                      const gss_OID desired_object,
++                                      gss_buffer_set_t *data_set);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
++                                  gss_ctx_id_t *context_handle,
++                                  const gss_OID desired_object,
++                                  const gss_buffer_t value);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                         int prf_key, const gss_buffer_t prf_in,
++                         ssize_t desired_output_len, gss_buffer_t prf_out);
++
+ /* Magic string to identify exported krb5 GSS credentials.  Increment this if
+  * the format changes. */
+ #define CRED_EXPORT_MAGIC "K5C1"
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 0be92e4..c4dfdd6 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -351,7 +351,7 @@ static struct {
+     }
+ };
+ 
+-static OM_uint32 KRB5_CALLCONV
++OM_uint32 KRB5_CALLCONV
+ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
+                                      const gss_ctx_id_t context_handle,
+                                      const gss_OID desired_object,
+@@ -465,7 +465,7 @@ static struct {
+ };
+ #endif
+ 
+-static OM_uint32 KRB5_CALLCONV
++OM_uint32 KRB5_CALLCONV
+ krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
+                                  gss_ctx_id_t *context_handle,
+                                  const gss_OID desired_object,
+@@ -929,20 +929,103 @@ static struct gss_config krb5_mechanism = {
+     krb5_gss_get_mic_iov_length,
+ };
+ 
++/* Functions which use security contexts or acquire creds are IAKERB-specific;
++ * other functions can borrow from the krb5 mech. */
++static struct gss_config iakerb_mechanism = {
++    { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
++    NULL,
++    iakerb_gss_acquire_cred,
++    krb5_gss_release_cred,
++    iakerb_gss_init_sec_context,
++#ifdef LEAN_CLIENT
++    NULL,
++#else
++    iakerb_gss_accept_sec_context,
++#endif
++    iakerb_gss_process_context_token,
++    iakerb_gss_delete_sec_context,
++    iakerb_gss_context_time,
++    iakerb_gss_get_mic,
++    iakerb_gss_verify_mic,
++#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
++    NULL,
++#else
++    iakerb_gss_wrap,
++#endif
++#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
++    NULL,
++#else
++    iakerb_gss_unwrap,
++#endif
++    krb5_gss_display_status,
++    krb5_gss_indicate_mechs,
++    krb5_gss_compare_name,
++    krb5_gss_display_name,
++    krb5_gss_import_name,
++    krb5_gss_release_name,
++    krb5_gss_inquire_cred,
++    NULL,                /* add_cred */
++#ifdef LEAN_CLIENT
++    NULL,
++    NULL,
++#else
++    iakerb_gss_export_sec_context,
++    NULL,
++#endif
++    krb5_gss_inquire_cred_by_mech,
++    krb5_gss_inquire_names_for_mech,
++    iakerb_gss_inquire_context,
++    krb5_gss_internal_release_oid,
++    iakerb_gss_wrap_size_limit,
++    krb5_gss_localname,
++    krb5_gss_authorize_localname,
++    krb5_gss_export_name,
++    krb5_gss_duplicate_name,
++    krb5_gss_store_cred,
++    iakerb_gss_inquire_sec_context_by_oid,
++    krb5_gss_inquire_cred_by_oid,
++    iakerb_gss_set_sec_context_option,
++    krb5_gssspi_set_cred_option,
++    krb5_gssspi_mech_invoke,
++    NULL,                /* wrap_aead */
++    NULL,                /* unwrap_aead */
++    iakerb_gss_wrap_iov,
++    iakerb_gss_unwrap_iov,
++    iakerb_gss_wrap_iov_length,
++    NULL,               /* complete_auth_token */
++    NULL,               /* acquire_cred_impersonate_name */
++    NULL,               /* add_cred_impersonate_name */
++    NULL,               /* display_name_ext */
++    krb5_gss_inquire_name,
++    krb5_gss_get_name_attribute,
++    krb5_gss_set_name_attribute,
++    krb5_gss_delete_name_attribute,
++    krb5_gss_export_name_composite,
++    krb5_gss_map_name_to_any,
++    krb5_gss_release_any_name_mapping,
++    iakerb_gss_pseudo_random,
++    NULL,               /* set_neg_mechs */
++    krb5_gss_inquire_saslname_for_mech,
++    krb5_gss_inquire_mech_for_saslname,
++    krb5_gss_inquire_attrs_for_mech,
++    krb5_gss_acquire_cred_from,
++    krb5_gss_store_cred_into,
++    iakerb_gss_acquire_cred_with_password,
++    krb5_gss_export_cred,
++    krb5_gss_import_cred,
++    NULL,               /* import_sec_context_by_mech */
++    NULL,               /* import_name_by_mech */
++    NULL,               /* import_cred_by_mech */
++    iakerb_gss_get_mic_iov,
++    iakerb_gss_verify_mic_iov,
++    iakerb_gss_get_mic_iov_length,
++};
++
+ #ifdef _GSS_STATIC_LINK
+ #include "mglueP.h"
+ static int gss_iakerbmechglue_init(void)
+ {
+     struct gss_mech_config mech_iakerb;
+-    struct gss_config iakerb_mechanism = krb5_mechanism;
+-
+-    /* IAKERB mechanism mirrors krb5, but with different context SPIs */
+-    iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
+-    iakerb_mechanism.gss_init_sec_context   = iakerb_gss_init_sec_context;
+-    iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
+-    iakerb_mechanism.gss_acquire_cred       = iakerb_gss_acquire_cred;
+-    iakerb_mechanism.gssspi_acquire_cred_with_password
+-                                    = iakerb_gss_acquire_cred_with_password;
+ 
+     memset(&mech_iakerb, 0, sizeof(mech_iakerb));
+     mech_iakerb.mech = &iakerb_mechanism;
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index f30de32..4662bd9 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec {
+     gss_ctx_id_t gssc;
+     krb5_data conv;                     /* conversation for checksumming */
+     unsigned int count;                 /* number of round trips */
++    int initiate;
++    int established;
+     krb5_get_init_creds_opt *gic_opts;
+ };
+ 
+@@ -695,7 +697,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
+  * Allocate and initialise an IAKERB context
+  */
+ static krb5_error_code
+-iakerb_alloc_context(iakerb_ctx_id_t *pctx)
++iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
+ {
+     iakerb_ctx_id_t ctx;
+     krb5_error_code code;
+@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
+     ctx->magic = KG_IAKERB_CONTEXT;
+     ctx->state = IAKERB_AS_REQ;
+     ctx->count = 0;
++    ctx->initiate = initiate;
++    ctx->established = 0;
+ 
+     code = krb5_gss_init_context(&ctx->k5c);
+     if (code != 0)
+@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+                               gss_buffer_t output_token)
+ {
+-    OM_uint32 major_status = GSS_S_COMPLETE;
++    iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
+ 
+     if (output_token != GSS_C_NO_BUFFER) {
+         output_token->length = 0;
+@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+     }
+ 
+     *minor_status = 0;
++    *context_handle = GSS_C_NO_CONTEXT;
++    iakerb_release_context(iakerb_ctx);
+ 
+-    if (*context_handle != GSS_C_NO_CONTEXT) {
+-        iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
+-
+-        if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) {
+-            iakerb_release_context(iakerb_ctx);
+-            *context_handle = GSS_C_NO_CONTEXT;
+-        } else {
+-            assert(iakerb_ctx->magic == KG_CONTEXT);
+-
+-            major_status = krb5_gss_delete_sec_context(minor_status,
+-                                                       context_handle,
+-                                                       output_token);
+-        }
+-    }
+-
+-    return major_status;
++    return GSS_S_COMPLETE;
+ }
+ 
+ static krb5_boolean
+@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
+     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
+ 
+     if (initialContextToken) {
+-        code = iakerb_alloc_context(&ctx);
++        code = iakerb_alloc_context(&ctx, 0);
+         if (code != 0)
+             goto cleanup;
+ 
+@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
+                                                        time_rec,
+                                                        delegated_cred_handle,
+                                                        &exts);
+-        if (major_status == GSS_S_COMPLETE) {
+-            *context_handle = ctx->gssc;
+-            ctx->gssc = NULL;
+-            iakerb_release_context(ctx);
+-        }
++        if (major_status == GSS_S_COMPLETE)
++            ctx->established = 1;
+         if (mech_type != NULL)
+             *mech_type = (gss_OID)gss_mech_krb5;
+     }
+@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
+     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
+ 
+     if (initialContextToken) {
+-        code = iakerb_alloc_context(&ctx);
++        code = iakerb_alloc_context(&ctx, 1);
+         if (code != 0) {
+             *minor_status = code;
+             goto cleanup;
+@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
+                                                      ret_flags,
+                                                      time_rec,
+                                                      &exts);
+-        if (major_status == GSS_S_COMPLETE) {
+-            *context_handle = ctx->gssc;
+-            ctx->gssc = GSS_C_NO_CONTEXT;
+-            iakerb_release_context(ctx);
+-        }
++        if (major_status == GSS_S_COMPLETE)
++            ctx->established = 1;
+         if (actual_mech_type != NULL)
+             *actual_mech_type = (gss_OID)gss_mech_krb5;
+     } else {
+@@ -1010,3 +995,309 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
+ 
+     return major_status;
+ }
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                  gss_buffer_t input_message_buffer,
++                  gss_buffer_t output_message_buffer, int *conf_state,
++                  gss_qop_t *qop_state)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
++                           output_message_buffer, conf_state, qop_state);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                int conf_req_flag, gss_qop_t qop_req,
++                gss_buffer_t input_message_buffer, int *conf_state,
++                gss_buffer_t output_message_buffer)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
++                         input_message_buffer, conf_state,
++                         output_message_buffer);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_process_context_token(OM_uint32 *minor_status,
++                                 const gss_ctx_id_t context_handle,
++                                 const gss_buffer_t token_buffer)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_DEFECTIVE_TOKEN;
++
++    return krb5_gss_process_context_token(minor_status, ctx->gssc,
++                                          token_buffer);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                        OM_uint32 *time_rec)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
++}
++
++#ifndef LEAN_CLIENT
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_export_sec_context(OM_uint32 *minor_status,
++                              gss_ctx_id_t *context_handle,
++                              gss_buffer_t interprocess_token)
++{
++    OM_uint32 maj;
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    /* We don't currently support exporting partially established contexts. */
++    if (!ctx->established)
++        return GSS_S_UNAVAILABLE;
++
++    maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
++                                      interprocess_token);
++    if (ctx->gssc == GSS_C_NO_CONTEXT) {
++        iakerb_release_context(ctx);
++        *context_handle = GSS_C_NO_CONTEXT;
++    }
++    return maj;
++}
++
++/*
++ * Until we implement partial context exports, there are no SPNEGO exported
++ * context tokens, only tokens for the underlying krb5 context.  So we do not
++ * need to implement an iakerb_gss_import_sec_context() yet; it would be
++ * unreachable except via a manually constructed token.
++ */
++
++#endif /* LEAN_CLIENT */
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_context(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, gss_name_t *src_name,
++                           gss_name_t *targ_name, OM_uint32 *lifetime_rec,
++                           gss_OID *mech_type, OM_uint32 *ctx_flags,
++                           int *initiate, int *opened)
++{
++    OM_uint32 ret;
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (src_name != NULL)
++        *src_name = GSS_C_NO_NAME;
++    if (targ_name != NULL)
++        *targ_name = GSS_C_NO_NAME;
++    if (lifetime_rec != NULL)
++        *lifetime_rec = 0;
++    if (mech_type != NULL)
++        *mech_type = (gss_OID)gss_mech_iakerb;
++    if (ctx_flags != NULL)
++        *ctx_flags = 0;
++    if (initiate != NULL)
++        *initiate = ctx->initiate;
++    if (opened != NULL)
++        *opened = ctx->established;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_COMPLETE;
++
++    ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
++                                   targ_name, lifetime_rec, mech_type,
++                                   ctx_flags, initiate, opened);
++
++    if (!ctx->established) {
++        /* Report IAKERB as the mech OID until the context is established. */
++        if (mech_type != NULL)
++            *mech_type = (gss_OID)gss_mech_iakerb;
++
++        /* We don't support exporting partially-established contexts. */
++        if (ctx_flags != NULL)
++            *ctx_flags &= ~GSS_C_TRANS_FLAG;
++    }
++
++    return ret;
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, OM_uint32 req_output_size,
++                           OM_uint32 *max_input_size)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
++                                    qop_req, req_output_size, max_input_size);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                   gss_qop_t qop_req, gss_buffer_t message_buffer,
++                   gss_buffer_t message_token)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
++                            message_token);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
++                      gss_qop_t *qop_state)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
++                               token_buffer, qop_state);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
++                                      const gss_ctx_id_t context_handle,
++                                      const gss_OID desired_object,
++                                      gss_buffer_set_t *data_set)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_UNAVAILABLE;
++
++    return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
++                                               desired_object, data_set);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
++                                  gss_ctx_id_t *context_handle,
++                                  const gss_OID desired_object,
++                                  const gss_buffer_t value)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
++
++    if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_UNAVAILABLE;
++
++    return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
++                                           desired_object, value);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                    int conf_req_flag, gss_qop_t qop_req, int *conf_state,
++                    gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
++                             conf_state, iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      int *conf_state, gss_qop_t *qop_state,
++                      gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
++                               iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, int *conf_state,
++                           gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
++                                    qop_req, conf_state, iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                         int prf_key, const gss_buffer_t prf_in,
++                         ssize_t desired_output_len, gss_buffer_t prf_out)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
++                                  desired_output_len, prf_out);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
++                       int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
++                                iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                          gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
++                          int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
++                                   iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
++                              gss_ctx_id_t context_handle, gss_qop_t qop_req,
++                              gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
++                                       iov_count);
++}

diff --git a/app-crypt/mit-krb5/files/CVE-2015-2697.patch b/app-crypt/mit-krb5/files/CVE-2015-2697.patch
new file mode 100644
index 0000000..af2f42a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2015-2697.patch
@@ -0,0 +1,50 @@
+From f0c094a1b745d91ef2f9a4eae2149aac026a5789 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 25 Sep 2015 12:51:47 -0400
+Subject: [PATCH] Fix build_principal memory bug [CVE-2015-2697]
+
+In build_principal_va(), use k5memdup0() instead of strdup() to make a
+copy of the realm, to ensure that we allocate the correct number of
+bytes and do not read past the end of the input string.  This bug
+affects krb5_build_principal(), krb5_build_principal_va(), and
+krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
+affected.
+
+CVE-2015-2697:
+
+In MIT krb5 1.7 and later, an authenticated attacker may be able to
+cause a KDC to crash using a TGS request with a large realm field
+beginning with a null byte.  If the KDC attempts to find a referral to
+answer the request, it constructs a principal name for lookup using
+krb5_build_principal() with the requested realm.  Due to a bug in this
+function, the null byte causes only one byte be allocated for the
+realm field of the constructed principal, far less than its length.
+Subsequent operations on the lookup principal may cause a read beyond
+the end of the mapped memory region, causing the KDC process to crash.
+
+CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8252 (new)
+target_version: 1.14
+tags: pullup
+---
+ src/lib/krb5/krb/bld_princ.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
+index ab6fed8..8604268 100644
+--- a/src/lib/krb5/krb/bld_princ.c
++++ b/src/lib/krb5/krb/bld_princ.c
+@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
+     data = malloc(size * sizeof(krb5_data));
+     if (!data) { retval = ENOMEM; }
+ 
+-    if (!retval) {
+-        r = strdup(realm);
+-        if (!r) { retval = ENOMEM; }
+-    }
++    if (!retval)
++        r = k5memdup0(realm, rlen, &retval);
+ 
+     while (!retval && (component = va_arg(ap, char *))) {
+         if (count == size) {

diff --git a/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
index d70cb3d..76dfaeb 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
@@ -64,6 +64,9 @@ src_unpack() {
 src_prepare() {
 	epatch "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
 	epatch "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+	epatch "${FILESDIR}/CVE-2015-2695.patch" \
+		"${FILESDIR}/CVE-2015-2696.patch" \
+		"${FILESDIR}/CVE-2015-2697.patch"
 
 	eautoreconf
 }


^ permalink raw reply related	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2024-04-05  7:15 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-25 13:02 [gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/, app-crypt/mit-krb5/files/ Sam James
  -- strict thread matches above, loose matches on Subject: below --
2024-04-05  7:15 Eray Aslan
2022-01-05  9:57 Eray Aslan
2021-01-20 20:47 Conrad Kostecki
2019-09-28 18:27 Matt Turner
2019-06-20 11:08 Eray Aslan
2016-12-22 22:36 Mike Frysinger
2016-11-16 23:21 Mike Frysinger
2015-10-29  4:37 Eray Aslan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox