Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/mit-krb5 mit-krb5: updated to 1.18
details: https://anonhg.NetBSD.org/pkgsrc/rev/acb4d6bbdf48
branches: trunk
changeset: 428658:acb4d6bbdf48
user: adam <adam%pkgsrc.org@localhost>
date: Thu Apr 09 10:57:04 2020 +0000
description:
mit-krb5: updated to 1.18
Major changes in 1.18:
Administrator experience
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default.
* setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes.
Developer experience
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account name from a PAC.
Protocol evolution
* Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)
User experience
* Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized
server is not found.
* Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf
relation to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios.
Code quality
* The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.
Major changes in 1.17.1:
This is a bug fix release.
* Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
* Fix a bug preventing time skew correction from working when a KCM credential cache is used.
Major changes in 1.17:
Administrator experience
* A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific principal names are requested.
* kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
Developer experience
* The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should perform better.
Protocol evolution
* The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is
enabled by default on clients, but must be manually enabled on the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust.
User experience
* The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.
* The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.
Code quality
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or
later is now required.
diffstat:
security/mit-krb5/Makefile | 28 ++-------
security/mit-krb5/PLIST | 4 +-
security/mit-krb5/distinfo | 19 ++---
security/mit-krb5/patches/patch-Makefile.in | 37 ++++--------
security/mit-krb5/patches/patch-configure.in | 21 -------
security/mit-krb5/patches/patch-lib_crypto_builtin_pbkdf2.c | 34 -----------
security/mit-krb5/patches/patch-lib_kdb_kdb__log.c | 22 +++---
security/mit-krb5/patches/patch-lib_krb5_asn.1_asn1buf.h | 15 -----
security/mit-krb5/patches/patch-slave_kproplog.c | 15 -----
9 files changed, 42 insertions(+), 153 deletions(-)
diffs (truncated from 341 to 300 lines):
diff -r 3effae87b2f1 -r acb4d6bbdf48 security/mit-krb5/Makefile
--- a/security/mit-krb5/Makefile Thu Apr 09 09:45:19 2020 +0000
+++ b/security/mit-krb5/Makefile Thu Apr 09 10:57:04 2020 +0000
@@ -1,16 +1,15 @@
-# $NetBSD: Makefile,v 1.105 2020/01/26 17:32:04 rillig Exp $
+# $NetBSD: Makefile,v 1.106 2020/04/09 10:57:04 adam Exp $
-DISTNAME= krb5-1.16.2
+DISTNAME= krb5-1.18
PKGNAME= mit-${DISTNAME}
-PKGREVISION= 4
CATEGORIES= security
-MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
+MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV}/
MAINTAINER= tez%NetBSD.org@localhost
HOMEPAGE= https://web.mit.edu/kerberos/
COMMENT= MIT Kerberos 5 authentication system
-MAKE_JOBS_SAFE= no
+MAKE_JOBS_SAFE= no
WRKSRC= ${WRKDIR}/${DISTNAME}/src
@@ -39,23 +38,19 @@
CONFIGURE_ARGS+= --localstatedir=${MIT_KRB5_STATEDIR}
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
-CONFIGURE_ARGS+= --enable-shared
-CONFIGURE_ARGS+= --enable-dns-for-realm
+CONFIGURE_ARGS+= --disable-aesni
CONFIGURE_ARGS+= --disable-kdc-lookaside-cache
CONFIGURE_ARGS+= --disable-thread-support
-CONFIGURE_ARGS+= --without-tcl
+CONFIGURE_ARGS+= --enable-shared
+CONFIGURE_ARGS+= --enable-dns-for-realm
CONFIGURE_ARGS+= --enable-pkgsrc-libtool
CONFIGURE_ARGS+= --without-system-verto
-CONFIGURE_ARGS+= --disable-aesni
+CONFIGURE_ARGS+= --without-tcl
CONFIGURE_ENV+= BUILDLINK_PREFIX_OPENSSL=${BUILDLINK_PREFIX.openssl}
CONFIGURE_ENV+= DEFKTNAME=FILE:${PKG_SYSCONFDIR}/krb5.keytab
MAKE_ENV+= ROOT_USER=${ROOT_USER}
LIBS.SunOS= -lrt
-PATCH_DIST_ARGS= -d ${WRKSRC} -p2
-
-INFO_FILES= YES
-
OWN_DIRS_PERMS= ${MIT_KRB5_STATEDIR}/krb5kdc \
${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 0700
RCD_SCRIPTS= kadmind kdc
@@ -74,12 +69,5 @@
pre-configure:
cd ${WRKSRC} && autoconf -I ${WRKSRC} -f
-post-install:
- cd ${WRKDIR}/${DISTNAME}/doc; \
- for f in *.info *.info-[0-9]*; do \
- ${TEST} ! -f "$$f" || \
- ${INSTALL_MAN} "$$f" ${DESTDIR}${PREFIX}/${PKGINFODIR}; \
- done
-
.include "../../security/openssl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
diff -r 3effae87b2f1 -r acb4d6bbdf48 security/mit-krb5/PLIST
--- a/security/mit-krb5/PLIST Thu Apr 09 09:45:19 2020 +0000
+++ b/security/mit-krb5/PLIST Thu Apr 09 10:57:04 2020 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.21 2019/07/12 15:40:55 jperkin Exp $
+@comment $NetBSD: PLIST,v 1.22 2020/04/09 10:57:04 adam Exp $
bin/compile_et
bin/gss-client
bin/k5srvutil
@@ -18,6 +18,7 @@
include/com_err.h
include/gssapi.h
include/gssapi/gssapi.h
+include/gssapi/gssapi_alloc.h
include/gssapi/gssapi_ext.h
include/gssapi/gssapi_generic.h
include/gssapi/gssapi_krb5.h
@@ -65,6 +66,7 @@
${PLIST.ldap}lib/krb5/plugins/kdb/kldap.la
lib/krb5/plugins/preauth/otp.la
lib/krb5/plugins/preauth/pkinit.la
+lib/krb5/plugins/preauth/spake.la
lib/krb5/plugins/tls/k5tls.la
lib/libcom_err.la
lib/libgssapi_krb5.la
diff -r 3effae87b2f1 -r acb4d6bbdf48 security/mit-krb5/distinfo
--- a/security/mit-krb5/distinfo Thu Apr 09 09:45:19 2020 +0000
+++ b/security/mit-krb5/distinfo Thu Apr 09 10:57:04 2020 +0000
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.69 2019/07/12 15:40:55 jperkin Exp $
+$NetBSD: distinfo,v 1.70 2020/04/09 10:57:04 adam Exp $
-SHA1 (krb5-1.16.2.tar.gz) = 6d6ef205194be386fb5f4e6bef32cb9fc79e853b
-RMD160 (krb5-1.16.2.tar.gz) = 76188113d13eb9667d6057fe23d653a3d09d4817
-SHA512 (krb5-1.16.2.tar.gz) = 738c071a90e0f38680bb17bdcf950310bc4549f3cb851e1d34de11239ae88178e6ee1a5e5d48c6d3efef544339b07d22dba5347dd763a4266d8d4df7cf47afc9
-Size (krb5-1.16.2.tar.gz) = 9652415 bytes
-SHA1 (patch-Makefile.in) = adacbcb9d569107e6b7af9b0e7ee177f79a9103c
+SHA1 (krb5-1.18.tar.gz) = 95573bea40844bba1032b7d8a7c3c43ccc44fdb1
+RMD160 (krb5-1.18.tar.gz) = 6595de6f7dc77746c986e3dad6a016d206efe4d9
+SHA512 (krb5-1.18.tar.gz) = 36a01ea310b4b3d0a3d209b641739575239e1ca5e93b3de99cb1fec83e82f9a70ad0761dd6eb77cda5c18c53044ab80168b00725642a0c2dfde0e492c42af6a9
+Size (krb5-1.18.tar.gz) = 8706395 bytes
+SHA1 (patch-Makefile.in) = 24f915d7a4340b9a4a454b9b67c94147fdc49c34
SHA1 (patch-aclocal.m4) = 07b5d9ae38c74eaea6ba62aed9062dca1bf7f3fb
SHA1 (patch-build-tools_krb5-config.in) = 4ab922df1d86d86f9ef043f2c5cdf048c0477d3a
SHA1 (patch-config_lib.in) = 974db26486b3239e4fcd53be7280b32c802f6007
@@ -13,22 +13,19 @@
SHA1 (patch-config_libpriv.in) = 78342f649f8e9d3a3b5a4f83e65b6c46f589586b
SHA1 (patch-config_pre.in) = 255973132db9327190211214c3e33b4551bd283b
SHA1 (patch-config_shlib.conf) = c47a647307e7d883e7c22528b7b0f5ad038cbcb3
-SHA1 (patch-configure.in) = 2b7de47c4da223670566c70ce1a9eaa27d49a984
SHA1 (patch-include_osconf.hin) = d31a8164f417bc31a787c8e16d1bd24f27b7140d
SHA1 (patch-kadmin_cli_ss_wrapper.c) = e32e6180f8d508cb2eb18489ce2fef0a1ad0f51d
+SHA1 (patch-kprop_kproplog.c) = 9b751de7eb70d026b54e15275bb878bdb0ce52eb
SHA1 (patch-lib_apputils_Makefile.in) = 085004041a2bb8c4bb3074c2e71e71f22f4f06d7
SHA1 (patch-lib_apputils_udppktinfo.c) = 47ac861181faebfe5f95c28be329ce917ece872c
-SHA1 (patch-lib_crypto_builtin_pbkdf2.c) = 5d67d5435cc4e14e9ba2e548101b272918616f1c
SHA1 (patch-lib_gssapi_Makefile.in) = 806b089d3b12ea9a17c6caab59cbdeb6ec17bbc3
SHA1 (patch-lib_gssapi_krb5_import__name.c) = 7445639b82eadf9b1feb1448c1654fa6ddc937aa
SHA1 (patch-lib_kdb_Makefile.in) = 0c45e34ea8b5d0270c386d430b0d37469e8440ea
-SHA1 (patch-lib_kdb_kdb__log.c) = 87052d7940db0f5a41ffce250c19c0b338b37d60
-SHA1 (patch-lib_krb5_asn.1_asn1buf.h) = 74d7d172ec4c8d7f68a093befc6b40c99b119e37
+SHA1 (patch-lib_kdb_kdb__log.c) = dc759fae6099e7586686bcf14d7cd775854e0360
SHA1 (patch-lib_krb5_ccache_Makefile.in) = 330ae21ec3b290ae16478c2c49a138acac5bf2fd
SHA1 (patch-plugins_kdb_db2_Makefile.in) = f374fc5915b735075fbb751ef736f4ce54abc289
SHA1 (patch-plugins_kdb_db2_libdb2_Makefile.in) = b4b7e8e4192b5e5318f1e42c49315789619f3ae9
SHA1 (patch-plugins_preauth_otp_Makefile.in) = 8c779e3b37cab4138f300f4a09325387092c79f8
SHA1 (patch-plugins_preauth_pkinit_Makefile.in) = c778366d5bd1cae85424643a582013101fc9632d
-SHA1 (patch-slave_kproplog.c) = a238c8740aeb5e4068775148f03a8692bd514423
SHA1 (patch-util_k5ev_verto-k5ev.c) = 8f074ddccbaaa03576f0302437aed3aaad1b738d
SHA1 (patch-util_ss_Makefile.in) = 5ca0bf7295a8f4c1d8e59097863940f88d224ee7
diff -r 3effae87b2f1 -r acb4d6bbdf48 security/mit-krb5/patches/patch-Makefile.in
--- a/security/mit-krb5/patches/patch-Makefile.in Thu Apr 09 09:45:19 2020 +0000
+++ b/security/mit-krb5/patches/patch-Makefile.in Thu Apr 09 10:57:04 2020 +0000
@@ -1,11 +1,10 @@
-$NetBSD: patch-Makefile.in,v 1.2 2018/06/15 20:46:01 tez Exp $
+$NetBSD: patch-Makefile.in,v 1.3 2020/04/09 10:57:05 adam Exp $
+
+Don't build plugin examples and tests to avoid libtool problems.
-Don't build plugin examples & tests and avoid libtool problem.
-No idea why... copied from previous instance of this package.
-
---- Makefile.in.orig 2018-05-03 14:34:47.000000000 +0000
+--- Makefile.in.orig 2020-02-12 17:21:58.000000000 +0000
+++ Makefile.in
-@@ -9,23 +9,11 @@ mydir=.
+@@ -9,28 +9,15 @@ mydir=.
SUBDIRS=util include lib \
@sam2_plugin@ \
plugins/audit \
@@ -13,6 +12,7 @@
@audit_plugin@ \
- plugins/kadm5_hook/test \
- plugins/kadm5_auth/test \
+- plugins/gssapi/negoextest \
- plugins/hostrealm/test \
- plugins/localauth/test \
- plugins/pwqual/test \
@@ -21,29 +21,16 @@
- plugins/certauth/test \
plugins/kdb/db2 \
@ldap_plugin_dir@ \
+ @lmdb_plugin_dir@ \
- plugins/kdb/test \
- plugins/kdcpolicy/test \
plugins/preauth/otp \
plugins/preauth/pkinit \
+ plugins/preauth/spake \
- plugins/preauth/test \
plugins/tls/k5tls \
- kdc kadmin slave clients appl tests \
+- kdc kadmin kprop clients appl tests \
++ kdc kadmin kprop clients appl \
config-files build-tools man doc @po@
-@@ -76,7 +64,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROO
- install-strip:
- $(MAKE) install INSTALL_STRIP=-s
-
--install-recurse: install-mkdirs
-+install-recurse:
-
- install-mkdirs:
- @for i in $(INSTALLMKDIRS); do \
-@@ -87,7 +75,7 @@ install-headers-mkdirs:
- $(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)
- $(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)/gssapi
- $(srcdir)/config/mkinstalldirs $(DESTDIR)$(KRB5_INCDIR)/gssrpc
--install-headers-prerecurse: install-headers-mkdirs
-+install-headers-prerecurse:
-
- clean-:: clean-windows
- clean-unix::
+ WINSUBDIRS=include util lib ccapi windows clients appl plugins\preauth\spake
+ BUILDTOP=$(REL).
diff -r 3effae87b2f1 -r acb4d6bbdf48 security/mit-krb5/patches/patch-configure.in
--- a/security/mit-krb5/patches/patch-configure.in Thu Apr 09 09:45:19 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-$NetBSD: patch-configure.in,v 1.3 2018/06/15 20:46:01 tez Exp $
-
-Find the correct libcrypto.
-
---- configure.in.orig 2018-05-03 14:34:47.000000000 +0000
-+++ configure.in
-@@ -287,12 +287,12 @@ AC_HELP_STRING([--with-tls-impl=IMPL],
- case "$TLS_IMPL" in
- openssl|auto)
- AC_CHECK_LIB(ssl,SSL_CTX_new,[have_lib_ssl=true],[have_lib_ssl=false],
-- -lcrypto)
-+ "-L${BUILDLINK_PREFIX_OPENSSL}/lib -lcrypto")
- AC_MSG_CHECKING([for OpenSSL])
- if test x$have_lib_ssl = xtrue ; then
- AC_DEFINE(TLS_IMPL_OPENSSL,1,[Define if TLS implementation is OpenSSL])
- AC_MSG_RESULT([yes])
-- TLS_IMPL_LIBS="-lssl -lcrypto"
-+ TLS_IMPL_LIBS="-L${BUILDLINK_PREFIX_OPENSSL}/lib -lssl -lcrypto"
- TLS_IMPL=openssl
- AC_MSG_NOTICE([TLS module will use OpenSSL])
- else
diff -r 3effae87b2f1 -r acb4d6bbdf48 security/mit-krb5/patches/patch-lib_crypto_builtin_pbkdf2.c
--- a/security/mit-krb5/patches/patch-lib_crypto_builtin_pbkdf2.c Thu Apr 09 09:45:19 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,34 +0,0 @@
-$NetBSD: patch-lib_crypto_builtin_pbkdf2.c,v 1.2 2019/05/06 14:06:05 wiz Exp $
-
-Fix conflict with hmac() symbol in libc.
-https://github.com/krb5/krb5/pull/926
-
---- lib/crypto/builtin/pbkdf2.c.orig 2018-11-01 23:51:07.000000000 +0000
-+++ lib/crypto/builtin/pbkdf2.c
-@@ -75,7 +75,7 @@ static void printd (const char *descr, k
- * index appended to the original salt.
- */
- static krb5_error_code
--hmac(const struct krb5_hash_provider *hash, krb5_keyblock *pass,
-+krb5_hmac(const struct krb5_hash_provider *hash, krb5_keyblock *pass,
- krb5_data *salt, krb5_data *out)
- {
- krb5_error_code err;
-@@ -123,7 +123,7 @@ F(char *output, char *u_tmp1, char *u_tm
- #if 0
- printf("F: computing hmac #1 (U_1) with %s\n", pdata.contents);
- #endif
-- err = hmac(hash, pass, &sdata, &out);
-+ err = krb5_hmac(hash, pass, &sdata, &out);
- if (err)
- return err;
- #if 0
-@@ -138,7 +138,7 @@ F(char *output, char *u_tmp1, char *u_tm
- printf("F: computing hmac #%d (U_%d)\n", j, j);
- #endif
- memcpy(u_tmp2, u_tmp1, hlen);
-- err = hmac(hash, pass, &sdata, &out);
-+ err = krb5_hmac(hash, pass, &sdata, &out);
- if (err)
- return err;
- #if 0
diff -r 3effae87b2f1 -r acb4d6bbdf48 security/mit-krb5/patches/patch-lib_kdb_kdb__log.c
--- a/security/mit-krb5/patches/patch-lib_kdb_kdb__log.c Thu Apr 09 09:45:19 2020 +0000
+++ b/security/mit-krb5/patches/patch-lib_kdb_kdb__log.c Thu Apr 09 10:57:04 2020 +0000
@@ -1,19 +1,19 @@
-$NetBSD: patch-lib_kdb_kdb__log.c,v 1.1 2018/07/16 10:26:40 jperkin Exp $
+$NetBSD: patch-lib_kdb_kdb__log.c,v 1.2 2020/04/09 10:57:05 adam Exp $
Fix mmap/munmap -Werror=incompatible-pointer-types
---- lib/kdb/kdb_log.c.orig 2018-05-03 14:34:47.000000000 +0000
+--- lib/kdb/kdb_log.c.orig 2020-02-12 17:21:58.000000000 +0000
+++ lib/kdb/kdb_log.c
-@@ -489,7 +489,7 @@ ulog_map(krb5_context context, const cha
- return errno;
+@@ -498,7 +498,7 @@ ulog_map(krb5_context context, const cha
+ }
}
-- ulog = mmap(0, MAXLOGLEN, PROT_READ | PROT_WRITE, MAP_SHARED, ulogfd, 0);
-+ ulog = (kdb_hlog_t *)mmap(0, MAXLOGLEN, PROT_READ | PROT_WRITE, MAP_SHARED, ulogfd, 0);
+- ulog = mmap(0, MAXLOGLEN, PROT_READ | PROT_WRITE, MAP_SHARED,
++ ulog = (kdb_hlog_t *)mmap(0, MAXLOGLEN, PROT_READ | PROT_WRITE, MAP_SHARED,
+ log_ctx->ulogfd, 0);
if (ulog == MAP_FAILED) {
- /* Can't map update log file to memory. */
- close(ulogfd);
-@@ -681,7 +681,11 @@ ulog_fini(krb5_context context)
+ retval = errno;
+@@ -680,7 +680,11 @@ ulog_fini(krb5_context context)
if (log_ctx == NULL)
return;
if (log_ctx->ulog != NULL)
@@ -22,6 +22,6 @@
+#else
munmap(log_ctx->ulog, MAXLOGLEN);
+#endif
+ if (log_ctx->ulogfd != -1)
+ close(log_ctx->ulogfd);
Home |
Main Index |
Thread Index |
Old Index