security/heimdal: Fix uninitialized pointer dereference

krb5_ret_preincipal() returns a non-zero return code when
a garbage principal is passed to it. Unfortunately ret_principal_ent()
does not check the return code, with garbage pointing to what would
have been the principal. This results in a segfault when free() is
called.

PR:		267944, 267972
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFH:		2024Q1

security/heimdal: Fix build

Fix build due to many undefined symbols listed in version.map. The
problem is that the listed functions are conditionally built and since
they exist in FreeBSD they are not built but they are still referenced
in version.map.

PR:		275979
MFH:		2024Q1
Approved by:	portmgr (just fix it)

security/heimdal: Move man pages to share/man

Approved by:	portmgr (blanket)

Mk/**ldap.mk: Convert USE_LDAP to USES=ldap

Convert the USE_LDAP=yes to USES=ldap and adds the following features:

- Adds the argument USES=ldap:server to add openldap2{4|5|6}-server as
  RUN_DEPENDS
- Adds the argument USES=ldap<version> and replaces WANT_OPENLDAP_VER
- Adds OPENLDAP versions in bsd.default-versions.mk
- Adds USE_OPENLDAP/WANT_OPENLDAP_VER in Mk/bsd.sanity.mk
- Changes consumers to use the features

Reviewed by:	delphij
Approved by:	portmgr
Differential Revision: https://reviews.freebsd.org/D38233

security/heimdal: Remove LLVM_DEFAULT artifact

Remove an artifact from 22a683a337ef.

PR:		267814
Fixes:		22a683a337ef
MFH:		2022Q4

security/heimdal*: Handle other types of garbage data

In addition to garbage realm data, also handle garbage dbname, acl_file,
stash_file, and invalid bitmask garbage data.

PR:             267912
Reported by:    Robert Morris <rtm@lcs.mit.edu>
MFH:		2022Q4

security/heimdal*: Fix NULL dereference when mangled realm message

Fix a NULL dereference in _kadm5_s_init_context() when the client
sends a mangled realm message.

PR:             267912
Reported by:    Robert Morris <rtm@lcs.mit.edu>
MFH:      	2022Q4

security/heimdal*: The version string must always contain a terminating NUL

Should the sender send a string without a terminating NUL, ensure that
the NUL terminates the string regardless.

And while at it only process the version string when bytes are returned.

PR:		267884
Reported by:	Robert Morris <rtm@lcs.mit.edu>
MFH:		2022Q4

security/heimdal*: Remove LLVM_DEFAULT build prerequisite

Adjust ./configure to set the correct CLANG_FORMAT value when
clang-format is not found (when none of the llvm ports are installed).

PR:		267814
Submitted by:	Tatsuki Makino <tatsuki_makino@hotmail.com>
MFH:		2022Q4

security/heimdal*: Remove lockfile dependency

Though heimdal ./configure checks for a lockfile dependency, it does
not use it. Let's remove the dependency.

PR:		267814
Reported by:	Tatsuki Makino <tatsuki_makino@hotmail.com>
MFH:		2022Q4

security/heimdal: Remove python dependency

Python is only needed in developer mode and only to regenerate already
provided files in lib/wind.

PR:		267814
Submitted by:	jkim
Reported by:	jkim
Fixes:		a5523d807d01
MFH:		2022Q4

security/heimdal: Fix build

Three problems were discovered when building under poudriere or in
a clean jail.

1. Python is now a prerequisite.

2. liblockfile is now needed.

3. clang-format is needed for asn1_compile. Unfortunately the base llvm
   does not install clang-format so we need install $LLVM_DEFAULT to get
   this file.

PR:		267814
Reported by:	many
Fixes:		83f79ba0e0ca
MFH:		2022Q4

security/heimdal: Update to 7.8.0

This upgrade fixes multiple security vulnerabilities.

The following issues are patched:

 - CVE-2022-42898 PAC parse integer overflows
 - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
 - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
 - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

    Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
    on the Common Vulnerability Scoring System (CVSS) v3, as we believe
    it should be possible to get an RCE on a KDC, which means that
    credentials can be compromised that can be used to impersonate

Remove WWW entries moved into port Makefiles

Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.

This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.

Approved by:		portmgr (tcberner)

Add WWW entries to port Makefiles

It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

security: remove 'Created by' lines

A big Thank You to the original contributors of these ports:

  *  <ports@c0decafe.net>
  *  Aaron Dalton <aaron@FreeBSD.org>
  *  Adam Weinberger <adamw@FreeBSD.org>
  *  Ade Lovett <ade@FreeBSD.org>
  *  Aldis Berjoza <aldis@bsdroot.lv>
  *  Alex Dupre <ale@FreeBSD.org>
  *  Alex Kapranoff <kappa@rambler-co.ru>
  *  Alex Samorukov <samm@freebsd.org>
  *  Alexander Botero-Lowry <alex@foxybanana.com>
  *  Alexander Kriventsov <avk@vl.ru>
  *  Alexander Leidinger <netchild@FreeBSD.org>

Fix CONFLICTS entries of multiple ports

There have been lots of missing CONFLICTS_INSTALL entries, either
because conflicting ports were added without updating existing ports,
due to name changes of generated packages, due to mis-understanding
the format and semantics of the conflicts entries, or just due to
typoes in package names.

This patch is the result of a comparison of all files contained in
the official packages with each other. This comparison was based on
packages built with default options and may therefore have missed
further conflicts with optionally installed files.

Where possible, version numbers in conflicts entries have been
generalized, some times taking advantage of the fact that a port

*/*: Remove redundant '-[0-9]*' from CONFLICTS

The conflict checks compare the patterns first against the package
names without version (as reported by "pkg query "%n"), then - if
there was no match - agsinst the full package names including the
version (as reported by "pkg query "%n-%v").

Many CONFLICTS definitions used patterns like "bash-[0-9]*" to filter
for the bash package in any version. But that pattern is functionally
identical with just "bash".

Approved by:	portmgr (blanket)

security/heimdal: Add CPE information

Approved by:	portmgr (blanket)

net/openldap24-server: Make SASL permanent for OpenLDAP port.

PR:		ports/257374
Reviewed by:	obrien
Approved by:	portmgr (exp-run by antoine)
Differential Revision: https://reviews.freebsd.org/D31301

all: Remove all other $FreeBSD keywords.

Remove # $FreeBSD$ from Makefiles.

Regen patches.

Fix build breakage when PKINIT and/or KX509 disabled.

PR:	244751

- Fix build when !BDB.
- Regenerate patches.

PR:	244282

Update to 7.7.0.

Drop the ipv6 virtual category for s* category as it is not relevant anymore

Convert to UCL & cleanup pkg-message (categories s)

Update devel/readline to 8.0

- Bump PORTREVISION of dependent ports for shlib change

Changes:	https://tiswww.case.edu/php/chet/readline/CHANGES
PR:		236156
Exp-run by:	antoine

Install texinfo files (GNU info) into ${PREFIX}/share/info

After a discussion on the mailing list on moving manpages to
${PREFIX}/share/man for consistency with base where it is
installed in usr/share/man, it appeared the same should happen
to GNU info files which were installed under share in base and
not in ports.

Now texinfo is not in base on any of the supported version of FreeBSD
it is possible to proceed to this move and it is easier to do than
the manpage change.

Other benefit than consistency are less patching: all build tools but
cmake are expecting info files to be under share/info and cmake (patched here)
was having an exception for BSD so the patch makes FreeBSD case less
specific for them

Bump revision of all impacted ports

PR:		232907
exp-run by:	antoine
Differential Revision:	https://reviews.freebsd.org/D17816

security/heimdal: Chase cracklib dictionary rename from r408137

PR:		213157
Submitted by:	Florian Riehm <mail@friehm.de>
Approved by:	2 year bug anniversary

security/heimdal: Don't call arc4random_stir.

PR:		230835, 230756
Approved by:	portmgr (antoine)

Update to 7.5.0:

- In Heimdal 7.1 through 7.4, remote unauthenticated
  attackers are able to crash the KDC by sending a crafted UDP packet
  containing empty data fields for client name or realm.

Security:	CVE-2017-17439
PR:		224191

Fix whitespace issues (mixed tab/spaces, alignment) in a few ports.

This round is @FreeBSD.org residents except teams.

Update to 7.4.0.  This release fixes a critical vulnerability named
"Orpheus' Lyre".

Security:	CVE-2017-11103
Secuirty:	https://www.orpheus-lyre.info/

Update devel/readline to 7.0 patch 3

- Bump PORTREVISION for shlib change

Changes:	https://cnswww.cns.cwru.edu/php/chet/readline/CHANGES
		https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00107.html
		https://lists.gnu.org/archive/html/bug-readline/2017-01/msg00002.html
Differential Revision:	https://reviews.freebsd.org/D11172
PR:		219947
Exp-run by:	antoine

Update to 7.3.0.

security/heimdal: Fix build

Previous backported patch for CVE requires a new build dependency.

PR:		219657
Reported by:	Benjamin Woods
MFH:		2017Q2
Differential Revision:	https://reviews.freebsd.org/D11125

security/heimdal: Backport security fix

PR:		219657
MFH:		2017Q2
Security:	CVE-2017-6594

Fix build when !BDB and db5 is installed at the same time.
The configure script picked up the db5 library though
ac_cv_func_db_create=no.

PR:	215772

- Fix krb5-config --libs to provide a list of libraries including
  dependency.  This broke ports which depend on this utility.

- Add LMDB option to support database/lmdb.

- Enable dbopen() in DB 1.85 even if !BDB because libhdb with
  no backend is very confusing.

- Fix build when !BDB[*]

PR:	215741 [*]

Update to 7.1.0.  Changes include:

- hcrypto is now thread safe on all platforms and as much as possible
  hcrypto now uses the operating system's preferred crypto
  implementation ensuring that optimized hardware assisted
  implementations of AES-NI are used.

- RFC 6113 Generalized Framework for Kerberos Pre-Authentication
  (FAST).

- Hierarchical capath support

- iprop has been revamped to fix a number of race conditions that
  could lead to inconsistent replication.

- Fix Berkeley DB dependency.  It now properly uses BDB_LIB specified in
  Mk/Uses/bdb.mk instead of db185 interfaces in libc.
  As a side-effect, this causes a compatibility issue between
  heimdal.db created by kadmin(8) in the base system or one by
  an older security/heimdal.  See UPDATING about this issue.

- Fix readline dependency end eliminate libheimedit.

- Use -lpthread instead of -pthread.

- Use FOO_CONFIGURE_WITH=foo instead of FOO_CONFIGURE_ON=--with-foo.

Do not let the configure script pick up Berkeley DB from ports.

Approved by:	hrs (maintainer)

ix Berkeley DB detection at the configuration stage.

PR:	214182

Add missing header files (com_err.h and com_right.h).

Submitted by:	Franco Fichtner
PR:		213470

security/heimdal: Fix build when EGD is not available (e.g. LibreSSL)

Approved by:	SSL blanket

Remove NLS, DOCS, EXAMPLES and IPV6 from OPTIONS_DEFAULT, they are enabled by
default anyway and don't need to be listed

Approved by:	portmgr blanket

Remove USE_SQLITE from bsd.databases.mk, replaced by USES=sqlite.

While there replace USE_SQLITE=x by USES=sqlite:x.

PR:		208971
Submitted by:	mat
Exp-run by:	antoine
With hat:	portmgr
Sponsored by:	Absolight
Differential Revision:	https://reviews.freebsd.org/D5951

Remove ${PORTSDIR}/ from dependencies, categories r, s, t, and u.

With hat:	portmgr
Sponsored by:	Absolight

- Remove an orphaned directory [1].
- Fix USE_LDCONFIG [2].

Spotted by:	sunpoet [1] and bdrewery [2]

Fix krb5-config.

Add -rpath forgotten in the previous commit.

- Fix heimdal-gssapi.pc.
- Add an UPDATING entry.

PR:	195319

Update to 1.5.3.  Changes include:

 - Fix leaking file descriptors in KDC
 - Better socket/timeout handling in libkrb5
 - General bug fixes

- Move headers and libraries into PREFIX/{include,lib}/heimdal.  This
  prevents build breakage when a port depends on heimdal in base and
  some other libraries in LOCALBASE/lib such as OpenSSL from ports
  at the same time.

- Always build libcom_err[*].

PR:	194475 [*]

security/heimdal: Unbreak on DragonFly

The 30 AUG 14 commit to fix libcom_err on some FreeBSD releases crippled
Heimdal on DragonFly such that samba-nsupdate no longer would configure.
The culprit was once again using OSVERSION without checking OPSYS, so
adjusting for OPSYS fixes this regression.

Add ipropd_master and ipropd_slave rc.d scripts for branches which do not
have them.

PR:	176805

Fix build with makeinfo version 5.2.

Obtained from:	https://github.com/heimdal/heimdal/commit/1846c7a35d1091d3b6140c
56b

security/heimdal: Restore MAKE_JOBS_UNSAFE removed recently

The MAKE_JOBS_UNSAFE flag was set 10 June 2014 (PR 181923) and it
was removed without explanation on 30 Aug 2014 (r366616).  I have
first-hand confirmation that it is still required with default
options set.  I'm resetting this flag as it shouldn't have been removed.

Fix build on branches which do not have com_right_r() in libcom_err.

Spotted by:	ume

- Add LICENSE.
- Build kcm by default.
- Use gssapi.mk.
- Use ${opt}_* variables instead of .if ${PORT_OPTIONS:Mopt} wherever possible.
- Use /var/heimdal as $hdbdir for compatibility with Heimdal in base.
- Merge pkg-plist.* into pkg-plist.
- Remove lines that are no longer valid.
- Remove stale kdc.sh.  rc.d scripts in base system work with this port.

Berkeley DB cleanup, remove versions 4.0 ... 4.7.
- Mk/bsd.database.mk rewrite, new default to db5.
- db6 is eligible by default only if installed on the system.
- Bump PORTREVISION of all ports that directly depend on BerkeleyDB or
  where USE_BDB is found in the port's directory
- Patch a few ports such that they will pick up or work with newer
  versions.
- Add UPDATING entry
- Drive-by format fix for pks
- Drop BerkeleyDB option from mail/popular for now, requires more work.
- Exp-run logs linked from the PR below.
- Ports that do not build (IGNORE, BROKEN, etc.) have pro-forma changes
  for new Berkeley DB, but are untested.

NOTE: please read UPDATING and the Wiki page before proceeding!

Announcement:	http://lists.freebsd.org/pipermail/freebsd-ports-announce/2014-August/000090.html
Wiki reference:	https://wiki.freebsd.org/Ports/BerkeleyDBCleanup
PR:		192690
Approved by:	portmgr (implicit, PORTREVISION bump on unstaged ports)

security/heimdal: Establish consistency for seed data with base heimdal

This patch enables heimdal port and heimdal bad to be consistent [in byte
order for seed data] and talk nicely to each other.  Please refer to
FreeBSD Errata Notice FreeBSD-EN-14:08.heimdal.  This port is not
unmaintained.

PR:		191356
Submitted by:	dewayne (heuristicsystems.com.au)

net/openldap24-*:
- Convert to USES=libtool and bump dependent ports
- Avoid USE_AUTOTOOLS
- Don't use PTHREAD_LIBS
- Use MAKE_CMD

databases/glom:
- Drop :keepla
- Add INSTALL_TARGET=install-strip

databases/libgda4* databases/libgda5*:
- Convert to USES=libtool and bump dependent ports
- USES=tar:xz
- Use INSTALL_TARGET=install-strip
- Use @sample

Remove patches added together with USES=libtool that are no longer needed
after r362656.

Fix plist again.  r361101 reverted SQLITE fixes in r358060 and r358150.

Pointyhat to:	tijl

- Fix pkg-plist [1]
- Add INSTALL_TARGET=install-strip

Reported by:	swills (jenkins) [1]

- Convert to USES=libtool
- Remove USE_AUTOTOOLS

Bump PORTREVISION on all ports with USE_SQLITE=yes or USE_SQLITE=3 that
have not been bumped yet after the latest libsqlite3.so library version
change.

Approved by:	portmgr (implicit)

Fix packaging without KCM

Bump PORTREVISION after the plist fix so that people get the fix.

Sponsored by:	Absolight

Fix plist without SQLITE option, i.e., r358060 was incomplete.  Actually,
this option is very confusing.  This option does not enable SQLite support
but enables building with existing SQLite library, i.e., disables building
with bundled SQLite source.

Submitted by:	mat

Fix plist for SQLITE option.  We do not build bundled SQLite for years.

security/heimdal: Mark not-jobs-safe and fix cracklib location

While here:
 * Clean up options and PLIST_SUB with new option framework capabilities
 * Remove condition for FreeBSD 6 and earlier
   - Remove never-fulfilled plist condition
   - Move extra-patch to always-patch
 * minor cosmetic realignment

PR:		181923
Submitted by:	dewayne

security/heimdal: Fix LDAP/SASL support

Enable heimdal to properly build against net/openldap-sasl-client when
openldap24-server is built with SASL support.  It did not before.
Heimdal is currently unmaintained.

PR:		183697
Submitted by:	pcm

security/heimdal: Reset maintainer

There have been 3 consecutive PR timeouts since June 2012, and several
PRs are still open.

Fix heimdal.

- Resolve conflict with security/openssl regarding manual pages.
- Add a couple of patches from the upstream.
- Remove NO_STAGE and delete obsolete MLINKS while at it.

PR:		177397
Submitted by:	Shane Ambler <FreeBSD@ShaneWare.Biz>
Approved by:	(MAINTAINER timeout)

Fixup the props on Makefile*

With hat:	portmgr
Sponsored by:	Absolight

Update krb5 to 1.12. Security/krb5 tracks MIT KRB5 current release.

Adjust the newly created krb5-maint with a new portname and conflicts.
Krb5-maint is a maintenance release for those who wish to use the previous
release of krb5. krb5-maint remains at 1.11.3.

Adjust CONFLICTS in security/heimdal and security/srp to account for the
newly repocopied krb5-maint.

Adjust security/Makefile to include krb5-maint.

Add NO_STAGE all over the place in preparation for the staging support (cat:
security)

Eradicate USE_GNOME=pkgconfig from security
While here:
- Trim headers
- Convert USE_GMAKE to USES=gmake
- Convert USE_GNOME=gnomehack to USES=pathfix
- Convert USE_PERL5 to USES=perl5

Convert security to new options framework

- Convert USE_GETTEXT to USES (part 3)

Approved by:	portmgr (bapt)

- Remove A/An in COMMENT
- Trim Header where applicable

Enable the Berkley DB backend by default.
Bump portrevision.

PR:		ports/154711
Submitted by:	Jason C. Wells <jcw@speakeasy.net> (pr)
		Robert Simmons <rsimmons0@gmail.com> (patch)
Approved by:	maintainer timeout (12 weeks), kwm (mentor)

Fix issue where kpasswdd and kstash look for krb5.conf in /etc.

PR:             ports/168386
Submitted by:   Robert Simmons <rsimmons0@gmail.com>
Approved by:    maintainer timeout

Fix build when BDB is selected.

PR:             ports/168214
Submitted by:   Robert Simmons <rsimmons0@gmail.com>
Approved by:    Joerg Pulz <Joerg.Pulz@frm2.tum.de> (maintainer)

Do not install catpages

PR:             ports/167640
Submitted by:   bapt@
Approved by:    maintainer timeout (14 days)

Update to 1.5.2

PR:             ports/166320
Submitted by:   Joerg Pulz <Joerg.Pulz@frm2.tum.de> (maintainer)

Sync to new bsd.autotools.mk

Add the 'gss_pname_to_uid' function to libgssapi.
This function is obtained from the FreeBSD base libgssapi code.

Whith this function added to the port, it is possible to buildworld
FreeBSD fully against the port.
FYI: Patches for CURRENT and 8-STABLE src/ are here:
ftp://ftp.frm2.tum.de/pub/jpulz/FreeBSD/patches/CURRENT_use_kerberos_port.patch
ftp://ftp.frm2.tum.de/pub/jpulz/FreeBSD/patches/8-STABLE_use_kerberos_port.patch

PR:             ports/152030
Submitted by:   maintainer

Assign maintainer to submitter of previous commit (ports/151506).

Update to 1.4

PR:             ports/151506
Submitted by:   Joerg Pulz <Joerg.Pulz@frm2.tum.de>

- Mark BROKEN on HEAD: fails to build with new utmpx

Reported by:    pointyhat

Use CMGROUP_MAX instead of NGROUPS and the argument to SOCKCREDSIZE().
This is a NO-OP except on 8/9 where it is a bugfix.

Fix invalid malloc in LDAP backend.

PR:     128025

-Repocopy devel/libtool15 -> libtool22 and libltdl15 -> libltdl22.
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.

It has been tested with GNOME2, XFCE4, KDE3, KDE4 and other many wm/desktop
and applications in the runtime.

With help:      marcus and kwm
Pointyhat-exp:  a few times by pav
Tested by:      pgollucci, "Romain Tartière" <romain@blogreen.org>, and
                a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by:    marcus
Approved by:    portmgr

With regret, return these to the pool.