security/krb5-121: Update to 1.21.3

security/krb5*: Flavorize with default and ldap flavors

This provides a binary package to users who require MIT KRB5 with LDAP
support. This patch does not change the current, now default, package
name.

PR:		277015

security/krb5-*: Move man pages to share/man

security/krb5-1*: Fix plist error

Fix:

====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
===> Checking for items in pkg-plist which are not in STAGEDIR
Error: Missing: @dir %%DOCSDIR%%
===> Error: Plist issues found.
*** Error code 1

security/krb5*: Remve kdc wrappers script

Remove the kdc script that allowed krb5kdc to be stared using
the /etc/rc.d/kdc rc script. This is no longer needed since
src/ 91f78c32befa.

security/krb5*: Allow the user to specify state directory locations

localstatedir and runstatedir are set to ${PREFIX}/var and
${PREFIX}/var/run respectively. Users who wish to put their KDC
DB elsewhere can set the following in make.conf:
	KRB5_LOCALSTATEDIR=/va
	KRB5_RUNSTATEDIR=/var/run.

Unfortunately defaulting to /var instead of the current default would
result in MIT KDC not finding its KDC DB files. This would be disruptive
to all MIT KDC users. But new users of MIT KRB5 KDC can set the pathname
above as desired.

PR:	267560

security/krb5-121: Update to 1.21.2

Major changes in 1.21.2 (2023-08-14)
====================================

This is a bug fix release.

* Fix double-free in KDC TGS processing [CVE-2023-39975].

MFH:	2023Q3

security/krb5-121: Fix double-free in KDC TGS processing

Upstream's commit log message:

    When issuing a ticket for a TGS renew or validate request, copy only
    the server field from the outer part of the header ticket to the new
    ticket.  Copying the whole structure causes the enc_part pointer to be
    aliased to the header ticket until krb5_encrypt_tkt_part() is called,
    resulting in a double-free if handle_authdata() fails.

    [ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
    than check for aliasing before freeing; rewrote commit message]

    CVE-2023-39975:

    In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
    free the same pointer twice if it can induce a failure in
    authorization data handling.

    ticket: 9101 (new)
    tags: pullup
    target_version: 1.21-next

Obtained from:	Upstream git commit 88a1701b4
MFH:		2023Q3

security/krb5: Support libedit in base

Even though libedit is in base FreeBSD, the krb5 ports still depend
on devel/libedit when the LIBEDIT option is selected. This is because
./configure uses pkgconf to determine if libedit exists, ignoring
libedit in FreeBSD base. This patch adds a new LIBEDIT_BASE option
which enables LIBEDIT (LIBEDIT_BASE) without installing the
devel/libedit port.

The GNU READLINE option will remain the default for now but it is
planned to switch the default to LIBEDIT_BASE at some point. This is
to reduce the dependency on GNU software and to bring it more into
line with the planned MIT KRB5 import into FreeBSD base.

security/krb5*: Disable NLS when option is deselected

When the NLS option is deselected, ./configure reverts to
enable_nls=check. As some prerequisites do require NLS, NLS is
always enabled even when deslected. This ensures that when NLS
is not wanted, that it is not used, regardless of its install status.

security/krb5-121: Update to 1.21.1

MFH:		2023Q3

security/krb5-121: Welcome new krb5 1.21

Welcome the new krb5-121 (1.21) from MIT.

krb5-119 is now deprecated and scheduled for removal a year from
now.