svn commit: r489737 - in head/security: . krb5 krb5-115 krb5-116 krb5-117 krb5-117/files

Tue Jan 8 20:29:36 UTC 2019

Author: cy
Date: Tue Jan  8 20:29:34 2019
New Revision: 489737
URL: https://svnweb.freebsd.org/changeset/ports/489737

Log:
  Welcome the new KRB5 1.17 (krb5-117).
  
  Major changes in 1.17 (2019-01-08)
  ==================================
  
  Administrator experience:
  
  * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.
  
  * "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.
  
  Developer experience:
  
  * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.
  
  * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.
  
  * Programs which use large numbers of memory credential caches should
    perform better.
  
  Protocol evolution:
  
  * The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.
  
  * PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.
  
  * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.
  
  * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.
  
  User experience:
  
  * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.
  
  * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.
  
  * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.
  
  Changes to the FreeBSD krb5* ports include:
  
  * CONFLICTS updated in krb5-115 and krb5-116 taking krb5-117 in
    consideration.
  
  * The default krb5 port is now krb5-117.
  
  * MIT's practice is to EOL KRB5 n-2. krb5-115 is deprecated and set
    to expire Jan 31, 2020.

Added:
  head/security/krb5-117/
     - copied from r489734, head/security/krb5-116/
Deleted:
  head/security/krb5-117/files/patch-MIT-git-beeb2828945a41d86488e391ce440bacee0ec8a4
Modified:
  head/security/Makefile
  head/security/krb5-115/Makefile
  head/security/krb5-116/Makefile
  head/security/krb5-117/Makefile
  head/security/krb5-117/distinfo
  head/security/krb5-117/pkg-plist
  head/security/krb5/Makefile

Modified: head/security/Makefile
==============================================================================

--- head/security/Makefile	Tue Jan  8 20:04:04 2019	(r489736)
+++ head/security/Makefile	Tue Jan  8 20:29:34 2019	(r489737)
@@ -314,6 +314,7 @@
     SUBDIR += krb5
     SUBDIR += krb5-115
     SUBDIR += krb5-116
+    SUBDIR += krb5-117
     SUBDIR += krb5-appl
     SUBDIR += krb5-devel
     SUBDIR += kripp

Modified: head/security/krb5-115/Makefile
==============================================================================
--- head/security/krb5-115/Makefile	Tue Jan  8 20:04:04 2019	(r489736)
+++ head/security/krb5-115/Makefile	Tue Jan  8 20:29:34 2019	(r489737)
@@ -15,9 +15,12 @@ PATCH_DIST_STRIP=	-p2
 MAINTAINER=		cy at FreeBSD.org
 COMMENT=		MIT implementation of RFC 4120 network authentication service
 
+DEPRECATED=		EOL one year after the release of krb5 1.17
+EXPIRATION_DATE=	2020-01-31
+
 LICENSE=		MIT
 
-CONFLICTS=		heimdal-[0-9]* srp-[0-9]* krb5-11[346]-[0-9]* \
+CONFLICTS=		heimdal-[0-9]* srp-[0-9]* krb5-11[3467]-[0-9]* \
 			krb5-1.[0-9]* krb5-devel-*
 CONFLICTS_BUILD=	boringssl-*
 

Modified: head/security/krb5-116/Makefile
==============================================================================
--- head/security/krb5-116/Makefile	Tue Jan  8 20:04:04 2019	(r489736)
+++ head/security/krb5-116/Makefile	Tue Jan  8 20:29:34 2019	(r489737)
@@ -17,7 +17,7 @@ COMMENT=		MIT implementation of RFC 4120 network authe
 
 LICENSE=		MIT
 
-CONFLICTS=		heimdal-[0-9]* srp-[0-9]* krb5-11[345]-[0-9]* \
+CONFLICTS=		heimdal-[0-9]* srp-[0-9]* krb5-11[3457]-[0-9]* \
 			krb5-1.[0-9]* krb5-devel-*
 CONFLICTS_BUILD=	boringssl-*
 

Modified: head/security/krb5-117/Makefile
==============================================================================
--- head/security/krb5-116/Makefile	Tue Jan  8 18:51:42 2019	(r489734)
+++ head/security/krb5-117/Makefile	Tue Jan  8 20:29:34 2019	(r489737)
@@ -2,11 +2,11 @@
 # $FreeBSD$
 
 PORTNAME=		krb5
-PORTVERSION=		1.16.3
+PORTVERSION=		1.17
 CATEGORIES=		security
 MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
 .if !defined(MASTERDIR)
-PKGNAMESUFFIX=		-116
+PKGNAMESUFFIX=		-117
 .endif
 
 PATCH_SITES=		http://web.mit.edu/kerberos/advisories/
@@ -17,7 +17,7 @@ COMMENT=		MIT implementation of RFC 4120 network authe
 
 LICENSE=		MIT
 
-CONFLICTS=		heimdal-[0-9]* srp-[0-9]* krb5-11[34]-[0-9]* \
+CONFLICTS=		heimdal-[0-9]* srp-[0-9]* krb5-11[3-6]-[0-9]* \
 			krb5-1.[0-9]* krb5-devel-*
 CONFLICTS_BUILD=	boringssl-*
 

Modified: head/security/krb5-117/distinfo
==============================================================================
--- head/security/krb5-116/distinfo	Tue Jan  8 18:51:42 2019	(r489734)
+++ head/security/krb5-117/distinfo	Tue Jan  8 20:29:34 2019	(r489737)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1546910420
-SHA256 (krb5-1.16.3.tar.gz) = e40499df7c6dbef0cf9b11870a0e167cde827737d8b2c06a9436334f08ab9b0d
-SIZE (krb5-1.16.3.tar.gz) = 9656985
+TIMESTAMP = 1546977717
+SHA256 (krb5-1.17.tar.gz) = 5a6e2284a53de5702d3dc2be3b9339c963f9b5397d3fbbc53beb249380a781f5
+SIZE (krb5-1.17.tar.gz) = 8761763

Modified: head/security/krb5-117/pkg-plist
==============================================================================
--- head/security/krb5-116/pkg-plist	Tue Jan  8 18:51:42 2019	(r489734)
+++ head/security/krb5-117/pkg-plist	Tue Jan  8 20:29:34 2019	(r489737)
@@ -96,10 +96,12 @@ lib/libkrb5support.so
 lib/libkrb5support.so.0
 lib/libkrb5support.so.0.1
 lib/krb5/plugins/kdb/db2.so
+lib/krb5/plugins/kdb/klmdb.so
 lib/krb5/plugins/tls/k5tls.so
 %%LDAP%%lib/krb5/plugins/kdb/kldap.so
 lib/krb5/plugins/preauth/otp.so
 lib/krb5/plugins/preauth/pkinit.so
+lib/krb5/plugins/preauth/spake.so
 lib/krb5/plugins/preauth/test.so
 %%LDAP%%lib/libkdb_ldap.so
 %%LDAP%%lib/libkdb_ldap.so.1

Modified: head/security/krb5/Makefile
==============================================================================
--- head/security/krb5/Makefile	Tue Jan  8 20:04:04 2019	(r489736)
+++ head/security/krb5/Makefile	Tue Jan  8 20:29:34 2019	(r489737)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
-VERSIONS=		115 116
-KRB5_VERSION?=		116
+VERSIONS=		115 116 117
+KRB5_VERSION?=		117
 
 MASTERDIR=		${.CURDIR}/../krb5-${KRB5_VERSION}
 
