freebsd-ports/security/krb5-118/Makefile

# Created by: nectar@FreeBSD.org
# $FreeBSD$

PORTNAME=		krb5
PORTVERSION=		1.18
CATEGORIES=		security
MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
.if !defined(MASTERDIR)
PKGNAMESUFFIX=		-118
.endif

PATCH_SITES=		http://web.mit.edu/kerberos/advisories/
PATCH_DIST_STRIP=	-p2

MAINTAINER=		cy@FreeBSD.org
COMMENT=		MIT implementation of RFC 4120 network authentication service

LICENSE=		MIT

CONFLICTS=		heimdal-[0-9]* srp-[0-9]* krb5-11[3-6]-[0-9]* \
			krb5-1.[0-9]* krb5-devel-*
CONFLICTS_BUILD=	boringssl-*

KERBEROSV_URL=		http://web.mit.edu/kerberos/
USE_PERL5=		build
USE_LDCONFIG=		yes
USE_CSTD=		gnu99
GNU_CONFIGURE=		yes
USES=			compiler:c++11-lang cpe gmake localbase perl5 libtool:build \
			gssapi:bootstrap,mit pkgconfig ssl \
			gettext-runtime
CONFIGURE_ARGS?=	--enable-shared --without-system-verto \
			--disable-rpath --localstatedir="${PREFIX}/var" \
			--runstatedir="${PREFIX}/var/run"
CONFIGURE_ENV=		INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}" YACC="${YACC}"
MAKE_ARGS=		INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}"

CPE_VENDOR=		mit
CPE_VERSION=		5-${PORTVERSION}
CPE_PRODUCT=		kerberos

OPTIONS_DEFINE=		EXAMPLES NLS KRB5_PDF KRB5_HTML DNS_FOR_REALM LDAP LMDB
OPTIONS_DEFAULT=	KRB5_PDF KRB5_HTML READLINE
OPTIONS_RADIO=		CMD_LINE_EDITING
OPTIONS_RADIO_CMD_LINE_EDITING=	READLINE READLINE_PORT LIBEDIT
CMD_LINE_EDITING_DESC=	Command line editing for kadmin and ktutil
KRB5_PDF_DESC=		Install krb5 PDF documentation
KRB5_HTML_DESC=		Install krb5 HTML documentation
DNS_FOR_REALM_DESC=	Enable DNS lookups for Kerberos realm names
DNS_FOR_REALM_CONFIGURE_ENABLE=	dns-for-realm
LDAP=			Enable LDAP support
LDAP_USE=		OPENLDAP=yes
LDAP_CONFIGURE_WITH=	ldap
LMDB_DESC=		OpenLDAP Lightning Memory-Mapped Database support
LMDB_CONFIGURE_WITH=	lmdb
LMDB_LIB_DEPENDS=	liblmdb.so:databases/lmdb
LMDB_IMPLIES=		LDAP
NLS_USES=		gettext
READLINE_USES=		readline
READLINE_PORT_DESC=	Command line editing via devel/readline
READLINE_PORT_USES=	readline:port
LIBEDIT_USES=		libedit
LIBEDIT_CONFIGURE_WITH=	libedit

.if defined(KRB5_HOME)
PREFIX=			${KRB5_HOME}
.endif
CPPFLAGS+=		-I${OPENSSLINC}
LDFLAGS+=		-L${OPENSSLLIB}

USE_RC_SUBR=		kpropd
OPTIONS_SUB=		yes
WRKSRC_SUBDIR=		src
PORTEXAMPLES=		kdc.conf krb5.conf services.append

.include <bsd.port.options.mk>

# Fix up -Wl,-rpath in LDFLAGS
.if !empty(KRB5_HOME)
_RPATH=	${KRB5_HOME}/lib:
.else
_RPATH=	${LOCALBASE}/lib:
.endif
.if !empty(LDFLAGS:M-Wl,-rpath,*)
.for F in ${LDFLAGS:M-Wl,-rpath,*}
LDFLAGS:=	-Wl,-rpath,${_RPATH}${F:S/-Wl,-rpath,//} \
		${LDFLAGS:N-Wl,-rpath,*}
.endfor
.endif

.if defined(KRB5_HOME) && ${KRB5_HOME} != ${LOCALBASE}
BROKEN=			LIB_DEPENDS when using KRB5_HOME is broken
.endif

# OPTIONS helper causes conflicting with/without
.if ${PORT_OPTIONS:MREADLINE} || ${PORT_OPTIONS:MREADLINE_PORT}
CONFIGURE_ARGS+=	--with-readline
.else
CONFIGURE_ARGS+=	--without-readline
.endif

.if defined(PROGRAM_TRANSFORM_NAME) && ${PROGRAM_TRANSFORM_NAME} != ""
CONFIGURE_ARGS+=	--program-transform-name="${PROGRAM_TRANSFORM_NAME}"
.endif

HTML_DOC_DIR=		${WRKDIR}/${PORTNAME}-${PORTVERSION}/doc/html
PDF_DOC_DIR=		${WRKDIR}/${PORTNAME}-${PORTVERSION}/doc/pdf

.include <bsd.port.pre.mk>

post-install:
	@${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5
	@${SED} "s|%%PREFIX%%|${PREFIX}|" ${FILESDIR}/kdc.in > ${STAGEDIR}${PREFIX}/sbin/kdc; \
	${CHMOD} +x ${STAGEDIR}${PREFIX}/sbin/kdc
# html documentation
.if ${PORT_OPTIONS:MKRB5_PDF}
	pdf_files=`${FIND} ${PDF_DOC_DIR} ! -type d`
	pdf_dirs=`${FIND} ${PDF_DOC_DIR} -type d`
	for i in $${pdf_dirs}; do \
		${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \
	done; \
	for i in $${pdf_files}; do \
		${INSTALL_DATA} $${pdf} ${PREFIX}/share/doc/krb5/$${i}; \
		${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \
	done
.endif
.if ${PORT_OPTIONS:MKRB5_HTML}
	html_files=`${FIND} ${HTML_DOC_DIR} ! -type d | ${GREP} -v /_sources`
	html_dirs=`${FIND} ${HTML_DOC_DIR} -type d | ${GREP} -v /_sources`
	for i in $${html_dirs}; do \
		${MKDIR} ${PREFIX}/share/doc/krb5/$${i}; \
	done; \
	for i in $${html_files}; do \
		${INSTALL_DATA} $${i} ${PREFIX}/share/doc/krb5/$${i}; \
		${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \
	done
.endif
.if ${PORT_OPTIONS:MKRB5_PDF}
	for i in $${pdf_dirs}; do \
		${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \
	done | ${TAIL} -r >> ${TMPPLIST}
.endif
.if ${PORT_OPTIONS:MKRB5_HTML}
	for i in $${html_dirs}; do \
		${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \
	done | ${TAIL} -r >> ${TMPPLIST}
.endif
	${ECHO_CMD} @dir share/doc/krb5 >> ${TMPPLIST}

post-install-LDAP-on:
	${MKDIR} ${STAGEDIR}${DATADIR}
	${INSTALL_DATA} ${WRKSRC}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \
		${STAGEDIR}${DATADIR}
	${INSTALL_DATA} ${WRKSRC}/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \
		${STAGEDIR}${DATADIR}

.include <bsd.port.post.mk>
Welcome the new KRB5 1.18 (krb5-118) In addition, deprecate krb5-116 to retire one year after the release of krb5-118: Feb 12, 2021. Major changes in 1.18 (2020-02-12) ================================== Administrator experience: * Remove support for single-DES encryption types. * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default. * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). * Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience: * Implement krb5_cc_remove_cred() for all credential cache types. * Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution: * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) * Remove support for an old ("draft 9") variant of PKINIT. * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. User experience: * Add support for "dns_canonicalize_hostname=fallback""`, causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. * Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion. Code quality: * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. * The test suite has been modified to work with macOS System Integrity Protection enabled. * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. 2020-02-19 02:42:55 +00:00			`# Created by: nectar@FreeBSD.org`
			`# $FreeBSD$`

			`PORTNAME= krb5`
			`PORTVERSION= 1.18`
			`CATEGORIES= security`
			`MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]\.[0-9]/&X/:C/X\.[0-9]*$//:C/X//}/`
			`.if !defined(MASTERDIR)`
			`PKGNAMESUFFIX= -118`
			`.endif`

			`PATCH_SITES= http://web.mit.edu/kerberos/advisories/`
			`PATCH_DIST_STRIP= -p2`

			`MAINTAINER= cy@FreeBSD.org`
			`COMMENT= MIT implementation of RFC 4120 network authentication service`

			`LICENSE= MIT`

			`CONFLICTS= heimdal-[0-9]* srp-[0-9]* krb5-11[3-6]-[0-9]* \`
			`krb5-1.[0-9]* krb5-devel-*`
			`CONFLICTS_BUILD= boringssl-*`

			`KERBEROSV_URL= http://web.mit.edu/kerberos/`
			`USE_PERL5= build`
			`USE_LDCONFIG= yes`
			`USE_CSTD= gnu99`
			`GNU_CONFIGURE= yes`
Add compiler:c++11-lang to USES to fix build on GCC-based systems: edwards25519_fiat.h:14: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'fiat_25519_int128' Approved by: portmgr (tier-2 blanket) 2020-02-19 09:12:27 +00:00			`USES= compiler:c++11-lang cpe gmake localbase perl5 libtool:build \`
Welcome the new KRB5 1.18 (krb5-118) In addition, deprecate krb5-116 to retire one year after the release of krb5-118: Feb 12, 2021. Major changes in 1.18 (2020-02-12) ================================== Administrator experience: * Remove support for single-DES encryption types. * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default. * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). * Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience: * Implement krb5_cc_remove_cred() for all credential cache types. * Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution: * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) * Remove support for an old ("draft 9") variant of PKINIT. * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. User experience: * Add support for "dns_canonicalize_hostname=fallback""`, causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. * Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion. Code quality: * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. * The test suite has been modified to work with macOS System Integrity Protection enabled. * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. 2020-02-19 02:42:55 +00:00			`gssapi:bootstrap,mit pkgconfig ssl \`
			`gettext-runtime`
			`CONFIGURE_ARGS?= --enable-shared --without-system-verto \`
			`--disable-rpath --localstatedir="${PREFIX}/var" \`
			`--runstatedir="${PREFIX}/var/run"`
			`CONFIGURE_ENV= INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}" YACC="${YACC}"`
			`MAKE_ARGS= INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}"`

			`CPE_VENDOR= mit`
			`CPE_VERSION= 5-${PORTVERSION}`
			`CPE_PRODUCT= kerberos`

			`OPTIONS_DEFINE= EXAMPLES NLS KRB5_PDF KRB5_HTML DNS_FOR_REALM LDAP LMDB`
			`OPTIONS_DEFAULT= KRB5_PDF KRB5_HTML READLINE`
			`OPTIONS_RADIO= CMD_LINE_EDITING`
			`OPTIONS_RADIO_CMD_LINE_EDITING= READLINE READLINE_PORT LIBEDIT`
			`CMD_LINE_EDITING_DESC= Command line editing for kadmin and ktutil`
			`KRB5_PDF_DESC= Install krb5 PDF documentation`
			`KRB5_HTML_DESC= Install krb5 HTML documentation`
			`DNS_FOR_REALM_DESC= Enable DNS lookups for Kerberos realm names`
			`DNS_FOR_REALM_CONFIGURE_ENABLE= dns-for-realm`
			`LDAP= Enable LDAP support`
			`LDAP_USE= OPENLDAP=yes`
			`LDAP_CONFIGURE_WITH= ldap`
			`LMDB_DESC= OpenLDAP Lightning Memory-Mapped Database support`
			`LMDB_CONFIGURE_WITH= lmdb`
			`LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb`
			`LMDB_IMPLIES= LDAP`
			`NLS_USES= gettext`
			`READLINE_USES= readline`
			`READLINE_PORT_DESC= Command line editing via devel/readline`
			`READLINE_PORT_USES= readline:port`
			`LIBEDIT_USES= libedit`
			`LIBEDIT_CONFIGURE_WITH= libedit`

			`.if defined(KRB5_HOME)`
			`PREFIX= ${KRB5_HOME}`
			`.endif`
			`CPPFLAGS+= -I${OPENSSLINC}`
			`LDFLAGS+= -L${OPENSSLLIB}`

			`USE_RC_SUBR= kpropd`
			`OPTIONS_SUB= yes`
			`WRKSRC_SUBDIR= src`
			`PORTEXAMPLES= kdc.conf krb5.conf services.append`

			`.include <bsd.port.options.mk>`

			`# Fix up -Wl,-rpath in LDFLAGS`
			`.if !empty(KRB5_HOME)`
			`_RPATH= ${KRB5_HOME}/lib:`
			`.else`
			`_RPATH= ${LOCALBASE}/lib:`
			`.endif`
			`.if !empty(LDFLAGS:M-Wl,-rpath,*)`
			`.for F in ${LDFLAGS:M-Wl,-rpath,*}`
			`LDFLAGS:= -Wl,-rpath,${_RPATH}${F:S/-Wl,-rpath,//} \`
			`${LDFLAGS:N-Wl,-rpath,*}`
			`.endfor`
			`.endif`

			`.if defined(KRB5_HOME) && ${KRB5_HOME} != ${LOCALBASE}`
			`BROKEN= LIB_DEPENDS when using KRB5_HOME is broken`
			`.endif`

			`# OPTIONS helper causes conflicting with/without`
			`.if ${PORT_OPTIONS:MREADLINE} \|\| ${PORT_OPTIONS:MREADLINE_PORT}`
			`CONFIGURE_ARGS+= --with-readline`
			`.else`
			`CONFIGURE_ARGS+= --without-readline`
			`.endif`

			`.if defined(PROGRAM_TRANSFORM_NAME) && ${PROGRAM_TRANSFORM_NAME} != ""`
			`CONFIGURE_ARGS+= --program-transform-name="${PROGRAM_TRANSFORM_NAME}"`
			`.endif`

			`HTML_DOC_DIR= ${WRKDIR}/${PORTNAME}-${PORTVERSION}/doc/html`
			`PDF_DOC_DIR= ${WRKDIR}/${PORTNAME}-${PORTVERSION}/doc/pdf`

			`.include <bsd.port.pre.mk>`

			`post-install:`
			`@${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5`
			`@${SED} "s\|%%PREFIX%%\|${PREFIX}\|" ${FILESDIR}/kdc.in > ${STAGEDIR}${PREFIX}/sbin/kdc; \`
			`${CHMOD} +x ${STAGEDIR}${PREFIX}/sbin/kdc`
			`# html documentation`
			`.if ${PORT_OPTIONS:MKRB5_PDF}`
			pdf_files=`${FIND} ${PDF_DOC_DIR} ! -type d`
			pdf_dirs=`${FIND} ${PDF_DOC_DIR} -type d`
			`for i in $${pdf_dirs}; do \`
			`${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \`
			`done; \`
			`for i in $${pdf_files}; do \`
			`${INSTALL_DATA} $${pdf} ${PREFIX}/share/doc/krb5/$${i}; \`
			`${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \`
			`done`
			`.endif`
			`.if ${PORT_OPTIONS:MKRB5_HTML}`
			html_files=`${FIND} ${HTML_DOC_DIR} ! -type d \| ${GREP} -v /_sources`
			html_dirs=`${FIND} ${HTML_DOC_DIR} -type d \| ${GREP} -v /_sources`
			`for i in $${html_dirs}; do \`
			`${MKDIR} ${PREFIX}/share/doc/krb5/$${i}; \`
			`done; \`
			`for i in $${html_files}; do \`
			`${INSTALL_DATA} $${i} ${PREFIX}/share/doc/krb5/$${i}; \`
			`${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \`
			`done`
			`.endif`
			`.if ${PORT_OPTIONS:MKRB5_PDF}`
			`for i in $${pdf_dirs}; do \`
			`${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \`
			`done \| ${TAIL} -r >> ${TMPPLIST}`
			`.endif`
			`.if ${PORT_OPTIONS:MKRB5_HTML}`
			`for i in $${html_dirs}; do \`
			`${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \`
			`done \| ${TAIL} -r >> ${TMPPLIST}`
			`.endif`
			`${ECHO_CMD} @dir share/doc/krb5 >> ${TMPPLIST}`

			`post-install-LDAP-on:`
			`${MKDIR} ${STAGEDIR}${DATADIR}`
			`${INSTALL_DATA} ${WRKSRC}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \`
			`${STAGEDIR}${DATADIR}`
			`${INSTALL_DATA} ${WRKSRC}/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \`
			`${STAGEDIR}${DATADIR}`

			`.include <bsd.port.post.mk>`