authorjlam <jlam>2008-02-28 08:14:41 +0000
committerjlam <jlam>2008-02-28 08:14:41 +0000
commit1e96b9c19608f947360835036060e336662ebc1f (patch)
treebae33276963ba1ce6f3c94a4ff4d0499c6bb645b /security/heimdal/patches
parent766f4a27a56c5ee0a51de964031364e17a25b9a6 (diff)
downloadpkgsrc-1e96b9c19608f947360835036060e336662ebc1f.tar.gz
Update security/heimdal to version 1.1. Changes from version 0.7.2 include:
* Read-only PKCS11 provider built-in to hx509. * Better compatibility with Windows 2008 Server pre-releases and Vista. * Add RFC3526 modp group14 as default. * Handle [kdc] database = { } entries without realm = stanzas. * Add gss_pseudo_random() for mechglue and krb5. * Make session key for the krbtgt be selected by the best encryption type of the client. * Better interoperability with other PK-INIT implementations. * Alias support for initial ticket requests. * Make ASN.1 library less paranoid with regard to NUL in string to make it inter-operate with MIT Kerberos again. * PK-INIT support. * HDB extensions support, used by PK-INIT. * New ASN.1 compiler. * GSS-API mechglue from FreeBSD. * Updated SPNEGO to support RFC4178. * Support for Cryptosystem Negotiation Extension (RFC 4537). * A new X.509 library (hx509) and related crypto functions. * A new ntlm library (heimntlm) and related crypto functions. * KDC will return the "response too big" error to force TCP retries for large (default 1400 bytes) UDP replies. This is common for PK-INIT requests. * Libkafs defaults to use 2b tokens. * krb5_kuserok() also checks ~/.k5login.d directory for acl files. * Fix memory leaks. * Bug fixes
Diffstat (limited to 'security/heimdal/patches')
-rw-r--r--security/heimdal/patches/patch-ac6
-rw-r--r--security/heimdal/patches/patch-ad41
-rw-r--r--security/heimdal/patches/patch-al6
-rw-r--r--security/heimdal/patches/patch-am25
-rw-r--r--security/heimdal/patches/patch-an145
-rw-r--r--security/heimdal/patches/patch-ao44
-rw-r--r--security/heimdal/patches/patch-ap16
-rw-r--r--security/heimdal/patches/patch-aq16
-rw-r--r--security/heimdal/patches/patch-ar8
-rw-r--r--security/heimdal/patches/patch-as25
10 files changed, 68 insertions, 264 deletions
diff --git a/security/heimdal/patches/patch-ac b/security/heimdal/patches/patch-ac
index e34eaf84cc7..56468576e11 100644
--- a/security/heimdal/patches/patch-ac
+++ b/security/heimdal/patches/patch-ac
@@ -1,8 +1,8 @@
-$NetBSD: patch-ac,v 1.2 2005/10/26 15:12:45 jlam Exp $
+$NetBSD: patch-ac,v 1.3 2008/02/28 08:14:41 jlam Exp $
---- configure.in.orig 2005-09-09 08:13:10.000000000 -0400
+--- configure.in.orig 2008-01-24 08:13:51.000000000 -0500
+++ configure.in
-@@ -15,9 +15,6 @@ AM_MAINTAINER_MODE
+@@ -16,9 +16,6 @@ AC_PROG_CPP
AC_PREFIX_DEFAULT(/usr/heimdal)
diff --git a/security/heimdal/patches/patch-ad b/security/heimdal/patches/patch-ad
index 4d5f341607d..9a5986b9d98 100644
--- a/security/heimdal/patches/patch-ad
+++ b/security/heimdal/patches/patch-ad
@@ -1,8 +1,8 @@
-$NetBSD: patch-ad,v 1.8 2007/02/20 10:17:14 rillig Exp $
+$NetBSD: patch-ad,v 1.9 2008/02/28 08:14:41 jlam Exp $
---- configure.orig Mon Feb 6 08:29:16 2006
-+++ configure Mon Feb 19 18:06:05 2007
-@@ -3182,9 +3182,6 @@
+--- configure.orig 2008-01-24 08:14:11.000000000 -0500
++++ configure
+@@ -3928,9 +3928,6 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
@@ -10,13 +10,38 @@ $NetBSD: patch-ad,v 1.8 2007/02/20 10:17:14 rillig Exp $
-test "$localstatedir" = '${prefix}/var' && localstatedir='/var/heimdal'
-
# Make sure we can run config.sub.
- $ac_config_sub sun4 >/dev/null 2>&1 ||
- { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5
-@@ -4199,7 +4196,6 @@
+ $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
+ { { echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
+@@ -4902,7 +4899,11 @@ fi #if test -n "$GCC"; then
esac
CC="$CC $abi"
-libdir="$libdir$abilibdirext"
++#
++# Comment out the following line for pkgsrc as pkgsrc always installs
++# libraries into .../lib, not .../lib{32,64}.
++#
++#libdir="$libdir$abilibdirext"
- echo "$as_me:$LINENO: checking for __attribute__" >&5
+ { echo "$as_me:$LINENO: checking for __attribute__" >&5
+@@ -29714,6 +29715,9 @@ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
++#ifdef HAVE_SYS_TYPES_H
++#include <sys/types.h>
++#endif
+ #ifdef HAVE_SYS_BSWAP_H
+ #include <sys/bswap.h>
+ #endif
+@@ -29925,6 +29929,9 @@ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
++#ifdef HAVE_SYS_TYPES_H
++#include <sys/types.h>
++#endif
+ #ifdef HAVE_SYS_BSWAP_H
+ #include <sys/bswap.h>
+ #endif
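Review bot: The two added `#include <sys/types.h>` blocks for configure (embedded hunks at 29714 and 29925) carry no explanation, while the `libdir` change just above them documents itself, and the same edit appears uncommented in the new patch-as for cf/roken-frag.m4. Both patch files should have a short comment after the `$NetBSD$` line, for example `Include <sys/types.h> before <sys/bswap.h> in the bswap16/bswap32 checks; keep patch-ad (configure) and patch-as (cf/roken-frag.m4) in sync.` The configure hunks look like the generated form of the roken-frag.m4 checks, though the hunk context does not name the function being tested, so that pairing should be confirmed before it is written down. Without the comment, a later refresh of one patch can drop the include and leave the other behind.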
diff --git a/security/heimdal/patches/patch-al b/security/heimdal/patches/patch-al
index 4d9892d20b9..8a73a278690 100644
--- a/security/heimdal/patches/patch-al
+++ b/security/heimdal/patches/patch-al
@@ -1,8 +1,8 @@
-$NetBSD: patch-al,v 1.1 2006/07/05 04:39:15 jlam Exp $
+$NetBSD: patch-al,v 1.2 2008/02/28 08:14:41 jlam Exp $
---- lib/roken/Makefile.in.orig 2006-02-06 08:32:11.000000000 -0500
+--- lib/roken/Makefile.in.orig 2008-01-24 08:14:23.000000000 -0500
+++ lib/roken/Makefile.in
-@@ -1654,6 +1654,9 @@ roken.h: make-roken$(EXEEXT)
+@@ -1421,6 +1421,9 @@ roken.h: make-roken$(EXEEXT)
make-roken.c: roken.h.in roken.awk
$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
diff --git a/security/heimdal/patches/patch-am b/security/heimdal/patches/patch-am
deleted file mode 100644
index b55e4f44837..00000000000
--- a/security/heimdal/patches/patch-am
+++ /dev/null
@@ -1,25 +0,0 @@
-$NetBSD: patch-am,v 1.1 2006/08/09 17:58:09 salo Exp $
-
-Security fix for SA21436.
-
---- appl/dceutils/k5dcecon.c.orig 2002-08-09 15:19:41.000000000 +0200
-+++ appl/dceutils/k5dcecon.c 2006-08-09 19:42:15.000000000 +0200
-@@ -71,7 +71,7 @@
- #endif
-
- #ifdef __hpux
--#define seteuid(A) setresuid(-1,A,-1);
-+#define seteuid(A) setresuid(-1,A,-1)
- #endif
-
-
-@@ -549,7 +549,8 @@ int k5dcecreate(luid, luser, pname, krbt
- */
-
- if (uid == 0) {
-- seteuid(luid);
-+ if (seteuid(luid) < 0)
-+ goto abort;
- }
-
- cp = strchr(pname,'@');
diff --git a/security/heimdal/patches/patch-an b/security/heimdal/patches/patch-an
deleted file mode 100644
index 78879014233..00000000000
--- a/security/heimdal/patches/patch-an
+++ /dev/null
@@ -1,145 +0,0 @@
-$NetBSD: patch-an,v 1.1 2006/08/09 17:58:09 salo Exp $
-
-Security fix for SA21436.
-
---- appl/ftp/ftpd/ftpd.c.orig 2005-06-02 12:41:28.000000000 +0200
-+++ appl/ftp/ftpd/ftpd.c 2006-08-09 19:42:15.000000000 +0200
-@@ -138,9 +138,9 @@ static int handleoobcmd(void);
- static int checkuser (char *, char *);
- static int checkaccess (char *);
- static FILE *dataconn (const char *, off_t, const char *);
--static void dolog (struct sockaddr *sa, int len);
-+static void dolog (struct sockaddr *, int);
- static void end_login (void);
--static FILE *getdatasock (const char *);
-+static FILE *getdatasock (const char *, int);
- static char *gunique (char *);
- static RETSIGTYPE lostconn (int);
- static int receive_data (FILE *, FILE *);
-@@ -835,7 +835,8 @@ static void
- end_login(void)
- {
-
-- seteuid((uid_t)0);
-+ if (seteuid((uid_t)0) < 0)
-+ fatal("Failed to seteuid");
- if (logged_in)
- ftpd_logwtmp(ttyline, "", "");
- pw = NULL;
-@@ -1208,14 +1209,15 @@ done:
- }
-
- static FILE *
--getdatasock(const char *mode)
-+getdatasock(const char *mode, int domain)
- {
- int s, t, tries;
-
- if (data >= 0)
- return (fdopen(data, mode));
-- seteuid(0);
-- s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
-+ if (seteuid(0) < 0)
-+ fatal("Failed to seteuid");
-+ s = socket(domain, SOCK_STREAM, 0);
- if (s < 0)
- goto bad;
- socket_set_reuseaddr (s, 1);
-@@ -1232,7 +1234,8 @@ getdatasock(const char *mode)
- goto bad;
- sleep(tries);
- }
-- seteuid(pw->pw_uid);
-+ if (seteuid(pw->pw_uid) < 0)
-+ fatal("Failed to seteuid");
- #ifdef IPTOS_THROUGHPUT
- socket_set_tos (s, IPTOS_THROUGHPUT);
- #endif
-@@ -1240,7 +1243,8 @@ getdatasock(const char *mode)
- bad:
- /* Return the real value of errno (close may change it) */
- t = errno;
-- seteuid((uid_t)pw->pw_uid);
-+ if (seteuid((uid_t)pw->pw_uid) < 0)
-+ fatal("Failed to seteuid");
- close(s);
- errno = t;
- return (NULL);
-@@ -1271,7 +1275,7 @@ dataconn(const char *name, off_t size, c
- {
- char sizebuf[32];
- FILE *file;
-- int retry = 0;
-+ int domain, retry = 0;
-
- file_size = size;
- byte_count = 0;
-@@ -1318,7 +1322,15 @@ dataconn(const char *name, off_t size, c
- if (usedefault)
- data_dest = his_addr;
- usedefault = 1;
-- file = getdatasock(mode);
-+ /*
-+ * Default to using the same socket type as the ctrl address,
-+ * unless we know the type of the data address.
-+ */
-+ domain = data_dest->sa_family;
-+ if (domain == PF_UNSPEC)
-+ domain = ctrl_addr->sa_family;
-+
-+ file = getdatasock(mode, domain);
- if (file == NULL) {
- char data_addr[256];
-
-@@ -1889,11 +1901,11 @@ dologout(int status)
- transflag = 0;
- urgflag = 0;
- if (logged_in) {
-- seteuid((uid_t)0);
-- ftpd_logwtmp(ttyline, "", "");
- #ifdef KRB4
- cond_kdestroy();
- #endif
-+ seteuid((uid_t)0); /* No need to check, we call exit() below */
-+ ftpd_logwtmp(ttyline, "", "");
- }
- /* beware of flushing buffers after a SIGPIPE */
- #ifdef XXX
-@@ -2006,12 +2018,15 @@ pasv(void)
- 0);
- socket_set_portrange(pdata, restricted_data_ports,
- pasv_addr->sa_family);
-- seteuid(0);
-+ if (seteuid(0) < 0)
-+ fatal("Failed to seteuid");
- if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
-- seteuid(pw->pw_uid);
-+ if (seteuid(pw->pw_uid) < 0)
-+ fatal("Failed to seteuid");
- goto pasv_error;
- }
-- seteuid(pw->pw_uid);
-+ if (seteuid(pw->pw_uid) < 0)
-+ fatal("Failed to seteuid");
- len = sizeof(pasv_addr_ss);
- if (getsockname(pdata, pasv_addr, &len) < 0)
- goto pasv_error;
-@@ -2050,12 +2065,15 @@ epsv(char *proto)
- 0);
- socket_set_portrange(pdata, restricted_data_ports,
- pasv_addr->sa_family);
-- seteuid(0);
-+ if (seteuid(0) < 0)
-+ fatal("Failed to seteuid");
- if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
-- seteuid(pw->pw_uid);
-+ if (seteuid(pw->pw_uid))
-+ fatal("Failed to seteuid");
- goto pasv_error;
- }
-- seteuid(pw->pw_uid);
-+ if (seteuid(pw->pw_uid) < 0)
-+ fatal("Failed to seteuid");
- len = sizeof(pasv_addr_ss);
- if (getsockname(pdata, pasv_addr, &len) < 0)
- goto pasv_error;
diff --git a/security/heimdal/patches/patch-ao b/security/heimdal/patches/patch-ao
deleted file mode 100644
index 342e457a8f8..00000000000
--- a/security/heimdal/patches/patch-ao
+++ /dev/null
@@ -1,44 +0,0 @@
-$NetBSD: patch-ao,v 1.1 2006/08/09 17:58:09 salo Exp $
-
-Security fix for SA21436.
-
---- appl/rcp/rcp.c.orig 2005-05-11 13:04:30.000000000 +0200
-+++ appl/rcp/rcp.c 2006-08-09 19:42:15.000000000 +0200
-@@ -119,13 +119,15 @@ main(int argc, char **argv)
-
- if (fflag) { /* Follow "protocol", send data. */
- response();
-- setuid(userid);
-+ if (setuid(userid) < 0)
-+ errx(1, "setuid failed");
- source(argc, argv);
- exit(errs);
- }
-
- if (tflag) { /* Receive data. */
-- setuid(userid);
-+ if (setuid(userid) < 0)
-+ errx(1, "setuid failed");
- sink(argc, argv);
- exit(errs);
- }
-@@ -221,7 +223,8 @@ toremote(char *targ, int argc, char **ar
- if (response() < 0)
- exit(1);
- free(bp);
-- setuid(userid);
-+ if (setuid(userid) < 0)
-+ errx(1, "setuid failed");
- }
- source(1, argv+i);
- }
-@@ -270,7 +273,8 @@ tolocal(int argc, char **argv)
- }
- free(bp);
- sink(1, argv + argc - 1);
-- seteuid(0);
-+ if (seteuid(0) < 0)
-+ exit(1);
- close(remin);
- remin = remout = -1;
- }
diff --git a/security/heimdal/patches/patch-ap b/security/heimdal/patches/patch-ap
deleted file mode 100644
index 0cf6ab9a525..00000000000
--- a/security/heimdal/patches/patch-ap
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-ap,v 1.1 2006/08/09 17:58:09 salo Exp $
-
-Security fix for SA21436.
-
---- appl/rcp/util.c.orig 2005-04-18 09:52:58.000000000 +0200
-+++ appl/rcp/util.c 2006-08-09 19:42:15.000000000 +0200
-@@ -112,7 +112,8 @@ susystem(s, userid)
- return (127);
-
- case 0:
-- (void)setuid(userid);
-+ if (setuid(userid) < 0)
-+ _exit(127);
- execl(_PATH_BSHELL, "sh", "-c", s, NULL);
- _exit(127);
- }
diff --git a/security/heimdal/patches/patch-aq b/security/heimdal/patches/patch-aq
deleted file mode 100644
index eeb146f1426..00000000000
--- a/security/heimdal/patches/patch-aq
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-aq,v 1.1 2006/08/09 17:58:09 salo Exp $
-
-Security fix for SA21436.
-
---- lib/roken/iruserok.c.orig 2005-04-12 13:28:54.000000000 +0200
-+++ lib/roken/iruserok.c 2006-08-09 19:42:15.000000000 +0200
-@@ -250,7 +250,8 @@ again:
- * are protected read/write owner only.
- */
- uid = geteuid();
-- seteuid(pwd->pw_uid);
-+ if (seteuid(pwd->pw_uid) < 0)
-+ return (-1);
- hostf = fopen(pbuf, "r");
- seteuid(uid);
-
diff --git a/security/heimdal/patches/patch-ar b/security/heimdal/patches/patch-ar
index 835804e9e59..7bd16c282e7 100644
--- a/security/heimdal/patches/patch-ar
+++ b/security/heimdal/patches/patch-ar
@@ -1,11 +1,11 @@
-$NetBSD: patch-ar,v 1.1 2007/02/20 10:17:14 rillig Exp $
+$NetBSD: patch-ar,v 1.2 2008/02/28 08:14:41 jlam Exp $
Why should anyone want to install the libtool wrapper for a library, but
not the library itself?
---- lib/auth/afskauthlib/Makefile.in.orig Mon Feb 6 08:31:49 2006
-+++ lib/auth/afskauthlib/Makefile.in Tue Feb 20 04:20:05 2007
-@@ -347,7 +347,7 @@
+--- lib/auth/afskauthlib/Makefile.in.orig 2008-01-24 08:14:21.000000000 -0500
++++ lib/auth/afskauthlib/Makefile.in
+@@ -317,7 +317,7 @@ LIB_kafs = $(top_builddir)/lib/kafs/libk
@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
foodir = $(libdir)
diff --git a/security/heimdal/patches/patch-as b/security/heimdal/patches/patch-as
new file mode 100644
index 00000000000..0f5c3a3ec67
--- /dev/null
+++ b/security/heimdal/patches/patch-as
@@ -0,0 +1,25 @@
+$NetBSD: patch-as,v 1.1 2008/02/28 08:14:41 jlam Exp $
+
+--- cf/roken-frag.m4.orig 2008-01-24 08:13:43.000000000 -0500
++++ cf/roken-frag.m4
+@@ -243,12 +243,18 @@ AC_FOREACH([rk_func], [asprintf vasprint
+ rk_func)])
+
+ AC_FIND_FUNC_NO_LIBS(bswap16,,
+-[#ifdef HAVE_SYS_BSWAP_H
++[#ifdef HAVE_SYS_TYPES_H
++#include <sys/types.h>
++#endif
++#ifdef HAVE_SYS_BSWAP_H
+ #include <sys/bswap.h>
+ #endif],0)
+
+ AC_FIND_FUNC_NO_LIBS(bswap32,,
+-[#ifdef HAVE_SYS_BSWAP_H
++[#ifdef HAVE_SYS_TYPES_H
++#include <sys/types.h>
++#endif
++#ifdef HAVE_SYS_BSWAP_H
+ #include <sys/bswap.h>
+ #endif],0)
+