authorcy <cy@FreeBSD.org>2011-09-06 23:55:36 +0800
committercy <cy@FreeBSD.org>2011-09-06 23:55:36 +0800
commitcd8a9c46bffe719eaef7257738be4eecbe5e3b0d (patch)
treefeb305ca710eaaf5eae5e5fc4b56f8bd0f0164e7 /security
parentf0cfc5e0be39d287effce3e03353ef7807314dc4 (diff)
Apply patch from MIT KRB5 GIT tree commit: 043533c2f13d2bc69316.
libgssrpc was ignorant of the remote address of the kadmin socket, even when it's IPv4. This made old-style GSSAPI authentication fail because it uses the wrong channel bindings. Fix this problem by making clnttcp_create() get the remote address from the socket using getpeername() if the caller doesn't provide it and it's an IPv4 address. PR: 160500 Submitted by: Ben Kaduk <kaduk@mit.edu>
Diffstat (limited to 'security')
-rw-r--r--security/krb5/Makefile1
-rw-r--r--security/krb5/files/patch-lib-rpc-clnt_tcp.c21
2 files changed, 22 insertions, 0 deletions
diff --git a/security/krb5/Makefile b/security/krb5/Makefile
index ed7d95ee8e57..e817b3721539 100644
--- a/security/krb5/Makefile
+++ b/security/krb5/Makefile
@@ -7,6 +7,7 @@
PORTNAME= krb5
PORTVERSION= 1.9.1
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
#PATCH_SITES= http://web.mit.edu/kerberos/advisories/
diff --git a/security/krb5/files/patch-lib-rpc-clnt_tcp.c b/security/krb5/files/patch-lib-rpc-clnt_tcp.c
new file mode 100644
index 000000000000..8427e25152e1
--- /dev/null
+++ b/security/krb5/files/patch-lib-rpc-clnt_tcp.c
@@ -0,0 +1,21 @@
+--- lib/rpc/clnt_tcp.c.orig 2011-09-06 02:05:14.000000000 +0000
++++ lib/rpc/clnt_tcp.c 2011-09-06 02:10:30.000000000 +0000
+@@ -187,9 +187,16 @@
+ ct->ct_sock = *sockp;
+ ct->ct_wait.tv_usec = 0;
+ ct->ct_waitset = FALSE;
+- if (raddr == NULL)
+- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
++ if (raddr == NULL) {
++ /* Get the remote address from the socket, if it's IPv4. */
++ struct sockaddr_in sin;
++ socklen_t len = sizeof(sin);
++ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
++ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
++ ct->ct_addr = sin;
+ else
++ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
++ } else
+ ct->ct_addr = *raddr;
+
+ /*
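Review bot: The fallback `memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));` still runs silently when getpeername() fails or the peer is not IPv4, so the channel-binding mismatch described in the commit message presumably remains for those connections, with nothing to tell the operator why old-style GSSAPI authentication failed. I would document that limit on the else branch, for example `/* Non-IPv4 peer or getpeername() error: address stays zeroed, so address-based channel bindings will not match. */`. It is also worth a short comment that the `len == sizeof(sin)` test is what rejects larger address families, since getpeername() reports the untruncated length when the buffer is too small. The enclosing clnttcp_create() starts and ends outside this hunk, so how ct_addr is consumed later is not visible here.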