From 1524cad3598174c8968090f7fc9329b77660ce1d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 18 Nov 2020 18:18:07 -0500
Subject: [PATCH 1/3] Hardcode value of GSS_C_DELEG_POLICY_FLAG

This value is fortunately specified by RFC 5896.  Truly ancient Kerberos
implementations, such as the Heimdal in base on FreeBSD at the time of
writing, will not provide this flag.  However, since unknown flags will
be ignored, it's fine to just provide it anyway.

Resolves: #228

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
 gssapi/raw/types.pyx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gssapi/raw/types.pyx b/gssapi/raw/types.pyx
index d2013fb9..d99f74a5 100644
--- a/gssapi/raw/types.pyx
+++ b/gssapi/raw/types.pyx
@@ -56,7 +56,11 @@ class RequirementFlag(IntEnum, metaclass=ExtendableEnum):
     anonymity = GSS_C_ANON_FLAG
     protection_ready = GSS_C_PROT_READY_FLAG
     transferable = GSS_C_TRANS_FLAG
-    ok_as_delegate = GSS_C_DELEG_POLICY_FLAG
+
+    # GSS_C_DELEG_POLICY_FLAG.  cython can't do compile-time detection of
+    # this, so take the value from RFC 5896.  Implementations that don't
+    # support it will ignore it.
+    ok_as_delegate = 32768
 
 
 class AddressType(IntEnum, metaclass=ExtendableEnum):

From a5da8f55f362f9264458ac8ce3811ac84375faae Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 18 Nov 2020 20:17:43 -0500
Subject: [PATCH 2/3] Fix detection of libgssapi_krb5.so in nonstandard path

Related: #228

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
 setup.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/setup.py b/setup.py
index b784a725..e5a78b8e 100755
--- a/setup.py
+++ b/setup.py
@@ -165,6 +165,11 @@ def get_output(*args, **kwargs):
             # To support Heimdal on Debian, read the linker path.
             if opt.startswith('-Wl,/'):
                 main_path = opt[4:] + "/"
+        if main_path == "":
+            for d in library_dirs:
+                if os.path.exists(os.path.join(d, main_lib)):
+                    main_path = d
+                    break
 
     if main_lib is None:
         raise Exception("Could not find main GSSAPI shared library.  Please "

From a6674688b85e82db35321833894dee29bed76ffd Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 18 Nov 2020 19:31:09 -0500
Subject: [PATCH 3/3] On FreeBSD, prefer the ports version of krb5 to base

Base has heimdal-1.1.0 at the time of writing, while ports have
krb5-1.18.2 and heimdal-7.7.0.

Related: #228

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
 setup.py | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/setup.py b/setup.py
index e5a78b8e..a0843552 100755
--- a/setup.py
+++ b/setup.py
@@ -37,6 +37,7 @@ def get_output(*args, **kwargs):
 
 
 # get the compile and link args
+kc = "krb5-config"
 posix = os.name != 'nt'
 link_args, compile_args = [
     shlex.split(os.environ[e], posix=posix) if e in os.environ else None
@@ -71,6 +72,26 @@ def get_output(*args, **kwargs):
     except ValueError:
         cygwinccompiler.get_msvcr = lambda *a, **kw: []
 
+if sys.platform.startswith("freebsd"):
+    # FreeBSD does $PATH backward, for our purposes.  That is, the package
+    # manager's version of the software is in /usr/local, which is in PATH
+    # *after* the version in /usr.  We prefer the package manager's version
+    # because the Heimdal in base is truly ancient, but this can be overridden
+    # - either in the "normal" fashion by putting something in PATH in front
+    # of it, or by removing /usr/local from PATH.
+
+    bins = []
+    for b in os.environ["PATH"].split(":"):
+        p = f"{b}/krb5-config"
+        if not os.path.exists(p):
+            continue
+        bins.append(p)
+
+    if len(bins) > 1 and bins[0] == "/usr/bin/krb5-config" and \
+       "/usr/local/bin/krb5-config" in bins:
+        kc = "/usr/local/bin/krb5-config"
+    print(f"Detected: {kc}")
+
 if link_args is None:
     if osx_has_gss_framework:
         link_args = ['-framework', 'GSS']
@@ -85,7 +106,7 @@ def get_output(*args, **kwargs):
     elif os.environ.get('MINGW_PREFIX'):
         link_args = ['-lgss']
     else:
-        link_args = shlex.split(get_output('krb5-config --libs gssapi'))
+        link_args = shlex.split(get_output(f"{kc} --libs gssapi"))
 
 if compile_args is None:
     if osx_has_gss_framework:
@@ -98,14 +119,14 @@ def get_output(*args, **kwargs):
     elif os.environ.get('MINGW_PREFIX'):
         compile_args = ['-fPIC']
     else:
-        compile_args = shlex.split(get_output('krb5-config --cflags gssapi'))
+        compile_args = shlex.split(get_output(f"{kc} --cflags gssapi"))
 
 # add in the extra workarounds for different include structures
 if winkrb_path:
     prefix = winkrb_path
 else:
     try:
-        prefix = get_output('krb5-config gssapi --prefix')
+        prefix = get_output(f"{kc} gssapi --prefix")
     except Exception:
         print("WARNING: couldn't find krb5-config; assuming prefix of %s"
               % str(sys.prefix))