commit: e6232da235fc02eabf2dc7ee0790a51f5e811e0d |
Author: Eray Aslan <eras <AT> gentoo <DOT> org> |
AuthorDate: Tue Dec 5 10:00:13 2017 +0000 |
Commit: Eray Aslan <eras <AT> gentoo <DOT> org> |
CommitDate: Tue Dec 5 10:00:13 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6232da2 |
|
app-crypt/mit-krb5: security bump to 1.15.2-r1. Bug 639702 |
|
Package-Manager: Portage-2.3.16, Repoman-2.3.6 |
|
.../files/mit-krb5-1.15.2-fix-pkinit.patch | 98 ++++++++++++++ |
app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild | 149 +++++++++++++++++++++ |
2 files changed, 247 insertions(+) |
|
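diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
new file mode 100644
index 00000000000..4f721d4d961
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
@@ -0,0 +1,98 @@
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 74fffbf321..4b86a6f302 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -5145,33 +5145,29 @@ crypto_retieve_X509_key_usage(krb5_context context,
+ return retval;
+ }
+
+-/*
+- * Return a string format of an X509_NAME in buf where
+- * size is an in/out parameter. On input it is the size
+- * of the buffer, and on output it is the actual length
+- * of the name.
+- * If buf is NULL, returns the length req'd to hold name
+- */
+-static char *
+-X509_NAME_oneline_ex(X509_NAME * a,
+- char *buf,
+- unsigned int *size,
+- unsigned long flag)
++static krb5_error_code
++rfc2253_name(X509_NAME *name, char **str_out)
+ {
+- BIO *out = NULL;
++ BIO *b = NULL;
++ char *str;
+
+- out = BIO_new(BIO_s_mem ());
+- if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
+- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) {
+- memset(buf, 0, *size);
+- BIO_read(out, buf, (int) BIO_number_written(out));
+- }
+- else {
+- *size = BIO_number_written(out);
+- }
+- }
+- BIO_free(out);
+- return (buf);
++ *str_out = NULL;
++ b = BIO_new(BIO_s_mem());
++ if (b == NULL)
++ return ENOMEM;
++ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
++ goto error;
++ str = calloc(BIO_number_written(b) + 1, 1);
++ if (str == NULL)
++ goto error;
++ BIO_read(b, str, BIO_number_written(b));
++ BIO_free(b);
++ *str_out = str;
++ return 0;
++
++error:
++ BIO_free(b);
++ return ENOMEM;
+ }
+
+ /*
+@@ -5187,8 +5183,6 @@ crypto_cert_get_matching_data(krb5_context context,
+ krb5_principal *pkinit_sans =NULL, *upn_sans = NULL;
+ struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch;
+ unsigned int i, j;
+- char buf[DN_BUF_LEN];
+- unsigned int bufsize = sizeof(buf);
+
+ if (cd == NULL || cd->magic != CERT_MAGIC)
+ return EINVAL;
+@@ -5201,23 +5195,14 @@ crypto_cert_get_matching_data(krb5_context context,
+
+ md->ch = ch;
+
+- /* get the subject name (in rfc2253 format) */
+- X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert),
+- buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
+- md->subject_dn = strdup(buf);
+- if (md->subject_dn == NULL) {
+- retval = ENOMEM;
++ retval = rfc2253_name(X509_get_subject_name(cd->cred->cert),
++ &md->subject_dn);
++ if (retval)
+ goto cleanup;
+- }
+-
+- /* get the issuer name (in rfc2253 format) */
+- X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert),
+- buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
+- md->issuer_dn = strdup(buf);
+- if (md->issuer_dn == NULL) {
+- retval = ENOMEM;
++ retval = rfc2253_name(X509_get_issuer_name(cd->cred->cert),
++ &md->issuer_dn);
++ if (retval)
+ goto cleanup;
+- }
+
+ /* get the san data */
+ retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx,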
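Review bot: `rfc2253_name()` passes only `XN_FLAG_SEP_COMMA_PLUS` to `X509_NAME_print_ex()`, so no string-escaping flags are set and the output is, as far as the visible lines show, not RFC 2253 escaped despite the helper's name. A separator, control character or NUL byte inside an attribute value would be copied raw into a buffer that the callers then store as a C string in `md->subject_dn` and `md->issuer_dn`, which presumably feed certificate matching. Consider ORing in `ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL` if existing matching rules tolerate the changed output, or at least failing when `strlen(str)` differs from `BIO_number_written(b)`. The `BIO_read()` result is also ignored and every failure is reported as `ENOMEM`; a comment such as `/* Set *str_out to an allocated string form of name; caller frees. */` above the helper would document ownership.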
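diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild
new file mode 100644
index 00000000000..1f9cfda9466
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild
@@ -0,0 +1,149 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+CDEPEND="
+ !!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+ || (
+ >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+ >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+ >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+ )
+ keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+ openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+ pkinit? (
+ !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0[${MULTILIB_USEDEP}] )
+ libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+ )
+ xinetd? ( sys-apps/xinetd )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+DEPEND="${CDEPEND}
+ ${PYTHON_DEPS}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? (
+ ${PYTHON_DEPS}
+ dev-lang/tcl:0
+ dev-util/dejagnu
+ )"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/krb5-config
+)
+
+src_prepare() {
+ eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+ eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+ eapply -p0 "${FILESDIR}/${PN}-1.14.2-redeclared-ttyname.patch"
+ eapply "${FILESDIR}/${PN}-1.14.4-disable-nls.patch"
+ eapply -p2 "${FILESDIR}/${PN}-1.15.2-fix-pkinit.patch"
+
+ # Make sure we always use the system copies.
+ rm -rf util/{et,ss,verto}
+ sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+ eapply_user
+ eautoreconf
+}
+
+src_configure() {
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use keyutils || export ac_cv_header_keyutils_h=no
+ ECONF_SOURCE=${S} \
+ WARN_CFLAGS="set" \
+ econf \
+ $(use_with openldap ldap) \
+ "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable nls) \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --with-system-verto \
+ --disable-rpath
+}
+
+multilib_src_compile() {
+ emake -j1
+}
+
+multilib_src_test() {
+ multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+}
+
+multilib_src_install_all() {
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+
+ if use doc; then
+ dodoc -r doc/html
+ docinto pdf
+ dodoc doc/pdf/*.pdf
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+ newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+ newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+ newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}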
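Review bot: `SRC_URI` (and `HOMEPAGE`) in the new ebuild still use plain `http://web.mit.edu/...`, so the source tarball for a security bump is fetched over an unauthenticated channel. Portage's Manifest checksums should catch a modified tarball, but the Manifest is not part of this diff; assuming upstream serves the same path over TLS, `SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"` removes the reliance on that single check. A one-line comment above the `eapply -p2 "${FILESDIR}/${PN}-1.15.2-fix-pkinit.patch"` call naming Bug 639702 would also tell a later maintainer why the patch is carried and when it can be dropped.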