| 1 |
commit: 8de0c5c4f0e7c862d82893a94945d32b4cc38076 |
| 2 |
Author: Alexis Ballier <aballier <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Wed Feb 17 20:12:14 2016 +0000 |
| 4 |
Commit: Alexis Ballier <aballier <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Feb 17 21:08:07 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8de0c5c4 |
| 7 |
|
| 8 |
net-libs/neon: Import patch from debian & upstream to fix build with gnutls 3.4. Bug #546114. |
| 9 |
|
| 10 |
Package-Manager: portage-2.2.27 |
| 11 |
Signed-off-by: Alexis Ballier <aballier <AT> gentoo.org> |
| 12 |
|
| 13 |
net-libs/neon/files/neon-0.30.1-gnutls3.4.patch | 282 ++++++++++++++++++++++++ |
| 14 |
net-libs/neon/neon-0.30.1-r1.ebuild | 3 +- |
| 15 |
2 files changed, 284 insertions(+), 1 deletion(-) |
| 16 |
|
| 17 |
diff --git a/net-libs/neon/files/neon-0.30.1-gnutls3.4.patch b/net-libs/neon/files/neon-0.30.1-gnutls3.4.patch |
| 18 |
new file mode 100644 |
| 19 |
index 0000000..c5165a0 |
| 20 |
--- /dev/null |
| 21 |
+++ b/net-libs/neon/files/neon-0.30.1-gnutls3.4.patch |
| 22 |
@@ -0,0 +1,282 @@ |
| 23 |
+Description: fix building with GnuTLS 3.4 |
| 24 |
+ Rewrite GnuTLS PKCS#11 support to work (exclusively) with the new |
| 25 |
+ GnuTLS 3.x API. |
| 26 |
+Origin: upstream, r1963 |
| 27 |
+Author: Joe Orton <joe@××××××××××.com> |
| 28 |
+Bug-Debian: https://bugs.debian.org/782832 |
| 29 |
+Last-Update: 2015-10-03 |
| 30 |
+ |
| 31 |
+--- |
| 32 |
+ |
| 33 |
+--- neon27-0.30.1.orig/macros/neon.m4 |
| 34 |
++++ neon27-0.30.1/macros/neon.m4 |
| 35 |
+@@ -982,10 +982,11 @@ gnutls) |
| 36 |
+ |
| 37 |
+ # Check for functions in later releases |
| 38 |
+ NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \ |
| 39 |
+- gnutls_sign_callback_set \ |
| 40 |
+ gnutls_certificate_get_issuer \ |
| 41 |
+ gnutls_certificate_get_x509_cas \ |
| 42 |
+- gnutls_x509_crt_sign2]) |
| 43 |
++ gnutls_x509_crt_sign2 \ |
| 44 |
++ gnutls_certificate_set_retrieve_function2 \ |
| 45 |
++ gnutls_privkey_import_ext]) |
| 46 |
+ |
| 47 |
+ # fail if gnutls_x509_crt_sign2 is not found (it was introduced in 1.2.0, which is required) |
| 48 |
+ if test x${ac_cv_func_gnutls_x509_crt_sign2} != xyes; then |
| 49 |
+@@ -1039,7 +1040,7 @@ posix|yes) |
| 50 |
+ ;; |
| 51 |
+ esac |
| 52 |
+ |
| 53 |
+-case ${with_pakchois}X${ac_cv_func_gnutls_sign_callback_set}Y${ne_cv_lib_ssl097} in |
| 54 |
++case ${with_pakchois}X${ac_cv_func_gnutls_privkey_import_ext}Y${ne_cv_lib_ssl097} in |
| 55 |
+ noX*Y*) ;; |
| 56 |
+ *X*Yyes|*XyesY*) |
| 57 |
+ # PKCS#11... ho! |
| 58 |
+--- neon27-0.30.1.orig/src/ne_gnutls.c |
| 59 |
++++ neon27-0.30.1/src/ne_gnutls.c |
| 60 |
+@@ -89,6 +89,13 @@ struct ne_ssl_client_cert_s { |
| 61 |
+ ne_ssl_certificate cert; |
| 62 |
+ gnutls_x509_privkey_t pkey; |
| 63 |
+ char *friendly_name; |
| 64 |
++#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT |
| 65 |
++ /* Signing callback & userdata provided by ne_pkcs11.c. It would |
| 66 |
++ * be better to rewrite the whole module to use gnutls_privkey_t |
| 67 |
++ * directly, but it seems impossible to dup such an object. */ |
| 68 |
++ gnutls_privkey_sign_func sign_func; |
| 69 |
++ void *sign_ud; |
| 70 |
++#endif |
| 71 |
+ }; |
| 72 |
+ |
| 73 |
+ /* Returns the highest used index in subject (or issuer) DN of |
| 74 |
+@@ -525,6 +532,10 @@ static ne_ssl_client_cert *dup_client_ce |
| 75 |
+ |
| 76 |
+ if (cc->keyless) { |
| 77 |
+ newcc->keyless = 1; |
| 78 |
++#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT |
| 79 |
++ newcc->sign_func = cc->sign_func; |
| 80 |
++ newcc->sign_ud = cc->sign_ud; |
| 81 |
++#endif |
| 82 |
+ } |
| 83 |
+ else { |
| 84 |
+ ret = gnutls_x509_privkey_init(&newcc->pkey); |
| 85 |
+@@ -553,7 +564,15 @@ dup_error: |
| 86 |
+ static int provide_client_cert(gnutls_session_t session, |
| 87 |
+ const gnutls_datum_t *req_ca_rdn, int nreqs, |
| 88 |
+ const gnutls_pk_algorithm_t *sign_algos, |
| 89 |
+- int sign_algos_length, gnutls_retr_st *st) |
| 90 |
++ int sign_algos_length, |
| 91 |
++#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 |
| 92 |
++ gnutls_pcert_st **pcert, |
| 93 |
++ unsigned int *pcert_length, |
| 94 |
++ gnutls_privkey_t *pkey |
| 95 |
++#else |
| 96 |
++ gnutls_retr2_st *st |
| 97 |
++#endif |
| 98 |
++ ) |
| 99 |
+ { |
| 100 |
+ ne_session *sess = gnutls_session_get_ptr(session); |
| 101 |
+ |
| 102 |
+@@ -611,27 +630,59 @@ static int provide_client_cert(gnutls_se |
| 103 |
+ if (sess->client_cert) { |
| 104 |
+ gnutls_certificate_type_t type = gnutls_certificate_type_get(session); |
| 105 |
+ if (type == GNUTLS_CRT_X509 |
| 106 |
+-#if LIBGNUTLS_VERSION_NUMBER > 0x030000 |
| 107 |
+- /* Ugly hack; prevent segfaults w/GnuTLS 3.0. */ |
| 108 |
+- && sess->client_cert->pkey != NULL |
| 109 |
++ && (sess->client_cert->pkey || sess->client_cert->keyless)) { |
| 110 |
++ int ret; |
| 111 |
++ |
| 112 |
++#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 |
| 113 |
++ *pkey = gnutls_malloc(sizeof *pkey); |
| 114 |
++ gnutls_privkey_init(pkey); |
| 115 |
++ |
| 116 |
++#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT |
| 117 |
++ if (sess->client_cert->sign_func) { |
| 118 |
++ int algo = gnutls_x509_crt_get_pk_algorithm(sess->client_cert->cert.subject, NULL); |
| 119 |
++ NE_DEBUG(NE_DBG_SSL, "ssl: Signing for %s.\n", gnutls_pk_algorithm_get_name(algo)); |
| 120 |
++ |
| 121 |
++ ret = gnutls_privkey_import_ext(*pkey, algo, sess->client_cert->sign_ud, |
| 122 |
++ sess->client_cert->sign_func, NULL, 0); |
| 123 |
++ } |
| 124 |
++ else |
| 125 |
+ #endif |
| 126 |
+- ) { |
| 127 |
+- NE_DEBUG(NE_DBG_SSL, "Supplying client certificate.\n"); |
| 128 |
++ if (sess->client_cert->keyless) { |
| 129 |
++ ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; |
| 130 |
++ } |
| 131 |
++ else { |
| 132 |
++ ret = gnutls_privkey_import_x509(*pkey, sess->client_cert->pkey, 0); |
| 133 |
++ } |
| 134 |
+ |
| 135 |
+- st->type = type; |
| 136 |
++ if (ret) { |
| 137 |
++ NE_DEBUG(NE_DBG_SSL, "ssl: Failed to import private key: %s.\n", gnutls_strerror(ret)); |
| 138 |
++ ne_set_error(sess, _("Failed to import private key: %s"), gnutls_strerror(ret)); |
| 139 |
++ return ret; |
| 140 |
++ } |
| 141 |
++ |
| 142 |
++ *pcert = gnutls_malloc(sizeof *pcert); |
| 143 |
++ gnutls_pcert_import_x509(*pcert, sess->client_cert->cert.subject, 0); |
| 144 |
++ *pcert_length = 1; |
| 145 |
++#else /* !HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 */ |
| 146 |
++ st->cert_type = type; |
| 147 |
+ st->ncerts = 1; |
| 148 |
+ st->cert.x509 = &sess->client_cert->cert.subject; |
| 149 |
+ st->key.x509 = sess->client_cert->pkey; |
| 150 |
+ |
| 151 |
+ /* tell GNU TLS not to deallocate the certs. */ |
| 152 |
+ st->deinit_all = 0; |
| 153 |
++#endif |
| 154 |
+ } else { |
| 155 |
+ return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; |
| 156 |
+ } |
| 157 |
+ } |
| 158 |
+ else { |
| 159 |
+- NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n"); |
| 160 |
++ NE_DEBUG(NE_DBG_SSL, "ssl: No client certificate supplied.\n"); |
| 161 |
++#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 |
| 162 |
++ *pcert_length = 0; |
| 163 |
++#else |
| 164 |
+ st->ncerts = 0; |
| 165 |
++#endif |
| 166 |
+ sess->ssl_cc_requested = 1; |
| 167 |
+ return 0; |
| 168 |
+ } |
| 169 |
+@@ -649,8 +700,12 @@ ne_ssl_context *ne_ssl_context_create(in |
| 170 |
+ ne_ssl_context *ctx = ne_calloc(sizeof *ctx); |
| 171 |
+ gnutls_certificate_allocate_credentials(&ctx->cred); |
| 172 |
+ if (flags == NE_SSL_CTX_CLIENT) { |
| 173 |
++#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 |
| 174 |
++ gnutls_certificate_set_retrieve_function2(ctx->cred, provide_client_cert); |
| 175 |
++#else |
| 176 |
+ gnutls_certificate_client_set_retrieve_function(ctx->cred, |
| 177 |
+ provide_client_cert); |
| 178 |
++#endif |
| 179 |
+ } |
| 180 |
+ gnutls_certificate_set_verify_flags(ctx->cred, |
| 181 |
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); |
| 182 |
+@@ -1206,8 +1261,10 @@ ne_ssl_client_cert *ne_ssl_clicert_impor |
| 183 |
+ } |
| 184 |
+ } |
| 185 |
+ |
| 186 |
+-ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der, |
| 187 |
+- size_t der_len) |
| 188 |
++#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT |
| 189 |
++ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len, |
| 190 |
++ gnutls_privkey_sign_func sign_func, |
| 191 |
++ void *userdata) |
| 192 |
+ { |
| 193 |
+ ne_ssl_client_cert *cc; |
| 194 |
+ gnutls_x509_crt_t x5; |
| 195 |
+@@ -1226,9 +1283,12 @@ ne_ssl_client_cert *ne__ssl_clicert_exke |
| 196 |
+ cc->keyless = 1; |
| 197 |
+ cc->decrypted = 1; |
| 198 |
+ populate_cert(&cc->cert, x5); |
| 199 |
++ cc->sign_func = sign_func; |
| 200 |
++ cc->sign_ud = userdata; |
| 201 |
+ |
| 202 |
+- return cc; |
| 203 |
++ return cc; |
| 204 |
+ } |
| 205 |
++#endif |
| 206 |
+ |
| 207 |
+ int ne_ssl_clicert_encrypted(const ne_ssl_client_cert *cc) |
| 208 |
+ { |
| 209 |
+--- neon27-0.30.1.orig/src/ne_pkcs11.c |
| 210 |
++++ neon27-0.30.1/src/ne_pkcs11.c |
| 211 |
+@@ -156,6 +156,13 @@ static RSA_METHOD *pk11_rsa_method(ne_ss |
| 212 |
+ } |
| 213 |
+ #endif |
| 214 |
+ |
| 215 |
++#ifdef HAVE_GNUTLS |
| 216 |
++static int pk11_sign_callback(gnutls_privkey_t pkey, |
| 217 |
++ void *userdata, |
| 218 |
++ const gnutls_datum_t *raw_data, |
| 219 |
++ gnutls_datum_t *signature); |
| 220 |
++#endif |
| 221 |
++ |
| 222 |
+ static int pk11_find_x509(ne_ssl_pkcs11_provider *prov, |
| 223 |
+ pakchois_session_t *pks, |
| 224 |
+ unsigned char *certid, unsigned long *cid_len) |
| 225 |
+@@ -203,7 +210,7 @@ static int pk11_find_x509(ne_ssl_pkcs11_ |
| 226 |
+ ne_ssl_client_cert *cc; |
| 227 |
+ |
| 228 |
+ #ifdef HAVE_GNUTLS |
| 229 |
+- cc = ne__ssl_clicert_exkey_import(value, a[0].value_len); |
| 230 |
++ cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, pk11_sign_callback, prov); |
| 231 |
+ #else |
| 232 |
+ cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, pk11_rsa_method(prov)); |
| 233 |
+ #endif |
| 234 |
+@@ -298,10 +305,8 @@ static int find_client_cert(ne_ssl_pkcs1 |
| 235 |
+ #ifdef HAVE_GNUTLS |
| 236 |
+ /* Callback invoked by GnuTLS to provide the signature. The signature |
| 237 |
+ * operation is handled here by the PKCS#11 provider. */ |
| 238 |
+-static int pk11_sign_callback(gnutls_session_t session, |
| 239 |
++static int pk11_sign_callback(gnutls_privkey_t pkey, |
| 240 |
+ void *userdata, |
| 241 |
+- gnutls_certificate_type_t cert_type, |
| 242 |
+- const gnutls_datum_t *cert, |
| 243 |
+ const gnutls_datum_t *hash, |
| 244 |
+ gnutls_datum_t *signature) |
| 245 |
+ { |
| 246 |
+@@ -571,11 +576,6 @@ void ne_ssl_pkcs11_provider_pin(ne_ssl_p |
| 247 |
+ void ne_ssl_set_pkcs11_provider(ne_session *sess, |
| 248 |
+ ne_ssl_pkcs11_provider *provider) |
| 249 |
+ { |
| 250 |
+-#ifdef HAVE_GNUTLS |
| 251 |
+- sess->ssl_context->sign_func = pk11_sign_callback; |
| 252 |
+- sess->ssl_context->sign_data = provider; |
| 253 |
+-#endif |
| 254 |
+- |
| 255 |
+ ne_ssl_provide_clicert(sess, pk11_provide, provider); |
| 256 |
+ } |
| 257 |
+ |
| 258 |
+--- neon27-0.30.1.orig/src/ne_privssl.h |
| 259 |
++++ neon27-0.30.1/src/ne_privssl.h |
| 260 |
+@@ -58,6 +58,10 @@ ne__ssl_clicert_exkey_import(const unsig |
| 261 |
+ |
| 262 |
+ #include <gnutls/gnutls.h> |
| 263 |
+ |
| 264 |
++#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT |
| 265 |
++#include <gnutls/abstract.h> |
| 266 |
++#endif |
| 267 |
++ |
| 268 |
+ struct ne_ssl_context_s { |
| 269 |
+ gnutls_certificate_credentials_t cred; |
| 270 |
+ int verify; /* non-zero if client cert verification required */ |
| 271 |
+@@ -78,17 +82,13 @@ struct ne_ssl_context_s { |
| 272 |
+ } client; |
| 273 |
+ #endif |
| 274 |
+ } cache; |
| 275 |
+- |
| 276 |
+-#ifdef HAVE_GNUTLS_SIGN_CALLBACK_SET |
| 277 |
+- gnutls_sign_func sign_func; |
| 278 |
+- void *sign_data; |
| 279 |
+-#endif |
| 280 |
+ }; |
| 281 |
+ |
| 282 |
+ typedef gnutls_session_t ne_ssl_socket; |
| 283 |
+ |
| 284 |
+ NE_PRIVATE ne_ssl_client_cert * |
| 285 |
+-ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len); |
| 286 |
++ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len, |
| 287 |
++ gnutls_privkey_sign_func sign_func, void *userdata); |
| 288 |
+ |
| 289 |
+ #endif /* HAVE_GNUTLS */ |
| 290 |
+ |
| 291 |
+--- neon27-0.30.1.orig/src/ne_socket.c |
| 292 |
++++ neon27-0.30.1/src/ne_socket.c |
| 293 |
+@@ -1793,11 +1793,6 @@ int ne_sock_connect_ssl(ne_socket *sock, |
| 294 |
+ gnutls_session_set_ptr(sock->ssl, userdata); |
| 295 |
+ gnutls_credentials_set(sock->ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred); |
| 296 |
+ |
| 297 |
+-#ifdef HAVE_GNUTLS_SIGN_CALLBACK_SET |
| 298 |
+- if (ctx->sign_func) |
| 299 |
+- gnutls_sign_callback_set(sock->ssl, ctx->sign_func, ctx->sign_data); |
| 300 |
+-#endif |
| 301 |
+- |
| 302 |
+ if (ctx->hostname) { |
| 303 |
+ gnutls_server_name_set(sock->ssl, GNUTLS_NAME_DNS, ctx->hostname, |
| 304 |
+ strlen(ctx->hostname)); |
| 305 |
|
| 306 |
diff --git a/net-libs/neon/neon-0.30.1-r1.ebuild b/net-libs/neon/neon-0.30.1-r1.ebuild |
| 307 |
index c2b7f79..e4de832 100644 |
| 308 |
--- a/net-libs/neon/neon-0.30.1-r1.ebuild |
| 309 |
+++ b/net-libs/neon/neon-0.30.1-r1.ebuild |
| 310 |
@@ -56,7 +56,8 @@ src_prepare() { |
| 311 |
done |
| 312 |
sed -e "s/ALL_LINGUAS=.*/ALL_LINGUAS=\"${linguas}\"/" -i configure.ac || die |
| 313 |
|
| 314 |
- epatch "${FILESDIR}"/${P}-xml2-config.patch |
| 315 |
+ epatch "${FILESDIR}"/${P}-xml2-config.patch \ |
| 316 |
+ "${FILESDIR}"/${P}-gnutls3.4.patch |
| 317 |
AT_M4DIR="macros" eautoreconf |
| 318 |
|
| 319 |
elibtoolize |
Archives