author | 2018-04-29 20:57:52 +0100 | |
---|---|---|
committer | 2018-04-29 21:05:58 +0100 | |
commit | f7844116d980db83d97cfbe1708193964553605e (patch) | |
tree | b4a0fbd8d946dd2cde5815717daefa43b2b8b3dc | |
parent | Add media-sound/teamspeak-server-bin-3.1.2, remove obsolete teamspeak-server-... (diff) | |
Add app-crypt/mit-krb5-1.16-r2
-rw-r--r-- | app-crypt/mit-krb5/Manifest | 3 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch | 297 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch | 31 | ||||
-rw-r--r-- | app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild | 162 |
4 files changed, 493 insertions, 0 deletions
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index b3045783..e476bf60 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -4,6 +4,7 @@ AUX CVE-2014-4344.patch 325 BLAKE2B 05f04ee2f48249d318e4cc71a2b7b6f6152fd701a94b AUX CVE-2015-2695.patch 17036 BLAKE2B 1f9c5e0740330c3276346b8ca775761fed3e88ef788e83048a7829a18b3be90fe4f7c388bd364b537130a86d6210fbe21a75c2344baa21bae7891c8110992f8a SHA512 4e1499d799bed90b2857d24de29ea3bb7500b514a86c2a8f4596fb80f97f01445b7dd9d0cb19c1cfb1f03f5c6a8e2a2149a6278c720933181db8e188063dcc6a AUX CVE-2015-2696.patch 27537 BLAKE2B 3c3985ff59f6597017bb41ab41526156d46dd50621de739e0c429656f7405e0ed46ceacf5a0cb08f1a672fd0e0f01bc4241095804d0e433a4e57bc182eb31cbf SHA512 d27e836a3e8a1ca6b711c0ce4f9f68cbd42d888cb9dcaf2dcb78fdc9ca7652865c124e14c7026b4e94a722a314a0c30f732cc00344973ee5a180f11901347ed1 AUX CVE-2015-2697.patch 1982 BLAKE2B 24bde75d8a51a7de2f1400c09179008cae33b8712fdaa48970c4fa75392df523591aca80bb6aacaf88956ea106392620a1c7782d21947ea5cd0dac5c4212c2f0 SHA512 5f6a630b566c9f0cb02528fca3a789547e294acf5f3435eb62b79411187e4fcaaa58b81eff34e8ac6cbca3dacb076bd626a31687c04936b35bf7ab3e35965a31 +AUX CVE-2018-5729-5730.patch 11896 BLAKE2B 324bbd80acf4a2520909fc26f90f67cec06148ee0effecc43fbadd6c6445b57ee17eae57864c92a5ce0cdc3dbfb0540758910133195fd2078d334bc6e209a452 SHA512 b59ba6cb5d40cca6c8f539c028ba24c2fa6bd1750133545e912f519b91043d426cecf782209c373598fd895c6294e44fc2bc27af34c033ff367bdfb2cb4f91c4 AUX kpropd.xinetd 194 BLAKE2B cfc40af2e75b0ce5a71e0dfdcfe076d13d996b25d2cb50d4282bc88d7b33b317a202d57df0bb4a2b47113f0d38cb508614e122e4a3bb7dfd2397e2daa3178396 SHA512 c9bbd13f2fadfd2a925bfae834ba61f227cd4386b4c4466b5227d93c792f4549778ef4d6e08353372df99804459277c71f61b41ec71f3afcc600d73c5705f72f AUX mit-krb5-1.12_warn_cflags.patch 448 BLAKE2B cd9793866173b394bab3497d19653ca3296924cc49aaf540499b149254265af1d995b4d7493b76185ce35d123e70827cb5fcb221efc6499b86a346cfad7478ab SHA512 42364d9cd8c0a6fd28ae661eeac4d0dd3f2001fe290bf9731ee99c2c786a6488805fc93057d59e201e2cef1e5280af4c170187aa5603f4cf542906abc0fccc2b AUX mit-krb5-1.12_x32.patch 431 BLAKE2B 
a7c1e2d59cf340fcdd6d32e19ed0b3749df44e30750688cad6b6b14b445a7e9b3cb592162e05652b381a0798a7fd682d192bdf70e79072352deae416abe85e25 SHA512 8105894ad1fe144c7f7375580f00c8a1a33b666706bfcf01271f56477ef1970cf56d8bcc5eb8f9538f723a4fef670d2fb0dd17d29c7d22afc08a1152dac74879 
@@ -13,6 +14,7 @@ AUX mit-krb5-1.15.2-fix-pkinit.patch 3196 BLAKE2B 6fdf17bb1ad096bc2745c3c908fbc9 AUX mit-krb5-CVE-2014-5353.patch 820 BLAKE2B 769d827ecc5b3b6b5713015e9db4bd4987d82bdbe3aa411d6a086f5c80daac322b5f1393eaea19da4fe9cc09868a9cf5582221b578735d71fe2f74361ed7023a SHA512 db45cf33516483024cc11242d35b011c750c61c77fc4baaa952172d36a2484f2ffee0bc6170e3d54ac34155f284bb40d73bbb9843fc78cfc127807efb960b8ea AUX mit-krb5-CVE-2014-5354.patch 2344 BLAKE2B fc041da1568f909b276f95a7e5bda9a64c86839098e85afe6b711d475e2099e3fa4c531dace7830495121b7b8b572ef996e48e311b8dbf88a155f84aff3fc754 SHA512 134e3efb0fc9e562ba47b8ac013f62c6e3fa438ee8df1b68426303c8892f647aa74a6476be80d54ed7a1dd68dc60430f1bd15d6a04ae840a3c7fbe5a9f86298d AUX mit-krb5-config_LDFLAGS.patch 466 BLAKE2B 2dd4f1cfc20bea229d08201d66e3de71472dccfa45dee9b260c51578187e706b864c0b4ff81c0c5a09fd29401c2abdbe334441ca075208299b02d5e1d49aff94 SHA512 9a1ca9b33e7708346eda78d199fdc51f0d7bd08d3d65ea15a19955a6155ab71b8ee0c8989859d6dff293a141f197ea19394a91b3b641181140a289b743e0f0e7 +AUX mit-krb5-libressl-version-check.patch 1123 BLAKE2B ca8bad504949c8dcbffe5f9906a38287a2483ffef8b0326cf361f7a07c44787aa0972a24a832aa4da9a1450fa41035bf216c55e1aafb8a890cc8d88f1e210e88 SHA512 cec03ab3577fd8f96f34e51e9380622b09ac5964687b2e8e45e066d16846a9add71c3fd44f6de305ee5c5be5a27a07e4758b6752afdd8a70149b3f191be609f8 AUX mit-krb5_krb5-config_LDFLAGS.patch 458 BLAKE2B 969b6ae5de8b280a32e55374c99816a406c421d2a802f103d81e329038feb33f0bc16039f510b3b7cbd36e7956c2d35abdef5f0713e9231a81c9deb24f10d3e1 SHA512 8118518e359cb5e69e3321b7438b200d5d74ceeac16b4623bf4e4bfb4ead6c656de6fa153f9bcc454097b45a512bc8cd0798b1f062a2c4a09f75253b204a7a17 AUX mit-krb5kadmind.confd 76 BLAKE2B ca69357a77ddaf67e2f9c104b17d49af5da9891b13bd855f8b04d54bfb6ccf07ae8c5cb694f65a47646675c844c8f8c7224e8487081df678c73c554498259516 SHA512 dbf968800959f0463899031e823f003e9ece90132f452ebf03df08caf0e6a6e6ca2cfdee91491d269cfa24bef19e72dd33c7d818a4bb13ef85edfb6f0e8299f3 AUX mit-krb5kadmind.initd-r1 
592 BLAKE2B 1a40d819ad6d04fa9b5f2f3105d3faf94ad44716df312b194d16cd53c50afbeee9ad66561b7ca7b8e13389060f5f618fd0bdfea1fae82f82ef2510af7b9377a5 SHA512 f0595e9bbcd85badb403af7febce1fa28278bd7fc8118498948171ea12a27ce8b3c479a34b36639d7370193bc69a0b093ae7e3b66473078dabc38864fec931e9 @@ -47,4 +49,5 @@ EBUILD mit-krb5-1.14.1.ebuild 4029 BLAKE2B d510cc01e3c14c9147fa598255f69e31d90a5 EBUILD mit-krb5-1.14.2.ebuild 4186 BLAKE2B e998158b30327e75d4ade00dcb0ad02a2b3bab70c192af2ce520026fd3015bcac29eb4041c3d7c8a97df4b4c76517f3ae54ffe8a0965f7ea46426725287d8f2a SHA512 d9c65a953e7bc4bf44b6caadd38a975f97bc20888d70cf01081ae310a348371f6f28fb9316ba11bb847e32c5e3791bff3e1c3b39beb471623151cba1b2ab24d7 EBUILD mit-krb5-1.15.2-r1.ebuild 4108 BLAKE2B 9e938431d8172c4ccfa095612a7070805c99ba526252a6ea5ccaf2064cf9328fb78fc2f2dc8350045acb09221d5078fc801411a9d3f842455eb460216c313a31 SHA512 35b4d25e745eb744c5f3d2fe875ef29352874162c370b27f544f2b7833e5beb83b1c2f63abbe58634221f8bc2598e485d42adc5b322adbc46326af01296a7726 EBUILD mit-krb5-1.15.2.ebuild 4050 BLAKE2B bf3cb938c521397dc339c165a15ca79eab6cb88a425ba3bca2d17d0c6f0068f10040bc93db1ef05b6a0b3b88c50f7a26f08fd1750fd19cfa5c6ac611838cf0ef SHA512 c4f8621964980b1c954399cbdefc10699736eaf457d5ddbe0af8b62e513a81ae610b66658f6f12416f9adead9310773db19d5441b88fe948077cf287346b99bc +EBUILD mit-krb5-1.16-r2.ebuild 4450 BLAKE2B 042b9c87fd67fc7d4d97507909b03084bfb253e2962a16406496980d39e27a520d15fc6134ec3f4ca28d0fcd213813ba347d1dc3a60c363db924391320c72f0c SHA512 e497dc90e18e197e6e82634d6eea22e7e0307bc5dc914d71427cc5670011fa97a6ed960624cced32b7cf057dd708b5b402608c46185e6a541e2fd67df605d881 EBUILD mit-krb5-1.16.ebuild 4294 BLAKE2B 1a31e5ca55e668370198ace716170a12d35adeb81442b830dc5280aeca708fa1ebe0e87bf257a4e6f21a5b32653c4730160ce0b48081b2dad844975170f7e844 SHA512 0a5bae71ad3f0502bea1464dd0f567623e26cae04fcfa7478a19adcd42972db21cccc837dc96ac346b422b884283f7b1ffd1cf750d4dde138c8da090d67fe29c 
diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
new file mode 100644
index 00000000..114cfe68
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
@@ -0,0 +1,297 @@ +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 2420f2c2be..a59a65e8f6 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle, + return KADM5_BAD_MASK; + if((mask & ~ALL_PRINC_MASK)) + return KADM5_BAD_MASK; ++ if (mask & KADM5_TL_DATA) { ++ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL; ++ tl_data_tail = tl_data_tail->tl_data_next) { ++ if (tl_data_tail->tl_data_type < 256) ++ return KADM5_BAD_TL_TYPE; ++ } ++ } + + /* + * Check to see if the principal exists +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +index 535a1f309e..8b8420faa9 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h ++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op); + #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) + #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) + +-#define KDB_TL_USER_INFO 0x7ffe ++#define KDB_TL_USER_INFO 0xff + + #define KDB_TL_PRINCTYPE 0x01 + #define KDB_TL_PRINCCOUNT 0x02 +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index 88a1704950..b7c9212cb2 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry, + return ret; + } + ++static krb5_error_code ++check_dn_in_container(krb5_context context, const char *dn, ++ char *const *subtrees, unsigned int ntrees) ++{ ++ unsigned int i; ++ size_t dnlen = strlen(dn), stlen; ++ ++ for (i = 0; i < ntrees; i++) { ++ if (subtrees[i] == NULL || *subtrees[i] == '\0') ++ return 0; ++ stlen = strlen(subtrees[i]); ++ if (dnlen >= stlen && ++ strcasecmp(dn + dnlen - stlen, subtrees[i]) 
== 0 && ++ (dnlen == stlen || dn[dnlen - stlen - 1] == ',')) ++ return 0; ++ } ++ ++ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree")); ++ return EINVAL; ++} ++ ++static krb5_error_code ++check_dn_exists(krb5_context context, ++ krb5_ldap_server_handle *ldap_server_handle, ++ const char *dn, krb5_boolean nonkrb_only) ++{ ++ krb5_error_code st = 0, tempst; ++ krb5_ldap_context *ldap_context = context->dal_handle->db_context; ++ LDAP *ld = ldap_server_handle->ldap_handle; ++ LDAPMessage *result = NULL, *ent; ++ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL }; ++ char **values; ++ ++ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS); ++ if (st != LDAP_SUCCESS) ++ return set_ldap_error(context, st, OP_SEARCH); ++ ++ ent = ldap_first_entry(ld, result); ++ CHECK_NULL(ent); ++ ++ values = ldap_get_values(ld, ent, "krbticketpolicyreference"); ++ if (values != NULL) ++ ldap_value_free(values); ++ ++ values = ldap_get_values(ld, ent, "krbprincipalname"); ++ if (values != NULL) { ++ ldap_value_free(values); ++ if (nonkrb_only) { ++ st = EINVAL; ++ k5_setmsg(context, st, _("ldap object is already kerberized")); ++ goto cleanup; ++ } ++ } ++ ++cleanup: ++ ldap_msgfree(result); ++ return st; ++} ++ ++static krb5_error_code ++validate_xargs(krb5_context context, ++ krb5_ldap_server_handle *ldap_server_handle, ++ const xargs_t *xargs, const char *standalone_dn, ++ char *const *subtrees, unsigned int ntrees) ++{ ++ krb5_error_code st; ++ ++ if (xargs->dn != NULL) { ++ /* The supplied dn must be within a realm container. */ ++ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees); ++ if (st) ++ return st; ++ /* The supplied dn must exist without Kerberos attributes. */ ++ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE); ++ if (st) ++ return st; ++ } ++ ++ if (xargs->linkdn != NULL) { ++ /* The supplied linkdn must be within a realm container. 
*/ ++ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees); ++ if (st) ++ return st; ++ /* The supplied linkdn must exist. */ ++ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn, ++ FALSE); ++ if (st) ++ return st; ++ } ++ ++ if (xargs->containerdn != NULL && standalone_dn != NULL) { ++ /* standalone_dn (likely composed using containerdn) must be within a ++ * container. */ ++ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees); ++ if (st) ++ return st; ++ } ++ ++ return 0; ++} ++ + krb5_error_code + krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + char **db_args) +@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + LDAPMessage *result=NULL, *ent=NULL; + char **subtreelist = NULL; + char *user=NULL, *subtree=NULL, *principal_dn=NULL; +- char **values=NULL, *strval[10]={NULL}, errbuf[1024]; ++ char *strval[10]={NULL}, errbuf[1024]; + char *filtuser=NULL; + struct berval **bersecretkey=NULL; + LDAPMod **mods=NULL; + krb5_boolean create_standalone=FALSE; +- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; ++ krb5_boolean establish_links=FALSE; + char *standalone_principal_dn=NULL; + krb5_tl_data *tl_data=NULL; + krb5_key_data **keys=NULL; +@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + * any of the subtrees + */ + if (xargs.dn_from_kbd == TRUE) { +- /* make sure the DN falls in the subtree */ +- int dnlen=0, subtreelen=0; +- char *dn=NULL; +- krb5_boolean outofsubtree=TRUE; +- +- if (xargs.dn != NULL) { +- dn = xargs.dn; +- } else if (xargs.linkdn != NULL) { +- dn = xargs.linkdn; +- } else if (standalone_principal_dn != NULL) { +- /* +- * Even though the standalone_principal_dn is constructed +- * within this function, there is the containerdn input +- * from the user that can become part of the it. 
+- */ +- dn = standalone_principal_dn; +- } +- + /* Get the current subtree list if we haven't already done so. */ + if (subtreelist == NULL) { + st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees); +@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + goto cleanup; + } + +- for (tre=0; tre<ntrees; ++tre) { +- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) { +- outofsubtree = FALSE; +- break; +- } else { +- dnlen = strlen (dn); +- subtreelen = strlen(subtreelist[tre]); +- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { +- outofsubtree = FALSE; +- break; +- } +- } +- } +- +- if (outofsubtree == TRUE) { +- st = EINVAL; +- k5_setmsg(context, st, _("DN is out of the realm subtree")); ++ st = validate_xargs(context, ldap_server_handle, &xargs, ++ standalone_principal_dn, subtreelist, ntrees); ++ if (st) + goto cleanup; +- } +- +- /* +- * dn value will be set either by dn, linkdn or the standalone_principal_dn +- * In the first 2 cases, the dn should be existing and in the last case we +- * are supposed to create the ldap object. so the below should not be +- * executed for the last case. +- */ +- +- if (standalone_principal_dn == NULL) { +- /* +- * If the ldap object is missing, this results in an error. +- */ +- +- /* +- * Search for krbprincipalname attribute here. +- * This is to find if a kerberos identity is already present +- * on the ldap object, in which case adding a kerberos identity +- * on the ldap object should result in an error. 
+- */ +- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; +- +- ldap_msgfree(result); +- result = NULL; +- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); +- if (st == LDAP_SUCCESS) { +- ent = ldap_first_entry(ld, result); +- if (ent != NULL) { +- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { +- ldap_value_free(values); +- } +- +- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { +- krb_identity_exists = TRUE; +- ldap_value_free(values); +- } +- } +- } else { +- st = set_ldap_error(context, st, OP_SEARCH); +- goto cleanup; +- } +- } +- } +- +- /* +- * If xargs.dn is set then the request is to add a +- * kerberos principal on a ldap object, but if +- * there is one already on the ldap object this +- * should result in an error. +- */ +- +- if (xargs.dn != NULL && krb_identity_exists == TRUE) { +- st = EINVAL; +- snprintf(errbuf, sizeof(errbuf), +- _("ldap object is already kerberized")); +- k5_setmsg(context, st, "%s", errbuf); +- goto cleanup; + } + + if (xargs.linkdn != NULL) { +diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py +index 217f2cdc3b..6e563b1032 100755 +--- a/src/tests/t_kdb.py ++++ b/src/tests/t_kdb.py +@@ -203,6 +203,12 @@ def ldap_add(dn, objectclass, attrs=[]): + # in the test LDAP server. + realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'], + expected_code=1, expected_msg='DN is out of the realm subtree') ++# Check that the DN container check is a hierarchy test, not a simple ++# suffix match (CVE-2018-5730). We expect this operation to fail ++# either way (because "xcn" isn't a valid DN tag) but the container ++# check should happen before the DN is parsed. 
++realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'], ++ expected_code=1, expected_msg='DN is out of the realm subtree') + realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1']) + realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1') + realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'], +@@ -226,6 +232,11 @@ def ldap_add(dn, objectclass, attrs=[]): + 'princ3']) + realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'], + expected_code=1, expected_msg='containerdn option not supported') ++# Verify that containerdn is checked when linkdn is also supplied ++# (CVE-2018-5730). ++realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', ++ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1, ++ expected_msg='DN is out of the realm subtree') + + # Create and modify a ticket policy. + kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour', diff --git a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch new file mode 100644 index 00000000..5c979cfd --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch 
@@ -0,0 +1,31 @@
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -191,7 +191,7 @@ pkinit_pkcs11_code_to_text(int err);
+ (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+
+ /* 1.1 standardizes constructor and destructor names, renaming
+ * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
+@@ -3059,7 +3059,7 @@ cleanup:
+ return retval;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+
+ /*
+ * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+@@ -46,7 +46,7 @@
+ #include <openssl/asn1.h>
+ #include <openssl/pem.h>
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #include <openssl/asn1t.h>
+ #else
+ #include <openssl/asn1_mac.h>
diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
new file mode 100644
index 00000000..ce816f48
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
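Review bot: The new patch file has no header explaining what it fixes or where it came from, so the first thing a reader sees is `--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`. Patches kept under files/ conventionally open with a few lines of free text before the first `---` line (patch ignores them) giving the reason and a bug or upstream reference — here presumably that LibreSSL defines LIBRESSL_VERSION_NUMBER yet its API tracks pre-1.1 OpenSSL, so every `OPENSSL_VERSION_NUMBER >= 0x10100000L` test must exclude it; that reasoning should be confirmed and written down rather than inferred from the three hunks. The same point applies to CVE-2018-5729-5730.patch in the preceding section, which carries git index lines but no upstream commit reference or description of the two CVEs it addresses.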
@@ -0,0 +1,162 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +PYTHON_COMPAT=( python2_7 ) +inherit autotools eutils flag-o-matic python-any-r1 versionator systemd multilib-minimal + +MY_P="${P/mit-}" +P_DIR=$(get_version_component_range 1-2) +DESCRIPTION="MIT Kerberos V" +HOMEPAGE="https://web.mit.edu/kerberos/www/" +SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz" + +LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )" +SLOT="0" +KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ~ppc ppc64 ~s390 ~sh ~sparc x86" +IUSE="doc +keyutils libressl nls openldap +pkinit selinux sep-usr systemd +threads test xinetd" + +# Test suite require network access +RESTRICT="test" + +CDEPEND=" + !!app-crypt/heimdal + >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}] + || ( + >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}] + >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}] + ) + keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] ) + nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] ) + openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] ) + pkinit? ( + !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] ) + libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] ) + ) + xinetd? ( sys-apps/xinetd )" +DEPEND="${CDEPEND} + ${PYTHON_DEPS} + virtual/yacc + doc? ( virtual/latex-base ) + test? ( + ${PYTHON_DEPS} + dev-lang/tcl:0 + dev-util/dejagnu + )" +RDEPEND="${CDEPEND} + selinux? 
( sec-policy/selinux-kerberos )" + +S=${WORKDIR}/${MY_P}/src + +MULTILIB_CHOST_TOOLS=( + /usr/bin/krb5-config +) + +src_prepare() { + eapply -p2 "${FILESDIR}/CVE-2018-5729-5730.patch" + eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch" + eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch" + eapply "${FILESDIR}/${PN}-libressl-version-check.patch" + eapply "${FILESDIR}/${PN}-1.12_x32.patch" + + # Make sure we always use the system copies. + rm -rf util/{et,ss,verto} + sed -i 's:^[[:space:]]*util/verto$::' configure.in || die + + eapply_user + eautoreconf +} + +src_configure() { + # QA + append-flags -fno-strict-aliasing + append-flags -fno-strict-overflow + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use keyutils || export ac_cv_header_keyutils_h=no + ECONF_SOURCE=${S} \ + WARN_CFLAGS="set" \ + econf \ + $(use_with openldap ldap) \ + "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \ + $(use_enable nls) \ + $(use_enable pkinit) \ + $(use_enable threads thread-support) \ + --without-hesiod \ + --enable-shared \ + --with-system-et \ + --with-system-ss \ + --enable-dns-for-realm \ + --enable-kdc-lookaside-cache \ + --with-system-verto \ + --disable-rpath +} + +multilib_src_compile() { + emake -j1 +} + +multilib_src_test() { + multilib_is_native_abi && emake -j1 check +} + +multilib_src_install() { + emake \ + DESTDIR="${D}" \ + EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \ + install + + if use sep-usr && multilib_is_native_abi; then + # need the libs in / + gen_usr_ldscript -a gssapi_krb5 k5crypto krb5 krb5support + fi +} + +multilib_src_install_all() { + # default database dir + keepdir /var/lib/krb5kdc + + cd .. 
+ dodoc README + + if use doc; then + dohtml -r doc/html + docinto pdf + dodoc doc/pdf/*.pdf + fi + + newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind + newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc + newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd + newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind + newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc + newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd + + if use systemd; then + systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service + systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service + systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service + systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service" + systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket + fi + + insinto /etc + newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example + insinto /var/lib/krb5kdc + newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example + + if use openldap ; then + insinto /etc/openldap/schema + doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema" + fi + + if use xinetd ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/kpropd.xinetd" kpropd + fi +} |
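Review bot: `cd ..` in multilib_src_install_all has no `|| die`, so a failed directory change would leave the following `dodoc README` and `dohtml -r doc/html` running inside ${S} rather than its parent; the ebuild idiom is `cd .. || die`. Separately, `--enable-dns-for-realm` in multilib_src_configure deserves a why-comment, because it makes DNS-based realm lookup the compiled-in default (upstream's own default is off, as far as I recall) and krb5.conf(5) documents the trust implications under dns_lookup_realm; a line such as `# Default dns_lookup_realm to on; see krb5.conf(5) for the trust implications` above the econf call would do. The patch list in src_prepare would likewise read better with a short comment per patch, for example noting that the libressl version-check patch is applied regardless of the libressl USE flag because its hunks only key on LIBRESSL_VERSION_NUMBER.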