commit: d987187cc95abbca02949ae2d94a84963fe5f74a Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Mon Mar 4 03:08:13 2024 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Mar 4 03:08:13 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d987187c
app-crypt/gnupg: backport fix for gpgme tests Closes: https://bugs.gentoo.org/924386 Signed-off-by: Sam James <sam <AT> gentoo.org> .../gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch | 156 +++++++++++++++++ .../gnupg/files/gnupg-2.2.42-gpgme-tests.patch | 39 +++++ app-crypt/gnupg/gnupg-2.2.42-r3.ebuild | 184 +++++++++++++++++++++ 3 files changed, 379 insertions(+) diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch new file mode 100644 index 000000000000..21be675adef4 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch @@ -0,0 +1,156 @@ +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d6c428699db7aa20f8b6ca9fe83197a0314b7e91 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c33c4fdf10b7ed9e03f2afe988d93f3085b727aa +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=41c022072599bc3f12f659e962653548cd86fa3a + +From d6c428699db7aa20f8b6ca9fe83197a0314b7e91 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gni...@fsij.org> +Date: Thu, 15 Feb 2024 15:38:34 +0900 +Subject: [PATCH] dirmngr: Fix proxy with TLS. + +* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always +available regardless of USE_TLS. +(send_request): Remove USE_TLS. + +-- + +Since quite some time building w/o TLS won't work. + +GnuPG-bug-id: 6997 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2498,9 +2498,7 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) + } + + +- + /* Use the CONNECT method to proxy our TLS stream. */ +-#ifdef USE_TLS + static gpg_error_t + run_proxy_connect (http_t hd, proxy_info_t proxy, + const char *httphost, const char *server, +@@ -2709,7 +2707,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + xfree (tmpstr); + return err; + } +-#endif /*USE_TLS*/ + + + /* Make a request string using a standard proxy. On success the +@@ -2866,7 +2863,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + goto leave; + } + +-#if USE_TLS + if (use_http_proxy && hd->uri->use_tls) + { + err = run_proxy_connect (hd, proxy, httphost, server, port); +@@ -2878,7 +2874,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + * clear the flag to indicate this. */ + use_http_proxy = 0; + } +-#endif /* USE_TLS */ + + #if HTTP_USE_NTBTLS + err = run_ntbtls_handshake (hd); +-- +2.30.2 + +From c33c4fdf10b7ed9e03f2afe988d93f3085b727aa Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gni...@fsij.org> +Date: Fri, 16 Feb 2024 11:31:37 +0900 +Subject: [PATCH] dirmngr: Fix the regression of use of proxy for TLS + connection. + +* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it +causes resource leak of FP_WRITE. +Don't try to read response body to fix the hang. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gni...@fsij.org> +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2520,6 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; ++ hd->keep_alive = 0; + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2541,13 +2542,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + httphost ? httphost : server, + port, + authhdr ? authhdr : "", +- auth_basic? "" : "Connection: keep-alive\r\n"); ++ hd->keep_alive? "Connection: keep-alive\r\n" : ""); + if (!request) + { + err = gpg_error_from_syserror (); + goto leave; + } +- hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) + log_debug_with_string (request, "http.c:proxy:request:"); +@@ -2574,16 +2574,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + if (err) + goto leave; + +- { +- unsigned long count = 0; +- +- while (es_getc (hd->fp_read) != EOF) +- count++; +- if (opt_debug) +- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", +- count); +- } +- + /* Reset state. */ + es_clearerr (hd->fp_read); + ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; +-- +2.30.2 + +From 41c022072599bc3f12f659e962653548cd86fa3a Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gni...@fsij.org> +Date: Fri, 16 Feb 2024 16:24:26 +0900 +Subject: [PATCH] dirmngr: Fix keep-alive flag handling. + +* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic +Authentication. Fix resource leak of FP_WRITE. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gni...@fsij.org> +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2520,7 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; +- hd->keep_alive = 0; ++ hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2684,6 +2684,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + } + + leave: ++ if (hd->keep_alive) ++ { ++ es_fclose (hd->fp_write); ++ hd->fp_write = NULL; ++ /* The close has released the cookie and thus we better set it ++ * to NULL. */ ++ hd->write_cookie = NULL; ++ } + /* Restore flags, destroy stream, reset state. */ + hd->flags = saved_flags; + es_fclose (hd->fp_read); +-- +2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch new file mode 100644 index 000000000000..f10154b303e5 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch @@ -0,0 +1,39 @@ +https://bugs.gentoo.org/924386 +https://dev.gnupg.org/T7003 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f50c543326c2eea6b40f548d61cf3a66a077bf54 + +From f50c543326c2eea6b40f548d61cf3a66a077bf54 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gni...@fsij.org> +Date: Fri, 1 Mar 2024 13:59:43 +0900 +Subject: [PATCH] agent: Allow simple KEYINFO command when restricted. + +* agent/command.c (cmd_keyinfo): Only forbid list command. + +-- + +GnuPG-bug-id: 7003 +Signed-off-by: NIIBE Yutaka <gni...@fsij.org> +--- a/agent/command.c ++++ b/agent/command.c +@@ -1282,9 +1282,6 @@ cmd_keyinfo (assuan_context_t ctx, char *line) + char hexgrip[41]; + int disabled, ttl, confirm, is_ssh; + +- if (ctrl->restricted) +- return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); +- + if (has_option (line, "--ssh-list")) + list_mode = 2; + else +@@ -1333,6 +1330,9 @@ cmd_keyinfo (assuan_context_t ctx, char *line) + char *dirname; + gnupg_dirent_t dir_entry; + ++ if (ctrl->restricted) ++ return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); ++ + dirname = make_filename_try (gnupg_homedir (), + GNUPG_PRIVATE_KEYS_DIR, NULL); + if (!dirname) +-- +2.30.2 diff --git a/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild b/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild new file mode 100644 index 000000000000..dcb738d1d5ba --- /dev/null +++ b/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild @@ -0,0 +1,184 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/"; +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3+" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" +RESTRICT="!test? ( test )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.8.0:= + >=dev-libs/libgpg-error-1.38 + >=dev-libs/libksba-1.3.5 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + sys-libs/zlib + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + ssl? ( >=net-libs/gnutls-3.0:= ) + tofu? ( >=dev-db/sqlite-3.7 ) +" +RDEPEND=" + ${DEPEND} + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/${P}-bug923248-insecure-backup.patch + "${FILESDIR}"/${P}-dirmngr-proxy.patch + "${FILESDIR}"/${P}-gpgme-tests.patch +) + +src_prepare() { + default + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i doc/examples/systemd-user/gpg-agent-ssh.socket || die +} + +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) + $(use_enable tofu) + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + --with-mailprog=/usr/libexec/sendmail + + --disable-ntbtls + --enable-gpg + --enable-gpgsm + --enable-large-secmem + + CC_FOR_BUILD="$(tc-getBUILD_CC)" + GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" + KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" + LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" + LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" + NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" + fi + + # bug #663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h + + econf "${myconf[@]}" +} + +my_src_compile() { + default + + use doc && emake -C doc html +} + +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" + + default +} + +my_src_install() { + emake DESTDIR="${D}" install + + use tools && dobin \ + tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \ + tools/make-dns-cert + + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + + dodir /etc/env.d + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die + + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + + use doc && dodoc doc/*.png + + systemd_douserunit doc/examples/systemd-user/*.{service,socket} +}
