subject:"\[gentoo\-commits\] repo\/gentoo\:master commit in\: app\-crypt\/mit\-krb5\/files\/, app\-crypt\/mit\-krb5\/"

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2022-11-21 Thread Sam James

commit: 5163051e02908e8415eb36cbee56727e08c3b1c1
Author: Sam James  gentoo  org>
AuthorDate: Tue Nov 22 04:44:24 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Nov 22 04:44:24 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5163051e

app-crypt/mit-krb5: add autoconf 2.72 patch

Signed-off-by: Sam James  gentoo.org>

 .../files/mit-krb5-1.20.1-autoconf-2.72.patch  | 31 ++
 app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild  |  1 +
 2 files changed, 32 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch
new file mode 100644
index ..b55193bcc7fa
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.20.1-autoconf-2.72.patch
@@ -0,0 +1,31 @@
+https://github.com/krb5/krb5/commit/d864d740d019fdf2c640460f2aa2760c7fa4d5e9
+
+From d864d740d019fdf2c640460f2aa2760c7fa4d5e9 Mon Sep 17 00:00:00 2001
+From: Julien Rische 
+Date: Thu, 17 Nov 2022 15:01:24 +0100
+Subject: [PATCH] Fix aclocal.m4 syntax error for autoconf 2.72
+
+An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf
+versions up to 2.71, but will cause an error at configure time with
+the forthcoming autoconf 2.72.
+
+[ghud...@mit.edu: added more context to commit message]
+
+ticket: 9077 (new)
+tags: pullup
+target_version: 1.20-next
+target_version: 1.19-next
+--- a/aclocal.m4
 b/aclocal.m4
+@@ -409,8 +409,8 @@ else
+   [[struct sockaddr_in6 in;
+ AF_INET6;
+ IN6_IS_ADDR_LINKLOCAL(_addr);]])],
+-[krb5_cv_inet6=yes], [krb5_cv_inet6=no])])
+-fi
++[krb5_cv_inet6=yes], [krb5_cv_inet6=no])
++fi])
+ AC_MSG_RESULT($krb5_cv_inet6)
+ if test "$krb5_cv_inet6" = no && test "$ac_cv_func_inet_ntop" = yes; then
+ AC_MSG_CHECKING(for IPv6 compile-time support with -DINET6)
+

diff --git a/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild
index 1d7889bfab83..cd47708db88f 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild
@@ -54,6 +54,7 @@ PATCHES=(
"${FILESDIR}/${PN}_dont_create_rundir.patch"
"${FILESDIR}/${PN}-1.18.2-krb5-config.patch"
"${FILESDIR}/${PN}-1.20-missing-time-include.patch"
+   "${FILESDIR}/${PN}-1.20.1-autoconf-2.72.patch"
 )
 
 MULTILIB_CHOST_TOOLS=(

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2022-11-07 Thread Eray Aslan

commit: 3fb4979bc5980af0060e50e80ee5bea3ae72a713
Author: Eray Aslan  gentoo  org>
AuthorDate: Mon Nov  7 10:43:02 2022 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Mon Nov  7 10:43:02 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3fb4979b

app-crypt/mit-krb5: drop 1.19.2-r4, 1.19.3-r2

Signed-off-by: Eray Aslan  gentoo.org>

 app-crypt/mit-krb5/Manifest|   2 -
 .../mit-krb5/files/mit-krb5-CVE-2021-37750.patch   |  43 --
 app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild   | 162 -
 app-crypt/mit-krb5/mit-krb5-1.19.3-r2.ebuild   | 161 
 4 files changed, 368 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 04c701bf322e..ed2f9ab88d2c 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,3 +1 @@
-DIST krb5-1.19.2.tar.gz 8741053 BLAKE2B 
963722721201e75381c91a2af6e982f569a5b1602beb2d1ded83d35f6f914235a6ed91e5d54f56c97e94921a32ed27c49aded258327966ee13d39485208c38d8
 SHA512 
b90d6ed0e1e8a87eb5cb2c36d88b823a6a6caabf85e5d419adb8a930f7eea09a5f8491464e7e454cca7ba88be09d19415962fe0036ad2e31fc584f9fc0bbd470
-DIST krb5-1.19.3.tar.gz 8741343 BLAKE2B 
79e68237ee82affa85299060c509e303453c0fab965adc6b9ed305ab64a1f73bd51e65df1b3faadc60815cd506ffefaeed535765ca060d393a9141812f85b48a
 SHA512 
18235440d6f7d8a72c5d7ca5cd8c6465e8adf091d85c483225c7b00d64b4688c1c7924cb800c2fc17e590b2709f1a9de48e6ec79f6debd11dcb7d6fa16c6f351
 DIST krb5-1.20.tar.gz 8660756 BLAKE2B 
fdaaab6c16dbe073c4308f312e321536b582b75fad10e5450be66b6b828825c8c775e56f5287d4a7df819d20889e5c0d9cc1d179d861c9caba185332c0db7387
 SHA512 
9aed84a971a4d74188468870260087ec7c3a614cceb5fe32ad7da1cb8db3d66e00df801c9f900f0131ac56eb828674b8be93df474c2d13b892b70c7977388604

diff --git a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch 
b/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
deleted file mode 100644
index 2f4c949e9f31..
--- a/app-crypt/mit-krb5/files/mit-krb5-CVE-2021-37750.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
-From: Greg Hudson 
-Date: Tue, 3 Aug 2021 01:15:27 -0400
-Subject: [PATCH] Fix KDC null deref on TGS inner body null server
-
-After the KDC decodes a FAST inner body, it does not check for a null
-server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
-would typically result in an error from krb5_unparse_name(), but with
-the addition of get_local_tgt() it results in a null dereference.  Add
-a null check.
-
-Reported by Joseph Sutton of Catalyst.
-
-CVE-2021-37750:
-
-In MIT krb5 releases 1.14 and later, an authenticated attacker can
-cause a null dereference in the KDC by sending a FAST TGS request with
-no server field.
-
-ticket: 9008 (new)
-tags: pullup
-target_version: 1.19-next
-target_version: 1.18-next

- src/kdc/do_tgs_req.c | 5 +
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 582e497cc9..32dc65fa8e 100644
 a/kdc/do_tgs_req.c
-+++ b/kdc/do_tgs_req.c
-@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
- status = "FIND_FAST";
- goto cleanup;
- }
-+if (sprinc == NULL) {
-+status = "NULL_SERVER";
-+errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-+goto cleanup;
-+}
- 
- errcode = get_local_tgt(kdc_context, >realm, header_server,
- _tgt, _tgt_storage, _tgt_key);

diff --git a/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild
deleted file mode 100644
index a88217f5154c..
--- a/app-crypt/mit-krb5/mit-krb5-1.19.2-r4.ebuild
+++ /dev/null
@@ -1,162 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{8..10} )
-inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd 
toolchain-funcs
-
-MY_P="${P/mit-}"
-P_DIR=$(ver_cut 1-2)
-DESCRIPTION="MIT Kerberos V"
-HOMEPAGE="https://web.mit.edu/kerberos/www/;
-SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
-
-LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ~ppc ppc64 ~riscv ~s390 
sparc x86"
-IUSE="cpu_flags_x86_aes doc +keyutils lmdb nls openldap +pkinit selinux 
+threads test xinetd"
-
-# some tests requires network access
-RESTRICT="test"
-
-DEPEND="
-   !!app-crypt/heimdal
-   >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
-   || (
-   >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
-   >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
-   )
-   keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
-   lmdb? ( dev-db/lmdb:= )
-   nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
-

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2021-08-02 Thread Eray Aslan

commit: 98dc35e8c0f276aa167465b5e7636e8a975beaed
Author: Eray Aslan  gentoo  org>
AuthorDate: Mon Aug  2 10:35:50 2021 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Mon Aug  2 10:35:50 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98dc35e8

app-crypt/mit-krb5: cleanup

Bug: https://bugs.gentoo.org/803434
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Eray Aslan  gentoo.org>

 app-crypt/mit-krb5/Manifest|   3 -
 app-crypt/mit-krb5/files/CVE-2020-28196.patch  |  71 -
 .../files/mit-krb5-1.18.2-autoconf-2.70.patch  |  35 -
 .../mit-krb5/files/mit-krb5_dont_create_run.patch  |  10 --
 app-crypt/mit-krb5/mit-krb5-1.18.2-r4.ebuild   | 166 -
 app-crypt/mit-krb5/mit-krb5-1.18.3-r2.ebuild   | 164 
 app-crypt/mit-krb5/mit-krb5-1.19.1-r1.ebuild   | 161 
 7 files changed, 610 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 57a2a337308..a5005ab76f7 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,4 +1 @@
-DIST krb5-1.18.2.tar.gz 8713927 BLAKE2B 
f0eb34e67adcb86f347c59ec6ef74970a57530cc56336a84909f852cd6135079ea89828e77c906a272f54e0faf6a4a0497f2b648446eb9d048d1c51e4ec513af
 SHA512 
7cbb1b28e677fea3e0794e93951f3caaa2c49bb1175dd187951e72a466cc69d96c3b833d838000fe911c1a437d96a558e550f27c53a8b332fb9dfc7cbb7ec44c
-DIST krb5-1.18.3.tar.gz 8715312 BLAKE2B 
4f6ad4a529e7578e83d82b43c2cada33bce1dca5081ec826ee06a713f82520b783f72ec56d2ce289e10d1ddcfaa079491e43f21c035b214d244bb80e6b2a1c9f
 SHA512 
cf0bf6cf8f622fa085954e6da998d952cf64dc7ccc319972ed81ea0542089cabf2d0e8243df84da01ad6f40584768ca2f02d108630c6741fa7b3d7d98c887c01
-DIST krb5-1.19.1.tar.gz 8738142 BLAKE2B 
902dd08fe4b81b1cb0ec2bf1b95eeece0f8a87b87bae865272c7bf5dd028c01997ec4c5d24df605328db85e7cbfe9a38dd804b363b651aefa7b4eaec958a280c
 SHA512 
36bf33802119ada4650a8f69f1daca95aaf882dc96bfa7061f0340a5decd588c31fc10108ddadf1042934e0e2c3bbd975deec565b0a7f0fc2baf8b8cc6d97491
 DIST krb5-1.19.2.tar.gz 8741053 BLAKE2B 
963722721201e75381c91a2af6e982f569a5b1602beb2d1ded83d35f6f914235a6ed91e5d54f56c97e94921a32ed27c49aded258327966ee13d39485208c38d8
 SHA512 
b90d6ed0e1e8a87eb5cb2c36d88b823a6a6caabf85e5d419adb8a930f7eea09a5f8491464e7e454cca7ba88be09d19415962fe0036ad2e31fc584f9fc0bbd470

diff --git a/app-crypt/mit-krb5/files/CVE-2020-28196.patch 
b/app-crypt/mit-krb5/files/CVE-2020-28196.patch
deleted file mode 100644
index 486078437e8..000
--- a/app-crypt/mit-krb5/files/CVE-2020-28196.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-diff --git a/src/lib/krb5/asn.1/asn1_encode.c 
b/src/lib/krb5/asn.1/asn1_encode.c
-index a160cf4fe8..cd6b879f77 100644
 a/lib/krb5/asn.1/asn1_encode.c
-+++ b/lib/krb5/asn.1/asn1_encode.c
-@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len)
- static krb5_error_code
- get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
- const uint8_t **contents_out, size_t *clen_out,
--const uint8_t **remainder_out, size_t *rlen_out)
-+const uint8_t **remainder_out, size_t *rlen_out, int recursion)
- {
- krb5_error_code ret;
- uint8_t o;
-@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
- /* Indefinite form (should not be present in DER, but we accept it). 
*/
- if (tag_out->construction != CONSTRUCTED)
- return ASN1_MISMATCH_INDEF;
-+if (recursion >= 32)
-+return ASN1_OVERFLOW;
- p = asn1;
- while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
--ret = get_tag(p, len, , , , , );
-+ret = get_tag(p, len, , , , , , recursion + 1);
- if (ret)
- return ret;
- }
-@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, 
taginfo *tag_out)
- const uint8_t *contents, *remainder;
- size_t clen, rlen;
- 
--ret = get_tag(*der, len, tag_out, , , , );
-+ret = get_tag(*der, len, tag_out, , , , , 0);
- if (ret)
- return ret;
- if (rlen != 0)
-@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, 
size_t len,
- const uint8_t *rem;
- size_t rlen;
- if (!tag->implicit) {
--ret = get_tag(asn1, len, _tag, , , , );
-+ret = get_tag(asn1, len, _tag, , , , , 0);
- if (ret)
- return ret;
- /* Note: we don't check rlen (it should be 0). */
-@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const 
struct seq_info *seq,
- for (i = 0; i < seq->n_fields; i++) {
- if (len == 0)
- break;
--ret = get_tag(asn1, len, , , , , );
-+ret = get_tag(asn1, len, , , , , , 0);
- if (ret)
- goto error;
- /*
-@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len,
- *seq_out = NULL;
- *count_out =

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2021-05-01 Thread Sam James

commit: 180ca9f16a555d6e4b66f13411c12fe3eea5eb5b
Author: Sam James  gentoo  org>
AuthorDate: Sat May  1 17:20:13 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sat May  1 18:06:21 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=180ca9f1

app-crypt/mit-krb5: drop obsolete LibreSSL patches

Signed-off-by: Sam James  gentoo.org>

 .../files/mit-krb5-1.16.3-libressl-r1.patch| 101 -
 .../mit-krb5/files/mit-krb5-1.18-libressl.patch|  42 -
 app-crypt/mit-krb5/mit-krb5-1.18.2-r3.ebuild   |   2 -
 app-crypt/mit-krb5/mit-krb5-1.18.3-r1.ebuild   |   2 -
 4 files changed, 147 deletions(-)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch
deleted file mode 100644
index ca74b88bb0f..000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl-r1.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001
-From: Stefan Strogin 
-Date: Thu, 25 Apr 2019 03:48:10 +0300
-Subject: [PATCH] Fix build for LibreSSL 2.9.x
-
-asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods
-are not defined. Define them.
-
-Upstream-Status: Pending
-[Needs to be amended if
-https://github.com/libressl-portable/openbsd/pull/109 is accepted]
-Signed-off-by: Stefan Strogin 

- .../preauth/pkinit/pkinit_crypto_openssl.c| 13 
- .../preauth/pkinit/pkinit_crypto_openssl.h| 20 ++-
- 2 files changed, 28 insertions(+), 5 deletions(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 
b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 2064eb7bd..81d5d3cf2 100644
 a/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err);
- (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
- #endif
- 
--#if OPENSSL_VERSION_NUMBER < 0x1010L
-+#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)
- 
--/* 1.1 standardizes constructor and destructor names, renaming
-- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
-+/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names,
-+ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
- 
-+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL
- #define EVP_MD_CTX_new EVP_MD_CTX_create
- #define EVP_MD_CTX_free EVP_MD_CTX_destroy
- #define ASN1_STRING_get0_data ASN1_STRING_data
-+#endif
- 
- /* 1.1 makes many handle types opaque and adds accessors.  Add compatibility
-  * versions of the new accessors we use for pre-1.1. */
-@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err);
- #define OBJ_get0_data(o) ((o)->data)
- #define OBJ_length(o) ((o)->length)
- 
-+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL
- #define DH_set0_pqg compat_dh_set0_pqg
- static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
- {
-@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM 
**pub,
- if (priv != NULL)
- *priv = dh->priv_key;
- }
-+#endif /* LIBRESSL_VERSION_NUMBER */
- 
- /* Return true if the cert c includes a key usage which doesn't include u.
-  * Define using direct member access for pre-1.1. */
-@@ -3040,7 +3044,8 @@ cleanup:
- return retval;
- }
- 
--#if OPENSSL_VERSION_NUMBER >= 0x1010L
-+#if (OPENSSL_VERSION_NUMBER >= 0x1010L && 
!defined(LIBRESSL_VERSION_NUMBER)) || \
-+  LIBRESSL_VERSION_NUMBER >= 0x209fL
- 
- /*
-  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h 
b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-index 7411348fa..ac91408c4 100644
 a/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-+++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.h
-@@ -46,7 +46,25 @@
- #include 
- #include 
- 
--#if OPENSSL_VERSION_NUMBER >= 0x1010L
-+#if (OPENSSL_VERSION_NUMBER >= 0x1010L && 
!defined(LIBRESSL_VERSION_NUMBER)) || \
-+  LIBRESSL_VERSION_NUMBER >= 0x209fL
-+
-+#ifndef static_ASN1_SEQUENCE_END_name
-+#define static_ASN1_ITEM_start(itname) \
-+  static const ASN1_ITEM itname##_it = {
-+#define static_ASN1_SEQUENCE_END_name(stname, tname) \
-+  ;\
-+  static_ASN1_ITEM_start(tname) \
-+  ASN1_ITYPE_SEQUENCE,\
-+  V_ASN1_SEQUENCE,\
-+  tname##_seq_tt,\
-+  sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-+  NULL,\
-+  sizeof(stname),\
-+  #stname \
-+  ASN1_ITEM_end(tname)
-+#endif /* !defined(static_ASN1_SEQUENCE_END_name) */
-+
- #include 
- #else
- #include 
--- 
-2.21.0
-

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2020-02-15 Thread Stefan Strogin

commit: 96076573ffc3c9e64a31dd6258129bd5044bb9ee
Author: Stefan Strogin  gentoo  org>
AuthorDate: Sat Feb 15 08:50:01 2020 +
Commit: Stefan Strogin  gentoo  org>
CommitDate: Sat Feb 15 08:50:01 2020 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96076573

app-crypt/mit-krb5: add patch for LibreSSL for 1.18

Closes: https://bugs.gentoo.org/709640
Package-Manager: Portage-2.3.88, Repoman-2.3.20
Signed-off-by: Stefan Strogin  gentoo.org>

 .../mit-krb5/files/mit-krb5-1.18-libressl.patch| 42 ++
 app-crypt/mit-krb5/mit-krb5-1.18.ebuild|  1 +
 2 files changed, 43 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch
new file mode 100644
index 000..1522d42a730
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.18-libressl.patch
@@ -0,0 +1,42 @@
+From e3e3bc2a20795becda6e130d511fe59f04635624 Mon Sep 17 00:00:00 2001
+From: Stefan Strogin 
+Date: Sat, 15 Feb 2020 10:27:20 +0200
+Subject: [PATCH] Fix compilation for LibreSSL 3.0.2
+
+RSA_PKCS1_OpenSSL() is provided in LibreSSL the master branch,
+expected to be in the next release.
+See: 
https://github.com/libressl-portable/openbsd/commit/3a8c41f3a84868337fde01ec1122198ec60bdc8e
+
+Bug: https://bugs.gentoo.org/709640
+Signed-off-by: Stefan Strogin 
+---
+ tests/softpkcs11/main.c | 6 +-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tests/softpkcs11/main.c b/tests/softpkcs11/main.c
+index 1cccdfb43..a5099fbe4 100644
+--- a/tests/softpkcs11/main.c
 b/tests/softpkcs11/main.c
+@@ -47,7 +47,6 @@
+ 
+ #if OPENSSL_VERSION_NUMBER < 0x1010L
+ #define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
+-#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
+ #define RSA_get0_key compat_rsa_get0_key
+ static void
+ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
+@@ -62,6 +61,11 @@ compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const 
BIGNUM **e,
+ }
+ #endif
+ 
++#if (OPENSSL_VERSION_NUMBER < 0x1010L) || \
++defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 
0x3000200fL)
++#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
++#endif
++
+ #define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R)  \
+ {   \
+ unsigned char *p;   \
+-- 
+2.25.0
+

diff --git a/app-crypt/mit-krb5/mit-krb5-1.18.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.18.ebuild
index 393c85034b8..2c9031b2e10 100644
--- a/app-crypt/mit-krb5/mit-krb5-1.18.ebuild
+++ b/app-crypt/mit-krb5/mit-krb5-1.18.ebuild
@@ -63,6 +63,7 @@ PATCHES=(
"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
"${FILESDIR}/${PN}_dont_create_run.patch"
+   "${FILESDIR}/${P}-libressl.patch"
 )
 
 MULTILIB_CHOST_TOOLS=(

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2019-12-11 Thread Eray Aslan

commit: 7be2eed6b6b41bfa1fd1769d3e9909f571851074
Author: Eray Aslan  gentoo  org>
AuthorDate: Thu Dec 12 07:46:07 2019 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Thu Dec 12 07:46:07 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7be2eed6

app-crypt/mit-krb5: bump to 1.17.1

and dont create /run
Closes: https://bugs.gentoo.org/701430
Package-Manager: Portage-2.3.81, Repoman-2.3.20
Signed-off-by: Eray Aslan  gentoo.org>

 app-crypt/mit-krb5/Manifest|   1 +
 .../mit-krb5/files/mit-krb5_dont_create_run.patch  |  10 ++
 app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild  | 164 +
 3 files changed, 175 insertions(+)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 4b2ab0c10a3..4f15bcb4650 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1 +1,2 @@
+DIST krb5-1.17.1.tar.gz 8765399 BLAKE2B 
46be864e2db9c70d164532d82776195bf57342ce4f1fd7dfcf3cf6bd72a3639a69954f742607a2b8950b4dea8acfac5d633aa379d669de20bafe54b407bab94b
 SHA512 
e0c3dc0a6554ab3105ac32f3f01519f56064500213aa743816235d83250abc1db9a9ca38a2ba93a938d562b4af135a013017ce96346d6742bca0c812b842ceef
 DIST krb5-1.17.tar.gz 8761763 BLAKE2B 
76f636836c67e9eefca91c9417118efdcf4437c1220691f43f3d246daf3eabd53b40a30956f0e57703c3fde5d7193b1d86b68becf3ae1c0c803d2462e79d3014
 SHA512 
7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52

diff --git a/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch 
b/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch
new file mode 100644
index 000..d68e13b0675
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5_dont_create_run.patch
@@ -0,0 +1,10 @@
+--- src/Makefile.in2019-12-12 10:15:51.674552983 +0300
 src/Makefile.in2019-12-12 10:16:33.205543490 +0300
+@@ -71,7 +71,6 @@
+   $(KRB5_AD_MODULE_DIR) \
+   $(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \
+   @localstatedir@ @localstatedir@/krb5kdc \
+-  @runstatedir@ @runstatedir@/krb5kdc \
+   $(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
+   $(PKGCONFIG_DIR)
+ 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild
new file mode 100644
index 000..1b7882df2d0
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.17.1.ebuild
@@ -0,0 +1,164 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{5,6,7} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/;
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh 
~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit 
selinux +threads test xinetd"
+
+# Test suite requires network access
+#RESTRICT="test"
+
+DEPEND="
+   !!app-crypt/heimdal
+   >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+   || (
+   >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+   >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+   >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+   )
+   keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+   lmdb? ( dev-db/lmdb )
+   nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+   openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+   pkinit? (
+   !libressl? ( 
>=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+   libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] )
+   )
+   xinetd? ( sys-apps/xinetd )
+   "
+BDEPEND="
+   ${PYTHON_DEPS}
+   virtual/yacc
+   cpu_flags_x86_aes? (
+   amd64? ( dev-lang/yasm )
+   x86? ( dev-lang/yasm )
+   )
+   doc? ( virtual/latex-base )
+   test? (
+   ${PYTHON_DEPS}
+   dev-lang/tcl:0
+   dev-util/dejagnu
+   dev-util/cmocka
+   )"
+RDEPEND="${DEPEND}
+   selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+   "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+   "${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+   "${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
+   "${FILESDIR}/${PN}_dont_create_run.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+   /usr/bin/krb5-config
+)
+
+src_prepare() {
+   default
+   # Make sure we always use the system copies.
+   rm -rf util/{et,ss,verto}
+   sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2019-04-24 Thread Aaron Bauman

commit: bb54b6ddf7a0ba9ad911ea73b747743eb00759b0
Author: Stefan Strogin  gmail  com>
AuthorDate: Thu Apr 25 03:02:10 2019 +
Commit: Aaron Bauman  gentoo  org>
CommitDate: Thu Apr 25 03:31:04 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb54b6dd

app-crypt/mit-krb5: update patch for LibreSSL 2.9.1

Closes: https://bugs.gentoo.org/684302
Package-Manager: Portage-2.3.64, Repoman-2.3.12
Signed-off-by: Stefan Strogin  gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/11821
Signed-off-by: Aaron Bauman  gentoo.org>

 .../mit-krb5/files/mit-krb5-1.16.3-libressl.patch  | 101 +
 app-crypt/mit-krb5/mit-krb5-1.16.3.ebuild  |   2 +-
 2 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch
new file mode 100644
index 000..7a655fb9a1d
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.16.3-libressl.patch
@@ -0,0 +1,101 @@
+From 58263cbf3106f4c9c9a2252794093014a2f9c01f Mon Sep 17 00:00:00 2001
+From: Stefan Strogin 
+Date: Thu, 25 Apr 2019 03:48:10 +0300
+Subject: [PATCH] Fix build for LibreSSL 2.9.x
+
+asn1_mac.h is removed from LibreSSL 2.9.0, but static_ASN1_*() methods
+are not defined. Define them.
+
+Upstream-Status: Pending
+[Needs to be amended if
+https://github.com/libressl-portable/openbsd/pull/109 is accepted]
+Signed-off-by: Stefan Strogin 
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c| 13 
+ .../preauth/pkinit/pkinit_crypto_openssl.h| 20 ++-
+ 2 files changed, 28 insertions(+), 5 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 
b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 2064eb7bd..81d5d3cf2 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -188,14 +188,16 @@ pkinit_pkcs11_code_to_text(int err);
+ (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x1010L
++#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+-/* 1.1 standardizes constructor and destructor names, renaming
+- * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
++/* 1.1 (and LibreSSL 2.7) standardizes constructor and destructor names,
++ * renaming EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
+ 
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL
+ #define EVP_MD_CTX_new EVP_MD_CTX_create
+ #define EVP_MD_CTX_free EVP_MD_CTX_destroy
+ #define ASN1_STRING_get0_data ASN1_STRING_data
++#endif
+ 
+ /* 1.1 makes many handle types opaque and adds accessors.  Add compatibility
+  * versions of the new accessors we use for pre-1.1. */
+@@ -203,6 +205,7 @@ pkinit_pkcs11_code_to_text(int err);
+ #define OBJ_get0_data(o) ((o)->data)
+ #define OBJ_length(o) ((o)->length)
+ 
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x207fL
+ #define DH_set0_pqg compat_dh_set0_pqg
+ static int compat_dh_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+ {
+@@ -235,6 +238,7 @@ static void compat_dh_get0_key(const DH *dh, const BIGNUM 
**pub,
+ if (priv != NULL)
+ *priv = dh->priv_key;
+ }
++#endif /* LIBRESSL_VERSION_NUMBER */
+ 
+ /* Return true if the cert c includes a key usage which doesn't include u.
+  * Define using direct member access for pre-1.1. */
+@@ -3040,7 +3044,8 @@ cleanup:
+ return retval;
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x1010L
++#if (OPENSSL_VERSION_NUMBER >= 0x1010L && 
!defined(LIBRESSL_VERSION_NUMBER)) || \
++  LIBRESSL_VERSION_NUMBER >= 0x209fL
+ 
+ /*
+  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h 
b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+index 7411348fa..ac91408c4 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
 b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+@@ -46,7 +46,25 @@
+ #include 
+ #include 
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x1010L
++#if (OPENSSL_VERSION_NUMBER >= 0x1010L && 
!defined(LIBRESSL_VERSION_NUMBER)) || \
++  LIBRESSL_VERSION_NUMBER >= 0x209fL
++
++#ifndef static_ASN1_SEQUENCE_END_name
++#define static_ASN1_ITEM_start(itname) \
++  static const ASN1_ITEM itname##_it = {
++#define static_ASN1_SEQUENCE_END_name(stname, tname) \
++  ;\
++  static_ASN1_ITEM_start(tname) \
++  ASN1_ITYPE_SEQUENCE,\
++  V_ASN1_SEQUENCE,\
++  tname##_seq_tt,\
++  sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
++  NULL,\
++  sizeof(stname),\
++  #stname \
++  ASN1_ITEM_end(tname)
++#endif /* !defined(static_ASN1_SEQUENCE_END_name) */
++
+ #include 
+ #else
+ #include 
+-- 
+2.21.0
+

diff --git

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2018-05-10 Thread Eray Aslan

commit: f7248912b982989fc1aa142bdbbab3a375725fa5
Author: Eray Aslan  gentoo  org>
AuthorDate: Thu May 10 06:41:26 2018 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Thu May 10 06:41:53 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7248912

app-crypt/mit-krb5: remove old

Package-Manager: Portage-2.3.36, Repoman-2.3.9

 app-crypt/mit-krb5/Manifest|   1 -
 .../files/mit-krb5-1.14.2-redeclared-ttyname.patch |  26 
 .../files/mit-krb5-1.14.4-disable-nls.patch|  45 --
 .../files/mit-krb5-1.15.2-fix-pkinit.patch |  98 -
 app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild   | 145 
 app-crypt/mit-krb5/mit-krb5-1.15.2.ebuild  | 144 ---
 app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild | 152 -
 7 files changed, 611 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 2e79cf89fa3..80fe45536f5 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,3 +1,2 @@
-DIST krb5-1.15.2.tar.gz 9380755 BLAKE2B 
3f5d00a70bf44ef077872bde282e4753e82acb70632e136b8f9f8d3a192e3e7b692840803e5a3f67ddb202d53631767ea9eb8b7615d45a3479389a01a6390ac4
 SHA512 
e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2
 DIST krb5-1.16.1.tar.gz 9477480 BLAKE2B 
16bdd7d6d03ddbd4b070663c3a7a3d2331d54e8590b24f1dc162be2531bfbbbd65878d426a160c65ffc1ba4751f16bbbd177a8a91c01002fde0e886cc1bd91b9
 SHA512 
fa4ec14a4ffe690861e2dd7ea39d7698af2058ce181bb733ea891f80279f4dde4bb891adec5ccb0eaddf737306e6ceb1fe3744a2946e6189a7d7d2dd3bc5ba84
 DIST krb5-1.16.tar.gz 9474479 BLAKE2B 
0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873
 SHA512 
7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch
deleted file mode 100644
index a76cd3a7f84..000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.14.2-redeclared-ttyname.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Fixes the redeclaration of ttyname which was preventing
-enabling clang fortify.
-
-The error was;
-
-main.c:858:15: error: redeclaration of 'ttyname' must have the 'overloadable' 
attribute
-char *p, *ttyname();
-  ^
-/build/samus/usr/include/unistd.h:784:14: note: previous overload of function 
is here
-extern char *ttyname (int __fd) __THROW __CLANG_NO_MANGLE (ttyname);
-
-https://github.com/krb5/krb5/pull/568
-
-Patch by Zentaro Kavanagh 
-
 clients/ksu/main.c
-+++ clients/ksu/main.c
-@@ -855,7 +855,7 @@
- 
- static char * ontty()
- {
--char *p, *ttyname();
-+char *p;
- static char buf[MAXPATHLEN + 5];
- int result;
- 

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch
deleted file mode 100644
index 63cb0fc0c55..000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.14.4-disable-nls.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Adds support for --(enable|disable)-nls configure option.
-
-This enables\disables the generation of language files and
-sets the ENABLE_NLS define appropriately.
-
-Default value is enabled to preserve current behavior.
-
-Patch by Zentaro Kavanagh 
-https://crbug.com/654842
-
-https://github.com/krb5/krb5/pull/584
-
 src/configure.in
-+++ src/configure.in
-@@ -118,15 +118,22 @@
- ])
- AC_SUBST(LIBUTIL)
- 
--AC_CHECK_HEADER(libintl.h, [
--  AC_SEARCH_LIBS(dgettext, intl, [
--  AC_DEFINE(ENABLE_NLS, 1,
--  [Define if translation functions should be used.])])])
--
--AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
-+# Determine if NLS is desired and supported.
- po=
--if test x"$MSGFMT" != x; then
--  po=po
-+AC_ARG_ENABLE([nls],
-+AC_HELP_STRING([--disable-nls],
-+   [Disable Native Language Support(NLS).]), ,
-+   enableval=yes)
-+if test "$enableval" = yes ; then
-+AC_CHECK_HEADER(libintl.h, [
-+AC_SEARCH_LIBS(dgettext, intl, [
-+AC_DEFINE(ENABLE_NLS, 1,
-+[Define if translation functions should be 
used.])])])
-+
-+AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt)
-+if test x"$MSGFMT" != x; then
-+po=po
-+fi
- fi
- AC_SUBST(po)
- 

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
deleted file mode 100644
index 4f721d4d961..000
--- a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2018-04-13 Thread Eray Aslan

commit: 95a08abb6dc4b1a0babe590527e19ce7a5c5bd10
Author: Eray Aslan  gentoo  org>
AuthorDate: Fri Apr 13 07:01:47 2018 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Fri Apr 13 07:02:17 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95a08abb

app-crypt/mit-krb5: security bump - bug 649610

Also fix gettext dependency
Closes: https://bugs.gentoo.org/652108
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch | 297 ++
 app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild| 158 
 2 files changed, 455 insertions(+)

diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch 
b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
new file mode 100644
index 000..114cfe688e7
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
@@ -0,0 +1,297 @@
+diff --git a/src/lib/kadm5/srv/svr_principal.c 
b/src/lib/kadm5/srv/svr_principal.c
+index 2420f2c2be..a59a65e8f6 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
 b/src/lib/kadm5/srv/svr_principal.c
+@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
+ return KADM5_BAD_MASK;
+ if((mask & ~ALL_PRINC_MASK))
+ return KADM5_BAD_MASK;
++if (mask & KADM5_TL_DATA) {
++for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
++ tl_data_tail = tl_data_tail->tl_data_next) {
++if (tl_data_tail->tl_data_type < 256)
++return KADM5_BAD_TL_TYPE;
++}
++}
+ 
+ /*
+  * Check to see if the principal exists
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 
b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+index 535a1f309e..8b8420faa9 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
 b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int 
op);
+ #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
+ #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
+ 
+-#define  KDB_TL_USER_INFO  0x7ffe
++#define  KDB_TL_USER_INFO  0xff
+ 
+ #define KDB_TL_PRINCTYPE  0x01
+ #define KDB_TL_PRINCCOUNT 0x02
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 
b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 88a1704950..b7c9212cb2 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
 b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, 
krb5_db_entry *entry,
+ return ret;
+ }
+ 
++static krb5_error_code
++check_dn_in_container(krb5_context context, const char *dn,
++  char *const *subtrees, unsigned int ntrees)
++{
++unsigned int i;
++size_t dnlen = strlen(dn), stlen;
++
++for (i = 0; i < ntrees; i++) {
++if (subtrees[i] == NULL || *subtrees[i] == '\0')
++return 0;
++stlen = strlen(subtrees[i]);
++if (dnlen >= stlen &&
++strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 &&
++(dnlen == stlen || dn[dnlen - stlen - 1] == ','))
++return 0;
++}
++
++k5_setmsg(context, EINVAL, _("DN is out of the realm subtree"));
++return EINVAL;
++}
++
++static krb5_error_code
++check_dn_exists(krb5_context context,
++krb5_ldap_server_handle *ldap_server_handle,
++const char *dn, krb5_boolean nonkrb_only)
++{
++krb5_error_code st = 0, tempst;
++krb5_ldap_context *ldap_context = context->dal_handle->db_context;
++LDAP *ld = ldap_server_handle->ldap_handle;
++LDAPMessage *result = NULL, *ent;
++char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL };
++char **values;
++
++LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS);
++if (st != LDAP_SUCCESS)
++return set_ldap_error(context, st, OP_SEARCH);
++
++ent = ldap_first_entry(ld, result);
++CHECK_NULL(ent);
++
++values = ldap_get_values(ld, ent, "krbticketpolicyreference");
++if (values != NULL)
++ldap_value_free(values);
++
++values = ldap_get_values(ld, ent, "krbprincipalname");
++if (values != NULL) {
++ldap_value_free(values);
++if (nonkrb_only) {
++st = EINVAL;
++k5_setmsg(context, st, _("ldap object is already kerberized"));
++goto cleanup;
++}
++}
++
++cleanup:
++ldap_msgfree(result);
++return st;
++}
++
++static krb5_error_code
++validate_xargs(krb5_context context,
++   krb5_ldap_server_handle *ldap_server_handle,
++   const xargs_t *xargs, const char *standalone_dn,
++   char *const *subtrees, unsigned int ntrees)
++{
++krb5_error_code st;
++
++if (xargs->dn != NULL) {
++/* The supplied dn must be within a realm container. */
++st = check_dn_in_container(context, xargs->dn, subtrees, ntrees);
++if (st)
++

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2018-04-12 Thread Aaron Bauman

commit: e9f7afb1b75a3e78f0f3e468d3164f0eaf06eb10
Author: Aaron Bauman  gentoo  org>
AuthorDate: Thu Apr 12 21:26:27 2018 +
Commit: Aaron Bauman  gentoo  org>
CommitDate: Thu Apr 12 21:26:45 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9f7afb1

app-crypt/mit-krb5: properly detect LibreSSL version

Closes: https://bugs.gentoo.org/610854
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 .../files/mit-krb5-libressl-version-check.patch|  31 
 app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild | 156 +
 2 files changed, 187 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch 
b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
new file mode 100644
index 000..5c979cfd1ef
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
@@ -0,0 +1,31 @@
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -191,7 +191,7 @@ pkinit_pkcs11_code_to_text(int err);
+ (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x1010L
++#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /* 1.1 standardizes constructor and destructor names, renaming
+  * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
+@@ -3059,7 +3059,7 @@ cleanup:
+ return retval;
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x1010L
++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /*
+  * We need to decode DomainParameters from RFC 3279 section 2.3.3.  We would
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+@@ -46,7 +46,7 @@
+ #include 
+ #include 
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x1010L
++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)
+ #include 
+ #else
+ #include 

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild
new file mode 100644
index 000..c1f7a782063
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd 
versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/;
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh 
~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite require network access
+RESTRICT="test"
+
+CDEPEND="
+   !!app-crypt/heimdal
+   >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+   || (
+   >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+   >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+   >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+   )
+   keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+   openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+   pkinit? (
+   !libressl? ( 
>=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+   libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+   )
+   xinetd? ( sys-apps/xinetd )
+   abi_x86_32? (
+   !<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+   !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+   )"
+DEPEND="${CDEPEND}
+   ${PYTHON_DEPS}
+   virtual/yacc
+   doc? ( virtual/latex-base )
+   test? (
+   ${PYTHON_DEPS}
+   dev-lang/tcl:0
+   dev-util/dejagnu
+   )"
+RDEPEND="${CDEPEND}
+   selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+   /usr/bin/krb5-config
+)
+
+src_prepare() {
+   eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+   eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+   eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
+   
+   # Make sure we always use the system copies.
+   rm -rf util/{et,ss,verto}
+   sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+   eapply_user
+   eautoreconf
+}
+
+src_configure() {
+   # QA
+   append-flags -fno-strict-aliasing
+   append-flags -fno-strict-overflow
+
+   multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+   use keyutils || export ac_cv_header_keyutils_h=no
+   ECONF_SOURCE=${S} \
+   WARN_CFLAGS="set" \
+   econf \
+

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2018-01-26 Thread Thomas Deutschmann

commit: f4a050c738af81bb82e7b640667f08e3199c5ca1
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Fri Jan 26 21:07:00 2018 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Fri Jan 26 21:07:29 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a050c7

app-crypt/mit-krb5: bump, fixes CVE-2017-7562

Ebuild changes:
===
- Dropped the following upstreamed patches which are now included in v1.16:

  - mit-krb5-1.14.2-redeclared-ttyname.patch
  - mit-krb5-1.14.4-disable-nls.patch
  - mit-krb5-1.15.2-fix-pkinit.patch

- We are now installing systemd services. [Bug 524412]

- Tests are now restricted because they are requiring network access.

Closes: https://bugs.gentoo.org/524412
Bug: https://bugs.gentoo.org/628936
Package-Manager: Portage-2.3.20, Repoman-2.3.6

 app-crypt/mit-krb5/Manifest|   1 +
 app-crypt/mit-krb5/files/mit-krb5kadmind.service   |   8 ++
 app-crypt/mit-krb5/files/mit-krb5kdc.service   |   9 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd.service|   8 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd.socket |   9 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd_at.service |   8 ++
 app-crypt/mit-krb5/mit-krb5-1.16.ebuild| 155 +
 7 files changed, 198 insertions(+)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index 58df981b5a6..ef54ec04904 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1 +1,2 @@
 DIST krb5-1.15.2.tar.gz 9380755 BLAKE2B 
3f5d00a70bf44ef077872bde282e4753e82acb70632e136b8f9f8d3a192e3e7b692840803e5a3f67ddb202d53631767ea9eb8b7615d45a3479389a01a6390ac4
 SHA512 
e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2
+DIST krb5-1.16.tar.gz 9474479 BLAKE2B 
0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873
 SHA512 
7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9

diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.service 
b/app-crypt/mit-krb5/files/mit-krb5kadmind.service
new file mode 100644
index 000..f3836c89862
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 administration server
+
+[Service]
+ExecStart=/usr/sbin/kadmind -nofork
+
+[Install]
+WantedBy=multi-user.target

diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.service 
b/app-crypt/mit-krb5/files/mit-krb5kdc.service
new file mode 100644
index 000..6ec93bb7232
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kdc.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 KDC
+
+[Service]
+ExecStart=/usr/sbin/krb5kdc -n
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.service 
b/app-crypt/mit-krb5/files/mit-krb5kpropd.service
new file mode 100644
index 000..a7c5b579d2b
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Service]
+ExecStart=/usr/sbin/kpropd -S
+
+[Install]
+WantedBy=multi-user.target

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.socket 
b/app-crypt/mit-krb5/files/mit-krb5kpropd.socket
new file mode 100644
index 000..4389290c0b1
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Socket]
+ListenStream=754
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service 
b/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service
new file mode 100644
index 000..f826eb33cb3
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd_at.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+Conflicts=mit-krb5kpropd.service
+
+[Service]
+ExecStart=/usr/sbin/kpropd
+StandardInput=socket
+StandardError=syslog

diff --git a/app-crypt/mit-krb5/mit-krb5-1.16.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.16.ebuild
new file mode 100644
index 000..acd4a3ed3b7
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd 
versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/;
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh 
~sparc ~x86"
+IUSE="doc +keyutils libressl nls

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2017-12-05 Thread Eray Aslan

commit: e6232da235fc02eabf2dc7ee0790a51f5e811e0d
Author: Eray Aslan  gentoo  org>
AuthorDate: Tue Dec  5 10:00:13 2017 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Tue Dec  5 10:00:13 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6232da2

app-crypt/mit-krb5: security bump to 1.15.2-r1.  Bug 639702

Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../files/mit-krb5-1.15.2-fix-pkinit.patch |  98 ++
 app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild   | 149 +
 2 files changed, 247 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch 
b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
new file mode 100644
index 000..4f721d4d961
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-1.15.2-fix-pkinit.patch
@@ -0,0 +1,98 @@
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 
b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 74fffbf321..4b86a6f302 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -5145,33 +5145,29 @@ crypto_retieve_X509_key_usage(krb5_context context,
+ return retval;
+ }
+ 
+-/*
+- * Return a string format of an X509_NAME in buf where
+- * size is an in/out parameter.  On input it is the size
+- * of the buffer, and on output it is the actual length
+- * of the name.
+- * If buf is NULL, returns the length req'd to hold name
+- */
+-static char *
+-X509_NAME_oneline_ex(X509_NAME * a,
+- char *buf,
+- unsigned int *size,
+- unsigned long flag)
++static krb5_error_code
++rfc2253_name(X509_NAME *name, char **str_out)
+ {
+-BIO *out = NULL;
++BIO *b = NULL;
++char *str;
+ 
+-out = BIO_new(BIO_s_mem ());
+-if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
+-if (buf != NULL && (*size) >  (unsigned int) BIO_number_written(out)) 
{
+-memset(buf, 0, *size);
+-BIO_read(out, buf, (int) BIO_number_written(out));
+-}
+-else {
+-*size = BIO_number_written(out);
+-}
+-}
+-BIO_free(out);
+-return (buf);
++*str_out = NULL;
++b = BIO_new(BIO_s_mem());
++if (b == NULL)
++return ENOMEM;
++if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
++goto error;
++str = calloc(BIO_number_written(b) + 1, 1);
++if (str == NULL)
++goto error;
++BIO_read(b, str, BIO_number_written(b));
++BIO_free(b);
++*str_out = str;
++return 0;
++
++error:
++BIO_free(b);
++return ENOMEM;
+ }
+ 
+ /*
+@@ -5187,8 +5183,6 @@ crypto_cert_get_matching_data(krb5_context context,
+ krb5_principal *pkinit_sans =NULL, *upn_sans = NULL;
+ struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch;
+ unsigned int i, j;
+-char buf[DN_BUF_LEN];
+-unsigned int bufsize = sizeof(buf);
+ 
+ if (cd == NULL || cd->magic != CERT_MAGIC)
+ return EINVAL;
+@@ -5201,23 +5195,14 @@ crypto_cert_get_matching_data(krb5_context context,
+ 
+ md->ch = ch;
+ 
+-/* get the subject name (in rfc2253 format) */
+-X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert),
+- buf, , XN_FLAG_SEP_COMMA_PLUS);
+-md->subject_dn = strdup(buf);
+-if (md->subject_dn == NULL) {
+-retval = ENOMEM;
++retval = rfc2253_name(X509_get_subject_name(cd->cred->cert),
++  >subject_dn);
++if (retval)
+ goto cleanup;
+-}
+-
+-/* get the issuer name (in rfc2253 format) */
+-X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert),
+- buf, , XN_FLAG_SEP_COMMA_PLUS);
+-md->issuer_dn = strdup(buf);
+-if (md->issuer_dn == NULL) {
+-retval = ENOMEM;
++retval = rfc2253_name(X509_get_issuer_name(cd->cred->cert),
++  >issuer_dn);
++if (retval)
+ goto cleanup;
+-}
+ 
+ /* get the san data */
+ retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx,

diff --git a/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild
new file mode 100644
index 000..1f9cfda9466
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.15.2-r1.ebuild
@@ -0,0 +1,149 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/;
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz;
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 
|| ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2016-04-21 Thread Eray Aslan

commit: 74ebaeed509febece37089ac12fe7127971b0b99
Author: Eray Aslan  gentoo  org>
AuthorDate: Thu Apr 21 16:07:08 2016 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Thu Apr 21 16:07:08 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74ebaeed

app-crypt/mit-krb5: Remove vulnerable versions

Package-Manager: portage-2.2.28

 app-crypt/mit-krb5/Manifest   |   2 -
 app-crypt/mit-krb5/files/CVE-2015-2695.patch  | 564 -
 app-crypt/mit-krb5/files/CVE-2015-2696.patch  | 731 --
 app-crypt/mit-krb5/files/CVE-2015-2697.patch  |  50 --
 app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r1 |  25 -
 app-crypt/mit-krb5/files/mit-krb5kdc.initd-r1 |  24 -
 app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r1  |  24 -
 app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild  | 160 -
 app-crypt/mit-krb5/mit-krb5-1.13.2-r3.ebuild  | 160 -
 app-crypt/mit-krb5/mit-krb5-1.14.ebuild   | 151 -
 10 files changed, 1891 deletions(-)

diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index e3d2128..89c6183 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,4 +1,2 @@
-DIST krb5-1.13.2-signed.tar 12113920 SHA256 
e528c30b0209c741f6f320cb83122ded92f291802b6a1a1dc1a01dcdb3ff6de1 SHA512 
d3f8dde220876bd24703c488122ba8e54ffaa7f8f2c7d325e5d198a4e171248673fc1d5d3c997c6d2e66c314e2b7f4609eb980a789c3556a79458ab4411e61b5
 WHIRLPOOL 
9f29f4d76b7b2225f18707a95b217ce0eab7ae963ba547460fa6e7ffdc43e3c350ae070265c52b9751a70f80a95086e39c29dc2c44e0a22d17f9b48f7bf838f7
 DIST krb5-1.14.1.tar.gz 12259025 SHA256 
c8faa44574246f5bd0ce5a3dedc48c32db48a74cc4323949bf70f0ac2d6f1a99 SHA512 
5d64bb30ecb9e267e2494cea4995d8cc314916d8f6a9318fb80067ae6389ad7468656400d996698b6dc0bdb4c1355c13701b570521a7c40008cf1f83df24847d
 WHIRLPOOL 
2d4ab7e8e65d27ce207bd1d254586f95c8b219c01d2deb2fe60f8d5f84e13cd52881bbc2b51c1ee2d40a81570afa15d46c8446e5c6ec052e7621b76d34b72a7d
 DIST krb5-1.14.2.tar.gz 12264762 SHA256 
6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27 SHA512 
8e0d8203740aac78b65a62c0f79998b56dae23725763f645ae13a92dc4263d193e7334f84e278ca873d2b72d425f47cd4b68b58690d029dccce41e8a157b16f0
 WHIRLPOOL 
18a3729f5bfb928318f5cc28c919cbc49ee9179199ee82445922a5f2e8afbf4ed5a31f7e710877f8c12ef75f326723e7410608ce538983ce1b811e16091d72a1
-DIST krb5-1.14.tar.gz 12255176 SHA256 
cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9 SHA512 
b33a85b37f6038e34ba4038c9d1cc6a0df027652cbeccd24e39b323a1ed1bc16305099df04654c80ba7e6b56bd3d3c2df95758add888f9ef8535cb78443684ff
 WHIRLPOOL 
e049aea7bcc99fa61af353bb0e831f63512c0c1f9df06332f2aae9add356f0fb27ee46e2a2fab23b7875bb827b2aa2ff78314ffe50d07fc95f089fff5fde5113

diff --git a/app-crypt/mit-krb5/files/CVE-2015-2695.patch 
b/app-crypt/mit-krb5/files/CVE-2015-2695.patch
deleted file mode 100644
index 08bc8ab..000
--- a/app-crypt/mit-krb5/files/CVE-2015-2695.patch
+++ /dev/null
@@ -1,564 +0,0 @@
-From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001
-From: Nicolas Williams 
-Date: Mon, 14 Sep 2015 12:27:52 -0400
-Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
-
-The SPNEGO mechanism currently replaces its context handle with the
-mechanism context handle upon establishment, under the assumption that
-most GSS functions are only called after context establishment.  This
-assumption is incorrect, and can lead to aliasing violations for some
-programs.  Maintain the SPNEGO context structure after context
-establishment and refer to it in all GSS methods.  Add initiate and
-opened flags to the SPNEGO context structure for use in
-gss_inquire_context() prior to context establishment.
-
-CVE-2015-2695:
-
-In MIT krb5 1.5 and later, applications which call
-gss_inquire_context() on a partially-established SPNEGO context can
-cause the GSS-API library to read from a pointer using the wrong type,
-generally causing a process crash.  This bug may go unnoticed, because
-the most common SPNEGO authentication scenario establishes the context
-after just one call to gss_accept_sec_context().  Java server
-applications using the native JGSS provider are vulnerable to this
-bug.  A carefully crafted SPNEGO packet might allow the
-gss_inquire_context() call to succeed with attacker-determined
-results, but applications should not make access control decisions
-based on gss_inquire_context() results prior to context establishment.
-
-CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
-
-[ghud...@mit.edu: several bugfixes, style changes, and edge-case
-behavior changes; commit message and CVE description]
-
-ticket: 8244
-target_version: 1.14
-tags: pullup

- src/lib/gssapi/spnego/gssapiP_spnego.h |   2 +
- src/lib/gssapi/spnego/spnego_mech.c| 254 -
- 2 files changed, 192 insertions(+), 64 deletions(-)
-
-diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

2015-10-28 Thread Eray Aslan

commit: f8a5e1f10568cd3f63fe5cbcfd28c46287270234
Author: Eray Aslan  gentoo  org>
AuthorDate: Thu Oct 29 04:24:07 2015 +
Commit: Eray Aslan  gentoo  org>
CommitDate: Thu Oct 29 04:24:07 2015 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8a5e1f1

app-crypt/mit-krb5: add confd files to kdc, kadmind and kpropd daemons

Gentoo-Bug: 539010
Thanks to Paul B. Henson

Package-Manager: portage-2.2.23

 app-crypt/mit-krb5/files/mit-krb5kadmind.confd|   2 +
 app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2 |  25 
 app-crypt/mit-krb5/files/mit-krb5kdc.confd|   2 +
 app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2 |  24 
 app-crypt/mit-krb5/files/mit-krb5kpropd.confd |   2 +
 app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2  |  24 
 app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild  | 157 ++
 7 files changed, 236 insertions(+)

diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.confd 
b/app-crypt/mit-krb5/files/mit-krb5kadmind.confd
new file mode 100644
index 000..f6029b6
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.confd
@@ -0,0 +1,2 @@
+# Define startup options for Kerberos administration server
+KADMIND_OPTS=""

diff --git a/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2 
b/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2
new file mode 100644
index 000..54dcb87
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2
@@ -0,0 +1,25 @@
+#!/sbin/runscript
+
+#---
+# This script starts/stops the MIT Kerberos 5 Admin daemon
+#---
+
+daemon="MIT Kerberos 5 Admin daemon"
+exec="/usr/sbin/kadmind"
+
+depend() {
+   need mit-krb5kdc
+   use net
+}
+
+start() {
+   ebegin "Starting $daemon"
+   start-stop-daemon --start --quiet --exec ${exec} -- "${KADMIND_OPTS}" 
1>&2
+   eend $? "Error starting $daemon"
+}
+
+stop() {
+   ebegin "Stopping $daemon"
+   start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+   eend $? "Error stopping $daemon"
+}

diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.confd 
b/app-crypt/mit-krb5/files/mit-krb5kdc.confd
new file mode 100644
index 000..887d3d8
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kdc.confd
@@ -0,0 +1,2 @@
+# Define startup options for Kerberos KDC
+KDC_OPTS=""

diff --git a/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2 
b/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2
new file mode 100644
index 000..12bb47a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2
@@ -0,0 +1,24 @@
+#!/sbin/runscript
+
+#---
+# This script starts/stops the MIT Kerberos 5 KDC
+#---
+
+daemon="MIT Kerberos 5 KDC"
+exec="/usr/sbin/krb5kdc"
+
+depend() {
+   use net
+}
+
+start() {
+   ebegin "Starting $daemon"
+   start-stop-daemon --start --quiet --exec ${exec} -- "${KDC_OPTS}" 1>&2
+   eend $? "Error starting $daemon"
+}
+
+stop() {
+   ebegin "Stopping $daemon"
+   start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+   eend $? "Error stopping $daemon"
+}

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.confd 
b/app-crypt/mit-krb5/files/mit-krb5kpropd.confd
new file mode 100644
index 000..d75d41a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.confd
@@ -0,0 +1,2 @@
+# Define startup options for Kerberos incremental propagation server
+KPROPD_OPTS=""

diff --git a/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2 
b/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2
new file mode 100644
index 000..222c5f7
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2
@@ -0,0 +1,24 @@
+#!/sbin/runscript
+
+#---
+# This script starts/stops the MIT Kerberos 5 kpropd
+#---
+
+daemon="MIT Kerberos 5 kpropd"
+exec="/usr/sbin/kpropd"
+
+depend() {
+   use net mit-krb5kdc mit-krb5kadmind
+}
+
+start() {
+   ebegin "Starting $daemon"
+   start-stop-daemon --start --quiet --exec ${exec} -- "${KPROPD_OPTS}" 
1>&2
+   eend $? "Error starting $daemon"
+}
+
+stop() {
+   ebegin "Stopping $daemon"
+   start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+   eend $? "Error stopping $daemon"
+}

diff --git a/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild 
b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
new file mode 100644
index 000..d70cb3d
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.13.2-r2.ebuild
@@ -0,0 +1,157 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+inherit autotools eutils

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

[gentoo-commits] repo/gentoo:master commit in: app-crypt/mit-krb5/files/, app-crypt/mit-krb5/

14 matches

Site Navigation

Mail list logo

Footer information