summaryrefslogtreecommitdiff
path: root/app-crypt/mit-krb5
diff options
context:
space:
mode:
Diffstat (limited to 'app-crypt/mit-krb5')
-rw-r--r--app-crypt/mit-krb5/Manifest4
-rw-r--r--app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch297
-rw-r--r--app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch31
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild156
-rw-r--r--app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild158
5 files changed, 646 insertions, 0 deletions
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index f79cdae7b3da..525b44b1b318 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,9 +1,11 @@
+AUX CVE-2018-5729-5730.patch 11896 BLAKE2B 324bbd80acf4a2520909fc26f90f67cec06148ee0effecc43fbadd6c6445b57ee17eae57864c92a5ce0cdc3dbfb0540758910133195fd2078d334bc6e209a452 SHA512 b59ba6cb5d40cca6c8f539c028ba24c2fa6bd1750133545e912f519b91043d426cecf782209c373598fd895c6294e44fc2bc27af34c033ff367bdfb2cb4f91c4
AUX kpropd.xinetd 194 BLAKE2B cfc40af2e75b0ce5a71e0dfdcfe076d13d996b25d2cb50d4282bc88d7b33b317a202d57df0bb4a2b47113f0d38cb508614e122e4a3bb7dfd2397e2daa3178396 SHA512 c9bbd13f2fadfd2a925bfae834ba61f227cd4386b4c4466b5227d93c792f4549778ef4d6e08353372df99804459277c71f61b41ec71f3afcc600d73c5705f72f
AUX mit-krb5-1.12_warn_cflags.patch 448 BLAKE2B cd9793866173b394bab3497d19653ca3296924cc49aaf540499b149254265af1d995b4d7493b76185ce35d123e70827cb5fcb221efc6499b86a346cfad7478ab SHA512 42364d9cd8c0a6fd28ae661eeac4d0dd3f2001fe290bf9731ee99c2c786a6488805fc93057d59e201e2cef1e5280af4c170187aa5603f4cf542906abc0fccc2b
AUX mit-krb5-1.14.2-redeclared-ttyname.patch 660 BLAKE2B 8fb59ad5ed7b0896272f4bf10e8e15a1c848047dbe6a7735930657422888530691f681949d72b4b0924a8983ec392282736eae57dd72c8548ee960fc85909c53 SHA512 90a2adedcdca4e2079daaa613e2d4f08e948ccfaf56aba19a08b4cbe2257a6a60dcfd5bbc4b19ca64f584759b1a374d1894729a423e636bfec1969a675a1628e
AUX mit-krb5-1.14.4-disable-nls.patch 1247 BLAKE2B a24c425a21bed40c7b563658207f324d1dccade9b8aec4d4124e2a2d0007d81e314765d23fe3e4be2bf857fa67bf3da06aead99ffb21afe635bbb1d7bb2c89cf SHA512 5fecc719c5c8a1f5c971443d42561615b8fb8c6b99b735a633c7479f109cfb6852eee5179e267a1e2576e52faf2311395ddabdb47f749b573ead3ddd86714e2e
AUX mit-krb5-1.15.2-fix-pkinit.patch 3196 BLAKE2B 6fdf17bb1ad096bc2745c3c908fbc913de3d4d7176c060cb51d911b256e82f67a73d9204044f5227c7d3d1cb1f76dbc31b2845738c4f97dd0a199990a9e09f0f SHA512 d7b3f33f25e610b24f2854892d75016dfa5b5e34fac24600df80b91194f5fe2e6dbc35ea3a9a772e0dcdf7659263a56230e767fe393d32796c61b3bd5bb2de69
AUX mit-krb5-config_LDFLAGS.patch 466 BLAKE2B 2dd4f1cfc20bea229d08201d66e3de71472dccfa45dee9b260c51578187e706b864c0b4ff81c0c5a09fd29401c2abdbe334441ca075208299b02d5e1d49aff94 SHA512 9a1ca9b33e7708346eda78d199fdc51f0d7bd08d3d65ea15a19955a6155ab71b8ee0c8989859d6dff293a141f197ea19394a91b3b641181140a289b743e0f0e7
+AUX mit-krb5-libressl-version-check.patch 1123 BLAKE2B ca8bad504949c8dcbffe5f9906a38287a2483ffef8b0326cf361f7a07c44787aa0972a24a832aa4da9a1450fa41035bf216c55e1aafb8a890cc8d88f1e210e88 SHA512 cec03ab3577fd8f96f34e51e9380622b09ac5964687b2e8e45e066d16846a9add71c3fd44f6de305ee5c5be5a27a07e4758b6752afdd8a70149b3f191be609f8
AUX mit-krb5kadmind.confd 76 BLAKE2B ca69357a77ddaf67e2f9c104b17d49af5da9891b13bd855f8b04d54bfb6ccf07ae8c5cb694f65a47646675c844c8f8c7224e8487081df678c73c554498259516 SHA512 dbf968800959f0463899031e823f003e9ece90132f452ebf03df08caf0e6a6e6ca2cfdee91491d269cfa24bef19e72dd33c7d818a4bb13ef85edfb6f0e8299f3
AUX mit-krb5kadmind.initd-r2 612 BLAKE2B ba2a70a7c123d63b9c58f4ec31c3c2366949e6971ff4f203cb38e1efb5a69991533291e118066e680d880c5221168c8eb5b047ec70dac857888330978d1e5a9b SHA512 3791af603380277a9d2632a01a86f96f68c9eb38a2c9574cca462fe9a01bef60f24785051d0215a8d71dd5022f1404e281929278e2bfd31603a0415dd9df6a98
AUX mit-krb5kadmind.service 137 BLAKE2B fcbb450a9bd39407801c93d7ffe050eadb27adbfe3165f27fe9a6ad1b18464153109bdab61a85a6a908dbb8e57b14d577165d9144a6f311d90167d01a92de748 SHA512 65a507b84e8280a9e417e32f8667941f52802f1afe9de513718db5a414ba84569b95a5c4d84eb9d39c232901c4ae1f674e6c95ea2c6895dc0c495b78ec04a026
@@ -19,5 +21,7 @@ DIST krb5-1.15.2.tar.gz 9380755 BLAKE2B 3f5d00a70bf44ef077872bde282e4753e82acb70
DIST krb5-1.16.tar.gz 9474479 BLAKE2B 0c5caa0a0d2308a447d47ab94d7b8dc92a67ad78b3bac1678c3f3ece3905f27feda5a23d28b3c13ebd64d1760726888c759fb19da82ad960c6f84a433b753873 SHA512 7e162467b95dad2b6aaa11686d08a00f1cc4eb08247fca8f0e5a8bcaa5f9f7b42cdf00db69c5c6111bdf9eb8063d53cef3bb207ce5d6a287615ca10b710153f9
EBUILD mit-krb5-1.15.2-r1.ebuild 3913 BLAKE2B f4559c0b17ef398ac7168763d2e2225d8b1b061a61384313c93d69db9f680461008b48f4e66ed64f672fe1e6e32825a874084954e03b1dfa228ead6bb6d1e89c SHA512 b4da2e82b91b1fec83d94dcad8b2787f07f9b0bc1421519ce6a3b1545ecf30e14817debe67a9dd98ddb88b666b337be18b286b3d866e51664599b1e07f13eeae
EBUILD mit-krb5-1.15.2.ebuild 3856 BLAKE2B 7b3d059b5bd6e68ba99bc896ae8435543a6128e4e7f9dc29e73a02cb145228a54c1f7eeca92bc3aec49582e1e0c24f9620089a8abe917b59a152b2608d0b5a25 SHA512 dc2d6fb486e95100a02a4b2f32fb93279b022195d82810e2a794f6d813f5c31f95b68b3449e2b885bc9a3658cb1d18acd76d76fa13907baa817215534531148b
+EBUILD mit-krb5-1.16-r1.ebuild 4255 BLAKE2B 00ccf28de187059c3b4f864e56782557ae79ef064dd90178491dd1d6ebfe5dd6706766e569f7800d841f10ea0ff62db5f609c4a14ac0abbfe7eda210962826fe SHA512 d73f5a9cde6cf3bbca2ccf1ad81a0efc7e3c3d27e329dfa76fe9eb32979bcfc77162ddf5de85f84e84af183cad23eaf44334498bf00f161add4c4c448db6b41a
+EBUILD mit-krb5-1.16-r2.ebuild 4353 BLAKE2B eabe3a5b76175736da4a74091257e30c91210c9897a64772eb022d3fd02af5131119f11ffafc9353f2c80f2f0893cde25fdad8cce711c11bae22a2544661be2a SHA512 455b0c557ae3402ce8a8b1850214f4412d33a94d593b7083cd9ef68c7c4554507428d14275cd0601395222d63a12fbab2d84a21c3ff13dd25199be666000a72b
EBUILD mit-krb5-1.16.ebuild 4190 BLAKE2B 906b1ae21a3d91d86fb3993eb076890812f3dee319fe2ae8599e2f728758e75c27374092f8157d70e5720d8615b0d5d6cd59294f831c4582319e294a7cf53d67 SHA512 0f91fb7d2364068b6917413ee317a1d8287f2be5c3f30889ae4c568cab61b37ae8e852010bd00fb61c7a0be2f9272a99f52f23709a063ce04d8f76a8bce4c2f0
MISC metadata.xml 828 BLAKE2B f317440eac9d164e0640cb059dee0c3bdcfeaeb2d0e346d962f09b7152224efc10084611768663b84c67fdf73c9d89481370fe0b70ffe14aa10a360f60bd00f6 SHA512 c0f45699280d49b91eab24de6cbb28900170c3c4526b8c6ef0f6a996d3e53abd49911ce4f6ce7b28c69d37e86cc9e5b830977b9640809734e7fccf078886685c
diff --git a/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
new file mode 100644
index 000000000000..114cfe688e73
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2018-5729-5730.patch
@@ -0,0 +1,297 @@
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 2420f2c2be..a59a65e8f6 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle,
+ return KADM5_BAD_MASK;
+ if((mask & ~ALL_PRINC_MASK))
+ return KADM5_BAD_MASK;
++ if (mask & KADM5_TL_DATA) {
++ for (tl_data_tail = entry->tl_data; tl_data_tail != NULL;
++ tl_data_tail = tl_data_tail->tl_data_next) {
++ if (tl_data_tail->tl_data_type < 256)
++ return KADM5_BAD_TL_TYPE;
++ }
++ }
+
+ /*
+ * Check to see if the principal exists
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+index 535a1f309e..8b8420faa9 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+@@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op);
+ #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr))
+ #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr))
+
+-#define KDB_TL_USER_INFO 0x7ffe
++#define KDB_TL_USER_INFO 0xff
+
+ #define KDB_TL_PRINCTYPE 0x01
+ #define KDB_TL_PRINCCOUNT 0x02
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index 88a1704950..b7c9212cb2 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -651,6 +651,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry,
+ return ret;
+ }
+
++static krb5_error_code
++check_dn_in_container(krb5_context context, const char *dn,
++ char *const *subtrees, unsigned int ntrees)
++{
++ unsigned int i;
++ size_t dnlen = strlen(dn), stlen;
++
++ for (i = 0; i < ntrees; i++) {
++ if (subtrees[i] == NULL || *subtrees[i] == '\0')
++ return 0;
++ stlen = strlen(subtrees[i]);
++ if (dnlen >= stlen &&
++ strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 &&
++ (dnlen == stlen || dn[dnlen - stlen - 1] == ','))
++ return 0;
++ }
++
++ k5_setmsg(context, EINVAL, _("DN is out of the realm subtree"));
++ return EINVAL;
++}
++
++static krb5_error_code
++check_dn_exists(krb5_context context,
++ krb5_ldap_server_handle *ldap_server_handle,
++ const char *dn, krb5_boolean nonkrb_only)
++{
++ krb5_error_code st = 0, tempst;
++ krb5_ldap_context *ldap_context = context->dal_handle->db_context;
++ LDAP *ld = ldap_server_handle->ldap_handle;
++ LDAPMessage *result = NULL, *ent;
++ char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL };
++ char **values;
++
++ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS);
++ if (st != LDAP_SUCCESS)
++ return set_ldap_error(context, st, OP_SEARCH);
++
++ ent = ldap_first_entry(ld, result);
++ CHECK_NULL(ent);
++
++ values = ldap_get_values(ld, ent, "krbticketpolicyreference");
++ if (values != NULL)
++ ldap_value_free(values);
++
++ values = ldap_get_values(ld, ent, "krbprincipalname");
++ if (values != NULL) {
++ ldap_value_free(values);
++ if (nonkrb_only) {
++ st = EINVAL;
++ k5_setmsg(context, st, _("ldap object is already kerberized"));
++ goto cleanup;
++ }
++ }
++
++cleanup:
++ ldap_msgfree(result);
++ return st;
++}
++
++static krb5_error_code
++validate_xargs(krb5_context context,
++ krb5_ldap_server_handle *ldap_server_handle,
++ const xargs_t *xargs, const char *standalone_dn,
++ char *const *subtrees, unsigned int ntrees)
++{
++ krb5_error_code st;
++
++ if (xargs->dn != NULL) {
++ /* The supplied dn must be within a realm container. */
++ st = check_dn_in_container(context, xargs->dn, subtrees, ntrees);
++ if (st)
++ return st;
++ /* The supplied dn must exist without Kerberos attributes. */
++ st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE);
++ if (st)
++ return st;
++ }
++
++ if (xargs->linkdn != NULL) {
++ /* The supplied linkdn must be within a realm container. */
++ st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees);
++ if (st)
++ return st;
++ /* The supplied linkdn must exist. */
++ st = check_dn_exists(context, ldap_server_handle, xargs->linkdn,
++ FALSE);
++ if (st)
++ return st;
++ }
++
++ if (xargs->containerdn != NULL && standalone_dn != NULL) {
++ /* standalone_dn (likely composed using containerdn) must be within a
++ * container. */
++ st = check_dn_in_container(context, standalone_dn, subtrees, ntrees);
++ if (st)
++ return st;
++ }
++
++ return 0;
++}
++
+ krb5_error_code
+ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ char **db_args)
+@@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ LDAPMessage *result=NULL, *ent=NULL;
+ char **subtreelist = NULL;
+ char *user=NULL, *subtree=NULL, *principal_dn=NULL;
+- char **values=NULL, *strval[10]={NULL}, errbuf[1024];
++ char *strval[10]={NULL}, errbuf[1024];
+ char *filtuser=NULL;
+ struct berval **bersecretkey=NULL;
+ LDAPMod **mods=NULL;
+ krb5_boolean create_standalone=FALSE;
+- krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
++ krb5_boolean establish_links=FALSE;
+ char *standalone_principal_dn=NULL;
+ krb5_tl_data *tl_data=NULL;
+ krb5_key_data **keys=NULL;
+@@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ * any of the subtrees
+ */
+ if (xargs.dn_from_kbd == TRUE) {
+- /* make sure the DN falls in the subtree */
+- int dnlen=0, subtreelen=0;
+- char *dn=NULL;
+- krb5_boolean outofsubtree=TRUE;
+-
+- if (xargs.dn != NULL) {
+- dn = xargs.dn;
+- } else if (xargs.linkdn != NULL) {
+- dn = xargs.linkdn;
+- } else if (standalone_principal_dn != NULL) {
+- /*
+- * Even though the standalone_principal_dn is constructed
+- * within this function, there is the containerdn input
+- * from the user that can become part of the it.
+- */
+- dn = standalone_principal_dn;
+- }
+-
+ /* Get the current subtree list if we haven't already done so. */
+ if (subtreelist == NULL) {
+ st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees);
+@@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ goto cleanup;
+ }
+
+- for (tre=0; tre<ntrees; ++tre) {
+- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
+- outofsubtree = FALSE;
+- break;
+- } else {
+- dnlen = strlen (dn);
+- subtreelen = strlen(subtreelist[tre]);
+- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
+- outofsubtree = FALSE;
+- break;
+- }
+- }
+- }
+-
+- if (outofsubtree == TRUE) {
+- st = EINVAL;
+- k5_setmsg(context, st, _("DN is out of the realm subtree"));
++ st = validate_xargs(context, ldap_server_handle, &xargs,
++ standalone_principal_dn, subtreelist, ntrees);
++ if (st)
+ goto cleanup;
+- }
+-
+- /*
+- * dn value will be set either by dn, linkdn or the standalone_principal_dn
+- * In the first 2 cases, the dn should be existing and in the last case we
+- * are supposed to create the ldap object. so the below should not be
+- * executed for the last case.
+- */
+-
+- if (standalone_principal_dn == NULL) {
+- /*
+- * If the ldap object is missing, this results in an error.
+- */
+-
+- /*
+- * Search for krbprincipalname attribute here.
+- * This is to find if a kerberos identity is already present
+- * on the ldap object, in which case adding a kerberos identity
+- * on the ldap object should result in an error.
+- */
+- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
+-
+- ldap_msgfree(result);
+- result = NULL;
+- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
+- if (st == LDAP_SUCCESS) {
+- ent = ldap_first_entry(ld, result);
+- if (ent != NULL) {
+- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
+- ldap_value_free(values);
+- }
+-
+- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+- krb_identity_exists = TRUE;
+- ldap_value_free(values);
+- }
+- }
+- } else {
+- st = set_ldap_error(context, st, OP_SEARCH);
+- goto cleanup;
+- }
+- }
+- }
+-
+- /*
+- * If xargs.dn is set then the request is to add a
+- * kerberos principal on a ldap object, but if
+- * there is one already on the ldap object this
+- * should result in an error.
+- */
+-
+- if (xargs.dn != NULL && krb_identity_exists == TRUE) {
+- st = EINVAL;
+- snprintf(errbuf, sizeof(errbuf),
+- _("ldap object is already kerberized"));
+- k5_setmsg(context, st, "%s", errbuf);
+- goto cleanup;
+ }
+
+ if (xargs.linkdn != NULL) {
+diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
+index 217f2cdc3b..6e563b1032 100755
+--- a/src/tests/t_kdb.py
++++ b/src/tests/t_kdb.py
+@@ -203,6 +203,12 @@ def ldap_add(dn, objectclass, attrs=[]):
+ # in the test LDAP server.
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
+ expected_code=1, expected_msg='DN is out of the realm subtree')
++# Check that the DN container check is a hierarchy test, not a simple
++# suffix match (CVE-2018-5730). We expect this operation to fail
++# either way (because "xcn" isn't a valid DN tag) but the container
++# check should happen before the DN is parsed.
++realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'],
++ expected_code=1, expected_msg='DN is out of the realm subtree')
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
+ realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
+ realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
+@@ -226,6 +232,11 @@ def ldap_add(dn, objectclass, attrs=[]):
+ 'princ3'])
+ realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
+ expected_code=1, expected_msg='containerdn option not supported')
++# Verify that containerdn is checked when linkdn is also supplied
++# (CVE-2018-5730).
++realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
++ '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1,
++ expected_msg='DN is out of the realm subtree')
+
+ # Create and modify a ticket policy.
+ kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
diff --git a/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
new file mode 100644
index 000000000000..5c979cfd1ef7
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-libressl-version-check.patch
@@ -0,0 +1,31 @@
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -191,7 +191,7 @@ pkinit_pkcs11_code_to_text(int err);
+ (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+
+ /* 1.1 standardizes constructor and destructor names, renaming
+ * EVP_MD_CTX_{create,destroy} and deprecating ASN1_STRING_data. */
+@@ -3059,7 +3059,7 @@ cleanup:
+ return retval;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+
+ /*
+ * We need to decode DomainParameters from RFC 3279 section 2.3.3. We would
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+@@ -46,7 +46,7 @@
+ #include <openssl/asn1.h>
+ #include <openssl/pem.h>
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #include <openssl/asn1t.h>
+ #else
+ #include <openssl/asn1_mac.h>
diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild
new file mode 100644
index 000000000000..c1f7a7820634
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16-r1.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite require network access
+RESTRICT="test"
+
+CDEPEND="
+ !!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+ || (
+ >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+ >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+ >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+ )
+ keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+ openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+ pkinit? (
+ !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+ libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+ )
+ xinetd? ( sys-apps/xinetd )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+DEPEND="${CDEPEND}
+ ${PYTHON_DEPS}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? (
+ ${PYTHON_DEPS}
+ dev-lang/tcl:0
+ dev-util/dejagnu
+ )"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/krb5-config
+)
+
+src_prepare() {
+ eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+ eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+ eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
+
+ # Make sure we always use the system copies.
+ rm -rf util/{et,ss,verto}
+ sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+ eapply_user
+ eautoreconf
+}
+
+src_configure() {
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use keyutils || export ac_cv_header_keyutils_h=no
+ ECONF_SOURCE=${S} \
+ WARN_CFLAGS="set" \
+ econf \
+ $(use_with openldap ldap) \
+ "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable nls) \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --with-system-verto \
+ --disable-rpath
+}
+
+multilib_src_compile() {
+ emake -j1
+}
+
+multilib_src_test() {
+ multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+}
+
+multilib_src_install_all() {
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+
+ if use doc; then
+ dodoc -r doc/html
+ docinto pdf
+ dodoc doc/pdf/*.pdf
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+ newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+ newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+ newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+ systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}
diff --git a/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
new file mode 100644
index 000000000000..feec00d8627d
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.16-r2.ebuild
@@ -0,0 +1,158 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd versionator
+
+MY_P="${P/mit-}"
+P_DIR=$(get_version_component_range 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="doc +keyutils libressl nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite require network access
+RESTRICT="test"
+
+CDEPEND="
+ !!app-crypt/heimdal
+ >=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+ || (
+ >=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+ >=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+ >=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+ )
+ keyutils? ( >=sys-apps/keyutils-1.5.8[${MULTILIB_USEDEP}] )
+ nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+ openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+ pkinit? (
+ !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+ libressl? ( dev-libs/libressl[${MULTILIB_USEDEP}] )
+ )
+ xinetd? ( sys-apps/xinetd )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20140508-r1
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+DEPEND="${CDEPEND}
+ ${PYTHON_DEPS}
+ virtual/yacc
+ doc? ( virtual/latex-base )
+ test? (
+ ${PYTHON_DEPS}
+ dev-lang/tcl:0
+ dev-util/dejagnu
+ )"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/krb5-config
+)
+
+src_prepare() {
+ eapply -p2 "${FILESDIR}/CVE-2018-5729-5730.patch"
+ eapply "${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+ eapply -p2 "${FILESDIR}/${PN}-config_LDFLAGS.patch"
+ eapply "${FILESDIR}/${PN}-libressl-version-check.patch"
+
+ # Make sure we always use the system copies.
+ rm -rf util/{et,ss,verto}
+ sed -i 's:^[[:space:]]*util/verto$::' configure.in || die
+
+ eapply_user
+ eautoreconf
+}
+
+src_configure() {
+ # QA
+ append-flags -fno-strict-aliasing
+ append-flags -fno-strict-overflow
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ use keyutils || export ac_cv_header_keyutils_h=no
+ ECONF_SOURCE=${S} \
+ WARN_CFLAGS="set" \
+ econf \
+ $(use_with openldap ldap) \
+ "$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+ $(use_enable nls) \
+ $(use_enable pkinit) \
+ $(use_enable threads thread-support) \
+ --without-hesiod \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --enable-dns-for-realm \
+ --enable-kdc-lookaside-cache \
+ --with-system-verto \
+ --disable-rpath
+}
+
+multilib_src_compile() {
+ emake -j1
+}
+
+multilib_src_test() {
+ multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+ install
+}
+
+multilib_src_install_all() {
+ # default database dir
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+
+ if use doc; then
+ dodoc -r doc/html
+ docinto pdf
+ dodoc doc/pdf/*.pdf
+ fi
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+ newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+ newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+ newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+ newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+ systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+ systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+ insinto /etc
+ newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+ insinto /var/lib/krb5kdc
+ newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+ if use openldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+ fi
+
+ if use xinetd ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/kpropd.xinetd" kpropd
+ fi
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-17 18:54:30 +0000