commit: 3e414999ed5919555adceb25d8abf547f001f034 Author: Christopher Fore <csfore <AT> posteo <DOT> net> AuthorDate: Tue Apr 23 22:59:04 2024 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sat Apr 27 22:10:27 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e414999
net-libs/gnutls: Add patch to fix Wireshark tests - GnuTLS tests pass - Wireshark tests pass now with this [sam: add more references to patch] Closes: https://bugs.gentoo.org/930529 Closes: https://bugs.gentoo.org/930752 Signed-off-by: Christopher Fore <csfore <AT> posteo.net> Closes: https://github.com/gentoo/gentoo/pull/36392 Signed-off-by: Sam James <sam <AT> gentoo.org> ...3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch | 261 +++++++++++++++++++++ net-libs/gnutls/gnutls-3.8.5-r1.ebuild | 155 ++++++++++++ 2 files changed, 416 insertions(+) diff --git a/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch b/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch new file mode 100644 index 000000000000..6905f793ab4f --- /dev/null +++ b/net-libs/gnutls/files/gnutls-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch @@ -0,0 +1,261 @@ +https://bugs.gentoo.org/930752 +https://bugs.gentoo.org/930529 +https://gitlab.com/gnutls/gnutls/-/issues/1540 +https://gitlab.com/gnutls/gnutls/-/merge_requests/1830 +https://gitlab.com/gnutls/gnutls/-/commit/2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d + +From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001 +From: Zoltan Fridrich <zfrid...@redhat.com> +Date: Wed, 10 Apr 2024 12:51:33 +0200 +Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration + +Signed-off-by: Zoltan Fridrich <zfrid...@redhat.com> +--- a/lib/priority.c ++++ b/lib/priority.c +@@ -1018,6 +1018,12 @@ struct cfg { + bool force_ext_master_secret_set; + }; + ++static inline void cfg_init(struct cfg *cfg) ++{ ++ memset(cfg, 0, sizeof(*cfg)); ++ cfg->allow_rsa_pkcs1_encrypt = true; ++} ++ + static inline void cfg_deinit(struct cfg *cfg) + { + if (cfg->priority_strings) { +@@ -1095,6 +1101,12 @@ struct ini_ctx { + size_t curves_size; + }; + ++static inline void ini_ctx_init(struct ini_ctx *ctx) ++{ ++ memset(ctx, 0, sizeof(*ctx)); ++ cfg_init(&ctx->cfg); ++} ++ + static inline void ini_ctx_deinit(struct ini_ctx *ctx) + { + cfg_deinit(&ctx->cfg); +@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx) + _gnutls_default_priority_string = cfg->default_priority_string; + } + +- /* enable RSA-PKCS1-V1_5 by default */ +- cfg->allow_rsa_pkcs1_encrypt = true; +- + if (cfg->allowlisting) { + /* also updates `flags` of global `hash_algorithms[]` */ + ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size); +@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void) + return 0; + } + ++/* Returns false on parse error, otherwise true. ++ * The system_wide_config must be locked for writing. ++ */ ++static inline bool load_system_priority_file(void) ++{ ++ int err; ++ FILE *fp; ++ struct ini_ctx ctx; ++ ++ cfg_init(&system_wide_config); ++ ++ fp = fopen(system_priority_file, "re"); ++ if (fp == NULL) { ++ _gnutls_debug_log("cfg: unable to open: %s: %d\n", ++ system_priority_file, errno); ++ return true; ++ } ++ ++ /* Parsing the configuration file needs to be done in 2 phases: ++ * first parsing the [global] section ++ * and then the other sections, ++ * because the [global] section modifies the parsing behavior. ++ */ ++ ini_ctx_init(&ctx); ++ err = ini_parse_file(fp, global_ini_handler, &ctx); ++ if (!err) { ++ if (fseek(fp, 0L, SEEK_SET) < 0) { ++ _gnutls_debug_log("cfg: unable to rewind: %s\n", ++ system_priority_file); ++ if (fail_on_invalid_config) ++ exit(1); ++ } ++ err = ini_parse_file(fp, cfg_ini_handler, &ctx); ++ } ++ fclose(fp); ++ if (err) { ++ ini_ctx_deinit(&ctx); ++ _gnutls_debug_log("cfg: unable to parse: %s: %d\n", ++ system_priority_file, err); ++ return false; ++ } ++ cfg_apply(&system_wide_config, &ctx); ++ ini_ctx_deinit(&ctx); ++ return true; ++} ++ + static int _gnutls_update_system_priorities(bool defer_system_wide) + { +- int ret, err = 0; ++ int ret; ++ bool config_parse_error = false; + struct stat sb; +- FILE *fp; + gnutls_buffer_st buf; +- struct ini_ctx ctx; + + ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock); +- if (ret < 0) { ++ if (ret < 0) + return gnutls_assert_val(ret); +- } + + if (stat(system_priority_file, &sb) < 0) { + _gnutls_debug_log("cfg: unable to access: %s: %d\n", + system_priority_file, errno); ++ ++ (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); ++ ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock); ++ if (ret < 0) ++ goto out; ++ /* If system-wide config is unavailable, apply the defaults */ ++ cfg_init(&system_wide_config); + goto out; + } + +@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide) + system_priority_last_mod == sb.st_mtime) { + _gnutls_debug_log("cfg: system priority %s has not changed\n", + system_priority_file); +- if (system_wide_config.priority_string) { ++ if (system_wide_config.priority_string) + goto out; /* nothing to do */ +- } + } + + (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); + + ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock); +- if (ret < 0) { ++ if (ret < 0) + return gnutls_assert_val(ret); +- } + + /* Another thread could have successfully re-read system-wide config, + * skip re-reading if the mtime it has used is exactly the same. + */ +- if (system_priority_file_loaded) { ++ if (system_priority_file_loaded) + system_priority_file_loaded = + (system_priority_last_mod == sb.st_mtime); +- } + + if (!system_priority_file_loaded) { +- _name_val_array_clear(&system_wide_config.priority_strings); +- +- gnutls_free(system_wide_config.priority_string); +- system_wide_config.priority_string = NULL; +- +- fp = fopen(system_priority_file, "re"); +- if (fp == NULL) { +- _gnutls_debug_log("cfg: unable to open: %s: %d\n", +- system_priority_file, errno); ++ config_parse_error = !load_system_priority_file(); ++ if (config_parse_error) + goto out; +- } +- /* Parsing the configuration file needs to be done in 2 phases: +- * first parsing the [global] section +- * and then the other sections, +- * because the [global] section modifies the parsing behavior. +- */ +- memset(&ctx, 0, sizeof(ctx)); +- err = ini_parse_file(fp, global_ini_handler, &ctx); +- if (!err) { +- if (fseek(fp, 0L, SEEK_SET) < 0) { +- _gnutls_debug_log("cfg: unable to rewind: %s\n", +- system_priority_file); +- if (fail_on_invalid_config) +- exit(1); +- } +- err = ini_parse_file(fp, cfg_ini_handler, &ctx); +- } +- fclose(fp); +- if (err) { +- ini_ctx_deinit(&ctx); +- _gnutls_debug_log("cfg: unable to parse: %s: %d\n", +- system_priority_file, err); +- goto out; +- } +- cfg_apply(&system_wide_config, &ctx); +- ini_ctx_deinit(&ctx); + _gnutls_debug_log("cfg: loaded system config %s mtime %lld\n", + system_priority_file, + (unsigned long long)sb.st_mtime); +@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide) + out: + (void)gnutls_rwlock_unlock(&system_wide_config_rwlock); + +- if (err && fail_on_invalid_config) { ++ if (config_parse_error && fail_on_invalid_config) + exit(1); +- } + + return ret; + } +--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh ++++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh +@@ -19,9 +19,8 @@ + # You should have received a copy of the GNU Lesser General Public License + # along with this program. If not, see <https://www.gnu.org/licenses/> + +-: ${srcdir=.} +-TEST=${srcdir}/rsaes-pkcs1-v1_5 +-CONF=${srcdir}/config.$$.tmp ++TEST=${builddir}/rsaes-pkcs1-v1_5 ++CONF=config.$$.tmp + export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF} + export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF} + allow-rsa-pkcs1-encrypt = true + _EOF_ + +-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed" ++${TEST} ++if [ $? != 0 ]; then ++ echo "${TEST} expected to succeed" ++ exit 1 ++fi ++echo "RSAES-PKCS1-v1_5 successfully enabled" + + cat <<_EOF_ > ${CONF} + [overrides] + allow-rsa-pkcs1-encrypt = false + _EOF_ + +-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail" ++${TEST} ++if [ $? = 0 ]; then ++ echo "${TEST} expected to fail" ++ exit 1 ++fi ++echo "RSAES-PKCS1-v1_5 successfully disabled" + + unset GNUTLS_SYSTEM_PRIORITY_FILE + unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID ++ ++${TEST} ++if [ $? != 0 ]; then ++ echo "${TEST} expected to succeed by default" ++ exit 1 ++fi ++echo "RSAES-PKCS1-v1_5 successfully enabled by default" ++ + exit 0 +-- +GitLab diff --git a/net-libs/gnutls/gnutls-3.8.5-r1.ebuild b/net-libs/gnutls/gnutls-3.8.5-r1.ebuild new file mode 100644 index 000000000000..24fba955fe8e --- /dev/null +++ b/net-libs/gnutls/gnutls-3.8.5-r1.ebuild @@ -0,0 +1,155 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnutls.asc +inherit libtool multilib-minimal verify-sig + +DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols" +HOMEPAGE="https://www.gnutls.org/"; +SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz.sig )" + +LICENSE="GPL-3 LGPL-2.1+" +# As of 3.8.0, the C++ library is header-only, but we won't drop the subslot +# component for it until libgnutls.so breaks ABI, to avoid pointless rebuilds. +# Subslot format: +# <libgnutls.so number>.<libgnutlsxx.so number> +SLOT="0/30.30" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools zlib zstd" +REQUIRED_USE="test-full? ( cxx dane doc examples idn nls openssl pkcs11 seccomp tls-heartbeat tools )" +RESTRICT="!test? ( test )" + +RDEPEND=" + >=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}] + dev-libs/libunistring:=[${MULTILIB_USEDEP}] + >=dev-libs/nettle-3.6:=[gmp,${MULTILIB_USEDEP}] + >=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}] + brotli? ( >=app-arch/brotli-1.0.0:=[${MULTILIB_USEDEP}] ) + dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] ) + nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] ) + pkcs11? ( >=app-crypt/p11-kit-0.23.1[${MULTILIB_USEDEP}] ) + idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] ) + zlib? ( sys-libs/zlib[${MULTILIB_USEDEP}] ) + zstd? ( >=app-arch/zstd-1.3.0:=[${MULTILIB_USEDEP}] ) +" +DEPEND=" + ${RDEPEND} + test? ( + seccomp? ( sys-libs/libseccomp ) + ) +" +BDEPEND=" + dev-build/gtk-doc-am + >=virtual/pkgconfig-0-r1 + doc? ( dev-util/gtk-doc ) + nls? ( sys-devel/gettext ) + test-full? ( + app-crypt/dieharder + || ( sys-libs/libfaketime >=app-misc/datefudge-1.22 ) + dev-libs/softhsm:2[-bindist(-)] + net-dialup/ppp + net-misc/socat + ) + verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20240415 ) +" + +DOCS=( README.md doc/certtool.cfg ) + +HTML_DOCS=() + +QA_CONFIG_IMPL_DECL_SKIP=( + # gnulib FPs + MIN + alignof + static_assert +) + +PATCHES=( + # Should no longer be needed for the next release + # bug #930529 + "${FILESDIR}"/${PN}-3.8.5-fix-rsaes-pkcs1-systemd-wide-config.patch +) + +src_prepare() { + default + + # bug #520818 + export TZ=UTC + + use doc && HTML_DOCS+=( doc/gnutls.html ) + + # don't try to use system certificate store on macOS, it is + # confusingly ignoring our ca-certificates and more importantly + # fails to compile in certain configurations + sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die + + # Use sane .so versioning on FreeBSD. + elibtoolize +} + +multilib_src_configure() { + LINGUAS="${LINGUAS//en/en@boldquot en@quot}" + + local libconf=() + + # TPM needs to be tested before being enabled + # Note that this may add a libltdl dep when enabled. Check configure.ac. + libconf+=( + --without-tpm + --without-tpm2 + ) + + # hardware-accel is disabled on OSX because the asm files force + # GNU-stack (as doesn't support that) and when that's removed ld + # complains about duplicate symbols + [[ ${CHOST} == *-darwin* ]] && libconf+=( --disable-hardware-acceleration ) + + # -fanalyzer substantially slows down the build and isn't useful for + # us. It's useful for upstream as it's static analysis, but it's not + # useful when just getting something built. + export gl_cv_warn_c__fanalyzer=no + + local myeconfargs=( + --disable-valgrind-tests + $(multilib_native_enable manpages) + $(multilib_native_use_enable doc gtk-doc) + $(multilib_native_use_enable doc) + $(multilib_native_use_enable seccomp seccomp-tests) + $(multilib_native_use_enable test tests) + $(multilib_native_use_enable test-full full-test-suite) + $(multilib_native_use_enable tools) + $(use_enable cxx) + $(use_enable dane libdane) + $(use_enable nls) + $(use_enable openssl openssl-compatibility) + $(use_enable sslv2 ssl2-support) + $(use_enable sslv3 ssl3-support) + $(use_enable static-libs static) + $(use_enable tls-heartbeat heartbeat-support) + $(use_with brotli) + $(use_with idn) + $(use_with pkcs11 p11-kit) + $(use_with zlib) + $(use_with zstd) + --disable-rpath + --with-default-trust-store-file="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt + --with-unbound-root-key-file="${EPREFIX}"/etc/dnssec/root-anchors.txt + --without-included-libtasn1 + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}" +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + + if use examples; then + docinto examples + dodoc doc/examples/*.c + fi +}
