author | Sam James <sam@gentoo.org> | 2024-03-04 03:08:13 +0000 |
committer | Sam James <sam@gentoo.org> | 2024-03-04 03:08:13 +0000 |
commit | d987187cc95abbca02949ae2d94a84963fe5f74a (patch) | |
tree | 7cc78b714e72597de10dc194a1715aa716205c5b /app-crypt | |
parent | app-crypt/gnupg: drop 2.2.41, 2.2.42-r1 (diff) | |
app-crypt/gnupg: backport fix for gpgme tests
Closes: https://bugs.gentoo.org/924386
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'app-crypt')
-rw-r--r-- | app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch | 156 | ||||
-rw-r--r-- | app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch | 39 | ||||
-rw-r--r-- | app-crypt/gnupg/gnupg-2.2.42-r3.ebuild | 184 |
3 files changed, 379 insertions, 0 deletions
diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch
new file mode 100644
index 000000000000..21be675adef4
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch
@@ -0,0 +1,156 @@
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d6c428699db7aa20f8b6ca9fe83197a0314b7e91
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c33c4fdf10b7ed9e03f2afe988d93f3085b727aa
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=41c022072599bc3f12f659e962653548cd86fa3a
+
+From d6c428699db7aa20f8b6ca9fe83197a0314b7e91 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 15 Feb 2024 15:38:34 +0900
+Subject: [PATCH] dirmngr: Fix proxy with TLS.
+
+* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
+available regardless of USE_TLS.
+(send_request): Remove USE_TLS.
+
+--
+
+Since quite some time building w/o TLS won't work.
+
+GnuPG-bug-id: 6997
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2498,9 +2498,7 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
+ }
+
+
+-
+ /* Use the CONNECT method to proxy our TLS stream. */
+-#ifdef USE_TLS
+ static gpg_error_t
+ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ const char *httphost, const char *server,
+@@ -2709,7 +2707,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ xfree (tmpstr);
+ return err;
+ }
+-#endif /*USE_TLS*/
+
+
+ /* Make a request string using a standard proxy. On success the
+@@ -2866,7 +2863,6 @@ send_request (http_t hd, const char *httphost, const char *auth,
+ goto leave;
+ }
+
+-#if USE_TLS
+ if (use_http_proxy && hd->uri->use_tls)
+ {
+ err = run_proxy_connect (hd, proxy, httphost, server, port);
+@@ -2878,7 +2874,6 @@ send_request (http_t hd, const char *httphost, const char *auth,
+ * clear the flag to indicate this. */
+ use_http_proxy = 0;
+ }
+-#endif /* USE_TLS */
+
+ #if HTTP_USE_NTBTLS
+ err = run_ntbtls_handshake (hd);
+--
+2.30.2
+
+From c33c4fdf10b7ed9e03f2afe988d93f3085b727aa Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 16 Feb 2024 11:31:37 +0900
+Subject: [PATCH] dirmngr: Fix the regression of use of proxy for TLS
+ connection.
+
+* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
+causes resource leak of FP_WRITE.
+Don't try to read response body to fix the hang.
+
+--
+
+GnuPG-bug-id: 6997
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2520,6 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
+ */
+ auth_basic = !!proxy->uri->auth;
++ hd->keep_alive = 0;
+
+ /* For basic authentication we need to send just one request. */
+ if (auth_basic
+@@ -2541,13 +2542,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ httphost ? httphost : server,
+ port,
+ authhdr ? authhdr : "",
+- auth_basic? "" : "Connection: keep-alive\r\n");
++ hd->keep_alive? "Connection: keep-alive\r\n" : "");
+ if (!request)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+- hd->keep_alive = !auth_basic; /* We may need to send more requests. */
+
+ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
+ log_debug_with_string (request, "http.c:proxy:request:");
+@@ -2574,16 +2574,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ if (err)
+ goto leave;
+
+- {
+- unsigned long count = 0;
+-
+- while (es_getc (hd->fp_read) != EOF)
+- count++;
+- if (opt_debug)
+- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
+- count);
+- }
+-
+ /* Reset state. */
+ es_clearerr (hd->fp_read);
+ ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
+--
+2.30.2
+
+From 41c022072599bc3f12f659e962653548cd86fa3a Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 16 Feb 2024 16:24:26 +0900
+Subject: [PATCH] dirmngr: Fix keep-alive flag handling.
+
+* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
+Authentication. Fix resource leak of FP_WRITE.
+
+--
+
+GnuPG-bug-id: 6997
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2520,7 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
+ */
+ auth_basic = !!proxy->uri->auth;
+- hd->keep_alive = 0;
++ hd->keep_alive = !auth_basic; /* We may need to send more requests. */
+
+ /* For basic authentication we need to send just one request. */
+ if (auth_basic
+@@ -2684,6 +2684,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ }
+
+ leave:
++ if (hd->keep_alive)
++ {
++ es_fclose (hd->fp_write);
++ hd->fp_write = NULL;
++ /* The close has released the cookie and thus we better set it
++ * to NULL. */
++ hd->write_cookie = NULL;
++ }
+ /* Restore flags, destroy stream, reset state. */
+ hd->flags = saved_flags;
+ es_fclose (hd->fp_read);
+--
+2.30.2
diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch
new file mode 100644
index 000000000000..f10154b303e5
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch
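Review bot: The header of the new gnupg-2.2.42-dirmngr-proxy.patch gives only the three upstream commit URLs and no line saying why the change is being backported or which bug it addresses, whereas the sibling gnupg-2.2.42-gpgme-tests.patch opens with the Gentoo bug and the dev.gnupg.org task. The commit title mentions only the gpgme tests, so this header is the one place a reader can learn why -r3 also ships a dirmngr change. Suggest adding, above the first URL, `https://dev.gnupg.org/T6997` plus a one-line summary drawn from the three Subject lines, e.g. `dirmngr: proxy CONNECT with TLS (GnuPG-bug-id 6997): three upstream follow-ups, incl. the keep-alive/FP_WRITE leak fix`.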
@@ -0,0 +1,39 @@
+https://bugs.gentoo.org/924386
+https://dev.gnupg.org/T7003
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f50c543326c2eea6b40f548d61cf3a66a077bf54
+
+From f50c543326c2eea6b40f548d61cf3a66a077bf54 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 1 Mar 2024 13:59:43 +0900
+Subject: [PATCH] agent: Allow simple KEYINFO command when restricted.
+
+* agent/command.c (cmd_keyinfo): Only forbid list command.
+
+--
+
+GnuPG-bug-id: 7003
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -1282,9 +1282,6 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
+ char hexgrip[41];
+ int disabled, ttl, confirm, is_ssh;
+
+- if (ctrl->restricted)
+- return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
+-
+ if (has_option (line, "--ssh-list"))
+ list_mode = 2;
+ else
+@@ -1333,6 +1330,9 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
+ char *dirname;
+ gnupg_dirent_t dir_entry;
+
++ if (ctrl->restricted)
++ return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
++
+ dirname = make_filename_try (gnupg_homedir (),
+ GNUPG_PRIVATE_KEYS_DIR, NULL);
+ if (!dirname)
+--
+2.30.2
diff --git a/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild b/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild
new file mode 100644
index 000000000000..dcb738d1d5ba
--- /dev/null
+++ b/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild
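Review bot: The `ctrl->restricted` check moves from the entry of cmd_keyinfo into the block that declares `dirname`/`dir_entry`, so a restricted (extra-socket) client can now reach the non-listing KEYINFO path, presumably a query for a single keygrip given the `hexgrip[41]` buffer. That is what the upstream subject intends, but it widens what a restricted client may ask the agent, and neither the patch header nor the ebuild records that this widening is accepted. cmd_keyinfo starts and ends outside both hunks, so whether the `--ssh-list` path (list_mode = 2) and the plain list mode both funnel through the newly guarded block cannot be confirmed from here; worth verifying against the full function before shipping. Suggest a header line such as `Restricted connections may now run KEYINFO for one keygrip; only key listing remains forbidden (GnuPG-bug-id 7003).`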
@@ -0,0 +1,184 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+ >=dev-libs/libassuan-2.5.0
+ >=dev-libs/libgcrypt-1.8.0:=
+ >=dev-libs/libgpg-error-1.38
+ >=dev-libs/libksba-1.3.5
+ >=dev-libs/npth-1.2
+ >=net-misc/curl-7.10
+ sys-libs/zlib
+ bzip2? ( app-arch/bzip2 )
+ ldap? ( net-nds/openldap:= )
+ readline? ( sys-libs/readline:= )
+ smartcard? ( usb? ( virtual/libusb:1 ) )
+ ssl? ( >=net-libs/gnutls-3.0:= )
+ tofu? ( >=dev-db/sqlite-3.7 )
+"
+RDEPEND="
+ ${DEPEND}
+ nls? ( virtual/libintl )
+ selinux? ( sec-policy/selinux-gpg )
+ wks-server? ( virtual/mta )
+"
+PDEPEND="
+ app-crypt/pinentry
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/${P}-bug923248-insecure-backup.patch
+ "${FILESDIR}"/${P}-dirmngr-proxy.patch
+ "${FILESDIR}"/${P}-gpgme-tests.patch
+)
+
+src_prepare() {
+ default
+
+ # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+ # idea borrowed from libdbus, see
+ # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+ #
+ # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+ # which in turn requires discovery in Autoconf, something that upstream deeply resents.
+ sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+ -i doc/examples/systemd-user/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+ # Upstream don't support LTO, bug #854222.
+ filter-lto
+
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpg
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+ KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+ LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+ LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+ NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin \
+ tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
+ tools/make-dns-cert
+
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+
+ use doc && dodoc doc/*.png
+
+ systemd_douserunit doc/examples/systemd-user/*.{service,socket}
+}
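Review bot: The two new PATCHES entries (`${P}-dirmngr-proxy.patch` and `${P}-gpgme-tests.patch`) carry no bug reference, although the rest of this ebuild annotates each workaround with its bug (`# bug #649598`, `# bug #663142`, `# Upstream don't support LTO, bug #854222.`). Suggest `# bug #924386, upstream https://dev.gnupg.org/T7003` above the gpgme-tests entry and `# upstream GnuPG-bug-id 6997 (dirmngr proxy CONNECT with TLS)` above the dirmngr-proxy entry, so the reason for -r3 is visible without opening the patch files. The mailprog comment in my_src_configure also has typos that could be fixed while here: `but not not exist` → `but does not exist`, `then then` → `then`, and `make the user chose` → `made the user choose`.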