[Pkg-openldap-devel] [openldap] 01/01: build with libgnutls28-dev (#745231)
Ryan Tandy
rtandy-guest at moszumanska.debian.org
Thu Jul 3 23:29:50 UTC 2014
commit c19d5bd15d4087caa5c3d79567395ca753a28d5f
Author: Ryan Tandy <ryan at nardis.ca>
Date: Wed Jul 2 14:37:50 2014 -0700
build with libgnutls28-dev (#745231)
---
debian/changelog | 6 +
debian/control | 4 +-
debian/patches/fix-ftbfs-binutils-gold | 64 ---------
.../its7430-avoid-gnutls-deprecated-function | 42 ++++++
.../patches/its7877-use-nettle-instead-of-gcrypt | 155 +++++++++++++++++++++
debian/patches/series | 3 +-
debian/patches/smbk5pwd-makefile | 2 +-
7 files changed, 208 insertions(+), 68 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1d9550e..89cd1aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,12 @@ openldap (2.4.39-2) UNRELEASED; urgency=low
* debian/rules: Enable parallel building.
* debian/slapd.README.Debian: Add a note about database format upgrades and
the consequences of missing one. (Closes: #594711)
+ * Build with GnuTLS 3 (Closes: #745231):
+ - debian/patches/its7430-avoid-gnutls-deprecated-function: Import upstream
+ fix for building with newer gnutls.
+ - debian/patches/its7877-use-nettle-instead-of-gcrypt: Remove explicit
+ gcrypt usage from libldap and migrate smbk5pwd from gcrypt to nettle.
+ - Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
[ Jelmer Vernooij ]
* Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
diff --git a/debian/control b/debian/control
index 4cc91c8..6a4ee2c 100644
--- a/debian/control
+++ b/debian/control
@@ -9,8 +9,8 @@ Uploaders: Roland Bauerschmidt <rb at debian.org>,
Timo Aaltonen <tjaalton at ubuntu.com>
Build-Depends: debhelper (>= 8.9.0~),
dpkg-dev (>= 1.16.1),
- libdb5.3-dev, libgcrypt-dev,
- libgnutls-dev (>= 1.7), unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0),
+ libdb5.3-dev, nettle-dev,
+ libgnutls28-dev, unixodbc-dev, libncurses5-dev, libperl-dev (>= 5.8.0),
libsasl2-dev, libslp-dev, libltdl-dev | libltdl3-dev (>= 1.4.3),
libwrap0-dev, perl, debconf-utils, po-debconf, quilt (>= 0.46-7),
groff-base, time, heimdal-multidev,
diff --git a/debian/patches/fix-ftbfs-binutils-gold b/debian/patches/fix-ftbfs-binutils-gold
deleted file mode 100644
index 1f0ca88..0000000
--- a/debian/patches/fix-ftbfs-binutils-gold
+++ /dev/null
@@ -1,64 +0,0 @@
---- a/configure.in
-+++ b/configure.in
-@@ -1214,7 +1214,7 @@ if test $ol_link_tls = no ; then
- ol_with_tls=gnutls
- ol_link_tls=yes
-
-- TLS_LIBS="-lgnutls"
-+ TLS_LIBS="-lgnutls -lgcrypt"
-
- AC_DEFINE(HAVE_GNUTLS, 1,
- [define if you have GNUtls])
---- a/libraries/libldap/Makefile.in
-+++ b/libraries/libldap/Makefile.in
-@@ -51,21 +51,21 @@ LIB_DEFS = -DLDAP_LIBRARY
- XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(LDAP_LIBLUTIL_A)
- XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
--UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
-+UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(TLS_LIBS)
- ifneq (,$(VERSION_OPTION))
- VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
- endif
-
- apitest: $(XLIBS) apitest.o
-- $(LTLINK) -o $@ apitest.o $(LIBS)
-+ $(LTLINK) -o $@ apitest.o $(LIBS) $(TLS_LIBS)
- dntest: $(XLIBS) dntest.o
-- $(LTLINK) -o $@ dntest.o $(LIBS)
-+ $(LTLINK) -o $@ dntest.o $(LIBS) $(TLS_LIBS)
- ftest: $(XLIBS) ftest.o
-- $(LTLINK) -o $@ ftest.o $(LIBS)
-+ $(LTLINK) -o $@ ftest.o $(LIBS) $(TLS_LIBS)
- ltest: $(XLIBS) test.o
-- $(LTLINK) -o $@ test.o $(LIBS)
-+ $(LTLINK) -o $@ test.o $(LIBS) $(TLS_LIBS)
- urltest: $(XLIBS) urltest.o
-- $(LTLINK) -o $@ urltest.o $(LIBS)
-+ $(LTLINK) -o $@ urltest.o $(LIBS) $(TLS_LIBS)
-
- CFFILES=ldap.conf
-
---- a/libraries/libldap_r/Makefile.in
-+++ b/libraries/libldap_r/Makefile.in
-@@ -60,7 +60,7 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(
- XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
- XXXLIBS = $(LTHREAD_LIBS)
- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
--UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
-+UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) $(TLS_LIBS)
- ifneq (,$(VERSION_OPTION))
- VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
- endif
-@@ -80,9 +80,9 @@ clean-local: FORCE
- depend-common: .links
-
- apitest: $(XLIBS) apitest.o
-- $(LTLINK) -o $@ apitest.o $(LIBS)
-+ $(LTLINK) -o $@ apitest.o $(LIBS) $(TLS_LIBS)
- ltest: $(XLIBS) test.o
-- $(LTLINK) -o $@ test.o $(LIBS)
-+ $(LTLINK) -o $@ test.o $(LIBS) $(TLS_LIBS)
-
- install-local: $(CFFILES) FORCE
- -$(MKDIR) $(DESTDIR)$(libdir)
diff --git a/debian/patches/its7430-avoid-gnutls-deprecated-function b/debian/patches/its7430-avoid-gnutls-deprecated-function
new file mode 100644
index 0000000..60af264
--- /dev/null
+++ b/debian/patches/its7430-avoid-gnutls-deprecated-function
@@ -0,0 +1,42 @@
+From 654ae1871fc35647af7ff78cb2d4851cac263fff Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc at openldap.org>
+Date: Sat, 7 Sep 2013 09:39:24 -0700
+Subject: [PATCH] ITS#7430 GnuTLS: Avoid use of deprecated function
+
+---
+ libraries/libldap/tls_g.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index c1e368e..cc8af63 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -368,6 +368,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ * then we have to build the cert chain.
+ */
+ if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
++#if GNUTLS_VERSION_NUMBER >= 0x020c00
++ unsigned int i;
++ for ( i = 1; i<VERIFY_DEPTH; i++ ) {
++ if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
++ break;
++ max++;
++ /* If this CA is self-signed, we're done */
++ if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
++ break;
++ }
++#else
+ gnutls_x509_crt_t *cas;
+ unsigned int i, j, ncas;
+
+@@ -387,6 +398,7 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ if ( j == ncas )
+ break;
+ }
++#endif
+ }
+ rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
+ if ( rc ) return -1;
+--
+2.0.1
+
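Review bot: The new chain-building branch is guarded by `GNUTLS_VERSION_NUMBER`, while the same tls_g.c tests `LIBGNUTLS_VERSION_NUMBER` (visible in the its7877 patch, `#if LIBGNUTLS_VERSION_NUMBER >= 0x020200`); as far as I recall only GnuTLS 3.x headers define the unprefixed name, so against a 2.12 header the guard silently selects the legacy path. With libgnutls28-dev this is harmless, but the two macros should agree, e.g. `#if LIBGNUTLS_VERSION_NUMBER >= 0x020c00`. The loop also stores into `certs[i]` for i up to VERIFY_DEPTH-1 and `gnutls_certificate_get_issuer` hands back certificates owned by `ctx->cred`; neither the size of `certs` nor how its entries are released is visible in the hunk, so confirm `certs` has VERIFY_DEPTH entries and that the borrowed issuer pointers are not deinit'ed alongside the loaded ones. tlsg_ctx_init starts and ends outside the hunk.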
diff --git a/debian/patches/its7877-use-nettle-instead-of-gcrypt b/debian/patches/its7877-use-nettle-instead-of-gcrypt
new file mode 100644
index 0000000..247c788
--- /dev/null
+++ b/debian/patches/its7877-use-nettle-instead-of-gcrypt
@@ -0,0 +1,155 @@
+From 8a5bec8ce0fdd9e5ba1671920baf52cdd5ced5d9 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan at nardis.ca>
+Date: Wed, 2 Jul 2014 14:27:56 -0700
+Subject: [PATCH] ITS#7877 use nettle instead of gcrypt
+
+---
+ contrib/slapd-modules/smbk5pwd/smbk5pwd.c | 34 +++++++++++++------------------
+ libraries/libldap/tls_g.c | 34 ++++---------------------------
+ 2 files changed, 18 insertions(+), 50 deletions(-)
+
+diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+index 075ce88..459ce0c 100644
+--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
++++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+@@ -66,7 +66,8 @@ static ObjectClass *oc_krb5KDCEntry;
+
+ #ifdef DO_SAMBA
+ #ifdef HAVE_GNUTLS
+-#include <gcrypt.h>
++#include <nettle/des.h>
++#include <nettle/md4.h>
+ typedef unsigned char DES_cblock[8];
+ #elif HAVE_OPENSSL
+ #include <openssl/des.h>
+@@ -193,11 +194,7 @@ static void lmhash(
+ #ifdef HAVE_OPENSSL
+ DES_key_schedule schedule;
+ #elif defined(HAVE_GNUTLS)
+- gcry_cipher_hd_t h = NULL;
+- gcry_error_t err;
+-
+- err = gcry_cipher_open( &h, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, 0 );
+- if ( err ) return;
++ struct des_ctx ctx;
+ #endif
+
+ strncpy( UcasePassword, passwd->bv_val, 14 );
+@@ -206,19 +203,12 @@ static void lmhash(
+
+ lmPasswd_to_key( UcasePassword, &key );
+ #ifdef HAVE_GNUTLS
+- err = gcry_cipher_setkey( h, &key, sizeof(key) );
+- if ( err == 0 ) {
+- err = gcry_cipher_encrypt( h, &hbuf[0], sizeof(key), &StdText, sizeof(key) );
+- if ( err == 0 ) {
+- gcry_cipher_reset( h );
+- lmPasswd_to_key( &UcasePassword[7], &key );
+- err = gcry_cipher_setkey( h, &key, sizeof(key) );
+- if ( err == 0 ) {
+- err = gcry_cipher_encrypt( h, &hbuf[1], sizeof(key), &StdText, sizeof(key) );
+- }
+- }
+- gcry_cipher_close( h );
+- }
++ des_set_key( &ctx, &key );
++ des_encrypt( &ctx, sizeof(key), &hbuf[0], &StdText );
++
++ lmPasswd_to_key( &UcasePassword[7], &key );
++ des_set_key( &ctx, &key );
++ des_encrypt( &ctx, sizeof(key), &hbuf[1], &StdText );
+ #elif defined(HAVE_OPENSSL)
+ des_set_key_unchecked( &key, schedule );
+ des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
+@@ -243,6 +233,8 @@ static void nthash(
+ char hbuf[HASHLEN];
+ #ifdef HAVE_OPENSSL
+ MD4_CTX ctx;
++#elif defined(HAVE_GNUTLS)
++ struct md4_ctx ctx;
+ #endif
+
+ if (passwd->bv_len > MAX_PWLEN*2)
+@@ -253,7 +245,9 @@ static void nthash(
+ MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
+ MD4_Final( (unsigned char *)hbuf, &ctx );
+ #elif defined(HAVE_GNUTLS)
+- gcry_md_hash_buffer(GCRY_MD_MD4, hbuf, passwd->bv_val, passwd->bv_len );
++ md4_init( &ctx );
++ md4_update( &ctx, passwd->bv_len, passwd->bv_val );
++ md4_digest( &ctx, sizeof(hbuf), (unsigned char *)hbuf );
+ #endif
+
+ hexify( hbuf, hash );
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index cc8af63..be7ebc0 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -43,21 +43,13 @@
+
+ #include <gnutls/gnutls.h>
+ #include <gnutls/x509.h>
+-#include <gcrypt.h>
+
+ #define DH_BITS (1024)
+
+ #if LIBGNUTLS_VERSION_NUMBER >= 0x020200
+ #define HAVE_CIPHERSUITES 1
+-/* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x
+- * but that dependency isn't reflected in their configure script, resulting in
+- * build errors on older gcrypt. So, if they have a working build environment,
+- * assume gcrypt is new enough.
+- */
+-#define HAVE_GCRYPT_RAND 1
+ #else
+ #undef HAVE_CIPHERSUITES
+-#undef HAVE_GCRYPT_RAND
+ #endif
+
+ #ifndef HAVE_CIPHERSUITES
+@@ -145,20 +137,13 @@ tlsg_mutex_unlock( void **lock )
+ return ldap_pvt_thread_mutex_unlock( *lock );
+ }
+
+-static struct gcry_thread_cbs tlsg_thread_cbs = {
+- GCRY_THREAD_OPTION_USER,
+- NULL,
+- tlsg_mutex_init,
+- tlsg_mutex_destroy,
+- tlsg_mutex_lock,
+- tlsg_mutex_unlock,
+- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+-};
+-
+ static void
+ tlsg_thr_init( void )
+ {
+- gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs);
++ gnutls_global_set_mutex (tlsg_mutex_init,
++ tlsg_mutex_destroy,
++ tlsg_mutex_lock,
++ tlsg_mutex_unlock);
+ }
+ #endif /* LDAP_R_COMPILE */
+
+@@ -168,17 +153,6 @@ tlsg_thr_init( void )
+ static int
+ tlsg_init( void )
+ {
+-#ifdef HAVE_GCRYPT_RAND
+- struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
+- if ( lo->ldo_tls_randfile &&
+- gcry_control( GCRYCTL_SET_RNDEGD_SOCKET, lo->ldo_tls_randfile )) {
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed\n",
+- 0, 0, 0);
+- return -1;
+- }
+-#endif
+-
+ gnutls_global_init();
+
+ #ifndef HAVE_CIPHERSUITES
+--
+2.0.1
+
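Review bot: In the nettle branch of lmhash the return value of `des_set_key` is discarded, whereas the gcrypt code it replaces checked `gcry_cipher_setkey`; I believe nettle uses that return to report a weak key, and LM keys derived from short or empty passwords can be weak, so confirm the schedule is still usable after a 0 return (otherwise the well-known empty-password hash would come out wrong) and record it with a comment such as `/* weak keys are legitimate for LM; nettle still sets the schedule */`. The same calls pass `&key`, which with the `typedef unsigned char DES_cblock[8]` visible at the top of the hunk is a pointer to an array rather than the `const uint8_t *` nettle expects — `des_set_key( &ctx, key );` avoids the incompatible-pointer warning, assuming `key` is a DES_cblock (its declaration is outside the hunk). In tls_g.c the removal of the `HAVE_GCRYPT_RAND` block means `ldo_tls_randfile` is now accepted but silently ignored under GnuTLS; that deserves a line in debian/changelog or a comment at the removal site. `gnutls_global_set_mutex` has to run before `gnutls_global_init`; the call order between tlsg_thr_init and tlsg_init is not visible here.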
diff --git a/debian/patches/series b/debian/patches/series
index 2239b82..d411c4b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,7 +13,6 @@ smbk5pwd-makefile
autogroup-makefile
ldap-conf-tls-cacertdir
add-tlscacert-option-to-ldap-conf
-fix-ftbfs-binutils-gold
fix-build-top-mk
no-AM_INIT_AUTOMAKE
switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
@@ -21,3 +20,5 @@ no-bdb-ABI-second-guessing
heimdal-fix
0001-ITS-7723-fix-reference-counting.patch
pw-sha2-makefile
+its7430-avoid-gnutls-deprecated-function
+its7877-use-nettle-instead-of-gcrypt
diff --git a/debian/patches/smbk5pwd-makefile b/debian/patches/smbk5pwd-makefile
index 19b1daf..4669c48 100644
--- a/debian/patches/smbk5pwd-makefile
+++ b/debian/patches/smbk5pwd-makefile
@@ -13,7 +13,7 @@
SSL_INC =
-SSL_LIB = -lcrypto
-+SSL_LIB = -lgcrypt
++SSL_LIB = -lnettle
-HEIMDAL_INC = -I/usr/heimdal/include
-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
--