From 1ec4d4652ae9c38e33c8ba59eba3eb43af4fc0fd Mon Sep 17 00:00:00 2001
From: Alon Bar-Lev
Date: Sat, 4 Mar 2017 01:32:47 +0200
Subject: [PATCH] net-firewall/nufw: support gnutls-3.4 + eapi bump
Bug: 583608
Package-Manager: Portage-2.3.3, Repoman-2.3.1
---
 .../nufw/files/nufw-2.2.22-gnutls-3.4.patch | 103 +++++++++++++++++
 net-firewall/nufw/nufw-2.2.22-r2.ebuild | 105 ++++++++++++++++++
 2 files changed, 208 insertions(+)
 create mode 100644 net-firewall/nufw/files/nufw-2.2.22-gnutls-3.4.patch
 create mode 100644 net-firewall/nufw/nufw-2.2.22-r2.ebuild
diff --git a/net-firewall/nufw/files/nufw-2.2.22-gnutls-3.4.patch b/net-firewall/nufw/files/nufw-2.2.22-gnutls-3.4.patch
new file mode 100644
index 000000000000..e75d2b3fd61d
--- /dev/null
+++ b/net-firewall/nufw/files/nufw-2.2.22-gnutls-3.4.patch
@@ -0,0 +1,103 @@
+From cbe4cfe90322e5add59433d9dd8394f46e341fab Mon Sep 17 00:00:00 2001
+From: Alon Bar-Lev
+Date: Sat, 4 Mar 2017 01:00:40 +0200
+Subject: [PATCH] ssl: drop call of deprecated
+ gnutls_certificate_type_set_priority()
+
+CTYPE-X.509 is the default value. Closes: #624077
+
+Signed-off-by: Alon Bar-Lev
+---
+ src/clients/lib/libnuclient.c | 15 ++-------------
+ src/nufw/tls.c | 14 --------------
+ 2 files changed, 2 insertions(+), 27 deletions(-)
+
+diff --git a/src/clients/lib/libnuclient.c b/src/clients/lib/libnuclient.c
+index 917e75a..6e78c96 100644
+--- a/src/clients/lib/libnuclient.c
++++ b/src/clients/lib/libnuclient.c
+@@ -62,9 +62,6 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL;
+ # define DH_BITS 1024
+#endif
+
+-static const int cert_type_priority[3] = { GNUTLS_CRT_X509, 0 };
+-
+-
+ void nu_exit_clean(nuauth_session_t * session)
+ {
+ if (session->ct) {
+@@ -270,7 +267,7 @@ int check_key_perms(const char* filename)
+ return 1;
+ }
+
+-static int _cb_request_cert(gnutls_session_t session, const gnutls_datum_t* req_ca_dn, int nreqs, const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st)
++static int _cb_request_cert(gnutls_session_t session, const gnutls_datum_t* req_ca_dn, int nreqs, const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st)
+ {
+ printf("TLS error: server requests certificate, none configured\n");
+ return 0;
+@@ -518,7 +515,7 @@ int nu_client_setup_tls(nuauth_session_t * session,
+ SET_ERROR(err, INTERNAL_ERROR, FILE_ACCESS_ERR);
+ return 0;
+ }
+- gnutls_certificate_client_set_retrieve_function(session->cred,
++ gnutls_certificate_set_retrieve_function(session->cred,
+ &_cb_request_cert);
+ }
+
+@@ -604,12 +601,6 @@ int nu_client_reset_tls(nuauth_session_t *session)
+ return 0;
+ }
+
+- ret =
+- gnutls_certificate_type_set_priority(session->tls,
+- cert_type_priority);
+- if (ret < 0) {
+- return 0;
+- }
+ return 1;
+ }
+
+@@ -776,8 +767,6 @@ void nu_client_reset(nuauth_session_t * session)
+ gnutls_deinit(session->tls);
+ gnutls_init(&session->tls, GNUTLS_CLIENT);
+ gnutls_set_default_priority(session->tls);
+- gnutls_certificate_type_set_priority(session->tls,
+- cert_type_priority);
+ session->need_set_cred = 1;
+
+ /* close socket */
+diff --git a/src/nufw/tls.c b/src/nufw/tls.c
+index e7223eb..2d46820 100644
+--- a/src/nufw/tls.c
++++ b/src/nufw/tls.c
+@@ -506,8 +506,6 @@ void tls_connect()
+ gnutls_session *tls_session;
+ int tls_socket, ret;
+ #if USE_X509
+- const int cert_type_priority[3] = { GNUTLS_CRT_X509, 0 };
+-
+ tls.session = NULL;
+
+ /* compute patch key_file */
+@@ -655,18 +653,6 @@ void tls_connect()
+ return;
+ }
+ #if USE_X509
+- ret = gnutls_certificate_type_set_priority(*(tls_session),
+- cert_type_priority);
+- if (ret < 0) {
+- log_area_printf(DEBUG_AREA_MAIN, DEBUG_LEVEL_WARNING,
+- "TLS: gnutls_certificate_type_set_priority() failed: %s",
+- gnutls_strerror(ret));
+- gnutls_certificate_free_credentials(tls.xcred);
+- gnutls_deinit(*tls_session);
+- free(tls_session);
+- return;
+- }
+-
+ /* put the x509 credentials to the current session */
+ ret = gnutls_credentials_set(*(tls_session), GNUTLS_CRD_CERTIFICATE,
+ tls.xcred);
+--
+2.10.2
+
diff --git a/net-firewall/nufw/nufw-2.2.22-r2.ebuild b/net-firewall/nufw/nufw-2.2.22-r2.ebuild
new file mode 100644
index 000000000000..98a634420c3f
--- /dev/null
+++ b/net-firewall/nufw/nufw-2.2.22-r2.ebuild
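Review bot: In the libnuclient.c hunk at @@ -270 the `_cb_request_cert` callback is re-typed to `gnutls_retr2_st` and wired through `gnutls_certificate_set_retrieve_function`, but it still returns 0 without writing anything into `st`; the retrieve-function contract is that the callback reports how many certificates it selected via `st->ncerts` (0 meaning "send none"), and nothing in the hunk shows `st` being zeroed before the call, so add `st->ncerts = 0;` and `st->cert_type = GNUTLS_CRT_X509;` before the `return 0;` rather than relying on the library to pre-clear the struct. The callback's closing brace is outside the hunk. The tls.c hunk at @@ -655 deletes the only visible error path that released `tls.xcred` and `tls_session`; the error handling of the following `gnutls_credentials_set` call is outside the hunk and is presumably where those are now released on failure, which is worth confirming. A comment on the `_cb_request_cert` definition such as `/* retrieve callback: no client cert configured, so report ncerts == 0 */` would make the intent explicit.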
@@ -0,0 +1,105 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+SSL_CERT_MANDATORY=1
+inherit autotools eutils multilib pam ssl-cert
+
+DESCRIPTION="An enterprise grade authenticating firewall based on netfilter"
+HOMEPAGE="http://www.nufw.org/"
+SRC_URI="http://www.nufw.org/attachments/download/39/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="debug ldap mysql pam pam_nuauth plaintext postgres prelude unicode nfqueue nfconntrack static syslog test"
+
+REQUIRED_USE="pam_nuauth? ( plaintext )"
+DEPEND="
+ dev-libs/cyrus-sasl
+ dev-libs/glib:2
+ dev-libs/libgcrypt:0
+ dev-python/ipy
+ net-firewall/iptables
+ net-libs/gnutls
+ ldap? ( >=net-nds/openldap-2 )
+ mysql? ( virtual/mysql )
+ nfconntrack? ( net-libs/libnetfilter_conntrack )
+ nfqueue? ( net-libs/libnfnetlink net-libs/libnetfilter_queue )
+ pam? ( sys-libs/pam )
+ pam_nuauth? ( sys-libs/pam )
+ postgres? ( dev-db/postgresql:*[server] )
+ prelude? ( dev-libs/libprelude )
+"
+RDEPEND=${DEPEND}
+
+PATCHES=(
+ "${FILESDIR}/${P}-var-run.patch"
+ "${FILESDIR}/${P}-gnutls-3.4.patch"
+)
+
+RESTRICT="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e 's:^#\(nuauth_tls_key="/etc/nufw/\)nuauth-key.pem:\1nuauth.key:' \
+ -e 's:^#\(nuauth_tls_cert="/etc/nufw/\)nuauth-cert.pem:\1nuauth.pem:' \
+ conf/nuauth.conf || die
+ sed -i \
+ -e "/^modulesdir/s|=.*|= /$(get_libdir)/security|g" \
+ src/clients/pam_nufw/Makefile.am || die
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_enable debug) \
+ $(use_enable pam_nuauth pam-nufw) \
+ $(use_enable static) \
+ $(use_with ldap) \
+ $(use_with mysql mysql-auth) \
+ $(use_with mysql mysql-log) \
+ $(use_with nfconntrack) \
+ $(use_with nfqueue) \
+ $(use_with pam system-auth) \
+ $(use_with plaintext plaintext-auth) \
+ $(use_with postgres pgsql-log) \
+ $(use_with prelude prelude-log) \
+ $(use_with syslog syslog-log) \
+ $(use_with unicode utf8) \
+ --enable-shared \
+ --includedir="/usr/include/nufw" \
+ --localstatedir="/var" \
+ --sysconfdir="/etc/nufw" \
+ --with-mark-group \
+ --with-user-mark
+}
+
+src_install() {
+ default
+ prune_libtool_files
+
+ newinitd "${FILESDIR}"/nufw-init.d nufw
+ newconfd "${FILESDIR}"/nufw-conf.d nufw
+
+ newinitd "${FILESDIR}"/nuauth-init.d nuauth
+ newconfd "${FILESDIR}"/nuauth-conf.d nuauth
+
+ insinto /etc/nufw
+ doins conf/nuauth.conf
+
+ docinto scripts
+ dodoc scripts/{clean_conntrack.pl,nuaclgen,nutop,README,ulog_rotate_daily.sh,ulog_rotate_weekly.sh}
+ docinto conf
+ dodoc conf/*.{nufw,schema,conf,dump,xml}
+
+ if use pam; then
+ pamd_mimic system-auth nufw auth account password session
+ fi
+}
+
+pkg_postinst() {
+ install_cert /etc/nufw/{nufw,nuauth}
+}
--
2.26.2
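Review bot: `DEPEND` still lists `net-libs/gnutls` with no lower bound, although the newly bundled `${P}-gnutls-3.4.patch` moves libnuclient.c onto the `gnutls_retr2_st` / `gnutls_certificate_set_retrieve_function` API, so the build now needs a gnutls that provides them; write the atom as `>=net-libs/gnutls-<first release providing gnutls_retr2_st>` with the version taken from the gnutls NEWS file. `pkg_postinst` runs `install_cert /etc/nufw/{nufw,nuauth}` while `src_prepare` rewrites `conf/nuauth.conf` to point at `nuauth.key`/`nuauth.pem`; as far as the ssl-cert eclass behaves, that produces self-signed material when none exists, so a comment such as `# self-signed placeholders from ssl-cert; replace with CA-issued key/cert in /etc/nufw before deployment` next to the call would tell operators what they are getting. `IUSE` declares `test` but `RESTRICT="test"` is set and nothing in `src_configure` consumes the flag, so it can be dropped from `IUSE`.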