Add LibreSSL patch for app-crypt/mit-krb5

app-crypt/mit-krb5/Manifest

@@ -0,0 +1 @@
+DIST krb5-1.21.3.tar.gz 9136145 BLAKE2B e909a55eaedab68e5c829bb7bbd26cec5db2d7b8d97f3b034de94d8f957003f16977ac619afee3b862f288e59f05c5e44f41e65b8883961c8b22a26e2f4733bc SHA512 87bc06607f4d95ff604169cea22180703a42d667af05f66f1569b8bd592670c42820b335e5c279e8b4f066d1e7da20f1948a1e4def7c5d295c170cbfc7f49c71

app-crypt/mit-krb5/files/kpropd.xinetd

@@ -0,0 +1,11 @@
+service tell
+{
+	disable		= yes
+	socket_type	= stream
+	user		= root
+	wait		= no
+	server		= /usr/sbin/kpropd
+	only_from	= 0.0.0.0
+	log_on_success	= PID HOST EXIT DURATION
+	log_on_failure	= HOST
+}

app-crypt/mit-krb5/files/mit-krb5-1.12_warn_cflags.patch

@@ -0,0 +1,11 @@
+gentoo bug #498794
+--- src/aclocal.m4	2014-01-16 00:44:15.000000000 +0000
++++ src/aclocal.m4	2014-03-26 10:20:54.000000000 +0000
+@@ -501,6 +501,7 @@
+   fi
+   if test "x$krb5_ac_warn_cflags_set" = xset ; then
+     AC_MSG_NOTICE(not adding extra gcc warning flags because WARN_CFLAGS was set)
++    WARN_CFLAGS=""
+   else
+     AC_MSG_NOTICE(adding extra warning flags for gcc)
+     WARN_CFLAGS="$WARN_CFLAGS $extra_gcc_warn_opts -Wmissing-prototypes"

app-crypt/mit-krb5/files/mit-krb5-1.18.2-krb5-config.patch

@@ -0,0 +1,15 @@
+--- a/build-tools/krb5-config.in
++++ b/build-tools/krb5-config.in
+@@ -208,12 +208,6 @@
+
+
+ if test -n "$do_libs"; then
+-    # Assumes /usr/lib is the standard library directory everywhere...
+-    if test "$libdir" = /usr/lib; then
+-	libdirarg=
+-    else
+-	libdirarg="-L$libdir"
+-    fi
+     # Ugly gross hack for our build tree
+     lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \
+ 	    -e 's/\$(PURE)//' \

app-crypt/mit-krb5/files/mit-krb5-1.21.3-libressl.patch

@@ -0,0 +1,52 @@
+--- a/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -146,6 +146,10 @@ wrap_signeddata(unsigned char *data, unsigned int data_len,
+ static const char *
+ pkcs11err(int err);
+
++#ifdef LIBRESSL_VERSION_NUMBER
++#define EVP_PKEY_DHX EVP_PKEY_DH
++#define d2i_DHxparams d2i_DHparams
++#endif
+
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+@@ -283,7 +287,7 @@ decode_bn_der(const uint8_t *der, size_t len)
+     return bn;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ static int
+ params_valid(EVP_PKEY *params)
+ {
+@@ -545,13 +549,13 @@ cleanup:
+
+ /* Attempt to specify padded Diffie-Hellman result derivation.  Don't error out
+  * if this fails since we also detect short results and adjust them. */
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
+ static void
+ set_padded_derivation(EVP_PKEY_CTX *ctx)
+ {
+     EVP_PKEY_CTX_set_dh_pad(ctx, 1);
+ }
+-#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
++#elif OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ static void
+ set_padded_derivation(EVP_PKEY_CTX *ctx)
+ {
+@@ -5636,8 +5640,11 @@ pkcs7_decrypt(krb5_context context,
+     evp_ctx = EVP_CIPHER_CTX_new();
+     if (evp_ctx == NULL)
+         goto cleanup;
+-    if (!EVP_DecryptInit(evp_ctx, evp_cipher, NULL, NULL) ||
+-        EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) <= 0)
++    if (!EVP_DecryptInit(evp_ctx, evp_cipher, NULL, NULL)
++#ifndef LIBRESSL_VERSION_NUMBER
++        || EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) <= 0
++#endif
++     )
+         goto cleanup;
+
+     /* Generate a random symmetric key to avoid exposing timing data if RSA

app-crypt/mit-krb5/files/mit-krb5_dont_create_rundir.patch

@@ -0,0 +1,10 @@
+--- src/Makefile.in	2019-12-12 10:15:51.674552983 +0300
++++ src/Makefile.in	2019-12-12 10:16:33.205543490 +0300
+@@ -71,7 +71,6 @@
+ 		$(KRB5_AD_MODULE_DIR) \
+ 		$(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \
+ 		$(localstatedir) $(localstatedir)/krb5kdc \
+-		$(runstatedir) $(runstatedir)/krb5kdc \
+ 		$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
+ 		$(PKGCONFIG_DIR)
+

app-crypt/mit-krb5/files/mit-krb5kadmind.confd

@@ -0,0 +1,2 @@
+# Define startup options for Kerberos administration server
+KADMIND_OPTS=""

app-crypt/mit-krb5/files/mit-krb5kadmind.initd-r2

@@ -0,0 +1,25 @@
+#!/sbin/openrc-run
+
+#---------------------------------------------------------------------------
+# This script starts/stops the MIT Kerberos 5 Admin daemon
+#---------------------------------------------------------------------------
+
+daemon="MIT Kerberos 5 Admin daemon"
+exec="/usr/sbin/kadmind"
+
+depend() {
+	need mit-krb5kdc
+	use net
+}
+
+start() {
+	ebegin "Starting $daemon"
+	start-stop-daemon --start --quiet --exec ${exec} -- ${KADMIND_OPTS} 1>&2
+	eend $? "Error starting $daemon"
+}
+
+stop() {
+	ebegin "Stopping $daemon"
+	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+	eend $? "Error stopping $daemon"
+}

app-crypt/mit-krb5/files/mit-krb5kadmind.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 administration server
+
+[Service]
+ExecStart=/usr/sbin/kadmind -nofork
+
+[Install]
+WantedBy=multi-user.target

app-crypt/mit-krb5/files/mit-krb5kdc.confd

@@ -0,0 +1,2 @@
+# Define startup options for Kerberos KDC
+KDC_OPTS=""

app-crypt/mit-krb5/files/mit-krb5kdc.initd-r2

@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+
+#---------------------------------------------------------------------------
+# This script starts/stops the MIT Kerberos 5 KDC
+#---------------------------------------------------------------------------
+
+daemon="MIT Kerberos 5 KDC"
+exec="/usr/sbin/krb5kdc"
+
+depend() {
+	use net
+}
+
+start() {
+	ebegin "Starting $daemon"
+	start-stop-daemon --start --quiet --exec ${exec} -- ${KDC_OPTS} 1>&2
+	eend $? "Error starting $daemon"
+}
+
+stop() {
+	ebegin "Stopping $daemon"
+	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+	eend $? "Error stopping $daemon"
+}

app-crypt/mit-krb5/files/mit-krb5kdc.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 KDC
+
+[Service]
+ExecStart=/usr/sbin/krb5kdc -n
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

app-crypt/mit-krb5/files/mit-krb5kpropd.confd

@@ -0,0 +1,2 @@
+# Define startup options for Kerberos incremental propagation server
+KPROPD_OPTS=""

app-crypt/mit-krb5/files/mit-krb5kpropd.initd-r2

@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+
+#---------------------------------------------------------------------------
+# This script starts/stops the MIT Kerberos 5 kpropd
+#---------------------------------------------------------------------------
+
+daemon="MIT Kerberos 5 kpropd"
+exec="/usr/sbin/kpropd"
+
+depend() {
+	use net mit-krb5kdc mit-krb5kadmind
+}
+
+start() {
+	ebegin "Starting $daemon"
+	start-stop-daemon --start --quiet --exec ${exec} -- ${KPROPD_OPTS} 1>&2
+	eend $? "Error starting $daemon"
+}
+
+stop() {
+	ebegin "Stopping $daemon"
+	start-stop-daemon --stop --quiet --exec ${exec} 1>&2
+	eend $? "Error stopping $daemon"
+}

app-crypt/mit-krb5/files/mit-krb5kpropd.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Service]
+ExecStart=/usr/sbin/kpropd -S
+
+[Install]
+WantedBy=multi-user.target

app-crypt/mit-krb5/files/mit-krb5kpropd.socket

@@ -0,0 +1,9 @@
+[Unit]
+Description=Kerberos 5 propagation server
+
+[Socket]
+ListenStream=754
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

app-crypt/mit-krb5/files/mit-krb5kpropd_at.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Kerberos 5 propagation server
+Conflicts=mit-krb5kpropd.service
+
+[Service]
+ExecStart=/usr/sbin/kpropd
+StandardInput=socket

app-crypt/mit-krb5/metadata.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="project">
+  <email>kerberos@gentoo.org</email>
+  <name>Kerberos</name>
+</maintainer>
+<use>
+  <flag name="doc">
+    Creates and installs the API and implementation
+    documentation. This is only useful if you want to develop software
+    which depends on kerberos
+  </flag>
+  <flag name="keyutils">Enable for the keyring ccache using keyutils</flag>
+  <flag name="lmdb">Add support for using <pkg>dev-db/lmdb</pkg> for lookup tables</flag>
+  <flag name="pkinit">Enable pkinit support for the initial ticket</flag>
+  <flag name="openldap">Enable support for ldap as a database backend</flag>
+</use>
+<upstream>
+  <remote-id type="cpe">cpe:/a:mit:kerberos_5</remote-id>
+  <remote-id type="github">krb5/krb5</remote-id>
+</upstream>
+</pkgmetadata>