
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-libs/gnutls/files/, net-libs/gnutls/
Date: Mon, 01 Jun 2020 19:17:30
Message-Id: 1591039035.f7402bdfcb5c3017b29d80d60312804b4b3fbebd.whissi@gentoo
1 commit: f7402bdfcb5c3017b29d80d60312804b4b3fbebd
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Mon Jun 1 19:01:34 2020 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Mon Jun 1 19:17:15 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7402bdf
7
8 net-libs/gnutls: rev bump to fix handling of expired root certificates
9
10 Link: https://gitlab.com/gnutls/gnutls/-/issues/1008
11 Closes: https://bugs.gentoo.org/726650
12 Package-Manager: Portage-2.3.100, Repoman-2.3.22
13 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
14
15 ...s-3.6.13-handle-expired-root-certificates.patch | 391 +++++++++++++++++++++
16 ...nutls-3.6.13.ebuild => gnutls-3.6.13-r1.ebuild} | 2 +
17 2 files changed, 393 insertions(+)
18
19 diff --git a/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch b/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch
20 new file mode 100644
21 index 00000000000..91986cf449c
22 --- /dev/null
23 +++ b/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch
24 @@ -0,0 +1,391 @@
25 +From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
26 +From: Daiki Ueno <ueno@×××.org>
27 +Date: Sun, 31 May 2020 12:39:14 +0200
28 +Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against
29 + system cert
30 +
31 +To verify a certificate chain, this function replaces known
32 +certificates with the ones in the system trust store if possible.
33 +
34 +However, if it is found, the function checks the validity of the
35 +original certificate rather than the certificate found in the trust
36 +store. That reveals a problem in a scenario that (1) a certificate is
37 +signed by multiple issuers and (2) one of the issuers' certificate has
38 +expired and included in the input chain.
39 +
40 +This patch makes it a little robuster by actually retrieving the
41 +certificate from the trust store and perform check against it.
42 +
43 +Signed-off-by: Daiki Ueno <ueno@×××.org>
44 +---
45 + lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++--------------
46 + lib/pkcs11_int.h | 5 +++
47 + lib/x509/verify.c | 7 +++-
48 + 3 files changed, 80 insertions(+), 30 deletions(-)
49 +
50 +diff --git a/lib/pkcs11.c b/lib/pkcs11.c
51 +index fad16aaf4f..d8d4a65114 100644
52 +--- a/lib/pkcs11.c
53 ++++ b/lib/pkcs11.c
54 +@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
55 + return ret;
56 + }
57 +
58 +-/**
59 +- * gnutls_pkcs11_crt_is_known:
60 +- * @url: A PKCS 11 url identifying a token
61 +- * @cert: is the certificate to find issuer for
62 +- * @issuer: Will hold the issuer if any in an allocated buffer.
63 +- * @fmt: The format of the exported issuer.
64 +- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
65 +- *
66 +- * This function will check whether the provided certificate is stored
67 +- * in the specified token. This is useful in combination with
68 +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
69 +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
70 +- * to check whether a CA is present or a certificate is blacklisted in
71 +- * a trust PKCS #11 module.
72 +- *
73 +- * This function can be used with a @url of "pkcs11:", and in that case all modules
74 +- * will be searched. To restrict the modules to the marked as trusted in p11-kit
75 +- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
76 +- *
77 +- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
78 +- * specific to p11-kit trust modules.
79 +- *
80 +- * Returns: If the certificate exists non-zero is returned, otherwise zero.
81 +- *
82 +- * Since: 3.3.0
83 +- **/
84 +-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
85 +- unsigned int flags)
86 ++unsigned
87 ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
88 ++ unsigned int flags,
89 ++ gnutls_x509_crt_t *trusted_cert)
90 + {
91 + int ret;
92 + struct find_cert_st priv;
93 +@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
94 +
95 + memset(&priv, 0, sizeof(priv));
96 +
97 ++ if (trusted_cert) {
98 ++ ret = gnutls_pkcs11_obj_init(&priv.obj);
99 ++ if (ret < 0) {
100 ++ gnutls_assert();
101 ++ goto cleanup;
102 ++ }
103 ++ priv.need_import = 1;
104 ++ }
105 ++
106 + if (url == NULL || url[0] == 0) {
107 + url = "pkcs11:";
108 + }
109 +@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
110 + _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
111 + /* attempt searching with the subject DN only */
112 + gnutls_assert();
113 ++ if (priv.obj)
114 ++ gnutls_pkcs11_obj_deinit(priv.obj);
115 + gnutls_free(priv.serial.data);
116 + memset(&priv, 0, sizeof(priv));
117 ++ if (trusted_cert) {
118 ++ ret = gnutls_pkcs11_obj_init(&priv.obj);
119 ++ if (ret < 0) {
120 ++ gnutls_assert();
121 ++ goto cleanup;
122 ++ }
123 ++ priv.need_import = 1;
124 ++ }
125 + priv.crt = cert;
126 + priv.flags = flags;
127 +
128 +@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
129 + goto cleanup;
130 + }
131 +
132 ++ if (trusted_cert) {
133 ++ ret = gnutls_x509_crt_init(trusted_cert);
134 ++ if (ret < 0) {
135 ++ gnutls_assert();
136 ++ ret = 0;
137 ++ goto cleanup;
138 ++ }
139 ++ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
140 ++ if (ret < 0) {
141 ++ gnutls_assert();
142 ++ gnutls_x509_crt_deinit(*trusted_cert);
143 ++ ret = 0;
144 ++ goto cleanup;
145 ++ }
146 ++ }
147 + ret = 1;
148 +
149 + cleanup:
150 ++ if (priv.obj)
151 ++ gnutls_pkcs11_obj_deinit(priv.obj);
152 + if (info)
153 + p11_kit_uri_free(info);
154 + gnutls_free(priv.serial.data);
155 +@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
156 + return ret;
157 + }
158 +
159 ++/**
160 ++ * gnutls_pkcs11_crt_is_known:
161 ++ * @url: A PKCS 11 url identifying a token
162 ++ * @cert: is the certificate to find issuer for
163 ++ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
164 ++ *
165 ++ * This function will check whether the provided certificate is stored
166 ++ * in the specified token. This is useful in combination with
167 ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
168 ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
169 ++ * to check whether a CA is present or a certificate is blacklisted in
170 ++ * a trust PKCS #11 module.
171 ++ *
172 ++ * This function can be used with a @url of "pkcs11:", and in that case all modules
173 ++ * will be searched. To restrict the modules to the marked as trusted in p11-kit
174 ++ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
175 ++ *
176 ++ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
177 ++ * specific to p11-kit trust modules.
178 ++ *
179 ++ * Returns: If the certificate exists non-zero is returned, otherwise zero.
180 ++ *
181 ++ * Since: 3.3.0
182 ++ **/
183 ++unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
184 ++ unsigned int flags)
185 ++{
186 ++ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
187 ++}
188 ++
189 + /**
190 + * gnutls_pkcs11_obj_get_flags:
191 + * @obj: The pkcs11 object
192 +diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
193 +index 9d88807098..86cce0dee5 100644
194 +--- a/lib/pkcs11_int.h
195 ++++ b/lib/pkcs11_int.h
196 +@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url)
197 + return 0;
198 + }
199 +
200 ++unsigned
201 ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
202 ++ unsigned int flags,
203 ++ gnutls_x509_crt_t *trusted_cert);
204 ++
205 + #endif /* ENABLE_PKCS11 */
206 +
207 + #endif /* GNUTLS_LIB_PKCS11_INT_H */
208 +diff --git a/lib/x509/verify.c b/lib/x509/verify.c
209 +index d202670198..fd7c6a1642 100644
210 +--- a/lib/x509/verify.c
211 ++++ b/lib/x509/verify.c
212 +@@ -34,6 +34,7 @@
213 + #include <tls-sig.h>
214 + #include <str.h>
215 + #include <datum.h>
216 ++#include <pkcs11_int.h>
217 + #include <x509_int.h>
218 + #include <common.h>
219 + #include <pk.h>
220 +@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
221 +
222 + for (; i < clist_size; i++) {
223 + unsigned vflags;
224 ++ gnutls_x509_crt_t trusted_cert;
225 +
226 + if (i == 0) /* in the end certificate do full comparison */
227 + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
228 +@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
229 + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
230 + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
231 +
232 +- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
233 ++ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
234 +
235 +- status |= check_ca_sanity(certificate_list[i], now, flags);
236 ++ status |= check_ca_sanity(trusted_cert, now, flags);
237 ++ gnutls_x509_crt_deinit(trusted_cert);
238 +
239 + if (func)
240 + func(certificate_list[i],
241 +--
242 +2.26.2
243 +
244 +
245 +From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001
246 +From: Daiki Ueno <ueno@×××.org>
247 +Date: Sun, 31 May 2020 13:59:53 +0200
248 +Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is
249 + expired
250 +
251 +gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN
252 +to trigger the fallback verification path if the signer of the last
253 +certificate is not in the trust store. Previously, it doesn't take
254 +into account of the condition where the certificate is expired.
255 +
256 +Signed-off-by: Daiki Ueno <ueno@×××.org>
257 +---
258 + lib/x509/verify-high.c | 12 +++++++-----
259 + 1 file changed, 7 insertions(+), 5 deletions(-)
260 +
261 +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
262 +index b1421ef17a..40638ad3aa 100644
263 +--- a/lib/x509/verify-high.c
264 ++++ b/lib/x509/verify-high.c
265 +@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
266 +
267 + #define LAST_DN cert_list[cert_list_size-1]->raw_dn
268 + #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
269 +-/* This macro is introduced to detect a verification output
270 +- * which indicates an unknown signer, or a signer which uses
271 +- * an insecure algorithm (e.g., sha1), something that indicates
272 +- * a superseded signer */
273 +-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
274 ++/* This macro is introduced to detect a verification output which
275 ++ * indicates an unknown signer, a signer which uses an insecure
276 ++ * algorithm (e.g., sha1), a signer has expired, or something that
277 ++ * indicates a superseded signer */
278 ++#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \
279 ++ (output & GNUTLS_CERT_EXPIRED) || \
280 ++ (output & GNUTLS_CERT_INSECURE_ALGORITHM))
281 + #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
282 +
283 + /**
284 +--
285 +2.26.2
286 +
287 +
288 +From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001
289 +From: Daiki Ueno <ueno@×××.org>
290 +Date: Sun, 31 May 2020 14:28:48 +0200
291 +Subject: [PATCH 3/3] tests: add test case for certificate chain superseding
292 +
293 +Signed-off-by: Daiki Ueno <ueno@×××.org>
294 +---
295 + tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++
296 + 1 file changed, 97 insertions(+)
297 +
298 +diff --git a/tests/test-chains.h b/tests/test-chains.h
299 +index dd19e6a815..9b06b85f5f 100644
300 +--- a/tests/test-chains.h
301 ++++ b/tests/test-chains.h
302 +@@ -4010,6 +4010,102 @@ static const char *ed448[] = {
303 + NULL
304 + };
305 +
306 ++/* This contains an expired intermediate CA, which should be superseded. */
307 ++static const char *superseding[] = {
308 ++ "-----BEGIN CERTIFICATE-----"
309 ++ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL"
310 ++ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw"
311 ++ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu"
312 ++ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI"
313 ++ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9"
314 ++ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa"
315 ++ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B"
316 ++ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz"
317 ++ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB"
318 ++ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw"
319 ++ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l"
320 ++ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq"
321 ++ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw"
322 ++ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I"
323 ++ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99"
324 ++ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR"
325 ++ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb"
326 ++ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E"
327 ++ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l"
328 ++ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU="
329 ++ "-----END CERTIFICATE-----",
330 ++ "-----BEGIN CERTIFICATE-----"
331 ++ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL"
332 ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN"
333 ++ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh"
334 ++ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K"
335 ++ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W"
336 ++ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc"
337 ++ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7"
338 ++ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy"
339 ++ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+"
340 ++ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh"
341 ++ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE"
342 ++ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj"
343 ++ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF"
344 ++ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc"
345 ++ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs"
346 ++ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv"
347 ++ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9"
348 ++ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1"
349 ++ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH"
350 ++ "iJwOKIk="
351 ++ "-----END CERTIFICATE-----",
352 ++ NULL
353 ++};
354 ++
355 ++static const char *superseding_ca[] = {
356 ++ "-----BEGIN CERTIFICATE-----"
357 ++ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL"
358 ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP"
359 ++ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk"
360 ++ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/"
361 ++ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8"
362 ++ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI"
363 ++ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl"
364 ++ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp"
365 ++ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl"
366 ++ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2"
367 ++ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD"
368 ++ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe"
369 ++ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW"
370 ++ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA"
371 ++ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7"
372 ++ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE"
373 ++ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP"
374 ++ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi"
375 ++ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9"
376 ++ "izchzb9eow=="
377 ++ "-----END CERTIFICATE-----",
378 ++ "-----BEGIN CERTIFICATE-----"
379 ++ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL"
380 ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP"
381 ++ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN"
382 ++ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C"
383 ++ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ"
384 ++ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8"
385 ++ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW"
386 ++ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG"
387 ++ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7"
388 ++ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB"
389 ++ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE"
390 ++ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy"
391 ++ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4"
392 ++ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S"
393 ++ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8"
394 ++ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw"
395 ++ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2"
396 ++ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt"
397 ++ "eh1COrLsOJo+"
398 ++ "-----END CERTIFICATE-----",
399 ++ NULL
400 ++};
401 ++
402 + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
403 + # pragma GCC diagnostic push
404 + # pragma GCC diagnostic ignored "-Wunused-variable"
405 +@@ -4178,6 +4274,7 @@ static struct
406 + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1},
407 + { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
408 + 0, NULL, 1584352960, 1},
409 ++ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
410 + { NULL, NULL, NULL, 0, 0}
411 + };
412 +
413 +--
414 +2.26.2
415 +
416
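Review bot: In the new `_gnutls_pkcs11_crt_is_known` (the pkcs11.c hunks of the added patch), both added `gnutls_pkcs11_obj_init` failure paths `goto cleanup` with `ret` still negative, although the function returns `unsigned` and the adjacent new `gnutls_x509_crt_init`/`gnutls_x509_crt_import_pkcs11` failure block sets `ret = 0;` first. A negative `ret` converts to a nonzero unsigned at `return ret;`, so the caller in verify.c takes the `!= 0` branch and passes an uninitialized `trusted_cert` to `check_ca_sanity` and `gnutls_x509_crt_deinit`. Both blocks should read `ret = 0;` before `goto cleanup;`, and declaring `gnutls_x509_crt_t trusted_cert = NULL;` in verify.c would turn the remaining failure mode into a null dereference rather than a wild pointer. This appears reachable only when `gnutls_pkcs11_obj_init` fails (presumably allocation failure), so it is a robustness rather than a verification-bypass concern, but the fail-closed result here is returning 0 (not known). The function's body spans several hunks, and the surrounding earlier failure paths are not visible in this patch.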
417 diff --git a/net-libs/gnutls/gnutls-3.6.13.ebuild b/net-libs/gnutls/gnutls-3.6.13-r1.ebuild
418 similarity index 98%
419 rename from net-libs/gnutls/gnutls-3.6.13.ebuild
420 rename to net-libs/gnutls/gnutls-3.6.13-r1.ebuild
421 index 1969a839156..0f8de4605eb 100644
422 --- a/net-libs/gnutls/gnutls-3.6.13.ebuild
423 +++ b/net-libs/gnutls/gnutls-3.6.13-r1.ebuild
424 @@ -54,6 +54,8 @@ DOCS=(
425
426 HTML_DOCS=()
427
428 +PATCHES=( "${FILESDIR}"/${P}-handle-expired-root-certificates.patch )
429 +
430 pkg_setup() {
431 # bug#520818
432 export TZ=UTC