commit: f7402bdfcb5c3017b29d80d60312804b4b3fbebd |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Mon Jun 1 19:01:34 2020 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Mon Jun 1 19:17:15 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7402bdf |
|
net-libs/gnutls: rev bump to fix handling of expired root certificates |
|
Link: https://gitlab.com/gnutls/gnutls/-/issues/1008 |
Closes: https://bugs.gentoo.org/726650 |
Package-Manager: Portage-2.3.100, Repoman-2.3.22 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
...s-3.6.13-handle-expired-root-certificates.patch | 391 +++++++++++++++++++++ |
...nutls-3.6.13.ebuild => gnutls-3.6.13-r1.ebuild} | 2 + |
2 files changed, 393 insertions(+) |
|
diff --git a/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch b/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch |
20 |
new file mode 100644 |
21 |
index 00000000000..91986cf449c |
22 |
--- /dev/null |
23 |
+++ b/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch |
24 |
@@ -0,0 +1,391 @@ |
25 |
+From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 |
26 |
+From: Daiki Ueno <ueno@×××.org> |
27 |
+Date: Sun, 31 May 2020 12:39:14 +0200 |
28 |
+Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against |
29 |
+ system cert |
30 |
+ |
31 |
+To verify a certificate chain, this function replaces known |
32 |
+certificates with the ones in the system trust store if possible. |
33 |
+ |
34 |
+However, if it is found, the function checks the validity of the |
35 |
+original certificate rather than the certificate found in the trust |
36 |
+store. That reveals a problem in a scenario that (1) a certificate is |
37 |
+signed by multiple issuers and (2) one of the issuers' certificate has |
38 |
+expired and included in the input chain. |
39 |
+ |
40 |
+This patch makes it a little robuster by actually retrieving the |
41 |
+certificate from the trust store and perform check against it. |
42 |
+ |
43 |
+Signed-off-by: Daiki Ueno <ueno@×××.org> |
44 |
+--- |
45 |
+ lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- |
46 |
+ lib/pkcs11_int.h | 5 +++ |
47 |
+ lib/x509/verify.c | 7 +++- |
48 |
+ 3 files changed, 80 insertions(+), 30 deletions(-) |
49 |
+ |
50 |
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c |
51 |
+index fad16aaf4f..d8d4a65114 100644 |
52 |
+--- a/lib/pkcs11.c |
53 |
++++ b/lib/pkcs11.c |
54 |
+@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, |
55 |
+ return ret; |
56 |
+ } |
57 |
+ |
58 |
+-/** |
59 |
+- * gnutls_pkcs11_crt_is_known: |
60 |
+- * @url: A PKCS 11 url identifying a token |
61 |
+- * @cert: is the certificate to find issuer for |
62 |
+- * @issuer: Will hold the issuer if any in an allocated buffer. |
63 |
+- * @fmt: The format of the exported issuer. |
64 |
+- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. |
65 |
+- * |
66 |
+- * This function will check whether the provided certificate is stored |
67 |
+- * in the specified token. This is useful in combination with |
68 |
+- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or |
69 |
+- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, |
70 |
+- * to check whether a CA is present or a certificate is blacklisted in |
71 |
+- * a trust PKCS #11 module. |
72 |
+- * |
73 |
+- * This function can be used with a @url of "pkcs11:", and in that case all modules |
74 |
+- * will be searched. To restrict the modules to the marked as trusted in p11-kit |
75 |
+- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. |
76 |
+- * |
77 |
+- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is |
78 |
+- * specific to p11-kit trust modules. |
79 |
+- * |
80 |
+- * Returns: If the certificate exists non-zero is returned, otherwise zero. |
81 |
+- * |
82 |
+- * Since: 3.3.0 |
83 |
+- **/ |
84 |
+-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, |
85 |
+- unsigned int flags) |
86 |
++unsigned |
87 |
++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, |
88 |
++ unsigned int flags, |
89 |
++ gnutls_x509_crt_t *trusted_cert) |
90 |
+ { |
91 |
+ int ret; |
92 |
+ struct find_cert_st priv; |
93 |
+@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, |
94 |
+ |
95 |
+ memset(&priv, 0, sizeof(priv)); |
96 |
+ |
97 |
++ if (trusted_cert) { |
98 |
++ ret = gnutls_pkcs11_obj_init(&priv.obj); |
99 |
++ if (ret < 0) { |
100 |
++ gnutls_assert(); |
101 |
++ goto cleanup; |
102 |
++ } |
103 |
++ priv.need_import = 1; |
104 |
++ } |
105 |
++ |
106 |
+ if (url == NULL || url[0] == 0) { |
107 |
+ url = "pkcs11:"; |
108 |
+ } |
109 |
+@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, |
110 |
+ _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); |
111 |
+ /* attempt searching with the subject DN only */ |
112 |
+ gnutls_assert(); |
113 |
++ if (priv.obj) |
114 |
++ gnutls_pkcs11_obj_deinit(priv.obj); |
115 |
+ gnutls_free(priv.serial.data); |
116 |
+ memset(&priv, 0, sizeof(priv)); |
117 |
++ if (trusted_cert) { |
118 |
++ ret = gnutls_pkcs11_obj_init(&priv.obj); |
119 |
++ if (ret < 0) { |
120 |
++ gnutls_assert(); |
121 |
++ goto cleanup; |
122 |
++ } |
123 |
++ priv.need_import = 1; |
124 |
++ } |
125 |
+ priv.crt = cert; |
126 |
+ priv.flags = flags; |
127 |
+ |
128 |
+@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, |
129 |
+ goto cleanup; |
130 |
+ } |
131 |
+ |
132 |
++ if (trusted_cert) { |
133 |
++ ret = gnutls_x509_crt_init(trusted_cert); |
134 |
++ if (ret < 0) { |
135 |
++ gnutls_assert(); |
136 |
++ ret = 0; |
137 |
++ goto cleanup; |
138 |
++ } |
139 |
++ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); |
140 |
++ if (ret < 0) { |
141 |
++ gnutls_assert(); |
142 |
++ gnutls_x509_crt_deinit(*trusted_cert); |
143 |
++ ret = 0; |
144 |
++ goto cleanup; |
145 |
++ } |
146 |
++ } |
147 |
+ ret = 1; |
148 |
+ |
149 |
+ cleanup: |
150 |
++ if (priv.obj) |
151 |
++ gnutls_pkcs11_obj_deinit(priv.obj); |
152 |
+ if (info) |
153 |
+ p11_kit_uri_free(info); |
154 |
+ gnutls_free(priv.serial.data); |
155 |
+@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, |
156 |
+ return ret; |
157 |
+ } |
158 |
+ |
159 |
++/** |
160 |
++ * gnutls_pkcs11_crt_is_known: |
161 |
++ * @url: A PKCS 11 url identifying a token |
162 |
++ * @cert: is the certificate to find issuer for |
163 |
++ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. |
164 |
++ * |
165 |
++ * This function will check whether the provided certificate is stored |
166 |
++ * in the specified token. This is useful in combination with |
167 |
++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or |
168 |
++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, |
169 |
++ * to check whether a CA is present or a certificate is blacklisted in |
170 |
++ * a trust PKCS #11 module. |
171 |
++ * |
172 |
++ * This function can be used with a @url of "pkcs11:", and in that case all modules |
173 |
++ * will be searched. To restrict the modules to the marked as trusted in p11-kit |
174 |
++ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. |
175 |
++ * |
176 |
++ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is |
177 |
++ * specific to p11-kit trust modules. |
178 |
++ * |
179 |
++ * Returns: If the certificate exists non-zero is returned, otherwise zero. |
180 |
++ * |
181 |
++ * Since: 3.3.0 |
182 |
++ **/ |
183 |
++unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, |
184 |
++ unsigned int flags) |
185 |
++{ |
186 |
++ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); |
187 |
++} |
188 |
++ |
189 |
+ /** |
190 |
+ * gnutls_pkcs11_obj_get_flags: |
191 |
+ * @obj: The pkcs11 object |
192 |
+diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h |
193 |
+index 9d88807098..86cce0dee5 100644 |
194 |
+--- a/lib/pkcs11_int.h |
195 |
++++ b/lib/pkcs11_int.h |
196 |
+@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) |
197 |
+ return 0; |
198 |
+ } |
199 |
+ |
200 |
++unsigned |
201 |
++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, |
202 |
++ unsigned int flags, |
203 |
++ gnutls_x509_crt_t *trusted_cert); |
204 |
++ |
205 |
+ #endif /* ENABLE_PKCS11 */ |
206 |
+ |
207 |
+ #endif /* GNUTLS_LIB_PKCS11_INT_H */ |
208 |
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c |
209 |
+index d202670198..fd7c6a1642 100644 |
210 |
+--- a/lib/x509/verify.c |
211 |
++++ b/lib/x509/verify.c |
212 |
+@@ -34,6 +34,7 @@ |
213 |
+ #include <tls-sig.h> |
214 |
+ #include <str.h> |
215 |
+ #include <datum.h> |
216 |
++#include <pkcs11_int.h> |
217 |
+ #include <x509_int.h> |
218 |
+ #include <common.h> |
219 |
+ #include <pk.h> |
220 |
+@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, |
221 |
+ |
222 |
+ for (; i < clist_size; i++) { |
223 |
+ unsigned vflags; |
224 |
++ gnutls_x509_crt_t trusted_cert; |
225 |
+ |
226 |
+ if (i == 0) /* in the end certificate do full comparison */ |
227 |
+ vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| |
228 |
+@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, |
229 |
+ vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| |
230 |
+ GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; |
231 |
+ |
232 |
+- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { |
233 |
++ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { |
234 |
+ |
235 |
+- status |= check_ca_sanity(certificate_list[i], now, flags); |
236 |
++ status |= check_ca_sanity(trusted_cert, now, flags); |
237 |
++ gnutls_x509_crt_deinit(trusted_cert); |
238 |
+ |
239 |
+ if (func) |
240 |
+ func(certificate_list[i], |
241 |
+-- |
242 |
+2.26.2 |
243 |
+ |
244 |
+ |
245 |
+From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 |
246 |
+From: Daiki Ueno <ueno@×××.org> |
247 |
+Date: Sun, 31 May 2020 13:59:53 +0200 |
248 |
+Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is |
249 |
+ expired |
250 |
+ |
251 |
+gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN |
252 |
+to trigger the fallback verification path if the signer of the last |
253 |
+certificate is not in the trust store. Previously, it doesn't take |
254 |
+into account of the condition where the certificate is expired. |
255 |
+ |
256 |
+Signed-off-by: Daiki Ueno <ueno@×××.org> |
257 |
+--- |
258 |
+ lib/x509/verify-high.c | 12 +++++++----- |
259 |
+ 1 file changed, 7 insertions(+), 5 deletions(-) |
260 |
+ |
261 |
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c |
262 |
+index b1421ef17a..40638ad3aa 100644 |
263 |
+--- a/lib/x509/verify-high.c |
264 |
++++ b/lib/x509/verify-high.c |
265 |
+@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, |
266 |
+ |
267 |
+ #define LAST_DN cert_list[cert_list_size-1]->raw_dn |
268 |
+ #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn |
269 |
+-/* This macro is introduced to detect a verification output |
270 |
+- * which indicates an unknown signer, or a signer which uses |
271 |
+- * an insecure algorithm (e.g., sha1), something that indicates |
272 |
+- * a superseded signer */ |
273 |
+-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) |
274 |
++/* This macro is introduced to detect a verification output which |
275 |
++ * indicates an unknown signer, a signer which uses an insecure |
276 |
++ * algorithm (e.g., sha1), a signer has expired, or something that |
277 |
++ * indicates a superseded signer */ |
278 |
++#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ |
279 |
++ (output & GNUTLS_CERT_EXPIRED) || \ |
280 |
++ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) |
281 |
+ #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) |
282 |
+ |
283 |
+ /** |
284 |
+-- |
285 |
+2.26.2 |
286 |
+ |
287 |
+ |
288 |
+From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 |
289 |
+From: Daiki Ueno <ueno@×××.org> |
290 |
+Date: Sun, 31 May 2020 14:28:48 +0200 |
291 |
+Subject: [PATCH 3/3] tests: add test case for certificate chain superseding |
292 |
+ |
293 |
+Signed-off-by: Daiki Ueno <ueno@×××.org> |
294 |
+--- |
295 |
+ tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ |
296 |
+ 1 file changed, 97 insertions(+) |
297 |
+ |
298 |
+diff --git a/tests/test-chains.h b/tests/test-chains.h |
299 |
+index dd19e6a815..9b06b85f5f 100644 |
300 |
+--- a/tests/test-chains.h |
301 |
++++ b/tests/test-chains.h |
302 |
+@@ -4010,6 +4010,102 @@ static const char *ed448[] = { |
303 |
+ NULL |
304 |
+ }; |
305 |
+ |
306 |
++/* This contains an expired intermediate CA, which should be superseded. */ |
307 |
++static const char *superseding[] = { |
308 |
++ "-----BEGIN CERTIFICATE-----" |
309 |
++ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" |
310 |
++ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" |
311 |
++ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" |
312 |
++ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" |
313 |
++ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" |
314 |
++ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" |
315 |
++ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" |
316 |
++ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" |
317 |
++ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" |
318 |
++ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" |
319 |
++ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" |
320 |
++ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" |
321 |
++ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" |
322 |
++ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" |
323 |
++ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" |
324 |
++ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" |
325 |
++ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" |
326 |
++ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" |
327 |
++ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" |
328 |
++ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" |
329 |
++ "-----END CERTIFICATE-----", |
330 |
++ "-----BEGIN CERTIFICATE-----" |
331 |
++ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" |
332 |
++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" |
333 |
++ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" |
334 |
++ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" |
335 |
++ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" |
336 |
++ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" |
337 |
++ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" |
338 |
++ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" |
339 |
++ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" |
340 |
++ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" |
341 |
++ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" |
342 |
++ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" |
343 |
++ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" |
344 |
++ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" |
345 |
++ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" |
346 |
++ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" |
347 |
++ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" |
348 |
++ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" |
349 |
++ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" |
350 |
++ "iJwOKIk=" |
351 |
++ "-----END CERTIFICATE-----", |
352 |
++ NULL |
353 |
++}; |
354 |
++ |
355 |
++static const char *superseding_ca[] = { |
356 |
++ "-----BEGIN CERTIFICATE-----" |
357 |
++ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" |
358 |
++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" |
359 |
++ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" |
360 |
++ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" |
361 |
++ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" |
362 |
++ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" |
363 |
++ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" |
364 |
++ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" |
365 |
++ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" |
366 |
++ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" |
367 |
++ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" |
368 |
++ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" |
369 |
++ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" |
370 |
++ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" |
371 |
++ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" |
372 |
++ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" |
373 |
++ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" |
374 |
++ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" |
375 |
++ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" |
376 |
++ "izchzb9eow==" |
377 |
++ "-----END CERTIFICATE-----", |
378 |
++ "-----BEGIN CERTIFICATE-----" |
379 |
++ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" |
380 |
++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" |
381 |
++ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" |
382 |
++ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" |
383 |
++ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" |
384 |
++ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" |
385 |
++ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" |
386 |
++ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" |
387 |
++ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" |
388 |
++ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" |
389 |
++ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" |
390 |
++ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" |
391 |
++ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" |
392 |
++ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" |
393 |
++ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" |
394 |
++ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" |
395 |
++ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" |
396 |
++ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" |
397 |
++ "eh1COrLsOJo+" |
398 |
++ "-----END CERTIFICATE-----", |
399 |
++ NULL |
400 |
++}; |
401 |
++ |
402 |
+ #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) |
403 |
+ # pragma GCC diagnostic push |
404 |
+ # pragma GCC diagnostic ignored "-Wunused-variable" |
405 |
+@@ -4178,6 +4274,7 @@ static struct |
406 |
+ GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, |
407 |
+ { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), |
408 |
+ 0, NULL, 1584352960, 1}, |
409 |
++ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, |
410 |
+ { NULL, NULL, NULL, 0, 0} |
411 |
+ }; |
412 |
+ |
413 |
+-- |
414 |
+2.26.2 |
415 |
+ |
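Review bot: In the new `_gnutls_pkcs11_crt_is_known`, both `gnutls_pkcs11_obj_init` failure paths (the one right after the first `memset(&priv, ...)` and the one in the subject-DN-only retry) jump to `cleanup` with `ret` still holding a negative error code, yet the function returns `unsigned` and its only caller in verify.c tests `!= 0`, so an allocation failure there would be reported as "certificate present in the trust store" while `*trusted_cert` was never assigned, and verify.c would then hand the uninitialized `trusted_cert` to `check_ca_sanity` and `gnutls_x509_crt_deinit`. The `gnutls_x509_crt_init`/`gnutls_x509_crt_import_pkcs11` failure paths added further down already do `ret = 0;` before the goto, so the two obj_init paths should do the same: `gnutls_assert(); ret = 0; goto cleanup;`. The part of `cleanup:` that sits between the hunks is not visible here and might normalise `ret`, but the visible tail is a plain `return ret;`. Separately, the rewritten `SIGNER_OLD_OR_UNKNOWN` macro in patch 2 uses its argument unparenthesised in `(output & GNUTLS_CERT_EXPIRED)`; `((output) & GNUTLS_CERT_EXPIRED)` keeps it safe should a caller ever pass a compound expression. The enclosing functions start and end outside the hunks shown.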
416 |
|
417 |
diff --git a/net-libs/gnutls/gnutls-3.6.13.ebuild b/net-libs/gnutls/gnutls-3.6.13-r1.ebuild |
418 |
similarity index 98% |
419 |
rename from net-libs/gnutls/gnutls-3.6.13.ebuild |
420 |
rename to net-libs/gnutls/gnutls-3.6.13-r1.ebuild |
421 |
index 1969a839156..0f8de4605eb 100644 |
422 |
--- a/net-libs/gnutls/gnutls-3.6.13.ebuild |
423 |
+++ b/net-libs/gnutls/gnutls-3.6.13-r1.ebuild |
424 |
@@ -54,6 +54,8 @@ DOCS=( |
425 |
|
426 |
HTML_DOCS=() |
427 |
|
428 |
+PATCHES=( "${FILESDIR}"/${P}-handle-expired-root-certificates.patch ) |
429 |
+ |
430 |
pkg_setup() { |
431 |
# bug#520818 |
432 |
export TZ=UTC |