| 1 |
commit: 4ee1e630aca57b00bfaaa1e1b1c8921c4a6e25b5 |
| 2 |
Author: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Apr 1 04:09:15 2019 +0000 |
| 4 |
Commit: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Apr 1 04:11:49 2019 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ee1e630 |
| 7 |
|
| 8 |
dev-libs/xmlsec: support SHA-1 signed certificates with gnutls-3.6 |
| 9 |
|
| 10 |
Signed-off-by: Alon Bar-Lev <alonbl <AT> gentoo.org> |
| 11 |
Package-Manager: Portage-2.3.62, Repoman-2.3.11 |
| 12 |
RepoMan-Options: --force |
| 13 |
|
| 14 |
dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch | 47 ++++++++++++++++++++++ |
| 15 |
...mlsec-1.2.27.ebuild => xmlsec-1.2.27-r1.ebuild} | 4 ++ |
| 16 |
2 files changed, 51 insertions(+) |
| 17 |
|
| 18 |
diff --git a/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch |
| 19 |
new file mode 100644 |
| 20 |
index 00000000000..2837420e0dc |
| 21 |
--- /dev/null |
| 22 |
+++ b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch |
| 23 |
@@ -0,0 +1,47 @@ |
| 24 |
+From 321e62add243cf8f024d6278da4c5ff030bae3b9 Mon Sep 17 00:00:00 2001 |
| 25 |
+From: Alon Bar-Lev <alon.barlev@×××××.com> |
| 26 |
+Date: Mon, 1 Apr 2019 01:28:18 +0300 |
| 27 |
+Subject: [PATCH] gnutls: allow SHA-1 signed certificate when not in strict |
| 28 |
+ checks (#250) (#251) |
| 29 |
+ |
| 30 |
+This is required for gnutls-3.6.x. |
| 31 |
+ |
| 32 |
+Allow tests to use no strict checks until all certificates will be converted |
| 33 |
+to stronger signature than SHA-1. |
| 34 |
+ |
| 35 |
+Signed-off-by: Alon Bar-Lev <alon.barlev@×××××.com> |
| 36 |
+--- |
| 37 |
+ src/gnutls/x509vfy.c | 3 +++ |
| 38 |
+ tests/testrun.sh | 2 +- |
| 39 |
+ 2 files changed, 4 insertions(+), 1 deletion(-) |
| 40 |
+ |
| 41 |
+diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c |
| 42 |
+index a9c956a3..4c753344 100644 |
| 43 |
+--- a/src/gnutls/x509vfy.c |
| 44 |
++++ b/src/gnutls/x509vfy.c |
| 45 |
+@@ -295,6 +295,9 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store, |
| 46 |
+ if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) { |
| 47 |
+ flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2; |
| 48 |
+ flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; |
| 49 |
++#if GNUTLS_VERSION_NUMBER >= 0x030600 |
| 50 |
++ flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1; |
| 51 |
++#endif |
| 52 |
+ } |
| 53 |
+ |
| 54 |
+ /* We are going to build all possible cert chains and try to verify them */ |
| 55 |
+diff --git a/tests/testrun.sh b/tests/testrun.sh |
| 56 |
+index 02484d09..ea65802b 100755 |
| 57 |
+--- a/tests/testrun.sh |
| 58 |
++++ b/tests/testrun.sh |
| 59 |
+@@ -59,7 +59,7 @@ if [ "z$XMLSEC_DEFAULT_CRYPTO" != "z" ] ; then |
| 60 |
+ elif [ "z$crypto" != "z" ] ; then |
| 61 |
+ xmlsec_params="$xmlsec_params --crypto $crypto" |
| 62 |
+ fi |
| 63 |
+-xmlsec_params="$xmlsec_params --crypto-config $crypto_config" |
| 64 |
++xmlsec_params="$xmlsec_params --X509-skip-strict-checks --crypto-config $crypto_config" |
| 65 |
+ |
| 66 |
+ # |
| 67 |
+ # Setup keys config |
| 68 |
+-- |
| 69 |
+2.21.0 |
| 70 |
+ |
| 71 |
|
| 72 |
diff --git a/dev-libs/xmlsec/xmlsec-1.2.27.ebuild b/dev-libs/xmlsec/xmlsec-1.2.27-r1.ebuild |
| 73 |
similarity index 97% |
| 74 |
rename from dev-libs/xmlsec/xmlsec-1.2.27.ebuild |
| 75 |
rename to dev-libs/xmlsec/xmlsec-1.2.27-r1.ebuild |
| 76 |
index 80b76456dd6..e56570b8002 100644 |
| 77 |
--- a/dev-libs/xmlsec/xmlsec-1.2.27.ebuild |
| 78 |
+++ b/dev-libs/xmlsec/xmlsec-1.2.27-r1.ebuild |
| 79 |
@@ -38,6 +38,10 @@ BDEPEND="virtual/pkgconfig |
| 80 |
|
| 81 |
S="${WORKDIR}/${PN}1-${PV}" |
| 82 |
|
| 83 |
+PATCHES=( |
| 84 |
+ "${FILESDIR}/${P}-gnutls.patch" |
| 85 |
+) |
| 86 |
+ |
| 87 |
src_prepare() { |
| 88 |
default |
| 89 |
# conditionally install extra documentation |
Archives