commit: 4ee1e630aca57b00bfaaa1e1b1c8921c4a6e25b5 |
Author: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org> |
AuthorDate: Mon Apr 1 04:09:15 2019 +0000 |
Commit: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org> |
CommitDate: Mon Apr 1 04:11:49 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ee1e630 |
|
dev-libs/xmlsec: support SHA-1 signed certificates with gnutls-3.6 |
|
Signed-off-by: Alon Bar-Lev <alonbl <AT> gentoo.org> |
Package-Manager: Portage-2.3.62, Repoman-2.3.11 |
RepoMan-Options: --force |
|
dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch | 47 ++++++++++++++++++++++ |
...mlsec-1.2.27.ebuild => xmlsec-1.2.27-r1.ebuild} | 4 ++ |
2 files changed, 51 insertions(+) |
|
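--- /dev/null
+++ b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch
@@ -0,0 +1,47 @@
+From 321e62add243cf8f024d6278da4c5ff030bae3b9 Mon Sep 17 00:00:00 2001
+From: Alon Bar-Lev <alon.barlev@×××××.com>
+Date: Mon, 1 Apr 2019 01:28:18 +0300
+Subject: [PATCH] gnutls: allow SHA-1 signed certificate when not in strict
+ checks (#250) (#251)
+
+This is required for gnutls-3.6.x.
+
+Allow tests to use no strict checks until all certificates will be converted
+to stronger signature than SHA-1.
+
+Signed-off-by: Alon Bar-Lev <alon.barlev@×××××.com>
+---
+ src/gnutls/x509vfy.c | 3 +++
+ tests/testrun.sh | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c
+index a9c956a3..4c753344 100644
+--- a/src/gnutls/x509vfy.c
++++ b/src/gnutls/x509vfy.c
+@@ -295,6 +295,9 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
+ if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) {
+ flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2;
+ flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
++#if GNUTLS_VERSION_NUMBER >= 0x030600
++ flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
++#endif
+ }
+
+ /* We are going to build all possible cert chains and try to verify them */
+diff --git a/tests/testrun.sh b/tests/testrun.sh
+index 02484d09..ea65802b 100755
+--- a/tests/testrun.sh
++++ b/tests/testrun.sh
+@@ -59,7 +59,7 @@ if [ "z$XMLSEC_DEFAULT_CRYPTO" != "z" ] ; then
+ elif [ "z$crypto" != "z" ] ; then
+ xmlsec_params="$xmlsec_params --crypto $crypto"
+ fi
+-xmlsec_params="$xmlsec_params --crypto-config $crypto_config"
++xmlsec_params="$xmlsec_params --X509-skip-strict-checks --crypto-config $crypto_config"
+
+ #
+ # Setup keys config
+--
+2.21.0
+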
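Review bot: With `--X509-skip-strict-checks` appended to `xmlsec_params` unconditionally in the `tests/testrun.sh` hunk of the bundled patch, every test invocation for every crypto backend takes the relaxed path, so the suite no longer exercises strict certificate verification (the path in `x509vfy.c` where MD2, MD5 and SHA-1 signatures stay disallowed). The patch message ties the need to gnutls-3.6.x only, so the option could be limited to that backend, e.g. `if [ "z$crypto" = "zgnutls" ] ; then xmlsec_params="$xmlsec_params --X509-skip-strict-checks" ; fi` ahead of the `--crypto-config` line; this assumes `$crypto` carries the backend name at that point, which the hunk does not show because the `if`/`elif` chain starts above it. A one-line comment above the `#if GNUTLS_VERSION_NUMBER >= 0x030600` block, such as `/* GnuTLS 3.6 rejects SHA-1 signatures by default; allow them only when strict checks are skipped */`, would also record that SHA-1 acceptance is opt-in rather than the new default.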
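--- a/dev-libs/xmlsec/xmlsec-1.2.27.ebuild
+++ b/dev-libs/xmlsec/xmlsec-1.2.27-r1.ebuild
@@ -38,6 +38,10 @@ BDEPEND="virtual/pkgconfig
 
 S="${WORKDIR}/${PN}1-${PV}"
 
+PATCHES=(
+ "${FILESDIR}/${P}-gnutls.patch"
+)
+
 src_prepare() {
 default
 # conditionally install extra documentation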