diff options
author | Thomas Deutschmann <whissi@gentoo.org> | 2020-06-01 21:01:34 +0200 |
---|---|---|
committer | Thomas Deutschmann <whissi@gentoo.org> | 2020-06-01 21:17:15 +0200 |
commit | f7402bdfcb5c3017b29d80d60312804b4b3fbebd (patch) | |
tree | 13034e052fffa456c54379742b3389ad500059dd | |
parent | sys-cluster/ceph-15.2.3: Fix build with USE=spdk (diff) | |
download | gentoo-f7402bdfcb5c3017b29d80d60312804b4b3fbebd.tar.gz gentoo-f7402bdfcb5c3017b29d80d60312804b4b3fbebd.tar.bz2 gentoo-f7402bdfcb5c3017b29d80d60312804b4b3fbebd.zip |
net-libs/gnutls: rev bump to fix handling of expired root certificates
Link: https://gitlab.com/gnutls/gnutls/-/issues/1008
Closes: https://bugs.gentoo.org/726650
Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
-rw-r--r-- | net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch | 391 | ||||
-rw-r--r-- | net-libs/gnutls/gnutls-3.6.13-r1.ebuild (renamed from net-libs/gnutls/gnutls-3.6.13.ebuild) | 2 |
2 files changed, 393 insertions, 0 deletions
diff --git a/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch b/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch new file mode 100644 index 000000000000..91986cf449cb --- /dev/null +++ b/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch @@ -0,0 +1,391 @@ +From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Sun, 31 May 2020 12:39:14 +0200 +Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against + system cert + +To verify a certificate chain, this function replaces known +certificates with the ones in the system trust store if possible. + +However, if it is found, the function checks the validity of the +original certificate rather than the certificate found in the trust +store. That reveals a problem in a scenario that (1) a certificate is +signed by multiple issuers and (2) one of the issuers' certificate has +expired and included in the input chain. + +This patch makes it a little robuster by actually retrieving the +certificate from the trust store and perform check against it. + +Signed-off-by: Daiki Ueno <ueno@gnu.org> +--- + lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- + lib/pkcs11_int.h | 5 +++ + lib/x509/verify.c | 7 +++- + 3 files changed, 80 insertions(+), 30 deletions(-) + +diff --git a/lib/pkcs11.c b/lib/pkcs11.c +index fad16aaf4f..d8d4a65114 100644 +--- a/lib/pkcs11.c ++++ b/lib/pkcs11.c +@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, + return ret; + } + +-/** +- * gnutls_pkcs11_crt_is_known: +- * @url: A PKCS 11 url identifying a token +- * @cert: is the certificate to find issuer for +- * @issuer: Will hold the issuer if any in an allocated buffer. +- * @fmt: The format of the exported issuer. +- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. +- * +- * This function will check whether the provided certificate is stored +- * in the specified token. This is useful in combination with +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or +- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, +- * to check whether a CA is present or a certificate is blacklisted in +- * a trust PKCS #11 module. +- * +- * This function can be used with a @url of "pkcs11:", and in that case all modules +- * will be searched. To restrict the modules to the marked as trusted in p11-kit +- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. +- * +- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is +- * specific to p11-kit trust modules. +- * +- * Returns: If the certificate exists non-zero is returned, otherwise zero. +- * +- * Since: 3.3.0 +- **/ +-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, +- unsigned int flags) ++unsigned ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags, ++ gnutls_x509_crt_t *trusted_cert) + { + int ret; + struct find_cert_st priv; +@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + + memset(&priv, 0, sizeof(priv)); + ++ if (trusted_cert) { ++ ret = gnutls_pkcs11_obj_init(&priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ priv.need_import = 1; ++ } ++ + if (url == NULL || url[0] == 0) { + url = "pkcs11:"; + } +@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); + /* attempt searching with the subject DN only */ + gnutls_assert(); ++ if (priv.obj) ++ gnutls_pkcs11_obj_deinit(priv.obj); + gnutls_free(priv.serial.data); + memset(&priv, 0, sizeof(priv)); ++ if (trusted_cert) { ++ ret = gnutls_pkcs11_obj_init(&priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ priv.need_import = 1; ++ } + priv.crt = cert; + priv.flags = flags; + +@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + goto cleanup; + } + ++ if (trusted_cert) { ++ ret = gnutls_x509_crt_init(trusted_cert); ++ if (ret < 0) { ++ gnutls_assert(); ++ ret = 0; ++ goto cleanup; ++ } ++ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); ++ if (ret < 0) { ++ gnutls_assert(); ++ gnutls_x509_crt_deinit(*trusted_cert); ++ ret = 0; ++ goto cleanup; ++ } ++ } + ret = 1; + + cleanup: ++ if (priv.obj) ++ gnutls_pkcs11_obj_deinit(priv.obj); + if (info) + p11_kit_uri_free(info); + gnutls_free(priv.serial.data); +@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, + return ret; + } + ++/** ++ * gnutls_pkcs11_crt_is_known: ++ * @url: A PKCS 11 url identifying a token ++ * @cert: is the certificate to find issuer for ++ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. ++ * ++ * This function will check whether the provided certificate is stored ++ * in the specified token. This is useful in combination with ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or ++ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, ++ * to check whether a CA is present or a certificate is blacklisted in ++ * a trust PKCS #11 module. ++ * ++ * This function can be used with a @url of "pkcs11:", and in that case all modules ++ * will be searched. To restrict the modules to the marked as trusted in p11-kit ++ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. ++ * ++ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is ++ * specific to p11-kit trust modules. ++ * ++ * Returns: If the certificate exists non-zero is returned, otherwise zero. ++ * ++ * Since: 3.3.0 ++ **/ ++unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags) ++{ ++ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); ++} ++ + /** + * gnutls_pkcs11_obj_get_flags: + * @obj: The pkcs11 object +diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h +index 9d88807098..86cce0dee5 100644 +--- a/lib/pkcs11_int.h ++++ b/lib/pkcs11_int.h +@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) + return 0; + } + ++unsigned ++_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, ++ unsigned int flags, ++ gnutls_x509_crt_t *trusted_cert); ++ + #endif /* ENABLE_PKCS11 */ + + #endif /* GNUTLS_LIB_PKCS11_INT_H */ +diff --git a/lib/x509/verify.c b/lib/x509/verify.c +index d202670198..fd7c6a1642 100644 +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -34,6 +34,7 @@ + #include <tls-sig.h> + #include <str.h> + #include <datum.h> ++#include <pkcs11_int.h> + #include <x509_int.h> + #include <common.h> + #include <pk.h> +@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, + + for (; i < clist_size; i++) { + unsigned vflags; ++ gnutls_x509_crt_t trusted_cert; + + if (i == 0) /* in the end certificate do full comparison */ + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| +@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, + vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; + +- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { ++ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { + +- status |= check_ca_sanity(certificate_list[i], now, flags); ++ status |= check_ca_sanity(trusted_cert, now, flags); ++ gnutls_x509_crt_deinit(trusted_cert); + + if (func) + func(certificate_list[i], +-- +2.26.2 + + +From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Sun, 31 May 2020 13:59:53 +0200 +Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is + expired + +gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN +to trigger the fallback verification path if the signer of the last +certificate is not in the trust store. Previously, it doesn't take +into account of the condition where the certificate is expired. + +Signed-off-by: Daiki Ueno <ueno@gnu.org> +--- + lib/x509/verify-high.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c +index b1421ef17a..40638ad3aa 100644 +--- a/lib/x509/verify-high.c ++++ b/lib/x509/verify-high.c +@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, + + #define LAST_DN cert_list[cert_list_size-1]->raw_dn + #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn +-/* This macro is introduced to detect a verification output +- * which indicates an unknown signer, or a signer which uses +- * an insecure algorithm (e.g., sha1), something that indicates +- * a superseded signer */ +-#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) ++/* This macro is introduced to detect a verification output which ++ * indicates an unknown signer, a signer which uses an insecure ++ * algorithm (e.g., sha1), a signer has expired, or something that ++ * indicates a superseded signer */ ++#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ ++ (output & GNUTLS_CERT_EXPIRED) || \ ++ (output & GNUTLS_CERT_INSECURE_ALGORITHM)) + #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) + + /** +-- +2.26.2 + + +From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Sun, 31 May 2020 14:28:48 +0200 +Subject: [PATCH 3/3] tests: add test case for certificate chain superseding + +Signed-off-by: Daiki Ueno <ueno@gnu.org> +--- + tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 97 insertions(+) + +diff --git a/tests/test-chains.h b/tests/test-chains.h +index dd19e6a815..9b06b85f5f 100644 +--- a/tests/test-chains.h ++++ b/tests/test-chains.h +@@ -4010,6 +4010,102 @@ static const char *ed448[] = { + NULL + }; + ++/* This contains an expired intermediate CA, which should be superseded. */ ++static const char *superseding[] = { ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" ++ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" ++ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" ++ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" ++ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" ++ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" ++ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" ++ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" ++ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" ++ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" ++ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" ++ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" ++ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" ++ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" ++ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" ++ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" ++ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" ++ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" ++ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" ++ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" ++ "-----END CERTIFICATE-----", ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" ++ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" ++ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" ++ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" ++ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" ++ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" ++ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" ++ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" ++ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" ++ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" ++ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" ++ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" ++ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" ++ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" ++ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" ++ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" ++ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" ++ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" ++ "iJwOKIk=" ++ "-----END CERTIFICATE-----", ++ NULL ++}; ++ ++static const char *superseding_ca[] = { ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" ++ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" ++ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" ++ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" ++ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" ++ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" ++ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" ++ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" ++ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" ++ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" ++ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" ++ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" ++ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" ++ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" ++ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" ++ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" ++ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" ++ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" ++ "izchzb9eow==" ++ "-----END CERTIFICATE-----", ++ "-----BEGIN CERTIFICATE-----" ++ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" ++ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" ++ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" ++ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" ++ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" ++ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" ++ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" ++ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" ++ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" ++ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" ++ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" ++ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" ++ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" ++ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" ++ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" ++ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" ++ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" ++ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" ++ "eh1COrLsOJo+" ++ "-----END CERTIFICATE-----", ++ NULL ++}; ++ + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) + # pragma GCC diagnostic push + # pragma GCC diagnostic ignored "-Wunused-variable" +@@ -4178,6 +4274,7 @@ static struct + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, + { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), + 0, NULL, 1584352960, 1}, ++ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, + { NULL, NULL, NULL, 0, 0} + }; + +-- +2.26.2 + diff --git a/net-libs/gnutls/gnutls-3.6.13.ebuild b/net-libs/gnutls/gnutls-3.6.13-r1.ebuild index 1969a8391568..0f8de4605ebc 100644 --- a/net-libs/gnutls/gnutls-3.6.13.ebuild +++ b/net-libs/gnutls/gnutls-3.6.13-r1.ebuild @@ -54,6 +54,8 @@ DOCS=( HTML_DOCS=() +PATCHES=( "${FILESDIR}"/${P}-handle-expired-root-certificates.patch ) + pkg_setup() { # bug#520818 export TZ=UTC |