commit: 4ee1e630aca57b00bfaaa1e1b1c8921c4a6e25b5 Author: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org> AuthorDate: Mon Apr 1 04:09:15 2019 +0000 Commit: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org> CommitDate: Mon Apr 1 04:11:49 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ee1e630
dev-libs/xmlsec: support SHA-1 signed certificates with gnutls-3.6 Signed-off-by: Alon Bar-Lev <alonbl <AT> gentoo.org> Package-Manager: Portage-2.3.62, Repoman-2.3.11 RepoMan-Options: --force dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch | 47 ++++++++++++++++++++++ ...mlsec-1.2.27.ebuild => xmlsec-1.2.27-r1.ebuild} | 4 ++ 2 files changed, 51 insertions(+) diff --git a/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch new file mode 100644 index 00000000000..2837420e0dc --- /dev/null +++ b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch @@ -0,0 +1,47 @@ +From 321e62add243cf8f024d6278da4c5ff030bae3b9 Mon Sep 17 00:00:00 2001 +From: Alon Bar-Lev <[email protected]> +Date: Mon, 1 Apr 2019 01:28:18 +0300 +Subject: [PATCH] gnutls: allow SHA-1 signed certificate when not in strict + checks (#250) (#251) + +This is required for gnutls-3.6.x. + +Allow tests to use no strict checks until all certificates will be converted +to stronger signature than SHA-1. + +Signed-off-by: Alon Bar-Lev <[email protected]> +--- + src/gnutls/x509vfy.c | 3 +++ + tests/testrun.sh | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c +index a9c956a3..4c753344 100644 +--- a/src/gnutls/x509vfy.c ++++ b/src/gnutls/x509vfy.c +@@ -295,6 +295,9 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store, + if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) { + flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2; + flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; ++#if GNUTLS_VERSION_NUMBER >= 0x030600 ++ flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1; ++#endif + } + + /* We are going to build all possible cert chains and try to verify them */ +diff --git a/tests/testrun.sh b/tests/testrun.sh +index 02484d09..ea65802b 100755 +--- a/tests/testrun.sh ++++ b/tests/testrun.sh +@@ -59,7 +59,7 @@ if [ "z$XMLSEC_DEFAULT_CRYPTO" != "z" ] ; then + elif [ "z$crypto" != "z" ] ; then + xmlsec_params="$xmlsec_params --crypto $crypto" + fi +-xmlsec_params="$xmlsec_params --crypto-config $crypto_config" ++xmlsec_params="$xmlsec_params --X509-skip-strict-checks --crypto-config $crypto_config" + + # + # Setup keys config +-- +2.21.0 + diff --git a/dev-libs/xmlsec/xmlsec-1.2.27.ebuild b/dev-libs/xmlsec/xmlsec-1.2.27-r1.ebuild similarity index 97% rename from dev-libs/xmlsec/xmlsec-1.2.27.ebuild rename to dev-libs/xmlsec/xmlsec-1.2.27-r1.ebuild index 80b76456dd6..e56570b8002 100644 --- a/dev-libs/xmlsec/xmlsec-1.2.27.ebuild +++ b/dev-libs/xmlsec/xmlsec-1.2.27-r1.ebuild @@ -38,6 +38,10 @@ BDEPEND="virtual/pkgconfig S="${WORKDIR}/${PN}1-${PV}" +PATCHES=( + "${FILESDIR}/${P}-gnutls.patch" +) + src_prepare() { default # conditionally install extra documentation
