summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Deutschmann <whissi@gentoo.org>2020-06-09 16:58:22 +0200
committerThomas Deutschmann <whissi@gentoo.org>2020-06-09 16:58:22 +0200
commit4254290cbaff26d7530a273eb9d307317f7f5f45 (patch)
treec39cffca7762592a91fd3049b2fb7ca894998acd
parentdev-libs/nss: s390 stable wrt bug #726842 (diff)
downloadgentoo-4254290cbaff26d7530a273eb9d307317f7f5f45.tar.gz
gentoo-4254290cbaff26d7530a273eb9d307317f7f5f45.tar.bz2
gentoo-4254290cbaff26d7530a273eb9d307317f7f5f45.zip
net-libs/gnutls: security cleanup
Bug: https://bugs.gentoo.org/727108 Package-Manager: Portage-2.3.100, Repoman-2.3.22 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
-rw-r--r--net-libs/gnutls/Manifest1
-rw-r--r--net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch391
-rw-r--r--net-libs/gnutls/gnutls-3.6.13-r1.ebuild134
3 files changed, 0 insertions, 526 deletions
diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index b64da79d7df0..a6db64d03c08 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -1,2 +1 @@
-DIST gnutls-3.6.13.tar.xz 5958956 BLAKE2B de67f96198b6456f397bf203f13bf1f906b69c7ce632dd96b72539fea12f2bd8ee8b2c608d1ed8b06d3b189023fa81e9a2cfcdd6c9bbd174e5bd2b0673f6ca47 SHA512 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c
DIST gnutls-3.6.14.tar.xz 6069088 BLAKE2B a1cd88a7c977f3a94a49e4187878560a8d9589a6fd32d8ad41b84c33534597fb85a88cf6b260a4a5e8b1a100790a7ba701acac2368f1ad42dcaba7e5c90b6758 SHA512 b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604
diff --git a/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch b/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch
deleted file mode 100644
index 91986cf449cb..000000000000
--- a/net-libs/gnutls/files/gnutls-3.6.13-handle-expired-root-certificates.patch
+++ /dev/null
@@ -1,391 +0,0 @@
-From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 31 May 2020 12:39:14 +0200
-Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against
- system cert
-
-To verify a certificate chain, this function replaces known
-certificates with the ones in the system trust store if possible.
-
-However, if it is found, the function checks the validity of the
-original certificate rather than the certificate found in the trust
-store. That reveals a problem in a scenario that (1) a certificate is
-signed by multiple issuers and (2) one of the issuers' certificate has
-expired and included in the input chain.
-
-This patch makes it a little robuster by actually retrieving the
-certificate from the trust store and perform check against it.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++--------------
- lib/pkcs11_int.h | 5 +++
- lib/x509/verify.c | 7 +++-
- 3 files changed, 80 insertions(+), 30 deletions(-)
-
-diff --git a/lib/pkcs11.c b/lib/pkcs11.c
-index fad16aaf4f..d8d4a65114 100644
---- a/lib/pkcs11.c
-+++ b/lib/pkcs11.c
-@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
- return ret;
- }
-
--/**
-- * gnutls_pkcs11_crt_is_known:
-- * @url: A PKCS 11 url identifying a token
-- * @cert: is the certificate to find issuer for
-- * @issuer: Will hold the issuer if any in an allocated buffer.
-- * @fmt: The format of the exported issuer.
-- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
-- *
-- * This function will check whether the provided certificate is stored
-- * in the specified token. This is useful in combination with
-- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
-- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
-- * to check whether a CA is present or a certificate is blacklisted in
-- * a trust PKCS #11 module.
-- *
-- * This function can be used with a @url of "pkcs11:", and in that case all modules
-- * will be searched. To restrict the modules to the marked as trusted in p11-kit
-- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
-- *
-- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
-- * specific to p11-kit trust modules.
-- *
-- * Returns: If the certificate exists non-zero is returned, otherwise zero.
-- *
-- * Since: 3.3.0
-- **/
--unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-- unsigned int flags)
-+unsigned
-+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+ unsigned int flags,
-+ gnutls_x509_crt_t *trusted_cert)
- {
- int ret;
- struct find_cert_st priv;
-@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-
- memset(&priv, 0, sizeof(priv));
-
-+ if (trusted_cert) {
-+ ret = gnutls_pkcs11_obj_init(&priv.obj);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+ priv.need_import = 1;
-+ }
-+
- if (url == NULL || url[0] == 0) {
- url = "pkcs11:";
- }
-@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
- /* attempt searching with the subject DN only */
- gnutls_assert();
-+ if (priv.obj)
-+ gnutls_pkcs11_obj_deinit(priv.obj);
- gnutls_free(priv.serial.data);
- memset(&priv, 0, sizeof(priv));
-+ if (trusted_cert) {
-+ ret = gnutls_pkcs11_obj_init(&priv.obj);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+ priv.need_import = 1;
-+ }
- priv.crt = cert;
- priv.flags = flags;
-
-@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- goto cleanup;
- }
-
-+ if (trusted_cert) {
-+ ret = gnutls_x509_crt_init(trusted_cert);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ ret = 0;
-+ goto cleanup;
-+ }
-+ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ gnutls_x509_crt_deinit(*trusted_cert);
-+ ret = 0;
-+ goto cleanup;
-+ }
-+ }
- ret = 1;
-
- cleanup:
-+ if (priv.obj)
-+ gnutls_pkcs11_obj_deinit(priv.obj);
- if (info)
- p11_kit_uri_free(info);
- gnutls_free(priv.serial.data);
-@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- return ret;
- }
-
-+/**
-+ * gnutls_pkcs11_crt_is_known:
-+ * @url: A PKCS 11 url identifying a token
-+ * @cert: is the certificate to find issuer for
-+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
-+ *
-+ * This function will check whether the provided certificate is stored
-+ * in the specified token. This is useful in combination with
-+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
-+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
-+ * to check whether a CA is present or a certificate is blacklisted in
-+ * a trust PKCS #11 module.
-+ *
-+ * This function can be used with a @url of "pkcs11:", and in that case all modules
-+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
-+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
-+ *
-+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
-+ * specific to p11-kit trust modules.
-+ *
-+ * Returns: If the certificate exists non-zero is returned, otherwise zero.
-+ *
-+ * Since: 3.3.0
-+ **/
-+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+ unsigned int flags)
-+{
-+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
-+}
-+
- /**
- * gnutls_pkcs11_obj_get_flags:
- * @obj: The pkcs11 object
-diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
-index 9d88807098..86cce0dee5 100644
---- a/lib/pkcs11_int.h
-+++ b/lib/pkcs11_int.h
-@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url)
- return 0;
- }
-
-+unsigned
-+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+ unsigned int flags,
-+ gnutls_x509_crt_t *trusted_cert);
-+
- #endif /* ENABLE_PKCS11 */
-
- #endif /* GNUTLS_LIB_PKCS11_INT_H */
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index d202670198..fd7c6a1642 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -34,6 +34,7 @@
- #include <tls-sig.h>
- #include <str.h>
- #include <datum.h>
-+#include <pkcs11_int.h>
- #include <x509_int.h>
- #include <common.h>
- #include <pk.h>
-@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
-
- for (; i < clist_size; i++) {
- unsigned vflags;
-+ gnutls_x509_crt_t trusted_cert;
-
- if (i == 0) /* in the end certificate do full comparison */
- vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
-@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
- vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
- GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
-
-- if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
-+ if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
-
-- status |= check_ca_sanity(certificate_list[i], now, flags);
-+ status |= check_ca_sanity(trusted_cert, now, flags);
-+ gnutls_x509_crt_deinit(trusted_cert);
-
- if (func)
- func(certificate_list[i],
---
-2.26.2
-
-
-From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 31 May 2020 13:59:53 +0200
-Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is
- expired
-
-gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN
-to trigger the fallback verification path if the signer of the last
-certificate is not in the trust store. Previously, it doesn't take
-into account of the condition where the certificate is expired.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/x509/verify-high.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
-index b1421ef17a..40638ad3aa 100644
---- a/lib/x509/verify-high.c
-+++ b/lib/x509/verify-high.c
-@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
-
- #define LAST_DN cert_list[cert_list_size-1]->raw_dn
- #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
--/* This macro is introduced to detect a verification output
-- * which indicates an unknown signer, or a signer which uses
-- * an insecure algorithm (e.g., sha1), something that indicates
-- * a superseded signer */
--#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
-+/* This macro is introduced to detect a verification output which
-+ * indicates an unknown signer, a signer which uses an insecure
-+ * algorithm (e.g., sha1), a signer has expired, or something that
-+ * indicates a superseded signer */
-+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \
-+ (output & GNUTLS_CERT_EXPIRED) || \
-+ (output & GNUTLS_CERT_INSECURE_ALGORITHM))
- #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
-
- /**
---
-2.26.2
-
-
-From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 31 May 2020 14:28:48 +0200
-Subject: [PATCH 3/3] tests: add test case for certificate chain superseding
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 97 insertions(+)
-
-diff --git a/tests/test-chains.h b/tests/test-chains.h
-index dd19e6a815..9b06b85f5f 100644
---- a/tests/test-chains.h
-+++ b/tests/test-chains.h
-@@ -4010,6 +4010,102 @@ static const char *ed448[] = {
- NULL
- };
-
-+/* This contains an expired intermediate CA, which should be superseded. */
-+static const char *superseding[] = {
-+ "-----BEGIN CERTIFICATE-----"
-+ "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL"
-+ "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw"
-+ "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu"
-+ "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI"
-+ "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9"
-+ "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa"
-+ "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B"
-+ "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz"
-+ "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB"
-+ "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw"
-+ "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l"
-+ "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq"
-+ "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw"
-+ "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I"
-+ "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99"
-+ "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR"
-+ "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb"
-+ "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E"
-+ "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l"
-+ "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU="
-+ "-----END CERTIFICATE-----",
-+ "-----BEGIN CERTIFICATE-----"
-+ "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL"
-+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN"
-+ "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh"
-+ "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K"
-+ "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W"
-+ "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc"
-+ "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7"
-+ "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy"
-+ "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+"
-+ "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh"
-+ "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE"
-+ "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj"
-+ "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF"
-+ "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc"
-+ "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs"
-+ "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv"
-+ "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9"
-+ "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1"
-+ "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH"
-+ "iJwOKIk="
-+ "-----END CERTIFICATE-----",
-+ NULL
-+};
-+
-+static const char *superseding_ca[] = {
-+ "-----BEGIN CERTIFICATE-----"
-+ "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL"
-+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP"
-+ "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk"
-+ "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/"
-+ "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8"
-+ "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI"
-+ "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl"
-+ "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp"
-+ "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl"
-+ "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2"
-+ "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD"
-+ "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe"
-+ "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW"
-+ "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA"
-+ "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7"
-+ "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE"
-+ "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP"
-+ "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi"
-+ "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9"
-+ "izchzb9eow=="
-+ "-----END CERTIFICATE-----",
-+ "-----BEGIN CERTIFICATE-----"
-+ "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL"
-+ "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP"
-+ "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN"
-+ "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C"
-+ "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ"
-+ "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8"
-+ "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW"
-+ "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG"
-+ "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7"
-+ "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB"
-+ "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE"
-+ "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy"
-+ "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4"
-+ "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S"
-+ "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8"
-+ "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw"
-+ "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2"
-+ "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt"
-+ "eh1COrLsOJo+"
-+ "-----END CERTIFICATE-----",
-+ NULL
-+};
-+
- #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
- # pragma GCC diagnostic push
- # pragma GCC diagnostic ignored "-Wunused-variable"
-@@ -4178,6 +4274,7 @@ static struct
- GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1},
- { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
- 0, NULL, 1584352960, 1},
-+ { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
- { NULL, NULL, NULL, 0, 0}
- };
-
---
-2.26.2
-
diff --git a/net-libs/gnutls/gnutls-3.6.13-r1.ebuild b/net-libs/gnutls/gnutls-3.6.13-r1.ebuild
deleted file mode 100644
index 0f8de4605ebc..000000000000
--- a/net-libs/gnutls/gnutls-3.6.13-r1.ebuild
+++ /dev/null
@@ -1,134 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit libtool multilib-minimal
-
-DESCRIPTION="A TLS 1.2 and SSL 3.0 implementation for the GNU project"
-HOMEPAGE="http://www.gnutls.org/"
-SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz"
-
-LICENSE="GPL-3 LGPL-2.1+"
-SLOT="0/30" # libgnutls.so number
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="+cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind"
-
-REQUIRED_USE="
- test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )"
-RESTRICT="!test? ( test )"
-
-# NOTICE: sys-devel/autogen is required at runtime as we
-# use system libopts
-RDEPEND=">=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}]
- dev-libs/libunistring:=[${MULTILIB_USEDEP}]
- >=dev-libs/nettle-3.4.1:=[gmp,${MULTILIB_USEDEP}]
- >=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}]
- tools? ( sys-devel/autogen:= )
- dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] )
- guile? ( >=dev-scheme/guile-2:=[networking] )
- nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] )
- pkcs11? ( >=app-crypt/p11-kit-0.23.1:=[${MULTILIB_USEDEP}] )
- idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
- test? (
- seccomp? ( sys-libs/libseccomp )
- )"
-BDEPEND=">=virtual/pkgconfig-0-r1
- doc? ( dev-util/gtk-doc )
- nls? ( sys-devel/gettext )
- tools? ( sys-devel/autogen )
- valgrind? ( dev-util/valgrind )
- test-full? (
- app-crypt/dieharder
- >=app-misc/datefudge-1.22
- dev-libs/softhsm:2[-bindist]
- net-dialup/ppp
- net-misc/socat
- )"
-
-DOCS=(
- README.md
- doc/certtool.cfg
-)
-
-HTML_DOCS=()
-
-PATCHES=( "${FILESDIR}"/${P}-handle-expired-root-certificates.patch )
-
-pkg_setup() {
- # bug#520818
- export TZ=UTC
-
- use doc && HTML_DOCS+=(
- doc/gnutls.html
- )
-}
-
-src_prepare() {
- default
-
- # force regeneration of autogen-ed files
- local file
- for file in $(grep -l AutoGen-ed src/*.c) ; do
- rm src/$(basename ${file} .c).{c,h} || die
- done
-
- # Use sane .so versioning on FreeBSD.
- elibtoolize
-}
-
-multilib_src_configure() {
- LINGUAS="${LINGUAS//en/en@boldquot en@quot}"
-
- local libconf=()
-
- # TPM needs to be tested before being enabled
- libconf+=( --without-tpm )
-
- # hardware-accell is disabled on OSX because the asm files force
- # GNU-stack (as doesn't support that) and when that's removed ld
- # complains about duplicate symbols
- [[ ${CHOST} == *-darwin* ]] && libconf+=( --disable-hardware-acceleration )
-
- # Cygwin as does not understand these asm files at all
- [[ ${CHOST} == *-cygwin* ]] && libconf+=( --disable-hardware-acceleration )
-
- local myeconfargs=(
- $(multilib_native_enable manpages)
- $(multilib_native_use_enable doc gtk-doc)
- $(multilib_native_use_enable doc)
- $(multilib_native_use_enable guile)
- $(multilib_native_use_enable seccomp seccomp-tests)
- $(multilib_native_use_enable test tests)
- $(multilib_native_use_enable test-full full-test-suite)
- $(multilib_native_use_enable tools)
- $(multilib_native_use_enable valgrind valgrind-tests)
- $(use_enable cxx)
- $(use_enable dane libdane)
- $(use_enable nls)
- $(use_enable openssl openssl-compatibility)
- $(use_enable sslv2 ssl2-support)
- $(use_enable sslv3 ssl3-support)
- $(use_enable static-libs static)
- $(use_enable tls-heartbeat heartbeat-support)
- $(use_with idn)
- $(use_with pkcs11 p11-kit)
- --disable-rpath
- --with-default-trust-store-file="${EPREFIX}/etc/ssl/certs/ca-certificates.crt"
- --with-unbound-root-key-file="${EPREFIX}/etc/dnssec/root-anchors.txt"
- --without-included-libtasn1
- $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
- )
- ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}"
-}
-
-multilib_src_install_all() {
- einstalldocs
- find "${ED}" -type f -name '*.la' -delete || die
-
- if use examples; then
- docinto examples
- dodoc doc/examples/*.c
- fi
-}