diff options
| author |   Alon Bar-Lev <alonbl@gentoo.org> | 2019-04-01 07:09:15 +0300 |
|---|---|---|
| committer | Alon Bar-Lev <alonbl@gentoo.org> | 2019-04-01 07:11:49 +0300 |
| commit | 4ee1e630aca57b00bfaaa1e1b1c8921c4a6e25b5 (patch) | |
| tree | 9b093665b327edcfd325f64cbacc5f7347ffed1e /dev-libs/xmlsec/files | |
| parent | app-misc/skim: bump to 0.6.5 (diff) | |
| download | gentoo-4ee1e630aca57b00bfaaa1e1b1c8921c4a6e25b5.tar.gz gentoo-4ee1e630aca57b00bfaaa1e1b1c8921c4a6e25b5.tar.bz2 gentoo-4ee1e630aca57b00bfaaa1e1b1c8921c4a6e25b5.zip | |
dev-libs/xmlsec: support SHA-1 signed certificates with gnutls-3.6
Signed-off-by: Alon Bar-Lev <alonbl@gentoo.org>
Package-Manager: Portage-2.3.62, Repoman-2.3.11
RepoMan-Options: --force
Diffstat (limited to 'dev-libs/xmlsec/files')
| -rw-r--r-- | dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch new file mode 100644 index 000000000000..2837420e0dc7 --- /dev/null +++ b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch @@ -0,0 +1,47 @@ +From 321e62add243cf8f024d6278da4c5ff030bae3b9 Mon Sep 17 00:00:00 2001 +From: Alon Bar-Lev <alon.barlev@gmail.com> +Date: Mon, 1 Apr 2019 01:28:18 +0300 +Subject: [PATCH] gnutls: allow SHA-1 signed certificate when not in strict + checks (#250) (#251) + +This is required for gnutls-3.6.x. + +Allow tests to use no strict checks until all certificates will be converted +to stronger signature than SHA-1. + +Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> +--- + src/gnutls/x509vfy.c | 3 +++ + tests/testrun.sh | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c +index a9c956a3..4c753344 100644 +--- a/src/gnutls/x509vfy.c ++++ b/src/gnutls/x509vfy.c +@@ -295,6 +295,9 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store, + if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) { + flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2; + flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; ++#if GNUTLS_VERSION_NUMBER >= 0x030600 ++ flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1; ++#endif + } + + /* We are going to build all possible cert chains and try to verify them */ +diff --git a/tests/testrun.sh b/tests/testrun.sh +index 02484d09..ea65802b 100755 +--- a/tests/testrun.sh ++++ b/tests/testrun.sh +@@ -59,7 +59,7 @@ if [ "z$XMLSEC_DEFAULT_CRYPTO" != "z" ] ; then + elif [ "z$crypto" != "z" ] ; then + xmlsec_params="$xmlsec_params --crypto $crypto" + fi +-xmlsec_params="$xmlsec_params --crypto-config $crypto_config" ++xmlsec_params="$xmlsec_params --X509-skip-strict-checks --crypto-config $crypto_config" + + # + # Setup keys config +-- +2.21.0 + |