author | Leo <thinkabit.ukim@gmail.com> | 2020-06-03 14:08:03 -0300 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-06-05 00:29:55 +0000 |
commit | 184bdcdae88dadac240902be8a85c234a429d36c (patch) | |
tree | b0cec7f1e200be74f6d811df5211f2ea8a57b416 | |
parent | 89fa63d61b194d73d08e826584da04f61ac6ffef (diff) | |
main/gnutls: upgrade to 3.6.14
4 files changed, 7 insertions, 402 deletions
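diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD
index 10238cceb9..27e4b23a38 100644
--- a/main/gnutls/APKBUILD
+++ b/main/gnutls/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Michael Mason <ms13sp@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gnutls
-pkgver=3.6.13
-pkgrel=2
+pkgver=3.6.14
+pkgrel=0
 pkgdesc="A TLS protocol implementation"
 url="https://www.gnutls.org/"
 arch="all"
@@ -18,16 +18,12 @@ esac
 source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz
 tests-crq.patch
 tests-certtool.patch
-
-_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch
-x509-trigger-fallback-verification-path-when-cert-is-expired.patch
-tests-add-test-case-for-certificate-chain-superseding.patch
 "
 
-
-
 # Upstream Tracker: https://gnutls.org/security-new.html
 # secfixes:
+# 3.6.14-r0:
+# - GNUTLS-SA-2020-06-03
 # 3.6.13-r0:
 # - CVE-2020-11501 GNUTLS-SA-2020-03-31
 # 3.6.7-r0:
@@ -53,7 +49,7 @@ build() {
 }
 
 check() {
-make check
+make -j1 check
 }
 
 package() {
@@ -73,9 +69,6 @@ xx() {
 mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
 }
 
-sha512sums="23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c gnutls-3.6.13.tar.xz
+sha512sums="b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 gnutls-3.6.14.tar.xz
 3e7d872963cc25e49f1ecf98de7d6f3b6b22d2c1c9e982bc4b22ce658c11d8567903728e5aa33ce7b6d3e25fe0b7a75b8aca3e8f53838155af5abe23887d33fa tests-crq.patch
-30739b5ca06bb72e93d021065fbc90a1808c5fc139ff917308738456ae8601f5c372d223d77e51cdd34a6aa4d28dcb8140101c3f753ede1e39ee12e229c24cbe tests-certtool.patch
-0b781bac53fd9e39532ff839836f362bb873a67746e01e72c10e149b4d3c2b32a078a3f0bf0a8ec369afad71845cd85ed23f4ec4056d2f18435011bc8ffb3c36 _gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch
-7a183193cc6551699d204f66eb80470adeff350b3391e29c06f4f962eeae6da4c9c9adf29cce384e841583061736b727227c44bfe062a80ca2cebf5f08ea7cb7 x509-trigger-fallback-verification-path-when-cert-is-expired.patch
-e57a0029130648ba7b0b47942f0d7db91c20eadc234992a250fdd93659f4fdacdb0f81438bb5d27ebd32de99de4894e4ae79dd1253d753e8979e23b7e21654a0 tests-add-test-case-for-certificate-chain-superseding.patch"
+30739b5ca06bb72e93d021065fbc90a1808c5fc139ff917308738456ae8601f5c372d223d77e51cdd34a6aa4d28dcb8140101c3f753ede1e39ee12e229c24cbe tests-certtool.patch"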
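Review bot: The new secfixes entry in the second hunk (`# 3.6.14-r0:` / `# - GNUTLS-SA-2020-06-03`) records only the upstream advisory id, while the existing entry right below it pairs the CVE with the advisory (`# - CVE-2020-11501 GNUTLS-SA-2020-03-31`); as far as I know Alpine's secdb tooling and the scanners built on it match on CVE ids, so this fix will not be attributed to the vulnerability until one is listed. Suggest `# - CVE-<assigned id> GNUTLS-SA-2020-06-03`, filled in from the upstream tracker already linked above the block, or a follow-up commit once the id is known. The `make -j1 check` change in the third hunk also carries no explanation; a one-line comment above it stating why parallel execution of the test suite is disabled would keep a future maintainer from reverting it.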
diff --git a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch b/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch deleted file mode 100644 index 13d002a106..0000000000 --- a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch +++ /dev/null | |||
@@ -1,219 +0,0 @@ | |||
1 | From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daiki Ueno <ueno@gnu.org> | ||
3 | Date: Sun, 31 May 2020 12:39:14 +0200 | ||
4 | Subject: [PATCH] _gnutls_pkcs11_verify_crt_status: check validity against | ||
5 | system cert | ||
6 | |||
7 | To verify a certificate chain, this function replaces known | ||
8 | certificates with the ones in the system trust store if possible. | ||
9 | |||
10 | However, if it is found, the function checks the validity of the | ||
11 | original certificate rather than the certificate found in the trust | ||
12 | store. That reveals a problem in a scenario that (1) a certificate is | ||
13 | signed by multiple issuers and (2) one of the issuers' certificate has | ||
14 | expired and included in the input chain. | ||
15 | |||
16 | This patch makes it a little robuster by actually retrieving the | ||
17 | certificate from the trust store and perform check against it. | ||
18 | |||
19 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
20 | --- | ||
21 | lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- | ||
22 | lib/pkcs11_int.h | 5 +++ | ||
23 | lib/x509/verify.c | 7 +++- | ||
24 | 3 files changed, 80 insertions(+), 30 deletions(-) | ||
25 | |||
26 | diff --git a/lib/pkcs11.c b/lib/pkcs11.c | ||
27 | index fad16aaf4f..d8d4a65114 100644 | ||
28 | --- a/lib/pkcs11.c | ||
29 | +++ b/lib/pkcs11.c | ||
30 | @@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, | ||
31 | return ret; | ||
32 | } | ||
33 | |||
34 | -/** | ||
35 | - * gnutls_pkcs11_crt_is_known: | ||
36 | - * @url: A PKCS 11 url identifying a token | ||
37 | - * @cert: is the certificate to find issuer for | ||
38 | - * @issuer: Will hold the issuer if any in an allocated buffer. | ||
39 | - * @fmt: The format of the exported issuer. | ||
40 | - * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. | ||
41 | - * | ||
42 | - * This function will check whether the provided certificate is stored | ||
43 | - * in the specified token. This is useful in combination with | ||
44 | - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or | ||
45 | - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, | ||
46 | - * to check whether a CA is present or a certificate is blacklisted in | ||
47 | - * a trust PKCS #11 module. | ||
48 | - * | ||
49 | - * This function can be used with a @url of "pkcs11:", and in that case all modules | ||
50 | - * will be searched. To restrict the modules to the marked as trusted in p11-kit | ||
51 | - * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. | ||
52 | - * | ||
53 | - * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is | ||
54 | - * specific to p11-kit trust modules. | ||
55 | - * | ||
56 | - * Returns: If the certificate exists non-zero is returned, otherwise zero. | ||
57 | - * | ||
58 | - * Since: 3.3.0 | ||
59 | - **/ | ||
60 | -unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
61 | - unsigned int flags) | ||
62 | +unsigned | ||
63 | +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
64 | + unsigned int flags, | ||
65 | + gnutls_x509_crt_t *trusted_cert) | ||
66 | { | ||
67 | int ret; | ||
68 | struct find_cert_st priv; | ||
69 | @@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
70 | |||
71 | memset(&priv, 0, sizeof(priv)); | ||
72 | |||
73 | + if (trusted_cert) { | ||
74 | + ret = gnutls_pkcs11_obj_init(&priv.obj); | ||
75 | + if (ret < 0) { | ||
76 | + gnutls_assert(); | ||
77 | + goto cleanup; | ||
78 | + } | ||
79 | + priv.need_import = 1; | ||
80 | + } | ||
81 | + | ||
82 | if (url == NULL || url[0] == 0) { | ||
83 | url = "pkcs11:"; | ||
84 | } | ||
85 | @@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
86 | _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); | ||
87 | /* attempt searching with the subject DN only */ | ||
88 | gnutls_assert(); | ||
89 | + if (priv.obj) | ||
90 | + gnutls_pkcs11_obj_deinit(priv.obj); | ||
91 | gnutls_free(priv.serial.data); | ||
92 | memset(&priv, 0, sizeof(priv)); | ||
93 | + if (trusted_cert) { | ||
94 | + ret = gnutls_pkcs11_obj_init(&priv.obj); | ||
95 | + if (ret < 0) { | ||
96 | + gnutls_assert(); | ||
97 | + goto cleanup; | ||
98 | + } | ||
99 | + priv.need_import = 1; | ||
100 | + } | ||
101 | priv.crt = cert; | ||
102 | priv.flags = flags; | ||
103 | |||
104 | @@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
105 | goto cleanup; | ||
106 | } | ||
107 | |||
108 | + if (trusted_cert) { | ||
109 | + ret = gnutls_x509_crt_init(trusted_cert); | ||
110 | + if (ret < 0) { | ||
111 | + gnutls_assert(); | ||
112 | + ret = 0; | ||
113 | + goto cleanup; | ||
114 | + } | ||
115 | + ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); | ||
116 | + if (ret < 0) { | ||
117 | + gnutls_assert(); | ||
118 | + gnutls_x509_crt_deinit(*trusted_cert); | ||
119 | + ret = 0; | ||
120 | + goto cleanup; | ||
121 | + } | ||
122 | + } | ||
123 | ret = 1; | ||
124 | |||
125 | cleanup: | ||
126 | + if (priv.obj) | ||
127 | + gnutls_pkcs11_obj_deinit(priv.obj); | ||
128 | if (info) | ||
129 | p11_kit_uri_free(info); | ||
130 | gnutls_free(priv.serial.data); | ||
131 | @@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
132 | return ret; | ||
133 | } | ||
134 | |||
135 | +/** | ||
136 | + * gnutls_pkcs11_crt_is_known: | ||
137 | + * @url: A PKCS 11 url identifying a token | ||
138 | + * @cert: is the certificate to find issuer for | ||
139 | + * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. | ||
140 | + * | ||
141 | + * This function will check whether the provided certificate is stored | ||
142 | + * in the specified token. This is useful in combination with | ||
143 | + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or | ||
144 | + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, | ||
145 | + * to check whether a CA is present or a certificate is blacklisted in | ||
146 | + * a trust PKCS #11 module. | ||
147 | + * | ||
148 | + * This function can be used with a @url of "pkcs11:", and in that case all modules | ||
149 | + * will be searched. To restrict the modules to the marked as trusted in p11-kit | ||
150 | + * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. | ||
151 | + * | ||
152 | + * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is | ||
153 | + * specific to p11-kit trust modules. | ||
154 | + * | ||
155 | + * Returns: If the certificate exists non-zero is returned, otherwise zero. | ||
156 | + * | ||
157 | + * Since: 3.3.0 | ||
158 | + **/ | ||
159 | +unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
160 | + unsigned int flags) | ||
161 | +{ | ||
162 | + return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); | ||
163 | +} | ||
164 | + | ||
165 | /** | ||
166 | * gnutls_pkcs11_obj_get_flags: | ||
167 | * @obj: The pkcs11 object | ||
168 | diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h | ||
169 | index 9d88807098..86cce0dee5 100644 | ||
170 | --- a/lib/pkcs11_int.h | ||
171 | +++ b/lib/pkcs11_int.h | ||
172 | @@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) | ||
173 | return 0; | ||
174 | } | ||
175 | |||
176 | +unsigned | ||
177 | +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
178 | + unsigned int flags, | ||
179 | + gnutls_x509_crt_t *trusted_cert); | ||
180 | + | ||
181 | #endif /* ENABLE_PKCS11 */ | ||
182 | |||
183 | #endif /* GNUTLS_LIB_PKCS11_INT_H */ | ||
184 | diff --git a/lib/x509/verify.c b/lib/x509/verify.c | ||
185 | index d202670198..fd7c6a1642 100644 | ||
186 | --- a/lib/x509/verify.c | ||
187 | +++ b/lib/x509/verify.c | ||
188 | @@ -34,6 +34,7 @@ | ||
189 | #include <tls-sig.h> | ||
190 | #include <str.h> | ||
191 | #include <datum.h> | ||
192 | +#include <pkcs11_int.h> | ||
193 | #include <x509_int.h> | ||
194 | #include <common.h> | ||
195 | #include <pk.h> | ||
196 | @@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, | ||
197 | |||
198 | for (; i < clist_size; i++) { | ||
199 | unsigned vflags; | ||
200 | + gnutls_x509_crt_t trusted_cert; | ||
201 | |||
202 | if (i == 0) /* in the end certificate do full comparison */ | ||
203 | vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| | ||
204 | @@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, | ||
205 | vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| | ||
206 | GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; | ||
207 | |||
208 | - if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { | ||
209 | + if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { | ||
210 | |||
211 | - status |= check_ca_sanity(certificate_list[i], now, flags); | ||
212 | + status |= check_ca_sanity(trusted_cert, now, flags); | ||
213 | + gnutls_x509_crt_deinit(trusted_cert); | ||
214 | |||
215 | if (func) | ||
216 | func(certificate_list[i], | ||
217 | -- | ||
218 | 2.26.2 | ||
219 | |||
diff --git a/main/gnutls/tests-add-test-case-for-certificate-chain-superseding.patch b/main/gnutls/tests-add-test-case-for-certificate-chain-superseding.patch deleted file mode 100644 index 84867c3d37..0000000000 --- a/main/gnutls/tests-add-test-case-for-certificate-chain-superseding.patch +++ /dev/null | |||
@@ -1,128 +0,0 @@ | |||
1 | From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 | ||
2 | From: Daiki Ueno <ueno@gnu.org> | ||
3 | Date: Sun, 31 May 2020 14:28:48 +0200 | ||
4 | Subject: [PATCH] tests: add test case for certificate chain superseding | ||
5 | |||
6 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
7 | --- | ||
8 | tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ | ||
9 | 1 file changed, 97 insertions(+) | ||
10 | |||
11 | diff --git a/tests/test-chains.h b/tests/test-chains.h | ||
12 | index dd19e6a815..9b06b85f5f 100644 | ||
13 | --- a/tests/test-chains.h | ||
14 | +++ b/tests/test-chains.h | ||
15 | @@ -4010,6 +4010,102 @@ static const char *ed448[] = { | ||
16 | NULL | ||
17 | }; | ||
18 | |||
19 | +/* This contains an expired intermediate CA, which should be superseded. */ | ||
20 | +static const char *superseding[] = { | ||
21 | + "-----BEGIN CERTIFICATE-----" | ||
22 | + "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" | ||
23 | + "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" | ||
24 | + "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" | ||
25 | + "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" | ||
26 | + "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" | ||
27 | + "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" | ||
28 | + "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" | ||
29 | + "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" | ||
30 | + "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" | ||
31 | + "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" | ||
32 | + "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" | ||
33 | + "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" | ||
34 | + "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" | ||
35 | + "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" | ||
36 | + "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" | ||
37 | + "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" | ||
38 | + "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" | ||
39 | + "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" | ||
40 | + "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" | ||
41 | + "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" | ||
42 | + "-----END CERTIFICATE-----", | ||
43 | + "-----BEGIN CERTIFICATE-----" | ||
44 | + "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" | ||
45 | + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" | ||
46 | + "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" | ||
47 | + "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" | ||
48 | + "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" | ||
49 | + "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" | ||
50 | + "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" | ||
51 | + "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" | ||
52 | + "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" | ||
53 | + "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" | ||
54 | + "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" | ||
55 | + "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" | ||
56 | + "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" | ||
57 | + "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" | ||
58 | + "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" | ||
59 | + "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" | ||
60 | + "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" | ||
61 | + "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" | ||
62 | + "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" | ||
63 | + "iJwOKIk=" | ||
64 | + "-----END CERTIFICATE-----", | ||
65 | + NULL | ||
66 | +}; | ||
67 | + | ||
68 | +static const char *superseding_ca[] = { | ||
69 | + "-----BEGIN CERTIFICATE-----" | ||
70 | + "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" | ||
71 | + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" | ||
72 | + "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" | ||
73 | + "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" | ||
74 | + "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" | ||
75 | + "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" | ||
76 | + "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" | ||
77 | + "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" | ||
78 | + "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" | ||
79 | + "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" | ||
80 | + "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" | ||
81 | + "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" | ||
82 | + "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" | ||
83 | + "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" | ||
84 | + "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" | ||
85 | + "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" | ||
86 | + "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" | ||
87 | + "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" | ||
88 | + "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" | ||
89 | + "izchzb9eow==" | ||
90 | + "-----END CERTIFICATE-----", | ||
91 | + "-----BEGIN CERTIFICATE-----" | ||
92 | + "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" | ||
93 | + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" | ||
94 | + "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" | ||
95 | + "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" | ||
96 | + "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" | ||
97 | + "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" | ||
98 | + "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" | ||
99 | + "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" | ||
100 | + "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" | ||
101 | + "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" | ||
102 | + "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" | ||
103 | + "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" | ||
104 | + "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" | ||
105 | + "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" | ||
106 | + "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" | ||
107 | + "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" | ||
108 | + "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" | ||
109 | + "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" | ||
110 | + "eh1COrLsOJo+" | ||
111 | + "-----END CERTIFICATE-----", | ||
112 | + NULL | ||
113 | +}; | ||
114 | + | ||
115 | #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) | ||
116 | # pragma GCC diagnostic push | ||
117 | # pragma GCC diagnostic ignored "-Wunused-variable" | ||
118 | @@ -4178,6 +4274,7 @@ static struct | ||
119 | GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, | ||
120 | { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), | ||
121 | 0, NULL, 1584352960, 1}, | ||
122 | + { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, | ||
123 | { NULL, NULL, NULL, 0, 0} | ||
124 | }; | ||
125 | |||
126 | -- | ||
127 | 2.26.2 | ||
128 | |||
diff --git a/main/gnutls/x509-trigger-fallback-verification-path-when-cert-is-expired.patch b/main/gnutls/x509-trigger-fallback-verification-path-when-cert-is-expired.patch deleted file mode 100644 index 1bbbb92732..0000000000 --- a/main/gnutls/x509-trigger-fallback-verification-path-when-cert-is-expired.patch +++ /dev/null | |||
@@ -1,41 +0,0 @@ | |||
1 | From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 | ||
2 | From: Daiki Ueno <ueno@gnu.org> | ||
3 | Date: Sun, 31 May 2020 13:59:53 +0200 | ||
4 | Subject: [PATCH] x509: trigger fallback verification path when cert is expired | ||
5 | |||
6 | gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN | ||
7 | to trigger the fallback verification path if the signer of the last | ||
8 | certificate is not in the trust store. Previously, it doesn't take | ||
9 | into account of the condition where the certificate is expired. | ||
10 | |||
11 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
12 | --- | ||
13 | lib/x509/verify-high.c | 12 +++++++----- | ||
14 | 1 file changed, 7 insertions(+), 5 deletions(-) | ||
15 | |||
16 | diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c | ||
17 | index b1421ef17a..40638ad3aa 100644 | ||
18 | --- a/lib/x509/verify-high.c | ||
19 | +++ b/lib/x509/verify-high.c | ||
20 | @@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, | ||
21 | |||
22 | #define LAST_DN cert_list[cert_list_size-1]->raw_dn | ||
23 | #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn | ||
24 | -/* This macro is introduced to detect a verification output | ||
25 | - * which indicates an unknown signer, or a signer which uses | ||
26 | - * an insecure algorithm (e.g., sha1), something that indicates | ||
27 | - * a superseded signer */ | ||
28 | -#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) | ||
29 | +/* This macro is introduced to detect a verification output which | ||
30 | + * indicates an unknown signer, a signer which uses an insecure | ||
31 | + * algorithm (e.g., sha1), a signer has expired, or something that | ||
32 | + * indicates a superseded signer */ | ||
33 | +#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ | ||
34 | + (output & GNUTLS_CERT_EXPIRED) || \ | ||
35 | + (output & GNUTLS_CERT_INSECURE_ALGORITHM)) | ||
36 | #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) | ||
37 | |||
38 | /** | ||
39 | -- | ||
40 | 2.26.2 | ||
41 | |||