diff options
| author | Leo <thinkabit.ukim@gmail.com> | 2020-06-03 14:08:03 -0300 |
|---|---|---|
| committer | Leo <thinkabit.ukim@gmail.com> | 2020-06-05 00:29:55 +0000 |
| commit | 184bdcdae88dadac240902be8a85c234a429d36c (patch) | |
| tree | b0cec7f1e200be74f6d811df5211f2ea8a57b416 | |
| parent | 89fa63d61b194d73d08e826584da04f61ac6ffef (diff) | |
| download | alpine_aports-184bdcdae88dadac240902be8a85c234a429d36c.tar.bz2 alpine_aports-184bdcdae88dadac240902be8a85c234a429d36c.tar.xz alpine_aports-184bdcdae88dadac240902be8a85c234a429d36c.zip | |
main/gnutls: upgrade to 3.6.14
4 files changed, 7 insertions, 402 deletions
diff --git a/main/gnutls/APKBUILD b/main/gnutls/APKBUILD index 10238cceb9..27e4b23a38 100644 --- a/main/gnutls/APKBUILD +++ b/main/gnutls/APKBUILD | |||
| @@ -2,8 +2,8 @@ | |||
| 2 | # Contributor: Michael Mason <ms13sp@gmail.com> | 2 | # Contributor: Michael Mason <ms13sp@gmail.com> |
| 3 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 3 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
| 4 | pkgname=gnutls | 4 | pkgname=gnutls |
| 5 | pkgver=3.6.13 | 5 | pkgver=3.6.14 |
| 6 | pkgrel=2 | 6 | pkgrel=0 |
| 7 | pkgdesc="A TLS protocol implementation" | 7 | pkgdesc="A TLS protocol implementation" |
| 8 | url="https://www.gnutls.org/" | 8 | url="https://www.gnutls.org/" |
| 9 | arch="all" | 9 | arch="all" |
| @@ -18,16 +18,12 @@ esac | |||
| 18 | source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz | 18 | source="https://www.gnupg.org/ftp/gcrypt/gnutls/v$_v/gnutls-$pkgver.tar.xz |
| 19 | tests-crq.patch | 19 | tests-crq.patch |
| 20 | tests-certtool.patch | 20 | tests-certtool.patch |
| 21 | |||
| 22 | _gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch | ||
| 23 | x509-trigger-fallback-verification-path-when-cert-is-expired.patch | ||
| 24 | tests-add-test-case-for-certificate-chain-superseding.patch | ||
| 25 | " | 21 | " |
| 26 | 22 | ||
| 27 | |||
| 28 | |||
| 29 | # Upstream Tracker: https://gnutls.org/security-new.html | 23 | # Upstream Tracker: https://gnutls.org/security-new.html |
| 30 | # secfixes: | 24 | # secfixes: |
| 25 | # 3.6.14-r0: | ||
| 26 | # - GNUTLS-SA-2020-06-03 | ||
| 31 | # 3.6.13-r0: | 27 | # 3.6.13-r0: |
| 32 | # - CVE-2020-11501 GNUTLS-SA-2020-03-31 | 28 | # - CVE-2020-11501 GNUTLS-SA-2020-03-31 |
| 33 | # 3.6.7-r0: | 29 | # 3.6.7-r0: |
| @@ -53,7 +49,7 @@ build() { | |||
| 53 | } | 49 | } |
| 54 | 50 | ||
| 55 | check() { | 51 | check() { |
| 56 | make check | 52 | make -j1 check |
| 57 | } | 53 | } |
| 58 | 54 | ||
| 59 | package() { | 55 | package() { |
| @@ -73,9 +69,6 @@ xx() { | |||
| 73 | mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/ | 69 | mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/ |
| 74 | } | 70 | } |
| 75 | 71 | ||
| 76 | sha512sums="23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c gnutls-3.6.13.tar.xz | 72 | sha512sums="b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 gnutls-3.6.14.tar.xz |
| 77 | 3e7d872963cc25e49f1ecf98de7d6f3b6b22d2c1c9e982bc4b22ce658c11d8567903728e5aa33ce7b6d3e25fe0b7a75b8aca3e8f53838155af5abe23887d33fa tests-crq.patch | 73 | 3e7d872963cc25e49f1ecf98de7d6f3b6b22d2c1c9e982bc4b22ce658c11d8567903728e5aa33ce7b6d3e25fe0b7a75b8aca3e8f53838155af5abe23887d33fa tests-crq.patch |
| 78 | 30739b5ca06bb72e93d021065fbc90a1808c5fc139ff917308738456ae8601f5c372d223d77e51cdd34a6aa4d28dcb8140101c3f753ede1e39ee12e229c24cbe tests-certtool.patch | 74 | 30739b5ca06bb72e93d021065fbc90a1808c5fc139ff917308738456ae8601f5c372d223d77e51cdd34a6aa4d28dcb8140101c3f753ede1e39ee12e229c24cbe tests-certtool.patch" |
| 79 | 0b781bac53fd9e39532ff839836f362bb873a67746e01e72c10e149b4d3c2b32a078a3f0bf0a8ec369afad71845cd85ed23f4ec4056d2f18435011bc8ffb3c36 _gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch | ||
| 80 | 7a183193cc6551699d204f66eb80470adeff350b3391e29c06f4f962eeae6da4c9c9adf29cce384e841583061736b727227c44bfe062a80ca2cebf5f08ea7cb7 x509-trigger-fallback-verification-path-when-cert-is-expired.patch | ||
| 81 | e57a0029130648ba7b0b47942f0d7db91c20eadc234992a250fdd93659f4fdacdb0f81438bb5d27ebd32de99de4894e4ae79dd1253d753e8979e23b7e21654a0 tests-add-test-case-for-certificate-chain-superseding.patch" | ||
diff --git a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch b/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch deleted file mode 100644 index 13d002a106..0000000000 --- a/main/gnutls/_gnutls_pkcs11_verify_crt_status-check-validity-against-system-cert.patch +++ /dev/null | |||
| @@ -1,219 +0,0 @@ | |||
| 1 | From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daiki Ueno <ueno@gnu.org> | ||
| 3 | Date: Sun, 31 May 2020 12:39:14 +0200 | ||
| 4 | Subject: [PATCH] _gnutls_pkcs11_verify_crt_status: check validity against | ||
| 5 | system cert | ||
| 6 | |||
| 7 | To verify a certificate chain, this function replaces known | ||
| 8 | certificates with the ones in the system trust store if possible. | ||
| 9 | |||
| 10 | However, if it is found, the function checks the validity of the | ||
| 11 | original certificate rather than the certificate found in the trust | ||
| 12 | store. That reveals a problem in a scenario that (1) a certificate is | ||
| 13 | signed by multiple issuers and (2) one of the issuers' certificate has | ||
| 14 | expired and included in the input chain. | ||
| 15 | |||
| 16 | This patch makes it a little robuster by actually retrieving the | ||
| 17 | certificate from the trust store and perform check against it. | ||
| 18 | |||
| 19 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
| 20 | --- | ||
| 21 | lib/pkcs11.c | 98 +++++++++++++++++++++++++++++++++-------------- | ||
| 22 | lib/pkcs11_int.h | 5 +++ | ||
| 23 | lib/x509/verify.c | 7 +++- | ||
| 24 | 3 files changed, 80 insertions(+), 30 deletions(-) | ||
| 25 | |||
| 26 | diff --git a/lib/pkcs11.c b/lib/pkcs11.c | ||
| 27 | index fad16aaf4f..d8d4a65114 100644 | ||
| 28 | --- a/lib/pkcs11.c | ||
| 29 | +++ b/lib/pkcs11.c | ||
| 30 | @@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url, | ||
| 31 | return ret; | ||
| 32 | } | ||
| 33 | |||
| 34 | -/** | ||
| 35 | - * gnutls_pkcs11_crt_is_known: | ||
| 36 | - * @url: A PKCS 11 url identifying a token | ||
| 37 | - * @cert: is the certificate to find issuer for | ||
| 38 | - * @issuer: Will hold the issuer if any in an allocated buffer. | ||
| 39 | - * @fmt: The format of the exported issuer. | ||
| 40 | - * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. | ||
| 41 | - * | ||
| 42 | - * This function will check whether the provided certificate is stored | ||
| 43 | - * in the specified token. This is useful in combination with | ||
| 44 | - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or | ||
| 45 | - * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, | ||
| 46 | - * to check whether a CA is present or a certificate is blacklisted in | ||
| 47 | - * a trust PKCS #11 module. | ||
| 48 | - * | ||
| 49 | - * This function can be used with a @url of "pkcs11:", and in that case all modules | ||
| 50 | - * will be searched. To restrict the modules to the marked as trusted in p11-kit | ||
| 51 | - * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. | ||
| 52 | - * | ||
| 53 | - * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is | ||
| 54 | - * specific to p11-kit trust modules. | ||
| 55 | - * | ||
| 56 | - * Returns: If the certificate exists non-zero is returned, otherwise zero. | ||
| 57 | - * | ||
| 58 | - * Since: 3.3.0 | ||
| 59 | - **/ | ||
| 60 | -unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
| 61 | - unsigned int flags) | ||
| 62 | +unsigned | ||
| 63 | +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
| 64 | + unsigned int flags, | ||
| 65 | + gnutls_x509_crt_t *trusted_cert) | ||
| 66 | { | ||
| 67 | int ret; | ||
| 68 | struct find_cert_st priv; | ||
| 69 | @@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
| 70 | |||
| 71 | memset(&priv, 0, sizeof(priv)); | ||
| 72 | |||
| 73 | + if (trusted_cert) { | ||
| 74 | + ret = gnutls_pkcs11_obj_init(&priv.obj); | ||
| 75 | + if (ret < 0) { | ||
| 76 | + gnutls_assert(); | ||
| 77 | + goto cleanup; | ||
| 78 | + } | ||
| 79 | + priv.need_import = 1; | ||
| 80 | + } | ||
| 81 | + | ||
| 82 | if (url == NULL || url[0] == 0) { | ||
| 83 | url = "pkcs11:"; | ||
| 84 | } | ||
| 85 | @@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
| 86 | _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"); | ||
| 87 | /* attempt searching with the subject DN only */ | ||
| 88 | gnutls_assert(); | ||
| 89 | + if (priv.obj) | ||
| 90 | + gnutls_pkcs11_obj_deinit(priv.obj); | ||
| 91 | gnutls_free(priv.serial.data); | ||
| 92 | memset(&priv, 0, sizeof(priv)); | ||
| 93 | + if (trusted_cert) { | ||
| 94 | + ret = gnutls_pkcs11_obj_init(&priv.obj); | ||
| 95 | + if (ret < 0) { | ||
| 96 | + gnutls_assert(); | ||
| 97 | + goto cleanup; | ||
| 98 | + } | ||
| 99 | + priv.need_import = 1; | ||
| 100 | + } | ||
| 101 | priv.crt = cert; | ||
| 102 | priv.flags = flags; | ||
| 103 | |||
| 104 | @@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
| 105 | goto cleanup; | ||
| 106 | } | ||
| 107 | |||
| 108 | + if (trusted_cert) { | ||
| 109 | + ret = gnutls_x509_crt_init(trusted_cert); | ||
| 110 | + if (ret < 0) { | ||
| 111 | + gnutls_assert(); | ||
| 112 | + ret = 0; | ||
| 113 | + goto cleanup; | ||
| 114 | + } | ||
| 115 | + ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj); | ||
| 116 | + if (ret < 0) { | ||
| 117 | + gnutls_assert(); | ||
| 118 | + gnutls_x509_crt_deinit(*trusted_cert); | ||
| 119 | + ret = 0; | ||
| 120 | + goto cleanup; | ||
| 121 | + } | ||
| 122 | + } | ||
| 123 | ret = 1; | ||
| 124 | |||
| 125 | cleanup: | ||
| 126 | + if (priv.obj) | ||
| 127 | + gnutls_pkcs11_obj_deinit(priv.obj); | ||
| 128 | if (info) | ||
| 129 | p11_kit_uri_free(info); | ||
| 130 | gnutls_free(priv.serial.data); | ||
| 131 | @@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
| 132 | return ret; | ||
| 133 | } | ||
| 134 | |||
| 135 | +/** | ||
| 136 | + * gnutls_pkcs11_crt_is_known: | ||
| 137 | + * @url: A PKCS 11 url identifying a token | ||
| 138 | + * @cert: is the certificate to find issuer for | ||
| 139 | + * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG. | ||
| 140 | + * | ||
| 141 | + * This function will check whether the provided certificate is stored | ||
| 142 | + * in the specified token. This is useful in combination with | ||
| 143 | + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or | ||
| 144 | + * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED, | ||
| 145 | + * to check whether a CA is present or a certificate is blacklisted in | ||
| 146 | + * a trust PKCS #11 module. | ||
| 147 | + * | ||
| 148 | + * This function can be used with a @url of "pkcs11:", and in that case all modules | ||
| 149 | + * will be searched. To restrict the modules to the marked as trusted in p11-kit | ||
| 150 | + * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag. | ||
| 151 | + * | ||
| 152 | + * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is | ||
| 153 | + * specific to p11-kit trust modules. | ||
| 154 | + * | ||
| 155 | + * Returns: If the certificate exists non-zero is returned, otherwise zero. | ||
| 156 | + * | ||
| 157 | + * Since: 3.3.0 | ||
| 158 | + **/ | ||
| 159 | +unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
| 160 | + unsigned int flags) | ||
| 161 | +{ | ||
| 162 | + return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL); | ||
| 163 | +} | ||
| 164 | + | ||
| 165 | /** | ||
| 166 | * gnutls_pkcs11_obj_get_flags: | ||
| 167 | * @obj: The pkcs11 object | ||
| 168 | diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h | ||
| 169 | index 9d88807098..86cce0dee5 100644 | ||
| 170 | --- a/lib/pkcs11_int.h | ||
| 171 | +++ b/lib/pkcs11_int.h | ||
| 172 | @@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url) | ||
| 173 | return 0; | ||
| 174 | } | ||
| 175 | |||
| 176 | +unsigned | ||
| 177 | +_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert, | ||
| 178 | + unsigned int flags, | ||
| 179 | + gnutls_x509_crt_t *trusted_cert); | ||
| 180 | + | ||
| 181 | #endif /* ENABLE_PKCS11 */ | ||
| 182 | |||
| 183 | #endif /* GNUTLS_LIB_PKCS11_INT_H */ | ||
| 184 | diff --git a/lib/x509/verify.c b/lib/x509/verify.c | ||
| 185 | index d202670198..fd7c6a1642 100644 | ||
| 186 | --- a/lib/x509/verify.c | ||
| 187 | +++ b/lib/x509/verify.c | ||
| 188 | @@ -34,6 +34,7 @@ | ||
| 189 | #include <tls-sig.h> | ||
| 190 | #include <str.h> | ||
| 191 | #include <datum.h> | ||
| 192 | +#include <pkcs11_int.h> | ||
| 193 | #include <x509_int.h> | ||
| 194 | #include <common.h> | ||
| 195 | #include <pk.h> | ||
| 196 | @@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url, | ||
| 197 | |||
| 198 | for (; i < clist_size; i++) { | ||
| 199 | unsigned vflags; | ||
| 200 | + gnutls_x509_crt_t trusted_cert; | ||
| 201 | |||
| 202 | if (i == 0) /* in the end certificate do full comparison */ | ||
| 203 | vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| | ||
| 204 | @@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url, | ||
| 205 | vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE| | ||
| 206 | GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED; | ||
| 207 | |||
| 208 | - if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) { | ||
| 209 | + if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) { | ||
| 210 | |||
| 211 | - status |= check_ca_sanity(certificate_list[i], now, flags); | ||
| 212 | + status |= check_ca_sanity(trusted_cert, now, flags); | ||
| 213 | + gnutls_x509_crt_deinit(trusted_cert); | ||
| 214 | |||
| 215 | if (func) | ||
| 216 | func(certificate_list[i], | ||
| 217 | -- | ||
| 218 | 2.26.2 | ||
| 219 | |||
diff --git a/main/gnutls/tests-add-test-case-for-certificate-chain-superseding.patch b/main/gnutls/tests-add-test-case-for-certificate-chain-superseding.patch deleted file mode 100644 index 84867c3d37..0000000000 --- a/main/gnutls/tests-add-test-case-for-certificate-chain-superseding.patch +++ /dev/null | |||
| @@ -1,128 +0,0 @@ | |||
| 1 | From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daiki Ueno <ueno@gnu.org> | ||
| 3 | Date: Sun, 31 May 2020 14:28:48 +0200 | ||
| 4 | Subject: [PATCH] tests: add test case for certificate chain superseding | ||
| 5 | |||
| 6 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
| 7 | --- | ||
| 8 | tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++ | ||
| 9 | 1 file changed, 97 insertions(+) | ||
| 10 | |||
| 11 | diff --git a/tests/test-chains.h b/tests/test-chains.h | ||
| 12 | index dd19e6a815..9b06b85f5f 100644 | ||
| 13 | --- a/tests/test-chains.h | ||
| 14 | +++ b/tests/test-chains.h | ||
| 15 | @@ -4010,6 +4010,102 @@ static const char *ed448[] = { | ||
| 16 | NULL | ||
| 17 | }; | ||
| 18 | |||
| 19 | +/* This contains an expired intermediate CA, which should be superseded. */ | ||
| 20 | +static const char *superseding[] = { | ||
| 21 | + "-----BEGIN CERTIFICATE-----" | ||
| 22 | + "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" | ||
| 23 | + "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" | ||
| 24 | + "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" | ||
| 25 | + "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" | ||
| 26 | + "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" | ||
| 27 | + "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" | ||
| 28 | + "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" | ||
| 29 | + "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" | ||
| 30 | + "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" | ||
| 31 | + "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" | ||
| 32 | + "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" | ||
| 33 | + "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" | ||
| 34 | + "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" | ||
| 35 | + "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" | ||
| 36 | + "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" | ||
| 37 | + "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" | ||
| 38 | + "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" | ||
| 39 | + "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" | ||
| 40 | + "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" | ||
| 41 | + "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" | ||
| 42 | + "-----END CERTIFICATE-----", | ||
| 43 | + "-----BEGIN CERTIFICATE-----" | ||
| 44 | + "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" | ||
| 45 | + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" | ||
| 46 | + "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" | ||
| 47 | + "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" | ||
| 48 | + "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" | ||
| 49 | + "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" | ||
| 50 | + "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" | ||
| 51 | + "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" | ||
| 52 | + "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" | ||
| 53 | + "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" | ||
| 54 | + "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" | ||
| 55 | + "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" | ||
| 56 | + "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" | ||
| 57 | + "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" | ||
| 58 | + "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" | ||
| 59 | + "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" | ||
| 60 | + "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" | ||
| 61 | + "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" | ||
| 62 | + "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" | ||
| 63 | + "iJwOKIk=" | ||
| 64 | + "-----END CERTIFICATE-----", | ||
| 65 | + NULL | ||
| 66 | +}; | ||
| 67 | + | ||
| 68 | +static const char *superseding_ca[] = { | ||
| 69 | + "-----BEGIN CERTIFICATE-----" | ||
| 70 | + "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" | ||
| 71 | + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" | ||
| 72 | + "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" | ||
| 73 | + "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" | ||
| 74 | + "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" | ||
| 75 | + "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" | ||
| 76 | + "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" | ||
| 77 | + "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" | ||
| 78 | + "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" | ||
| 79 | + "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" | ||
| 80 | + "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" | ||
| 81 | + "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" | ||
| 82 | + "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" | ||
| 83 | + "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" | ||
| 84 | + "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" | ||
| 85 | + "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" | ||
| 86 | + "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" | ||
| 87 | + "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" | ||
| 88 | + "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" | ||
| 89 | + "izchzb9eow==" | ||
| 90 | + "-----END CERTIFICATE-----", | ||
| 91 | + "-----BEGIN CERTIFICATE-----" | ||
| 92 | + "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" | ||
| 93 | + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" | ||
| 94 | + "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" | ||
| 95 | + "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" | ||
| 96 | + "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" | ||
| 97 | + "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" | ||
| 98 | + "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" | ||
| 99 | + "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" | ||
| 100 | + "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" | ||
| 101 | + "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" | ||
| 102 | + "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" | ||
| 103 | + "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" | ||
| 104 | + "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" | ||
| 105 | + "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" | ||
| 106 | + "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" | ||
| 107 | + "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" | ||
| 108 | + "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" | ||
| 109 | + "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" | ||
| 110 | + "eh1COrLsOJo+" | ||
| 111 | + "-----END CERTIFICATE-----", | ||
| 112 | + NULL | ||
| 113 | +}; | ||
| 114 | + | ||
| 115 | #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) | ||
| 116 | # pragma GCC diagnostic push | ||
| 117 | # pragma GCC diagnostic ignored "-Wunused-variable" | ||
| 118 | @@ -4178,6 +4274,7 @@ static struct | ||
| 119 | GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, | ||
| 120 | { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), | ||
| 121 | 0, NULL, 1584352960, 1}, | ||
| 122 | + { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, | ||
| 123 | { NULL, NULL, NULL, 0, 0} | ||
| 124 | }; | ||
| 125 | |||
| 126 | -- | ||
| 127 | 2.26.2 | ||
| 128 | |||
diff --git a/main/gnutls/x509-trigger-fallback-verification-path-when-cert-is-expired.patch b/main/gnutls/x509-trigger-fallback-verification-path-when-cert-is-expired.patch deleted file mode 100644 index 1bbbb92732..0000000000 --- a/main/gnutls/x509-trigger-fallback-verification-path-when-cert-is-expired.patch +++ /dev/null | |||
| @@ -1,41 +0,0 @@ | |||
| 1 | From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Daiki Ueno <ueno@gnu.org> | ||
| 3 | Date: Sun, 31 May 2020 13:59:53 +0200 | ||
| 4 | Subject: [PATCH] x509: trigger fallback verification path when cert is expired | ||
| 5 | |||
| 6 | gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN | ||
| 7 | to trigger the fallback verification path if the signer of the last | ||
| 8 | certificate is not in the trust store. Previously, it doesn't take | ||
| 9 | into account of the condition where the certificate is expired. | ||
| 10 | |||
| 11 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
| 12 | --- | ||
| 13 | lib/x509/verify-high.c | 12 +++++++----- | ||
| 14 | 1 file changed, 7 insertions(+), 5 deletions(-) | ||
| 15 | |||
| 16 | diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c | ||
| 17 | index b1421ef17a..40638ad3aa 100644 | ||
| 18 | --- a/lib/x509/verify-high.c | ||
| 19 | +++ b/lib/x509/verify-high.c | ||
| 20 | @@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, | ||
| 21 | |||
| 22 | #define LAST_DN cert_list[cert_list_size-1]->raw_dn | ||
| 23 | #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn | ||
| 24 | -/* This macro is introduced to detect a verification output | ||
| 25 | - * which indicates an unknown signer, or a signer which uses | ||
| 26 | - * an insecure algorithm (e.g., sha1), something that indicates | ||
| 27 | - * a superseded signer */ | ||
| 28 | -#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM)) | ||
| 29 | +/* This macro is introduced to detect a verification output which | ||
| 30 | + * indicates an unknown signer, a signer which uses an insecure | ||
| 31 | + * algorithm (e.g., sha1), a signer has expired, or something that | ||
| 32 | + * indicates a superseded signer */ | ||
| 33 | +#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \ | ||
| 34 | + (output & GNUTLS_CERT_EXPIRED) || \ | ||
| 35 | + (output & GNUTLS_CERT_INSECURE_ALGORITHM)) | ||
| 36 | #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND)) | ||
| 37 | |||
| 38 | /** | ||
| 39 | -- | ||
| 40 | 2.26.2 | ||
| 41 | |||