gentoo resync : 05.04.2019

1 files changed, 47 insertions, 0 deletions

diff --git a/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch
new file mode 100644
index 000000000000..2837420e0dc7
--- /dev/null
+++ b/dev-libs/xmlsec/files/xmlsec-1.2.27-gnutls.patch
@@ -0,0 +1,47 @@
+From 321e62add243cf8f024d6278da4c5ff030bae3b9 Mon Sep 17 00:00:00 2001
+From: Alon Bar-Lev <alon.barlev@gmail.com>
+Date: Mon, 1 Apr 2019 01:28:18 +0300
+Subject: [PATCH] gnutls: allow SHA-1 signed certificate when not in strict
+ checks (#250) (#251)
+
+This is required for gnutls-3.6.x.
+
+Allow tests to use no strict checks until all certificates will be converted
+to stronger signature than SHA-1.
+
+Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+---
+ src/gnutls/x509vfy.c | 3 +++
+ tests/testrun.sh     | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c
+index a9c956a3..4c753344 100644
+--- a/src/gnutls/x509vfy.c
++++ b/src/gnutls/x509vfy.c
+@@ -295,6 +295,9 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
+     if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) {
+         flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2;
+         flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
++#if GNUTLS_VERSION_NUMBER >= 0x030600
++        flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
++#endif
+     }
+ 
+     /* We are going to build all possible cert chains and try to verify them */
+diff --git a/tests/testrun.sh b/tests/testrun.sh
+index 02484d09..ea65802b 100755
+--- a/tests/testrun.sh
++++ b/tests/testrun.sh
+@@ -59,7 +59,7 @@ if [ "z$XMLSEC_DEFAULT_CRYPTO" != "z" ] ; then
+ elif [ "z$crypto" != "z" ] ; then
+     xmlsec_params="$xmlsec_params --crypto $crypto"
+ fi
+-xmlsec_params="$xmlsec_params --crypto-config $crypto_config"
++xmlsec_params="$xmlsec_params --X509-skip-strict-checks --crypto-config $crypto_config"
+ 
+ #
+ # Setup keys config
+-- 
+2.21.0
+