From cb4678361a0cf41a886153ae23075bf6ba902071 Mon Sep 17 00:00:00 2001 From: Florian Brandes Date: Tue, 14 May 2024 22:03:13 +0200 Subject: [PATCH] gnutls: fix an upstream regression in RSA certificates The update to 3.8.5 involved adding a feature to conditionally disable RSAES-PKCS1-v1.5 [1]. It was intended to be turned on by default [2], but failed [3]. Therefore it is disabled, which in turn throws a new error: "Fatal error: The encryption algorithm is not supported". (error 113). This can have severe implications, as for example Lets Encrypt signed RSA certificates aren't trusted anymore. This commit fetches the upstream patch, which hasn't been included in 3.8.5 [1]: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828 [2]: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828/diffs#cd5a2ba3b145c1bd292e027ef84c618b6b7fb895_267_274 [3]: https://gitlab.com/gnutls/gnutls/-/issues/1540 Signed-off-by: Florian Brandes --- pkgs/development/libraries/gnutls/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix index 13bdb921ef71d..b527c0d3c3331 100644 --- a/pkgs/development/libraries/gnutls/default.nix +++ b/pkgs/development/libraries/gnutls/default.nix @@ -85,6 +85,16 @@ stdenv.mkDerivation rec { revert = true; hash = "sha256-r/+Gmwqy0Yc1LHL/PdPLXlErUBC5JxquLzCBAN3LuRM="; }) + # Makes the system-wide configuration for RSAES-PKCS1-v1_5 actually apply + # and makes it enabled by default when the config file is missing + # Without this an error 113 is thrown when using some RSA certificates + # see https://gitlab.com/gnutls/gnutls/-/issues/1540 + # "This is pretty sever[e], since it breaks on letsencrypt-issued RSA keys." (comment from above issue) + (fetchpatch2 { + name = "fix-rsaes-pkcs1-v1_5-system-wide-configuration.patch"; + url = "https://gitlab.com/gnutls/gnutls/-/commit/2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d.diff"; + hash = "sha256-2aWcLff9jzJnY+XSqCIaK/zdwSLwkNlfDeMlWyRShN8="; + }) ]; # Skip some tests: