Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libressl for openSUSE:Factory checked in at 2021-02-15 23:18:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libressl (Old) and /work/SRC/openSUSE:Factory/.libressl.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libressl" Mon Feb 15 23:18:36 2021 rev:55 rq:871658 version:3.2.4 Changes: -------- --- /work/SRC/openSUSE:Factory/libressl/libressl.changes 2020-12-10 18:20:00.991101754 +0100 +++ /work/SRC/openSUSE:Factory/.libressl.new.28504/libressl.changes 2021-02-15 23:20:51.835804773 +0100 @@ -1,0 +2,14 @@ +Sat Feb 13 11:46:09 UTC 2021 - Jan Engelhardt <[email protected]> + +- Update to release 3.2.4 + * Switch back to certificate verification code from LibreSSL + 3.1.x. The new verifier is not bug compatible with the old + verifier causing issues with applications expecting behavior + of the old verifier. + * Unbreak DTLS retransmissions for flights that include a CCS. + * Implement autochain for the TLSv1.3 server. + * Use the legacy verifier for autochain. + * Implement exporter for TLSv1.3. + * Plug leak in x509_verify_chain_dup(). + +------------------------------------------------------------------- Old: ---- libressl-3.2.3.tar.gz libressl-3.2.3.tar.gz.asc New: ---- libressl-3.2.4.tar.gz libressl-3.2.4.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libressl.spec ++++++ --- /var/tmp/diff_new_pack.3Pdyby/_old 2021-02-15 23:20:52.723806100 +0100 +++ /var/tmp/diff_new_pack.3Pdyby/_new 2021-02-15 23:20:52.727806106 +0100 @@ -17,7 +17,7 @@ Name: libressl -Version: 3.2.3 +Version: 3.2.4 Release: 0 Summary: An SSL/TLS protocol implementation License: OpenSSL @@ -116,7 +116,7 @@ autoreconf -fi # Some smart people broke disable-static %configure --enable-libtls -make %{?_smp_mflags} +%make_build %install b="%buildroot" 
@@ -125,6 +125,10 @@ for i in "$b/%_mandir"/man*; do pushd "$i" for j in *.*; do + if [ -L "$j" ]; then + target=$(readlink "$j") + ln -fs "${target}ssl" "$j" + fi mv "$j" "${j}ssl" done popd ++++++ libressl-3.2.3.tar.gz -> libressl-3.2.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ChangeLog new/libressl-3.2.4/ChangeLog --- old/libressl-3.2.3/ChangeLog 2020-12-08 18:06:16.000000000 +0100 +++ new/libressl-3.2.4/ChangeLog 2021-02-07 17:24:19.000000000 +0100 @@ -28,6 +28,28 @@ LibreSSL Portable Release Notes: +3.2.4 - Bug and interoperability fixes + + * Switch back to certificate verification code from LibreSSL 3.1.x. The + new verifier is not bug compatible with the old verifier causing issues + with applications expecting behavior of the old verifier. + + * Unbreak DTLS retransmissions for flights that include a CCS + + * Only check BIO_should_read() on read and BIO_should_write() on write + + * Implement autochain for the TLSv1.3 server + + * Use the legacy verifier for autochain + + * Implement exporter for TLSv1.3 + + * Free alert_data and phh_data in tls13_record_layer_free() + + * Plug leak in x509_verify_chain_dup() + + * Free the policy tree in x509_vfy_check_policy() + 3.2.3 - Security fix * Malformed ASN.1 in a certificate revocation list or a timestamp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/Makefile.in new/libressl-3.2.4/Makefile.in --- old/libressl-3.2.3/Makefile.in 2020-12-08 18:09:52.000000000 +0100 +++ new/libressl-3.2.4/Makefile.in 2021-02-07 17:25:23.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. 
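Review bot: The symlink branch added to the man-page loop rewrites every link to `"${target}ssl"` without checking that the target is one of the files this loop renames, so a link whose target is missing or does not match `*.*` ends up dangling in the package. The output of `readlink` is also used unchecked. A cheap guard is to fail the build if any broken link remains once the loops finish, e.g. `if [ -n "$(find "$b/%_mandir" -xtype l)" ]; then exit 1; fi` (GNU find). The `%install` section continues outside this hunk.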
@@ -237,6 +237,8 @@ DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best DIST_TARGETS = dist-gzip +# Exists only to be overridden by the user if desired. +AM_DISTCHECK_DVI_TARGET = dvi distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' @@ -699,7 +701,7 @@ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/VERSION new/libressl-3.2.4/VERSION --- old/libressl-3.2.3/VERSION 2020-12-08 18:09:01.000000000 +0100 +++ new/libressl-3.2.4/VERSION 2021-02-07 17:24:33.000000000 +0100 @@ -1,2 +1,2 @@ -3.2.3 +3.2.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/aclocal.m4 new/libressl-3.2.4/aclocal.m4 --- old/libressl-3.2.3/aclocal.m4 2020-12-08 18:09:49.000000000 +0100 +++ new/libressl-3.2.4/aclocal.m4 2021-02-07 17:25:20.000000000 +0100 @@ -1,4 +1,4 @@ -# generated automatically by aclocal 1.16.2 -*- Autoconf -*- +# generated automatically by aclocal 1.16.3 -*- Autoconf -*- # Copyright (C) 1996-2020 Free Software Foundation, Inc. @@ -35,7 +35,7 @@ [am__api_version='1.16' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.16.2], [], +m4_if([$1], [1.16.3], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) 
@@ -51,7 +51,7 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.16.2])dnl +[AM_AUTOMAKE_VERSION([1.16.3])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) @@ -723,12 +723,7 @@ [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([missing])dnl if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/apps/Makefile.in new/libressl-3.2.4/apps/Makefile.in --- old/libressl-3.2.3/apps/Makefile.in 2020-12-08 18:09:52.000000000 +0100 +++ new/libressl-3.2.4/apps/Makefile.in 2021-02-07 17:25:23.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/apps/nc/Makefile.in new/libressl-3.2.4/apps/nc/Makefile.in --- old/libressl-3.2.3/apps/nc/Makefile.in 2020-12-08 18:09:52.000000000 +0100 +++ new/libressl-3.2.4/apps/nc/Makefile.in 2021-02-07 17:25:23.000000000 +0100 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/apps/ocspcheck/Makefile.in new/libressl-3.2.4/apps/ocspcheck/Makefile.in --- old/libressl-3.2.3/apps/ocspcheck/Makefile.in 2020-12-08 18:09:52.000000000 +0100 +++ new/libressl-3.2.4/apps/ocspcheck/Makefile.in 2021-02-07 17:25:23.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/apps/openssl/Makefile.in new/libressl-3.2.4/apps/openssl/Makefile.in --- old/libressl-3.2.3/apps/openssl/Makefile.in 2020-12-08 18:09:53.000000000 +0100 +++ new/libressl-3.2.4/apps/openssl/Makefile.in 2021-02-07 17:25:24.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/configure new/libressl-3.2.4/configure --- old/libressl-3.2.3/configure 2020-12-08 18:09:51.000000000 +0100 +++ new/libressl-3.2.4/configure 2021-02-07 17:25:22.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libressl 3.2.3. +# Generated by GNU Autoconf 2.69 for libressl 3.2.4. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. 
@@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='libressl' PACKAGE_TARNAME='libressl' -PACKAGE_VERSION='3.2.3' -PACKAGE_STRING='libressl 3.2.3' +PACKAGE_VERSION='3.2.4' +PACKAGE_STRING='libressl 3.2.4' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1449,7 +1449,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libressl 3.2.3 to adapt to many kinds of systems. +\`configure' configures libressl 3.2.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1520,7 +1520,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libressl 3.2.3:";; + short | recursive ) echo "Configuration of libressl 3.2.4:";; esac cat <<\_ACEOF @@ -1637,7 +1637,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libressl configure 3.2.3 +libressl configure 3.2.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2185,7 +2185,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libressl $as_me 3.2.3, which was +It was created by libressl $as_me 3.2.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2816,12 +2816,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -3126,7 +3121,7 @@ # Define the identity of the package. PACKAGE='libressl' - VERSION='3.2.3' + VERSION='3.2.4' cat >>confdefs.h <<_ACEOF 
@@ -14929,7 +14924,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libressl $as_me 3.2.3, which was +This file was extended by libressl $as_me 3.2.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14986,7 +14981,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libressl config.status 3.2.3 +libressl config.status 3.2.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/crypto/Makefile.in new/libressl-3.2.4/crypto/Makefile.in --- old/libressl-3.2.3/crypto/Makefile.in 2020-12-08 18:09:57.000000000 +0100 +++ new/libressl-3.2.4/crypto/Makefile.in 2021-02-07 17:25:28.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. @@ -9499,7 +9499,8 @@ done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am +install-exec: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data: install-data-am uninstall: uninstall-am 
@@ -11071,7 +11072,7 @@ uninstall-am: uninstall-libLTLIBRARIES -.MAKE: all check install install-am install-strip +.MAKE: all check install install-am install-exec install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ clean-generic clean-libLTLIBRARIES clean-libtool \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/crypto/x509/x509_verify.c new/libressl-3.2.4/crypto/x509/x509_verify.c --- old/libressl-3.2.3/crypto/x509/x509_verify.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/crypto/x509/x509_verify.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.13 2020/09/26 15:44:06 jsing Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.13.4.1 2021/02/03 07:06:13 tb Exp $ */ /* * Copyright (c) 2020 Bob Beck <[email protected]> * @@ -81,7 +81,7 @@ { struct x509_verify_chain *new_chain; - if ((new_chain = x509_verify_chain_new()) == NULL) + if ((new_chain = calloc(1, sizeof(*chain))) == NULL) goto err; if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL) goto err; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/crypto/x509/x509_vfy.c new/libressl-3.2.4/crypto/x509/x509_vfy.c --- old/libressl-3.2.3/crypto/x509/x509_vfy.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/crypto/x509/x509_vfy.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.81 2020/09/26 02:06:28 deraadt Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.81.4.1 2021/02/03 07:06:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young ([email protected]) * All rights reserved. * 
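Review bot: In the x509_verify.c hunk at @@ -81, the new allocation is sized from the source argument, `calloc(1, sizeof(*chain))`, not from the pointer being assigned. Both have the same type here, but `calloc(1, sizeof(*new_chain))` keeps the size tied to the destination if either declaration changes. A one-line comment would also help, e.g. `/* not x509_verify_chain_new(): its members would be overwritten below and leak */`; that wording is inferred from the release note "Plug leak in x509_verify_chain_dup()", because the body of x509_verify_chain_new() is not shown on this page. The rest of the function lies outside the hunk.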
@@ -1794,6 +1794,11 @@ if (ctx->parent) return 1; + + /* X509_policy_check always allocates a new tree. */ + X509_policy_tree_free(ctx->tree); + ctx->tree = NULL; + ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); if (ret == 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/crypto/x509/x509_vpm.c new/libressl-3.2.4/crypto/x509/x509_vpm.c --- old/libressl-3.2.3/crypto/x509/x509_vpm.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/crypto/x509/x509_vpm.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.22 2020/09/14 08:10:04 beck Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.22.4.1 2021/02/03 07:06:13 tb Exp $ */ /* Written by Dr Stephen N Henson ([email protected]) for the OpenSSL * project 2004. */ @@ -177,7 +177,7 @@ param->trust = 0; /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/ param->inh_flags = 0; - param->flags = 0; + param->flags = X509_V_FLAG_LEGACY_VERIFY; param->depth = -1; if (param->policies) { sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/include/Makefile.in new/libressl-3.2.4/include/Makefile.in --- old/libressl-3.2.3/include/Makefile.in 2020-12-08 18:09:57.000000000 +0100 +++ new/libressl-3.2.4/include/Makefile.in 2021-02-07 17:25:28.000000000 +0100 
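Review bot: In the x509_vpm.c hunk at @@ -177, the new default `param->flags = X509_V_FLAG_LEGACY_VERIFY;` changes which verifier every freshly zeroed parameter set selects, yet the line has no comment saying so. Suggest adding `/* Default to the legacy verifier; the new one is not bug compatible (3.2.4 release notes). */` above it. It is also worth confirming that callers which clear or overwrite the flags wholesale do not switch verifiers unintentionally. That cannot be judged from this hunk, whose enclosing function starts and ends outside it.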
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/include/openssl/Makefile.in new/libressl-3.2.4/include/openssl/Makefile.in --- old/libressl-3.2.3/include/openssl/Makefile.in 2020-12-08 18:09:57.000000000 +0100 +++ new/libressl-3.2.4/include/openssl/Makefile.in 2021-02-07 17:25:28.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/include/openssl/opensslv.h new/libressl-3.2.4/include/openssl/opensslv.h --- old/libressl-3.2.3/include/openssl/opensslv.h 2020-12-08 18:08:40.000000000 +0100 +++ new/libressl-3.2.4/include/openssl/opensslv.h 2021-02-03 13:22:46.000000000 +0100 @@ -3,9 +3,9 @@ #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x3020300fL +#define LIBRESSL_VERSION_NUMBER 0x3020400fL /* ^ Patch starts here */ -#define LIBRESSL_VERSION_TEXT "LibreSSL 3.2.3" +#define LIBRESSL_VERSION_TEXT "LibreSSL 3.2.4" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/install-sh new/libressl-3.2.4/install-sh --- old/libressl-3.2.3/install-sh 2020-12-08 18:09:52.000000000 +0100 +++ new/libressl-3.2.4/install-sh 2021-02-07 17:25:23.000000000 +0100 
@@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2018-03-11.20; # UTC +scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -69,6 +69,11 @@ # Desired mode of installed file. mode=0755 +# Create dirs (including intermediate dirs) using mode 755. +# This is like GNU 'install' as of coreutils 8.32 (2020). +mkdir_umask=22 + +backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= @@ -99,18 +104,28 @@ --version display version info and exit. -c (ignored) - -C install only if different (preserve the last data modification time) + -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. + -p pass -p to $cpprog. -s $stripprog installed files. + -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG + +By default, rm is invoked with -f; when overridden with RMPROG, +it's up to you to specify -f if you want it. + +If -S is not specified, no backups are attempted. + +Email bug reports to [email protected]. +Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do @@ -137,8 +152,13 @@ -o) chowncmd="$chownprog $2" shift;; + -p) cpprog="$cpprog -p";; + -s) stripcmd=$stripprog;; + -S) backupsuffix="$2" + shift;; + -t) is_target_a_directory=always dst_arg=$2 
@@ -255,6 +275,10 @@ dstdir=$dst test -d "$dstdir" dstdir_status=$? + # Don't chown directories that already exist. + if test $dstdir_status = 0; then + chowncmd="" + fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command @@ -301,22 +325,6 @@ if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *[2367][2367]) mkdir_umask=$umask;; - .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; - - *[0-7]) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then 
@@ -326,52 +334,49 @@ fi posix_mkdir=false - case $umask in - *[123567][0-7][0-7]) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - # Note that $RANDOM variable is not portable (e.g. dash); Use it - # here however when possible just to lower collision chance. - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - - trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 - - # Because "mkdir -p" follows existing symlinks and we likely work - # directly in world-writeable /tmp, make sure that the '$tmpdir' - # directory is successfully created first before we actually test - # 'mkdir -p' feature. - if (umask $mkdir_umask && - $mkdirprog $mkdir_mode "$tmpdir" && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - test_tmpdir="$tmpdir/a" - ls_ld_tmpdir=`ls -ld "$test_tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null - fi - trap '' 0;; - esac;; + # The $RANDOM variable is not portable (e.g., dash). Use it + # here however when possible just to lower collision chance. + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + + trap ' + ret=$? 
+ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null + exit $ret + ' 0 + + # Because "mkdir -p" follows existing symlinks and we likely work + # directly in world-writeable /tmp, make sure that the '$tmpdir' + # directory is successfully created first before we actually test + # 'mkdir -p'. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; esac if @@ -382,7 +387,7 @@ then : else - # The umask is ridiculous, or mkdir does not conform to POSIX, + # mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. @@ -411,7 +416,7 @@ prefixes= else if $posix_mkdir; then - (umask=$mkdir_umask && + (umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 
@@ -488,6 +493,13 @@ then rm -f "$dsttmp" else + # If $backupsuffix is set, and the file being installed + # already exists, attempt a backup. Don't worry if it fails, + # e.g., if mv doesn't support -f. + if test -n "$backupsuffix" && test -f "$dst"; then + $doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null + fi + # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || @@ -502,9 +514,9 @@ # file should still install successfully. { test ! -f "$dst" || - $doit $rmcmd -f "$dst" 2>/dev/null || + $doit $rmcmd "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && - { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + { $doit $rmcmd "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/man/Makefile.in new/libressl-3.2.4/man/Makefile.in --- old/libressl-3.2.3/man/Makefile.in 2020-12-08 18:09:58.000000000 +0100 +++ new/libressl-3.2.4/man/Makefile.in 2021-02-07 17:25:29.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/Makefile.in new/libressl-3.2.4/ssl/Makefile.in --- old/libressl-3.2.3/ssl/Makefile.in 2020-12-08 18:09:58.000000000 +0100 +++ new/libressl-3.2.4/ssl/Makefile.in 2021-02-07 17:25:29.000000000 +0100 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/d1_both.c new/libressl-3.2.4/ssl/d1_both.c --- old/libressl-3.2.3/ssl/d1_both.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/ssl/d1_both.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.60 2020/09/26 14:43:17 jsing Exp $ */ +/* $OpenBSD: d1_both.c,v 1.60.4.1 2021/02/03 07:06:13 tb Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * ([email protected]) for the OpenSSL project 2005. @@ -1060,18 +1060,18 @@ frag->msg_header.frag_len); /* save current state */ - saved_state.enc_write_ctx = s->internal->enc_write_ctx; - saved_state.write_hash = s->internal->write_hash; saved_state.session = s->session; saved_state.epoch = D1I(s)->w_epoch; D1I(s)->retransmitting = 1; /* restore state in which the message was originally sent */ - s->internal->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx; - s->internal->write_hash = frag->msg_header.saved_retransmit_state.write_hash; s->session = frag->msg_header.saved_retransmit_state.session; D1I(s)->w_epoch = frag->msg_header.saved_retransmit_state.epoch; + if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl, + frag->msg_header.saved_retransmit_state.enc_write_ctx, + frag->msg_header.saved_retransmit_state.write_hash, 0)) + return 0; if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) { 
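Review bot: In the d1_both.c hunk at @@ -1060, the early `return 0` added after `tls12_record_layer_set_write_cipher_hash()` leaves the connection in retransmit state. By that point `D1I(s)->retransmitting` is 1, and `s->session` and `D1I(s)->w_epoch` already hold the saved retransmit values. Before returning, put the current state back with `s->session = saved_state.session;` and `D1I(s)->w_epoch = saved_state.epoch;`, and clear `D1I(s)->retransmitting` if the code after the hunk would normally do so. The second new `return 0` in the following hunk (@@ -1085) exits after session and epoch are restored, but presumably also before the flag is cleared. The function begins and ends outside both hunks, so how callers handle a 0 return should be confirmed.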
@@ -1085,10 +1085,11 @@ SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); /* restore current state */ - s->internal->enc_write_ctx = saved_state.enc_write_ctx; - s->internal->write_hash = saved_state.write_hash; s->session = saved_state.session; D1I(s)->w_epoch = saved_state.epoch; + if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl, + s->internal->enc_write_ctx, s->internal->write_hash, 0)) + return 0; if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/ssl_both.c new/libressl-3.2.4/ssl/ssl_both.c --- old/libressl-3.2.3/ssl/ssl_both.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/ssl/ssl_both.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.20 2020/09/24 18:12:00 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.20.4.1 2021/02/03 07:06:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young ([email protected]) * All rights reserved. * @@ -408,6 +408,8 @@ SSLerror(s, ERR_R_X509_LIB); goto err; } + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xs_ctx), + X509_V_FLAG_LEGACY_VERIFY); X509_verify_cert(xs_ctx); ERR_clear_error(); chain = xs_ctx->chain; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/ssl_lib.c new/libressl-3.2.4/ssl/ssl_lib.c --- old/libressl-3.2.3/ssl/ssl_lib.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/ssl/ssl_lib.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.234 2020/09/24 18:12:00 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.234.4.1 2021/02/03 07:06:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young ([email protected]) * All rights reserved. * 
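Review bot: In the ssl_both.c hunk at @@ -408, the return value of the added `X509_VERIFY_PARAM_set_flags(...)` call is dropped, like that of `X509_verify_cert(xs_ctx)` on the next line, and nothing says this is intended. The release note "Use the legacy verifier for autochain" suggests the call only assembles a chain to send and makes no trust decision. If so, a comment such as `/* Chain building only; the verification result is deliberately ignored. */` would stop a later reader from treating `xs_ctx->chain` as verified. The surrounding function is outside the hunk.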
@@ -1710,8 +1710,17 @@ const char *label, size_t llen, const unsigned char *p, size_t plen, int use_context) { - return (tls1_export_keying_material(s, out, olen, - label, llen, p, plen, use_context)); + if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) { + if (!use_context) { + p = NULL; + plen = 0; + } + return tls13_exporter(s->internal->tls13, label, llen, p, plen, + out, olen); + } + + return (tls1_export_keying_material(s, out, olen, label, llen, p, plen, + use_context)); } static unsigned long diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/tls13_internal.h new/libressl-3.2.4/ssl/tls13_internal.h --- old/libressl-3.2.3/ssl/tls13_internal.h 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/ssl/tls13_internal.h 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.86 2020/07/30 16:23:17 tb Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.86.4.1 2021/02/03 07:06:14 tb Exp $ */ /* * Copyright (c) 2018 Bob Beck <[email protected]> * Copyright (c) 2018 Theo Buehler <[email protected]> 
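Review bot: In the ssl_lib.c hunk at @@ -1710, `label` is a `const char *` but is passed to `tls13_exporter()`, whose prototype added in tls13_internal.h takes `const uint8_t *label`. That is a pointer-signedness mismatch that compilers diagnose. Cast at the call, `return tls13_exporter(s->internal->tls13, (const uint8_t *)label, llen, p, plen,`, or change the prototype. The same applies to the new wrapper in tls13_key_schedule.c, which forwards its `const char *label` to `tls13_hkdf_expand_label_with_length()`. Separately, this page does not show the body of `tls13_exporter()`, so it should be confirmed that it fails cleanly when called before the exporter secret exists.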
@@ -148,6 +148,16 @@ int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, const struct tls13_secret *secret, const char *label, const struct tls13_secret *context); +int tls13_hkdf_expand_label_with_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context); + +int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, + const struct tls13_secret *secret, const char *label, + const struct tls13_secret *context); +int tls13_derive_secret_with_label_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context); int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, size_t psk_len, const struct tls13_secret *context); @@ -412,6 +422,10 @@ tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \ (fmt), __VA_ARGS__) +int tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, + const uint8_t *context_value, size_t context_value_len, uint8_t *out, + size_t out_len); + extern const uint8_t tls13_downgrade_12[8]; extern const uint8_t tls13_downgrade_11[8]; extern const uint8_t tls13_hello_retry_request_hash[32]; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/tls13_key_schedule.c new/libressl-3.2.4/ssl/tls13_key_schedule.c --- old/libressl-3.2.3/ssl/tls13_key_schedule.c 2020-12-08 17:55:29.000000000 +0100 +++ new/libressl-3.2.4/ssl/tls13_key_schedule.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_key_schedule.c,v 1.8 2019/11/17 21:01:08 beck Exp $ */ +/* $OpenBSD: tls13_key_schedule.c,v 1.8.6.1 2021/02/03 07:06:14 tb Exp $ */ /* Copyright (c) 2018, Bob Beck <[email protected]> * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -174,6 +174,15 @@ const struct tls13_secret *secret, const char *label, const struct tls13_secret *context) { + return tls13_hkdf_expand_label_with_length(out, digest, secret, label, + strlen(label), context); +} + +int +tls13_hkdf_expand_label_with_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, + const uint8_t *label, size_t label_len, const struct tls13_secret *context) +{ const char tls13_plabel[] = "tls13 "; uint8_t *hkdf_label; size_t hkdf_label_len; @@ -188,7 +197,7 @@ goto err; if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel))) goto err; - if (!CBB_add_bytes(&child, label, strlen(label))) + if (!CBB_add_bytes(&child, label, label_len)) goto err; if (!CBB_add_u8_length_prefixed(&cbb, &child)) goto err; @@ -207,7 +216,7 @@ return(0); } -static int +int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, const struct tls13_secret *secret, const char *label, const struct tls13_secret *context) @@ -216,6 +225,15 @@ } int +tls13_derive_secret_with_label_length(struct tls13_secret *out, + const EVP_MD *digest, const struct tls13_secret *secret, const uint8_t *label, + size_t label_len, const struct tls13_secret *context) +{ + return tls13_hkdf_expand_label_with_length(out, digest, secret, label, + label_len, context); +} + +int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, size_t psk_len, const struct tls13_secret *context) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/tls13_legacy.c new/libressl-3.2.4/ssl/tls13_legacy.c --- old/libressl-3.2.3/ssl/tls13_legacy.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/ssl/tls13_legacy.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_legacy.c,v 1.13 2020/09/13 15:04:35 jsing Exp $ */ +/* $OpenBSD: tls13_legacy.c,v 1.13.4.1 2021/02/03 07:06:14 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <[email protected]> * 
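Review bot: `tls13_hkdf_expand_label()` passes its `const char *label` straight into the `const uint8_t *label` parameter of `tls13_hkdf_expand_label_with_length()`, an implicit pointer-signedness conversion that compilers report under `-Wpointer-sign`. An explicit cast at the call, `(const uint8_t *)label`, keeps key-derivation code warning-clean so that a genuine warning there is not overlooked. The same conversion occurs elsewhere in this diff: where the SSL-level export function hands its `const char *label` to `tls13_exporter()`, and in `context_value = "";` inside `tls13_exporter()`. The wrapper's signature lines sit in the hunk's context, partly above the visible lines.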
@@ -40,8 +40,6 @@ if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { if (BIO_should_read(ssl->rbio)) return TLS13_IO_WANT_POLLIN; - if (BIO_should_write(ssl->rbio)) - return TLS13_IO_WANT_POLLOUT; if (n == 0) return TLS13_IO_EOF; @@ -79,8 +77,6 @@ errno = 0; if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { - if (BIO_should_read(ssl->wbio)) - return TLS13_IO_WANT_POLLIN; if (BIO_should_write(ssl->wbio)) return TLS13_IO_WANT_POLLOUT; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/tls13_lib.c new/libressl-3.2.4/ssl/tls13_lib.c --- old/libressl-3.2.3/ssl/tls13_lib.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/ssl/tls13_lib.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.54 2020/09/11 15:03:36 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.54.4.1 2021/02/03 07:06:14 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <[email protected]> * Copyright (c) 2019 Bob Beck <[email protected]> 
@@ -579,3 +579,75 @@ return 1; } +int +tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, + const uint8_t *context_value, size_t context_value_len, uint8_t *out, + size_t out_len) +{ + struct tls13_secret context, export_out, export_secret; + struct tls13_secrets *secrets = ctx->hs->secrets; + EVP_MD_CTX *md_ctx = NULL; + unsigned int md_out_len; + int md_len; + int ret = 0; + + /* + * RFC 8446 Section 7.5. + */ + + memset(&context, 0, sizeof(context)); + memset(&export_secret, 0, sizeof(export_secret)); + + export_out.data = out; + export_out.len = out_len; + + if (!ctx->handshake_completed) + return 0; + + md_len = EVP_MD_size(secrets->digest); + if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE) + goto err; + + if ((export_secret.data = calloc(1, md_len)) == NULL) + goto err; + export_secret.len = md_len; + + if ((context.data = calloc(1, md_len)) == NULL) + goto err; + context.len = md_len; + + /* In TLSv1.3 no context is equivalent to an empty context. */ + if (context_value == NULL) { + context_value = ""; + context_value_len = 0; + } + + if ((md_ctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL)) + goto err; + if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len)) + goto err; + if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len)) + goto err; + if (md_len != md_out_len) + goto err; + + if (!tls13_derive_secret_with_label_length(&export_secret, + secrets->digest, &secrets->exporter_master, label, label_len, + &secrets->empty_hash)) + goto err; + + if (!tls13_hkdf_expand_label(&export_out, secrets->digest, + &export_secret, "exporter", &context)) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_free(md_ctx); + freezero(context.data, context.len); + freezero(export_secret.data, export_secret.len); + + return ret; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/tls13_record_layer.c 
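Review bot: Nothing on the `err:` path of `tls13_exporter()` clears the caller's `out` buffer, and the early `return 0` for an incomplete handshake leaves it untouched. A caller that ignores the return value would then use whatever bytes the buffer held as keying material. Consider zeroing the output on failure with `if (!ret) explicit_bzero(out, out_len);` before the final `return ret;`, and replacing the early `return 0` with `goto err` so both failure paths behave alike. A header comment stating that the function returns 1 on success and 0 on failure, and that it fails until the handshake has completed, would make the contract explicit. The whole function is new in this hunk.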
new/libressl-3.2.4/ssl/tls13_record_layer.c --- old/libressl-3.2.3/ssl/tls13_record_layer.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/ssl/tls13_record_layer.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record_layer.c,v 1.53 2020/09/11 15:03:36 jsing Exp $ */ +/* $OpenBSD: tls13_record_layer.c,v 1.53.4.1 2021/02/03 07:06:14 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <[email protected]> * @@ -135,6 +135,9 @@ if (rl == NULL) return; + freezero(rl->alert_data, rl->alert_len); + freezero(rl->phh_data, rl->phh_len); + tls13_record_layer_rbuf_free(rl); tls13_record_layer_rrec_free(rl); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/ssl/tls13_server.c new/libressl-3.2.4/ssl/tls13_server.c --- old/libressl-3.2.3/ssl/tls13_server.c 2020-12-08 18:06:25.000000000 +0100 +++ new/libressl-3.2.4/ssl/tls13_server.c 2021-02-03 13:15:38.000000000 +0100 @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.61.4.1 2021/02/03 07:06:14 tb Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing <[email protected]> * Copyright (c) 2020 Bob Beck <[email protected]> @@ -611,6 +611,7 @@ SSL *s = ctx->ssl; CBB cert_request_context, cert_list; const struct ssl_sigalg *sigalg; + X509_STORE_CTX *xsc = NULL; STACK_OF(X509) *chain; CERT_PKEY *cpk; X509 *cert; @@ -633,6 +634,18 @@ if ((chain = cpk->chain) == NULL) chain = s->ctx->extra_certs; + if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { + if ((xsc = X509_STORE_CTX_new()) == NULL) + goto err; + if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) + goto err; + X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), + X509_V_FLAG_LEGACY_VERIFY); + X509_verify_cert(xsc); + ERR_clear_error(); + chain = xsc->chain; + } + if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) goto err; if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 
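Review bot: In the auto-chain block of tls13_server.c the result of `X509_verify_cert(xsc)` is discarded and `ERR_clear_error()` then empties the whole error queue, so whatever chain was built is sent even when verification failed, and nothing in the code says this is intended. If best-effort chain building is the goal, a comment above the call would stop a later reader from treating it as a missed check, for example `/* Best effort: send the chain that was built even if it does not verify. */`. Reading `xsc->chain` directly also ties the code to the struct layout; `X509_STORE_CTX_get0_chain(xsc)` does the same through the accessor. The borrowed `chain` pointer is only valid until `X509_STORE_CTX_free(xsc)` at `err:`, which is added in a later hunk, and the enclosing function starts outside this hunk.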
@@ -643,6 +656,15 @@ for (i = 0; i < sk_X509_num(chain); i++) { cert = sk_X509_value(chain, i); + + /* + * In the case of auto chain, the leaf certificate will be at + * the top of the chain - skip over it as we've already added + * it earlier. + */ + if (i == 0 && cert == cpk->x509) + continue; + /* * XXX we don't send extensions with chain certs to avoid sending * a leaf ocsp stape with the chain certs. This needs to get @@ -658,6 +680,8 @@ ret = 1; err: + X509_STORE_CTX_free(xsc); + return ret; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/tap-driver.sh new/libressl-3.2.4/tap-driver.sh --- old/libressl-3.2.3/tap-driver.sh 2020-12-08 18:09:52.000000000 +0100 +++ new/libressl-3.2.4/tap-driver.sh 2021-02-07 17:25:23.000000000 +0100 @@ -369,7 +369,7 @@ sub("^(not )?ok[ \t]*", "", line) # If the result has an explicit number, get it and strip it; otherwise, - # automatically assing the next progresive number to it. + # automatically assign the next test number to it. if (line ~ /^[0-9]+$/ || line ~ /^[0-9]+[^a-zA-Z0-9_]/) { match(line, "^[0-9]+") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/test-driver new/libressl-3.2.4/test-driver --- old/libressl-3.2.3/test-driver 2020-12-08 18:09:58.000000000 +0100 +++ new/libressl-3.2.4/test-driver 2021-02-07 17:25:29.000000000 +0100 
@@ -42,11 +42,13 @@ { cat <<END Usage: - test-driver --test-name=NAME --log-file=PATH --trs-file=PATH - [--expect-failure={yes|no}] [--color-tests={yes|no}] - [--enable-hard-errors={yes|no}] [--] + test-driver --test-name NAME --log-file PATH --trs-file PATH + [--expect-failure {yes|no}] [--color-tests {yes|no}] + [--enable-hard-errors {yes|no}] [--] TEST-SCRIPT [TEST-SCRIPT-ARGUMENTS] + The '--test-name', '--log-file' and '--trs-file' options are mandatory. +See the GNU Automake documentation for information. END } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/tests/Makefile.in new/libressl-3.2.4/tests/Makefile.in --- old/libressl-3.2.3/tests/Makefile.in 2020-12-08 18:09:59.000000000 +0100 +++ new/libressl-3.2.4/tests/Makefile.in 2021-02-07 17:25:30.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc. @@ -1145,6 +1145,7 @@ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck @SMALL_TIME_T_FALSE@am__EXEEXT_6 = rfc5280time$(EXEEXT) 
@@ -2111,7 +2112,7 @@ test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.2.3/tls/Makefile.in new/libressl-3.2.4/tls/Makefile.in --- old/libressl-3.2.3/tls/Makefile.in 2020-12-08 18:09:59.000000000 +0100 +++ new/libressl-3.2.4/tls/Makefile.in 2021-02-07 17:25:30.000000000 +0100 @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2020 Free Software Foundation, Inc.
