Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package uacme for openSUSE:Factory checked 
in at 2026-04-05 18:24:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/uacme (Old)
 and      /work/SRC/openSUSE:Factory/.uacme.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "uacme"

Sun Apr  5 18:24:39 2026 rev:8 rq:1344648 version:1.8.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/uacme/uacme.changes      2026-03-16 
14:19:22.322373845 +0100
+++ /work/SRC/openSUSE:Factory/.uacme.new.21863/uacme.changes   2026-04-05 
18:25:31.781298305 +0200
@@ -1,0 +2,7 @@
+Sun Apr  5 10:13:32 UTC 2026 - Martin Hauke <[email protected]>
+
+- Update to version 1.8.1
+  * uacme: Fix EAB bit parsing logic.
+  * ualpn: Manage TLS alerts when built with mbedTLS.
+
+-------------------------------------------------------------------

Old:
----
  uacme-1.8.0.tar.gz

New:
----
  uacme-1.8.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ uacme.spec ++++++
--- /var/tmp/diff_new_pack.JdDRF3/_old  2026-04-05 18:25:32.425324729 +0200
+++ /var/tmp/diff_new_pack.JdDRF3/_new  2026-04-05 18:25:32.429324893 +0200
@@ -18,7 +18,7 @@
 
 
 Name:           uacme
-Version:        1.8.0
+Version:        1.8.1
 Release:        0
 Summary:        A minimal ACMEv2 client
 License:        GPL-3.0-or-later

++++++ uacme-1.8.0.tar.gz -> uacme-1.8.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/uacme-1.8.0/ChangeLog new/uacme-1.8.1/ChangeLog
--- old/uacme-1.8.0/ChangeLog   2026-01-25 13:30:19.000000000 +0100
+++ new/uacme-1.8.1/ChangeLog   2026-04-05 10:20:43.000000000 +0200
@@ -1,3 +1,11 @@
+2026-04-05 Nicola Di Lieto <[email protected]>
+       * Release 1.8.1
+       - uacme: Fix EAB bit parsing logic
+         Closes https://github.com/ndilieto/uacme/issues/108
+       - ualpn: Manage TLS alerts when built with mbedTLS
+         Closes https://github.com/ndilieto/uacme/issues/109
+         See also https://github.com/openwrt/packages/issues/29003
+
 2026-01-25 Nicola Di Lieto <[email protected]>
        * Release 1.8.0
        - uacme: Add support for dns-persist-01 challenge
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/uacme-1.8.0/NEWS new/uacme-1.8.1/NEWS
--- old/uacme-1.8.0/NEWS        2026-01-25 13:30:19.000000000 +0100
+++ new/uacme-1.8.1/NEWS        2026-04-05 10:20:43.000000000 +0200
@@ -1,6 +1,14 @@
 uacme NEWS
 Copyright (C) 2019-2026 Nicola Di Lieto <[email protected]>
 
+## [1.8.1] - 2026-04-05
+### Changed
+- uacme: Fix EAB bit parsing logic
+  Closes https://github.com/ndilieto/uacme/issues/108
+- ualpn: Manage TLS alerts when built with mbedTLS
+  Closes https://github.com/ndilieto/uacme/issues/109
+  See also https://github.com/openwrt/packages/issues/29003
+
 ## [1.8.0] - 2026-01-25
 ### Added
 - uacme: Add support for dns-persist-01 challenge
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/uacme-1.8.0/docs/uacme.html 
new/uacme-1.8.1/docs/uacme.html
--- old/uacme-1.8.0/docs/uacme.html     2026-01-25 13:30:19.000000000 +0100
+++ new/uacme-1.8.1/docs/uacme.html     2026-04-05 10:20:43.000000000 +0200
@@ -1594,7 +1594,7 @@
 <div id="footnotes"><hr></div>
 <div id="footer">
 <div id="footer-text">
-Version 1.8.0<br>
+Version 1.8.1<br>
 Last updated
  2026-01-25 13:13:59 CET
 </div>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/uacme-1.8.0/docs/ualpn.html 
new/uacme-1.8.1/docs/ualpn.html
--- old/uacme-1.8.0/docs/ualpn.html     2026-01-25 13:30:19.000000000 +0100
+++ new/uacme-1.8.1/docs/ualpn.html     2026-04-05 10:20:43.000000000 +0200
@@ -1188,7 +1188,7 @@
 <div id="footnotes"><hr></div>
 <div id="footer">
 <div id="footer-text">
-Version 1.8.0<br>
+Version 1.8.1<br>
 Last updated
  2026-01-25 13:13:59 CET
 </div>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/uacme-1.8.0/uacme.1 new/uacme-1.8.1/uacme.1
--- old/uacme-1.8.0/uacme.1     2026-01-25 13:30:19.000000000 +0100
+++ new/uacme-1.8.1/uacme.1     2026-04-05 10:20:43.000000000 +0200
@@ -2,12 +2,12 @@
 .\"     Title: uacme
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 01/25/2026
+.\"      Date: 04/05/2026
 .\"    Manual: User Commands
-.\"    Source: uacme 1.8.0
+.\"    Source: uacme 1.8.1
 .\"  Language: English
 .\"
-.TH "UACME" "1" "01/25/2026" "uacme 1\&.8\&.0" "User Commands"
+.TH "UACME" "1" "04/05/2026" "uacme 1\&.8\&.1" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/uacme-1.8.0/uacme.c new/uacme-1.8.1/uacme.c
--- old/uacme-1.8.0/uacme.c     2026-01-25 13:30:19.000000000 +0100
+++ new/uacme-1.8.1/uacme.c     2026-04-05 10:20:43.000000000 +0200
@@ -1427,11 +1427,12 @@
     }
 
     eab[m[4].rm_eo] = 0;
-    if (strcmp(eab + m[4].rm_so, "512"))
+    if (strcmp(eab + m[4].rm_so, "512") == 0)
         a->eab_bits = 512;
-    else if (strcmp(eab + m[4].rm_so, "384"))
+    else if (strcmp(eab + m[4].rm_so, "384") == 0)
         a->eab_bits = 384;
-    else if (strcmp(eab + m[4].rm_so, "256") || strlen(eab + m[4].rm_so) == 0)
+    else if (strcmp(eab + m[4].rm_so, "256") == 0
+            || strlen(eab + m[4].rm_so) == 0)
         a->eab_bits = 256;
     else {
         warnx("EAB credentials BITS must be 256 (default), 384 or 512");
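Review bot: The expression `eab + m[4].rm_so` is repeated four times across the corrected comparison chain; hoisting it once as `const char *bits = eab + m[4].rm_so;` right after `eab[m[4].rm_eo] = 0;` makes the three `strcmp` calls read as a plain dispatch on the BITS field, and the empty-field default can then be written `*bits == '\0'` instead of `strlen(eab + m[4].rm_so) == 0`. Since this value selects the HMAC size used for the external account binding, a comment such as `/* BITS selects the EAB HMAC key length; empty means the 256 default */` above the chain would also help the next reader. The enclosing function begins and ends outside this hunk.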
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/uacme-1.8.0/ualpn.1 new/uacme-1.8.1/ualpn.1
--- old/uacme-1.8.0/ualpn.1     2026-01-25 13:30:19.000000000 +0100
+++ new/uacme-1.8.1/ualpn.1     2026-04-05 10:20:43.000000000 +0200
@@ -2,12 +2,12 @@
 .\"     Title: ualpn
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 01/25/2026
+.\"      Date: 04/05/2026
 .\"    Manual: User Commands
-.\"    Source: ualpn 1.8.0
+.\"    Source: ualpn 1.8.1
 .\"  Language: English
 .\"
-.TH "UALPN" "1" "01/25/2026" "ualpn 1\&.8\&.0" "User Commands"
+.TH "UALPN" "1" "04/05/2026" "ualpn 1\&.8\&.1" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/uacme-1.8.0/ualpn.c new/uacme-1.8.1/ualpn.c
--- old/uacme-1.8.0/ualpn.c     2026-01-25 13:30:19.000000000 +0100
+++ new/uacme-1.8.1/ualpn.c     2026-04-05 10:20:43.000000000 +0200
@@ -225,6 +225,9 @@
     mbedtls_ssl_config cnf;
     mbedtls_x509_crt crt;
     mbedtls_pk_context key;
+    size_t tls_record_offset;
+    size_t tls_record_size;
+    uint8_t tls_record_type;
 #endif
     char ident[0x100];
     char auth[0x30];
@@ -994,7 +997,9 @@
     mbedtls_x509write_crt_set_version(&c, MBEDTLS_X509_CRT_VERSION_3);
     mbedtls_x509write_crt_set_md_alg(&c, MBEDTLS_MD_SHA256);
     mbedtls_x509write_crt_set_subject_key(&c, &k);
+    mbedtls_x509write_crt_set_subject_name(&c, "CN=ualpn");
     mbedtls_x509write_crt_set_issuer_key(&c, &k);
+    mbedtls_x509write_crt_set_issuer_name(&c, "CN=ualpn");
 
     rc = mbedtls_x509write_crt_set_basic_constraints(&c, 1, -1);
     if (rc) {
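Review bot: The two added calls `mbedtls_x509write_crt_set_subject_name(&c, "CN=ualpn")` and `mbedtls_x509write_crt_set_issuer_name(&c, "CN=ualpn")` discard their int return value, while the `mbedtls_x509write_crt_set_basic_constraints` call immediately below is checked through `rc`. Both setters parse the DN string and return non-zero on failure; with a fixed literal that is unlikely, but assigning each to `rc` (e.g. `rc = mbedtls_x509write_crt_set_subject_name(&c, "CN=ualpn");`) and reusing the same `if (rc) { ... }` handling keeps the error path uniform and would catch any later change to the name. The enclosing function starts and ends outside this hunk.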
@@ -2166,6 +2171,35 @@
     EV_P = c->loop;
 #endif
     if (c->state != STATE_ACME) {
+        // Since only "acme-tls/1" ALPN extensions are supported, normal
+        // traffic makes the handshake fail, which in turn starts the
+        // proxying to the backend.
+        // Since commit https://github.com/Mbed-TLS/mbedtls/commit/e7047819ee
+        // mbedTLS sends TLS alerts before returning a failed handshake.
+        // Returning MBEDTLS_ERR_SSL_WANT_WRITE here would therefore loop
+        // forever.
+        // Therefore, parse the TLS records that mbedTLS sends and break the
+        // loop by returning MBEDTLS_ERR_SSL_INTERNAL_ERROR.
+        for (size_t i = 0; i < size; i++) {
+            switch (c->tls_record_offset) {
+                case 0:
+                    c->tls_record_type = data[i];
+                    break;
+                case 3:
+                    c->tls_record_size = data[i] << 8;
+                    break;
+                case 4:
+                    c->tls_record_size += data[i];
+                    break;
+            }
+            if (c->tls_record_offset < c->tls_record_size + 4) {
+                c->tls_record_offset++;
+                continue;
+            }
+            c->tls_record_offset = 0;
+            if (c->tls_record_type == 21)
+                return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        }
         // prevent sending data to client until PROXY/ACME decision
         return MBEDTLS_ERR_SSL_WANT_WRITE;
     }
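Review bot: The abort condition at the end of the loop compares `c->tls_record_type` against the bare literal `21`; mbedTLS already names this content type, so `if (c->tls_record_type == MBEDTLS_SSL_MSG_ALERT)` ties the code to the intent described in the comment above and avoids a magic number. The `switch` on `c->tls_record_offset` also lacks a `default:`; an explicit `default: break; /* version bytes and record body: nothing to capture */` documents that offsets 1, 2 and the body are skipped on purpose. It would also be worth a short comment noting that every alert record, warning-level included, terminates the handshake here, since that is the behaviour the loop implements. The parser presumably runs inside the mbedTLS send callback with `data`/`size` as its buffer arguments, but the function begins and ends outside this hunk, so the signature is not visible.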
@@ -2387,6 +2421,9 @@
     SSL_set0_wbio(c->ssl, bio);
     SSL_set_accept_state(c->ssl);
 #elif defined(USE_MBEDTLS)
+    c->tls_record_offset = 0;
+    c->tls_record_size = 0;
+    c->tls_record_type = 0;
     mbedtls_ssl_config_init(&c->cnf);
     int rc = mbedtls_ssl_config_defaults(&c->cnf, MBEDTLS_SSL_IS_SERVER,
                     MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
