Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ell for openSUSE:Factory checked in at 2021-05-15 23:15:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ell (Old) and /work/SRC/openSUSE:Factory/.ell.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ell" Sat May 15 23:15:24 2021 rev:19 rq:892311 version:0.40 Changes: -------- --- /work/SRC/openSUSE:Factory/ell/ell.changes 2021-04-08 22:13:04.121532588 +0200 +++ /work/SRC/openSUSE:Factory/.ell.new.2988/ell.changes 2021-05-15 23:16:31.356657574 +0200 @@ -1,0 +2,7 @@ +Tue May 11 21:32:41 UTC 2021 - Dirk M??ller <dmuel...@suse.com> + +- update to 0.40: + * Fix issue with handling failure from missing CA certificates. + * Fix issue with handling DBus.Introspectable queries. + +------------------------------------------------------------------- Old: ---- ell-0.39.tar.sign ell-0.39.tar.xz New: ---- ell-0.40.tar.sign ell-0.40.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ell.spec ++++++ --- /var/tmp/diff_new_pack.v23qYH/_old 2021-05-15 23:16:32.256654060 +0200 +++ /var/tmp/diff_new_pack.v23qYH/_new 2021-05-15 23:16:32.256654060 +0200 @@ -16,15 +16,14 @@ # -Name: ell %define lname libell0 -Version: 0.39 +Name: ell +Version: 0.40 Release: 0 Summary: Wireless setup and cryptography library License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ URL: https://01.org/ell -#Git-URL: https://git.kernel.org/pub/scm/libs/ell/ell.git/ Source: https://mirrors.kernel.org/pub/linux/libs/ell/%name-%version.tar.xz Source2: https://mirrors.kernel.org/pub/linux/libs/ell/%name-%version.tar.sign Source3: %name.keyring ++++++ ell-0.39.tar.xz -> ell-0.40.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ChangeLog new/ell-0.40/ChangeLog --- old/ell-0.39/ChangeLog 2021-03-29 14:19:13.000000000 +0200 +++ new/ell-0.40/ChangeLog 2021-05-02 13:06:43.000000000 +0200 
@@ -1,3 +1,7 @@ +ver 0.40: + Fix issue with handling failure from missing CA certificates. + Fix issue with handling DBus.Introspectable queries. + ver 0.39: Add support for serialized test execution framework. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/configure new/ell-0.40/configure --- old/ell-0.39/configure 2021-03-29 14:20:57.000000000 +0200 +++ new/ell-0.40/configure 2021-05-02 13:08:16.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ell 0.39. +# Generated by GNU Autoconf 2.69 for ell 0.40. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='ell' PACKAGE_TARNAME='ell' -PACKAGE_VERSION='0.39' -PACKAGE_STRING='ell 0.39' +PACKAGE_VERSION='0.40' +PACKAGE_STRING='ell 0.40' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1350,7 +1350,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ell 0.39 to adapt to many kinds of systems. +\`configure' configures ell 0.40 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1421,7 +1421,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ell 0.39:";; + short | recursive ) echo "Configuration of ell 0.40:";; esac cat <<\_ACEOF @@ -1548,7 +1548,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ell configure 0.39 +ell configure 0.40 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1913,7 +1913,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ell $as_me 0.39, which was +It was created by ell $as_me 0.40, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2781,7 +2781,7 @@ # Define the identity of the package. PACKAGE='ell' - VERSION='0.39' + VERSION='0.40' cat >>confdefs.h <<_ACEOF @@ -13651,7 +13651,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ell $as_me 0.39, which was +This file was extended by ell $as_me 0.40, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -13717,7 +13717,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ell config.status 0.39 +ell config.status 0.40 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/configure.ac new/ell-0.40/configure.ac --- old/ell-0.39/configure.ac 2021-03-29 14:19:13.000000000 +0200 +++ new/ell-0.40/configure.ac 2021-05-02 13:06:43.000000000 +0200 @@ -1,5 +1,5 @@ AC_PREREQ(2.60) -AC_INIT(ell, 0.39) +AC_INIT(ell, 0.40) AC_CONFIG_HEADERS(config.h) AC_CONFIG_AUX_DIR(build-aux) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ell/cert.c new/ell-0.40/ell/cert.c --- old/ell-0.39/ell/cert.c 2021-03-29 14:19:13.000000000 +0200 +++ new/ell-0.40/ell/cert.c 2021-05-02 13:06:43.000000000 +0200 @@ -35,6 +35,8 @@ #include "pem-private.h" #include "cert.h" #include "cert-private.h" +#include "tls.h" +#include "tls-private.h" #include "missing.h" #define X509_CERTIFICATE_POS 0 
@@ -1635,14 +1637,34 @@ if (err != -ENOMSG) goto close; - /* Try PEM */ + /* Try other formats */ + } + + /* + * For backwards compatibility try the TLS internal struct Certificate + * format as may be captured by PCAP (no future support guaranteed). + */ + if (out_certchain && !password && file.st.st_size && + tls_parse_certificate_list(file.data, file.st.st_size, + out_certchain) == 0) { + error = false; + + if (out_privkey) + *out_privkey = NULL; + + if (out_encrypted) + *out_encrypted = false; + + goto close; } /* * RFC 7486 allows whitespace and possibly other data before the * PEM "encapsulation boundary" so rather than check if the start * of the data looks like PEM, we fall back to this format if the - * data didn't look like anything else we knew about. + * data didn't look like anything else we knew about. Note this + * succeeds for empty files and files without any PEM markers, + * returning NULL chain and privkey. */ if (cert_try_load_pem_format((const char *) file.data, file.st.st_size, password, out_certchain, out_privkey, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ell/dbus-service.c new/ell-0.40/ell/dbus-service.c --- old/ell-0.39/ell/dbus-service.c 2021-03-29 14:19:13.000000000 +0200 +++ new/ell-0.40/ell/dbus-service.c 2021-05-02 13:06:43.000000000 +0200 
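Review bot: With the new probe of the TLS-internal Certificate format and the amended PEM comment, an empty file or one with no recognised markers now completes the load successfully with *out_certchain left NULL; for a CA bundle that is indistinguishable from "no CA configured", which the tls.c change in this same release treats as the case where peer chain verification failures are tolerated. The hunk records this only in an internal comment, so the public contract of the loader (its declaration in cert.h, outside the diff) should state it, e.g. `Returns true with *out_certchain == NULL when the file is empty or holds no recognised certificate data; callers that require a chain must check for NULL.` The internal-format probe runs before PEM on every non-empty, password-less load and whether a PEM file could be misparsed as a certificate list is not visible here; a one-line comment on why the ordering is safe would help the next reader. The enclosing function starts before this hunk and continues after it.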
@@ -1709,16 +1709,29 @@ { struct object_node *node; struct child_node *child; + bool path_is_object = true; node = l_hashmap_lookup(tree->objects, path); - if (!node) + if (!node) { + path_is_object = false; node = _dbus_object_tree_lookup(tree, path); + } l_string_append(buf, XML_HEAD); l_string_append(buf, "<node>\n"); if (node) { - l_string_append(buf, static_introspectable); + /* + * We emit org.freedesktop.DBus.Introspectable only in case the + * object node corresponds to a registered object, i.e. + * exposes anything other than: + * - org.freedesktop.DBus.Introspectable + * - org.freedesktop.DBus.Peer + * - org.freedesktop.DBus.Properties + */ + if (path_is_object) + l_string_append(buf, static_introspectable); + l_queue_foreach(node->instances, generate_interface_instance, buf); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ell/ell.sym new/ell-0.40/ell/ell.sym --- old/ell-0.39/ell/ell.sym 2021-03-29 14:19:13.000000000 +0200 +++ new/ell-0.40/ell/ell.sym 2021-05-02 13:06:43.000000000 +0200 @@ -443,6 +443,7 @@ l_settings_set_debug; l_settings_get_groups; l_settings_has_group; + l_settings_add_group; l_settings_get_keys; l_settings_has_key; l_settings_get_value; @@ -670,9 +671,9 @@ l_tester_destroy; l_tester_start; l_tester_summarize; - l_tester_test_add; - l_tester_test_add_full; - l_tester_test_get_stage; + l_tester_add; + l_tester_add_full; + l_tester_get_stage; l_tester_get_data; l_tester_pre_setup_complete; l_tester_pre_setup_failed; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ell/settings.c new/ell-0.40/ell/settings.c --- old/ell-0.39/ell/settings.c 2021-03-29 14:19:13.000000000 +0200 +++ new/ell-0.40/ell/settings.c 2021-05-02 13:06:43.000000000 +0200 
@@ -866,6 +866,34 @@
 return true;
 }
 
+LIB_EXPORT bool l_settings_add_group(struct l_settings *settings,
+ const char *group_name)
+{
+ struct group_data *group;
+
+ if (unlikely(!settings || !group_name))
+ return false;
+
+ if (!validate_group_name(group_name)) {
+ l_util_debug(settings->debug_handler, settings->debug_data,
+ "Invalid group name %s", group_name);
+ return false;
+ }
+
+ group = l_queue_find(settings->groups, group_match, group_name);
+ if (group) {
+ l_util_debug(settings->debug_handler, settings->debug_data,
+ "Group %s exists", group_name);
+ return true;
+ }
+
+ group = l_new(struct group_data, 1);
+ group->name = l_strdup(group_name);
+ group->settings = l_queue_new();
+ l_queue_push_tail(settings->groups, group);
+ return true;
+}
+
 static bool validate_key(const char *key)
 {
 int i;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ell/settings.h new/ell-0.40/ell/settings.h
--- old/ell-0.39/ell/settings.h 2020-11-29 22:35:22.000000000 +0100
+++ new/ell-0.40/ell/settings.h 2021-05-02 13:06:43.000000000 +0200
@@ -54,6 +54,8 @@
 char **l_settings_get_keys(const struct l_settings *settings,
 const char *group_name);
 
+bool l_settings_add_group(struct l_settings *settings, const char *group_name);
+
 bool l_settings_has_group(const struct l_settings *settings,
 const char *group_name);
 bool l_settings_has_key(const struct l_settings *settings,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ell/tester.c new/ell-0.40/ell/tester.c
--- old/ell-0.39/ell/tester.c 2021-03-29 14:19:13.000000000 +0200
+++ new/ell-0.40/ell/tester.c 2021-05-02 13:06:43.000000000 +0200
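Review bot: l_settings_add_group() returns true both when it creates the group and when the `if (group)` branch finds it already present, so a caller cannot distinguish the two outcomes; that contract deserves a comment above the definition, e.g. `/* Add an empty group. Returns true if the group was created or already existed, false on NULL arguments or an invalid group name. */`. The NULL-argument check returns false silently while the invalid-name case emits an l_util_debug line; if the other exported setters log the NULL case too, this one should match. The new group is queued with an empty settings queue, so the group release path (outside the hunk) must cope with a group that has no keys; worth confirming.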
@@ -131,18 +131,11 @@ struct l_tester *tester = user_data; struct test_case *test; - printf("teardown %p\n", tester->test_entry); - test = tester->test_entry->data; - printf("teardown data %p\n", tester->test_entry->data); test->stage = L_TESTER_STAGE_TEARDOWN; test->teardown = false; - printf("Test name %p\n", test->name); - printf("Test name %s\n", test->name); print_progress(test->name, COLOR_MAGENTA, "teardown"); - printf("teardown\n"); - if (test->teardown_func) test->teardown_func(test->test_data); @@ -189,7 +182,7 @@ if (test->timeout > 0) test->run_timer = l_timeout_create(test->timeout, test_timeout, - test, NULL); + tester, NULL); test->stage = L_TESTER_STAGE_PRE_SETUP; @@ -286,6 +279,9 @@ print_progress(test->name, COLOR_RED, "pre setup failed"); + l_timeout_remove(test->run_timer); + test->run_timer = NULL; + l_idle_oneshot(done_callback, tester, NULL); } @@ -508,7 +504,7 @@ wait->func(wait->user_data); - free(wait); + l_free(wait); l_timeout_remove(timer); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ell/tls.c new/ell-0.40/ell/tls.c --- old/ell-0.39/ell/tls.c 2021-03-29 14:19:13.000000000 +0200 +++ new/ell-0.40/ell/tls.c 2021-05-02 13:06:43.000000000 +0200 @@ -1892,7 +1892,7 @@ const uint8_t *buf, size_t len) { size_t total; - struct l_certchain *certchain = NULL; + _auto_(l_certchain_free) struct l_certchain *certchain = NULL; struct l_cert *leaf; size_t der_len; const uint8_t *der; @@ -1914,7 +1914,7 @@ TLS_DISCONNECT(TLS_ALERT_DECODE_ERROR, 0, "Error decoding peer certificate chain"); - goto done; + return; } /* @@ -1930,12 +1930,12 @@ TLS_DISCONNECT(TLS_ALERT_HANDSHAKE_FAIL, 0, "Server sent no certificate chain"); - goto done; + return; } TLS_SET_STATE(TLS_HANDSHAKE_WAIT_KEY_EXCHANGE); - goto done; + return; } if (tls->cert_dump_path) { 
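Review bot: The timer created in the `-189` hunk now passes `tester` instead of `test` as user_data for test_timeout, which changes what every test_timeout invocation must expect; test_timeout itself is outside the diff, so confirm it now locates the running test through tester (presumably tester->test_entry) and that no other l_timeout_create(…, test_timeout, …) site still passes a struct test_case *. A short comment at the creation site, `/* test_timeout() takes the tester and looks up the running test itself */`, would stop the next reader from "fixing" it back. The `-286` hunk removes and NULLs run_timer only on the pre-setup-failed path; the other failure paths are not in this diff, so check they do the same or a stale timer can fire after the tester has moved on to the next test.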
@@ -1956,12 +1956,33 @@ * against our CAs if we have any. */ if (!l_certchain_verify(certchain, tls->ca_certs, &error_str)) { - TLS_DISCONNECT(TLS_ALERT_BAD_CERT, 0, - "Peer certchain verification failed " - "consistency check%s: %s", tls->ca_certs ? - " or against local CA certs" : "", error_str); + if (tls->ca_certs) { + TLS_DISCONNECT(TLS_ALERT_BAD_CERT, 0, + "Peer certchain verification failed " + "consistency check%s: %s", + tls->ca_certs ? + " or against local CA certs" : "", + error_str); + + return; + } - goto done; + /* + * Until the mainstream kernel can handle the occasionally + * used certificates without the AKID extension (both root, + * which is legal, and non-root, which is iffy but still + * happens) don't fail on peer certificate chain verification + * failure when CA certificates were not provided. Knowing + * that the chain is self-consistent alone doesn't + * authenticate the peer in any way. Only warn when it looks + * like the chain is bad but parses and we can get the peer + * public key from it below. + */ + TLS_DEBUG("Peer certchain verification failed (%s.) No local " + "CA certs provided so proceeding anyway. This " + "failure can signal a security issue or a " + "known kernel problem with some certificates.", + error_str); } /* @@ -1978,7 +1999,7 @@ "pending cipher suite %s", tls->pending.cipher_suite->name); - goto done; + return; } if (tls->subject_mask && !tls_cert_domains_match_mask(leaf, @@ -1992,7 +2013,7 @@ l_free(mask); l_free(subject_str); - goto done; + return; } /* Save the end-entity certificate and free the chain */ @@ -2004,7 +2025,7 @@ TLS_DISCONNECT(TLS_ALERT_UNSUPPORTED_CERT, 0, "Error loading peer public key to kernel"); - goto done; + return; } if (!l_key_get_info(tls->peer_pubkey, L_KEY_RSA_PKCS1_V1_5, @@ -2013,7 +2034,7 @@ TLS_DISCONNECT(TLS_ALERT_INTERNAL_ERROR, 0, "Can't l_key_get_info for peer public key"); - goto done; + return; } tls->peer_pubkey_size /= 8; 
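Review bot: Inside the new `if (tls->ca_certs)` branch the message still chooses its suffix with `tls->ca_certs ? " or against local CA certs" : ""`, which is now always the first alternative; fold it into the literal: `"Peer certchain verification failed consistency check or against local CA certs: %s", error_str`. The no-CA path then continues the handshake after a failed chain consistency check with only a TLS_DEBUG line, which an application sees only if it installed a debug handler; since this is the behaviour the release notes describe as the fix, the condition under which a self-inconsistent chain is accepted should also be stated in the public documentation of the CA-certificate setter rather than only in this in-function comment. The enclosing function starts before the first tls.c hunk and ends at the `-2024` hunk.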
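Review bot: The context comment `/* Save the end-entity certificate and free the chain */` in the `-1992` hunk now sits above code whose chain is released by the `_auto_(l_certchain_free)` cleanup on return; the lines that take the leaf are outside the hunk, so it is not visible whether `leaf` is detached from certchain before that automatic free runs (the l_steal_ptr macro added to util.h in this same commit looks intended for exactly that). If the leaf is still owned by the chain at return, it is freed with it and the saved pointer dangles. Either way the comment should say how ownership moves, e.g. `/* Take ownership of the end-entity certificate; the rest of the chain is freed on return */`.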
@@ -2024,14 +2045,11 @@
 else
 TLS_SET_STATE(TLS_HANDSHAKE_WAIT_HELLO_DONE);
 
- goto done;
+ return;
 
 decode_error:
 TLS_DISCONNECT(TLS_ALERT_DECODE_ERROR, 0,
 "TLS_CERTIFICATE decode error");
-
-done:
- l_certchain_free(certchain);
 }
 
 static void tls_handle_certificate_request(struct l_tls *tls,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/ell/util.h new/ell-0.40/ell/util.h
--- old/ell-0.39/ell/util.h 2021-03-29 14:19:13.000000000 +0200
+++ new/ell-0.40/ell/util.h 2021-05-02 13:06:43.000000000 +0200
@@ -245,6 +245,9 @@
 l_free(*p);
 }
 
+#define l_steal_ptr(ptr) \
+ (__extension__ ({ typeof(ptr) _tmp = (ptr); (ptr) = NULL; _tmp; }))
+
 /**
 * l_new:
 * @type: type of structure
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ell-0.39/tools/certchain-verify.c new/ell-0.40/tools/certchain-verify.c
--- old/ell-0.39/tools/certchain-verify.c 2018-12-11 12:27:44.000000000 +0100
+++ new/ell-0.40/tools/certchain-verify.c 2021-05-02 13:06:43.000000000 +0200
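Review bot: l_steal_ptr() evaluates its argument twice, once to initialise `_tmp` and once as the assignment target, so an argument with side effects such as `l_steal_ptr(p[i++])` misbehaves; the macro in the util.h hunk should carry a comment stating the contract, e.g. `/* ptr must be a side-effect-free lvalue: it is evaluated twice. Returns the old value and sets ptr to NULL. */`. It also relies on GNU statement expressions and bare `typeof`; the `__extension__` wrapper already signals the GNU dependency, but since this is a public header, spelling it `__typeof__` keeps consumers compiling under strict -std=c11 with GCC and Clang.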
@@ -23,72 +23,16 @@ #endif #include <stdio.h> -#include <errno.h> -#include <stdint.h> -#include <stdbool.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <unistd.h> -#include <sys/mman.h> #include <ell/ell.h> -#include "ell/tls-private.h" - -static int load_cert_chain(const char *file, struct l_certchain **certchain) -{ - int fd; - struct stat st; - char *data; - int err; - - fd = open(file, O_RDONLY); - if (fd < 0) { - fprintf(stderr, "Could not open %s: %s\n", - file, strerror(errno)); - return -errno; - } - - if (fstat(fd, &st) < 0) { - err = -errno; - fprintf(stderr, "Could not stat %s: %s\n", - file, strerror(errno)); - goto close_file; - } - - if (st.st_size == 0) { - err = -EINVAL; - fprintf(stderr, "Certificate file %s is empty!\n", file); - goto close_file; - } - - data = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); - if (data == MAP_FAILED) { - err = -errno; - fprintf(stderr, "Could not mmap %s: %s\n", - file, strerror(errno)); - goto close_file; - } - - err = tls_parse_certificate_list(data, st.st_size, certchain); - if (err < 0) - fprintf(stderr, "Could not parse certificate list: %s\n", - strerror(-err)); - - munmap(data, st.st_size); - -close_file: - close(fd); - return err; -} static void usage(const char *bin) { - printf("%s - TLS certificate chain verification utility\n\n", bin); + printf("%s - Certificate chain verification utility\n\n", bin); - printf("Usage: %s [options] <ca_cert file> <raw certificates file>\n" - " <ca_cert file> - local CA Certificate to validate against\n" - " <raw certificates file> - Certificates obtained from PCAP\n" + printf("Usage: %s [options] <ca_cert file> <certchain container>\n" + " <ca_cert file> - local CA Certificates to validate against\n" + " <certchain container> - certificate chain to verify\n" " --help\n\n", bin); } @@ -97,7 +41,6 @@ int status = EXIT_FAILURE; struct l_certchain *certchain; struct l_queue *ca_certs; - int err; const char *error_str; if (argc != 3) { 
@@ -107,8 +50,7 @@ l_log_set_stderr(); - err = load_cert_chain(argv[2], &certchain); - if (err < 0) + if (!l_cert_load_container_file(argv[2], NULL, &certchain, NULL, NULL)) goto done; if (!certchain) {