Hello community,

here is the log from the commit of package ell for openSUSE:Factory checked in 
at 2022-09-14 13:44:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ell (Old)
 and      /work/SRC/openSUSE:Factory/.ell.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ell"

Wed Sep 14 13:44:35 2022 rev:31 rq:1003272 version:0.53

Changes:
--------
--- /work/SRC/openSUSE:Factory/ell/ell.changes  2022-07-21 11:33:24.990949252 
+0200
+++ /work/SRC/openSUSE:Factory/.ell.new.2083/ell.changes        2022-09-14 
13:44:39.849846223 +0200
@@ -1,0 +2,6 @@
+Tue Sep 13 09:25:35 UTC 2022 - Dirk M??ller <dmuel...@suse.com>
+
+- update to 0.53:
+  * Add support for EC based certificates.
+
+-------------------------------------------------------------------

Old:
----
  ell-0.52.tar.sign
  ell-0.52.tar.xz

New:
----
  ell-0.53.tar.sign
  ell-0.53.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ell.spec ++++++
--- /var/tmp/diff_new_pack.VgCsA0/_old  2022-09-14 13:44:40.417847653 +0200
+++ /var/tmp/diff_new_pack.VgCsA0/_new  2022-09-14 13:44:40.425847673 +0200
@@ -18,7 +18,7 @@
 
 %define lname   libell0
 Name:           ell
-Version:        0.52
+Version:        0.53
 Release:        0
 Summary:        Wireless setup and cryptography library
 License:        LGPL-2.1-or-later

++++++ ell-0.52.tar.xz -> ell-0.53.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ChangeLog new/ell-0.53/ChangeLog
--- old/ell-0.52/ChangeLog      2022-07-15 18:22:44.000000000 +0200
+++ new/ell-0.53/ChangeLog      2022-09-07 20:21:45.000000000 +0200
@@ -1,3 +1,6 @@
+ver 0.53:
+       Add support for EC based certificates.
+
 ver 0.52:
        Fix issue with using PTRDIFF_MAX constant.
        Fix issue with accepting FD 0 as epoll_fd.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/Makefile.am new/ell-0.53/Makefile.am
--- old/ell-0.52/Makefile.am    2022-07-15 18:22:44.000000000 +0200
+++ new/ell-0.53/Makefile.am    2022-09-07 20:21:45.000000000 +0200
@@ -219,6 +219,7 @@
 cert_files = unit/cert-chain.pem \
                        unit/cert-entity-int.pem \
                        unit/cert-server.pem \
+                       unit/ec-cert-server.pem \
                        unit/cert-server-key-pkcs8.pem \
                        unit/cert-client.pem \
                        unit/cert-client.crt \
@@ -246,6 +247,7 @@
 cert_checks = unit/cert-intca \
                        unit/cert-entity-int \
                        unit/cert-server \
+                       unit/ec-cert-server \
                        unit/cert-client \
                        unit/cert-no-keyid
 
@@ -417,15 +419,30 @@
 unit/cert-ca-key.pem:
        $(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-ca-key.pem:
+       $(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+                               -genkey $($(AM_V_P)_redirect_openssl)
+
+
 unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
        $(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
                        -config $(srcdir)/unit/gencerts.cnf \
                        -subj '/O=International Union of Example 
Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
                        -key $< -sha256 -days 10000 -out $@
 
+unit/ec-cert-ca.pem: unit/ec-cert-ca-key.pem unit/gencerts.cnf
+       $(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+                       -config $(srcdir)/unit/gencerts.cnf \
+                       -subj '/O=International Union of Example 
Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+                       -key $< -sha256 -days 10000 -out $@
+
 unit/cert-server-key.pem:
        $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-server-key.pem:
+       $(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+                               -genkey $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
        $(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
 
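Review bot: The EC CA issued at L104–L109 uses exactly the same -subj as the RSA CA above it, so the two test CAs differ only by key; that is legal, but any test that ever loads both into one trust store would see two issuers with an identical DN and failures become hard to read, so a distinct name such as `-subj '/O=International Union of Example Organizations/CN=EC certificate issuer guy/emailAddress=ca@mail.example'` would be clearer. The two consecutive blank lines added at L95–L96 break the one-blank-line spacing the rest of the file uses. The secp384r1 keys are signed with -sha256, which works, though SHA-384 is the conventional pairing for P-384; a nit, not a defect. The `openssl ecparam -genkey` recipes otherwise mirror the genrsa ones in style.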
@@ -435,6 +452,12 @@
                        -subj '/O=Foo Example Organization/CN=Foo Example 
Organization/emailAddress=foo@mail.example' \
                        -key $< -out $@
 
+unit/ec-cert-server.csr: unit/ec-cert-server-key.pem unit/gencerts.cnf
+       $(AM_V_GEN)openssl req -new -extensions cert_ext \
+                       -config $(srcdir)/unit/gencerts.cnf \
+                       -subj '/O=Foo Example Organization/CN=Foo Example 
Organization/emailAddress=foo@mail.example' \
+                       -key $< -out $@
+
 unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
        $(AM_V_GEN)openssl x509 -req -extensions server_ext \
                        -extfile $(srcdir)/unit/gencerts.cnf \
@@ -443,9 +466,22 @@
                        -CAserial $(builddir)/unit/cert-ca.srl \
                        -CAcreateserial -sha256 -days 10000 -out $@ 
$($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-server.pem: unit/ec-cert-server.csr unit/ec-cert-ca.pem \
+                               unit/gencerts.cnf
+       $(AM_V_GEN)openssl x509 -req -extensions server_ext \
+                       -extfile $(srcdir)/unit/gencerts.cnf \
+                       -in $< -CA $(builddir)/unit/ec-cert-ca.pem \
+                       -CAkey $(builddir)/unit/ec-cert-ca-key.pem \
+                       -CAserial $(builddir)/unit/cert-ca.srl \
+                       -CAcreateserial -sha256 -days 10000 \
+                       -out $@ $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server: unit/cert-server.pem unit/cert-ca.pem
        $(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca.pem $<
 
+unit/ec-cert-server: unit/ec-cert-server.pem unit/ec-cert-ca.pem
+       $(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/ec-cert-ca.pem $<
+
 unit/cert-client-key-pkcs1.pem:
        $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
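Review bot: `unit/ec-cert-server.pem` is signed by the EC CA but takes its serial from the RSA CA's counter, `-CAserial $(builddir)/unit/cert-ca.srl` (L147); each issuer should keep its own file, `-CAserial $(builddir)/unit/ec-cert-ca.srl`, which also stops this rule and the RSA signing rules from rewriting one shared scratch file under `make -j`. If the serial file is renamed, the clean-local hunk further down needs `unit/ec-cert-*.srl` added to its rm list. The recipe also reads `$(builddir)/unit/ec-cert-ca-key.pem` (L146) without listing it as a prerequisite; it is only reached transitively through unit/ec-cert-ca.pem (L104), so stating it explicitly would be safer, although the RSA rule at L133 has the same gap.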
@@ -623,7 +659,8 @@
 endif
 
 clean-local:
-       -rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
+       -rm -f unit/ec-cert*.pem unit/ec-cert-*.csr \
+               unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
 
 maintainer-clean-local:
        -rm -rf build-aux
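Review bot: The two new globs are spelled differently, `unit/ec-cert*.pem` versus `unit/ec-cert-*.csr`; both match the generated files, but `unit/ec-cert-*.pem` keeps them consistent with each other and with the `unit/cert-*` patterns on the following line. The same inconsistency is mirrored in the generated Makefile.in hunk, which will be regenerated from this file anyway.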
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/Makefile.in new/ell-0.53/Makefile.in
--- old/ell-0.52/Makefile.in    2022-07-15 18:24:21.000000000 +0200
+++ new/ell-0.53/Makefile.in    2022-09-07 20:23:26.000000000 +0200
@@ -1147,6 +1147,7 @@
 cert_files = unit/cert-chain.pem \
                        unit/cert-entity-int.pem \
                        unit/cert-server.pem \
+                       unit/ec-cert-server.pem \
                        unit/cert-server-key-pkcs8.pem \
                        unit/cert-client.pem \
                        unit/cert-client.crt \
@@ -1174,6 +1175,7 @@
 cert_checks = unit/cert-intca \
                        unit/cert-entity-int \
                        unit/cert-server \
+                       unit/ec-cert-server \
                        unit/cert-client \
                        unit/cert-no-keyid
 
@@ -3141,15 +3143,29 @@
 unit/cert-ca-key.pem:
        $(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-ca-key.pem:
+       $(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+                               -genkey $($(AM_V_P)_redirect_openssl)
+
 unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
        $(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
                        -config $(srcdir)/unit/gencerts.cnf \
                        -subj '/O=International Union of Example 
Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
                        -key $< -sha256 -days 10000 -out $@
 
+unit/ec-cert-ca.pem: unit/ec-cert-ca-key.pem unit/gencerts.cnf
+       $(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+                       -config $(srcdir)/unit/gencerts.cnf \
+                       -subj '/O=International Union of Example 
Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+                       -key $< -sha256 -days 10000 -out $@
+
 unit/cert-server-key.pem:
        $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-server-key.pem:
+       $(AM_V_GEN)openssl ecparam -out $@ -name secp384r1 \
+                               -genkey $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
        $(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
 
@@ -3159,6 +3175,12 @@
                        -subj '/O=Foo Example Organization/CN=Foo Example 
Organization/emailAddress=foo@mail.example' \
                        -key $< -out $@
 
+unit/ec-cert-server.csr: unit/ec-cert-server-key.pem unit/gencerts.cnf
+       $(AM_V_GEN)openssl req -new -extensions cert_ext \
+                       -config $(srcdir)/unit/gencerts.cnf \
+                       -subj '/O=Foo Example Organization/CN=Foo Example 
Organization/emailAddress=foo@mail.example' \
+                       -key $< -out $@
+
 unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
        $(AM_V_GEN)openssl x509 -req -extensions server_ext \
                        -extfile $(srcdir)/unit/gencerts.cnf \
@@ -3167,9 +3189,22 @@
                        -CAserial $(builddir)/unit/cert-ca.srl \
                        -CAcreateserial -sha256 -days 10000 -out $@ 
$($(AM_V_P)_redirect_openssl)
 
+unit/ec-cert-server.pem: unit/ec-cert-server.csr unit/ec-cert-ca.pem \
+                               unit/gencerts.cnf
+       $(AM_V_GEN)openssl x509 -req -extensions server_ext \
+                       -extfile $(srcdir)/unit/gencerts.cnf \
+                       -in $< -CA $(builddir)/unit/ec-cert-ca.pem \
+                       -CAkey $(builddir)/unit/ec-cert-ca-key.pem \
+                       -CAserial $(builddir)/unit/cert-ca.srl \
+                       -CAcreateserial -sha256 -days 10000 \
+                       -out $@ $($(AM_V_P)_redirect_openssl)
+
 unit/cert-server: unit/cert-server.pem unit/cert-ca.pem
        $(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca.pem $<
 
+unit/ec-cert-server: unit/ec-cert-server.pem unit/ec-cert-ca.pem
+       $(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/ec-cert-ca.pem $<
+
 unit/cert-client-key-pkcs1.pem:
        $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
@@ -3343,7 +3378,8 @@
 @MAINTAINER_MODE_TRUE@check-local: $(cert_checks)
 
 clean-local:
-       -rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
+       -rm -f unit/ec-cert*.pem unit/ec-cert-*.csr \
+               unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/key-*.dat
 
 maintainer-clean-local:
        -rm -rf build-aux
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/configure new/ell-0.53/configure
--- old/ell-0.52/configure      2022-07-15 18:24:16.000000000 +0200
+++ new/ell-0.53/configure      2022-09-07 20:23:22.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for ell 0.52.
+# Generated by GNU Autoconf 2.71 for ell 0.53.
 #
 #
 # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation,
@@ -618,8 +618,8 @@
 # Identity of this package.
 PACKAGE_NAME='ell'
 PACKAGE_TARNAME='ell'
-PACKAGE_VERSION='0.52'
-PACKAGE_STRING='ell 0.52'
+PACKAGE_VERSION='0.53'
+PACKAGE_STRING='ell 0.53'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1380,7 +1380,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures ell 0.52 to adapt to many kinds of systems.
+\`configure' configures ell 0.53 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1451,7 +1451,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of ell 0.52:";;
+     short | recursive ) echo "Configuration of ell 0.53:";;
    esac
   cat <<\_ACEOF
 
@@ -1578,7 +1578,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ell configure 0.52
+ell configure 0.53
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -1839,7 +1839,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ell $as_me 0.52, which was
+It was created by ell $as_me 0.53, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3114,7 +3114,7 @@
 
 # Define the identity of the package.
  PACKAGE='ell'
- VERSION='0.52'
+ VERSION='0.53'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -14344,7 +14344,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ell $as_me 0.52, which was
+This file was extended by ell $as_me 0.53, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -14412,7 +14412,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-ell config.status 0.52
+ell config.status 0.53
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/configure.ac new/ell-0.53/configure.ac
--- old/ell-0.52/configure.ac   2022-07-15 18:22:44.000000000 +0200
+++ new/ell-0.53/configure.ac   2022-09-07 20:21:45.000000000 +0200
@@ -1,5 +1,5 @@
 AC_PREREQ([2.69])
-AC_INIT([ell],[0.52])
+AC_INIT([ell],[0.53])
 
 AC_CONFIG_HEADERS(config.h)
 AC_CONFIG_AUX_DIR(build-aux)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/cert.c new/ell-0.53/ell/cert.c
--- old/ell-0.52/ell/cert.c     2021-05-02 13:06:43.000000000 +0200
+++ new/ell-0.53/ell/cert.c     2022-09-07 20:21:45.000000000 +0200
@@ -77,7 +77,15 @@
 } pkcs1_encryption_oids[] = {
        { /* rsaEncryption */
                L_CERT_KEY_RSA,
-               { 9, { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01 } },
+               { .asn1_len = 9, .asn1 = {
+                       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01 }
+               },
+       },
+       { /* ecPublicKey */
+               L_CERT_KEY_ECC,
+               { .asn1_len = 7, .asn1 = {
+                       0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01 }
+               },
        },
 };
 
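Review bot: The table `pkcs1_encryption_oids` now also holds the ecPublicKey OID (the 2a 86 48 ce 3d 02 01 encoding at L384), so its name no longer describes its contents; a rename such as `pubkey_algorithm_oids`, or at least a comment stating that the table maps SubjectPublicKeyInfo algorithm OIDs to enum l_cert_key_type, would help the next reader. Unlike rsaEncryption, ecPublicKey carries the curve in the algorithm parameters rather than in the OID, so this lookup classifies a key as L_CERT_KEY_ECC whatever its curve; if only particular curves are meant to be accepted, that check has to live elsewhere (presumably in the kernel parser that l_key_new hands the certificate to, which is not visible here). The move to designated initializers (.asn1_len/.asn1) is a welcome readability improvement.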
@@ -261,8 +269,14 @@
                return NULL;
 
        /* Use kernel's ASN.1 certificate parser to find the key data for us */
-       if (cert->pubkey_type == L_CERT_KEY_RSA)
+       switch (cert->pubkey_type) {
+       case L_CERT_KEY_RSA:
                return l_key_new(L_KEY_RSA, cert->asn1, cert->asn1_len);
+       case L_CERT_KEY_ECC:
+               return l_key_new(L_KEY_ECC, cert->asn1, cert->asn1_len);
+       case L_CERT_KEY_UNKNOWN:
+               break;
+       }
 
        return NULL;
 }
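Review bot: The new L_CERT_KEY_ECC arm hands the certificate to l_key_new(L_KEY_ECC, …), which the key.c hunk maps to the kernel's "asymmetric" key type, so loading an EC certificate now depends on the running kernel being able to parse ECDSA public keys and will presumably fail at key creation rather than at parse time on kernels without that support; a comment such as `/* Needs kernel support for ECDSA keys in the asymmetric key type */` would make the runtime dependency visible. The switch deliberately has no default so that a future l_cert_key_type value draws a compiler warning, and a one-line comment saying so would stop someone "fixing" it.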
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/cert.h new/ell-0.53/ell/cert.h
--- old/ell-0.52/ell/cert.h     2021-11-02 15:41:45.000000000 +0100
+++ new/ell-0.53/ell/cert.h     2022-09-07 20:21:45.000000000 +0200
@@ -36,6 +36,7 @@
 
 enum l_cert_key_type {
        L_CERT_KEY_RSA,
+       L_CERT_KEY_ECC,
        L_CERT_KEY_UNKNOWN,
 };
 
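Review bot: Inserting L_CERT_KEY_ECC ahead of L_CERT_KEY_UNKNOWN in a public header shifts the numeric value of L_CERT_KEY_UNKNOWN from 1 to 2, so a binary built against 0.52 that compares l_cert_get_pubkey_type() results against the old constant can misread an ECC key as unknown — and the ell.spec hunk keeps the soname libell0 unchanged. If ell does not promise enum-value stability across releases this is acceptable, but key.h in this same diff appends L_KEY_ECC and L_KEY_ECDSA_X962 at the end of their enums, and appending here too (`L_CERT_KEY_RSA, L_CERT_KEY_UNKNOWN, L_CERT_KEY_ECC,`) would preserve the old values at the cost of the sentinel no longer being last.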
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/ell.sym new/ell-0.53/ell/ell.sym
--- old/ell-0.52/ell/ell.sym    2022-07-15 18:22:44.000000000 +0200
+++ new/ell-0.53/ell/ell.sym    2022-09-07 20:21:45.000000000 +0200
@@ -537,6 +537,7 @@
        l_uintset_foreach;
        l_uintset_clone;
        l_uintset_intersect;
+       l_uintset_subtract;
        l_uintset_isempty;
        l_uintset_size;
        /* uuid */
@@ -747,10 +748,12 @@
        l_netconfig_set_gateway_override;
        l_netconfig_set_dns_override;
        l_netconfig_set_domain_names_override;
+       l_netconfig_set_acd_enabled;
        l_netconfig_check_config;
        l_netconfig_reset_config;
        l_netconfig_start;
        l_netconfig_stop;
+       l_netconfig_unconfigure;
        l_netconfig_get_dhcp_client;
        l_netconfig_get_dhcp6_client;
        l_netconfig_get_icmp6_client;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/genl.c new/ell-0.53/ell/genl.c
--- old/ell-0.52/ell/genl.c     2022-07-15 18:22:44.000000000 +0200
+++ new/ell-0.53/ell/genl.c     2022-09-07 20:21:45.000000000 +0200
@@ -1720,7 +1720,6 @@
        if (!NLA_OK(nla, len))
                return false;
 
-       attr->msg = msg;
        attr->data = NULL;
        attr->len = 0;
        attr->next_data = nla;
@@ -1761,7 +1760,7 @@
        return true;
 }
 
-LIB_EXPORT bool l_genl_attr_recurse(struct l_genl_attr *attr,
+LIB_EXPORT bool l_genl_attr_recurse(const struct l_genl_attr *attr,
                                                struct l_genl_attr *nested)
 {
        const struct nlattr *nla;
@@ -1773,7 +1772,6 @@
        if (!nla)
                return false;
 
-       nested->msg = attr->msg;
        nested->data = NULL;
        nested->len = 0;
        nested->next_data = NLA_DATA(nla);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/genl.h new/ell-0.53/ell/genl.h
--- old/ell-0.52/ell/genl.h     2022-01-05 22:10:31.000000000 +0100
+++ new/ell-0.53/ell/genl.h     2022-09-07 20:21:45.000000000 +0200
@@ -76,7 +76,6 @@
                                        l_genl_destroy_func_t destroy);
 
 struct l_genl_attr {
-       struct l_genl_msg *msg;
        const void *data;
        uint32_t len;
        const void *next_data;
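Review bot: Dropping `msg` from struct l_genl_attr changes the size and layout of a public struct that callers allocate themselves (l_genl_attr_init takes a caller-provided pointer, L484), so any consumer built against the 0.52 header must be recompiled even though the ell.spec hunk leaves the soname libell0 unchanged. The genl.c hunks remove the only two writers of the field and nothing in this diff reads it, so the removal itself looks safe, and const-qualifying the first argument of l_genl_attr_recurse is a good follow-on. If ell's policy is that struct layouts are not part of the ABI, a line in the ChangeLog would still help packagers.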
@@ -109,7 +108,8 @@
 bool l_genl_attr_init(struct l_genl_attr *attr, struct l_genl_msg *msg);
 bool l_genl_attr_next(struct l_genl_attr *attr, uint16_t *type,
                                        uint16_t *len, const void **data);
-bool l_genl_attr_recurse(struct l_genl_attr *attr, struct l_genl_attr *nested);
+bool l_genl_attr_recurse(const struct l_genl_attr *attr,
+                               struct l_genl_attr *nested);
 
 bool l_genl_family_info_has_group(const struct l_genl_family_info *info,
                                        const char *group);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/key.c new/ell-0.53/ell/key.c
--- old/ell-0.52/ell/key.c      2021-03-29 14:19:13.000000000 +0200
+++ new/ell-0.53/ell/key.c      2022-09-07 20:21:45.000000000 +0200
@@ -108,6 +108,7 @@
 static const char * const key_type_names[] = {
        [L_KEY_RAW] = "user",
        [L_KEY_RSA] = "asymmetric",
+       [L_KEY_ECC] = "asymmetric",
 };
 
 static long kernel_add_key(const char *type, const char *description,
@@ -382,18 +383,16 @@
 
 static const char *lookup_cipher(enum l_key_cipher_type cipher)
 {
-       const char* ret = NULL;
-
        switch (cipher) {
        case L_KEY_RSA_PKCS1_V1_5:
-               ret = "pkcs1";
-               break;
+               return "pkcs1";
        case L_KEY_RSA_RAW:
-               ret = "raw";
-               break;
+               return "raw";
+       case L_KEY_ECDSA_X962:
+               return "x962";
        }
 
-       return ret;
+       return NULL;
 }
 
 static const char *lookup_checksum(enum l_checksum_type checksum)
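Review bot: The strings lookup_cipher returns ("pkcs1", "raw" and now "x962") are presumably the encoding names the kernel's keyctl pkey interface understands, but nothing in the function says so; a comment above the switch such as `/* Encoding names as understood by the kernel's asymmetric key type */` would make that coupling explicit. Returning directly from each case is cleaner than the old local-variable form, and the trailing `return NULL` still covers an out-of-range enum value, so the restructure is fine.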
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/key.h new/ell-0.53/ell/key.h
--- old/ell-0.52/ell/key.h      2021-11-02 15:41:45.000000000 +0100
+++ new/ell-0.53/ell/key.h      2022-09-07 20:21:45.000000000 +0200
@@ -45,6 +45,7 @@
 enum l_key_type {
        L_KEY_RAW = 0,
        L_KEY_RSA,
+       L_KEY_ECC,
 };
 
 enum l_keyring_restriction {
@@ -55,6 +56,7 @@
 enum l_key_cipher_type {
        L_KEY_RSA_PKCS1_V1_5,
        L_KEY_RSA_RAW,
+       L_KEY_ECDSA_X962,
 };
 
 struct l_key *l_key_new(enum l_key_type type, const void *payload,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/netconfig.c new/ell-0.53/ell/netconfig.c
--- old/ell-0.52/ell/netconfig.c        2022-07-15 18:22:44.000000000 +0200
+++ new/ell-0.53/ell/netconfig.c        2022-09-07 20:21:45.000000000 +0200
@@ -67,6 +67,7 @@
        char *v4_gateway_override;
        char **v4_dns_override;
        char **v4_domain_names_override;
+       bool acd_enabled;
 
        bool v6_enabled;
        struct l_rtnl_address *v6_static_addr;
@@ -1031,7 +1032,6 @@
 
        nc = l_new(struct l_netconfig, 1);
        nc->ifindex = ifindex;
-       nc->v4_enabled = true;
 
        nc->addresses.current = l_queue_new();
        nc->addresses.added = l_queue_new();
@@ -1061,6 +1061,7 @@
        /* Disable in-kernel autoconfiguration for the interface */
        netconfig_proc_write_ipv6_uint_setting(nc, "accept_ra", 0);
 
+       l_netconfig_reset_config(nc);
        return nc;
 }
 
@@ -1275,6 +1276,16 @@
        return true;
 }
 
+LIB_EXPORT bool l_netconfig_set_acd_enabled(struct l_netconfig *netconfig,
+                                               bool enabled)
+{
+       if (unlikely(!netconfig || netconfig->started))
+               return false;
+
+       netconfig->acd_enabled = enabled;
+       return true;
+}
+
 static bool netconfig_check_family_config(struct l_netconfig *nc,
                                                uint8_t family)
 {
@@ -1343,6 +1354,7 @@
        l_netconfig_set_gateway_override(netconfig, AF_INET, NULL);
        l_netconfig_set_dns_override(netconfig, AF_INET, NULL);
        l_netconfig_set_domain_names_override(netconfig, AF_INET, NULL);
+       l_netconfig_set_acd_enabled(netconfig, true);
        l_netconfig_set_family_enabled(netconfig, AF_INET6, false);
        l_netconfig_set_static_addr(netconfig, AF_INET6, NULL);
        l_netconfig_set_gateway_override(netconfig, AF_INET6, NULL);
@@ -1434,25 +1446,29 @@
        l_idle_remove(l_steal_ptr(nc->do_static_work));
 
        if (nc->v4_static_addr && !nc->v4_configured) {
-               char ip[INET_ADDRSTRLEN];
+               if (nc->acd_enabled) {
+                       char ip[INET_ADDRSTRLEN];
 
-               l_rtnl_address_get_address(nc->v4_static_addr, ip);
+                       l_rtnl_address_get_address(nc->v4_static_addr, ip);
 
-               nc->acd = l_acd_new(nc->ifindex);
-                l_acd_set_event_handler(nc->acd, netconfig_ipv4_acd_event, nc,
-                                       NULL);
+                       nc->acd = l_acd_new(nc->ifindex);
+                       l_acd_set_event_handler(nc->acd,
+                                               netconfig_ipv4_acd_event, nc,
+                                               NULL);
 
-               if (!l_acd_start(nc->acd, ip)) {
-                       l_acd_destroy(l_steal_ptr(nc->acd));
+                       if (l_acd_start(nc->acd, ip))
+                               goto configure_ipv6;
 
+                       l_acd_destroy(l_steal_ptr(nc->acd));
                        /* Configure right now as a fallback */
-                       netconfig_add_v4_static_address_routes(nc);
-                       nc->v4_configured = true;
-                       netconfig_emit_event(nc, AF_INET,
-                                               L_NETCONFIG_EVENT_CONFIGURE);
                }
+
+               netconfig_add_v4_static_address_routes(nc);
+               nc->v4_configured = true;
+               netconfig_emit_event(nc, AF_INET, L_NETCONFIG_EVENT_CONFIGURE);
        }
 
+configure_ipv6:
        if (nc->v6_static_addr && !nc->v6_configured) {
                netconfig_add_v6_static_address_routes(nc);
                nc->v6_configured = true;
@@ -1731,6 +1747,55 @@
        }
 }
 
+/*
+ * Undo any configuration already applied to the interface by previous
+ * calls to the event handler, by synchronously emitting
+ * L_NETCONFIG_EVENT_UNCONFIGURE events.  This can be called before
+ * l_netconfig_stop() which won't emit any events.  It mainly makes
+ * sense if the interface isn't being removed or brought DOWN, which
+ * would otherwise implicitly remove routes and addresses.
+ */
+LIB_EXPORT void l_netconfig_unconfigure(struct l_netconfig *netconfig)
+{
+       const struct l_queue_entry *entry;
+
+       if (netconfig->v4_configured) {
+               netconfig_remove_v4_address_routes(netconfig, false);
+               netconfig->v4_configured = false;
+
+               netconfig_emit_event(netconfig, AF_INET,
+                                       L_NETCONFIG_EVENT_UNCONFIGURE);
+       }
+
+       if (netconfig->v6_configured) {
+               netconfig_remove_dhcp6_address(netconfig, false);
+               netconfig->v6_configured = false;
+       }
+
+       /* Bulk remove any other routes or addresses */
+       for (entry = l_queue_get_entries(netconfig->addresses.current); entry;
+                       entry = entry->next)
+               l_queue_push_tail(netconfig->addresses.removed, entry->data);
+
+       l_queue_clear(netconfig->addresses.added, NULL);
+       l_queue_clear(netconfig->addresses.updated, NULL);
+       l_queue_clear(netconfig->addresses.current, NULL);
+
+       for (entry = l_queue_get_entries(netconfig->routes.current); entry;
+                       entry = entry->next)
+               l_queue_push_tail(netconfig->routes.removed, entry->data);
+
+       l_queue_clear(netconfig->routes.added, NULL);
+       l_queue_clear(netconfig->routes.updated, NULL);
+       l_queue_clear(netconfig->routes.current, NULL);
+       l_queue_clear(netconfig->icmp_route_data, l_free);
+
+       if (!l_queue_isempty(netconfig->addresses.removed) ||
+                       !l_queue_isempty(netconfig->routes.removed))
+               netconfig_emit_event(netconfig, AF_INET6,
+                                       L_NETCONFIG_EVENT_UNCONFIGURE);
+}
+
 LIB_EXPORT struct l_dhcp_client *l_netconfig_get_dhcp_client(
                                                struct l_netconfig *netconfig)
 {
@@ -1887,18 +1952,26 @@
        const struct l_dhcp_lease *v4_lease;
        const struct l_dhcp6_lease *v6_lease;
 
+       if (!netconfig->v4_configured)
+               goto append_v6;
+
        if (netconfig->v4_dns_override)
                netconfig_strv_cat(&ret, netconfig->v4_dns_override, false);
        else if ((v4_lease =
                        l_dhcp_client_get_lease(netconfig->dhcp_client)))
                netconfig_strv_cat(&ret, l_dhcp_lease_get_dns(v4_lease), true);
 
+append_v6:
+       if (!netconfig->v6_configured)
+               goto done;
+
        if (netconfig->v6_dns_override)
                netconfig_strv_cat(&ret, netconfig->v6_dns_override, false);
        else if ((v6_lease =
                        l_dhcp6_client_get_lease(netconfig->dhcp6_client)))
                netconfig_strv_cat(&ret, l_dhcp6_lease_get_dns(v6_lease), true);
 
+done:
        return ret;
 }
 
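Review bot: The forward gotos at L704 and L714 replace what would read as two plain `if (netconfig->v4_configured) { … }` and `if (netconfig->v6_configured) { … }` blocks, and `goto done` followed by `done: return ret;` is just `return ret;`; labels are this file's house style, so this is taste, but the if-blocks would make the new gating visible at a glance. The gating is also a behaviour change: lease-provided DNS servers are now hidden until the matching family reports configured, which deserves a line in the ChangeLog since the 0.53 entry mentions only EC certificates. The same pattern is applied to the domain-names getter in the next hunks. The enclosing function starts before this hunk.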
@@ -1910,6 +1983,9 @@
        const struct l_dhcp6_lease *v6_lease;
        char *dn;
 
+       if (!netconfig->v4_configured)
+               goto append_v6;
+
        if (netconfig->v4_domain_names_override)
                netconfig_strv_cat(&ret, netconfig->v4_domain_names_override,
                                        false);
@@ -1920,6 +1996,10 @@
                ret[0] = dn;
        }
 
+append_v6:
+       if (!netconfig->v6_configured)
+               goto done;
+
        if (netconfig->v6_dns_override)
                netconfig_strv_cat(&ret, netconfig->v6_domain_names_override,
                                        false);
@@ -1928,5 +2008,6 @@
                netconfig_strv_cat(&ret, l_dhcp6_lease_get_domains(v6_lease),
                                        true);
 
+done:
        return ret;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/netconfig.h new/ell-0.53/ell/netconfig.h
--- old/ell-0.52/ell/netconfig.h        2022-07-15 18:22:44.000000000 +0200
+++ new/ell-0.53/ell/netconfig.h        2022-09-07 20:21:45.000000000 +0200
@@ -68,11 +68,13 @@
                                        char **dns_list);
 bool l_netconfig_set_domain_names_override(struct l_netconfig *netconfig,
                                                uint8_t family, char **names);
+bool l_netconfig_set_acd_enabled(struct l_netconfig *netconfig, bool enabled);
 bool l_netconfig_check_config(struct l_netconfig *netconfig);
 bool l_netconfig_reset_config(struct l_netconfig *netconfig);
 
 bool l_netconfig_start(struct l_netconfig *netconfig);
 void l_netconfig_stop(struct l_netconfig *netconfig);
+void l_netconfig_unconfigure(struct l_netconfig *netconfig);
 
 struct l_dhcp_client *l_netconfig_get_dhcp_client(
                                                struct l_netconfig *netconfig);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/tls-private.h 
new/ell-0.53/ell/tls-private.h
--- old/ell-0.52/ell/tls-private.h      2021-02-16 21:01:42.000000000 +0100
+++ new/ell-0.53/ell/tls-private.h      2022-09-07 20:21:45.000000000 +0200
@@ -112,7 +112,7 @@
 struct tls_cipher_suite {
        uint8_t id[2];
        const char *name;
-       int verify_data_length;
+       size_t verify_data_length;
 
        struct tls_bulk_encryption_algorithm *encryption;
        struct tls_signature_algorithm *signature;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/tls-suites.c 
new/ell-0.53/ell/tls-suites.c
--- old/ell-0.52/ell/tls-suites.c       2022-01-24 21:40:13.000000000 +0100
+++ new/ell-0.53/ell/tls-suites.c       2022-09-07 20:21:45.000000000 +0200
@@ -40,6 +40,68 @@
 #include "ecdh.h"
 #include "missing.h"
 
+enum signature_algorithm {
+       SIGNATURE_ALGORITHM_ANONYMOUS = 0,
+       SIGNATURE_ALGORITHM_RSA = 1,
+       SIGNATURE_ALGORITHM_DSA = 2,
+       SIGNATURE_ALGORITHM_ECDSA = 3,
+};
+
+static enum handshake_hash_type find_hash_by_id(uint8_t id)
+{
+       enum handshake_hash_type hash;
+
+       for (hash = 0; hash < __HANDSHAKE_HASH_COUNT; hash++)
+               if (tls_handshake_hash_data[hash].tls_id == id)
+                       break;
+
+       return hash;
+}
+
+/*
+ * Sanitize DigitallySigned struct input, making sure the lengths
+ * are valid and correspond to what we expect.
+ *
+ * Returns: start of the opaque portion
+ */
+static const uint8_t *validate_digitally_signed(struct l_tls *tls,
+                                       const uint8_t *in, size_t in_len,
+                                       enum signature_algorithm expected_alg,
+                                       uint16_t *opaque_len)
+{
+       size_t offset = 2;
+       uint16_t len;
+
+       if (tls->negotiated_version < L_TLS_V12)
+               offset = 0;
+
+       if (in_len < offset + 2)
+               goto size_error;
+
+       len = l_get_be16(in + offset);
+       if (len != in_len - offset - 2)
+               goto size_error;
+
+       if (tls->negotiated_version >= L_TLS_V12) {
+               if (in[1] != expected_alg) {
+                       TLS_DISCONNECT(TLS_ALERT_DECRYPT_ERROR, 0,
+                                       "Unknown signature algorithm %i",
+                                       in[1]);
+
+                       return NULL;
+               }
+       }
+
+       *opaque_len = len;
+       return in + offset + 2;
+
+size_error:
+       TLS_DISCONNECT(TLS_ALERT_DECODE_ERROR, 0, "Signature msg too "
+                       "short (%zi) or signature length doesn't match",
+                       in_len);
+       return NULL;
+}
+
 static bool tls_rsa_validate_cert_key(struct l_cert *cert)
 {
        return l_cert_get_pubkey_type(cert) == L_CERT_KEY_RSA;
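Review bot: find_hash_by_id (L802–L811) returns __HANDSHAKE_HASH_COUNT when no entry matches and nothing says so; since that is the value callers must test before indexing tls_handshake_hash_data, a comment such as `/* Returns __HANDSHAKE_HASH_COUNT if id is not a supported hash */` belongs above it. validate_digitally_signed's header comment should likewise state that every failure path has already issued TLS_DISCONNECT and returns NULL, so callers only need to `return false` — the caller at L881–L884 relies on exactly that. The length handling itself looks right: `in_len < offset + 2` is rejected before in[1] or l_get_be16(in + offset) is read, and the exact-length comparison refuses trailing bytes, while the hash byte in[0] is deliberately left to the caller. One nit inherited from the old message: `%zi` at L852 formats a size_t, where `%zu` is the matching conversion.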
@@ -112,48 +174,26 @@
        enum l_checksum_type sign_checksum_type;
        uint8_t expected[HANDSHAKE_HASH_MAX_SIZE + 36];
        size_t expected_len;
-       unsigned int offset;
+       const uint8_t *opaque;
+       uint16_t opaque_len;
        bool success;
 
-       /* 2 bytes for SignatureAndHashAlgorithm if version >= 1.2 */
-       offset = 2;
-       if (tls->negotiated_version < L_TLS_V12)
-               offset = 0;
-
-       if (in_len < offset + 2 ||
-                       (size_t) l_get_be16(in + offset) + offset + 2 !=
-                       in_len) {
-               TLS_DISCONNECT(TLS_ALERT_DECODE_ERROR, 0, "Signature msg too "
-                               "short (%zi) or signature length doesn't match",
-                               in_len);
-
+       opaque = validate_digitally_signed(tls, in, in_len,
+                               SIGNATURE_ALGORITHM_RSA, &opaque_len);
+       if (!opaque)
                return false;
-       }
 
        /* Only the default hash type supported */
-       if (in_len != offset + 2 + tls->peer_pubkey_size) {
+       if (opaque_len != tls->peer_pubkey_size) {
                TLS_DISCONNECT(TLS_ALERT_DECODE_ERROR, 0,
-                               "Signature length %zi not equal %zi", in_len,
-                               offset + 2 + tls->peer_pubkey_size);
+                               "Signature length %hu not equal %zi",
+                               opaque_len, tls->peer_pubkey_size);
 
                return false;
        }
 
        if (tls->negotiated_version >= L_TLS_V12) {
-               enum handshake_hash_type hash;
-
-               /* Only RSA supported */
-               if (in[1] != 1 /* RSA_sign */) {
-                       TLS_DISCONNECT(TLS_ALERT_DECRYPT_ERROR, 0,
-                                       "Unknown signature algorithm %i",
-                                       in[1]);
-
-                       return false;
-               }
-
-               for (hash = 0; hash < __HANDSHAKE_HASH_COUNT; hash++)
-                       if (tls_handshake_hash_data[hash].tls_id == in[0])
-                               break;
+               enum handshake_hash_type hash = find_hash_by_id(in[0]);
 
                if (hash == __HANDSHAKE_HASH_COUNT) {
                        TLS_DISCONNECT(TLS_ALERT_DECRYPT_ERROR, 0,
@@ -203,7 +243,7 @@
        }
 
        success = l_key_verify(tls->peer_pubkey, L_KEY_RSA_PKCS1_V1_5,
-                               sign_checksum_type, expected, in + offset + 2,
+                               sign_checksum_type, expected, opaque,
                                expected_len, tls->peer_pubkey_size);
 
        if (!success)
@@ -222,6 +262,81 @@
        .verify = tls_rsa_verify,
 };
 
+static bool tls_ecdsa_validate_cert_key(struct l_cert *cert)
+{
+       return l_cert_get_pubkey_type(cert) == L_CERT_KEY_ECC;
+}
+
+static bool tls_ecdsa_verify(struct l_tls *tls,
+                               const uint8_t *in, size_t in_len,
+                               tls_get_hash_t get_hash,
+                               const uint8_t *data, size_t data_len)
+{
+       /* RFC 8422, Section 5.10: "SHA-1 is used in TLS 1.1 and earlier" */
+       enum handshake_hash_type hash = HANDSHAKE_HASH_SHA1;
+       enum l_checksum_type sign_checksum_type;
+       const uint8_t *opaque;
+       uint16_t opaque_len;
+       uint8_t expected[HANDSHAKE_HASH_MAX_SIZE];
+       size_t expected_len;
+       bool success;
+
+       opaque = validate_digitally_signed(tls, in, in_len,
+                               SIGNATURE_ALGORITHM_ECDSA, &opaque_len);
+       if (!opaque)
+               return false;
+
+       if (tls->negotiated_version >= L_TLS_V12) {
+               hash = find_hash_by_id(in[0]);
+               if (hash == __HANDSHAKE_HASH_COUNT) {
+                       TLS_DISCONNECT(TLS_ALERT_DECRYPT_ERROR, 0,
+                                       "Unknown hash type %i", in[0]);
+                       return false;
+               }
+
+               /* Hash should match the curve, refer to RFC 5480, Section 4 */
+               switch (tls->peer_pubkey_size) {
+               case 32:
+                       if (hash != HANDSHAKE_HASH_SHA256 &&
+                                       hash != HANDSHAKE_HASH_SHA384)
+                               goto bad_hash;
+
+                       break;
+               case 48:
+                       if (hash != HANDSHAKE_HASH_SHA384)
+                               goto bad_hash;
+
+                       break;
+               bad_hash:
+               default:
+                       TLS_DISCONNECT(TLS_ALERT_DECRYPT_ERROR, 0,
+                                       "Invalid hash %i",
+                                       in[0]);
+               }
+       }
+
+       get_hash(tls, hash, data, data_len, expected, &expected_len);
+       sign_checksum_type = tls_handshake_hash_data[hash].l_id;
+
+       success = l_key_verify(tls->peer_pubkey, L_KEY_ECDSA_X962,
+                               sign_checksum_type, expected, opaque,
+                               expected_len, opaque_len);
+
+       if (!success)
+               TLS_DISCONNECT(TLS_ALERT_DECRYPT_ERROR, 0,
+                               "Peer signature verification failed");
+       else
+               TLS_DEBUG("Peer signature verified");
+
+       return success;
+}
+
+static struct tls_signature_algorithm tls_ecdsa_signature = {
+       .id = 3, /* SignatureAlgorithm.ecdsa */
+       .validate_cert_key_type = tls_ecdsa_validate_cert_key,
+       .verify = tls_ecdsa_verify,
+};
+
 static bool tls_send_rsa_client_key_xchg(struct l_tls *tls)
 {
        uint8_t buf[1024 + 32];
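Review bot: The `bad_hash:`/`default:` branch of tls_ecdsa_verify (L976-L981) sends the alert but never returns, so after TLS_DISCONNECT the function falls through to get_hash() and l_key_verify() with whatever `hash` find_hash_by_id() produced (e.g. SHA-1 with a P-256 key, or any hash with a key size other than 32/48) and can still return true to the caller; every other TLS_DISCONNECT in this function (L958-L960) and in tls_rsa_verify is followed by `return false;`. Add `return false;` directly after the TLS_DISCONNECT call in that branch. Whether continuing past TLS_DISCONNECT additionally touches state that tls_disconnect() may have torn down (tls->peer_pubkey is used by l_key_verify on L987) cannot be confirmed from this hunk, but the missing return alone makes the "Invalid hash" alert ineffective. The 32/48 cases also silently assume `peer_pubkey_size` is the curve field size in bytes for EC keys, which is set elsewhere (tls.c); a one-line comment such as `/* peer_pubkey_size is the EC field size in bytes: 32 = P-256, 48 = P-384 */` would make that dependency explicit.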
@@ -1147,7 +1262,6 @@
 static struct tls_cipher_suite tls_rsa_with_3des_ede_cbc_sha = {
        .id = { 0x00, 0x0a },
        .name = "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_3des_ede,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1155,7 +1269,6 @@
 }, tls_dhe_rsa_with_3des_ede_cbc_sha = {
        .id = { 0x00, 0x16 },
        .name = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_3des_ede,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1163,7 +1276,6 @@
 }, tls_rsa_with_aes_128_cbc_sha = {
        .id = { 0x00, 0x2f },
        .name = "TLS_RSA_WITH_AES_128_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_aes128,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1171,7 +1283,6 @@
 }, tls_dhe_rsa_with_aes_128_cbc_sha = {
        .id = { 0x00, 0x33 },
        .name = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_aes128,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1179,7 +1290,6 @@
 }, tls_rsa_with_aes_256_cbc_sha = {
        .id = { 0x00, 0x35 },
        .name = "TLS_RSA_WITH_AES_256_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_aes256,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1187,7 +1297,6 @@
 }, tls_dhe_rsa_with_aes_256_cbc_sha = {
        .id = { 0x00, 0x39 },
        .name = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_aes256,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1195,7 +1304,6 @@
 }, tls_rsa_with_aes_128_cbc_sha256 = {
        .id = { 0x00, 0x3c },
        .name = "TLS_RSA_WITH_AES_128_CBC_SHA256",
-       .verify_data_length = 12,
        .encryption = &tls_aes128,
        .mac = &tls_sha256,
        .signature = &tls_rsa_signature,
@@ -1203,7 +1311,6 @@
 }, tls_rsa_with_aes_256_cbc_sha256 = {
        .id = { 0x00, 0x3d },
        .name = "TLS_RSA_WITH_AES_256_CBC_SHA256",
-       .verify_data_length = 12,
        .encryption = &tls_aes256,
        .mac = &tls_sha256,
        .signature = &tls_rsa_signature,
@@ -1211,7 +1318,6 @@
 }, tls_dhe_rsa_with_aes_128_cbc_sha256 = {
        .id = { 0x00, 0x67 },
        .name = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
-       .verify_data_length = 12,
        .encryption = &tls_aes128,
        .mac = &tls_sha256,
        .signature = &tls_rsa_signature,
@@ -1219,7 +1325,6 @@
 }, tls_dhe_rsa_with_aes_256_cbc_sha256 = {
        .id = { 0x00, 0x6b },
        .name = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
-       .verify_data_length = 12,
        .encryption = &tls_aes256,
        .mac = &tls_sha256,
        .signature = &tls_rsa_signature,
@@ -1227,14 +1332,12 @@
 }, tls_rsa_with_aes_128_gcm_sha256 = {
        .id = { 0x00, 0x9c },
        .name = "TLS_RSA_WITH_AES_128_GCM_SHA256",
-       .verify_data_length = 12,
        .encryption = &tls_aes128_gcm,
        .signature = &tls_rsa_signature,
        .key_xchg = &tls_rsa_key_xchg,
 }, tls_rsa_with_aes_256_gcm_sha384 = {
        .id = { 0x00, 0x9d },
        .name = "TLS_RSA_WITH_AES_256_GCM_SHA384",
-       .verify_data_length = 12,
        .encryption = &tls_aes256_gcm,
        .prf_hmac = L_CHECKSUM_SHA384,
        .signature = &tls_rsa_signature,
@@ -1242,14 +1345,12 @@
 }, tls_dhe_rsa_with_aes_128_gcm_sha256 = {
        .id = { 0x00, 0x9e },
        .name = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
-       .verify_data_length = 12,
        .encryption = &tls_aes128_gcm,
        .signature = &tls_rsa_signature,
        .key_xchg = &tls_dhe,
 }, tls_dhe_rsa_with_aes_256_gcm_sha384 = {
        .id = { 0x00, 0x9f },
        .name = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
-       .verify_data_length = 12,
        .encryption = &tls_aes256_gcm,
        .prf_hmac = L_CHECKSUM_SHA384,
        .signature = &tls_rsa_signature,
@@ -1257,7 +1358,6 @@
 }, tls_ecdhe_rsa_with_3des_ede_cbc_sha = {
        .id = { 0xc0, 0x12 },
        .name = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_3des_ede,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1265,7 +1365,6 @@
 }, tls_ecdhe_rsa_with_aes_128_cbc_sha = {
        .id = { 0xc0, 0x13 },
        .name = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_aes128,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1273,7 +1372,6 @@
 }, tls_ecdhe_rsa_with_aes_256_cbc_sha = {
        .id = { 0xc0, 0x14 },
        .name = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-       .verify_data_length = 12,
        .encryption = &tls_aes256,
        .mac = &tls_sha,
        .signature = &tls_rsa_signature,
@@ -1281,7 +1379,6 @@
 }, tls_ecdhe_rsa_with_aes_128_cbc_sha256 = {
        .id = { 0xc0, 0x27 },
        .name = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-       .verify_data_length = 12,
        .encryption = &tls_aes128,
        .mac = &tls_sha256,
        .signature = &tls_rsa_signature,
@@ -1289,7 +1386,6 @@
 }, tls_ecdhe_rsa_with_aes_256_cbc_sha384 = {
        .id = { 0xc0, 0x28 },
        .name = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-       .verify_data_length = 12,
        .encryption = &tls_aes256,
        .mac = &tls_sha384,
        .prf_hmac = L_CHECKSUM_SHA384,
@@ -1298,23 +1394,57 @@
 }, tls_ecdhe_rsa_with_aes_128_gcm_sha256 = {
        .id = { 0xc0, 0x2f },
        .name = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-       .verify_data_length = 12,
        .encryption = &tls_aes128_gcm,
        .signature = &tls_rsa_signature,
        .key_xchg = &tls_ecdhe,
 }, tls_ecdhe_rsa_with_aes_256_gcm_sha384 = {
        .id = { 0xc0, 0x30 },
        .name = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-       .verify_data_length = 12,
        .encryption = &tls_aes256_gcm,
        .prf_hmac = L_CHECKSUM_SHA384,
        .signature = &tls_rsa_signature,
        .key_xchg = &tls_ecdhe,
+}, tls_ecdhe_ecdsa_with_3des_ede_cbc_sha = {
+       .id = { 0xc0, 0x08 },
+       .name = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+       .encryption = &tls_3des_ede,
+       .mac = &tls_sha,
+       .signature = &tls_ecdsa_signature,
+       .key_xchg = &tls_ecdhe,
+}, tls_ecdhe_ecdsa_with_aes_128_cbc_sha = {
+       .id = { 0xc0, 0x09 },
+       .name = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+       .encryption = &tls_aes128,
+       .mac = &tls_sha,
+       .signature = &tls_ecdsa_signature,
+       .key_xchg = &tls_ecdhe,
+}, tls_ecdhe_ecdsa_with_aes_256_cbc_sha = {
+       .id = { 0xc0, 0x0a },
+       .name = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+       .encryption = &tls_aes256,
+       .mac = &tls_sha,
+       .signature = &tls_ecdsa_signature,
+       .key_xchg = &tls_ecdhe,
+}, tls_ecdhe_ecdsa_with_aes_128_gcm_sha256 = {
+       .id = { 0xc0, 0x2b },
+       .name = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+       .encryption = &tls_aes128_gcm,
+       .signature = &tls_ecdsa_signature,
+       .key_xchg = &tls_ecdhe,
+}, tls_ecdhe_ecdsa_with_aes_256_gcm_sha384 = {
+       .id = { 0xc0, 0x2c },
+       .name = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+       .encryption = &tls_aes256_gcm,
+       .prf_hmac = L_CHECKSUM_SHA384,
+       .signature = &tls_ecdsa_signature,
+       .key_xchg = &tls_ecdhe,
 };
 
 struct tls_cipher_suite *tls_cipher_suite_pref[] = {
        &tls_ecdhe_rsa_with_aes_256_cbc_sha,
+       &tls_ecdhe_ecdsa_with_aes_256_cbc_sha,
        &tls_ecdhe_rsa_with_aes_128_cbc_sha,
+       &tls_ecdhe_ecdsa_with_aes_128_cbc_sha,
        &tls_dhe_rsa_with_aes_256_cbc_sha,
        &tls_dhe_rsa_with_aes_128_cbc_sha,
        &tls_rsa_with_aes_256_cbc_sha,
@@ -1327,11 +1457,14 @@
        &tls_rsa_with_aes_128_cbc_sha256,
        &tls_ecdhe_rsa_with_aes_256_gcm_sha384,
        &tls_ecdhe_rsa_with_aes_128_gcm_sha256,
+       &tls_ecdhe_ecdsa_with_aes_256_gcm_sha384,
+       &tls_ecdhe_ecdsa_with_aes_128_gcm_sha256,
        &tls_dhe_rsa_with_aes_256_gcm_sha384,
        &tls_dhe_rsa_with_aes_128_gcm_sha256,
        &tls_rsa_with_aes_256_gcm_sha384,
        &tls_rsa_with_aes_128_gcm_sha256,
        &tls_ecdhe_rsa_with_3des_ede_cbc_sha,
+       &tls_ecdhe_ecdsa_with_3des_ede_cbc_sha,
        &tls_dhe_rsa_with_3des_ede_cbc_sha,
        &tls_rsa_with_3des_ede_cbc_sha,
        NULL,
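Review bot: Adding `&tls_ecdhe_ecdsa_with_3des_ede_cbc_sha` to the default tls_cipher_suite_pref[] (L1230) extends a 64-bit-block cipher (3DES, the Sweet32 class of attacks) to ECDSA-authenticated connections in 2022; it mirrors the existing RSA 3DES entries, so it is consistent, but a new suite is also the natural place to stop offering 3DES by default. Consider keeping the suite definition but leaving it out of the preference list, or at least adding a comment on the 3DES entries such as `/* 3DES kept for legacy peers only; 64-bit block size, see Sweet32 */`. The placement of the new GCM suites below the CBC ones follows the pre-existing ordering and is not introduced here.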
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/tls.c new/ell-0.53/ell/tls.c
--- old/ell-0.52/ell/tls.c      2022-06-04 21:58:23.000000000 +0200
+++ new/ell-0.53/ell/tls.c      2022-09-07 20:21:45.000000000 +0200
@@ -1370,11 +1370,25 @@
        tls_tx_record(tls, TLS_CT_CHANGE_CIPHER_SPEC, &buf, 1);
 }
 
+static size_t tls_verify_data_length(struct l_tls *tls, unsigned int index)
+{
+       /*
+        * RFC 5246, Section 7.4.9:
+        *
+        * In previous versions of TLS, the verify_data was always 12 octets
+        * long.  In the current version of TLS, it depends on the cipher
+        * suite.  Any cipher suite which does not explicitly specify
+        * verify_data_length has a verify_data_length equal to 12.
+        */
+       return maxsize(tls->cipher_suite[index]->verify_data_length, 12);
+}
+
 static void tls_send_finished(struct l_tls *tls)
 {
        uint8_t buf[512];
        uint8_t *ptr = buf + TLS_HANDSHAKE_HEADER_SIZE;
        uint8_t seed[HANDSHAKE_HASH_MAX_SIZE * 2];
+       size_t vdl = tls_verify_data_length(tls, 1);
        size_t seed_len;
 
        if (tls->negotiated_version >= L_TLS_V12) {
@@ -1391,8 +1405,8 @@
                                tls->server ? "server finished" :
                                "client finished",
                                seed, seed_len,
-                               ptr, tls->cipher_suite[1]->verify_data_length);
-       ptr += tls->cipher_suite[1]->verify_data_length;
+                               ptr, vdl);
+       ptr += vdl;
 
        tls_tx_handshake(tls, TLS_FINISHED, buf, ptr - buf);
 }
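Review bot: tls_verify_data_length (L1242-L1253) quotes the RFC rule but does not document what `index` selects; the callers pass 1 when sending the Finished message (L1260) and 0 when checking a received one (L1280), which suggests cipher_suite[0]/[1] are the receive/transmit suites, but that convention is only implied. A short parameter comment, e.g. `@index: cipher_suite[] slot, 0 for the receive direction and 1 for transmit (presumably; confirm against the cipher_suite[] definition)`, would help the next reader. Note also that `maxsize(..., 12)` clamps any non-zero value below 12 up to 12 rather than treating only the unspecified (0) case as 12; no current suite sets the field, so this is harmless, but `return vdl ? vdl : 12;` with a local would express the RFC sentence more literally.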
@@ -1400,14 +1414,14 @@
 static bool tls_verify_finished(struct l_tls *tls, const uint8_t *received,
                                size_t len)
 {
-       uint8_t expected[tls->cipher_suite[0]->verify_data_length];
+       size_t vdl = tls_verify_data_length(tls, 0);
+       uint8_t expected[vdl];
        uint8_t *seed;
        size_t seed_len;
 
-       if (len != (size_t) tls->cipher_suite[0]->verify_data_length) {
+       if (len != vdl) {
                TLS_DISCONNECT(TLS_ALERT_DECODE_ERROR, 0,
-                               "TLS_FINISHED length not %i",
-                               tls->cipher_suite[0]->verify_data_length);
+                               "TLS_FINISHED length not %zu", vdl);
 
                return false;
        }
@@ -1428,8 +1442,7 @@
                                tls->server ? "client finished" :
                                "server finished",
                                seed, seed_len,
-                               expected,
-                               tls->cipher_suite[0]->verify_data_length);
+                               expected, vdl);
 
        if (memcmp(received, expected, len)) {
                TLS_DISCONNECT(TLS_ALERT_DECRYPT_ERROR, 0,
@@ -2028,12 +2041,22 @@
                return;
        }
 
-       if (!l_key_get_info(tls->peer_pubkey, L_KEY_RSA_PKCS1_V1_5,
-                                       L_CHECKSUM_NONE, &tls->peer_pubkey_size,
-                                       &dummy)) {
+       switch (l_cert_get_pubkey_type(tls->peer_cert)) {
+       case L_CERT_KEY_RSA:
+               if (!l_key_get_info(tls->peer_pubkey, L_KEY_RSA_PKCS1_V1_5,
+                               L_CHECKSUM_NONE,
+                               &tls->peer_pubkey_size, &dummy))
+                       goto pubkey_unsupported;
+               break;
+       case L_CERT_KEY_ECC:
+               if (!l_key_get_info(tls->peer_pubkey, L_KEY_ECDSA_X962,
+                               L_CHECKSUM_SHA1,
+                               &tls->peer_pubkey_size, &dummy))
+                       goto pubkey_unsupported;
+               break;
+       case L_CERT_KEY_UNKNOWN:
                TLS_DISCONNECT(TLS_ALERT_INTERNAL_ERROR, 0,
-                               "Can't l_key_get_info for peer public key");
-
+                               "Unknown public key type");
                return;
        }
 
@@ -2047,6 +2070,10 @@
 
        return;
 
+pubkey_unsupported:
+       TLS_DISCONNECT(TLS_ALERT_INTERNAL_ERROR, 0,
+                               "Can't l_key_get_info for peer public key");
+       return;
 decode_error:
        TLS_DISCONNECT(TLS_ALERT_DECODE_ERROR, 0,
                        "TLS_CERTIFICATE decode error");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/uintset.c new/ell-0.53/ell/uintset.c
--- old/ell-0.52/ell/uintset.c  2022-01-05 22:10:31.000000000 +0100
+++ new/ell-0.53/ell/uintset.c  2022-09-07 20:21:45.000000000 +0200
@@ -533,6 +533,43 @@
 }
 
 /**
+ * l_uintset_subtract:
+ * @set_a: The set of numbers
+ * @set_b: The set of numbers to subtract from set_a
+ *
+ * Subtracts two sets of numbers of an equal base, e.g.:
+ * l_uintset_get_min(set_a) must be equal to l_uintset_get_min(set_b) and
+ * l_uintset_get_max(set_a) must be equal to l_uintset_get_max(set_b)
+ *
+ * Returns: A newly allocated l_uintset containing set_a - set_b
+ */
+LIB_EXPORT struct l_uintset *l_uintset_subtract(const struct l_uintset *set_a,
+                                               const struct l_uintset *set_b)
+{
+       struct l_uintset *subtraction;
+       uint32_t offset;
+       uint32_t offset_max;
+
+       if (unlikely(!set_a || !set_b))
+               return NULL;
+
+       if (unlikely(set_a->min != set_b->min || set_a->max != set_b->max))
+               return NULL;
+
+       subtraction = l_uintset_new_from_range(set_a->min, set_a->max);
+
+       offset_max = (set_a->size + BITS_PER_LONG - 1) / BITS_PER_LONG;
+
+       /* Subtract by: set_a & ~set_b */
+       for (offset = 0; offset < offset_max; offset++) {
+               subtraction->bits[offset] =
+                               set_a->bits[offset] & ~(set_b->bits[offset]);
+       }
+
+       return subtraction;
+}
+
+/**
  * l_uintset_isempty
  * @set: The set of numbers
  *
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/uintset.h new/ell-0.53/ell/uintset.h
--- old/ell-0.52/ell/uintset.h  2022-01-05 22:10:31.000000000 +0100
+++ new/ell-0.53/ell/uintset.h  2022-09-07 20:21:45.000000000 +0200
@@ -60,6 +60,9 @@
 struct l_uintset *l_uintset_clone(const struct l_uintset *original);
 struct l_uintset *l_uintset_intersect(const struct l_uintset *set_a,
                                                const struct l_uintset *set_b);
+struct l_uintset *l_uintset_subtract(const struct l_uintset *set_a,
+                                               const struct l_uintset *set_b);
+
 bool l_uintset_isempty(const struct l_uintset *set);
 uint32_t l_uintset_size(const struct l_uintset *set);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/ell/useful.h new/ell-0.53/ell/useful.h
--- old/ell-0.52/ell/useful.h   2022-07-15 18:22:44.000000000 +0200
+++ new/ell-0.53/ell/useful.h   2022-09-07 20:21:45.000000000 +0200
@@ -38,6 +38,14 @@
        return b;
 }
 
+static inline size_t maxsize(size_t a, size_t b)
+{
+       if (a >= b)
+               return a;
+
+       return b;
+}
+
 static inline void set_bit(void *addr, unsigned int bit)
 {
        unsigned char *field = addr;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/unit/test-tls.c new/ell-0.53/unit/test-tls.c
--- old/ell-0.52/unit/test-tls.c        2021-02-04 17:11:59.000000000 +0100
+++ new/ell-0.53/unit/test-tls.c        2022-09-07 20:21:45.000000000 +0200
@@ -325,6 +325,24 @@
        l_queue_destroy(twocas, (l_queue_destroy_func_t) l_cert_free);
 }
 
+static void test_ec_certificates(const void *data)
+{
+       struct l_queue *cacert;
+       struct l_certchain *chain;
+
+       cacert = l_pem_load_certificate_list(CERTDIR "ec-cert-ca.pem");
+       assert(cacert && !l_queue_isempty(cacert));
+
+       chain = l_pem_load_certificate_chain(CERTDIR "ec-cert-server.pem");
+       assert(chain);
+
+       assert(l_certchain_verify(chain, cacert, NULL));
+       assert(l_certchain_verify(chain, NULL, NULL));
+
+       l_certchain_free(chain);
+       l_queue_destroy(cacert, (l_queue_destroy_func_t) l_cert_free);
+}
+
 struct tls_conn_test {
        const char *server_cert_path;
        const char *server_key_path;
@@ -948,8 +966,10 @@
        l_test_add("TLS 1.2 PRF with SHA512", test_tls12_prf,
                        &tls12_prf_sha512_0);
 
-       if (l_key_is_supported(L_KEY_FEATURE_RESTRICT))
+       if (l_key_is_supported(L_KEY_FEATURE_RESTRICT)) {
                l_test_add("Certificate chains", test_certificates, NULL);
+               l_test_add("ECDSA Certificates", test_ec_certificates, NULL);
+       }
 
        if (!l_getrandom_is_supported()) {
                printf("getrandom missing, skipping TLS connection tests...\n");
@@ -1030,6 +1050,9 @@
                struct tls_bulk_encryption_algorithm *alg = suite->encryption;
                bool supported;
 
+               if (l_str_has_prefix(suite->name, "TLS_ECDHE_ECDSA"))
+                       continue;
+
                if (alg->cipher_type == TLS_CIPHER_AEAD)
                        supported = l_aead_cipher_is_supported(alg->l_aead_id);
                else
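Review bot: Skipping every `TLS_ECDHE_ECDSA` suite in the connection tests (L1469-L1470) means the new tls_ecdsa_verify path, including its hash-to-curve check, is never exercised end to end by this test suite, so a defect in that function would go unnoticed here; test_ec_certificates only covers chain verification. Presumably the skip exists because the fixture has no EC server key/certificate pair wired into the connection tests even though ec-cert-server.pem is loaded above, in which case a `/* TODO: no EC server key in the fixture yet; ECDSA suites are not exercised */` comment at the skip would at least record the gap. The enclosing loop starts and ends outside this hunk.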
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ell-0.52/unit/test-uintset.c 
new/ell-0.53/unit/test-uintset.c
--- old/ell-0.52/unit/test-uintset.c    2022-01-05 22:10:31.000000000 +0100
+++ new/ell-0.53/unit/test-uintset.c    2022-09-07 20:21:45.000000000 +0200
@@ -388,6 +388,59 @@
        l_uintset_free(set);
 }
 
+static void test_uintset_subtract(const void *data)
+{
+       struct l_uintset *set_a = l_uintset_new_from_range(0, 10);
+       struct l_uintset *set_b = l_uintset_new_from_range(1, 11);
+       struct l_uintset *sub;
+
+       /* Some sanity checks */
+       assert(l_uintset_subtract(NULL, NULL) == NULL);
+       assert(l_uintset_subtract(set_a, set_b) == NULL);
+
+       l_uintset_free(set_a);
+       l_uintset_free(set_b);
+
+       set_a = l_uintset_new_from_range(0, 128);
+       set_b = l_uintset_new_from_range(0, 128);
+
+       /* (<empty>) - (<empty>) = (<empty>) */
+       sub = l_uintset_subtract(set_a, set_b);
+       assert(l_uintset_isempty(sub));
+       l_uintset_free(sub);
+
+       /* Sanity check this works across word boundaries */
+       l_uintset_put(set_b, 65);
+       l_uintset_put(set_b, 64);
+       l_uintset_put(set_b, 63);
+
+       /* (<empty>) - (65, 64, 63) = (<empty>) */
+       sub = l_uintset_subtract(set_a, set_b);
+       assert(!l_uintset_contains(sub, 64));
+       l_uintset_free(sub);
+
+       l_uintset_put(set_a, 64);
+
+       /* (64) - (65, 64, 63) = (<empty>) */
+       sub = l_uintset_subtract(set_a, set_b);
+       assert(!l_uintset_contains(sub, 64));
+       l_uintset_free(sub);
+
+       l_uintset_take(set_b, 64);
+
+       /* (64) - (65, 63) = (64) */
+       sub = l_uintset_subtract(set_a, set_b);
+       assert(l_uintset_contains(sub, 64));
+       l_uintset_free(sub);
+
+       /* (65, 63) - (64) = (65, 63) */
+       sub = l_uintset_subtract(set_b, set_a);
+       assert(l_uintset_contains(sub, 65));
+       assert(!l_uintset_contains(sub, 64));
+       assert(l_uintset_contains(sub, 63));
+       l_uintset_free(sub);
+}
+
 int main(int argc, char *argv[])
 {
        l_test_init(&argc, &argv);
@@ -407,6 +460,7 @@
                                                        &intersect_data_2);
        l_test_add("l_uintset isempty", test_uintset_isempty, NULL);
        l_test_add("l_uintset size", test_uintset_size, NULL);
+       l_test_add("l_uintset_subtract", test_uintset_subtract, NULL);
 
        return l_test_run();
 }
