Hello community, here is the log from the commit of package libressl for openSUSE:Factory checked in at 2017-08-28 15:16:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libressl (Old) and /work/SRC/openSUSE:Factory/.libressl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libressl" Mon Aug 28 15:16:29 2017 rev:31 rq:518756 version:2.5.5 Changes: -------- --- /work/SRC/openSUSE:Factory/libressl/libressl.changes 2017-05-09 18:10:40.253124932 +0200 +++ /work/SRC/openSUSE:Factory/.libressl.new/libressl.changes 2017-08-28 15:17:48.111358661 +0200 @@ -1,0 +2,11 @@ +Thu Aug 24 21:55:42 UTC 2017 - [email protected] + +- Update to new upstream release 2.5.5 + * Distinguish between self-issued certificates and self-signed + certificates. The certificate verification code has special + cases for self-signed certificates and without this change, + self-issued certificates (which it seems are common place + with openvpn/easyrsa) were also being included in this + category. + +------------------------------------------------------------------- Old: ---- libressl-2.5.4.tar.gz libressl-2.5.4.tar.gz.asc New: ---- libressl-2.5.5.tar.gz libressl-2.5.5.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libressl.spec ++++++ --- /var/tmp/diff_new_pack.S4uD2D/_old 2017-08-28 15:17:49.975096769 +0200 +++ /var/tmp/diff_new_pack.S4uD2D/_new 2017-08-28 15:17:49.991094521 +0200 @@ -17,7 +17,7 @@ Name: libressl -Version: 2.5.4 +Version: 2.5.5 Release: 0 Summary: An SSL/TLS protocol implementation License: OpenSSL ++++++ libressl-2.5.4.tar.gz -> libressl-2.5.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/CMakeLists.txt new/libressl-2.5.5/CMakeLists.txt --- old/libressl-2.5.4/CMakeLists.txt 2017-04-30 02:07:14.000000000 +0200 +++ new/libressl-2.5.5/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -4,8 +4,9 @@ include(CheckIncludeFiles) include(CheckTypeSize) -set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}" ${CMAKE_MODULE_PATH}) +set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH}) include(cmake_export_symbol) +include(GNUInstallDirs) project (LibreSSL C) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/ChangeLog new/libressl-2.5.5/ChangeLog --- old/libressl-2.5.4/ChangeLog 2017-05-01 03:59:00.000000000 +0200 +++ new/libressl-2.5.5/ChangeLog 2017-07-09 12:57:25.000000000 +0200 @@ -28,6 +28,21 @@ LibreSSL Portable Release Notes: +2.5.5 - Bug fixes + * Distinguish between self-issued certificates and self-signed + certificates. The certificate verification code has special cases + for self-signed certificates and without this change, self-issued + certificates (which it seems are common place with + openvpn/easyrsa) were also being included in this category. + + * Fix a bug caused by the return value being set early to signal + successful DTLS cookie validation. This can mask a later failure and + result in a positive return value being returned from + ssl3_get_client_hello(), when it should return a negative value to + propagate the error. + + * Added getpagesize fallback, needed for Android bionic libc. + 2.5.4 - Security Updates * Revert a previous change that forced consistency between return diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/INSTALL new/libressl-2.5.5/INSTALL --- old/libressl-2.5.4/INSTALL 2015-09-10 18:51:21.000000000 +0200 +++ new/libressl-2.5.5/INSTALL 1970-01-01 01:00:00.000000000 +0100 @@ -1,370 +0,0 @@ -Installation Instructions -************************* - -Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, -Inc. - - Copying and distribution of this file, with or without modification, -are permitted in any medium without royalty provided the copyright -notice and this notice are preserved. This file is offered as-is, -without warranty of any kind. - -Basic Installation -================== - - Briefly, the shell command `./configure && make && make install' -should configure, build, and install this package. The following -more-detailed instructions are generic; see the `README' file for -instructions specific to this package. Some packages provide this -`INSTALL' file but do not implement all of the features documented -below. The lack of an optional feature in a given package is not -necessarily a bug. More recommendations for GNU packages can be found -in *note Makefile Conventions: (standards)Makefile Conventions. - - The `configure' shell script attempts to guess correct values for -various system-dependent variables used during compilation. It uses -those values to create a `Makefile' in each directory of the package. -It may also create one or more `.h' files containing system-dependent -definitions. Finally, it creates a shell script `config.status' that -you can run in the future to recreate the current configuration, and a -file `config.log' containing compiler output (useful mainly for -debugging `configure'). - - It can also use an optional file (typically called `config.cache' -and enabled with `--cache-file=config.cache' or simply `-C') that saves -the results of its tests to speed up reconfiguring. Caching is -disabled by default to prevent problems with accidental use of stale -cache files. - - If you need to do unusual things to compile the package, please try -to figure out how `configure' could check whether to do them, and mail -diffs or instructions to the address given in the `README' so they can -be considered for the next release. If you are using the cache, and at -some point `config.cache' contains results you don't want to keep, you -may remove or edit it. - - The file `configure.ac' (or `configure.in') is used to create -`configure' by a program called `autoconf'. You need `configure.ac' if -you want to change it or regenerate `configure' using a newer version -of `autoconf'. - - The simplest way to compile this package is: - - 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. - - Running `configure' might take a while. While running, it prints - some messages telling which features it is checking for. - - 2. Type `make' to compile the package. - - 3. Optionally, type `make check' to run any self-tests that come with - the package, generally using the just-built uninstalled binaries. - - 4. Type `make install' to install the programs and any data files and - documentation. When installing into a prefix owned by root, it is - recommended that the package be configured and built as a regular - user, and only the `make install' phase executed with root - privileges. - - 5. Optionally, type `make installcheck' to repeat any self-tests, but - this time using the binaries in their final installed location. - This target does not install anything. Running this target as a - regular user, particularly if the prior `make install' required - root privileges, verifies that the installation completed - correctly. - - 6. You can remove the program binaries and object files from the - source code directory by typing `make clean'. To also remove the - files that `configure' created (so you can compile the package for - a different kind of computer), type `make distclean'. There is - also a `make maintainer-clean' target, but that is intended mainly - for the package's developers. If you use it, you may have to get - all sorts of other programs in order to regenerate files that came - with the distribution. - - 7. Often, you can also type `make uninstall' to remove the installed - files again. In practice, not all packages have tested that - uninstallation works correctly, even though it is required by the - GNU Coding Standards. - - 8. Some packages, particularly those that use Automake, provide `make - distcheck', which can by used by developers to test that all other - targets like `make install' and `make uninstall' work correctly. - This target is generally not run by end users. - -Compilers and Options -===================== - - Some systems require unusual options for compilation or linking that -the `configure' script does not know about. Run `./configure --help' -for details on some of the pertinent environment variables. - - You can give `configure' initial values for configuration parameters -by setting variables in the command line or in the environment. Here -is an example: - - ./configure CC=c99 CFLAGS=-g LIBS=-lposix - - *Note Defining Variables::, for more details. - -Compiling For Multiple Architectures -==================================== - - You can compile the package for more than one kind of computer at the -same time, by placing the object files for each architecture in their -own directory. To do this, you can use GNU `make'. `cd' to the -directory where you want the object files and executables to go and run -the `configure' script. `configure' automatically checks for the -source code in the directory that `configure' is in and in `..'. This -is known as a "VPATH" build. - - With a non-GNU `make', it is safer to compile the package for one -architecture at a time in the source code directory. After you have -installed the package for one architecture, use `make distclean' before -reconfiguring for another architecture. - - On MacOS X 10.5 and later systems, you can create libraries and -executables that work on multiple system types--known as "fat" or -"universal" binaries--by specifying multiple `-arch' options to the -compiler but only a single `-arch' option to the preprocessor. Like -this: - - ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ - CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ - CPP="gcc -E" CXXCPP="g++ -E" - - This is not guaranteed to produce working output in all cases, you -may have to build one architecture at a time and combine the results -using the `lipo' tool if you have problems. - -Installation Names -================== - - By default, `make install' installs the package's commands under -`/usr/local/bin', include files under `/usr/local/include', etc. You -can specify an installation prefix other than `/usr/local' by giving -`configure' the option `--prefix=PREFIX', where PREFIX must be an -absolute file name. - - You can specify separate installation prefixes for -architecture-specific files and architecture-independent files. If you -pass the option `--exec-prefix=PREFIX' to `configure', the package uses -PREFIX as the prefix for installing programs and libraries. -Documentation and other data files still use the regular prefix. - - In addition, if you use an unusual directory layout you can give -options like `--bindir=DIR' to specify different values for particular -kinds of files. Run `configure --help' for a list of the directories -you can set and what kinds of files go in them. In general, the -default for these options is expressed in terms of `${prefix}', so that -specifying just `--prefix' will affect all of the other directory -specifications that were not explicitly provided. - - The most portable way to affect installation locations is to pass the -correct locations to `configure'; however, many packages provide one or -both of the following shortcuts of passing variable assignments to the -`make install' command line to change installation locations without -having to reconfigure or recompile. - - The first method involves providing an override variable for each -affected directory. For example, `make install -prefix=/alternate/directory' will choose an alternate location for all -directory configuration variables that were expressed in terms of -`${prefix}'. Any directories that were specified during `configure', -but not in terms of `${prefix}', must each be overridden at install -time for the entire installation to be relocated. The approach of -makefile variable overrides for each directory variable is required by -the GNU Coding Standards, and ideally causes no recompilation. -However, some platforms have known limitations with the semantics of -shared libraries that end up requiring recompilation when using this -method, particularly noticeable in packages that use GNU Libtool. - - The second method involves providing the `DESTDIR' variable. For -example, `make install DESTDIR=/alternate/directory' will prepend -`/alternate/directory' before all installation names. The approach of -`DESTDIR' overrides is not required by the GNU Coding Standards, and -does not work on platforms that have drive letters. On the other hand, -it does better at avoiding recompilation issues, and works well even -when some directory options were not specified in terms of `${prefix}' -at `configure' time. - -Optional Features -================= - - If the package supports it, you can cause programs to be installed -with an extra prefix or suffix on their names by giving `configure' the -option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. - - Some packages pay attention to `--enable-FEATURE' options to -`configure', where FEATURE indicates an optional part of the package. -They may also pay attention to `--with-PACKAGE' options, where PACKAGE -is something like `gnu-as' or `x' (for the X Window System). The -`README' should mention any `--enable-' and `--with-' options that the -package recognizes. - - For packages that use the X Window System, `configure' can usually -find the X include and library files automatically, but if it doesn't, -you can use the `configure' options `--x-includes=DIR' and -`--x-libraries=DIR' to specify their locations. - - Some packages offer the ability to configure how verbose the -execution of `make' will be. For these packages, running `./configure ---enable-silent-rules' sets the default to minimal output, which can be -overridden with `make V=1'; while running `./configure ---disable-silent-rules' sets the default to verbose, which can be -overridden with `make V=0'. - -Particular systems -================== - - On HP-UX, the default C compiler is not ANSI C compatible. If GNU -CC is not installed, it is recommended to use the following options in -order to use an ANSI C compiler: - - ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" - -and if that doesn't work, install pre-built binaries of GCC for HP-UX. - - HP-UX `make' updates targets which have the same time stamps as -their prerequisites, which makes it generally unusable when shipped -generated files such as `configure' are involved. Use GNU `make' -instead. - - On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot -parse its `<wchar.h>' header file. The option `-nodtk' can be used as -a workaround. If GNU CC is not installed, it is therefore recommended -to try - - ./configure CC="cc" - -and if that doesn't work, try - - ./configure CC="cc -nodtk" - - On Solaris, don't put `/usr/ucb' early in your `PATH'. This -directory contains several dysfunctional programs; working variants of -these programs are available in `/usr/bin'. So, if you need `/usr/ucb' -in your `PATH', put it _after_ `/usr/bin'. - - On Haiku, software installed for all users goes in `/boot/common', -not `/usr/local'. It is recommended to use the following options: - - ./configure --prefix=/boot/common - -Specifying the System Type -========================== - - There may be some features `configure' cannot figure out -automatically, but needs to determine by the type of machine the package -will run on. Usually, assuming the package is built to be run on the -_same_ architectures, `configure' can figure that out, but if it prints -a message saying it cannot guess the machine type, give it the -`--build=TYPE' option. TYPE can either be a short name for the system -type, such as `sun4', or a canonical name which has the form: - - CPU-COMPANY-SYSTEM - -where SYSTEM can have one of these forms: - - OS - KERNEL-OS - - See the file `config.sub' for the possible values of each field. If -`config.sub' isn't included in this package, then this package doesn't -need to know the machine type. - - If you are _building_ compiler tools for cross-compiling, you should -use the option `--target=TYPE' to select the type of system they will -produce code for. - - If you want to _use_ a cross compiler, that generates code for a -platform different from the build platform, you should specify the -"host" platform (i.e., that on which the generated programs will -eventually be run) with `--host=TYPE'. - -Sharing Defaults -================ - - If you want to set default values for `configure' scripts to share, -you can create a site shell script called `config.site' that gives -default values for variables like `CC', `cache_file', and `prefix'. -`configure' looks for `PREFIX/share/config.site' if it exists, then -`PREFIX/etc/config.site' if it exists. Or, you can set the -`CONFIG_SITE' environment variable to the location of the site script. -A warning: not all `configure' scripts look for a site script. - -Defining Variables -================== - - Variables not defined in a site shell script can be set in the -environment passed to `configure'. However, some packages may run -configure again during the build, and the customized values of these -variables may be lost. In order to avoid this problem, you should set -them in the `configure' command line, using `VAR=value'. For example: - - ./configure CC=/usr/local2/bin/gcc - -causes the specified `gcc' to be used as the C compiler (unless it is -overridden in the site shell script). - -Unfortunately, this technique does not work for `CONFIG_SHELL' due to -an Autoconf limitation. Until the limitation is lifted, you can use -this workaround: - - CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash - -`configure' Invocation -====================== - - `configure' recognizes the following options to control how it -operates. - -`--help' -`-h' - Print a summary of all of the options to `configure', and exit. - -`--help=short' -`--help=recursive' - Print a summary of the options unique to this package's - `configure', and exit. The `short' variant lists options used - only in the top level, while the `recursive' variant lists options - also present in any nested packages. - -`--version' -`-V' - Print the version of Autoconf used to generate the `configure' - script, and exit. - -`--cache-file=FILE' - Enable the cache: use and save the results of the tests in FILE, - traditionally `config.cache'. FILE defaults to `/dev/null' to - disable caching. - -`--config-cache' -`-C' - Alias for `--cache-file=config.cache'. - -`--quiet' -`--silent' -`-q' - Do not print messages saying which checks are being made. To - suppress all normal output, redirect it to `/dev/null' (any error - messages will still be shown). - -`--srcdir=DIR' - Look for the package's source code in directory DIR. Usually - `configure' can determine that directory automatically. - -`--prefix=DIR' - Use DIR as the installation prefix. *note Installation Names:: - for more details, including other options available for fine-tuning - the installation locations. - -`--no-create' -`-n' - Run the configure checks, but stop before creating any output - files. - -`configure' also accepts some other, not widely useful, options. Run -`configure --help' for more details. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/Makefile.in new/libressl-2.5.5/Makefile.in --- old/libressl-2.5.4/Makefile.in 2017-05-01 06:09:14.000000000 +0200 +++ new/libressl-2.5.5/Makefile.in 2017-07-09 13:00:06.000000000 +0200 @@ -193,9 +193,8 @@ DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/libcrypto.pc.in \ $(srcdir)/libssl.pc.in $(srcdir)/libtls.pc.in \ - $(srcdir)/openssl.pc.in COPYING ChangeLog INSTALL README \ - compile config.guess config.sub depcomp install-sh ltmain.sh \ - missing tap-driver.sh + $(srcdir)/openssl.pc.in COPYING ChangeLog compile config.guess \ + config.sub install-sh ltmain.sh missing tap-driver.sh DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/README new/libressl-2.5.5/README --- old/libressl-2.5.4/README 2016-11-04 18:56:27.000000000 +0100 +++ new/libressl-2.5.5/README 1970-01-01 01:00:00.000000000 +0100 @@ -1,86 +0,0 @@ - LibreSSL Portable Development Notes - -Quick start: - - * First, set LIBRESSL_GIT to point to where you want to check out the code from. - If you are logged into cvs.openbsd.org, you can use direct file access: - export LIBRESSL_GIT=/cvs.b/libressl - - To check out the repository over ssh from cvs.openbsd.org - export [email protected]:/cvs.b/libressl - - If you are checking out the read-only mirror from github, you can just - follow the instructions there. - - * Next, clone the repository and build it (it builds fine on OpenBSD): - git clone $LIBRESSL_GIT/portable libressl - cd libressl - ./autogen.sh - ./configure - make check - -Layout: - - The project consists of two git repositories and some helper scripts: - - /cvs.b/libressl/portable is the portable build framework repository - /cvs.b/libressl/openbsd is a partial mirror of the OpenBSD CVS source tree. - /cvs.b/libressl/update.sh updates the OpenBSD mirror from CVS to git - /cvs.b/libressl/github.sh mirrors portable and openbsd repositories to - http://github.com/libressl-portable - -Scripts in the portable build framework: - - * The 'update.sh' script copies files from the openbsd repository into their - appropriate locations for the portable build to find them, as well as - generating automake files with the file lists to build. - - * The 'autogen.sh' script runs the 'update.sh' script and runs - automake/autoconf to generate a ready-to-build project. - - * The 'dist.sh' script runs the 'autogen.sh' script and generates a - distribution-ready tarball of the LibreSSL portable project. - -To make and test changes: - - * If you are changing files in the 'portable' repository, it is easy. - 1. change the required files - 2. if you have built previously, run 'make check' and things will - automatically rebuild and run the unit tests. - 3. 'git commit' to commit your patch to your clone - 4. send review with 'git send-email', and/or 'git push' to the repository - - * If you are changing files in the 'openbsd' repository, it is a little more - complicated. Here is what works for me: - 1. make the change locally in the local openbsd clone - 2. run 'update.sh' or 'autogen.sh' to copy the file into place. - 3. run 'make check' to test - 4. if the patch is good, either: - a. run 'git diff' to extract the patch, apply it to your CVS tree, or: - b. 'git commit' commit to your local openbsd clone and: - use 'git send-email <hash>' to generate a patch for review - use 'git show -a <hash>' to generate a patch to apply to CVS - 5. if the patch is good, commit to CVS - 6. after your code is in CVS, resync the upstream openbsd git mirror - run /cvs.b/libressl/update.sh, wait 10-12 minutes for the sync to complete - 7. remove your local openbsd clone, or - reset your local openbsd clone with 'git reset --hard origin/master' - 8. run 'autogen.sh' again to checkout the latest openbsd clone and move - the openbsd files back into place - -Maintenance: - - * Periodically run /cvs.b/libressl/update.sh on cvs.openbsd.org to sync the - openbsd mirror with the CVS tree. - * Running /cvs.b/libressl/github.sh requires that you register a public SSH - key with github first before you can upload. - -Publishing a new release: - - * Edit the number in the VERSION file to the correct version - * Edit the branch in the OPENBSD_BRANCH file to point to the correct branch - * Check in and push the changes - * run './dist.sh' to checkout the desired openbsd branch and generate a - distribution tarball. - * test the tarball on all target platforms - * Sign and copy the tarball and signify files to /home/libressl diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/VERSION new/libressl-2.5.5/VERSION --- old/libressl-2.5.4/VERSION 2017-05-01 06:08:54.000000000 +0200 +++ new/libressl-2.5.5/VERSION 2017-07-09 12:59:48.000000000 +0200 @@ -1,2 +1,2 @@ -2.5.4 +2.5.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/apps/nc/CMakeLists.txt new/libressl-2.5.5/apps/nc/CMakeLists.txt --- old/libressl-2.5.4/apps/nc/CMakeLists.txt 2017-01-07 14:22:01.000000000 +0100 +++ new/libressl-2.5.5/apps/nc/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -53,8 +53,8 @@ target_link_libraries(nc tls ${OPENSSL_LIBS}) if(ENABLE_NC) - install(TARGETS nc DESTINATION bin) - install(FILES nc.1 DESTINATION share/man/man1) + install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR}) + install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1) endif() endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/apps/ocspcheck/CMakeLists.txt new/libressl-2.5.5/apps/ocspcheck/CMakeLists.txt --- old/libressl-2.5.4/apps/ocspcheck/CMakeLists.txt 2017-01-27 14:14:24.000000000 +0100 +++ new/libressl-2.5.5/apps/ocspcheck/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -36,7 +36,7 @@ add_executable(ocspcheck ${OCSPCHECK_SRC}) target_link_libraries(ocspcheck tls ${OPENSSL_LIBS}) -install(TARGETS ocspcheck DESTINATION bin) -install(FILES ocspcheck.8 DESTINATION share/man/man8) +install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR}) +install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/apps/openssl/CMakeLists.txt new/libressl-2.5.5/apps/openssl/CMakeLists.txt --- old/libressl-2.5.4/apps/openssl/CMakeLists.txt 2017-01-07 14:22:05.000000000 +0100 +++ new/libressl-2.5.5/apps/openssl/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -76,8 +76,8 @@ add_executable(openssl ${OPENSSL_SRC}) target_link_libraries(openssl ${OPENSSL_LIBS}) -install(TARGETS openssl DESTINATION bin) -install(FILES openssl.1 DESTINATION share/man/man1) +install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR}) +install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1) if(NOT "${OPENSSLDIR}" STREQUAL "") set(CONF_DIR "${OPENSSLDIR}") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/configure new/libressl-2.5.5/configure --- old/libressl-2.5.4/configure 2017-05-01 06:09:13.000000000 +0200 +++ new/libressl-2.5.5/configure 2017-07-09 13:00:05.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libressl 2.5.4. +# Generated by GNU Autoconf 2.69 for libressl 2.5.5. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='libressl' PACKAGE_TARNAME='libressl' -PACKAGE_VERSION='2.5.4' -PACKAGE_STRING='libressl 2.5.4' +PACKAGE_VERSION='2.5.5' +PACKAGE_STRING='libressl 2.5.5' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1420,7 +1420,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libressl 2.5.4 to adapt to many kinds of systems. +\`configure' configures libressl 2.5.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1490,7 +1490,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libressl 2.5.4:";; + short | recursive ) echo "Configuration of libressl 2.5.5:";; esac cat <<\_ACEOF @@ -1606,7 +1606,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libressl configure 2.5.4 +libressl configure 2.5.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2154,7 +2154,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libressl $as_me 2.5.4, which was +It was created by libressl $as_me 2.5.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3095,7 +3095,7 @@ # Define the identity of the package. PACKAGE='libressl' - VERSION='2.5.4' + VERSION='2.5.5' cat >>confdefs.h <<_ACEOF @@ -12228,8 +12228,6 @@ CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS" CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501" CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED" - CFLAGS="$CFLAGS -static-libgcc" - LDFLAGS="$LDFLAGS -static-libgcc" PLATFORM_LDADD='-lws2_32' ;; @@ -14838,7 +14836,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libressl $as_me 2.5.4, which was +This file was extended by libressl $as_me 2.5.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14895,7 +14893,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libressl config.status 2.5.4 +libressl config.status 2.5.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/crypto/CMakeLists.txt new/libressl-2.5.5/crypto/CMakeLists.txt --- old/libressl-2.5.4/crypto/CMakeLists.txt 2017-04-30 04:42:14.000000000 +0200 +++ new/libressl-2.5.5/crypto/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -823,9 +823,9 @@ ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX}) set_target_properties(crypto-shared PROPERTIES VERSION ${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION}) - install(TARGETS crypto crypto-shared DESTINATION lib) + install(TARGETS crypto crypto-shared DESTINATION ${CMAKE_INSTALL_LIBDIR}) else() add_library(crypto STATIC ${CRYPTO_SRC}) - install(TARGETS crypto DESTINATION lib) + install(TARGETS crypto DESTINATION ${CMAKE_INSTALL_LIBDIR}) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/crypto/compat/getpagesize.c new/libressl-2.5.5/crypto/compat/getpagesize.c --- old/libressl-2.5.4/crypto/compat/getpagesize.c 2017-03-17 01:25:08.000000000 +0100 +++ new/libressl-2.5.5/crypto/compat/getpagesize.c 2017-07-06 05:18:20.000000000 +0200 @@ -1,12 +1,18 @@ /* $OpenBSD$ */ #include <unistd.h> + +#ifdef _MSC_VER #include <windows.h> +#endif int -getpagesize(void) -{ +getpagesize(void) { +#ifdef _MSC_VER SYSTEM_INFO system_info; GetSystemInfo(&system_info); return system_info.dwPageSize; +#else + return sysconf(_SC_PAGESIZE); +#endif } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/crypto/x509v3/v3_purp.c new/libressl-2.5.5/crypto/x509v3/v3_purp.c --- old/libressl-2.5.4/crypto/x509v3/v3_purp.c 2017-03-07 06:43:54.000000000 +0100 +++ new/libressl-2.5.5/crypto/x509v3/v3_purp.c 2017-07-09 12:59:47.000000000 +0200 @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_purp.c,v 1.29 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: v3_purp.c,v 1.29.4.1 2017/07/05 15:20:10 jsing Exp $ */ /* Written by Dr Stephen N Henson ([email protected]) for the OpenSSL * project 2001. */ @@ -65,6 +65,14 @@ #include <openssl/x509v3.h> #include <openssl/x509_vfy.h> +#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) +#define ku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) +#define xku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) +#define ns_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) + static void x509v3_cache_extensions(X509 *x); static int check_ssl_ca(const X509 *x); @@ -427,19 +435,19 @@ ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - int i; + if (x->ex_flags & EXFLAG_SET) return; + #ifndef OPENSSL_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif - /* Does subject name match issuer ? */ - if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) - x->ex_flags |= EXFLAG_SI; + /* V1 should mean no extensions ... */ if (!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; + /* Handle basic constraints */ if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { if (bs->ca) @@ -456,6 +464,7 @@ BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; } + /* Handle proxy certificates */ if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { if (x->ex_flags & EXFLAG_CA || @@ -477,6 +486,7 @@ PROXY_CERT_INFO_EXTENSION_free(pci); x->ex_flags |= EXFLAG_PROXY; } + /* Handle key usage */ if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { if (usage->length > 0) { @@ -541,6 +551,16 @@ x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); + + /* Does subject name match issuer? */ + if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { + x->ex_flags |= EXFLAG_SI; + /* If SKID matches AKID also indicate self signed. */ + if (X509_check_akid(x, x->akid) == X509_V_OK && + !ku_reject(x, KU_KEY_CERT_SIGN)) + x->ex_flags |= EXFLAG_SS; + } + x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); if (!x->nc && (i != -1)) @@ -571,14 +591,6 @@ * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ -#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) -#define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#define xku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) -#define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) - static int check_ca(const X509 *x) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/include/CMakeLists.txt new/libressl-2.5.5/include/CMakeLists.txt --- old/libressl-2.5.4/include/CMakeLists.txt 2017-01-07 14:22:01.000000000 +0100 +++ new/libressl-2.5.5/include/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -1,5 +1,5 @@ install(DIRECTORY . - DESTINATION include + DESTINATION ${CMAKE_INSTALL_INCLUDEDIR} PATTERN "CMakeLists.txt" EXCLUDE PATTERN "compat" EXCLUDE PATTERN "Makefile*" EXCLUDE) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/include/openssl/opensslv.h new/libressl-2.5.5/include/openssl/opensslv.h --- old/libressl-2.5.4/include/openssl/opensslv.h 2017-05-01 03:29:45.000000000 +0200 +++ new/libressl-2.5.5/include/openssl/opensslv.h 2017-07-09 12:59:47.000000000 +0200 @@ -1,10 +1,10 @@ -/* $OpenBSD: opensslv.h,v 1.39.4.2 2017/04/29 19:56:13 bcook Exp $ */ +/* $OpenBSD: opensslv.h,v 1.39.4.3 2017/07/07 05:28:12 bcook Exp $ */ #ifndef HEADER_OPENSSLV_H #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x2050400fL -#define LIBRESSL_VERSION_TEXT "LibreSSL 2.5.4" +#define LIBRESSL_VERSION_NUMBER 0x2050500fL +#define LIBRESSL_VERSION_TEXT "LibreSSL 2.5.5" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/include/openssl/x509v3.h new/libressl-2.5.5/include/openssl/x509v3.h --- old/libressl-2.5.4/include/openssl/x509v3.h 2017-03-07 06:43:54.000000000 +0100 +++ new/libressl-2.5.5/include/openssl/x509v3.h 2017-07-09 12:59:47.000000000 +0200 @@ -1,4 +1,4 @@ -/* $OpenBSD: x509v3.h,v 1.21 2016/12/30 16:19:24 jsing Exp $ */ +/* $OpenBSD: x509v3.h,v 1.21.4.1 2017/07/05 15:20:10 jsing Exp $ */ /* Written by Dr Stephen N Henson ([email protected]) for the OpenSSL * project 1999. */ @@ -411,23 +411,21 @@ /* X509_PURPOSE stuff */ -#define EXFLAG_BCONS 0x1 -#define EXFLAG_KUSAGE 0x2 -#define EXFLAG_XKUSAGE 0x4 -#define EXFLAG_NSCERT 0x8 - -#define EXFLAG_CA 0x10 -/* Really self issued not necessarily self signed */ -#define EXFLAG_SI 0x20 -#define EXFLAG_SS 0x20 -#define EXFLAG_V1 0x40 -#define EXFLAG_INVALID 0x80 -#define EXFLAG_SET 0x100 -#define EXFLAG_CRITICAL 0x200 -#define EXFLAG_PROXY 0x400 - -#define EXFLAG_INVALID_POLICY 0x800 +#define EXFLAG_BCONS 0x0001 +#define EXFLAG_KUSAGE 0x0002 +#define EXFLAG_XKUSAGE 0x0004 +#define EXFLAG_NSCERT 0x0008 + +#define EXFLAG_CA 0x0010 +#define EXFLAG_SI 0x0020 /* Self issued. */ +#define EXFLAG_V1 0x0040 +#define EXFLAG_INVALID 0x0080 +#define EXFLAG_SET 0x0100 +#define EXFLAG_CRITICAL 0x0200 +#define EXFLAG_PROXY 0x0400 +#define EXFLAG_INVALID_POLICY 0x0800 #define EXFLAG_FRESHEST 0x1000 +#define EXFLAG_SS 0x2000 /* Self signed. */ #define KU_DIGITAL_SIGNATURE 0x0080 #define KU_NON_REPUDIATION 0x0040 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/m4/check-os-options.m4 new/libressl-2.5.5/m4/check-os-options.m4 --- old/libressl-2.5.4/m4/check-os-options.m4 2017-01-24 12:55:15.000000000 +0100 +++ new/libressl-2.5.5/m4/check-os-options.m4 2017-07-07 07:09:42.000000000 +0200 @@ -106,8 +106,6 @@ CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS" CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501" CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED" - CFLAGS="$CFLAGS -static-libgcc" - LDFLAGS="$LDFLAGS -static-libgcc" AC_SUBST([PLATFORM_LDADD], ['-lws2_32']) ;; *solaris*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/man/CMakeLists.txt new/libressl-2.5.5/man/CMakeLists.txt --- old/libressl-2.5.4/man/CMakeLists.txt 2017-01-27 12:37:08.000000000 +0100 +++ new/libressl-2.5.5/man/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -1,9 +1,9 @@ install(DIRECTORY . - DESTINATION share/man/man3 + DESTINATION ${CMAKE_INSTALL_MANDIR}/man3 FILES_MATCHING PATTERN "*.3" ) install(DIRECTORY . - DESTINATION share/man/man1 + DESTINATION ${CMAKE_INSTALL_MANDIR}/man1 FILES_MATCHING PATTERN "*.1" ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/ssl/CMakeLists.txt new/libressl-2.5.5/ssl/CMakeLists.txt --- old/libressl-2.5.4/ssl/CMakeLists.txt 2017-03-07 17:07:46.000000000 +0100 +++ new/libressl-2.5.5/ssl/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -60,8 +60,8 @@ ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX}) set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION} SOVERSION ${SSL_MAJOR_VERSION}) - install(TARGETS ssl ssl-shared DESTINATION lib) + install(TARGETS ssl ssl-shared DESTINATION ${CMAKE_INSTALL_LIBDIR}) else() add_library(ssl STATIC ${SSL_SRC}) - install(TARGETS ssl DESTINATION lib) + install(TARGETS ssl DESTINATION ${CMAKE_INSTALL_LIBDIR}) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.5.4/tls/CMakeLists.txt new/libressl-2.5.5/tls/CMakeLists.txt --- old/libressl-2.5.4/tls/CMakeLists.txt 2017-01-27 12:39:27.000000000 +0100 +++ new/libressl-2.5.5/tls/CMakeLists.txt 2017-07-07 07:10:15.000000000 +0200 @@ -39,9 +39,9 @@ ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX}) set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION} SOVERSION ${TLS_MAJOR_VERSION}) - install(TARGETS tls tls-shared DESTINATION lib) + install(TARGETS tls tls-shared DESTINATION ${CMAKE_INSTALL_LIBDIR}) else() add_library(tls STATIC ${TLS_SRC}) - install(TARGETS tls DESTINATION lib) + install(TARGETS tls DESTINATION ${CMAKE_INSTALL_LIBDIR}) endif()
