Hello community, here is the log from the commit of package libressl for openSUSE:Factory checked in at 2020-05-26 17:21:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libressl (Old) and /work/SRC/openSUSE:Factory/.libressl.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libressl"
Tue May 26 17:21:13 2020 rev:50 rq:808401 version:3.1.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/libressl/libressl.changes 2020-05-11 13:45:07.505599649 +0200
+++ /work/SRC/openSUSE:Factory/.libressl.new.2738/libressl.changes 2020-05-26 17:21:28.800253380 +0200
@@ -1,0 +2,7 @@
+Sat May 23 13:17:11 UTC 2020 - Jan Engelhardt <[email protected]>
+
+- Update to release 3.1.2
+ * A TLS client with peer verification disabled may crash when
+ contacting a server that sends an empty certificate list.
+
+-------------------------------------------------------------------
Old:
----
libressl-3.1.1.tar.gz
libressl-3.1.1.tar.gz.asc
New:
----
libressl-3.1.2.tar.gz
libressl-3.1.2.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libressl.spec ++++++
--- /var/tmp/diff_new_pack.yBCfac/_old 2020-05-26 17:21:29.456254791 +0200
+++ /var/tmp/diff_new_pack.yBCfac/_new 2020-05-26 17:21:29.456254791 +0200
@@ -17,7 +17,7 @@
 Name: libressl
-Version: 3.1.1
+Version: 3.1.2
 Release: 0
 Summary: An SSL/TLS protocol implementation
 License: OpenSSL
++++++ libressl-3.1.1.tar.gz -> libressl-3.1.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/CMakeLists.txt new/libressl-3.1.2/CMakeLists.txt
--- old/libressl-3.1.1/CMakeLists.txt 2020-05-08 01:12:43.000000000 +0200
+++ new/libressl-3.1.2/CMakeLists.txt 2020-05-11 13:47:33.000000000 +0200
@@ -299,7 +299,7 @@
 endif()
 elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
 set(HOST_ASM_MACOSX_X86_64 true)
- elseif(MSVC AND "${CMAKE_GENERATOR}" MATCHES "Win64")
+ elseif(MSVC AND ("${CMAKE_GENERATOR}" MATCHES "Win64" OR "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64"))
 set(HOST_ASM_MASM_X86_64 true)
 ENABLE_LANGUAGE(ASM_MASM)
 elseif(CMAKE_SYSTEM_NAME MATCHES "MINGW" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/ChangeLog new/libressl-3.1.2/ChangeLog
--- old/libressl-3.1.1/ChangeLog 2020-05-08 01:12:43.000000000 +0200
+++ new/libressl-3.1.2/ChangeLog 2020-05-20 14:11:06.000000000 +0200
@@ -28,6 +28,11 @@
 LibreSSL Portable Release Notes:
+3.1.2 - Bug fix
+
+ * A TLS client with peer verification disabled may crash when
+ contacting a server that sends an empty certificate list.
+
 3.1.1 - Stable release
 * Improved cipher suite handling to automatically include TLSv1.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/VERSION new/libressl-3.1.2/VERSION
--- old/libressl-3.1.1/VERSION 2020-05-08 01:41:48.000000000 +0200
+++ new/libressl-3.1.2/VERSION 2020-05-21 05:00:00.000000000 +0200
@@ -1,2 +1,2 @@
-3.1.1
+3.1.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/configure new/libressl-3.1.2/configure
--- old/libressl-3.1.1/configure 2020-05-08 01:42:37.000000000 +0200
+++ new/libressl-3.1.2/configure 2020-05-21 05:00:49.000000000 +0200
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libressl 3.1.1. +# Generated by GNU Autoconf 2.69 for libressl 3.1.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
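Review bot: The x64 test added to the `elseif(MSVC AND ...)` branch still misses x64 MSVC builds where neither string names the platform: `CMAKE_GENERATOR_PLATFORM` is normally only set when the user passes `-A` or a toolchain file sets it, so a newer Visual Studio generator left on its default platform, or Ninja/NMake with an x64 toolchain, would presumably fall through and build without the assembly paths. Consider also testing `"${CMAKE_VS_PLATFORM_NAME}" STREQUAL "x64"`, which reflects the effective platform for Visual Studio generators. The same condition is repeated in negated form in the crypto/CMakeLists.txt hunk (`@@ -936,7 +936,8 @@`), so the two copies can drift apart; if `HOST_ASM_MASM_X86_64` is visible in that directory scope, `if(NOT HOST_ASM_MASM_X86_64)` there would keep a single source of truth. The enclosing if/elseif chain starts and ends outside the hunk.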
@@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='libressl' PACKAGE_TARNAME='libressl' -PACKAGE_VERSION='3.1.1' -PACKAGE_STRING='libressl 3.1.1' +PACKAGE_VERSION='3.1.2' +PACKAGE_STRING='libressl 3.1.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1438,7 +1438,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libressl 3.1.1 to adapt to many kinds of systems. +\`configure' configures libressl 3.1.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1508,7 +1508,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libressl 3.1.1:";; + short | recursive ) echo "Configuration of libressl 3.1.2:";; esac cat <<\_ACEOF @@ -1625,7 +1625,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libressl configure 3.1.1 +libressl configure 3.1.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2173,7 +2173,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libressl $as_me 3.1.1, which was +It was created by libressl $as_me 3.1.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3114,7 +3114,7 @@ # Define the identity of the package. PACKAGE='libressl' - VERSION='3.1.1' + VERSION='3.1.2' cat >>confdefs.h <<_ACEOF @@ -14887,7 +14887,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libressl $as_me 3.1.1, which was +This file was extended by libressl $as_me 3.1.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -14944,7 +14944,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libressl config.status 3.1.1 +libressl config.status 3.1.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/crypto/CMakeLists.txt new/libressl-3.1.2/crypto/CMakeLists.txt
--- old/libressl-3.1.1/crypto/CMakeLists.txt 2020-05-08 01:12:43.000000000 +0200
+++ new/libressl-3.1.2/crypto/CMakeLists.txt 2020-05-11 13:47:33.000000000 +0200
@@ -936,7 +936,8 @@
 add_definitions(-DOPENSSL_NO_ASM)
 else()
 if(MSVC)
- if(NOT "${CMAKE_GENERATOR}" MATCHES "Win64")
+ if((NOT "${CMAKE_GENERATOR}" MATCHES "Win64") AND
+ (NOT "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64"))
 add_definitions(-DOPENSSL_NO_ASM)
 endif()
 elseif(WIN32)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/include/openssl/opensslv.h new/libressl-3.1.2/include/openssl/opensslv.h
--- old/libressl-3.1.1/include/openssl/opensslv.h 2020-05-07 12:54:37.000000000 +0200
+++ new/libressl-3.1.2/include/openssl/opensslv.h 2020-05-21 04:59:35.000000000 +0200
@@ -1,11 +1,11 @@
-/* $OpenBSD: opensslv.h,v 1.57 2020/05/06 15:45:22 tb Exp $ */
+/* $OpenBSD: opensslv.h,v 1.57.4.1 2020/05/21 02:27:34 bcook Exp $ */
 #ifndef HEADER_OPENSSLV_H
 #define HEADER_OPENSSLV_H
 /* These will change with each release of LibreSSL-portable */
-#define LIBRESSL_VERSION_NUMBER 0x3010100fL
+#define LIBRESSL_VERSION_NUMBER 0x3010200fL
 /* ^ Patch starts here */
-#define LIBRESSL_VERSION_TEXT "LibreSSL 3.1.1"
+#define LIBRESSL_VERSION_TEXT "LibreSSL 3.1.2"
 /* These will never change */
 #define OPENSSL_VERSION_NUMBER 0x20000000L
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/ssl/tls13_client.c new/libressl-3.1.2/ssl/tls13_client.c
--- old/libressl-3.1.1/ssl/tls13_client.c 2020-05-01 10:55:39.000000000 +0200
+++ new/libressl-3.1.2/ssl/tls13_client.c 2020-05-21 04:59:35.000000000 +0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.54 2020/04/28 20:37:22 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.54.4.1 2020/05/19 20:22:33 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <[email protected]>
 *
@@ -587,6 +587,14 @@
 cert = NULL;
 }
+ /* A server must always provide a non-empty certificate list. */
+ if (sk_X509_num(certs) < 1) {
+ ctx->alert = SSL_AD_DECODE_ERROR;
+ tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
+ "peer failed to provide a certificate", NULL);
+ goto err;
+ }
+
 /*
 * At this stage we still have no proof of possession. As such, it would
 * be preferable to keep the chain and verify once we have successfully
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/ssl/tls13_internal.h new/libressl-3.1.2/ssl/tls13_internal.h
--- old/libressl-3.1.1/ssl/tls13_internal.h 2020-05-01 10:55:39.000000000 +0200
+++ new/libressl-3.1.2/ssl/tls13_internal.h 2020-05-21 04:59:35.000000000 +0200
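Review bot: The empty-list check added in the `@@ -587,6 +587,14 @@` hunk of ssl/tls13_client.c sets `SSL_AD_DECODE_ERROR` without saying why, which reads oddly next to an error named `TLS13_ERR_NO_PEER_CERTIFICATE` and invites a later "correction" to a certificate-related alert. I would extend the comment to cite the requirement, e.g. `/* RFC 8446 4.4.2.4: an empty server Certificate message must be rejected with decode_error. */`, and note there that `sk_X509_num()` returns -1 for a NULL stack, so `< 1` covers that case too. The changelog ties the crash to clients with peer verification disabled, so a regression test that connects with verification off to a server sending an empty certificate list would pin the fix; none is visible in this diff. The enclosing function starts and ends outside the hunk.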
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.67 2020/04/28 20:37:22 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.67.4.1 2020/05/19 20:22:33 tb Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <[email protected]>
 * Copyright (c) 2018 Theo Buehler <[email protected]>
@@ -43,6 +43,7 @@
 #define TLS13_ERR_HRR_FAILED 17
 #define TLS13_ERR_TRAILING_DATA 18
 #define TLS13_ERR_NO_SHARED_CIPHER 19
+#define TLS13_ERR_NO_PEER_CERTIFICATE 21
 typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
 typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *_cbs);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.1/ssl/tls13_legacy.c new/libressl-3.1.2/ssl/tls13_legacy.c
--- old/libressl-3.1.1/ssl/tls13_legacy.c 2020-05-01 10:55:39.000000000 +0200
+++ new/libressl-3.1.2/ssl/tls13_legacy.c 2020-05-21 04:59:35.000000000 +0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_legacy.c,v 1.3 2020/04/28 20:37:22 jsing Exp $ */
+/* $OpenBSD: tls13_legacy.c,v 1.3.4.1 2020/05/19 20:22:33 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <[email protected]>
 *
@@ -119,6 +119,9 @@
 case TLS13_ERR_NO_SHARED_CIPHER:
 reason = SSL_R_NO_SHARED_CIPHER;
 break;
+ case TLS13_ERR_NO_PEER_CERTIFICATE:
+ reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
+ break;
 }
 /* Something (probably libcrypto) already pushed an error on the stack. */
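Review bot: The new `#define TLS13_ERR_NO_PEER_CERTIFICATE 21` in the `@@ -43,6 +43,7 @@` hunk of ssl/tls13_internal.h jumps from 19 to 21 with no explanation. Since the revision id shows this is a branch (1.67.4.1), the gap presumably keeps the value aligned with a code 20 that exists on the development branch, but nothing in the header says so. A one-line comment above it, such as `/* 20 is left unused on this branch to match -current; do not reuse. */` (wording to be confirmed against the trunk header), would stop a later backport from assigning 20 to something else. The list of error defines starts outside the hunk.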
