Hello community, here is the log from the commit of package libressl for openSUSE:Factory checked in at 2020-06-25 15:07:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libressl (Old) and /work/SRC/openSUSE:Factory/.libressl.new.3060 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libressl" Thu Jun 25 15:07:02 2020 rev:51 rq:816834 version:3.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libressl/libressl.changes 2020-05-26 17:21:28.800253380 +0200 +++ /work/SRC/openSUSE:Factory/.libressl.new.3060/libressl.changes 2020-06-25 15:08:07.181495488 +0200 @@ -1,0 +2,7 @@ +Wed Jun 17 12:22:52 UTC 2020 - Jan Engelhardt <[email protected]> + +- Update to release 3.1.3 + * Fixed libcrypto failing to build a valid certificate chain + due to expired untrusted issuer certificates. + +------------------------------------------------------------------- Old: ---- libressl-3.1.2.tar.gz libressl-3.1.2.tar.gz.asc New: ---- libressl-3.1.3.tar.gz libressl-3.1.3.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libressl.spec ++++++ --- /var/tmp/diff_new_pack.wGTkMc/_old 2020-06-25 15:08:08.101498376 +0200 +++ /var/tmp/diff_new_pack.wGTkMc/_new 2020-06-25 15:08:08.105498388 +0200 @@ -17,7 +17,7 @@ Name: libressl -Version: 3.1.2 +Version: 3.1.3 Release: 0 Summary: An SSL/TLS protocol implementation License: OpenSSL ++++++ libressl-3.1.2.tar.gz -> libressl-3.1.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/CMakeLists.txt new/libressl-3.1.3/CMakeLists.txt --- old/libressl-3.1.2/CMakeLists.txt 2020-05-11 13:47:33.000000000 +0200 +++ new/libressl-3.1.3/CMakeLists.txt 2020-05-24 10:15:38.000000000 +0200 @@ -1,9 +1,12 @@ if(MSVC) -cmake_minimum_required (VERSION 3.16.4) -cmake_policy(SET CMP0091 NEW) + cmake_minimum_required (VERSION 3.16.4) + cmake_policy(SET CMP0091 NEW) else() -cmake_minimum_required (VERSION 3.0) + cmake_minimum_required (VERSION 3.0) endif() + +project (LibreSSL C ASM) + include(CheckFunctionExists) include(CheckSymbolExists) include(CheckLibraryExists) 
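Review bot: The `if(MSVC)` test at the top of CMakeLists.txt still runs before `project (LibreSSL C ASM)`, even after this hunk moves `project()` up, and CMake normally defines `MSVC` only once `project()` has enabled a language. Unless a toolchain file or the command line sets it earlier, the MSVC branch is skipped on a fresh configure, so neither the 3.16.4 requirement nor `cmake_policy(SET CMP0091 NEW)` takes effect. CMP0091 has to be set before the first `project()` call to influence the MSVC runtime-library selection. I would keep `cmake_minimum_required (VERSION 3.0)` unconditional and guard only the policy, placing `if(POLICY CMP0091)` / `cmake_policy(SET CMP0091 NEW)` / `endif()` above `project()`.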
@@ -14,8 +17,6 @@ include(cmake_export_symbol) include(GNUInstallDirs) -project (LibreSSL C ASM) - enable_testing() file(READ ${CMAKE_CURRENT_SOURCE_DIR}/ssl/VERSION SSL_VERSION) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/ChangeLog new/libressl-3.1.3/ChangeLog --- old/libressl-3.1.2/ChangeLog 2020-05-20 14:11:06.000000000 +0200 +++ new/libressl-3.1.3/ChangeLog 2020-06-12 16:40:03.000000000 +0200 @@ -28,6 +28,11 @@ LibreSSL Portable Release Notes: +3.1.3 - Bug fix + + * libcrypto may fail to build a valid certificate chain due to + expired untrusted issuer certificates. + 3.1.2 - Bug fix * A TLS client with peer verification disabled may crash when diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/Makefile.in new/libressl-3.1.3/Makefile.in --- old/libressl-3.1.2/Makefile.in 2020-05-21 05:00:51.000000000 +0200 +++ new/libressl-3.1.3/Makefile.in 2020-06-12 20:29:09.000000000 +0200 @@ -354,6 +354,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/VERSION new/libressl-3.1.3/VERSION --- old/libressl-3.1.2/VERSION 2020-05-21 05:00:00.000000000 +0200 +++ new/libressl-3.1.3/VERSION 2020-06-12 20:28:18.000000000 +0200 @@ -1,2 +1,2 @@ -3.1.2 +3.1.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/apps/Makefile.in new/libressl-3.1.3/apps/Makefile.in --- old/libressl-3.1.2/apps/Makefile.in 2020-05-21 05:00:51.000000000 +0200 +++ new/libressl-3.1.3/apps/Makefile.in 2020-06-12 20:29:10.000000000 +0200 
@@ -300,6 +300,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/apps/nc/Makefile.in new/libressl-3.1.3/apps/nc/Makefile.in --- old/libressl-3.1.2/apps/nc/Makefile.in 2020-05-21 05:00:51.000000000 +0200 +++ new/libressl-3.1.3/apps/nc/Makefile.in 2020-06-12 20:29:10.000000000 +0200 @@ -354,6 +354,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/apps/ocspcheck/Makefile.in new/libressl-3.1.3/apps/ocspcheck/Makefile.in --- old/libressl-3.1.2/apps/ocspcheck/Makefile.in 2020-05-21 05:00:51.000000000 +0200 +++ new/libressl-3.1.3/apps/ocspcheck/Makefile.in 2020-06-12 20:29:10.000000000 +0200 @@ -335,6 +335,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/apps/openssl/Makefile.in new/libressl-3.1.3/apps/openssl/Makefile.in --- old/libressl-3.1.2/apps/openssl/Makefile.in 2020-05-21 05:00:51.000000000 +0200 +++ new/libressl-3.1.3/apps/openssl/Makefile.in 2020-06-12 20:29:10.000000000 +0200 
@@ -392,6 +392,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/configure new/libressl-3.1.3/configure --- old/libressl-3.1.2/configure 2020-05-21 05:00:49.000000000 +0200 +++ new/libressl-3.1.3/configure 2020-06-12 20:29:08.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libressl 3.1.2. +# Generated by GNU Autoconf 2.69 for libressl 3.1.3. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='libressl' PACKAGE_TARNAME='libressl' -PACKAGE_VERSION='3.1.2' -PACKAGE_STRING='libressl 3.1.2' +PACKAGE_VERSION='3.1.3' +PACKAGE_STRING='libressl 3.1.3' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -847,6 +847,7 @@ docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -936,6 +937,7 @@ sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1188,6 +1190,15 @@ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ 
@@ -1325,7 +1336,7 @@ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1438,7 +1449,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libressl 3.1.2 to adapt to many kinds of systems. +\`configure' configures libressl 3.1.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1478,6 +1489,7 @@ --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1508,7 +1520,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libressl 3.1.2:";; + short | recursive ) echo "Configuration of libressl 3.1.3:";; esac cat <<\_ACEOF @@ -1625,7 +1637,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libressl configure 3.1.2 +libressl configure 3.1.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2173,7 +2185,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libressl $as_me 3.1.2, which was +It was created by libressl $as_me 3.1.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -3114,7 +3126,7 @@ # Define the identity of the package. PACKAGE='libressl' - VERSION='3.1.2' + VERSION='3.1.3' cat >>confdefs.h <<_ACEOF @@ -14887,7 +14899,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libressl $as_me 3.1.2, which was +This file was extended by libressl $as_me 3.1.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -14944,7 +14956,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libressl config.status 3.1.2 +libressl config.status 3.1.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/crypto/Makefile.in new/libressl-3.1.3/crypto/Makefile.in --- old/libressl-3.1.2/crypto/Makefile.in 2020-05-21 05:00:56.000000000 +0200 +++ new/libressl-3.1.3/crypto/Makefile.in 2020-06-12 20:29:14.000000000 +0200 @@ -1783,6 +1783,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/crypto/x509/x509_vfy.c new/libressl-3.1.3/crypto/x509/x509_vfy.c --- old/libressl-3.1.2/crypto/x509/x509_vfy.c 2019-03-19 11:24:51.000000000 +0100 +++ new/libressl-3.1.3/crypto/x509/x509_vfy.c 2020-06-12 20:28:17.000000000 +0200 @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.72 2019/03/06 05:06:58 tb Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.72.6.1 2020/06/10 03:56:22 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young ([email protected]) * All rights reserved. * 
@@ -117,7 +117,8 @@ static int null_callback(int ok, X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); -static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); +static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, + int allow_expired); static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); static int check_trust(X509_STORE_CTX *ctx); @@ -324,7 +325,25 @@ } /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { - xtmp = find_issuer(ctx, sktmp, x); + /* + * If we do not find a non-expired untrusted cert, peek + * ahead and see if we can satisify this from the trusted + * store. If not, see if we have an expired untrusted cert. + */ + xtmp = find_issuer(ctx, sktmp, x, 0); + if (xtmp == NULL && + !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) { + ok = ctx->get_issuer(&xtmp, ctx, x); + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto end; + } + if (ok > 0) { + X509_free(xtmp); + break; + } + xtmp = find_issuer(ctx, sktmp, x, 1); + } if (xtmp != NULL) { if (!sk_X509_push(ctx->chain, xtmp)) { X509error(ERR_R_MALLOC_FAILURE); @@ -562,7 +581,8 @@ */ static X509 * -find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) +find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, + int allow_expired) { int i; X509 *issuer, *rv = NULL; @@ -570,9 +590,10 @@ for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) { - rv = issuer; - if (x509_check_cert_time(ctx, rv, -1)) - break; + if (x509_check_cert_time(ctx, issuer, -1)) + return issuer; + if (allow_expired) + rv = issuer; } } return rv; 
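Review bot: In the `@@ -324,7 +325,25 @@` hunk the fallback `xtmp = find_issuer(ctx, sktmp, x, 1);` sits inside the `!(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)` branch, so with that flag set an expired untrusted issuer is no longer added to the chain, whereas the old find_issuer() returned it as a last resort. A chain whose only matching intermediate has expired would then presumably fail as a missing issuer rather than as an expired certificate, which changes what the verify callback and logs report. If that is intended, the block comment should say so; otherwise move the fallback below the peek-ahead block as `if (xtmp == NULL)` / `xtmp = find_issuer(ctx, sktmp, x, 1);` so it runs in both modes. The enclosing loop starts and ends outside the hunk, so any earlier trusted-store lookup for the TRUSTED_FIRST case is not visible here. The new comment also misspells "satisfy" as "satisify".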
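Review bot: find_issuer() gains an `allow_expired` parameter in the `@@ -562,7 +581,8 @@` and `@@ -570,9 +590,10 @@` hunks, but the comment block that ends just above its signature is not touched by this diff and so does not describe the new contract. I would add a sentence such as `Returns the first issuer of x in sk that passes x509_check_cert_time(); if none does, returns the last match that failed the time check when allow_expired is set, else NULL.` The function body continues past the end of the hunk only by its closing brace. get_issuer_sk() in the `@@ -603,7 +624,7 @@` hunk passes `1`, and a short comment there noting that this keeps the previous lookup behaviour would help the next reader.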
@@ -603,7 +624,7 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { - *issuer = find_issuer(ctx, ctx->other_ctx, x); + *issuer = find_issuer(ctx, ctx->other_ctx, x, 1); if (*issuer) { CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); return 1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/include/Makefile.in new/libressl-3.1.3/include/Makefile.in --- old/libressl-3.1.2/include/Makefile.in 2020-05-21 05:00:56.000000000 +0200 +++ new/libressl-3.1.3/include/Makefile.in 2020-06-12 20:29:14.000000000 +0200 @@ -331,6 +331,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/include/openssl/Makefile.in new/libressl-3.1.3/include/openssl/Makefile.in --- old/libressl-3.1.2/include/openssl/Makefile.in 2020-05-21 05:00:56.000000000 +0200 +++ new/libressl-3.1.3/include/openssl/Makefile.in 2020-06-12 20:29:15.000000000 +0200 @@ -289,6 +289,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/include/openssl/opensslv.h new/libressl-3.1.3/include/openssl/opensslv.h --- old/libressl-3.1.2/include/openssl/opensslv.h 2020-05-21 04:59:35.000000000 +0200 +++ new/libressl-3.1.3/include/openssl/opensslv.h 2020-06-12 17:42:59.000000000 +0200 
@@ -3,9 +3,9 @@ #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x3010200fL +#define LIBRESSL_VERSION_NUMBER 0x3010300fL /* ^ Patch starts here */ -#define LIBRESSL_VERSION_TEXT "LibreSSL 3.1.2" +#define LIBRESSL_VERSION_TEXT "LibreSSL 3.1.3" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/man/Makefile.in new/libressl-3.1.3/man/Makefile.in --- old/libressl-3.1.2/man/Makefile.in 2020-05-21 05:00:56.000000000 +0200 +++ new/libressl-3.1.3/man/Makefile.in 2020-06-12 20:29:15.000000000 +0200 @@ -272,6 +272,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/ssl/Makefile.in new/libressl-3.1.3/ssl/Makefile.in --- old/libressl-3.1.2/ssl/Makefile.in 2020-05-21 05:00:57.000000000 +0200 +++ new/libressl-3.1.3/ssl/Makefile.in 2020-06-12 20:29:15.000000000 +0200 @@ -364,6 +364,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/tests/Makefile.in new/libressl-3.1.3/tests/Makefile.in --- old/libressl-3.1.2/tests/Makefile.in 2020-05-21 05:00:57.000000000 +0200 +++ new/libressl-3.1.3/tests/Makefile.in 2020-06-12 20:29:16.000000000 +0200 
@@ -1254,6 +1254,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-3.1.2/tls/Makefile.in new/libressl-3.1.3/tls/Makefile.in --- old/libressl-3.1.2/tls/Makefile.in 2020-05-21 05:00:57.000000000 +0200 +++ new/libressl-3.1.3/tls/Makefile.in 2020-06-12 20:29:16.000000000 +0200 @@ -356,6 +356,7 @@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@
