November 2022 - openSUSE Commits - openSUSE Mailing Lists

commit rage-encryption for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rage-encryption for openSUSE:Factory checked in at 2022-11-01 13:42:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rage-encryption (Old) and /work/SRC/openSUSE:Factory/.rage-encryption.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "rage-encryption" Tue Nov 1 13:42:56 2022 rev:8 rq:1032554 version:0.9.0+0 Changes: -------- --- /work/SRC/openSUSE:Factory/rage-encryption/rage-encryption.changes 2022-08-13 22:36:41.054647374 +0200 +++ /work/SRC/openSUSE:Factory/.rage-encryption.new.2275/rage-encryption.changes 2022-11-01 13:42:57.316019621 +0100 @@ -1,0 +2,11 @@ +Mon Oct 31 02:20:35 UTC 2022 - william.brown(a)suse.com + +- Update to version 0.9.0+0: + * v0.9.0 + * use pkcs1 crate to parse RSAPrivateKey ASN.1 object + * qa: Add workflow that runs `cargo vet --locked` + * qa: Import `cargo vet` audits from Firefox and zcashd + * qa: Add `crypto-reviewed` criteria or `cargo vet` + * qa: `cargo vet init` + +------------------------------------------------------------------- Old: ---- rage-0.8.1+0.tar.gz New: ---- rage-0.9.0+0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rage-encryption.spec ++++++ --- /var/tmp/diff_new_pack.Drw8Ac/_old 2022-11-01 13:42:58.408025430 +0100 +++ /var/tmp/diff_new_pack.Drw8Ac/_new 2022-11-01 13:42:58.412025452 +0100 @@ -20,7 +20,7 @@ Name: rage-encryption # This will be set by osc services, that will run after this. -Version: 0.8.1+0 +Version: 0.9.0+0 Release: 0 Summary: Simple, modern, and secure file encryption tool # If you know the license, put it's SPDX string here. ++++++ _service ++++++ --- /var/tmp/diff_new_pack.Drw8Ac/_old 2022-11-01 13:42:58.448025643 +0100 +++ /var/tmp/diff_new_pack.Drw8Ac/_new 2022-11-01 13:42:58.452025664 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/str4d/rage.git</param> <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param> <param name="scm">git</param> - <param name="revision">v0.8.1</param> + <param name="revision">v0.9.0</param> <param name="match-tag">*</param> <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param> <param name="versionrewrite-replacement">\1</param> ++++++ rage-0.8.1+0.tar.gz -> rage-0.9.0+0.tar.gz ++++++ ++++ 10363 lines of diff (skipped) ++++++ vendor.tar.xz ++++++ /work/SRC/openSUSE:Factory/rage-encryption/vendor.tar.xz /work/SRC/openSUSE:Factory/.rage-encryption.new.2275/vendor.tar.xz differ: char 25, line 1

1 0

commit python-azure-mgmt-netapp for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-azure-mgmt-netapp for openSUSE:Factory checked in at 2022-11-01 13:42:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-azure-mgmt-netapp (Old) and /work/SRC/openSUSE:Factory/.python-azure-mgmt-netapp.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-azure-mgmt-netapp" Tue Nov 1 13:42:54 2022 rev:20 rq:1032551 version:9.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-azure-mgmt-netapp/python-azure-mgmt-netapp.changes 2022-09-29 18:12:41.287176829 +0200 +++ /work/SRC/openSUSE:Factory/.python-azure-mgmt-netapp.new.2275/python-azure-mgmt-netapp.changes 2022-11-01 13:42:55.668010854 +0100 @@ -1,0 +2,8 @@ +Mon Oct 31 12:12:50 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com> + +- New upstream release + + Version 9.0.1 + + For detailed information about changes see the + CHANGELOG.md file provided with this package + +------------------------------------------------------------------- Old: ---- azure-mgmt-netapp-9.0.0.zip New: ---- azure-mgmt-netapp-9.0.1.zip ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-azure-mgmt-netapp.spec ++++++ --- /var/tmp/diff_new_pack.uHLUUA/_old 2022-11-01 13:42:56.196013663 +0100 +++ /var/tmp/diff_new_pack.uHLUUA/_new 2022-11-01 13:42:56.204013705 +0100 @@ -21,7 +21,7 @@ %define skip_python2 1 %endif Name: python-azure-mgmt-netapp -Version: 9.0.0 +Version: 9.0.1 Release: 0 Summary: Microsoft Azure NetApp Files Management Client Library License: MIT

1 0

commit python-azure-mgmt-redis for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-azure-mgmt-redis for openSUSE:Factory checked in at 2022-11-01 13:42:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-azure-mgmt-redis (Old) and /work/SRC/openSUSE:Factory/.python-azure-mgmt-redis.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-azure-mgmt-redis" Tue Nov 1 13:42:54 2022 rev:12 rq:1032552 version:14.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-azure-mgmt-redis/python-azure-mgmt-redis.changes 2022-09-07 11:05:58.944398257 +0200 +++ /work/SRC/openSUSE:Factory/.python-azure-mgmt-redis.new.2275/python-azure-mgmt-redis.changes 2022-11-01 13:42:56.352014493 +0100 @@ -1,0 +2,9 @@ +Mon Oct 31 12:32:24 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com> + +- New upstream release + + Version 14.1.0 + + For detailed information about changes see the + CHANGELOG.md file provided with this package +- Update Requires from setup.py + +------------------------------------------------------------------- Old: ---- azure-mgmt-redis-14.0.0.zip New: ---- azure-mgmt-redis-14.1.0.zip ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-azure-mgmt-redis.spec ++++++ --- /var/tmp/diff_new_pack.v2Hr84/_old 2022-11-01 13:42:56.808016919 +0100 +++ /var/tmp/diff_new_pack.v2Hr84/_new 2022-11-01 13:42:56.812016940 +0100 @@ -21,7 +21,7 @@ %define skip_python2 1 %endif Name: python-azure-mgmt-redis -Version: 14.0.0 +Version: 14.1.0 Release: 0 Summary: Microsoft Azure Redis Cache Management Client Library License: MIT @@ -42,6 +42,9 @@ Requires: python-azure-mgmt-nspkg >= 3.0.0 Requires: python-azure-nspkg >= 3.0.0 Requires: python-msrest >= 0.7.1 +%if %{python_version_nodots} < 38 +Requires: python-typing_extensions >= 4.3.0 +%endif Conflicts: python-azure-sdk <= 2.0.0 BuildArch: noarch

1 0

commit putty for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package putty for openSUSE:Factory checked in at 2022-11-01 13:42:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/putty (Old) and /work/SRC/openSUSE:Factory/.putty.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "putty" Tue Nov 1 13:42:52 2022 rev:29 rq:1032546 version:0.78 Changes: -------- --- /work/SRC/openSUSE:Factory/putty/putty.changes 2022-05-30 12:43:52.592384633 +0200 +++ /work/SRC/openSUSE:Factory/.putty.new.2275/putty.changes 2022-11-01 13:42:54.180002938 +0100 @@ -1,0 +2,27 @@ +Sun Oct 30 19:54:34 UTC 2022 - Jan Engelhardt <jengelh(a)inai.de> + +- Update to release 0.78 + * Support for OpenSSH certificates, for both user + authentication keys and host keys. + * New SSH proxy modes, for running a custom shell command or + subsystem on the proxy server instead of forwarding a port + through it. + * New plugin system to allow a helper program to provide + responses in keyboard-interactive authentication, intended to + automate one-time password systems. + * Support for NTRU Prime post-quantum key exchange, + * Support for AES-GCM (in the OpenSSH style rather than + RFC��5647). + * Support for more forms of Diffie-Hellman key exchange: new + larger integer groups (such as group16 and group18), and + support for using those and ECDH with GSSAPI. + * Bug fix: server-controlled window title setting now works + again even if the character set is ISO 8859 (or a few other + affected single-byte character sets). + * Bug fix: certain forms of OSC escape sequences (sent by some + real servers) could cause PuTTY to crash. + * Bug fix: the -pwfile/-pw options no longer affect local key + passphrase prompts, and no longer suppress Plink's + anti-spoofing measures. + +------------------------------------------------------------------- Old: ---- putty-0.77.tar.gz putty-0.77.tar.gz.gpg New: ---- putty-0.78.tar.gz putty-0.78.tar.gz.gpg ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ putty.spec ++++++ --- /var/tmp/diff_new_pack.Njh987/_old 2022-11-01 13:42:54.808006279 +0100 +++ /var/tmp/diff_new_pack.Njh987/_new 2022-11-01 13:42:54.812006300 +0100 @@ -17,7 +17,7 @@ Name: putty -Version: 0.77 +Version: 0.78 Release: 0 Summary: SSH client with optional GTK-based terminal emulator frontend License: MIT ++++++ putty-0.77.tar.gz -> putty-0.78.tar.gz ++++++ ++++ 47502 lines of diff (skipped) ++++++ putty-03-config.diff ++++++ --- /var/tmp/diff_new_pack.Njh987/_old 2022-11-01 13:42:55.200008364 +0100 +++ /var/tmp/diff_new_pack.Njh987/_new 2022-11-01 13:42:55.204008385 +0100 @@ -10,21 +10,21 @@ windows/utils/defaults.c | 2 - 3 files changed, 35 insertions(+), 22 deletions(-) -Index: putty-0.77/settings.c +Index: putty-0.78/settings.c =================================================================== ---- putty-0.77.orig/settings.c -+++ putty-0.77/settings.c -@@ -17,8 +17,8 @@ - static const struct keyvalwhere ciphernames[] = { +--- putty-0.78.orig/settings.c ++++ putty-0.78/settings.c +@@ -18,8 +18,8 @@ static const struct keyvalwhere cipherna { "aes", CIPHER_AES, -1, -1 }, { "chacha20", CIPHER_CHACHA20, CIPHER_AES, +1 }, + { "aesgcm", CIPHER_AESGCM, CIPHER_CHACHA20, +1 }, - { "3des", CIPHER_3DES, -1, -1 }, { "WARN", CIPHER_WARN, -1, -1 }, + { "3des", CIPHER_3DES, -1, -1 }, { "des", CIPHER_DES, -1, -1 }, { "blowfish", CIPHER_BLOWFISH, -1, -1 }, { "arcfour", CIPHER_ARCFOUR, -1, -1 }, -@@ -862,7 +862,7 @@ void load_open_settings(settings_r *sess +@@ -878,7 +878,7 @@ void load_open_settings(settings_r *sess } gppb(sesskey, "TCPNoDelay", true, conf, CONF_tcp_nodelay); gppb(sesskey, "TCPKeepalives", false, conf, CONF_tcp_keepalives); @@ -33,7 +33,7 @@ gpps(sesskey, "TerminalSpeed", "38400,38400", conf, CONF_termspeed); if (gppmap(sesskey, "TerminalModes", conf, CONF_ttymodes)) { /* -@@ -1046,12 +1046,12 @@ void load_open_settings(settings_r *sess +@@ -1064,12 +1064,12 @@ void load_open_settings(settings_r *sess gppb(sesskey, "PassiveTelnet", false, conf, CONF_passive_telnet); gppb(sesskey, "BackspaceIsDelete", true, conf, CONF_bksp_is_delete); gppb(sesskey, "RXVTHomeEnd", false, conf, CONF_rxvt_homeend); @@ -48,7 +48,7 @@ gppb(sesskey, "NoRemoteResize", false, conf, CONF_no_remote_resize); gppb(sesskey, "NoAltScreen", false, conf, CONF_no_alt_screen); gppb(sesskey, "NoRemoteWinTitle", false, conf, CONF_no_remote_wintitle); -@@ -1073,9 +1073,9 @@ void load_open_settings(settings_r *sess +@@ -1091,9 +1091,9 @@ void load_open_settings(settings_r *sess gppb(sesskey, "ApplicationKeypad", false, conf, CONF_app_keypad); gppb(sesskey, "NetHackKeypad", false, conf, CONF_nethack_keypad); gppb(sesskey, "AltF4", true, conf, CONF_alt_f4); @@ -60,7 +60,7 @@ gppb(sesskey, "CtrlAltKeys", true, conf, CONF_ctrlaltkeys); #ifdef OSX_META_KEY_CONFIG gppb(sesskey, "OSXOptionMeta", true, conf, CONF_osx_option_meta); -@@ -1087,12 +1087,12 @@ void load_open_settings(settings_r *sess +@@ -1105,12 +1105,12 @@ void load_open_settings(settings_r *sess gppi(sesskey, "LocalEdit", AUTO, conf, CONF_localedit); gpps(sesskey, "Answerback", "PuTTY", conf, CONF_answerback); gppb(sesskey, "AlwaysOnTop", false, conf, CONF_alwaysontop); @@ -75,7 +75,7 @@ gppb(sesskey, "BlinkCur", false, conf, CONF_blink_cur); /* pedantic compiler tells me I can't use conf, CONF_beep as an int * :-) */ gppi(sesskey, "Beep", 1, conf, CONF_beep); -@@ -1127,10 +1127,10 @@ void load_open_settings(settings_r *sess +@@ -1145,10 +1145,10 @@ void load_open_settings(settings_r *sess gppb(sesskey, "CRImpliesLF", false, conf, CONF_crhaslf); gppb(sesskey, "DisableArabicShaping", false, conf, CONF_no_arabicshaping); gppb(sesskey, "DisableBidi", false, conf, CONF_no_bidi); @@ -88,7 +88,7 @@ gppfont(sesskey, "Font", conf, CONF_font); gppi(sesskey, "FontQuality", FQ_DEFAULT, conf, CONF_font_quality); gppi(sesskey, "FontVTMode", VT_UNICODE, conf, CONF_vtmode); -@@ -1143,11 +1143,28 @@ void load_open_settings(settings_r *sess +@@ -1161,11 +1161,28 @@ void load_open_settings(settings_r *sess for (i = 0; i < 22; i++) { static const char *const defaults[] = { @@ -122,7 +122,7 @@ }; char buf[20], *buf2; int c0, c1, c2; -@@ -1205,7 +1222,7 @@ void load_open_settings(settings_r *sess +@@ -1223,7 +1240,7 @@ void load_open_settings(settings_r *sess * The empty default for LineCodePage will be converted later * into a plausible default for the locale. */ @@ -131,11 +131,11 @@ gppb(sesskey, "CJKAmbigWide", false, conf, CONF_cjk_ambig_wide); gppb(sesskey, "UTF8Override", true, conf, CONF_utf8_override); gpps(sesskey, "Printer", "", conf, CONF_printer); -Index: putty-0.77/unix/platform.h +Index: putty-0.78/unix/platform.h =================================================================== ---- putty-0.77.orig/unix/platform.h -+++ putty-0.77/unix/platform.h -@@ -389,11 +389,7 @@ void setup_fd_socket(Socket *s, int infd +--- putty-0.78.orig/unix/platform.h ++++ putty-0.78/unix/platform.h +@@ -394,11 +394,7 @@ void fd_socket_set_psb_prefix(Socket *s, /* * Default font setting, which can vary depending on NOT_X_WINDOWS. */ @@ -148,10 +148,10 @@ /* * pty.c. -Index: putty-0.77/windows/utils/defaults.c +Index: putty-0.78/windows/utils/defaults.c =================================================================== ---- putty-0.77.orig/windows/utils/defaults.c -+++ putty-0.77/windows/utils/defaults.c +--- putty-0.78.orig/windows/utils/defaults.c ++++ putty-0.78/windows/utils/defaults.c @@ -9,7 +9,7 @@ FontSpec *platform_default_fontspec(const char *name) {

1 0

commit crash for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package crash for openSUSE:Factory checked in at 2022-11-01 13:42:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/crash (Old) and /work/SRC/openSUSE:Factory/.crash.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "crash" Tue Nov 1 13:42:50 2022 rev:180 rq:1032553 version:7.3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/crash/crash.changes 2021-11-20 02:39:48.460648002 +0100 +++ /work/SRC/openSUSE:Factory/.crash.new.2275/crash.changes 2022-11-01 13:42:52.503994022 +0100 @@ -1,0 +2,48 @@ +Tue Oct 25 22:03:56 UTC 2022 - David Mair <dmair(a)suse.com> + +- make of crash extensions was failing due to extension shared + objects depending on extension source file plus defs.h. defs.h is + hardlinked from the crash base source directory before the .so + make rule but make reports it doesn't know how to make requirement + defs.h. I added a rule for defs.h in the extensions Makefile that + creates defs.h the same way as was previously used but satisfies + the dependency resolution on demand then the make succeeded. + * crash-extensions-rule-for-defs.patch + (bsc#1204587) + +------------------------------------------------------------------- +Tue Feb 15 19:48:44 UTC 2022 - David Mair <dmair(a)suse.com> + +- Update to crash 7.3.1 + - Refresh + * eppic-switch-to-system-lib.patch + - Remove patches present in version upgrade + * 0001-Fix-for-kmem-s-S-option-on-Linux-5.7-and-later-kerne.patch + * 0002-memory-Add-support-for-SECTION_TAINT_ZONE_DEVICE-fla.patch + * 0003-memory-Fix-for-kmem-n-option-to-display-NID-correctl.patch + * 0004-defs.h-Fix-the-value-of-TIF_SIGPENDING-macro.patch + * 0005-Fix-waitq-command-for-Linux-4.13-and-later-kernels.patch + * 0006-Handle-task_struct-state-member-changes-for-kernels-.patch + * 0007-arm64-rename-ARM64_PAGE_OFFSET_ACTUAL-to-ARM64_FLIP_.patch + * 0008-arm64-assign-page_offset-with-VA_BITS-kernel-configu.patch + * 0009-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch + * 0010-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch + * 0011-diskdump-Fail-readmem-early-if-dump-is-incomplete.patch + * 0012-netdump-Permit-zero_excluded-for-incomplete-ELF-dump.patch + * 0013-diskdump-Print-total-number-of-dumpable-pages.patch + * 0014-diskdump-Introduce-read_pd.patch + * 0015-x86_64-Fix-check-for-__per_cpu_offset-initialization.patch + * 0016-arm64-Get-CPU-registers-from-ELF-notes-even-without-.patch + * 0017-ppc64-Add-MMU-type-info-in-machdep-command.patch + * 0018-diskdump-Add-support-for-reading-dumpfiles-compresse.patch + * 0020-arm64-Use-VA_BITS-for-page_offset-calculation.patch + * crash-mod-fix-module-object-file-lookup.patch + * crash-xen-pvops.patch + +------------------------------------------------------------------- +Thu Dec 16 10:05:36 UTC 2021 - Ludwig Nussel <lnussel(a)suse.de> + +- UsrMerge: debug info is in /usr/lib/debug/usr/lib/modules + (boo#1190434, crash-usrmerge.patch) + +------------------------------------------------------------------- Old: ---- 0001-Fix-for-kmem-s-S-option-on-Linux-5.7-and-later-kerne.patch 0002-memory-Add-support-for-SECTION_TAINT_ZONE_DEVICE-fla.patch 0003-memory-Fix-for-kmem-n-option-to-display-NID-correctl.patch 0004-defs.h-Fix-the-value-of-TIF_SIGPENDING-macro.patch 0005-Fix-waitq-command-for-Linux-4.13-and-later-kernels.patch 0006-Handle-task_struct-state-member-changes-for-kernels-.patch 0007-arm64-rename-ARM64_PAGE_OFFSET_ACTUAL-to-ARM64_FLIP_.patch 0008-arm64-assign-page_offset-with-VA_BITS-kernel-configu.patch 0009-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch 0010-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch 0011-diskdump-Fail-readmem-early-if-dump-is-incomplete.patch 0012-netdump-Permit-zero_excluded-for-incomplete-ELF-dump.patch 0013-diskdump-Print-total-number-of-dumpable-pages.patch 0014-diskdump-Introduce-read_pd.patch 0015-x86_64-Fix-check-for-__per_cpu_offset-initialization.patch 0016-arm64-Get-CPU-registers-from-ELF-notes-even-without-.patch 0017-ppc64-Add-MMU-type-info-in-machdep-command.patch 0018-diskdump-Add-support-for-reading-dumpfiles-compresse.patch 0020-arm64-Use-VA_BITS-for-page_offset-calculation.patch crash-7.3.0.tar.gz crash-mod-fix-module-object-file-lookup.patch crash-xen-pvops.patch New: ---- crash-7.3.1.tar.gz crash-extensions-rule-for-defs.patch crash-usrmerge.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ crash.spec ++++++ --- /var/tmp/diff_new_pack.tosWPe/_old 2022-11-01 13:42:53.551999597 +0100 +++ /var/tmp/diff_new_pack.tosWPe/_new 2022-11-01 13:42:53.563999661 +0100 @@ -1,7 +1,7 @@ # # spec file for package crash # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -62,9 +62,9 @@ Summary: Crash utility for live systems; netdump, diskdump, LKCD or mcore dumpfiles License: GFDL-1.2-only AND GPL-3.0-or-later Group: Development/Tools/Debuggers -Version: 7.3.0 +Version: 7.3.1 Release: 0 -Source: https://github.com/crash-utility/crash/archive/7.3.0.tar.gz#/%{name}-%{vers… +Source: https://github.com/crash-utility/crash/archive/7.3.1.tar.gz#/%{name}-%{vers… Source1: http://ftp.gnu.org/gnu/gdb/gdb-7.6.tar.gz Source2: crash_whitepaper-%{whitepaper_version}.tar.bz2 Source3: README.SUSE @@ -97,31 +97,10 @@ Patch27: %{name}-Define-fallback-PN_XNUM.patch Patch29: eppic-remove-duplicate-symbols.patch Patch30: %{name}-enable-zstd-support.patch -# PATCH-FIX-UPSTREAM - https://github.com/crash-utility/crash/commit/4badc6229c69f5cd9da7eb7bdf400… -Patch46: %{name}-xen-pvops.patch -# PATCH-FIX-UPSTREAM - https://github.com/crash-utility/crash/commit/cf0c8d10e1870d89b39f40382634d… -Patch47: %{name}-mod-fix-module-object-file-lookup.patch -Patch48: 0001-Fix-for-kmem-s-S-option-on-Linux-5.7-and-later-kerne.patch -Patch49: 0002-memory-Add-support-for-SECTION_TAINT_ZONE_DEVICE-fla.patch -Patch50: 0003-memory-Fix-for-kmem-n-option-to-display-NID-correctl.patch -Patch51: 0004-defs.h-Fix-the-value-of-TIF_SIGPENDING-macro.patch -Patch52: 0005-Fix-waitq-command-for-Linux-4.13-and-later-kernels.patch -Patch53: 0006-Handle-task_struct-state-member-changes-for-kernels-.patch -Patch54: 0007-arm64-rename-ARM64_PAGE_OFFSET_ACTUAL-to-ARM64_FLIP_.patch -Patch55: 0008-arm64-assign-page_offset-with-VA_BITS-kernel-configu.patch -Patch56: 0009-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch -Patch57: 0010-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch -Patch58: 0011-diskdump-Fail-readmem-early-if-dump-is-incomplete.patch -Patch59: 0012-netdump-Permit-zero_excluded-for-incomplete-ELF-dump.patch -Patch60: 0013-diskdump-Print-total-number-of-dumpable-pages.patch -Patch61: 0014-diskdump-Introduce-read_pd.patch -Patch62: 0015-x86_64-Fix-check-for-__per_cpu_offset-initialization.patch -Patch63: 0016-arm64-Get-CPU-registers-from-ELF-notes-even-without-.patch -Patch64: 0017-ppc64-Add-MMU-type-info-in-machdep-command.patch -Patch65: 0018-diskdump-Add-support-for-reading-dumpfiles-compresse.patch +Patch31: %{name}-extensions-rule-for-defs.patch Patch66: 0019-Add-kernel-version-dependent-check-for-getting-lengt.patch -Patch67: 0020-arm64-Use-VA_BITS-for-page_offset-calculation.patch Patch90: %{name}-sial-ps-2.6.29.diff +Patch99: %{name}-usrmerge.patch BuildRequires: bison BuildRequires: flex BuildRequires: libeppic-devel @@ -321,28 +300,7 @@ %patch24 -p1 %endif %patch27 -p1 -%patch46 -p1 -%patch47 -p1 -%patch48 -p1 -%patch49 -p1 -%patch50 -p1 -%patch51 -p1 -%patch52 -p1 -%patch53 -p1 -%patch54 -p1 -%patch55 -p1 -%patch56 -p1 -%patch57 -p1 -%patch58 -p1 -%patch59 -p1 -%patch60 -p1 -%patch61 -p1 -%patch62 -p1 -%patch63 -p1 -%patch64 -p1 -%patch65 -p1 %patch66 -p1 -%patch67 -p1 %if %{have_snappy} %patch15 -p1 %endif @@ -355,6 +313,8 @@ # cp "$f" "${base#%{name}-}" #done +%patch31 -p1 + ## SIAL patches cd sial-scripts-%{scripts_version} %patch90 -p1 @@ -369,6 +329,9 @@ cp %{S:3} . mkdir kbuild cp %{S:6} memory_driver +%if 0%{?suse_version} > 1550 +%patch99 -p1 +%endif %build %ifarch ppc64le ppc64 ++++++ crash-7.3.0.tar.gz -> crash-7.3.1.tar.gz ++++++ ++++ 2261 lines of diff (skipped) ++++++ crash-extensions-rule-for-defs.patch ++++++ Index: b/extensions/Makefile =================================================================== --- a/extensions/Makefile +++ b/extensions/Makefile @@ -32,6 +32,8 @@ link_defs: @rm -f defs.h @ln ../defs.h +defs.h: link_defs + $(CONTRIB_SO): %.so: %.c defs.h @if [ -f $*.mk ]; then \ make -f $*.mk; \ ++++++ crash-usrmerge.patch ++++++ From: Ludwig Nussel <lnussel(a)suse.de> Subject: debug info is in /usr/lib/debug/usr/lib/modules References: boo#1190434 Upstream: to be done (must not break Red Hat) --- defs.h | 2 +- help.c | 2 +- symbols.c | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) --- a/defs.h +++ b/defs.h @@ -406,7 +406,7 @@ struct number_option { #define PIPE_OPTIONS (FROM_COMMAND_LINE | FROM_INPUT_FILE | REDIRECT_TO_PIPE | \ REDIRECT_TO_STDPIPE | REDIRECT_TO_FILE) -#define DEFAULT_REDHAT_DEBUG_LOCATION "/usr/lib/debug/lib/modules" +#define DEFAULT_REDHAT_DEBUG_LOCATION "/usr/lib/debug/usr/lib/modules" #define MEMORY_DRIVER_MODULE "crash" #define MEMORY_DRIVER_DEVICE "/dev/crash" --- a/help.c +++ b/help.c @@ -9445,7 +9445,7 @@ README_ENTER_DIRECTORY, README_MEMORY_DRIVER, "", " If the kernel file is stored in /boot, /, /boot/efi, or in any /usr/src", -" or /usr/lib/debug/lib/modules subdirectory, then no command line arguments", +" or " DEFAULT_REDHAT_DEBUG_LOCATION " subdirectory, then no command line arguments", " are required -- the first kernel found that matches /proc/version will be", " used as the namelist.", " ", --- a/symbols.c +++ b/symbols.c @@ -299,7 +299,7 @@ check_gnu_debuglink(bfd *bfd) if ((pc->debuginfo_file = (char *) malloc(((strlen(namelist) + strlen("/.debug/") + - + strlen(".debug") + strlen(" /usr/lib/debug/boot/ "))*10) + + strlen(".debug") + strlen(" /usr/lib/debug/usr/lib/modules/ "))*10) + strlen(pc->namelist_debug ? pc->namelist_debug : " "))) == NULL) error(FATAL, "debuginfo file name malloc: %s\n", strerror(errno)); @@ -375,7 +375,7 @@ check_gnu_debuglink(bfd *bfd) } } - sprintf(pc->debuginfo_file, "/usr/lib/debug/boot/%s", contents); + sprintf(pc->debuginfo_file, "/usr/lib/debug/%s/%s", dirname, contents); if (separate_debug_file_exists(pc->debuginfo_file, crc32, &exists)) { if (CRASHDEBUG(1)) fprintf(fp, "%s: CRC matches\n", pc->debuginfo_file); ++++++ eppic-switch-to-system-lib.patch ++++++ --- /var/tmp/diff_new_pack.tosWPe/_old 2022-11-01 13:42:53.932001618 +0100 +++ /var/tmp/diff_new_pack.tosWPe/_new 2022-11-01 13:42:53.936001640 +0100 @@ -16,10 +16,10 @@ - if [ -f "$(GIT)" ]; \ - then \ - if [ -n "$(EPPIC_GIT_URL)" ]; then \ -- git clone "$(EPPIC_GIT_URL)" eppic; \ +- git clone $(EPPIC_GIT_OPTIONS) $(EPPIC_GIT_URL) eppic; \ - else \ - if ping -c 1 -W 5 github.com >/dev/null ; then \ -- git clone https://github.com/lucchouina/eppic.git eppic; \ +- git clone $(EPPIC_GIT_OPTIONS) https://github.com/lucchouina/eppic.git eppic; \ - fi; \ - fi; \ - else \

1 0

commit dehydrated for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package dehydrated for openSUSE:Factory checked in at 2022-11-01 13:42:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dehydrated (Old) and /work/SRC/openSUSE:Factory/.dehydrated.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "dehydrated" Tue Nov 1 13:42:48 2022 rev:25 rq:1032541 version:0.7.1 Changes: -------- --- /work/SRC/openSUSE:Factory/dehydrated/dehydrated.changes 2022-09-08 14:23:53.974702926 +0200 +++ /work/SRC/openSUSE:Factory/.dehydrated.new.2275/dehydrated.changes 2022-11-01 13:42:50.191981722 +0100 @@ -1,0 +2,7 @@ +Sat Oct 29 05:03:26 UTC 2022 - Daniel Molkentin <daniel(a)molkentin.de> + +- Update to 0.7.1 + * See https://github.com/dehydrated-io/dehydrated/releases/tag/v0.7.1 + * Removes more-examples.patch + +------------------------------------------------------------------- Old: ---- dehydrated-0.7.0.tar.gz dehydrated-0.7.0.tar.gz.asc more-examples.patch New: ---- dehydrated-0.7.1.tar.gz dehydrated-0.7.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dehydrated.spec ++++++ --- /var/tmp/diff_new_pack.iceFQx/_old 2022-11-01 13:42:51.739989957 +0100 +++ /var/tmp/diff_new_pack.iceFQx/_new 2022-11-01 13:42:51.783990191 +0100 @@ -53,7 +53,7 @@ %endif Name: dehydrated -Version: 0.7.0 +Version: 0.7.1 Release: 0 Summary: A client for signing certificates with an ACME server License: MIT @@ -77,7 +77,6 @@ Source18: dehydrated-postrun-hooks.service Source19: dehydrated-postrun-hooks@.service Source20: README.postrun-hooks -Patch: more-examples.patch BuildRequires: %{_apache} Requires: coreutils Requires: curl @@ -172,7 +171,6 @@ %prep %setup -q -%patch -p1 cp %{SOURCE9} . cp %{SOURCE10} . cp %{SOURCE20} . @@ -206,10 +204,12 @@ #!/bin/sh systemctl reload apache2.service EOF +%if %{with nginx} cat > %{buildroot}%{_sysconfdir}/dehydrated/postrun-hooks.d/reload-nginx.sh << EOF #!/bin/sh systemctl reload nginx.service EOF +%endif %if %{with nginx} install -m 0755 -d %{buildroot}%{_sysconfdir}/nginx @@ -280,7 +280,7 @@ %{_bindir}/dehydrated %attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge %{_mandir}/man1/* -%doc LICENSE README.md docs/*.md docs/*.jpg +%doc LICENSE README.md docs/*.md %doc README.maintainer %if %{defined redhat} %doc README.Fedora ++++++ dehydrated-0.7.0.tar.gz -> dehydrated-0.7.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/CHANGELOG new/dehydrated-0.7.1/CHANGELOG --- old/dehydrated-0.7.0/CHANGELOG 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/CHANGELOG 2022-10-31 15:12:38.000000000 +0100 @@ -1,6 +1,21 @@ # Change Log This file contains a log of major changes in dehydrated +## [0.7.1] - 2022-10-31 +## Changed +- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that +- Added support for EC secp521r1 algorithm (works with e.g. zerossl) +- `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software) + +## Fixed +- Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers) +- Deprecated `egrep` usage has been removed + +## Added +- Implemented EC for account keys +- Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs) +- Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!) + ## [0.7.0] - 2020-12-10 ## Added - Support for external account bindings diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/LICENSE new/dehydrated-0.7.1/LICENSE --- old/dehydrated-0.7.0/LICENSE 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/LICENSE 2022-10-31 15:12:38.000000000 +0100 @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2015-2018 Lukas Schauer +Copyright (c) 2015-2021 Lukas Schauer Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/README.md new/dehydrated-0.7.1/README.md --- old/dehydrated-0.7.0/README.md 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/README.md 2022-10-31 15:12:38.000000000 +0100 @@ -1,9 +1,6 @@ # dehydrated [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=23P9DSJBTY7C8) -Quick note: dehydrated moved, the license will NOT change, and I will still take care of the project. -See https://lukas.im/2020/01/30/selling-dehydrated/index.html for more details. - -![](docs/logo.jpg) +![](docs/logo.png) Dehydrated is a client for signing certificates with an ACME-server (e.g. Let's Encrypt) implemented as a relatively simple (zsh-compatible) bash-script. This client supports both ACME v1 and the new ACME v2 including support for wildcard certificates! @@ -17,6 +14,7 @@ - Signing of a custom CSR (either standalone or completely automated using hooks!) - Renewal if a certificate is about to expire or defined set of domains changed - Certificate revocation +- and lots more.. Please keep in mind that this software, the ACME-protocol and all supported CA servers out there are relatively young and there might be a few issues. Feel free to report any issues you find with this script or contribute by submitting a pull request, but please check for duplicates first (feel free to comment on those to get things rolling). @@ -74,6 +72,7 @@ --alias certalias Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified) --keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode --force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS + --force-validation Force revalidation of domain names (used in combination with --force) --no-lock (-n) Don't use lockfile (potentially dangerous!) --lock-suffix example.com Suffix lockfile name with a string (useful for with -d) --ocsp Sets option in CSR indicating OCSP stapling to be mandatory @@ -84,28 +83,6 @@ --preferred-chain issuer-cn Use alternative certificate chain identified by issuer CN --out (-o) certs/directory Output certificates into the specified directory --alpn alpn-certs/directory Output alpn verification certificates into the specified directory - --challenge (-t) http-01|dns-01 Which challenge should be used? Currently http-01 and dns-01 are supported + --challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1 ``` - -## Donate - -I'm a student hacker with a few (unfortunately) quite expensive hobbies (self-hosting, virtualization clusters, routing, -high-speed networking, embedded hardware, etc.). -I'm really having fun playing around with hard- and software and I'm steadily learning new things. -Without those hobbies I probably would never have started working on dehydrated to begin with :) - -I'd really appreciate if you could [donate a bit of money](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id… -so I can buy cool stuff (while still being able to afford food :D). - -If you have hardware laying around that you think I'd enjoy playing with (e.g. decommissioned but still modern-ish servers, -10G networking hardware, enterprise grade routers or APs, interesting ARM/MIPS boards, etc.) and that you would be willing -to ship to me please contact me at `donations(a)dehydrated.io` or on Twitter [@lukas2511](https://twitter.com/lukas2511). - -If you want your name to be added to the [donations list](https://dehydrated.io/donations.html) please add a note or send me an -email `donations(a)dehydrated.io`. I respect your privacy and won't publish your name without permission. - -Other ways of donating: - - [My Amazon Wishlist](http://www.amazon.de/registry/wishlist/1TUCFJK35IO4Q) - - Monero: 4Kkf4tF4r9DakxLj37HDXLJgmpVfQoFhT7JLDvXwtUZZMTbsK9spsAPXivWPAFcDUj6jHhY8hJSHX8Cb8ndMhKeQHPSkBZZiK89Fx8NTHk - - Bitcoin: 12487bHxcrREffTGwUDnoxF1uYxCA7ztKK diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/dehydrated new/dehydrated-0.7.1/dehydrated --- old/dehydrated-0.7.0/dehydrated 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/dehydrated 2022-10-31 15:12:38.000000000 +0100 @@ -17,7 +17,7 @@ exec 3>&- exec 4>&- -VERSION="0.7.0" +VERSION="0.7.1" # Find directory in which this script is stored by traversing all symbolic links SOURCE="${0}" @@ -31,6 +31,22 @@ BASEDIR="${SCRIPTDIR}" ORIGARGS=("${@}") +noglob_set() { + if [[ -n "${ZSH_VERSION:-}" ]]; then + set +o noglob + else + set +f + fi +} + +noglob_clear() { + if [[ -n "${ZSH_VERSION:-}" ]]; then + set -o noglob + else + set -f + fi +} + # Generate json.sh path matching string json_path() { if [ ! "${1}" = "-p" ]; then @@ -55,7 +71,6 @@ # Get sub-dictionary from json get_json_dict_value() { local filter - echo "$(json_path "${1:-}" "${2:-}")" filter="$(printf 's/.*\[%s\][[:space:]]*$.*$/\\1/p' "$(json_path "${1:-}" "${2:-}")")" sed -n "${filter}" | jsonsh } @@ -88,7 +103,7 @@ awk_egrep () { local pattern_string=$1 - gawk '{ + awk '{ while ($0) { start=match($0, pattern); token=substr($0, start, RLENGTH); @@ -103,14 +118,15 @@ local ESCAPE local CHAR - if echo "test string" | egrep -ao --color=never "test" >/dev/null 2>&1 + if echo "test string" | grep -Eao --color=never "test" >/dev/null 2>&1 then - GREP='egrep -ao --color=never' + GREP='grep -Eao --color=never' else - GREP='egrep -ao' + GREP='grep -Eao' fi - if echo "test string" | egrep -o "test" >/dev/null 2>&1 + # shellcheck disable=SC2196 + if echo "test string" | grep -Eao "test" >/dev/null 2>&1 then ESCAPE='(\\[^u[:cntrl:]]|\\u[0-9a-fA-F]{4})' CHAR='[^[:cntrl:]"\\]' @@ -126,10 +142,11 @@ local SPACE='[[:space:]]+' # Force zsh to expand $A into multiple words - local is_wordsplit_disabled=$(unsetopt 2>/dev/null | grep -c '^shwordsplit$') - if [ $is_wordsplit_disabled != 0 ]; then setopt shwordsplit; fi - $GREP "$STRING|$NUMBER|$KEYWORD|$SPACE|." | egrep -v "^$SPACE$" - if [ $is_wordsplit_disabled != 0 ]; then unsetopt shwordsplit; fi + local is_wordsplit_disabled + is_wordsplit_disabled="$(unsetopt 2>/dev/null | grep -c '^shwordsplit$')" + if [ "${is_wordsplit_disabled}" != "0" ]; then setopt shwordsplit; fi + $GREP "$STRING|$NUMBER|$KEYWORD|$SPACE|." | grep -Ev "^$SPACE$" + if [ "${is_wordsplit_disabled}" != "0" ]; then unsetopt shwordsplit; fi } parse_array () { @@ -194,17 +211,14 @@ } parse_value () { - local jpath="${1:+$1,}${2:-}" isleaf=0 isempty=0 print=0 + local jpath="${1:+$1,}${2:-}" case "$token" in '{') parse_object "$jpath" ;; '[') parse_array "$jpath" ;; # At this point, the only valid single-character tokens are digits. ''|[!0-9]) throw "EXPECTED value GOT ${token:-EOF}" ;; - *) value=$token + *) value="${token/\\\///}" # replace solidus ("\/") in json strings with normalized value: "/" - value=$(echo "$value" | sed 's#\\/#/#g') - isleaf=1 - [ "$value" = '""' ] && isempty=1 ;; esac [ "$value" = '' ] && return @@ -227,16 +241,26 @@ tokenize | parse } +# Convert IP addresses to their reverse dns variants. +# Used for ALPN certs as validation for IPs uses this in SNI since IPs aren't allowed there. +ip_to_ptr() { + ip="$(cat)" + if [[ "${ip}" =~ : ]]; then + printf "%sip6.arpa" "$(printf "%s" "${ip}" | awk -F: 'BEGIN {OFS=""; }{addCount = 9 - NF; for(i=1; i<=NF;i++){if(length($i) == 0){ for(j=1;j<=addCount;j++){$i = ($i "0000");} } else { $i = substr(("0000" $i), length($i)+5-4);}}; print}' | rev | sed -e "s/./&./g")" + else + printf "%s.in-addr.arpa" "$(printf "%s" "${ip}" | awk -F. '{print $4"."$3"." $2"."$1}')" + fi +} + # Create (identifiable) temporary files _mktemp() { - # shellcheck disable=SC2068 - mktemp ${@:-} "${TMPDIR:-/tmp}/dehydrated-XXXXXX" + mktemp "${TMPDIR:-/tmp}/dehydrated-XXXXXX" } # Check for script dependencies check_dependencies() { # look for required binaries - for binary in grep mktemp diff sed awk curl cut; do + for binary in grep mktemp diff sed awk curl cut head tail hexdump; do bin_path="$(command -v "${binary}" 2>/dev/null)" || _exiterr "This script requires ${binary}." [[ -x "${bin_path}" ]] || _exiterr "${binary} found in PATH but it's not executable" done @@ -254,7 +278,10 @@ store_configvars() { __KEY_ALGO="${KEY_ALGO}" __OCSP_MUST_STAPLE="${OCSP_MUST_STAPLE}" + __OCSP_FETCH="${OCSP_FETCH}" + __OCSP_DAYS="${OCSP_DAYS}" __PRIVATE_KEY_RENEW="${PRIVATE_KEY_RENEW}" + __PRIVATE_KEY_ROLLOVER="${PRIVATE_KEY_ROLLOVER}" __KEYSIZE="${KEYSIZE}" __CHALLENGETYPE="${CHALLENGETYPE}" __HOOK="${HOOK}" @@ -269,7 +296,10 @@ reset_configvars() { KEY_ALGO="${__KEY_ALGO}" OCSP_MUST_STAPLE="${__OCSP_MUST_STAPLE}" + OCSP_FETCH="${__OCSP_FETCH}" + OCSP_DAYS="${__OCSP_DAYS}" PRIVATE_KEY_RENEW="${__PRIVATE_KEY_RENEW}" + PRIVATE_KEY_ROLLOVER="${__PRIVATE_KEY_ROLLOVER}" KEYSIZE="${__KEYSIZE}" CHALLENGETYPE="${__CHALLENGETYPE}" HOOK="${__HOOK}" @@ -298,7 +328,7 @@ if [[ "${CHALLENGETYPE}" = "http-01" && ! -d "${WELLKNOWN}" && ! "${COMMAND:-}" = "register" ]]; then _exiterr "WELLKNOWN directory doesn't exist, please create ${WELLKNOWN} and set appropriate permissions." fi - [[ "${KEY_ALGO}" == "rsa" || "${KEY_ALGO}" == "prime256v1" || "${KEY_ALGO}" == "secp384r1" ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... cannot continue." + [[ "${KEY_ALGO}" == "rsa" || "${KEY_ALGO}" == "prime256v1" || "${KEY_ALGO}" == "secp384r1" || "${KEY_ALGO}" == "secp521r1" ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... cannot continue." if [[ -n "${IP_VERSION}" ]]; then [[ "${IP_VERSION}" = "4" || "${IP_VERSION}" = "6" ]] || _exiterr "Unknown IP version ${IP_VERSION}... cannot continue." fi @@ -332,6 +362,8 @@ CERTDIR= ALPNCERTDIR= ACCOUNTDIR= + ACCOUNT_KEYSIZE="4096" + ACCOUNT_KEY_ALGO=rsa CHALLENGETYPE="http-01" CONFIG_D= CURL_OPTS= @@ -379,7 +411,7 @@ fi # Allow globbing - [[ -n "${ZSH_VERSION:-}" ]] && set +o noglob || set +f + noglob_set for check_config_d in "${CONFIG_D}"/*.sh; do if [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then @@ -392,7 +424,7 @@ done # Disable globbing - [[ -n "${ZSH_VERSION:-}" ]] && set -o noglob || set -f + noglob_clear fi # Check for missing dependencies @@ -473,6 +505,7 @@ fi fi + # shellcheck disable=SC1090 [[ -f "${ACCOUNTDIR}/${CAHASH}/config" ]] && . "${ACCOUNTDIR}/${CAHASH}/config" ACCOUNT_KEY="${ACCOUNTDIR}/${CAHASH}/account_key.pem" ACCOUNT_KEY_JSON="${ACCOUNTDIR}/${CAHASH}/registration_info.json" @@ -512,6 +545,10 @@ [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}" [[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}" + if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ] && [ "${PARAM_FORCE:-no}" = "no" ]; then + _exiterr "Argument --force-validation can only be used in combination with --force (-x)" + fi + if [ ! "${1:-}" = "noverify" ]; then verify_config fi @@ -539,8 +576,8 @@ grep -q newOrder <<< "${CA_DIRECTORY}" && API=2 || API=1 fi - if [[ ${API} -eq 1 ]]; then - # shellcheck disable=SC2015 + # shellcheck disable=SC2015 + if [[ "${API}" = "1" ]]; then CA_NEW_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-cert)" && CA_NEW_AUTHZ="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-authz)" && CA_NEW_REG="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-reg)" && @@ -551,7 +588,6 @@ # Since reg URI is missing from directory we will assume it is the same as CA_NEW_REG without the new part CA_REG=${CA_NEW_REG/new-reg/reg} else - # shellcheck disable=SC2015 CA_NEW_ORDER="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newOrder)" && CA_NEW_NONCE="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newNonce)" && CA_NEW_ACCOUNT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newAccount)" && @@ -559,8 +595,6 @@ CA_REQUIRES_EAB="$(printf "%s" "${CA_DIRECTORY}" | get_json_bool_value -p '"meta","externalAccountRequired"' || echo false)" && CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revokeCert)" || _exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint." - # Since acct URI is missing from directory we will assume it is the same as CA_NEW_ACCOUNT without the new part - CA_ACCOUNT=${CA_NEW_ACCOUNT/new-acct/acct} fi # Export some environment variables to be used in hook script @@ -582,26 +616,63 @@ if [[ ! "${PARAM_ACCEPT_TERMS:-}" = "yes" ]]; then printf '\n' >&2 printf 'To use dehydrated with this certificate authority you have to agree to their terms of service which you can find here: %s\n\n' "${CA_TERMS}" >&2 - printf 'To accept these terms of service run `%s --register --accept-terms`.\n' "${0}" >&2 + printf 'To accept these terms of service run "%s --register --accept-terms".\n' "${0}" >&2 exit 1 fi echo "+ Generating account key..." generated="true" - local tmp_account_key="$(_mktemp)" - _openssl genrsa -out "${tmp_account_key}" "${KEYSIZE}" + local tmp_account_key + tmp_account_key="$(_mktemp)" + if [[ ${API} -eq 1 && ! "${ACCOUNT_KEY_ALGO}" = "rsa" ]]; then + _exiterr "ACME API version 1 does not support EC account keys" + fi + case "${ACCOUNT_KEY_ALGO}" in + rsa) _openssl genrsa -out "${tmp_account_key}" "${ACCOUNT_KEYSIZE}";; + prime256v1|secp384r1|secp521r1) _openssl ecparam -genkey -name "${ACCOUNT_KEY_ALGO}" -out "${tmp_account_key}" -noout;; + esac cat "${tmp_account_key}" > "${ACCOUNT_KEY}" rm "${tmp_account_key}" register_new_key="yes" fi fi - "${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -check 2>/dev/null > /dev/null || _exiterr "Account key is not valid, cannot continue." - # Get public components from private key and calculate thumbprint - pubExponent64="$(printf '%x' "$("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -noout -text | awk '/publicExponent/ {print $2}')" | hex2bin | urlbase64)" - pubMod64="$("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -noout -modulus | cut -d'=' -f2 | hex2bin | urlbase64)" + if ("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -check 2>/dev/null > /dev/null); then + # Get public components from private key and calculate thumbprint + pubExponent64="$(printf '%x' "$("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -noout -text | awk '/publicExponent/ {print $2}')" | hex2bin | urlbase64)" + pubMod64="$("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -noout -modulus | cut -d'=' -f2 | hex2bin | urlbase64)" + + account_key_info="$(printf '{"e":"%s","kty":"RSA","n":"%s"}' "${pubExponent64}" "${pubMod64}")" + account_key_sigalgo=RS256 + elif ("${OPENSSL}" ec -in "${ACCOUNT_KEY}" -check 2>/dev/null > /dev/null); then + curve="$("${OPENSSL}" ec -in "${ACCOUNT_KEY}" -noout -text 2>/dev/null | grep 'NIST CURVE' | cut -d':' -f2 | tr -d ' ')" + pubkey="$("${OPENSSL}" ec -in "${ACCOUNT_KEY}" -noout -text 2>/dev/null | tr -d '\n ' | grep -Eo 'pub:.*ASN1' | _sed -e 's/^pub://' -e 's/ASN1$//' | tr -d ':')" + + if [ "${curve}" = "P-256" ]; then + account_key_sigalgo="ES256" + elif [ "${curve}" = "P-384" ]; then + account_key_sigalgo="ES384" + elif [ "${curve}" = "P-521" ]; then + account_key_sigalgo="ES512" + else + _exiterr "Unknown account key curve: ${curve}" + fi + + ec_x_offset=2 + ec_x_len=$((${#pubkey}/2 - 1)) + ec_x="${pubkey:$ec_x_offset:$ec_x_len}" + ec_x64="$(printf "%s" "${ec_x}" | hex2bin | urlbase64)" + + ec_y_offset=$((ec_x_offset+ec_x_len)) + ec_y_len=$((${#pubkey}-ec_y_offset)) + ec_y="${pubkey:$ec_y_offset:$ec_y_len}" + ec_y64="$(printf "%s" "${ec_y}" | hex2bin | urlbase64)" - thumbprint="$(printf '{"e":"%s","kty":"RSA","n":"%s"}' "${pubExponent64}" "${pubMod64}" | "${OPENSSL}" dgst -sha256 -binary | urlbase64)" + account_key_info="$(printf '{"crv":"%s","kty":"EC","x":"%s","y":"%s"}' "${curve}" "${ec_x64}" "${ec_y64}")" + else + _exiterr "Account key is not valid, cannot continue." + fi + thumbprint="$(printf '%s' "${account_key_info}" | "${OPENSSL}" dgst -sha256 -binary | urlbase64)" # If we generated a new private key in the step above we have to register it with the acme-server if [[ "${register_new_key}" = "yes" ]]; then @@ -654,7 +725,7 @@ if [[ -n "${EAB_KID:-}" ]] && [[ -n "${EAB_HMAC_KEY:-}" ]]; then eab_url="${CA_NEW_ACCOUNT}" eab_protected64="$(printf '{"alg":"HS256","kid":"%s","url":"%s"}' "${EAB_KID}" "${eab_url}" | urlbase64)" - eab_payload64="$(printf "%s" '{"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}' | urlbase64)" + eab_payload64="$(printf "%s" "${account_key_info}" | urlbase64)" eab_key="$(printf "%s" "${EAB_HMAC_KEY}" | deurlbase64 | bin2hex)" eab_signed64="$(printf '%s' "${eab_protected64}.${eab_payload64}" | "${OPENSSL}" dgst -binary -sha256 -mac HMAC -macopt "hexkey:${eab_key}" | urlbase64)" @@ -692,16 +763,16 @@ # Read account information or request from CA if missing if [[ -e "${ACCOUNT_KEY_JSON}" ]]; then if [[ ${API} -eq 1 ]]; then - ACCOUNT_ID="$(cat "${ACCOUNT_KEY_JSON}" | jsonsh | get_json_int_value id)" + ACCOUNT_ID="$(jsonsh < "${ACCOUNT_KEY_JSON}" | get_json_int_value id)" ACCOUNT_URL="${CA_REG}/${ACCOUNT_ID}" else if [[ -e "${ACCOUNT_ID_JSON}" ]]; then - ACCOUNT_URL="$(cat "${ACCOUNT_ID_JSON}" | jsonsh | get_json_string_value url)" + ACCOUNT_URL="$(jsonsh < "${ACCOUNT_ID_JSON}" | get_json_string_value url)" fi # if account URL is not storred, fetch it from the CA if [[ -z "${ACCOUNT_URL:-}" ]]; then echo "+ Fetching account URL..." - ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')" + ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')" if [[ -z "${ACCOUNT_URL}" ]]; then _exiterr "Unknown error on fetching account information" fi @@ -713,7 +784,7 @@ if [[ ${API} -eq 1 ]]; then _exiterr "This is not implemented for ACMEv1! Consider switching to ACMEv2 :)" else - ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')" + ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')" ACCOUNT_INFO="$(signed_request "${ACCOUNT_URL}" '{}')" fi echo "${ACCOUNT_INFO}" > "${ACCOUNT_KEY_JSON}" @@ -734,7 +805,7 @@ if [ -n "${1:-}" ]; then echo "ERROR: ${1}" >&2 fi - [[ "${skip_exit_hook:-no}" = "no" ]] && [[ -n "${HOOK:-}" ]] && ("${HOOK}" "exit_hook" "${1}" || echo 'exit_hook returned with non-zero exit code!' >&2) + [[ "${skip_exit_hook:-no}" = "no" ]] && [[ -n "${HOOK:-}" ]] && ("${HOOK}" "exit_hook" "${1:-}" || echo 'exit_hook returned with non-zero exit code!' >&2) exit 1 } @@ -762,12 +833,13 @@ # Convert hex string to binary data hex2bin() { # Remove spaces, add leading zero, escape as hex string and parse with printf - printf -- "$(cat | _sed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')" + # shellcheck disable=SC2059 + printf "%b" "$(cat | _sed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')" } # Convert binary data to hex string bin2hex() { - hexdump -e '16/1 "%02x"' + hexdump -v -e '/1 "%02x"' } # OpenSSL writes to stderr/stdout even when there are no errors. So just @@ -797,6 +869,7 @@ fi set +e + # shellcheck disable=SC2086 if [[ "${1}" = "head" ]]; then statuscode="$(curl ${ip_version:-} ${CURL_OPTS} -A "dehydrated/${VERSION} curl/${CURL_VERSION}" -s -w "%{http_code}" -o "${tempcont}" "${2}" -I)" curlret="${?}" @@ -826,6 +899,10 @@ elif [[ -n "${CA_REVOKE_CERT:-}" ]] && [[ "${2}" = "${CA_REVOKE_CERT:-}" ]] && [[ "${statuscode}" = "409" ]]; then grep -q "Certificate already revoked" "${tempcont}" && return else + if grep -q "urn:ietf:params:acme:error:badNonce" "${tempcont}"; then + printf "badnonce %s" "$(grep -Eoi "^replay-nonce:.*$" "${tempheaders}" | sed 's/ //' | cut -d: -f2)" + return 0 + fi echo " + ERROR: An error occurred while sending ${1}-request to ${2} (Status ${statuscode})" >&2 echo >&2 echo "Details:" >&2 @@ -836,8 +913,8 @@ # An exclusive hook for the {1}-request error might be useful (e.g., for sending an e-mail to admins) if [[ -n "${HOOK}" ]]; then - errtxt="$(cat ${tempcont})" - errheaders="$(cat ${tempheaders})" + errtxt="$(cat "${tempcont}")" + errheaders="$(cat "${tempheaders}")" "${HOOK}" "request_failure" "${statuscode}" "${errtxt}" "${1}" "${errheaders}" || _exiterr 'request_failure hook returned with non-zero exit code' fi @@ -863,16 +940,17 @@ # Encode payload as urlbase64 payload64="$(printf '%s' "${2}" | urlbase64)" - # Retrieve nonce from acme-server - if [[ ${API} -eq 1 ]]; then - nonce="$(http_request head "${CA}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" + if [ -n "${3:-}" ]; then + nonce="$(printf "%s" "${3}" | tr -d ' \t\n\r')" else - nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')" + # Retrieve nonce from acme-server + if [[ ${API} -eq 1 ]]; then + nonce="$(http_request head "${CA}" | grep -i ^Replay-Nonce: | cut -d':' -f2- | tr -d ' \t\n\r')" + else + nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i ^Replay-Nonce: | cut -d':' -f2- | tr -d ' \t\n\r')" + fi fi - # Build header with just our public key and algorithm information - header='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}}' - if [[ ${API} -eq 1 ]]; then # Build another header which also contains the previously received nonce and encode it as urlbase64 protected='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}, "nonce": "'"${nonce}"'"}' @@ -880,17 +958,37 @@ else # Build another header which also contains the previously received nonce and url and encode it as urlbase64 if [[ -n "${ACCOUNT_URL:-}" ]]; then - protected='{"alg": "RS256", "kid": "'"${ACCOUNT_URL}"'", "url": "'"${1}"'", "nonce": "'"${nonce}"'"}' + protected='{"alg": "'"${account_key_sigalgo}"'", "kid": "'"${ACCOUNT_URL}"'", "url": "'"${1}"'", "nonce": "'"${nonce}"'"}' else - protected='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}, "url": "'"${1}"'", "nonce": "'"${nonce}"'"}' + protected='{"alg": "'"${account_key_sigalgo}"'", "jwk": '"${account_key_info}"', "url": "'"${1}"'", "nonce": "'"${nonce}"'"}' fi protected64="$(printf '%s' "${protected}" | urlbase64)" fi # Sign header with nonce and our payload with our private key and encode signature as urlbase64 - signed64="$(printf '%s' "${protected64}.${payload64}" | "${OPENSSL}" dgst -sha256 -sign "${ACCOUNT_KEY}" | urlbase64)" + if [[ "${account_key_sigalgo}" = "RS256" ]]; then + signed64="$(printf '%s' "${protected64}.${payload64}" | "${OPENSSL}" dgst -sha256 -sign "${ACCOUNT_KEY}" | urlbase64)" + else + dgstparams="$(printf '%s' "${protected64}.${payload64}" | "${OPENSSL}" dgst -sha${account_key_sigalgo:2} -sign "${ACCOUNT_KEY}" | "${OPENSSL}" asn1parse -inform DER)" + dgst_parm_1="$(echo "$dgstparams" | head -n 2 | tail -n 1 | cut -d':' -f4)" + dgst_parm_2="$(echo "$dgstparams" | head -n 3 | tail -n 1 | cut -d':' -f4)" + + # zero-padding (doesn't seem to be necessary, but other clients are doing this as well... + case "${account_key_sigalgo}" in + "ES256") siglen=64;; + "ES384") siglen=96;; + "ES512") siglen=132;; + esac + while [[ ${#dgst_parm_1} -lt $siglen ]]; do dgst_parm_1="0${dgst_parm_1}"; done + while [[ ${#dgst_parm_2} -lt $siglen ]]; do dgst_parm_2="0${dgst_parm_2}"; done + + signed64="$(printf "%s%s" "${dgst_parm_1}" "${dgst_parm_2}" | hex2bin | urlbase64)" + fi if [[ ${API} -eq 1 ]]; then + # Build header with just our public key and algorithm information + header='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}}' + # Send header + extended header + payload + signature to the acme-server data='{"header": '"${header}"', "protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}' else @@ -898,7 +996,14 @@ data='{"protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}' fi - http_request post "${1}" "${data}" + output="$(http_request post "${1}" "${data}")" + + if grep -qE "^badnonce " <<< "${output}"; then + echo " ! Request failed (badNonce), retrying request..." >&2 + signed_request "${1:-}" "${2:-}" "$(printf "%s" "${output}" | cut -d' ' -f2)" + else + printf "%s" "${output}" + fi } # Extracts all subject names from a CSR @@ -917,23 +1022,23 @@ # split to one per line: # shellcheck disable=SC1003 altnames="$( <<<"${altnames}" _sed -e 's/^[[:space:]]*//; s/, /\'$'\n''/g' )" - # we can only get DNS: ones signed - if grep -qEv '^(DNS|othername):' <<<"${altnames}"; then - _exiterr "Certificate signing request contains non-DNS Subject Alternative Names" + # we can only get DNS/IP: ones signed + if grep -qEv '^(DNS|IP( Address)*|othername):' <<<"${altnames}"; then + _exiterr "Certificate signing request contains non-DNS/IP Subject Alternative Names" fi - # strip away the DNS: prefix - altnames="$( <<<"${altnames}" _sed -e 's/^(DNS:|othername:<unsupported>)//' )" + # strip away the DNS/IP: prefix + altnames="$( <<<"${altnames}" _sed -e 's/^(DNS:|IP( Address)*:|othername:<unsupported>)//' )" printf "%s" "${altnames}" | tr '\n' ' ' else # No SANs, extract CN - altnames="$( <<<"${reqtext}" grep '^[[:space:]]*Subject:' | _sed -e 's/.* CN ?= ?([^ /,]*).*/\1/' )" + altnames="$( <<<"${reqtext}" grep '^[[:space:]]*Subject:' | _sed -e 's/.*[ /]CN ?= ?([^ /,]*).*/\1/' )" printf "%s" "${altnames}" fi } # Get last issuer CN in certificate chain get_last_cn() { - <<<"${1}" _sed 'H;/-----BEGIN CERTIFICATE-----/h;$!d;x' | "${OPENSSL}" x509 -noout -issuer | head -n1 | _sed -e 's/.* CN ?= ?([^/,]*).*/\1/' + <<<"${1}" _sed 'H;/-----BEGIN CERTIFICATE-----/h;$!d;x' | "${OPENSSL}" x509 -noout -issuer | head -n1 | _sed -e 's/.*[ /]CN ?= ?([^/,]*).*/\1/' } # Create certificate for domain(s) and outputs it FD 3 @@ -968,12 +1073,16 @@ # Request new order and store authorization URIs local challenge_identifiers="" for altname in ${altnames}; do - challenge_identifiers+="$(printf '{"type": "dns", "value": "%s"}, ' "${altname}")" + if [[ "${altname}" =~ ^ip: ]]; then + challenge_identifiers+="$(printf '{"type": "ip", "value": "%s"}, ' "${altname:3}")" + else + challenge_identifiers+="$(printf '{"type": "dns", "value": "%s"}, ' "${altname}")" + fi done challenge_identifiers="[${challenge_identifiers%, }]" echo " + Requesting new certificate order from CA..." - order_location="$(signed_request "${CA_NEW_ORDER}" '{"identifiers": '"${challenge_identifiers}"'}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')" + order_location="$(signed_request "${CA_NEW_ORDER}" '{"identifiers": '"${challenge_identifiers}"'}' 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')" result="$(signed_request "${order_location}" "" | jsonsh)" order_authorizations="$(echo "${result}" | get_json_array_values authorizations)" @@ -1001,6 +1110,7 @@ # Receive authorization ($authorization is authz uri) response="$(signed_request "$(echo "${authorization}" | _sed -e 's/\"(.*)".*/\1/')" "" | jsonsh)" identifier="$(echo "${response}" | get_json_string_value -p '"identifier","value"')" + identifier_type="$(echo "${response}" | get_json_string_value -p '"identifier","type"')" echo " + Handling authorization for ${identifier}" else # Request new authorization ($authorization is altname) @@ -1010,9 +1120,13 @@ fi # Check if authorization has already been validated - if [ "$(echo "${response}" | _sed 's/"challenges": \[\{.*\}\]//' | get_json_string_value status)" = "valid" ] && [ ! "${PARAM_FORCE:-no}" = "yes" ]; then - echo " + Found valid authorization for ${identifier}" - continue + if [ "$(echo "${response}" | get_json_string_value status)" = "valid" ]; then + if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ]; then + echo " + A valid authorization has been found but will be ignored" + else + echo " + Found valid authorization for ${identifier}" + continue + fi fi # Find challenge in authorization @@ -1025,7 +1139,11 @@ challenge="$(echo "${response}" | get_json_dict_value -p '"challenges",'"${challengeindex}")" # Gather challenge information - challenge_names[${idx}]="${identifier}" + if [ "${identifier_type:-}" = "ip" ] && [ "${CHALLENGETYPE}" = "tls-alpn-01" ] ; then + challenge_names[${idx}]="$(echo "${identifier}" | ip_to_ptr)" + else + challenge_names[${idx}]="${identifier}" + fi challenge_tokens[${idx}]="$(echo "${challenge}" | get_json_string_value token)" if [[ ${API} -eq 2 ]]; then @@ -1052,13 +1170,17 @@ keyauth_hook="$(printf '%s' "${keyauth}" | "${OPENSSL}" dgst -sha256 -binary | urlbase64)" ;; "tls-alpn-01") - keyauth_hook="$(printf '%s' "${keyauth}" | "${OPENSSL}" dgst -sha256 -c -hex | awk '{print $2}')" - generate_alpn_certificate "${identifier}" "${keyauth_hook}" + keyauth_hook="$(printf '%s' "${keyauth}" | "${OPENSSL}" dgst -sha256 -c -hex | awk '{print $NF}')" + generate_alpn_certificate "${identifier}" "${identifier_type}" "${keyauth_hook}" ;; esac keyauths[${idx}]="${keyauth}" - deploy_args[${idx}]="${identifier} ${challenge_tokens[${idx}]} ${keyauth_hook}" + if [ "${identifier_type:-}" = "ip" ] && [ "${CHALLENGETYPE}" = "tls-alpn-01" ]; then + deploy_args[${idx}]="$(echo "${identifier}" | ip_to_ptr) ${challenge_tokens[${idx}]} ${keyauth_hook}" + else + deploy_args[${idx}]="${identifier} ${challenge_tokens[${idx}]} ${keyauth_hook}" + fi idx=$((idx+1)) done @@ -1069,11 +1191,13 @@ if [[ ${num_pending_challenges} -ne 0 ]]; then echo " + Deploying challenge tokens..." if [[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" = "yes" ]]; then + # shellcheck disable=SC2068 "${HOOK}" "deploy_challenge" ${deploy_args[@]} || _exiterr 'deploy_challenge hook returned with non-zero exit code' elif [[ -n "${HOOK}" ]]; then # Run hook script to deploy the challenge token local idx=0 while [ ${idx} -lt ${num_pending_challenges} ]; do + # shellcheck disable=SC2086 "${HOOK}" "deploy_challenge" ${deploy_args[${idx}]} || _exiterr 'deploy_challenge hook returned with non-zero exit code' idx=$((idx+1)) done @@ -1120,6 +1244,7 @@ echo " + Cleaning challenge tokens..." # Clean challenge tokens using chained hook + # shellcheck disable=SC2068 [[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" = "yes" ]] && ("${HOOK}" "clean_challenge" ${deploy_args[@]} || _exiterr 'clean_challenge hook returned with non-zero exit code') # Clean remaining challenge tokens if validation has failed @@ -1130,6 +1255,7 @@ # Delete alpn verification certificates [[ "${CHALLENGETYPE}" = "tls-alpn-01" ]] && rm -f "${ALPNCERTDIR}/${challenge_names[${idx}]}.crt.pem" "${ALPNCERTDIR}/${challenge_names[${idx}]}.key.pem" # Clean challenge token using non-chained hook + # shellcheck disable=SC2086 [[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" != "yes" ]] && ("${HOOK}" "clean_challenge" ${deploy_args[${idx}]} || _exiterr 'clean_challenge hook returned with non-zero exit code') idx=$((idx+1)) done @@ -1177,8 +1303,8 @@ if [ "${altcn}" = "${PREFERRED_CHAIN}" ]; then foundaltchain=1 fi - if [ "${foundaltchain}" = "0" ]; then - while read altcrturl; do + if [ "${foundaltchain}" = "0" ] && (grep -Ei '^link:' "${resheaders}" | grep -q -Ei 'rel="alternate"'); then + while read -r altcrturl; do if [ "${foundaltchain}" = "0" ]; then altcrt="$(signed_request "${altcrturl}" "")" altcn="$(get_last_cn "${altcrt}")" @@ -1266,7 +1392,8 @@ # Generate ALPN verification certificate generate_alpn_certificate() { local altname="${1}" - local acmevalidation="${2}" + local identifier_type="${2}" + local acmevalidation="${3}" local alpncertdir="${ALPNCERTDIR}" if [[ ! -e "${alpncertdir}" ]]; then @@ -1277,10 +1404,17 @@ echo " + Generating ALPN certificate and key for ${1}..." tmp_openssl_cnf="$(_mktemp)" cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}" - printf "[SAN]\nsubjectAltName=DNS:%s\n" "${altname}" >> "${tmp_openssl_cnf}" - printf "1.3.6.1.5.5.7.1.31=critical,DER:04:20:${acmevalidation}\n" >> "${tmp_openssl_cnf}" + if [[ "${identifier_type}" = "ip" ]]; then + printf "\n[SAN]\nsubjectAltName=IP:%s\n" "${altname}" >> "${tmp_openssl_cnf}" + else + printf "\n[SAN]\nsubjectAltName=DNS:%s\n" "${altname}" >> "${tmp_openssl_cnf}" + fi + printf "1.3.6.1.5.5.7.1.31=critical,DER:04:20:%s\n" "${acmevalidation}" >> "${tmp_openssl_cnf}" SUBJ="/CN=${altname}/" [[ "${OSTYPE:0:5}" = "MINGW" ]] && SUBJ="/${SUBJ}" + if [[ "${identifier_type}" = "ip" ]]; then + altname="$(echo "${altname}" | ip_to_ptr)" + fi _openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -keyout "${alpncertdir}/${altname}.key.pem" -out "${alpncertdir}/${altname}.crt.pem" -subj "${SUBJ}" -extensions SAN -config "${tmp_openssl_cnf}" chmod g+r "${alpncertdir}/${altname}.key.pem" "${alpncertdir}/${altname}.crt.pem" rm -f "${tmp_openssl_cnf}" @@ -1312,10 +1446,11 @@ if [[ ! -r "${certdir}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then echo " + Generating private key..." privkey="privkey-${timestamp}.pem" - local tmp_privkey="$(_mktemp)" + local tmp_privkey + tmp_privkey="$(_mktemp)" case "${KEY_ALGO}" in rsa) _openssl genrsa -out "${tmp_privkey}" "${KEYSIZE}";; - prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${tmp_privkey}";; + prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${tmp_privkey}" -noout;; esac cat "${tmp_privkey}" > "${certdir}/privkey-${timestamp}.pem" rm "${tmp_privkey}" @@ -1332,7 +1467,7 @@ echo " + Generating private rollover key..." case "${KEY_ALGO}" in rsa) _openssl genrsa -out "${certdir}/privkey.roll.pem" "${KEYSIZE}";; - prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${certdir}/privkey.roll.pem";; + prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${certdir}/privkey.roll.pem" -noout;; esac fi # delete rolloverkeys if disabled @@ -1345,17 +1480,25 @@ echo " + Generating signing request..." SAN="" for altname in ${altnames}; do - SAN="${SAN}DNS:${altname}, " + if [[ "${altname}" =~ ^ip: ]]; then + SAN="${SAN}IP:${altname:3}, " + else + SAN="${SAN}DNS:${altname}, " + fi done + if [[ "${domain}" =~ ^ip: ]]; then + SUBJ="/CN=${domain:3}/" + else + SUBJ="/CN=${domain}/" + fi SAN="${SAN%%, }" local tmp_openssl_cnf tmp_openssl_cnf="$(_mktemp)" cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}" - printf "[SAN]\nsubjectAltName=%s" "${SAN}" >> "${tmp_openssl_cnf}" + printf "\n[SAN]\nsubjectAltName=%s" "${SAN}" >> "${tmp_openssl_cnf}" if [ "${OCSP_MUST_STAPLE}" = "yes" ]; then printf "\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "${tmp_openssl_cnf}" fi - SUBJ="/CN=${domain}/" if [[ "${OSTYPE:0:5}" = "MINGW" ]]; then # The subject starts with a /, so MSYS will assume it's a path and convert # it unless we escape it with another one: @@ -1426,20 +1569,21 @@ revision="$(cd "${SCRIPTDIR}"; git rev-parse HEAD 2>/dev/null || echo "unknown")" echo "GIT-Revision: ${revision}" echo "" - if [[ "${OSTYPE}" =~ "BSD" ]]; then + # shellcheck disable=SC1091 + if [[ "${OSTYPE}" =~ (BSD|Darwin) ]]; then echo "OS: $(uname -sr)" elif [[ -e /etc/os-release ]]; then ( . /etc/os-release && echo "OS: $PRETTY_NAME" ) elif [[ -e /usr/lib/os-release ]]; then ( . /usr/lib/os-release && echo "OS: $PRETTY_NAME" ) else - echo "OS: $(cat /etc/issue | grep -v ^$ | head -n1 | _sed 's/\\(r|n|l) .*//g')" + echo "OS: $(grep -v '^$' /etc/issue | head -n1 | _sed 's/\\(r|n|l) .*//g')" fi echo "Used software:" [[ -n "${BASH_VERSION:-}" ]] && echo " bash: ${BASH_VERSION}" [[ -n "${ZSH_VERSION:-}" ]] && echo " zsh: ${ZSH_VERSION}" echo " curl: ${CURL_VERSION}" - if [[ "${OSTYPE}" =~ "BSD" ]]; then + if [[ "${OSTYPE}" =~ (BSD|Darwin) ]]; then echo " awk, sed, mktemp, grep, diff: BSD base system versions" else echo " awk: $(awk -W version 2>&1 | head -n1)" @@ -1518,6 +1662,20 @@ exit 0 } +# Parse contents of domains.txt and domains.txt.d +parse_domains_txt() { + # Allow globbing temporarily + noglob_set + local inputs=("${DOMAINS_TXT}" "${DOMAINS_TXT}.d"/*.txt) + noglob_clear + + cat "${inputs[@]}" | + tr -d '\r' | + awk '{print tolower($0)}' | + _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' | + (grep -vE '^(#|$)' || true) +} + # Usage: --cron (-c) # Description: Sign/renew non-existent/changed/expiring certificates. command_sign_domains() { @@ -1535,9 +1693,9 @@ if [[ -n "${PARAM_DOMAIN:-}" ]]; then DOMAINS_TXT="$(_mktemp)" if [[ -n "${PARAM_ALIAS:-}" ]]; then - printf -- "${PARAM_DOMAIN} > ${PARAM_ALIAS}" > "${DOMAINS_TXT}" + printf "%s > %s" "${PARAM_DOMAIN}" "${PARAM_ALIAS}" > "${DOMAINS_TXT}" else - printf -- "${PARAM_DOMAIN}" > "${DOMAINS_TXT}" + printf "%s" "${PARAM_DOMAIN}" > "${DOMAINS_TXT}" fi elif [[ -e "${DOMAINS_TXT}" ]]; then if [[ ! -r "${DOMAINS_TXT}" ]]; then @@ -1550,17 +1708,17 @@ # Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire ORIGIFS="${IFS}" IFS=$'\n' - for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' | (grep -vE '^(#|$)' || true)); do + for line in $(parse_domains_txt); do reset_configvars IFS="${ORIGIFS}" alias="$(grep -Eo '>[^ ]+' <<< "${line}" || true)" line="$(_sed -e 's/>[^ ]+[ ]*//g' <<< "${line}")" aliascount="$(grep -Eo '>' <<< "${alias}" | awk 'END {print NR}' || true )" - [ ${aliascount} -gt 1 ] && _exiterr "Only one alias per line is allowed in domains.txt!" + [ "${aliascount}" -gt 1 ] && _exiterr "Only one alias per line is allowed in domains.txt!" domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)" morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)" - [ ${aliascount} -lt 1 ] && alias="${domain}" || alias="${alias#>}" + [ "${aliascount}" -lt 1 ] && alias="${domain}" || alias="${alias#>}" export alias if [[ -z "${morenames}" ]];then @@ -1614,6 +1772,8 @@ ); do config_var="$(echo "${cfgline:1}" | cut -d'=' -f1)" config_value="$(echo "${cfgline:1}" | cut -d'=' -f2- | tr -d "'")" + # All settings that are allowed here should also be stored and + # restored in store_configvars() and reset_configvars() case "${config_var}" in KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS) echo " + ${config_var} = ${config_value}" @@ -1646,12 +1806,12 @@ fi # Check domain names of existing certificate - if [[ -e "${cert}" ]]; then + if [[ -e "${cert}" && "${force_renew}" = "no" ]]; then printf " + Checking domain name(s) of existing cert..." - certnames="$("${OPENSSL}" x509 -in "${cert}" -text -noout | grep DNS: | _sed 's/DNS://g' | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//')" - givennames="$(echo "${domain}" "${morenames}"| tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//' | _sed 's/^ //')" - + certnames="$("${OPENSSL}" x509 -in "${cert}" -text -noout | grep -E '(DNS|IP( Address*)):' | _sed 's/(DNS|IP( Address)*)://g' | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//')" + givennames="$(echo "${domain}" "${morenames}"| tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ip://g' | _sed 's/ $//' | _sed 's/^ //')" + if [[ "${certnames}" = "${givennames}" ]]; then echo " unchanged." else @@ -1692,13 +1852,14 @@ if [[ ! "${skip}" = "yes" ]]; then update_ocsp="yes" [[ -z "${csr}" ]] || printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr" + # shellcheck disable=SC2086 if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then skip_exit_hook=yes - sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} & + sign_domain "${certdir}" "${timestamp}" "${domain}" ${morenames} & wait $! || exit_with_errorcode=1 skip_exit_hook=no else - sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} + sign_domain "${certdir}" "${timestamp}" "${domain}" ${morenames} fi fi @@ -1744,12 +1905,12 @@ # Usage: --signcsr (-s) path/to/csr.pem # Description: Sign a given CSR, output CRT on stdout (advanced usage) command_sign_csr() { + init_system + # redirect stdout to stderr # leave stdout over at fd 3 to output the cert exec 3>&1 1>&2 - init_system - # load csr csrfile="${1}" if [ ! -r "${csrfile}" ]; then @@ -1762,6 +1923,7 @@ # gen cert certfile="$(_mktemp)" + # shellcheck disable=SC2086 sign_csr "${csr}" ${altnames} 3> "${certfile}" # print cert @@ -1866,7 +2028,7 @@ fi # Allow globbing - [[ -n "${ZSH_VERSION:-}" ]] && set +o noglob || set +f + noglob_set # Loop over all certificate directories for certdir in "${CERTDIR}/"*; do @@ -1907,7 +2069,6 @@ # Check if current file is in use, if unused move to archive directory filename="$(basename "${file}")" if [[ ! "${filename}" = "${current}" ]] && [[ -f "${certdir}/${filename}" ]]; then - echo "${filename}" if [[ "${PARAM_CLEANUPDELETE:-}" = "yes" ]]; then echo "Deleting unused file: ${certname}/${filename}" rm "${certdir}/${filename}" @@ -1980,8 +2141,7 @@ fi } - # shellcheck disable=SC2199 - [[ -z "${@}" ]] && eval set -- "--help" + [[ -z "${*}" ]] && eval set -- "--help" while (( ${#} )); do case "${1}" in @@ -2107,6 +2267,12 @@ PARAM_FORCE="yes" ;; + # PARAM_Usage: --force-validation + # PARAM_Description: Force revalidation of domain names (used in combination with --force) + --force-validation) + PARAM_FORCE_VALIDATION="yes" + ;; + # PARAM_Usage: --no-lock (-n) # PARAM_Description: Don't use lockfile (potentially dangerous!) --no-lock|-n) @@ -2183,8 +2349,8 @@ PARAM_ALPNCERTDIR="${1}" ;; - # PARAM_Usage: --challenge (-t) http-01|dns-01 - # PARAM_Description: Which challenge should be used? Currently http-01 and dns-01 are supported + # PARAM_Usage: --challenge (-t) http-01|dns-01|tls-alpn-01 + # PARAM_Description: Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported --challenge|-t) shift 1 check_parameters "${1:-}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/domains_txt.md new/dehydrated-0.7.1/docs/domains_txt.md --- old/dehydrated-0.7.0/docs/domains_txt.md 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/docs/domains_txt.md 2022-10-31 15:12:38.000000000 +0100 @@ -34,6 +34,30 @@ example.net www.example.net wiki.example.net > certalias ``` +This allows to set per certificates options. The options you can change are +explained in [Per Certificate Config](per-certificate-config.md). + +If you want to create different certificate types for the same domain +you can use: + +```text +*.service.example.org service.example.org > star_service_example_org_rsa +*.service.example.org service.example.org > star_service_example_org_ecdsa +``` + +Then add a config file `certs/star_service_example_org_rsa/config` with +the value + +``` +KEY_ALGO="rsa" +``` + +or respectively + +``` +KEY_ALGO="ecdsa" +``` + ### Wildcards Support for wildcards was added by the ACME v2 protocol. @@ -70,3 +94,14 @@ **Note:** The first certificate is valid for both `service.example.com` and for `*.service.example.com` which can be a useful way to create wildcard certificates. + +### Drop-in directory + +If a directory named `domains.txt.d` exists in the same location as +`domains.txt`, the contents of `*.txt` files in that directory are appended to +the list of domains, in alphabetical order of the filenames. This is useful for +automation, as it doesn't require editing an existing file to add new domains. + +Warning: Behaviour of this might change as the naming between `domains.txt.d` +and the `DOMAINS_D` config variable (which is used for per-certificate +configuration) is a bit confusing. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/examples/domains.txt new/dehydrated-0.7.1/docs/examples/domains.txt --- old/dehydrated-0.7.0/docs/examples/domains.txt 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/docs/examples/domains.txt 2022-10-31 15:12:38.000000000 +0100 @@ -24,6 +24,15 @@ # NOTE: It is a certificate for 'service.example.org' *.service.example.org service.example.org > star_service_example_org +# Optionally you can also append the certificate algorithm here to create +# multiple certificate types for the same domain. +# +# This allows to set per certificates options. How to do this is +# explained in [domains.txt documentation](domains_txt.md). +# +*.service.example.org service.example.org > star_service_example_org_rsa +*.service.example.org service.example.org > star_service_example_org_ecdsa + # Create a certificate for 'service.example.net' with an alternative name of # '*.service.example.net' (which is a wildcard domain) and store it in the # directory ${CERTDIR}/service.example.net diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/examples/hook.sh new/dehydrated-0.7.1/docs/examples/hook.sh --- old/dehydrated-0.7.0/docs/examples/hook.sh 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/docs/examples/hook.sh 2022-10-31 15:12:38.000000000 +0100 @@ -1,199 +1,199 @@ #!/usr/bin/env bash deploy_challenge() { - local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" + local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" - # This hook is called once for every domain that needs to be - # validated, including any alternative names you may have listed. - # - # Parameters: - # - DOMAIN - # The domain name (CN or subject alternative name) being - # validated. - # - TOKEN_FILENAME - # The name of the file containing the token to be served for HTTP - # validation. Should be served by your web server as - # /.well-known/acme-challenge/${TOKEN_FILENAME}. - # - TOKEN_VALUE - # The token value that needs to be served for validation. For DNS - # validation, this is what you want to put in the _acme-challenge - # TXT record. For HTTP validation it is the value that is expected - # be found in the $TOKEN_FILENAME file. + # This hook is called once for every domain that needs to be + # validated, including any alternative names you may have listed. + # + # Parameters: + # - DOMAIN + # The domain name (CN or subject alternative name) being + # validated. + # - TOKEN_FILENAME + # The name of the file containing the token to be served for HTTP + # validation. Should be served by your web server as + # /.well-known/acme-challenge/${TOKEN_FILENAME}. + # - TOKEN_VALUE + # The token value that needs to be served for validation. For DNS + # validation, this is what you want to put in the _acme-challenge + # TXT record. For HTTP validation it is the value that is expected + # be found in the $TOKEN_FILENAME file. - # Simple example: Use nsupdate with local named - # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key + # Simple example: Use nsupdate with local named + # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key } clean_challenge() { - local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" + local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" - # This hook is called after attempting to validate each domain, - # whether or not validation was successful. Here you can delete - # files or DNS records that are no longer needed. - # - # The parameters are the same as for deploy_challenge. + # This hook is called after attempting to validate each domain, + # whether or not validation was successful. Here you can delete + # files or DNS records that are no longer needed. + # + # The parameters are the same as for deploy_challenge. - # Simple example: Use nsupdate with local named - # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key + # Simple example: Use nsupdate with local named + # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key } sync_cert() { - local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}" + local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}" - # This hook is called after the certificates have been created but before - # they are symlinked. This allows you to sync the files to disk to prevent - # creating a symlink to empty files on unexpected system crashes. - # - # This hook is not intended to be used for further processing of certificate - # files, see deploy_cert for that. - # - # Parameters: - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. - # - CHAINFILE - # The path of the file containing the intermediate certificate(s). - # - REQUESTFILE - # The path of the file containing the certificate signing request. + # This hook is called after the certificates have been created but before + # they are symlinked. This allows you to sync the files to disk to prevent + # creating a symlink to empty files on unexpected system crashes. + # + # This hook is not intended to be used for further processing of certificate + # files, see deploy_cert for that. + # + # Parameters: + # - KEYFILE + # The path of the file containing the private key. + # - CERTFILE + # The path of the file containing the signed certificate. + # - FULLCHAINFILE + # The path of the file containing the full certificate chain. + # - CHAINFILE + # The path of the file containing the intermediate certificate(s). + # - REQUESTFILE + # The path of the file containing the certificate signing request. - # Simple example: sync the files before symlinking them - # sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}" + # Simple example: sync the files before symlinking them + # sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}" } deploy_cert() { - local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" + local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" - # This hook is called once for each certificate that has been - # produced. Here you might, for instance, copy your new certificates - # to service-specific locations and reload the service. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. - # - CHAINFILE - # The path of the file containing the intermediate certificate(s). - # - TIMESTAMP - # Timestamp when the specified certificate was created. - - # Simple example: Copy file to nginx config - # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl - # systemctl reload nginx + # This hook is called once for each certificate that has been + # produced. Here you might, for instance, copy your new certificates + # to service-specific locations and reload the service. + # + # Parameters: + # - DOMAIN + # The primary domain name, i.e. the certificate common + # name (CN). + # - KEYFILE + # The path of the file containing the private key. + # - CERTFILE + # The path of the file containing the signed certificate. + # - FULLCHAINFILE + # The path of the file containing the full certificate chain. + # - CHAINFILE + # The path of the file containing the intermediate certificate(s). + # - TIMESTAMP + # Timestamp when the specified certificate was created. + + # Simple example: Copy file to nginx config + # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl + # systemctl reload nginx } deploy_ocsp() { - local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}" + local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}" - # This hook is called once for each updated ocsp stapling file that has - # been produced. Here you might, for instance, copy your new ocsp stapling - # files to service-specific locations and reload the service. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - OCSPFILE - # The path of the ocsp stapling file - # - TIMESTAMP - # Timestamp when the specified ocsp stapling file was created. - - # Simple example: Copy file to nginx config - # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl - # systemctl reload nginx + # This hook is called once for each updated ocsp stapling file that has + # been produced. Here you might, for instance, copy your new ocsp stapling + # files to service-specific locations and reload the service. + # + # Parameters: + # - DOMAIN + # The primary domain name, i.e. the certificate common + # name (CN). + # - OCSPFILE + # The path of the ocsp stapling file + # - TIMESTAMP + # Timestamp when the specified ocsp stapling file was created. + + # Simple example: Copy file to nginx config + # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl + # systemctl reload nginx } unchanged_cert() { - local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" + local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" - # This hook is called once for each certificate that is still - # valid and therefore wasn't reissued. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. - # - CHAINFILE - # The path of the file containing the intermediate certificate(s). + # This hook is called once for each certificate that is still + # valid and therefore wasn't reissued. + # + # Parameters: + # - DOMAIN + # The primary domain name, i.e. the certificate common + # name (CN). + # - KEYFILE + # The path of the file containing the private key. + # - CERTFILE + # The path of the file containing the signed certificate. + # - FULLCHAINFILE + # The path of the file containing the full certificate chain. + # - CHAINFILE + # The path of the file containing the intermediate certificate(s). } invalid_challenge() { - local DOMAIN="${1}" RESPONSE="${2}" + local DOMAIN="${1}" RESPONSE="${2}" - # This hook is called if the challenge response has failed, so domain - # owners can be aware and act accordingly. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - RESPONSE - # The response that the verification server returned + # This hook is called if the challenge response has failed, so domain + # owners can be aware and act accordingly. + # + # Parameters: + # - DOMAIN + # The primary domain name, i.e. the certificate common + # name (CN). + # - RESPONSE + # The response that the verification server returned - # Simple example: Send mail to root - # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root + # Simple example: Send mail to root + # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root } request_failure() { - local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}" + local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}" - # This hook is called when an HTTP request fails (e.g., when the ACME - # server is busy, returns an error, etc). It will be called upon any - # response code that does not start with '2'. Useful to alert admins - # about problems with requests. - # - # Parameters: - # - STATUSCODE - # The HTML status code that originated the error. - # - REASON - # The specified reason for the error. - # - REQTYPE - # The kind of request that was made (GET, POST...) - # - HEADERS - # HTTP headers returned by the CA + # This hook is called when an HTTP request fails (e.g., when the ACME + # server is busy, returns an error, etc). It will be called upon any + # response code that does not start with '2'. Useful to alert admins + # about problems with requests. + # + # Parameters: + # - STATUSCODE + # The HTML status code that originated the error. + # - REASON + # The specified reason for the error. + # - REQTYPE + # The kind of request that was made (GET, POST...) + # - HEADERS + # HTTP headers returned by the CA - # Simple example: Send mail to root - # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root + # Simple example: Send mail to root + # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root } generate_csr() { - local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}" + local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}" - # This hook is called before any certificate signing operation takes place. - # It can be used to generate or fetch a certificate signing request with external - # tools. - # The output should be just the certificate signing request formatted as PEM. - # - # Parameters: - # - DOMAIN - # The primary domain as specified in domains.txt. This does not need to - # match with the domains in the CSR, it's basically just the directory name. - # - CERTDIR - # Certificate output directory for this particular certificate. Can be used - # for storing additional files. - # - ALTNAMES - # All domain names for the current certificate as specified in domains.txt. - # Again, this doesn't need to match with the CSR, it's just there for convenience. - - # Simple example: Look for pre-generated CSRs - # if [ -e "${CERTDIR}/pre-generated.csr" ]; then - # cat "${CERTDIR}/pre-generated.csr" - # fi + # This hook is called before any certificate signing operation takes place. + # It can be used to generate or fetch a certificate signing request with external + # tools. + # The output should be just the certificate signing request formatted as PEM. + # + # Parameters: + # - DOMAIN + # The primary domain as specified in domains.txt. This does not need to + # match with the domains in the CSR, it's basically just the directory name. + # - CERTDIR + # Certificate output directory for this particular certificate. Can be used + # for storing additional files. + # - ALTNAMES + # All domain names for the current certificate as specified in domains.txt. + # Again, this doesn't need to match with the CSR, it's just there for convenience. + + # Simple example: Look for pre-generated CSRs + # if [ -e "${CERTDIR}/pre-generated.csr" ]; then + # cat "${CERTDIR}/pre-generated.csr" + # fi } startup_hook() { Binary files old/dehydrated-0.7.0/docs/logo.jpg and new/dehydrated-0.7.1/docs/logo.jpg differ Binary files old/dehydrated-0.7.0/docs/logo.png and new/dehydrated-0.7.1/docs/logo.png differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/per-certificate-config.md new/dehydrated-0.7.1/docs/per-certificate-config.md --- old/dehydrated-0.7.0/docs/per-certificate-config.md 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/docs/per-certificate-config.md 2022-10-31 15:12:38.000000000 +0100 @@ -11,6 +11,8 @@ - KEY_ALGO - KEYSIZE - OCSP_MUST_STAPLE +- OCSP_FETCH +- OCSP_DAYS - CHALLENGETYPE - HOOK - HOOK_CHAIN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/staging.md new/dehydrated-0.7.1/docs/staging.md --- old/dehydrated-0.7.0/docs/staging.md 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/docs/staging.md 2022-10-31 15:12:38.000000000 +0100 @@ -8,10 +8,7 @@ To avoid this, please set the CA property to the Let��s Encrypt staging server URL in your config file: ```bash -CA="https://acme-staging.api.letsencrypt.org/directory" +CA="https://acme-staging-v02.api.letsencrypt.org/directory" ``` -# ACMEv2 staging - -You can use `CA="https://acme-staging-v02.api.letsencrypt.org/directory"` to test dehydrated with -the ACMEv2 staging endpoint. +Alternatively you can define the CA using the CLI argument `--ca letsencrypt-test` (`letsencrypt-test` is an integrated preset-CA corresponding to the URL above). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/tls-alpn.md new/dehydrated-0.7.1/docs/tls-alpn.md --- old/dehydrated-0.7.0/docs/tls-alpn.md 2020-12-10 16:54:26.000000000 +0100 +++ new/dehydrated-0.7.1/docs/tls-alpn.md 2022-10-31 15:12:38.000000000 +0100 @@ -6,6 +6,26 @@ Dehydrated generates the required verification certificates, but the delivery is out of its scope. +### Example lighttpd config + +lighttpd can be configured to recognize ALPN `acme-tls/1` and to respond to such +requests using the specially crafted TLS certificates generated by dehydrated. +Configure lighttpd and dehydrated to use the same path for these certificates. +(Be sure to allow read access to the user account under which the lighttpd +server is running.) `mkdir -p /etc/dehydrated/alpn-certs` + +lighttpd.conf: +``` +ssl.acme-tls-1 = "/etc/dehydrated/alpn-certs" +``` + +When renewing certificates, specify `-t tls-alpn-01` and `--alpn /etc/dehydrated/alpn-certs` to dehydrated, e.g. +``` +dehydrated -t tls-alpn-01 --alpn /etc/dehydrated/alpn-certs -c --out /etc/lighttpd/certs -d www.example.com +# gracefully reload lighttpd to use the new certificates by sending lighttpd pid SIGUSR1 +systemctl reload lighttpd +``` + ### Example nginx config On an nginx tcp load-balancer you can use the `ssl_preread` module to map a different port for acme-tls

1 0

commit mimic for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mimic for openSUSE:Factory checked in at 2022-11-01 13:42:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mimic (Old) and /work/SRC/openSUSE:Factory/.mimic.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "mimic" Tue Nov 1 13:42:36 2022 rev:4 rq:1032543 version:1.3.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/mimic/mimic.changes 2021-04-19 21:07:23.340154372 +0200 +++ /work/SRC/openSUSE:Factory/.mimic.new.2275/mimic.changes 2022-11-01 13:42:43.187944462 +0100 @@ -1,0 +2,6 @@ +Mon Oct 31 14:45:25 UTC 2022 - Dominique Leuenberger <dimstar(a)opensuse.org> + +- Add mimic-HTS_Free.patch: use HTS_free instead of libc's free() + function (https://github.com/MycroftAI/mimic1/issues/231). + +------------------------------------------------------------------- New: ---- mimic-HTS_Free.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mimic.spec ++++++ --- /var/tmp/diff_new_pack.tCxuQK/_old 2022-11-01 13:42:44.819953144 +0100 +++ /var/tmp/diff_new_pack.tCxuQK/_new 2022-11-01 13:42:44.823953165 +0100 @@ -1,7 +1,7 @@ # # spec file for package mimic # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,6 +25,7 @@ Group: Productivity/Text/Convertors URL: https://mimic.mycroft.ai Source: https://github.com/MycroftAI/mimic/archive/%{version}.tar.gz +Patch0: mimic-HTS_Free.patch BuildRequires: automake BuildRequires: gcc BuildRequires: libtool @@ -63,7 +64,7 @@ This package contains the headers and development libraries for mimic. %prep -%setup -q -n %{name}1-%{version} +%autosetup -p1 -n %{name}1-%{version} %build ./autogen.sh ++++++ mimic-HTS_Free.patch ++++++ Index: mimic1-1.3.0.1/src/hts/hts_engine_API/lib/HTS_model.c =================================================================== --- mimic1-1.3.0.1.orig/src/hts/hts_engine_API/lib/HTS_model.c +++ mimic1-1.3.0.1/src/hts/hts_engine_API/lib/HTS_model.c @@ -698,7 +698,7 @@ static HTS_Boolean HTS_Model_load_pdf(HT } if (result == FALSE) { model->npdf += 2; - free(model->npdf); + HTS_free(model->npdf); HTS_Model_initialize(model); return FALSE; }

1 0

commit libadlmidi for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libadlmidi for openSUSE:Factory checked in at 2022-11-01 13:42:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libadlmidi (Old) and /work/SRC/openSUSE:Factory/.libadlmidi.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libadlmidi" Tue Nov 1 13:42:35 2022 rev:5 rq:1032544 version:1.5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/libadlmidi/libadlmidi.changes 2021-05-08 22:08:47.837384113 +0200 +++ /work/SRC/openSUSE:Factory/.libadlmidi.new.2275/libadlmidi.changes 2022-11-01 13:42:42.291939695 +0100 @@ -1,0 +2,17 @@ +Mon Oct 31 08:50:23 UTC 2022 - Martin Hauke <mardnh(a)gmx.de> + +- Update to version 1.5.1 + * Added an ability to disable the automatical arpeggio. + * Added an ability to set the count of loops (how many times to + play the song). + * Added an ability to disable/enable the playing of selected + MIDI channels. + * Fixed memory damages and crashes while playing XMI files. + * Added bank-specific MT32 defaults (to don't confuse XMI + playback between different games, works for AIL and IBK only, + and for WOPL if set at the header). + * Added the chip channels allocation mode option. + * Fixed the playback of multi-song XMI files. + * Added an ability to switch the XMI song on the fly. + +------------------------------------------------------------------- Old: ---- libADLMIDI-1.5.0.1-1.tar.gz New: ---- libADLMIDI-1.5.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libadlmidi.spec ++++++ --- /var/tmp/diff_new_pack.7snZTh/_old 2022-11-01 13:42:42.743942099 +0100 +++ /var/tmp/diff_new_pack.7snZTh/_new 2022-11-01 13:42:42.755942163 +0100 @@ -1,8 +1,8 @@ # # spec file for package libadlmidi # -# Copyright (c) 2021 SUSE LLC -# Copyright (c) 2019-2020, Martin Hauke <mardnh(a)gmx.de> +# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2019-2022, Martin Hauke <mardnh(a)gmx.de> # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,14 +20,14 @@ %define sover 1 %define libname libADLMIDI Name: libadlmidi -%define hyphver 1.5.0.1-1 -Version: 1.5.0.1.1 +%define hyphver 1.5.1 +Version: 1.5.1 Release: 0 Summary: A software MIDI synthesizer library with OPL3 emulation License: GPL-3.0-only AND LGPL-3.0-only Group: Development/Languages/C and C++ URL: https://github.com/Wohlstand/%{libname} -Source: %{URL}/archive/v%{hyphver}.tar.gz#/%{libname}-%{hyphver}.tar.gz +Source: https://github.com/Wohlstand/libADLMIDI/archive/refs/tags/v%{hyphver}.tar.g… BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: pkgconfig ++++++ libADLMIDI-1.5.0.1-1.tar.gz -> libADLMIDI-1.5.1.tar.gz ++++++ ++++ 11892 lines of diff (skipped)

1 0

commit rr for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rr for openSUSE:Factory checked in at 2022-11-01 13:42:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rr (Old) and /work/SRC/openSUSE:Factory/.rr.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "rr" Tue Nov 1 13:42:34 2022 rev:4 rq:1032539 version:5.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/rr/rr.changes 2022-08-16 17:08:06.235942733 +0200 +++ /work/SRC/openSUSE:Factory/.rr.new.2275/rr.changes 2022-11-01 13:42:41.735936738 +0100 @@ -1,0 +2,6 @@ +Mon Oct 31 14:09:34 UTC 2022 - Dominique Leuenberger <dimstar(a)opensuse.org> + +- Add 2979c60e.patch: Avoid creating a struct with elements after + ethtool_sset_info's variable-length-array. + +------------------------------------------------------------------- New: ---- 2979c60e.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rr.spec ++++++ --- /var/tmp/diff_new_pack.Wc96V8/_old 2022-11-01 13:42:42.115938759 +0100 +++ /var/tmp/diff_new_pack.Wc96V8/_new 2022-11-01 13:42:42.119938780 +0100 @@ -24,6 +24,7 @@ Group: Development/Languages/C and C++ URL: https://rr-project.org/ Source: https://github.com/mozilla/%{name}/archive/%{version}.tar.gz +Patch0: https://github.com/rr-debugger/rr/commit/2979c60e.patch BuildRequires: capnproto BuildRequires: cmake BuildRequires: gcc-c++ @@ -46,7 +47,7 @@ data watchpoints and quickly reverse-execute to where they were hit. %prep -%setup -q +%autosetup -p1 %build # Fix incorrect path to bash ++++++ 2979c60e.patch ++++++ From 2979c60ef8bbf7c940afd90172ddc5d8863f766e Mon Sep 17 00:00:00 2001 From: Robert O'Callahan <robert(a)ocallahan.org> Date: Thu, 25 Aug 2022 20:40:59 +1200 Subject: [PATCH] Avoid creating a struct with elements after ethtool_sset_info's variable-length-array. Resolves #3369 --- src/record_syscall.cc | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/src/record_syscall.cc b/src/record_syscall.cc index 2e4cdec35..48544e1df 100644 --- a/src/record_syscall.cc +++ b/src/record_syscall.cc @@ -1450,17 +1450,17 @@ template <typename Arch> void get_ethtool_gstrings_arch(RecordTask* t) { AutoRemoteSyscalls remote(t); // Do a ETHTOOL_GSSET_INFO to get the number of strings - struct SingleStringSet { - ethtool_sset_info et; - uint32_t data; - }; - SingleStringSet sss; - sss.et.cmd = ETHTOOL_GSSET_INFO; - sss.et.reserved = 0; - sss.et.sset_mask = 1 << et_gstrings.string_set; - AutoRestoreMem sss_mem(remote, &sss, sizeof(sss)); - - ifreq.ifr_ifru.ifru_data = sss_mem.get(); + ethtool_sset_info et; + et.cmd = ETHTOOL_GSSET_INFO; + et.reserved = 0; + et.sset_mask = 1 << et_gstrings.string_set; + std::vector<uint8_t> buffer; + buffer.resize(sizeof(et) + sizeof(uint32_t)); + memcpy(buffer.data(), &et, sizeof(et)); + memset(buffer.data() + sizeof(et), 0, sizeof(uint32_t)); + AutoRestoreMem et_mem(remote, buffer.data(), buffer.size()); + + ifreq.ifr_ifru.ifru_data = et_mem.get(); AutoRestoreMem ifr_mem(remote, &ifreq, sizeof(ifreq)); long ret = remote.syscall(regs.original_syscallno(), regs.arg1(), @@ -1470,8 +1470,7 @@ template <typename Arch> void get_ethtool_gstrings_arch(RecordTask* t) { return; } - sss = t->read_mem(sss_mem.get().cast<SingleStringSet>()); - + uint32_t data = t->read_mem((et_mem.get() + sizeof(et)).cast<uint32_t>()); // Now do the ETHTOOL_GSTRINGS call ret = remote.syscall(regs.original_syscallno(), regs.arg1(), SIOCETHTOOL, regs.arg3()); @@ -1479,7 +1478,7 @@ template <typename Arch> void get_ethtool_gstrings_arch(RecordTask* t) { if (ret < 0) { return; } - t->record_remote(orig_gstrings, sizeof(ethtool_gstrings) + ETH_GSTRING_LEN*sss.data); + t->record_remote(orig_gstrings, sizeof(ethtool_gstrings) + ETH_GSTRING_LEN*data); } static void get_ethtool_gstrings(RecordTask* t) {

1 0

commit sbcl for openSUSE:Factory
by Source-Sync 01 Nov '22

01 Nov '22

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sbcl for openSUSE:Factory checked in at 2022-11-01 13:42:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sbcl (Old) and /work/SRC/openSUSE:Factory/.sbcl.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "sbcl" Tue Nov 1 13:42:30 2022 rev:83 rq:1032537 version:2.2.10 Changes: -------- --- /work/SRC/openSUSE:Factory/sbcl/sbcl.changes 2022-10-01 17:43:05.077662293 +0200 +++ /work/SRC/openSUSE:Factory/.sbcl.new.2275/sbcl.changes 2022-11-01 13:42:40.503930183 +0100 @@ -1,0 +2,20 @@ +Mon Oct 31 14:36:47 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com> + +- Update to version 2.2.10 + * platform support: + ** win32: improved handling of stack overflow exceptions. (lp#1302866) + ** Mac OS X: enforce stronger alignment when building the runtime. + (lp#1991485, reported by Yan) + ** arm64: support for building the system without the sb-unicode feature + (i.e. with 8-bit characters) is restored. + * bug fix: do not elide the GC store barrier in closures. (lp#1982608, + reported by Andrew Berkley) + * bug fix: make sb-introspect tests pass when the system is built without + support for source locations. (lp#1635349, reported by Tomas Hlavaty) + * bug fix: erroneous assumption that the format-control of a simple condition + was a string. (lp#1803727) + * bug fix: compiler consistency failure in modular arithmetic widening. + (lp#1990715) + * bug fix: provide a stub for a helper function (lp#1992316) + +------------------------------------------------------------------- Old: ---- sbcl-2.2.9-source.tar.bz2 New: ---- sbcl-2.2.10-source.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sbcl.spec ++++++ --- /var/tmp/diff_new_pack.wmWkS8/_old 2022-11-01 13:42:41.507935524 +0100 +++ /var/tmp/diff_new_pack.wmWkS8/_new 2022-11-01 13:42:41.511935546 +0100 @@ -21,7 +21,7 @@ Name: sbcl #!BuildIgnore: gcc-PIE -Version: 2.2.9 +Version: 2.2.10 Release: 0 Summary: Steel Bank Common Lisp License: BSD-3-Clause AND SUSE-Public-Domain ++++++ sbcl-2.2.9-source.tar.bz2 -> sbcl-2.2.10-source.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/sbcl/sbcl-2.2.9-source.tar.bz2 /work/SRC/openSUSE:Factory/.sbcl.new.2275/sbcl-2.2.10-source.tar.bz2 differ: char 11, line 1

1 0