openSUSE Commits
November 2022
- 1 participants
- 2423 discussions
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rage-encryption for openSUSE:Factory checked in at 2022-11-01 13:42:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rage-encryption (Old)
and /work/SRC/openSUSE:Factory/.rage-encryption.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rage-encryption"
Tue Nov 1 13:42:56 2022 rev:8 rq:1032554 version:0.9.0+0
Changes:
--------
--- /work/SRC/openSUSE:Factory/rage-encryption/rage-encryption.changes 2022-08-13 22:36:41.054647374 +0200
+++ /work/SRC/openSUSE:Factory/.rage-encryption.new.2275/rage-encryption.changes 2022-11-01 13:42:57.316019621 +0100
@@ -1,0 +2,11 @@
+Mon Oct 31 02:20:35 UTC 2022 - william.brown(a)suse.com
+
+- Update to version 0.9.0+0:
+ * v0.9.0
+ * use pkcs1 crate to parse RSAPrivateKey ASN.1 object
+ * qa: Add workflow that runs `cargo vet --locked`
+ * qa: Import `cargo vet` audits from Firefox and zcashd
+ * qa: Add `crypto-reviewed` criteria or `cargo vet`
+ * qa: `cargo vet init`
+
+-------------------------------------------------------------------
Old:
----
rage-0.8.1+0.tar.gz
New:
----
rage-0.9.0+0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rage-encryption.spec ++++++
--- /var/tmp/diff_new_pack.Drw8Ac/_old 2022-11-01 13:42:58.408025430 +0100
+++ /var/tmp/diff_new_pack.Drw8Ac/_new 2022-11-01 13:42:58.412025452 +0100
@@ -20,7 +20,7 @@
Name: rage-encryption
# This will be set by osc services, that will run after this.
-Version: 0.8.1+0
+Version: 0.9.0+0
Release: 0
Summary: Simple, modern, and secure file encryption tool
# If you know the license, put it's SPDX string here.
++++++ _service ++++++
--- /var/tmp/diff_new_pack.Drw8Ac/_old 2022-11-01 13:42:58.448025643 +0100
+++ /var/tmp/diff_new_pack.Drw8Ac/_new 2022-11-01 13:42:58.452025664 +0100
@@ -3,7 +3,7 @@
<param name="url">https://github.com/str4d/rage.git</param>
<param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
<param name="scm">git</param>
- <param name="revision">v0.8.1</param>
+ <param name="revision">v0.9.0</param>
<param name="match-tag">*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
++++++ rage-0.8.1+0.tar.gz -> rage-0.9.0+0.tar.gz ++++++
++++ 10363 lines of diff (skipped)
++++++ vendor.tar.xz ++++++
/work/SRC/openSUSE:Factory/rage-encryption/vendor.tar.xz /work/SRC/openSUSE:Factory/.rage-encryption.new.2275/vendor.tar.xz differ: char 25, line 1
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-azure-mgmt-netapp for openSUSE:Factory checked in at 2022-11-01 13:42:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-azure-mgmt-netapp (Old)
and /work/SRC/openSUSE:Factory/.python-azure-mgmt-netapp.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-azure-mgmt-netapp"
Tue Nov 1 13:42:54 2022 rev:20 rq:1032551 version:9.0.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-azure-mgmt-netapp/python-azure-mgmt-netapp.changes 2022-09-29 18:12:41.287176829 +0200
+++ /work/SRC/openSUSE:Factory/.python-azure-mgmt-netapp.new.2275/python-azure-mgmt-netapp.changes 2022-11-01 13:42:55.668010854 +0100
@@ -1,0 +2,8 @@
+Mon Oct 31 12:12:50 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com>
+
+- New upstream release
+ + Version 9.0.1
+ + For detailed information about changes see the
+ CHANGELOG.md file provided with this package
+
+-------------------------------------------------------------------
Old:
----
azure-mgmt-netapp-9.0.0.zip
New:
----
azure-mgmt-netapp-9.0.1.zip
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-azure-mgmt-netapp.spec ++++++
--- /var/tmp/diff_new_pack.uHLUUA/_old 2022-11-01 13:42:56.196013663 +0100
+++ /var/tmp/diff_new_pack.uHLUUA/_new 2022-11-01 13:42:56.204013705 +0100
@@ -21,7 +21,7 @@
%define skip_python2 1
%endif
Name: python-azure-mgmt-netapp
-Version: 9.0.0
+Version: 9.0.1
Release: 0
Summary: Microsoft Azure NetApp Files Management Client Library
License: MIT
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-azure-mgmt-redis for openSUSE:Factory checked in at 2022-11-01 13:42:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-azure-mgmt-redis (Old)
and /work/SRC/openSUSE:Factory/.python-azure-mgmt-redis.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-azure-mgmt-redis"
Tue Nov 1 13:42:54 2022 rev:12 rq:1032552 version:14.1.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-azure-mgmt-redis/python-azure-mgmt-redis.changes 2022-09-07 11:05:58.944398257 +0200
+++ /work/SRC/openSUSE:Factory/.python-azure-mgmt-redis.new.2275/python-azure-mgmt-redis.changes 2022-11-01 13:42:56.352014493 +0100
@@ -1,0 +2,9 @@
+Mon Oct 31 12:32:24 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com>
+
+- New upstream release
+ + Version 14.1.0
+ + For detailed information about changes see the
+ CHANGELOG.md file provided with this package
+- Update Requires from setup.py
+
+-------------------------------------------------------------------
Old:
----
azure-mgmt-redis-14.0.0.zip
New:
----
azure-mgmt-redis-14.1.0.zip
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-azure-mgmt-redis.spec ++++++
--- /var/tmp/diff_new_pack.v2Hr84/_old 2022-11-01 13:42:56.808016919 +0100
+++ /var/tmp/diff_new_pack.v2Hr84/_new 2022-11-01 13:42:56.812016940 +0100
@@ -21,7 +21,7 @@
%define skip_python2 1
%endif
Name: python-azure-mgmt-redis
-Version: 14.0.0
+Version: 14.1.0
Release: 0
Summary: Microsoft Azure Redis Cache Management Client Library
License: MIT
@@ -42,6 +42,9 @@
Requires: python-azure-mgmt-nspkg >= 3.0.0
Requires: python-azure-nspkg >= 3.0.0
Requires: python-msrest >= 0.7.1
+%if %{python_version_nodots} < 38
+Requires: python-typing_extensions >= 4.3.0
+%endif
Conflicts: python-azure-sdk <= 2.0.0
BuildArch: noarch
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package putty for openSUSE:Factory checked in at 2022-11-01 13:42:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/putty (Old)
and /work/SRC/openSUSE:Factory/.putty.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "putty"
Tue Nov 1 13:42:52 2022 rev:29 rq:1032546 version:0.78
Changes:
--------
--- /work/SRC/openSUSE:Factory/putty/putty.changes 2022-05-30 12:43:52.592384633 +0200
+++ /work/SRC/openSUSE:Factory/.putty.new.2275/putty.changes 2022-11-01 13:42:54.180002938 +0100
@@ -1,0 +2,27 @@
+Sun Oct 30 19:54:34 UTC 2022 - Jan Engelhardt <jengelh(a)inai.de>
+
+- Update to release 0.78
+ * Support for OpenSSH certificates, for both user
+ authentication keys and host keys.
+ * New SSH proxy modes, for running a custom shell command or
+ subsystem on the proxy server instead of forwarding a port
+ through it.
+ * New plugin system to allow a helper program to provide
+ responses in keyboard-interactive authentication, intended to
+ automate one-time password systems.
+ * Support for NTRU Prime post-quantum key exchange,
+ * Support for AES-GCM (in the OpenSSH style rather than
+ RFC��5647).
+ * Support for more forms of Diffie-Hellman key exchange: new
+ larger integer groups (such as group16 and group18), and
+ support for using those and ECDH with GSSAPI.
+ * Bug fix: server-controlled window title setting now works
+ again even if the character set is ISO 8859 (or a few other
+ affected single-byte character sets).
+ * Bug fix: certain forms of OSC escape sequences (sent by some
+ real servers) could cause PuTTY to crash.
+ * Bug fix: the -pwfile/-pw options no longer affect local key
+ passphrase prompts, and no longer suppress Plink's
+ anti-spoofing measures.
+
+-------------------------------------------------------------------
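Review bot: the entry lists only the upstream release notes and does not mention that putty-03-config.diff was rebased onto 0.78, which this commit also does. Add a "- Refresh putty-03-config.diff" line so the local patch change is recorded; the NTRU Prime bullet also ends in a comma where the other bullets end in a period.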
Old:
----
putty-0.77.tar.gz
putty-0.77.tar.gz.gpg
New:
----
putty-0.78.tar.gz
putty-0.78.tar.gz.gpg
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ putty.spec ++++++
--- /var/tmp/diff_new_pack.Njh987/_old 2022-11-01 13:42:54.808006279 +0100
+++ /var/tmp/diff_new_pack.Njh987/_new 2022-11-01 13:42:54.812006300 +0100
@@ -17,7 +17,7 @@
Name: putty
-Version: 0.77
+Version: 0.78
Release: 0
Summary: SSH client with optional GTK-based terminal emulator frontend
License: MIT
++++++ putty-0.77.tar.gz -> putty-0.78.tar.gz ++++++
++++ 47502 lines of diff (skipped)
++++++ putty-03-config.diff ++++++
--- /var/tmp/diff_new_pack.Njh987/_old 2022-11-01 13:42:55.200008364 +0100
+++ /var/tmp/diff_new_pack.Njh987/_new 2022-11-01 13:42:55.204008385 +0100
@@ -10,21 +10,21 @@
windows/utils/defaults.c | 2 -
3 files changed, 35 insertions(+), 22 deletions(-)
-Index: putty-0.77/settings.c
+Index: putty-0.78/settings.c
===================================================================
---- putty-0.77.orig/settings.c
-+++ putty-0.77/settings.c
-@@ -17,8 +17,8 @@
- static const struct keyvalwhere ciphernames[] = {
+--- putty-0.78.orig/settings.c
++++ putty-0.78/settings.c
+@@ -18,8 +18,8 @@ static const struct keyvalwhere cipherna
{ "aes", CIPHER_AES, -1, -1 },
{ "chacha20", CIPHER_CHACHA20, CIPHER_AES, +1 },
+ { "aesgcm", CIPHER_AESGCM, CIPHER_CHACHA20, +1 },
- { "3des", CIPHER_3DES, -1, -1 },
{ "WARN", CIPHER_WARN, -1, -1 },
+ { "3des", CIPHER_3DES, -1, -1 },
{ "des", CIPHER_DES, -1, -1 },
{ "blowfish", CIPHER_BLOWFISH, -1, -1 },
{ "arcfour", CIPHER_ARCFOUR, -1, -1 },
-@@ -862,7 +862,7 @@ void load_open_settings(settings_r *sess
+@@ -878,7 +878,7 @@ void load_open_settings(settings_r *sess
}
gppb(sesskey, "TCPNoDelay", true, conf, CONF_tcp_nodelay);
gppb(sesskey, "TCPKeepalives", false, conf, CONF_tcp_keepalives);
@@ -33,7 +33,7 @@
gpps(sesskey, "TerminalSpeed", "38400,38400", conf, CONF_termspeed);
if (gppmap(sesskey, "TerminalModes", conf, CONF_ttymodes)) {
/*
-@@ -1046,12 +1046,12 @@ void load_open_settings(settings_r *sess
+@@ -1064,12 +1064,12 @@ void load_open_settings(settings_r *sess
gppb(sesskey, "PassiveTelnet", false, conf, CONF_passive_telnet);
gppb(sesskey, "BackspaceIsDelete", true, conf, CONF_bksp_is_delete);
gppb(sesskey, "RXVTHomeEnd", false, conf, CONF_rxvt_homeend);
@@ -48,7 +48,7 @@
gppb(sesskey, "NoRemoteResize", false, conf, CONF_no_remote_resize);
gppb(sesskey, "NoAltScreen", false, conf, CONF_no_alt_screen);
gppb(sesskey, "NoRemoteWinTitle", false, conf, CONF_no_remote_wintitle);
-@@ -1073,9 +1073,9 @@ void load_open_settings(settings_r *sess
+@@ -1091,9 +1091,9 @@ void load_open_settings(settings_r *sess
gppb(sesskey, "ApplicationKeypad", false, conf, CONF_app_keypad);
gppb(sesskey, "NetHackKeypad", false, conf, CONF_nethack_keypad);
gppb(sesskey, "AltF4", true, conf, CONF_alt_f4);
@@ -60,7 +60,7 @@
gppb(sesskey, "CtrlAltKeys", true, conf, CONF_ctrlaltkeys);
#ifdef OSX_META_KEY_CONFIG
gppb(sesskey, "OSXOptionMeta", true, conf, CONF_osx_option_meta);
-@@ -1087,12 +1087,12 @@ void load_open_settings(settings_r *sess
+@@ -1105,12 +1105,12 @@ void load_open_settings(settings_r *sess
gppi(sesskey, "LocalEdit", AUTO, conf, CONF_localedit);
gpps(sesskey, "Answerback", "PuTTY", conf, CONF_answerback);
gppb(sesskey, "AlwaysOnTop", false, conf, CONF_alwaysontop);
@@ -75,7 +75,7 @@
gppb(sesskey, "BlinkCur", false, conf, CONF_blink_cur);
/* pedantic compiler tells me I can't use conf, CONF_beep as an int * :-) */
gppi(sesskey, "Beep", 1, conf, CONF_beep);
-@@ -1127,10 +1127,10 @@ void load_open_settings(settings_r *sess
+@@ -1145,10 +1145,10 @@ void load_open_settings(settings_r *sess
gppb(sesskey, "CRImpliesLF", false, conf, CONF_crhaslf);
gppb(sesskey, "DisableArabicShaping", false, conf, CONF_no_arabicshaping);
gppb(sesskey, "DisableBidi", false, conf, CONF_no_bidi);
@@ -88,7 +88,7 @@
gppfont(sesskey, "Font", conf, CONF_font);
gppi(sesskey, "FontQuality", FQ_DEFAULT, conf, CONF_font_quality);
gppi(sesskey, "FontVTMode", VT_UNICODE, conf, CONF_vtmode);
-@@ -1143,11 +1143,28 @@ void load_open_settings(settings_r *sess
+@@ -1161,11 +1161,28 @@ void load_open_settings(settings_r *sess
for (i = 0; i < 22; i++) {
static const char *const defaults[] = {
@@ -122,7 +122,7 @@
};
char buf[20], *buf2;
int c0, c1, c2;
-@@ -1205,7 +1222,7 @@ void load_open_settings(settings_r *sess
+@@ -1223,7 +1240,7 @@ void load_open_settings(settings_r *sess
* The empty default for LineCodePage will be converted later
* into a plausible default for the locale.
*/
@@ -131,11 +131,11 @@
gppb(sesskey, "CJKAmbigWide", false, conf, CONF_cjk_ambig_wide);
gppb(sesskey, "UTF8Override", true, conf, CONF_utf8_override);
gpps(sesskey, "Printer", "", conf, CONF_printer);
-Index: putty-0.77/unix/platform.h
+Index: putty-0.78/unix/platform.h
===================================================================
---- putty-0.77.orig/unix/platform.h
-+++ putty-0.77/unix/platform.h
-@@ -389,11 +389,7 @@ void setup_fd_socket(Socket *s, int infd
+--- putty-0.78.orig/unix/platform.h
++++ putty-0.78/unix/platform.h
+@@ -394,11 +394,7 @@ void fd_socket_set_psb_prefix(Socket *s,
/*
* Default font setting, which can vary depending on NOT_X_WINDOWS.
*/
@@ -148,10 +148,10 @@
/*
* pty.c.
-Index: putty-0.77/windows/utils/defaults.c
+Index: putty-0.78/windows/utils/defaults.c
===================================================================
---- putty-0.77.orig/windows/utils/defaults.c
-+++ putty-0.77/windows/utils/defaults.c
+--- putty-0.78.orig/windows/utils/defaults.c
++++ putty-0.78/windows/utils/defaults.c
@@ -9,7 +9,7 @@
FontSpec *platform_default_fontspec(const char *name)
{
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package crash for openSUSE:Factory checked in at 2022-11-01 13:42:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crash (Old)
and /work/SRC/openSUSE:Factory/.crash.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crash"
Tue Nov 1 13:42:50 2022 rev:180 rq:1032553 version:7.3.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/crash/crash.changes 2021-11-20 02:39:48.460648002 +0100
+++ /work/SRC/openSUSE:Factory/.crash.new.2275/crash.changes 2022-11-01 13:42:52.503994022 +0100
@@ -1,0 +2,48 @@
+Tue Oct 25 22:03:56 UTC 2022 - David Mair <dmair(a)suse.com>
+
+- make of crash extensions was failing due to extension shared
+ objects depending on extension source file plus defs.h. defs.h is
+ hardlinked from the crash base source directory before the .so
+ make rule but make reports it doesn't know how to make requirement
+ defs.h. I added a rule for defs.h in the extensions Makefile that
+ creates defs.h the same way as was previously used but satisfies
+ the dependency resolution on demand then the make succeeded.
+ * crash-extensions-rule-for-defs.patch
+ (bsc#1204587)
+
+-------------------------------------------------------------------
+Tue Feb 15 19:48:44 UTC 2022 - David Mair <dmair(a)suse.com>
+
+- Update to crash 7.3.1
+ - Refresh
+ * eppic-switch-to-system-lib.patch
+ - Remove patches present in version upgrade
+ * 0001-Fix-for-kmem-s-S-option-on-Linux-5.7-and-later-kerne.patch
+ * 0002-memory-Add-support-for-SECTION_TAINT_ZONE_DEVICE-fla.patch
+ * 0003-memory-Fix-for-kmem-n-option-to-display-NID-correctl.patch
+ * 0004-defs.h-Fix-the-value-of-TIF_SIGPENDING-macro.patch
+ * 0005-Fix-waitq-command-for-Linux-4.13-and-later-kernels.patch
+ * 0006-Handle-task_struct-state-member-changes-for-kernels-.patch
+ * 0007-arm64-rename-ARM64_PAGE_OFFSET_ACTUAL-to-ARM64_FLIP_.patch
+ * 0008-arm64-assign-page_offset-with-VA_BITS-kernel-configu.patch
+ * 0009-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch
+ * 0010-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch
+ * 0011-diskdump-Fail-readmem-early-if-dump-is-incomplete.patch
+ * 0012-netdump-Permit-zero_excluded-for-incomplete-ELF-dump.patch
+ * 0013-diskdump-Print-total-number-of-dumpable-pages.patch
+ * 0014-diskdump-Introduce-read_pd.patch
+ * 0015-x86_64-Fix-check-for-__per_cpu_offset-initialization.patch
+ * 0016-arm64-Get-CPU-registers-from-ELF-notes-even-without-.patch
+ * 0017-ppc64-Add-MMU-type-info-in-machdep-command.patch
+ * 0018-diskdump-Add-support-for-reading-dumpfiles-compresse.patch
+ * 0020-arm64-Use-VA_BITS-for-page_offset-calculation.patch
+ * crash-mod-fix-module-object-file-lookup.patch
+ * crash-xen-pvops.patch
+
+-------------------------------------------------------------------
+Thu Dec 16 10:05:36 UTC 2021 - Ludwig Nussel <lnussel(a)suse.de>
+
+- UsrMerge: debug info is in /usr/lib/debug/usr/lib/modules
+ (boo#1190434, crash-usrmerge.patch)
+
+-------------------------------------------------------------------
Old:
----
0001-Fix-for-kmem-s-S-option-on-Linux-5.7-and-later-kerne.patch
0002-memory-Add-support-for-SECTION_TAINT_ZONE_DEVICE-fla.patch
0003-memory-Fix-for-kmem-n-option-to-display-NID-correctl.patch
0004-defs.h-Fix-the-value-of-TIF_SIGPENDING-macro.patch
0005-Fix-waitq-command-for-Linux-4.13-and-later-kernels.patch
0006-Handle-task_struct-state-member-changes-for-kernels-.patch
0007-arm64-rename-ARM64_PAGE_OFFSET_ACTUAL-to-ARM64_FLIP_.patch
0008-arm64-assign-page_offset-with-VA_BITS-kernel-configu.patch
0009-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch
0010-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch
0011-diskdump-Fail-readmem-early-if-dump-is-incomplete.patch
0012-netdump-Permit-zero_excluded-for-incomplete-ELF-dump.patch
0013-diskdump-Print-total-number-of-dumpable-pages.patch
0014-diskdump-Introduce-read_pd.patch
0015-x86_64-Fix-check-for-__per_cpu_offset-initialization.patch
0016-arm64-Get-CPU-registers-from-ELF-notes-even-without-.patch
0017-ppc64-Add-MMU-type-info-in-machdep-command.patch
0018-diskdump-Add-support-for-reading-dumpfiles-compresse.patch
0020-arm64-Use-VA_BITS-for-page_offset-calculation.patch
crash-7.3.0.tar.gz
crash-mod-fix-module-object-file-lookup.patch
crash-xen-pvops.patch
New:
----
crash-7.3.1.tar.gz
crash-extensions-rule-for-defs.patch
crash-usrmerge.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ crash.spec ++++++
--- /var/tmp/diff_new_pack.tosWPe/_old 2022-11-01 13:42:53.551999597 +0100
+++ /var/tmp/diff_new_pack.tosWPe/_new 2022-11-01 13:42:53.563999661 +0100
@@ -1,7 +1,7 @@
#
# spec file for package crash
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -62,9 +62,9 @@
Summary: Crash utility for live systems; netdump, diskdump, LKCD or mcore dumpfiles
License: GFDL-1.2-only AND GPL-3.0-or-later
Group: Development/Tools/Debuggers
-Version: 7.3.0
+Version: 7.3.1
Release: 0
-Source: https://github.com/crash-utility/crash/archive/7.3.0.tar.gz#/%{name}-%{vers…
+Source: https://github.com/crash-utility/crash/archive/7.3.1.tar.gz#/%{name}-%{vers…
Source1: http://ftp.gnu.org/gnu/gdb/gdb-7.6.tar.gz
Source2: crash_whitepaper-%{whitepaper_version}.tar.bz2
Source3: README.SUSE
@@ -97,31 +97,10 @@
Patch27: %{name}-Define-fallback-PN_XNUM.patch
Patch29: eppic-remove-duplicate-symbols.patch
Patch30: %{name}-enable-zstd-support.patch
-# PATCH-FIX-UPSTREAM - https://github.com/crash-utility/crash/commit/4badc6229c69f5cd9da7eb7bdf400…
-Patch46: %{name}-xen-pvops.patch
-# PATCH-FIX-UPSTREAM - https://github.com/crash-utility/crash/commit/cf0c8d10e1870d89b39f40382634d…
-Patch47: %{name}-mod-fix-module-object-file-lookup.patch
-Patch48: 0001-Fix-for-kmem-s-S-option-on-Linux-5.7-and-later-kerne.patch
-Patch49: 0002-memory-Add-support-for-SECTION_TAINT_ZONE_DEVICE-fla.patch
-Patch50: 0003-memory-Fix-for-kmem-n-option-to-display-NID-correctl.patch
-Patch51: 0004-defs.h-Fix-the-value-of-TIF_SIGPENDING-macro.patch
-Patch52: 0005-Fix-waitq-command-for-Linux-4.13-and-later-kernels.patch
-Patch53: 0006-Handle-task_struct-state-member-changes-for-kernels-.patch
-Patch54: 0007-arm64-rename-ARM64_PAGE_OFFSET_ACTUAL-to-ARM64_FLIP_.patch
-Patch55: 0008-arm64-assign-page_offset-with-VA_BITS-kernel-configu.patch
-Patch56: 0009-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch
-Patch57: 0010-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch
-Patch58: 0011-diskdump-Fail-readmem-early-if-dump-is-incomplete.patch
-Patch59: 0012-netdump-Permit-zero_excluded-for-incomplete-ELF-dump.patch
-Patch60: 0013-diskdump-Print-total-number-of-dumpable-pages.patch
-Patch61: 0014-diskdump-Introduce-read_pd.patch
-Patch62: 0015-x86_64-Fix-check-for-__per_cpu_offset-initialization.patch
-Patch63: 0016-arm64-Get-CPU-registers-from-ELF-notes-even-without-.patch
-Patch64: 0017-ppc64-Add-MMU-type-info-in-machdep-command.patch
-Patch65: 0018-diskdump-Add-support-for-reading-dumpfiles-compresse.patch
+Patch31: %{name}-extensions-rule-for-defs.patch
Patch66: 0019-Add-kernel-version-dependent-check-for-getting-lengt.patch
-Patch67: 0020-arm64-Use-VA_BITS-for-page_offset-calculation.patch
Patch90: %{name}-sial-ps-2.6.29.diff
+Patch99: %{name}-usrmerge.patch
BuildRequires: bison
BuildRequires: flex
BuildRequires: libeppic-devel
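Review bot: `Patch31` and `Patch99` are added without the kind of origin comment that the removed `Patch46` and `Patch47` lines carried (`# PATCH-FIX-UPSTREAM - ...`). Put a tag line above each one giving the bug reference from the changelog (bsc#1204587 for the defs.h rule, boo#1190434 for usrmerge) and the upstream status, so the next version bump can tell whether they are still needed.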
@@ -321,28 +300,7 @@
%patch24 -p1
%endif
%patch27 -p1
-%patch46 -p1
-%patch47 -p1
-%patch48 -p1
-%patch49 -p1
-%patch50 -p1
-%patch51 -p1
-%patch52 -p1
-%patch53 -p1
-%patch54 -p1
-%patch55 -p1
-%patch56 -p1
-%patch57 -p1
-%patch58 -p1
-%patch59 -p1
-%patch60 -p1
-%patch61 -p1
-%patch62 -p1
-%patch63 -p1
-%patch64 -p1
-%patch65 -p1
%patch66 -p1
-%patch67 -p1
%if %{have_snappy}
%patch15 -p1
%endif
@@ -355,6 +313,8 @@
# cp "$f" "${base#%{name}-}"
#done
+%patch31 -p1
+
## SIAL patches
cd sial-scripts-%{scripts_version}
%patch90 -p1
@@ -369,6 +329,9 @@
cp %{S:3} .
mkdir kbuild
cp %{S:6} memory_driver
+%if 0%{?suse_version} > 1550
+%patch99 -p1
+%endif
%build
%ifarch ppc64le ppc64
++++++ crash-7.3.0.tar.gz -> crash-7.3.1.tar.gz ++++++
++++ 2261 lines of diff (skipped)
++++++ crash-extensions-rule-for-defs.patch ++++++
Index: b/extensions/Makefile
===================================================================
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -32,6 +32,8 @@ link_defs:
@rm -f defs.h
@ln ../defs.h
+defs.h: link_defs
+
$(CONTRIB_SO): %.so: %.c defs.h
@if [ -f $*.mk ]; then \
make -f $*.mk; \
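Review bot: the added `defs.h: link_defs` rule makes defs.h depend on a target whose recipe (`rm -f defs.h`, `ln ../defs.h`) never creates a file called link_defs, so make treats link_defs as always out of date and every `%.so` that lists defs.h is rebuilt on each run. If that is not wanted, make the rule depend on the real file and do the link itself, for example `defs.h: ../defs.h` with a recipe of `ln -f ../defs.h defs.h`; if it is acceptable, declare link_defs as `.PHONY` so the intent is explicit.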
++++++ crash-usrmerge.patch ++++++
From: Ludwig Nussel <lnussel(a)suse.de>
Subject: debug info is in /usr/lib/debug/usr/lib/modules
References: boo#1190434
Upstream: to be done (must not break Red Hat)
---
defs.h | 2 +-
help.c | 2 +-
symbols.c | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
--- a/defs.h
+++ b/defs.h
@@ -406,7 +406,7 @@ struct number_option {
#define PIPE_OPTIONS (FROM_COMMAND_LINE | FROM_INPUT_FILE | REDIRECT_TO_PIPE | \
REDIRECT_TO_STDPIPE | REDIRECT_TO_FILE)
-#define DEFAULT_REDHAT_DEBUG_LOCATION "/usr/lib/debug/lib/modules"
+#define DEFAULT_REDHAT_DEBUG_LOCATION "/usr/lib/debug/usr/lib/modules"
#define MEMORY_DRIVER_MODULE "crash"
#define MEMORY_DRIVER_DEVICE "/dev/crash"
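Review bot: `DEFAULT_REDHAT_DEBUG_LOCATION` is replaced outright instead of being extended, so a binary built with this patch no longer searches `/usr/lib/debug/lib/modules` at all. The patch header already flags this ("must not break Red Hat"); for the upstream submission keep the old path as a second location that is tried as a fallback, and state in the description that the spec applies this patch only when `suse_version > 1550`.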
--- a/help.c
+++ b/help.c
@@ -9445,7 +9445,7 @@ README_ENTER_DIRECTORY,
README_MEMORY_DRIVER,
"",
" If the kernel file is stored in /boot, /, /boot/efi, or in any /usr/src",
-" or /usr/lib/debug/lib/modules subdirectory, then no command line arguments",
+" or " DEFAULT_REDHAT_DEBUG_LOCATION " subdirectory, then no command line arguments",
" are required -- the first kernel found that matches /proc/version will be",
" used as the namelist.",
" ",
--- a/symbols.c
+++ b/symbols.c
@@ -299,7 +299,7 @@ check_gnu_debuglink(bfd *bfd)
if ((pc->debuginfo_file = (char *)
malloc(((strlen(namelist) + strlen("/.debug/") +
- + strlen(".debug") + strlen(" /usr/lib/debug/boot/ "))*10)
+ + strlen(".debug") + strlen(" /usr/lib/debug/usr/lib/modules/ "))*10)
+ strlen(pc->namelist_debug ? pc->namelist_debug : " "))) == NULL)
error(FATAL, "debuginfo file name malloc: %s\n",
strerror(errno));
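Review bot: the buffer size in the `malloc` expression is still estimated from the length of a literal path, and the new literal `" /usr/lib/debug/usr/lib/modules/ "` does not correspond to any string that is written later (the next hunk formats `"/usr/lib/debug/%s/%s"`). The bound therefore rests on `strlen(namelist)` and the `*10` factor covering whatever `dirname` contains. Add a comment stating that assumption, or size the allocation from the components that are actually formatted into `pc->debuginfo_file`.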
@@ -375,7 +375,7 @@ check_gnu_debuglink(bfd *bfd)
}
}
- sprintf(pc->debuginfo_file, "/usr/lib/debug/boot/%s", contents);
+ sprintf(pc->debuginfo_file, "/usr/lib/debug/%s/%s", dirname, contents);
if (separate_debug_file_exists(pc->debuginfo_file, crc32, &exists)) {
if (CRASHDEBUG(1))
fprintf(fp, "%s: CRC matches\n", pc->debuginfo_file);
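Review bot: the replacement `sprintf` writes `dirname` and `contents` into `pc->debuginfo_file` without a length limit, and `dirname` is neither declared nor bounded anywhere in the visible context. Use `snprintf` with the size that was allocated above and treat truncation as an error. The description should also say whether `dirname` still yields the old `/usr/lib/debug/boot/` location for a kernel stored in /boot, since that fixed path is removed here.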
++++++ eppic-switch-to-system-lib.patch ++++++
--- /var/tmp/diff_new_pack.tosWPe/_old 2022-11-01 13:42:53.932001618 +0100
+++ /var/tmp/diff_new_pack.tosWPe/_new 2022-11-01 13:42:53.936001640 +0100
@@ -16,10 +16,10 @@
- if [ -f "$(GIT)" ]; \
- then \
- if [ -n "$(EPPIC_GIT_URL)" ]; then \
-- git clone "$(EPPIC_GIT_URL)" eppic; \
+- git clone $(EPPIC_GIT_OPTIONS) $(EPPIC_GIT_URL) eppic; \
- else \
- if ping -c 1 -W 5 github.com >/dev/null ; then \
-- git clone https://github.com/lucchouina/eppic.git eppic; \
+- git clone $(EPPIC_GIT_OPTIONS) https://github.com/lucchouina/eppic.git eppic; \
- fi; \
- fi; \
- else \
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package dehydrated for openSUSE:Factory checked in at 2022-11-01 13:42:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dehydrated (Old)
and /work/SRC/openSUSE:Factory/.dehydrated.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dehydrated"
Tue Nov 1 13:42:48 2022 rev:25 rq:1032541 version:0.7.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/dehydrated/dehydrated.changes 2022-09-08 14:23:53.974702926 +0200
+++ /work/SRC/openSUSE:Factory/.dehydrated.new.2275/dehydrated.changes 2022-11-01 13:42:50.191981722 +0100
@@ -1,0 +2,7 @@
+Sat Oct 29 05:03:26 UTC 2022 - Daniel Molkentin <daniel(a)molkentin.de>
+
+- Update to 0.7.1
+ * See https://github.com/dehydrated-io/dehydrated/releases/tag/v0.7.1
+ * Removes more-examples.patch
+
+-------------------------------------------------------------------
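Review bot: the entry only links to the upstream release page, while the CHANGELOG diff in this same commit lists behaviour changes an administrator should see at update time: `--force` no longer forces domain name revalidation (that is now `--force-validation`), and `EC PARAMETERS` are no longer written to privkey.pem. Summarise those in the .changes entry so they appear in the package changelog without following the link.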
Old:
----
dehydrated-0.7.0.tar.gz
dehydrated-0.7.0.tar.gz.asc
more-examples.patch
New:
----
dehydrated-0.7.1.tar.gz
dehydrated-0.7.1.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dehydrated.spec ++++++
--- /var/tmp/diff_new_pack.iceFQx/_old 2022-11-01 13:42:51.739989957 +0100
+++ /var/tmp/diff_new_pack.iceFQx/_new 2022-11-01 13:42:51.783990191 +0100
@@ -53,7 +53,7 @@
%endif
Name: dehydrated
-Version: 0.7.0
+Version: 0.7.1
Release: 0
Summary: A client for signing certificates with an ACME server
License: MIT
@@ -77,7 +77,6 @@
Source18: dehydrated-postrun-hooks.service
Source19: dehydrated-postrun-hooks@.service
Source20: README.postrun-hooks
-Patch: more-examples.patch
BuildRequires: %{_apache}
Requires: coreutils
Requires: curl
@@ -172,7 +171,6 @@
%prep
%setup -q
-%patch -p1
cp %{SOURCE9} .
cp %{SOURCE10} .
cp %{SOURCE20} .
@@ -206,10 +204,12 @@
#!/bin/sh
systemctl reload apache2.service
EOF
+%if %{with nginx}
cat > %{buildroot}%{_sysconfdir}/dehydrated/postrun-hooks.d/reload-nginx.sh << EOF
#!/bin/sh
systemctl reload nginx.service
EOF
+%endif
%if %{with nginx}
install -m 0755 -d %{buildroot}%{_sysconfdir}/nginx
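Review bot: the new `%if %{with nginx}` / `%endif` pair around the reload-nginx.sh heredoc closes directly before an existing `%if %{with nginx}` block. Move the heredoc into that existing block rather than opening the same conditional twice in a row.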
@@ -280,7 +280,7 @@
%{_bindir}/dehydrated
%attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
%{_mandir}/man1/*
-%doc LICENSE README.md docs/*.md docs/*.jpg
+%doc LICENSE README.md docs/*.md
%doc README.maintainer
%if %{defined redhat}
%doc README.Fedora
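Review bot: dropping `docs/*.jpg` from `%doc` matches the logo moving from `docs/logo.jpg` to `docs/logo.png` in the README.md diff of this commit, but no `docs/*.png` is added, so the packaged README.md refers to an image that is not installed. Add `docs/*.png` to the `%doc` line if the tarball ships it, or note in the changelog that the logo is left out on purpose.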
++++++ dehydrated-0.7.0.tar.gz -> dehydrated-0.7.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/CHANGELOG new/dehydrated-0.7.1/CHANGELOG
--- old/dehydrated-0.7.0/CHANGELOG 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/CHANGELOG 2022-10-31 15:12:38.000000000 +0100
@@ -1,6 +1,21 @@
# Change Log
This file contains a log of major changes in dehydrated
+## [0.7.1] - 2022-10-31
+## Changed
+- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that
+- Added support for EC secp521r1 algorithm (works with e.g. zerossl)
+- `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)
+
+## Fixed
+- Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers)
+- Deprecated `egrep` usage has been removed
+
+## Added
+- Implemented EC for account keys
+- Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs)
+- Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!)
+
## [0.7.0] - 2020-12-10
## Added
- Support for external account bindings
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/LICENSE new/dehydrated-0.7.1/LICENSE
--- old/dehydrated-0.7.0/LICENSE 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/LICENSE 2022-10-31 15:12:38.000000000 +0100
@@ -1,6 +1,6 @@
The MIT License (MIT)
-Copyright (c) 2015-2018 Lukas Schauer
+Copyright (c) 2015-2021 Lukas Schauer
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/README.md new/dehydrated-0.7.1/README.md
--- old/dehydrated-0.7.0/README.md 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/README.md 2022-10-31 15:12:38.000000000 +0100
@@ -1,9 +1,6 @@
# dehydrated [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=23P9DSJBTY7C8)
-Quick note: dehydrated moved, the license will NOT change, and I will still take care of the project.
-See https://lukas.im/2020/01/30/selling-dehydrated/index.html for more details.
-
-![](docs/logo.jpg)
+![](docs/logo.png)
Dehydrated is a client for signing certificates with an ACME-server (e.g. Let's Encrypt) implemented as a relatively simple (zsh-compatible) bash-script.
This client supports both ACME v1 and the new ACME v2 including support for wildcard certificates!
@@ -17,6 +14,7 @@
- Signing of a custom CSR (either standalone or completely automated using hooks!)
- Renewal if a certificate is about to expire or defined set of domains changed
- Certificate revocation
+- and lots more..
Please keep in mind that this software, the ACME-protocol and all supported CA servers out there are relatively young and there might be a few issues. Feel free to report any issues you find with this script or contribute by submitting a pull request,
but please check for duplicates first (feel free to comment on those to get things rolling).
@@ -74,6 +72,7 @@
--alias certalias Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
--keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
--force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --force-validation Force revalidation of domain names (used in combination with --force)
--no-lock (-n) Don't use lockfile (potentially dangerous!)
--lock-suffix example.com Suffix lockfile name with a string (useful for with -d)
--ocsp Sets option in CSR indicating OCSP stapling to be mandatory
@@ -84,28 +83,6 @@
--preferred-chain issuer-cn Use alternative certificate chain identified by issuer CN
--out (-o) certs/directory Output certificates into the specified directory
--alpn alpn-certs/directory Output alpn verification certificates into the specified directory
- --challenge (-t) http-01|dns-01 Which challenge should be used? Currently http-01 and dns-01 are supported
+ --challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
--algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
```
-
-## Donate
-
-I'm a student hacker with a few (unfortunately) quite expensive hobbies (self-hosting, virtualization clusters, routing,
-high-speed networking, embedded hardware, etc.).
-I'm really having fun playing around with hard- and software and I'm steadily learning new things.
-Without those hobbies I probably would never have started working on dehydrated to begin with :)
-
-I'd really appreciate if you could [donate a bit of money](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id…
-so I can buy cool stuff (while still being able to afford food :D).
-
-If you have hardware laying around that you think I'd enjoy playing with (e.g. decommissioned but still modern-ish servers,
-10G networking hardware, enterprise grade routers or APs, interesting ARM/MIPS boards, etc.) and that you would be willing
-to ship to me please contact me at `donations(a)dehydrated.io` or on Twitter [@lukas2511](https://twitter.com/lukas2511).
-
-If you want your name to be added to the [donations list](https://dehydrated.io/donations.html) please add a note or send me an
-email `donations(a)dehydrated.io`. I respect your privacy and won't publish your name without permission.
-
-Other ways of donating:
- - [My Amazon Wishlist](http://www.amazon.de/registry/wishlist/1TUCFJK35IO4Q)
- - Monero: 4Kkf4tF4r9DakxLj37HDXLJgmpVfQoFhT7JLDvXwtUZZMTbsK9spsAPXivWPAFcDUj6jHhY8hJSHX8Cb8ndMhKeQHPSkBZZiK89Fx8NTHk
- - Bitcoin: 12487bHxcrREffTGwUDnoxF1uYxCA7ztKK
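Review bot: the unchanged `--algo` usage line in this hunk still lists only `rsa|prime256v1|secp384r1`, although the CHANGELOG in this update announces secp521r1 support and `verify_config` now accepts it. The usage text should list `secp521r1` too, so that the documented and accepted values match.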
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/dehydrated new/dehydrated-0.7.1/dehydrated
--- old/dehydrated-0.7.0/dehydrated 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/dehydrated 2022-10-31 15:12:38.000000000 +0100
@@ -17,7 +17,7 @@
exec 3>&-
exec 4>&-
-VERSION="0.7.0"
+VERSION="0.7.1"
# Find directory in which this script is stored by traversing all symbolic links
SOURCE="${0}"
@@ -31,6 +31,22 @@
BASEDIR="${SCRIPTDIR}"
ORIGARGS=("${@}")
+noglob_set() {
+ if [[ -n "${ZSH_VERSION:-}" ]]; then
+ set +o noglob
+ else
+ set +f
+ fi
+}
+
+noglob_clear() {
+ if [[ -n "${ZSH_VERSION:-}" ]]; then
+ set -o noglob
+ else
+ set -f
+ fi
+}
+
# Generate json.sh path matching string
json_path() {
if [ ! "${1}" = "-p" ]; then
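Review bot: the two helper names read as the opposite of what they do. `noglob_set` runs `set +f` / `set +o noglob`, which switches noglob off and allows globbing, while `noglob_clear` runs `set -f` / `set -o noglob`, which switches it on. The call sites later in the patch sit under the comments "Allow globbing" and "Disable globbing", so behaviour is unchanged, but names such as `glob_enable` / `glob_disable` would keep a future caller from picking the wrong one.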
@@ -55,7 +71,6 @@
# Get sub-dictionary from json
get_json_dict_value() {
local filter
- echo "$(json_path "${1:-}" "${2:-}")"
filter="$(printf 's/.*\[%s\][[:space:]]*\(.*\)/\\1/p' "$(json_path "${1:-}" "${2:-}")")"
sed -n "${filter}" | jsonsh
}
@@ -88,7 +103,7 @@
awk_egrep () {
local pattern_string=$1
- gawk '{
+ awk '{
while ($0) {
start=match($0, pattern);
token=substr($0, start, RLENGTH);
@@ -103,14 +118,15 @@
local ESCAPE
local CHAR
- if echo "test string" | egrep -ao --color=never "test" >/dev/null 2>&1
+ if echo "test string" | grep -Eao --color=never "test" >/dev/null 2>&1
then
- GREP='egrep -ao --color=never'
+ GREP='grep -Eao --color=never'
else
- GREP='egrep -ao'
+ GREP='grep -Eao'
fi
- if echo "test string" | egrep -o "test" >/dev/null 2>&1
+ # shellcheck disable=SC2196
+ if echo "test string" | grep -Eao "test" >/dev/null 2>&1
then
ESCAPE='(\\[^u[:cntrl:]]|\\u[0-9a-fA-F]{4})'
CHAR='[^[:cntrl:]"\\]'
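Review bot: the `# shellcheck disable=SC2196` directive added above the second probe is unnecessary, because SC2196 is the egrep deprecation warning and the line it covers now calls `grep -Eao`. The probe also changed from `egrep -o` to `grep -Eao`, so it now tests for `-a` as well as `-o`; if the intent was only to replace egrep, `grep -Eo` keeps the original meaning, otherwise a short comment on why `-a` is probed here would help.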
@@ -126,10 +142,11 @@
local SPACE='[[:space:]]+'
# Force zsh to expand $A into multiple words
- local is_wordsplit_disabled=$(unsetopt 2>/dev/null | grep -c '^shwordsplit$')
- if [ $is_wordsplit_disabled != 0 ]; then setopt shwordsplit; fi
- $GREP "$STRING|$NUMBER|$KEYWORD|$SPACE|." | egrep -v "^$SPACE$"
- if [ $is_wordsplit_disabled != 0 ]; then unsetopt shwordsplit; fi
+ local is_wordsplit_disabled
+ is_wordsplit_disabled="$(unsetopt 2>/dev/null | grep -c '^shwordsplit$')"
+ if [ "${is_wordsplit_disabled}" != "0" ]; then setopt shwordsplit; fi
+ $GREP "$STRING|$NUMBER|$KEYWORD|$SPACE|." | grep -Ev "^$SPACE$"
+ if [ "${is_wordsplit_disabled}" != "0" ]; then unsetopt shwordsplit; fi
}
parse_array () {
@@ -194,17 +211,14 @@
}
parse_value () {
- local jpath="${1:+$1,}${2:-}" isleaf=0 isempty=0 print=0
+ local jpath="${1:+$1,}${2:-}"
case "$token" in
'{') parse_object "$jpath" ;;
'[') parse_array "$jpath" ;;
# At this point, the only valid single-character tokens are digits.
''|[!0-9]) throw "EXPECTED value GOT ${token:-EOF}" ;;
- *) value=$token
+ *) value="${token/\\\///}"
# replace solidus ("\/") in json strings with normalized value: "/"
- value=$(echo "$value" | sed 's#\\/#/#g')
- isleaf=1
- [ "$value" = '""' ] && isempty=1
;;
esac
[ "$value" = '' ] && return
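Review bot: in `parse_value`, `value="${token/\\\///}"` replaces only the first `\/` in the token, whereas the removed `sed 's#\\/#/#g'` replaced every occurrence. A JSON string with several escaped slashes, such as a URL, would keep all but the first escape. Use the global form `${token//\\\//\/}` or keep the sed call. The comment "replace solidus ..." now sits below the line it describes and should move above it.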
@@ -227,16 +241,26 @@
tokenize | parse
}
+# Convert IP addresses to their reverse dns variants.
+# Used for ALPN certs as validation for IPs uses this in SNI since IPs aren't allowed there.
+ip_to_ptr() {
+ ip="$(cat)"
+ if [[ "${ip}" =~ : ]]; then
+ printf "%sip6.arpa" "$(printf "%s" "${ip}" | awk -F: 'BEGIN {OFS=""; }{addCount = 9 - NF; for(i=1; i<=NF;i++){if(length($i) == 0){ for(j=1;j<=addCount;j++){$i = ($i "0000");} } else { $i = substr(("0000" $i), length($i)+5-4);}}; print}' | rev | sed -e "s/./&./g")"
+ else
+ printf "%s.in-addr.arpa" "$(printf "%s" "${ip}" | awk -F. '{print $4"."$3"." $2"."$1}')"
+ fi
+}
+
# Create (identifiable) temporary files
_mktemp() {
- # shellcheck disable=SC2068
- mktemp ${@:-} "${TMPDIR:-/tmp}/dehydrated-XXXXXX"
+ mktemp "${TMPDIR:-/tmp}/dehydrated-XXXXXX"
}
# Check for script dependencies
check_dependencies() {
# look for required binaries
- for binary in grep mktemp diff sed awk curl cut; do
+ for binary in grep mktemp diff sed awk curl cut head tail hexdump; do
bin_path="$(command -v "${binary}" 2>/dev/null)" || _exiterr "This script requires ${binary}."
[[ -x "${bin_path}" ]] || _exiterr "${binary} found in PATH but it's not executable"
done
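Review bot: `ip_to_ptr` pipes the IPv6 case through `rev`, but the extended list in `check_dependencies` adds only `head tail hexdump`, so a system without `rev` passes the dependency check and then fails in the middle of a tls-alpn-01 validation for an IP identifier. Add `rev` to the list or do the reversal inside the awk program. `ip` in `ip_to_ptr` should also be declared `local`, as the other helpers in this patch now do for their variables.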
@@ -254,7 +278,10 @@
store_configvars() {
__KEY_ALGO="${KEY_ALGO}"
__OCSP_MUST_STAPLE="${OCSP_MUST_STAPLE}"
+ __OCSP_FETCH="${OCSP_FETCH}"
+ __OCSP_DAYS="${OCSP_DAYS}"
__PRIVATE_KEY_RENEW="${PRIVATE_KEY_RENEW}"
+ __PRIVATE_KEY_ROLLOVER="${PRIVATE_KEY_ROLLOVER}"
__KEYSIZE="${KEYSIZE}"
__CHALLENGETYPE="${CHALLENGETYPE}"
__HOOK="${HOOK}"
@@ -269,7 +296,10 @@
reset_configvars() {
KEY_ALGO="${__KEY_ALGO}"
OCSP_MUST_STAPLE="${__OCSP_MUST_STAPLE}"
+ OCSP_FETCH="${__OCSP_FETCH}"
+ OCSP_DAYS="${__OCSP_DAYS}"
PRIVATE_KEY_RENEW="${__PRIVATE_KEY_RENEW}"
+ PRIVATE_KEY_ROLLOVER="${__PRIVATE_KEY_ROLLOVER}"
KEYSIZE="${__KEYSIZE}"
CHALLENGETYPE="${__CHALLENGETYPE}"
HOOK="${__HOOK}"
@@ -298,7 +328,7 @@
if [[ "${CHALLENGETYPE}" = "http-01" && ! -d "${WELLKNOWN}" && ! "${COMMAND:-}" = "register" ]]; then
_exiterr "WELLKNOWN directory doesn't exist, please create ${WELLKNOWN} and set appropriate permissions."
fi
- [[ "${KEY_ALGO}" == "rsa" || "${KEY_ALGO}" == "prime256v1" || "${KEY_ALGO}" == "secp384r1" ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... cannot continue."
+ [[ "${KEY_ALGO}" == "rsa" || "${KEY_ALGO}" == "prime256v1" || "${KEY_ALGO}" == "secp384r1" || "${KEY_ALGO}" == "secp521r1" ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... cannot continue."
if [[ -n "${IP_VERSION}" ]]; then
[[ "${IP_VERSION}" = "4" || "${IP_VERSION}" = "6" ]] || _exiterr "Unknown IP version ${IP_VERSION}... cannot continue."
fi
@@ -332,6 +362,8 @@
CERTDIR=
ALPNCERTDIR=
ACCOUNTDIR=
+ ACCOUNT_KEYSIZE="4096"
+ ACCOUNT_KEY_ALGO=rsa
CHALLENGETYPE="http-01"
CONFIG_D=
CURL_OPTS=
@@ -379,7 +411,7 @@
fi
# Allow globbing
- [[ -n "${ZSH_VERSION:-}" ]] && set +o noglob || set +f
+ noglob_set
for check_config_d in "${CONFIG_D}"/*.sh; do
if [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
@@ -392,7 +424,7 @@
done
# Disable globbing
- [[ -n "${ZSH_VERSION:-}" ]] && set -o noglob || set -f
+ noglob_clear
fi
# Check for missing dependencies
@@ -473,6 +505,7 @@
fi
fi
+ # shellcheck disable=SC1090
[[ -f "${ACCOUNTDIR}/${CAHASH}/config" ]] && . "${ACCOUNTDIR}/${CAHASH}/config"
ACCOUNT_KEY="${ACCOUNTDIR}/${CAHASH}/account_key.pem"
ACCOUNT_KEY_JSON="${ACCOUNTDIR}/${CAHASH}/registration_info.json"
@@ -512,6 +545,10 @@
[[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
[[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
+ if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ] && [ "${PARAM_FORCE:-no}" = "no" ]; then
+ _exiterr "Argument --force-validation can only be used in combination with --force (-x)"
+ fi
+
if [ ! "${1:-}" = "noverify" ]; then
verify_config
fi
@@ -539,8 +576,8 @@
grep -q newOrder <<< "${CA_DIRECTORY}" && API=2 || API=1
fi
- if [[ ${API} -eq 1 ]]; then
- # shellcheck disable=SC2015
+ # shellcheck disable=SC2015
+ if [[ "${API}" = "1" ]]; then
CA_NEW_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-cert)" &&
CA_NEW_AUTHZ="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-authz)" &&
CA_NEW_REG="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-reg)" &&
@@ -551,7 +588,6 @@
# Since reg URI is missing from directory we will assume it is the same as CA_NEW_REG without the new part
CA_REG=${CA_NEW_REG/new-reg/reg}
else
- # shellcheck disable=SC2015
CA_NEW_ORDER="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newOrder)" &&
CA_NEW_NONCE="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newNonce)" &&
CA_NEW_ACCOUNT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newAccount)" &&
@@ -559,8 +595,6 @@
CA_REQUIRES_EAB="$(printf "%s" "${CA_DIRECTORY}" | get_json_bool_value -p '"meta","externalAccountRequired"' || echo false)" &&
CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revokeCert)" ||
_exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint."
- # Since acct URI is missing from directory we will assume it is the same as CA_NEW_ACCOUNT without the new part
- CA_ACCOUNT=${CA_NEW_ACCOUNT/new-acct/acct}
fi
# Export some environment variables to be used in hook script
@@ -582,26 +616,63 @@
if [[ ! "${PARAM_ACCEPT_TERMS:-}" = "yes" ]]; then
printf '\n' >&2
printf 'To use dehydrated with this certificate authority you have to agree to their terms of service which you can find here: %s\n\n' "${CA_TERMS}" >&2
- printf 'To accept these terms of service run `%s --register --accept-terms`.\n' "${0}" >&2
+ printf 'To accept these terms of service run "%s --register --accept-terms".\n' "${0}" >&2
exit 1
fi
echo "+ Generating account key..."
generated="true"
- local tmp_account_key="$(_mktemp)"
- _openssl genrsa -out "${tmp_account_key}" "${KEYSIZE}"
+ local tmp_account_key
+ tmp_account_key="$(_mktemp)"
+ if [[ ${API} -eq 1 && ! "${ACCOUNT_KEY_ALGO}" = "rsa" ]]; then
+ _exiterr "ACME API version 1 does not support EC account keys"
+ fi
+ case "${ACCOUNT_KEY_ALGO}" in
+ rsa) _openssl genrsa -out "${tmp_account_key}" "${ACCOUNT_KEYSIZE}";;
+ prime256v1|secp384r1|secp521r1) _openssl ecparam -genkey -name "${ACCOUNT_KEY_ALGO}" -out "${tmp_account_key}" -noout;;
+ esac
cat "${tmp_account_key}" > "${ACCOUNT_KEY}"
rm "${tmp_account_key}"
register_new_key="yes"
fi
fi
- "${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -check 2>/dev/null > /dev/null || _exiterr "Account key is not valid, cannot continue."
- # Get public components from private key and calculate thumbprint
- pubExponent64="$(printf '%x' "$("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -noout -text | awk '/publicExponent/ {print $2}')" | hex2bin | urlbase64)"
- pubMod64="$("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -noout -modulus | cut -d'=' -f2 | hex2bin | urlbase64)"
+ if ("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -check 2>/dev/null > /dev/null); then
+ # Get public components from private key and calculate thumbprint
+ pubExponent64="$(printf '%x' "$("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -noout -text | awk '/publicExponent/ {print $2}')" | hex2bin | urlbase64)"
+ pubMod64="$("${OPENSSL}" rsa -in "${ACCOUNT_KEY}" -noout -modulus | cut -d'=' -f2 | hex2bin | urlbase64)"
+
+ account_key_info="$(printf '{"e":"%s","kty":"RSA","n":"%s"}' "${pubExponent64}" "${pubMod64}")"
+ account_key_sigalgo=RS256
+ elif ("${OPENSSL}" ec -in "${ACCOUNT_KEY}" -check 2>/dev/null > /dev/null); then
+ curve="$("${OPENSSL}" ec -in "${ACCOUNT_KEY}" -noout -text 2>/dev/null | grep 'NIST CURVE' | cut -d':' -f2 | tr -d ' ')"
+ pubkey="$("${OPENSSL}" ec -in "${ACCOUNT_KEY}" -noout -text 2>/dev/null | tr -d '\n ' | grep -Eo 'pub:.*ASN1' | _sed -e 's/^pub://' -e 's/ASN1$//' | tr -d ':')"
+
+ if [ "${curve}" = "P-256" ]; then
+ account_key_sigalgo="ES256"
+ elif [ "${curve}" = "P-384" ]; then
+ account_key_sigalgo="ES384"
+ elif [ "${curve}" = "P-521" ]; then
+ account_key_sigalgo="ES512"
+ else
+ _exiterr "Unknown account key curve: ${curve}"
+ fi
+
+ ec_x_offset=2
+ ec_x_len=$((${#pubkey}/2 - 1))
+ ec_x="${pubkey:$ec_x_offset:$ec_x_len}"
+ ec_x64="$(printf "%s" "${ec_x}" | hex2bin | urlbase64)"
+
+ ec_y_offset=$((ec_x_offset+ec_x_len))
+ ec_y_len=$((${#pubkey}-ec_y_offset))
+ ec_y="${pubkey:$ec_y_offset:$ec_y_len}"
+ ec_y64="$(printf "%s" "${ec_y}" | hex2bin | urlbase64)"
- thumbprint="$(printf '{"e":"%s","kty":"RSA","n":"%s"}' "${pubExponent64}" "${pubMod64}" | "${OPENSSL}" dgst -sha256 -binary | urlbase64)"
+ account_key_info="$(printf '{"crv":"%s","kty":"EC","x":"%s","y":"%s"}' "${curve}" "${ec_x64}" "${ec_y64}")"
+ else
+ _exiterr "Account key is not valid, cannot continue."
+ fi
+ thumbprint="$(printf '%s' "${account_key_info}" | "${OPENSSL}" dgst -sha256 -binary | urlbase64)"
# If we generated a new private key in the step above we have to register it with the acme-server
if [[ "${register_new_key}" = "yes" ]]; then
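Review bot: the new `case "${ACCOUNT_KEY_ALGO}"` in the key generation block has no default arm, so an unsupported value runs no openssl command and the following `cat "${tmp_account_key}" > "${ACCOUNT_KEY}"` writes an empty account key file before the later "Account key is not valid" check fires. Add a `*) _exiterr ...` arm, or validate `ACCOUNT_KEY_ALGO` together with `KEY_ALGO` in `verify_config`. The new `curve`, `pubkey`, `ec_x*` and `ec_y*` variables are also left global; only `account_key_info` and `account_key_sigalgo` are used later in the visible code.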
@@ -654,7 +725,7 @@
if [[ -n "${EAB_KID:-}" ]] && [[ -n "${EAB_HMAC_KEY:-}" ]]; then
eab_url="${CA_NEW_ACCOUNT}"
eab_protected64="$(printf '{"alg":"HS256","kid":"%s","url":"%s"}' "${EAB_KID}" "${eab_url}" | urlbase64)"
- eab_payload64="$(printf "%s" '{"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}' | urlbase64)"
+ eab_payload64="$(printf "%s" "${account_key_info}" | urlbase64)"
eab_key="$(printf "%s" "${EAB_HMAC_KEY}" | deurlbase64 | bin2hex)"
eab_signed64="$(printf '%s' "${eab_protected64}.${eab_payload64}" | "${OPENSSL}" dgst -binary -sha256 -mac HMAC -macopt "hexkey:${eab_key}" | urlbase64)"
@@ -692,16 +763,16 @@
# Read account information or request from CA if missing
if [[ -e "${ACCOUNT_KEY_JSON}" ]]; then
if [[ ${API} -eq 1 ]]; then
- ACCOUNT_ID="$(cat "${ACCOUNT_KEY_JSON}" | jsonsh | get_json_int_value id)"
+ ACCOUNT_ID="$(jsonsh < "${ACCOUNT_KEY_JSON}" | get_json_int_value id)"
ACCOUNT_URL="${CA_REG}/${ACCOUNT_ID}"
else
if [[ -e "${ACCOUNT_ID_JSON}" ]]; then
- ACCOUNT_URL="$(cat "${ACCOUNT_ID_JSON}" | jsonsh | get_json_string_value url)"
+ ACCOUNT_URL="$(jsonsh < "${ACCOUNT_ID_JSON}" | get_json_string_value url)"
fi
# if account URL is not storred, fetch it from the CA
if [[ -z "${ACCOUNT_URL:-}" ]]; then
echo "+ Fetching account URL..."
- ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')"
+ ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')"
if [[ -z "${ACCOUNT_URL}" ]]; then
_exiterr "Unknown error on fetching account information"
fi
@@ -713,7 +784,7 @@
if [[ ${API} -eq 1 ]]; then
_exiterr "This is not implemented for ACMEv1! Consider switching to ACMEv2 :)"
else
- ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')"
+ ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"onlyReturnExisting": true}' 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')"
ACCOUNT_INFO="$(signed_request "${ACCOUNT_URL}" '{}')"
fi
echo "${ACCOUNT_INFO}" > "${ACCOUNT_KEY_JSON}"
@@ -734,7 +805,7 @@
if [ -n "${1:-}" ]; then
echo "ERROR: ${1}" >&2
fi
- [[ "${skip_exit_hook:-no}" = "no" ]] && [[ -n "${HOOK:-}" ]] && ("${HOOK}" "exit_hook" "${1}" || echo 'exit_hook returned with non-zero exit code!' >&2)
+ [[ "${skip_exit_hook:-no}" = "no" ]] && [[ -n "${HOOK:-}" ]] && ("${HOOK}" "exit_hook" "${1:-}" || echo 'exit_hook returned with non-zero exit code!' >&2)
exit 1
}
@@ -762,12 +833,13 @@
# Convert hex string to binary data
hex2bin() {
# Remove spaces, add leading zero, escape as hex string and parse with printf
- printf -- "$(cat | _sed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')"
+ # shellcheck disable=SC2059
+ printf "%b" "$(cat | _sed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')"
}
# Convert binary data to hex string
bin2hex() {
- hexdump -e '16/1 "%02x"'
+ hexdump -v -e '/1 "%02x"'
}
# OpenSSL writes to stderr/stdout even when there are no errors. So just
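Review bot: the `# shellcheck disable=SC2059` added in `hex2bin` is no longer needed, since SC2059 warns about variables in the printf format string and the format is now the constant `"%b"`. The directive can be dropped so that it does not mask a real finding if the line is edited again.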
@@ -797,6 +869,7 @@
fi
set +e
+ # shellcheck disable=SC2086
if [[ "${1}" = "head" ]]; then
statuscode="$(curl ${ip_version:-} ${CURL_OPTS} -A "dehydrated/${VERSION} curl/${CURL_VERSION}" -s -w "%{http_code}" -o "${tempcont}" "${2}" -I)"
curlret="${?}"
@@ -826,6 +899,10 @@
elif [[ -n "${CA_REVOKE_CERT:-}" ]] && [[ "${2}" = "${CA_REVOKE_CERT:-}" ]] && [[ "${statuscode}" = "409" ]]; then
grep -q "Certificate already revoked" "${tempcont}" && return
else
+ if grep -q "urn:ietf:params:acme:error:badNonce" "${tempcont}"; then
+ printf "badnonce %s" "$(grep -Eoi "^replay-nonce:.*$" "${tempheaders}" | sed 's/ //' | cut -d: -f2)"
+ return 0
+ fi
echo " + ERROR: An error occurred while sending ${1}-request to ${2} (Status ${statuscode})" >&2
echo >&2
echo "Details:" >&2
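Review bot: the badNonce branch reports the condition in-band, by printing `badnonce <nonce>` on the same stdout that normally carries the response body and returning 0. The caller then has to pattern-match the body (`^badnonce `) to tell a retry request from a real response. A dedicated non-zero return code, with the fresh nonce handed over separately, would keep the two channels apart; at minimum the sentinel format deserves a comment here, because `signed_request` depends on it.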
@@ -836,8 +913,8 @@
# An exclusive hook for the {1}-request error might be useful (e.g., for sending an e-mail to admins)
if [[ -n "${HOOK}" ]]; then
- errtxt="$(cat ${tempcont})"
- errheaders="$(cat ${tempheaders})"
+ errtxt="$(cat "${tempcont}")"
+ errheaders="$(cat "${tempheaders}")"
"${HOOK}" "request_failure" "${statuscode}" "${errtxt}" "${1}" "${errheaders}" || _exiterr 'request_failure hook returned with non-zero exit code'
fi
@@ -863,16 +940,17 @@
# Encode payload as urlbase64
payload64="$(printf '%s' "${2}" | urlbase64)"
- # Retrieve nonce from acme-server
- if [[ ${API} -eq 1 ]]; then
- nonce="$(http_request head "${CA}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+ if [ -n "${3:-}" ]; then
+ nonce="$(printf "%s" "${3}" | tr -d ' \t\n\r')"
else
- nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i ^Replay-Nonce: | awk -F ': ' '{print $2}' | tr -d '\n\r')"
+ # Retrieve nonce from acme-server
+ if [[ ${API} -eq 1 ]]; then
+ nonce="$(http_request head "${CA}" | grep -i ^Replay-Nonce: | cut -d':' -f2- | tr -d ' \t\n\r')"
+ else
+ nonce="$(http_request head "${CA_NEW_NONCE}" | grep -i ^Replay-Nonce: | cut -d':' -f2- | tr -d ' \t\n\r')"
+ fi
fi
- # Build header with just our public key and algorithm information
- header='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}}'
-
if [[ ${API} -eq 1 ]]; then
# Build another header which also contains the previously received nonce and encode it as urlbase64
protected='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}, "nonce": "'"${nonce}"'"}'
@@ -880,17 +958,37 @@
else
# Build another header which also contains the previously received nonce and url and encode it as urlbase64
if [[ -n "${ACCOUNT_URL:-}" ]]; then
- protected='{"alg": "RS256", "kid": "'"${ACCOUNT_URL}"'", "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
+ protected='{"alg": "'"${account_key_sigalgo}"'", "kid": "'"${ACCOUNT_URL}"'", "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
else
- protected='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}, "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
+ protected='{"alg": "'"${account_key_sigalgo}"'", "jwk": '"${account_key_info}"', "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
fi
protected64="$(printf '%s' "${protected}" | urlbase64)"
fi
# Sign header with nonce and our payload with our private key and encode signature as urlbase64
- signed64="$(printf '%s' "${protected64}.${payload64}" | "${OPENSSL}" dgst -sha256 -sign "${ACCOUNT_KEY}" | urlbase64)"
+ if [[ "${account_key_sigalgo}" = "RS256" ]]; then
+ signed64="$(printf '%s' "${protected64}.${payload64}" | "${OPENSSL}" dgst -sha256 -sign "${ACCOUNT_KEY}" | urlbase64)"
+ else
+ dgstparams="$(printf '%s' "${protected64}.${payload64}" | "${OPENSSL}" dgst -sha${account_key_sigalgo:2} -sign "${ACCOUNT_KEY}" | "${OPENSSL}" asn1parse -inform DER)"
+ dgst_parm_1="$(echo "$dgstparams" | head -n 2 | tail -n 1 | cut -d':' -f4)"
+ dgst_parm_2="$(echo "$dgstparams" | head -n 3 | tail -n 1 | cut -d':' -f4)"
+
+ # zero-padding (doesn't seem to be necessary, but other clients are doing this as well...
+ case "${account_key_sigalgo}" in
+ "ES256") siglen=64;;
+ "ES384") siglen=96;;
+ "ES512") siglen=132;;
+ esac
+ while [[ ${#dgst_parm_1} -lt $siglen ]]; do dgst_parm_1="0${dgst_parm_1}"; done
+ while [[ ${#dgst_parm_2} -lt $siglen ]]; do dgst_parm_2="0${dgst_parm_2}"; done
+
+ signed64="$(printf "%s%s" "${dgst_parm_1}" "${dgst_parm_2}" | hex2bin | urlbase64)"
+ fi
if [[ ${API} -eq 1 ]]; then
+ # Build header with just our public key and algorithm information
+ header='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}}'
+
# Send header + extended header + payload + signature to the acme-server
data='{"header": '"${header}"', "protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}'
else
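Review bot: the comment on the zero-padding loop says the padding "doesn't seem to be necessary", which is misleading. `asn1parse` prints the two INTEGER values without leading zero octets, while a JWS ECDSA signature is the fixed-length concatenation of R and S (RFC 7518, section 3.4), so without the padding a signature whose R or S happens to start with a zero byte would have the wrong length. Please reword the comment to say the padding is required (it is also missing its closing parenthesis). `-sha${account_key_sigalgo:2}` should be quoted like the other expansions on that line.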
@@ -898,7 +996,14 @@
data='{"protected": "'"${protected64}"'", "payload": "'"${payload64}"'", "signature": "'"${signed64}"'"}'
fi
- http_request post "${1}" "${data}"
+ output="$(http_request post "${1}" "${data}")"
+
+ if grep -qE "^badnonce " <<< "${output}"; then
+ echo " ! Request failed (badNonce), retrying request..." >&2
+ signed_request "${1:-}" "${2:-}" "$(printf "%s" "${output}" | cut -d' ' -f2)"
+ else
+ printf "%s" "${output}"
+ fi
}
# Extracts all subject names from a CSR
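Review bot: the badNonce retry at the end of `signed_request` recurses with no limit, so a server that keeps answering badNonce makes the client loop and re-sign indefinitely. Pass a retry counter as a further argument (or keep one in a local variable) and call `_exiterr` after a small fixed number of attempts.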
@@ -917,23 +1022,23 @@
# split to one per line:
# shellcheck disable=SC1003
altnames="$( <<<"${altnames}" _sed -e 's/^[[:space:]]*//; s/, /\'$'\n''/g' )"
- # we can only get DNS: ones signed
- if grep -qEv '^(DNS|othername):' <<<"${altnames}"; then
- _exiterr "Certificate signing request contains non-DNS Subject Alternative Names"
+ # we can only get DNS/IP: ones signed
+ if grep -qEv '^(DNS|IP( Address)*|othername):' <<<"${altnames}"; then
+ _exiterr "Certificate signing request contains non-DNS/IP Subject Alternative Names"
fi
- # strip away the DNS: prefix
- altnames="$( <<<"${altnames}" _sed -e 's/^(DNS:|othername:<unsupported>)//' )"
+ # strip away the DNS/IP: prefix
+ altnames="$( <<<"${altnames}" _sed -e 's/^(DNS:|IP( Address)*:|othername:<unsupported>)//' )"
printf "%s" "${altnames}" | tr '\n' ' '
else
# No SANs, extract CN
- altnames="$( <<<"${reqtext}" grep '^[[:space:]]*Subject:' | _sed -e 's/.* CN ?= ?([^ /,]*).*/\1/' )"
+ altnames="$( <<<"${reqtext}" grep '^[[:space:]]*Subject:' | _sed -e 's/.*[ /]CN ?= ?([^ /,]*).*/\1/' )"
printf "%s" "${altnames}"
fi
}
# Get last issuer CN in certificate chain
get_last_cn() {
- <<<"${1}" _sed 'H;/-----BEGIN CERTIFICATE-----/h;$!d;x' | "${OPENSSL}" x509 -noout -issuer | head -n1 | _sed -e 's/.* CN ?= ?([^/,]*).*/\1/'
+ <<<"${1}" _sed 'H;/-----BEGIN CERTIFICATE-----/h;$!d;x' | "${OPENSSL}" x509 -noout -issuer | head -n1 | _sed -e 's/.*[ /]CN ?= ?([^/,]*).*/\1/'
}
# Create certificate for domain(s) and outputs it FD 3
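Review bot: `extract_altnames` now strips the `IP:` / `IP Address:` prefix and returns the bare address, but the order-building loop later in this patch decides on `{"type": "ip"}` only when the name matches `^ip:`. As far as these hunks show, an IP SAN taken from a CSR would therefore be submitted as a `dns` identifier. Either emit the names with an `ip:` prefix here or document where the prefix is added again. The pattern `IP( Address)*` also accepts repeated " Address" groups; `IP( Address)?` states the intent more precisely.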
@@ -968,12 +1073,16 @@
# Request new order and store authorization URIs
local challenge_identifiers=""
for altname in ${altnames}; do
- challenge_identifiers+="$(printf '{"type": "dns", "value": "%s"}, ' "${altname}")"
+ if [[ "${altname}" =~ ^ip: ]]; then
+ challenge_identifiers+="$(printf '{"type": "ip", "value": "%s"}, ' "${altname:3}")"
+ else
+ challenge_identifiers+="$(printf '{"type": "dns", "value": "%s"}, ' "${altname}")"
+ fi
done
challenge_identifiers="[${challenge_identifiers%, }]"
echo " + Requesting new certificate order from CA..."
- order_location="$(signed_request "${CA_NEW_ORDER}" '{"identifiers": '"${challenge_identifiers}"'}' 4>&1 | grep -i ^Location: | awk '{print $2}' | tr -d '\r\n')"
+ order_location="$(signed_request "${CA_NEW_ORDER}" '{"identifiers": '"${challenge_identifiers}"'}' 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')"
result="$(signed_request "${order_location}" "" | jsonsh)"
order_authorizations="$(echo "${result}" | get_json_array_values authorizations)"
@@ -1001,6 +1110,7 @@
# Receive authorization ($authorization is authz uri)
response="$(signed_request "$(echo "${authorization}" | _sed -e 's/\"(.*)".*/\1/')" "" | jsonsh)"
identifier="$(echo "${response}" | get_json_string_value -p '"identifier","value"')"
+ identifier_type="$(echo "${response}" | get_json_string_value -p '"identifier","type"')"
echo " + Handling authorization for ${identifier}"
else
# Request new authorization ($authorization is altname)
@@ -1010,9 +1120,13 @@
fi
# Check if authorization has already been validated
- if [ "$(echo "${response}" | _sed 's/"challenges": \[\{.*\}\]//' | get_json_string_value status)" = "valid" ] && [ ! "${PARAM_FORCE:-no}" = "yes" ]; then
- echo " + Found valid authorization for ${identifier}"
- continue
+ if [ "$(echo "${response}" | get_json_string_value status)" = "valid" ]; then
+ if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ]; then
+ echo " + A valid authorization has been found but will be ignored"
+ else
+ echo " + Found valid authorization for ${identifier}"
+ continue
+ fi
fi
# Find challenge in authorization
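Review bot: the new message "A valid authorization has been found but will be ignored" does not name the identifier, unlike the sibling message `Found valid authorization for ${identifier}` in the else branch. With several names in one order the log no longer shows which authorization is being revalidated; append `for ${identifier}`.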
@@ -1025,7 +1139,11 @@
challenge="$(echo "${response}" | get_json_dict_value -p '"challenges",'"${challengeindex}")"
# Gather challenge information
- challenge_names[${idx}]="${identifier}"
+ if [ "${identifier_type:-}" = "ip" ] && [ "${CHALLENGETYPE}" = "tls-alpn-01" ] ; then
+ challenge_names[${idx}]="$(echo "${identifier}" | ip_to_ptr)"
+ else
+ challenge_names[${idx}]="${identifier}"
+ fi
challenge_tokens[${idx}]="$(echo "${challenge}" | get_json_string_value token)"
if [[ ${API} -eq 2 ]]; then
@@ -1052,13 +1170,17 @@
keyauth_hook="$(printf '%s' "${keyauth}" | "${OPENSSL}" dgst -sha256 -binary | urlbase64)"
;;
"tls-alpn-01")
- keyauth_hook="$(printf '%s' "${keyauth}" | "${OPENSSL}" dgst -sha256 -c -hex | awk '{print $2}')"
- generate_alpn_certificate "${identifier}" "${keyauth_hook}"
+ keyauth_hook="$(printf '%s' "${keyauth}" | "${OPENSSL}" dgst -sha256 -c -hex | awk '{print $NF}')"
+ generate_alpn_certificate "${identifier}" "${identifier_type}" "${keyauth_hook}"
;;
esac
keyauths[${idx}]="${keyauth}"
- deploy_args[${idx}]="${identifier} ${challenge_tokens[${idx}]} ${keyauth_hook}"
+ if [ "${identifier_type:-}" = "ip" ] && [ "${CHALLENGETYPE}" = "tls-alpn-01" ]; then
+ deploy_args[${idx}]="$(echo "${identifier}" | ip_to_ptr) ${challenge_tokens[${idx}]} ${keyauth_hook}"
+ else
+ deploy_args[${idx}]="${identifier} ${challenge_tokens[${idx}]} ${keyauth_hook}"
+ fi
idx=$((idx+1))
done
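Review bot: `generate_alpn_certificate` is called with a bare `"${identifier_type}"`, while the other uses in this patch are written `"${identifier_type:-}"`. The variable is only assigned in the branch that reads `"identifier","type"` from the authorization response, so on the other branch (new authorization requested by altname) it is unset here, and if the script runs with nounset the tls-alpn-01 case aborts. Use `"${identifier_type:-}"` at the call, or initialise the variable at the top of the loop, which also prevents a value from a previous iteration being reused.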
@@ -1069,11 +1191,13 @@
if [[ ${num_pending_challenges} -ne 0 ]]; then
echo " + Deploying challenge tokens..."
if [[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" = "yes" ]]; then
+ # shellcheck disable=SC2068
"${HOOK}" "deploy_challenge" ${deploy_args[@]} || _exiterr 'deploy_challenge hook returned with non-zero exit code'
elif [[ -n "${HOOK}" ]]; then
# Run hook script to deploy the challenge token
local idx=0
while [ ${idx} -lt ${num_pending_challenges} ]; do
+ # shellcheck disable=SC2086
"${HOOK}" "deploy_challenge" ${deploy_args[${idx}]} || _exiterr 'deploy_challenge hook returned with non-zero exit code'
idx=$((idx+1))
done
@@ -1120,6 +1244,7 @@
echo " + Cleaning challenge tokens..."
# Clean challenge tokens using chained hook
+ # shellcheck disable=SC2068
[[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" = "yes" ]] && ("${HOOK}" "clean_challenge" ${deploy_args[@]} || _exiterr 'clean_challenge hook returned with non-zero exit code')
# Clean remaining challenge tokens if validation has failed
@@ -1130,6 +1255,7 @@
# Delete alpn verification certificates
[[ "${CHALLENGETYPE}" = "tls-alpn-01" ]] && rm -f "${ALPNCERTDIR}/${challenge_names[${idx}]}.crt.pem" "${ALPNCERTDIR}/${challenge_names[${idx}]}.key.pem"
# Clean challenge token using non-chained hook
+ # shellcheck disable=SC2086
[[ -n "${HOOK}" ]] && [[ "${HOOK_CHAIN}" != "yes" ]] && ("${HOOK}" "clean_challenge" ${deploy_args[${idx}]} || _exiterr 'clean_challenge hook returned with non-zero exit code')
idx=$((idx+1))
done
@@ -1177,8 +1303,8 @@
if [ "${altcn}" = "${PREFERRED_CHAIN}" ]; then
foundaltchain=1
fi
- if [ "${foundaltchain}" = "0" ]; then
- while read altcrturl; do
+ if [ "${foundaltchain}" = "0" ] && (grep -Ei '^link:' "${resheaders}" | grep -q -Ei 'rel="alternate"'); then
+ while read -r altcrturl; do
if [ "${foundaltchain}" = "0" ]; then
altcrt="$(signed_request "${altcrturl}" "")"
altcn="$(get_last_cn "${altcrt}")"
@@ -1266,7 +1392,8 @@
# Generate ALPN verification certificate
generate_alpn_certificate() {
local altname="${1}"
- local acmevalidation="${2}"
+ local identifier_type="${2}"
+ local acmevalidation="${3}"
local alpncertdir="${ALPNCERTDIR}"
if [[ ! -e "${alpncertdir}" ]]; then
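Review bot: `identifier_type` is inserted as `${2}`, which moves `acmevalidation` to `${3}`, so a caller still using the old two-argument form would pass the validation value as the identifier type and leave `acmevalidation` empty without any error. A check at the top of `generate_alpn_certificate` that `identifier_type` is one of the expected identifier types and that `${3}` is non-empty would make such a call fail loudly.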
@@ -1277,10 +1404,17 @@
echo " + Generating ALPN certificate and key for ${1}..."
tmp_openssl_cnf="$(_mktemp)"
cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}"
- printf "[SAN]\nsubjectAltName=DNS:%s\n" "${altname}" >> "${tmp_openssl_cnf}"
- printf "1.3.6.1.5.5.7.1.31=critical,DER:04:20:${acmevalidation}\n" >> "${tmp_openssl_cnf}"
+ if [[ "${identifier_type}" = "ip" ]]; then
+ printf "\n[SAN]\nsubjectAltName=IP:%s\n" "${altname}" >> "${tmp_openssl_cnf}"
+ else
+ printf "\n[SAN]\nsubjectAltName=DNS:%s\n" "${altname}" >> "${tmp_openssl_cnf}"
+ fi
+ printf "1.3.6.1.5.5.7.1.31=critical,DER:04:20:%s\n" "${acmevalidation}" >> "${tmp_openssl_cnf}"
SUBJ="/CN=${altname}/"
[[ "${OSTYPE:0:5}" = "MINGW" ]] && SUBJ="/${SUBJ}"
+ if [[ "${identifier_type}" = "ip" ]]; then
+ altname="$(echo "${altname}" | ip_to_ptr)"
+ fi
_openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -keyout "${alpncertdir}/${altname}.key.pem" -out "${alpncertdir}/${altname}.crt.pem" -subj "${SUBJ}" -extensions SAN -config "${tmp_openssl_cnf}"
chmod g+r "${alpncertdir}/${altname}.key.pem" "${alpncertdir}/${altname}.crt.pem"
rm -f "${tmp_openssl_cnf}"
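Review bot: in the `[[ "${identifier_type}" = "ip" ]]` block after `SUBJ`, `altname` is overwritten with the output of `ip_to_ptr`, so from that point the variable holds a file name stem rather than the name that went into the SAN and the subject. A separate local for the file name would keep the two meanings apart, and the `else` branch of the SAN selection should reject unknown identifier types instead of treating everything that is not `ip` as `DNS:`.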
@@ -1312,10 +1446,11 @@
if [[ ! -r "${certdir}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
echo " + Generating private key..."
privkey="privkey-${timestamp}.pem"
- local tmp_privkey="$(_mktemp)"
+ local tmp_privkey
+ tmp_privkey="$(_mktemp)"
case "${KEY_ALGO}" in
rsa) _openssl genrsa -out "${tmp_privkey}" "${KEYSIZE}";;
- prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${tmp_privkey}";;
+ prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${tmp_privkey}" -noout;;
esac
cat "${tmp_privkey}" > "${certdir}/privkey-${timestamp}.pem"
rm "${tmp_privkey}"
@@ -1332,7 +1467,7 @@
echo " + Generating private rollover key..."
case "${KEY_ALGO}" in
rsa) _openssl genrsa -out "${certdir}/privkey.roll.pem" "${KEYSIZE}";;
- prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${certdir}/privkey.roll.pem";;
+ prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${certdir}/privkey.roll.pem" -noout;;
esac
fi
# delete rolloverkeys if disabled
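Review bot: `-noout` is added to the `ecparam -genkey` call for `privkey.roll.pem` here and to the identical call for `tmp_privkey` in the previous hunk, with no comment on why it is needed. The two `case "${KEY_ALGO}"` blocks differ only in the output path, so a small helper taking the path as its argument would keep the flag in one place, and a line noting what `-noout` changes in the written file would help whoever touches it next.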
@@ -1345,17 +1480,25 @@
echo " + Generating signing request..."
SAN=""
for altname in ${altnames}; do
- SAN="${SAN}DNS:${altname}, "
+ if [[ "${altname}" =~ ^ip: ]]; then
+ SAN="${SAN}IP:${altname:3}, "
+ else
+ SAN="${SAN}DNS:${altname}, "
+ fi
done
+ if [[ "${domain}" =~ ^ip: ]]; then
+ SUBJ="/CN=${domain:3}/"
+ else
+ SUBJ="/CN=${domain}/"
+ fi
SAN="${SAN%%, }"
local tmp_openssl_cnf
tmp_openssl_cnf="$(_mktemp)"
cat "${OPENSSL_CNF}" > "${tmp_openssl_cnf}"
- printf "[SAN]\nsubjectAltName=%s" "${SAN}" >> "${tmp_openssl_cnf}"
+ printf "\n[SAN]\nsubjectAltName=%s" "${SAN}" >> "${tmp_openssl_cnf}"
if [ "${OCSP_MUST_STAPLE}" = "yes" ]; then
printf "\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" >> "${tmp_openssl_cnf}"
fi
- SUBJ="/CN=${domain}/"
if [[ "${OSTYPE:0:5}" = "MINGW" ]]; then
# The subject starts with a /, so MSYS will assume it's a path and convert
# it unless we escape it with another one:
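Review bot: in the `for altname in ${altnames}` loop and in the `SUBJ` assignment, everything after the `ip:` prefix is copied into the SAN line and the CN as is; the `^ip:` match checks only the prefix. Since `SAN` is written into the temporary OpenSSL config with `printf`, validating that `${altname:3}` is an IPv4 or IPv6 literal before using it would keep a malformed `domains.txt` entry from producing a broken or unexpected config section.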
@@ -1426,20 +1569,21 @@
revision="$(cd "${SCRIPTDIR}"; git rev-parse HEAD 2>/dev/null || echo "unknown")"
echo "GIT-Revision: ${revision}"
echo ""
- if [[ "${OSTYPE}" =~ "BSD" ]]; then
+ # shellcheck disable=SC1091
+ if [[ "${OSTYPE}" =~ (BSD|Darwin) ]]; then
echo "OS: $(uname -sr)"
elif [[ -e /etc/os-release ]]; then
( . /etc/os-release && echo "OS: $PRETTY_NAME" )
elif [[ -e /usr/lib/os-release ]]; then
( . /usr/lib/os-release && echo "OS: $PRETTY_NAME" )
else
- echo "OS: $(cat /etc/issue | grep -v ^$ | head -n1 | _sed 's/\\(r|n|l) .*//g')"
+ echo "OS: $(grep -v '^$' /etc/issue | head -n1 | _sed 's/\\(r|n|l) .*//g')"
fi
echo "Used software:"
[[ -n "${BASH_VERSION:-}" ]] && echo " bash: ${BASH_VERSION}"
[[ -n "${ZSH_VERSION:-}" ]] && echo " zsh: ${ZSH_VERSION}"
echo " curl: ${CURL_VERSION}"
- if [[ "${OSTYPE}" =~ "BSD" ]]; then
+ if [[ "${OSTYPE}" =~ (BSD|Darwin) ]]; then
echo " awk, sed, mktemp, grep, diff: BSD base system versions"
else
echo " awk: $(awk -W version 2>&1 | head -n1)"
@@ -1518,6 +1662,20 @@
exit 0
}
+# Parse contents of domains.txt and domains.txt.d
+parse_domains_txt() {
+ # Allow globbing temporarily
+ noglob_set
+ local inputs=("${DOMAINS_TXT}" "${DOMAINS_TXT}.d"/*.txt)
+ noglob_clear
+
+ cat "${inputs[@]}" |
+ tr -d '\r' |
+ awk '{print tolower($0)}' |
+ _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' |
+ (grep -vE '^(#|$)' || true)
+}
+
# Usage: --cron (-c)
# Description: Sign/renew non-existent/changed/expiring certificates.
command_sign_domains() {
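Review bot: in `parse_domains_txt`, the `inputs` array always contains the pattern `"${DOMAINS_TXT}.d"/*.txt`; when that directory is missing or holds no `.txt` file the pattern stays unexpanded (unless nullglob is enabled, which these lines do not show) and `cat` is handed a path that does not exist. Building the array only from entries that pass an existence test, or checking for the directory before adding the glob, avoids the spurious error on installations that have only `domains.txt`.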
@@ -1535,9 +1693,9 @@
if [[ -n "${PARAM_DOMAIN:-}" ]]; then
DOMAINS_TXT="$(_mktemp)"
if [[ -n "${PARAM_ALIAS:-}" ]]; then
- printf -- "${PARAM_DOMAIN} > ${PARAM_ALIAS}" > "${DOMAINS_TXT}"
+ printf "%s > %s" "${PARAM_DOMAIN}" "${PARAM_ALIAS}" > "${DOMAINS_TXT}"
else
- printf -- "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
+ printf "%s" "${PARAM_DOMAIN}" > "${DOMAINS_TXT}"
fi
elif [[ -e "${DOMAINS_TXT}" ]]; then
if [[ ! -r "${DOMAINS_TXT}" ]]; then
@@ -1550,17 +1708,17 @@
# Generate certificates for all domains found in domains.txt. Check if existing certificate are about to expire
ORIGIFS="${IFS}"
IFS=$'\n'
- for line in $(<"${DOMAINS_TXT}" tr -d '\r' | awk '{print tolower($0)}' | _sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g' -e 's/[[:space:]]+/ /g' -e 's/([^ ])>/\1 >/g' -e 's/> />/g' | (grep -vE '^(#|$)' || true)); do
+ for line in $(parse_domains_txt); do
reset_configvars
IFS="${ORIGIFS}"
alias="$(grep -Eo '>[^ ]+' <<< "${line}" || true)"
line="$(_sed -e 's/>[^ ]+[ ]*//g' <<< "${line}")"
aliascount="$(grep -Eo '>' <<< "${alias}" | awk 'END {print NR}' || true )"
- [ ${aliascount} -gt 1 ] && _exiterr "Only one alias per line is allowed in domains.txt!"
+ [ "${aliascount}" -gt 1 ] && _exiterr "Only one alias per line is allowed in domains.txt!"
domain="$(printf '%s\n' "${line}" | cut -d' ' -f1)"
morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
- [ ${aliascount} -lt 1 ] && alias="${domain}" || alias="${alias#>}"
+ [ "${aliascount}" -lt 1 ] && alias="${domain}" || alias="${alias#>}"
export alias
if [[ -z "${morenames}" ]];then
@@ -1614,6 +1772,8 @@
); do
config_var="$(echo "${cfgline:1}" | cut -d'=' -f1)"
config_value="$(echo "${cfgline:1}" | cut -d'=' -f2- | tr -d "'")"
+ # All settings that are allowed here should also be stored and
+ # restored in store_configvars() and reset_configvars()
case "${config_var}" in
KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)
echo " + ${config_var} = ${config_value}"
@@ -1646,12 +1806,12 @@
fi
# Check domain names of existing certificate
- if [[ -e "${cert}" ]]; then
+ if [[ -e "${cert}" && "${force_renew}" = "no" ]]; then
printf " + Checking domain name(s) of existing cert..."
- certnames="$("${OPENSSL}" x509 -in "${cert}" -text -noout | grep DNS: | _sed 's/DNS://g' | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//')"
- givennames="$(echo "${domain}" "${morenames}"| tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//' | _sed 's/^ //')"
-
+ certnames="$("${OPENSSL}" x509 -in "${cert}" -text -noout | grep -E '(DNS|IP( Address*)):' | _sed 's/(DNS|IP( Address)*)://g' | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//')"
+ givennames="$(echo "${domain}" "${morenames}"| tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ip://g' | _sed 's/ $//' | _sed 's/^ //')"
+
if [[ "${certnames}" = "${givennames}" ]]; then
echo " unchanged."
else
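Review bot: the `certnames` line uses two different patterns for the same label: `grep -E '(DNS|IP( Address*)):'` has the `*` inside the group, so it applies to the final `s` only, while the `_sed` expression next to it has `IP( Address)*` with the `*` on the whole group. The grep form therefore never matches a bare `IP:` label. If both labels are meant to be accepted, the grep pattern should read `(DNS|IP( Address)*):`. The `s/ip://g` added to `givennames` is also unanchored and strips `ip:` anywhere in the list, not only as a prefix of a name.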
@@ -1692,13 +1852,14 @@
if [[ ! "${skip}" = "yes" ]]; then
update_ocsp="yes"
[[ -z "${csr}" ]] || printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr"
+ # shellcheck disable=SC2086
if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then
skip_exit_hook=yes
- sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} &
+ sign_domain "${certdir}" "${timestamp}" "${domain}" ${morenames} &
wait $! || exit_with_errorcode=1
skip_exit_hook=no
else
- sign_domain "${certdir}" ${timestamp} ${domain} ${morenames}
+ sign_domain "${certdir}" "${timestamp}" "${domain}" ${morenames}
fi
fi
@@ -1744,12 +1905,12 @@
# Usage: --signcsr (-s) path/to/csr.pem
# Description: Sign a given CSR, output CRT on stdout (advanced usage)
command_sign_csr() {
+ init_system
+
# redirect stdout to stderr
# leave stdout over at fd 3 to output the cert
exec 3>&1 1>&2
- init_system
-
# load csr
csrfile="${1}"
if [ ! -r "${csrfile}" ]; then
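Review bot: with `init_system` moved above `exec 3>&1 1>&2`, anything it writes to stdout now goes to the caller's stdout, which the comment below reserves for the certificate. If `init_system` can print status lines or warnings, the output of `--signcsr` redirected into a file would no longer be a clean PEM. Either confirm it is silent on this path or call it as `init_system >&2`.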
@@ -1762,6 +1923,7 @@
# gen cert
certfile="$(_mktemp)"
+ # shellcheck disable=SC2086
sign_csr "${csr}" ${altnames} 3> "${certfile}"
# print cert
@@ -1866,7 +2028,7 @@
fi
# Allow globbing
- [[ -n "${ZSH_VERSION:-}" ]] && set +o noglob || set +f
+ noglob_set
# Loop over all certificate directories
for certdir in "${CERTDIR}/"*; do
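Review bot: `noglob_set` replaces a line that ran `set +o noglob` or `set +f`, under a comment that still says "Allow globbing", so assuming the helper keeps the behaviour of the line it replaces, it enables globbing despite a name that reads as turning noglob on. A name that states the effect, or a comment at the definition, would prevent the pair `noglob_set` / `noglob_clear` from being used the wrong way round.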
@@ -1907,7 +2069,6 @@
# Check if current file is in use, if unused move to archive directory
filename="$(basename "${file}")"
if [[ ! "${filename}" = "${current}" ]] && [[ -f "${certdir}/${filename}" ]]; then
- echo "${filename}"
if [[ "${PARAM_CLEANUPDELETE:-}" = "yes" ]]; then
echo "Deleting unused file: ${certname}/${filename}"
rm "${certdir}/${filename}"
@@ -1980,8 +2141,7 @@
fi
}
- # shellcheck disable=SC2199
- [[ -z "${@}" ]] && eval set -- "--help"
+ [[ -z "${*}" ]] && eval set -- "--help"
while (( ${#} )); do
case "${1}" in
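Review bot: `[[ -z "${*}" ]] && eval set -- "--help"` still goes through `eval` for a constant string; `set -- "--help"` does the same without it. Testing `${*}` for emptiness also treats a single empty-string argument like no arguments at all, where `(( ${#} == 0 ))` checks the argument count directly.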
@@ -2107,6 +2267,12 @@
PARAM_FORCE="yes"
;;
+ # PARAM_Usage: --force-validation
+ # PARAM_Description: Force revalidation of domain names (used in combination with --force)
+ --force-validation)
+ PARAM_FORCE_VALIDATION="yes"
+ ;;
+
# PARAM_Usage: --no-lock (-n)
# PARAM_Description: Don't use lockfile (potentially dangerous!)
--no-lock|-n)
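Review bot: the description says `--force-validation` is used in combination with `--force`, but the option body only sets `PARAM_FORCE_VALIDATION="yes"` and nothing in this hunk checks that `PARAM_FORCE` is also set. If the flag has no effect on its own, a warning or error after argument parsing when it is given without `--force` would tell the user instead of silently ignoring it.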
@@ -2183,8 +2349,8 @@
PARAM_ALPNCERTDIR="${1}"
;;
- # PARAM_Usage: --challenge (-t) http-01|dns-01
- # PARAM_Description: Which challenge should be used? Currently http-01 and dns-01 are supported
+ # PARAM_Usage: --challenge (-t) http-01|dns-01|tls-alpn-01
+ # PARAM_Description: Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
--challenge|-t)
shift 1
check_parameters "${1:-}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/domains_txt.md new/dehydrated-0.7.1/docs/domains_txt.md
--- old/dehydrated-0.7.0/docs/domains_txt.md 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/docs/domains_txt.md 2022-10-31 15:12:38.000000000 +0100
@@ -34,6 +34,30 @@
example.net www.example.net wiki.example.net > certalias
```
+This allows to set per certificates options. The options you can change are
+explained in [Per Certificate Config](per-certificate-config.md).
+
+If you want to create different certificate types for the same domain
+you can use:
+
+```text
+*.service.example.org service.example.org > star_service_example_org_rsa
+*.service.example.org service.example.org > star_service_example_org_ecdsa
+```
+
+Then add a config file `certs/star_service_example_org_rsa/config` with
+the value
+
+```
+KEY_ALGO="rsa"
+```
+
+or respectively
+
+```
+KEY_ALGO="ecdsa"
+```
+
### Wildcards
Support for wildcards was added by the ACME v2 protocol.
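Review bot: the second config example sets `KEY_ALGO="ecdsa"`, but the key generation `case "${KEY_ALGO}"` in the script diff above has branches only for `rsa` and `prime256v1|secp384r1`, so by those lines `ecdsa` would match neither branch. The example should use one of the curve names the script accepts, for instance `KEY_ALGO="secp384r1"`, unless `ecdsa` is mapped to a curve somewhere outside the lines shown.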
@@ -70,3 +94,14 @@
**Note:** The first certificate is valid for both `service.example.com` and for
`*.service.example.com` which can be a useful way to create wildcard
certificates.
+
+### Drop-in directory
+
+If a directory named `domains.txt.d` exists in the same location as
+`domains.txt`, the contents of `*.txt` files in that directory are appended to
+the list of domains, in alphabetical order of the filenames. This is useful for
+automation, as it doesn't require editing an existing file to add new domains.
+
+Warning: Behaviour of this might change as the naming between `domains.txt.d`
+and the `DOMAINS_D` config variable (which is used for per-certificate
+configuration) is a bit confusing.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/examples/domains.txt new/dehydrated-0.7.1/docs/examples/domains.txt
--- old/dehydrated-0.7.0/docs/examples/domains.txt 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/docs/examples/domains.txt 2022-10-31 15:12:38.000000000 +0100
@@ -24,6 +24,15 @@
# NOTE: It is a certificate for 'service.example.org'
*.service.example.org service.example.org > star_service_example_org
+# Optionally you can also append the certificate algorithm here to create
+# multiple certificate types for the same domain.
+#
+# This allows to set per certificates options. How to do this is
+# explained in [domains.txt documentation](domains_txt.md).
+#
+*.service.example.org service.example.org > star_service_example_org_rsa
+*.service.example.org service.example.org > star_service_example_org_ecdsa
+
# Create a certificate for 'service.example.net' with an alternative name of
# '*.service.example.net' (which is a wildcard domain) and store it in the
# directory ${CERTDIR}/service.example.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/examples/hook.sh new/dehydrated-0.7.1/docs/examples/hook.sh
--- old/dehydrated-0.7.0/docs/examples/hook.sh 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/docs/examples/hook.sh 2022-10-31 15:12:38.000000000 +0100
@@ -1,199 +1,199 @@
#!/usr/bin/env bash
deploy_challenge() {
- local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+ local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
- # This hook is called once for every domain that needs to be
- # validated, including any alternative names you may have listed.
- #
- # Parameters:
- # - DOMAIN
- # The domain name (CN or subject alternative name) being
- # validated.
- # - TOKEN_FILENAME
- # The name of the file containing the token to be served for HTTP
- # validation. Should be served by your web server as
- # /.well-known/acme-challenge/${TOKEN_FILENAME}.
- # - TOKEN_VALUE
- # The token value that needs to be served for validation. For DNS
- # validation, this is what you want to put in the _acme-challenge
- # TXT record. For HTTP validation it is the value that is expected
- # be found in the $TOKEN_FILENAME file.
+ # This hook is called once for every domain that needs to be
+ # validated, including any alternative names you may have listed.
+ #
+ # Parameters:
+ # - DOMAIN
+ # The domain name (CN or subject alternative name) being
+ # validated.
+ # - TOKEN_FILENAME
+ # The name of the file containing the token to be served for HTTP
+ # validation. Should be served by your web server as
+ # /.well-known/acme-challenge/${TOKEN_FILENAME}.
+ # - TOKEN_VALUE
+ # The token value that needs to be served for validation. For DNS
+ # validation, this is what you want to put in the _acme-challenge
+ # TXT record. For HTTP validation it is the value that is expected
+ # be found in the $TOKEN_FILENAME file.
- # Simple example: Use nsupdate with local named
- # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
+ # Simple example: Use nsupdate with local named
+ # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
}
clean_challenge() {
- local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+ local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
- # This hook is called after attempting to validate each domain,
- # whether or not validation was successful. Here you can delete
- # files or DNS records that are no longer needed.
- #
- # The parameters are the same as for deploy_challenge.
+ # This hook is called after attempting to validate each domain,
+ # whether or not validation was successful. Here you can delete
+ # files or DNS records that are no longer needed.
+ #
+ # The parameters are the same as for deploy_challenge.
- # Simple example: Use nsupdate with local named
- # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
+ # Simple example: Use nsupdate with local named
+ # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
}
sync_cert() {
- local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
+ local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
- # This hook is called after the certificates have been created but before
- # they are symlinked. This allows you to sync the files to disk to prevent
- # creating a symlink to empty files on unexpected system crashes.
- #
- # This hook is not intended to be used for further processing of certificate
- # files, see deploy_cert for that.
- #
- # Parameters:
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
- # - REQUESTFILE
- # The path of the file containing the certificate signing request.
+ # This hook is called after the certificates have been created but before
+ # they are symlinked. This allows you to sync the files to disk to prevent
+ # creating a symlink to empty files on unexpected system crashes.
+ #
+ # This hook is not intended to be used for further processing of certificate
+ # files, see deploy_cert for that.
+ #
+ # Parameters:
+ # - KEYFILE
+ # The path of the file containing the private key.
+ # - CERTFILE
+ # The path of the file containing the signed certificate.
+ # - FULLCHAINFILE
+ # The path of the file containing the full certificate chain.
+ # - CHAINFILE
+ # The path of the file containing the intermediate certificate(s).
+ # - REQUESTFILE
+ # The path of the file containing the certificate signing request.
- # Simple example: sync the files before symlinking them
- # sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
+ # Simple example: sync the files before symlinking them
+ # sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
}
deploy_cert() {
- local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
+ local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
- # This hook is called once for each certificate that has been
- # produced. Here you might, for instance, copy your new certificates
- # to service-specific locations and reload the service.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
- # - TIMESTAMP
- # Timestamp when the specified certificate was created.
-
- # Simple example: Copy file to nginx config
- # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
- # systemctl reload nginx
+ # This hook is called once for each certificate that has been
+ # produced. Here you might, for instance, copy your new certificates
+ # to service-specific locations and reload the service.
+ #
+ # Parameters:
+ # - DOMAIN
+ # The primary domain name, i.e. the certificate common
+ # name (CN).
+ # - KEYFILE
+ # The path of the file containing the private key.
+ # - CERTFILE
+ # The path of the file containing the signed certificate.
+ # - FULLCHAINFILE
+ # The path of the file containing the full certificate chain.
+ # - CHAINFILE
+ # The path of the file containing the intermediate certificate(s).
+ # - TIMESTAMP
+ # Timestamp when the specified certificate was created.
+
+ # Simple example: Copy file to nginx config
+ # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
+ # systemctl reload nginx
}
deploy_ocsp() {
- local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
+ local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
- # This hook is called once for each updated ocsp stapling file that has
- # been produced. Here you might, for instance, copy your new ocsp stapling
- # files to service-specific locations and reload the service.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - OCSPFILE
- # The path of the ocsp stapling file
- # - TIMESTAMP
- # Timestamp when the specified ocsp stapling file was created.
-
- # Simple example: Copy file to nginx config
- # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
- # systemctl reload nginx
+ # This hook is called once for each updated ocsp stapling file that has
+ # been produced. Here you might, for instance, copy your new ocsp stapling
+ # files to service-specific locations and reload the service.
+ #
+ # Parameters:
+ # - DOMAIN
+ # The primary domain name, i.e. the certificate common
+ # name (CN).
+ # - OCSPFILE
+ # The path of the ocsp stapling file
+ # - TIMESTAMP
+ # Timestamp when the specified ocsp stapling file was created.
+
+ # Simple example: Copy file to nginx config
+ # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
+ # systemctl reload nginx
}
unchanged_cert() {
- local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
+ local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
- # This hook is called once for each certificate that is still
- # valid and therefore wasn't reissued.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - KEYFILE
- # The path of the file containing the private key.
- # - CERTFILE
- # The path of the file containing the signed certificate.
- # - FULLCHAINFILE
- # The path of the file containing the full certificate chain.
- # - CHAINFILE
- # The path of the file containing the intermediate certificate(s).
+ # This hook is called once for each certificate that is still
+ # valid and therefore wasn't reissued.
+ #
+ # Parameters:
+ # - DOMAIN
+ # The primary domain name, i.e. the certificate common
+ # name (CN).
+ # - KEYFILE
+ # The path of the file containing the private key.
+ # - CERTFILE
+ # The path of the file containing the signed certificate.
+ # - FULLCHAINFILE
+ # The path of the file containing the full certificate chain.
+ # - CHAINFILE
+ # The path of the file containing the intermediate certificate(s).
}
invalid_challenge() {
- local DOMAIN="${1}" RESPONSE="${2}"
+ local DOMAIN="${1}" RESPONSE="${2}"
- # This hook is called if the challenge response has failed, so domain
- # owners can be aware and act accordingly.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain name, i.e. the certificate common
- # name (CN).
- # - RESPONSE
- # The response that the verification server returned
+ # This hook is called if the challenge response has failed, so domain
+ # owners can be aware and act accordingly.
+ #
+ # Parameters:
+ # - DOMAIN
+ # The primary domain name, i.e. the certificate common
+ # name (CN).
+ # - RESPONSE
+ # The response that the verification server returned
- # Simple example: Send mail to root
- # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
+ # Simple example: Send mail to root
+ # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
}
request_failure() {
- local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
+ local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
- # This hook is called when an HTTP request fails (e.g., when the ACME
- # server is busy, returns an error, etc). It will be called upon any
- # response code that does not start with '2'. Useful to alert admins
- # about problems with requests.
- #
- # Parameters:
- # - STATUSCODE
- # The HTML status code that originated the error.
- # - REASON
- # The specified reason for the error.
- # - REQTYPE
- # The kind of request that was made (GET, POST...)
- # - HEADERS
- # HTTP headers returned by the CA
+ # This hook is called when an HTTP request fails (e.g., when the ACME
+ # server is busy, returns an error, etc). It will be called upon any
+ # response code that does not start with '2'. Useful to alert admins
+ # about problems with requests.
+ #
+ # Parameters:
+ # - STATUSCODE
+ # The HTML status code that originated the error.
+ # - REASON
+ # The specified reason for the error.
+ # - REQTYPE
+ # The kind of request that was made (GET, POST...)
+ # - HEADERS
+ # HTTP headers returned by the CA
- # Simple example: Send mail to root
- # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
+ # Simple example: Send mail to root
+ # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
}
generate_csr() {
- local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
+ local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
- # This hook is called before any certificate signing operation takes place.
- # It can be used to generate or fetch a certificate signing request with external
- # tools.
- # The output should be just the certificate signing request formatted as PEM.
- #
- # Parameters:
- # - DOMAIN
- # The primary domain as specified in domains.txt. This does not need to
- # match with the domains in the CSR, it's basically just the directory name.
- # - CERTDIR
- # Certificate output directory for this particular certificate. Can be used
- # for storing additional files.
- # - ALTNAMES
- # All domain names for the current certificate as specified in domains.txt.
- # Again, this doesn't need to match with the CSR, it's just there for convenience.
-
- # Simple example: Look for pre-generated CSRs
- # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
- # cat "${CERTDIR}/pre-generated.csr"
- # fi
+ # This hook is called before any certificate signing operation takes place.
+ # It can be used to generate or fetch a certificate signing request with external
+ # tools.
+ # The output should be just the certificate signing request formatted as PEM.
+ #
+ # Parameters:
+ # - DOMAIN
+ # The primary domain as specified in domains.txt. This does not need to
+ # match with the domains in the CSR, it's basically just the directory name.
+ # - CERTDIR
+ # Certificate output directory for this particular certificate. Can be used
+ # for storing additional files.
+ # - ALTNAMES
+ # All domain names for the current certificate as specified in domains.txt.
+ # Again, this doesn't need to match with the CSR, it's just there for convenience.
+
+ # Simple example: Look for pre-generated CSRs
+ # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
+ # cat "${CERTDIR}/pre-generated.csr"
+ # fi
}
startup_hook() {
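Review bot: the commented examples in `invalid_challenge` and `request_failure` put `${DOMAIN}` and `${STATUSCODE}` inside the `printf` format string, the pattern the script diff above replaces with `printf "%s" ...` for `PARAM_DOMAIN`. Since users copy these examples, they should pass the values as arguments to a fixed format, as the `nsupdate` examples in `deploy_challenge` and `clean_challenge` already do. Apart from that, the removed and added lines of this hunk read the same as shown here, which suggests an indentation-only rewrite of the file; keeping that in its own commit would make content changes visible. In `request_failure`, "HTML status code" should read "HTTP status code".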
Binary files old/dehydrated-0.7.0/docs/logo.jpg and new/dehydrated-0.7.1/docs/logo.jpg differ
Binary files old/dehydrated-0.7.0/docs/logo.png and new/dehydrated-0.7.1/docs/logo.png differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/per-certificate-config.md new/dehydrated-0.7.1/docs/per-certificate-config.md
--- old/dehydrated-0.7.0/docs/per-certificate-config.md 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/docs/per-certificate-config.md 2022-10-31 15:12:38.000000000 +0100
@@ -11,6 +11,8 @@
- KEY_ALGO
- KEYSIZE
- OCSP_MUST_STAPLE
+- OCSP_FETCH
+- OCSP_DAYS
- CHALLENGETYPE
- HOOK
- HOOK_CHAIN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/staging.md new/dehydrated-0.7.1/docs/staging.md
--- old/dehydrated-0.7.0/docs/staging.md 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/docs/staging.md 2022-10-31 15:12:38.000000000 +0100
@@ -8,10 +8,7 @@
To avoid this, please set the CA property to the Let���s Encrypt staging server URL in your config file:
```bash
-CA="https://acme-staging.api.letsencrypt.org/directory"
+CA="https://acme-staging-v02.api.letsencrypt.org/directory"
```
-# ACMEv2 staging
-
-You can use `CA="https://acme-staging-v02.api.letsencrypt.org/directory"` to test dehydrated with
-the ACMEv2 staging endpoint.
+Alternatively you can define the CA using the CLI argument `--ca letsencrypt-test` (`letsencrypt-test` is an integrated preset-CA corresponding to the URL above).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dehydrated-0.7.0/docs/tls-alpn.md new/dehydrated-0.7.1/docs/tls-alpn.md
--- old/dehydrated-0.7.0/docs/tls-alpn.md 2020-12-10 16:54:26.000000000 +0100
+++ new/dehydrated-0.7.1/docs/tls-alpn.md 2022-10-31 15:12:38.000000000 +0100
@@ -6,6 +6,26 @@
Dehydrated generates the required verification certificates, but the delivery is out of its scope.
+### Example lighttpd config
+
+lighttpd can be configured to recognize ALPN `acme-tls/1` and to respond to such
+requests using the specially crafted TLS certificates generated by dehydrated.
+Configure lighttpd and dehydrated to use the same path for these certificates.
+(Be sure to allow read access to the user account under which the lighttpd
+server is running.) `mkdir -p /etc/dehydrated/alpn-certs`
+
+lighttpd.conf:
+```
+ssl.acme-tls-1 = "/etc/dehydrated/alpn-certs"
+```
+
+When renewing certificates, specify `-t tls-alpn-01` and `--alpn /etc/dehydrated/alpn-certs` to dehydrated, e.g.
+```
+dehydrated -t tls-alpn-01 --alpn /etc/dehydrated/alpn-certs -c --out /etc/lighttpd/certs -d www.example.com
+# gracefully reload lighttpd to use the new certificates by sending lighttpd pid SIGUSR1
+systemctl reload lighttpd
+```
+
### Example nginx config
On an nginx tcp load-balancer you can use the `ssl_preread` module to map a different port for acme-tls
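Review bot: the lighttpd section creates the directory with a bare `mkdir -p /etc/dehydrated/alpn-certs` and asks for read access for the lighttpd account without saying how to grant it. The directory receives `.key.pem` files (the script applies `chmod g+r` to them), so the text should show the intended ownership and mode, for example a group shared with the lighttpd user and no access for others, rather than leave readers to open it up more broadly than needed.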
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package mimic for openSUSE:Factory checked in at 2022-11-01 13:42:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mimic (Old)
and /work/SRC/openSUSE:Factory/.mimic.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mimic"
Tue Nov 1 13:42:36 2022 rev:4 rq:1032543 version:1.3.0.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/mimic/mimic.changes 2021-04-19 21:07:23.340154372 +0200
+++ /work/SRC/openSUSE:Factory/.mimic.new.2275/mimic.changes 2022-11-01 13:42:43.187944462 +0100
@@ -1,0 +2,6 @@
+Mon Oct 31 14:45:25 UTC 2022 - Dominique Leuenberger <dimstar(a)opensuse.org>
+
+- Add mimic-HTS_Free.patch: use HTS_free instead of libc's free()
+ function (https://github.com/MycroftAI/mimic1/issues/231).
+
+-------------------------------------------------------------------
New:
----
mimic-HTS_Free.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mimic.spec ++++++
--- /var/tmp/diff_new_pack.tCxuQK/_old 2022-11-01 13:42:44.819953144 +0100
+++ /var/tmp/diff_new_pack.tCxuQK/_new 2022-11-01 13:42:44.823953165 +0100
@@ -1,7 +1,7 @@
#
# spec file for package mimic
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,7 @@
Group: Productivity/Text/Convertors
URL: https://mimic.mycroft.ai
Source: https://github.com/MycroftAI/mimic/archive/%{version}.tar.gz
+Patch0: mimic-HTS_Free.patch
BuildRequires: automake
BuildRequires: gcc
BuildRequires: libtool
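Review bot: the added `Patch0: mimic-HTS_Free.patch` line has no comment saying what the patch fixes or whether it has gone upstream. The changes entry already cites https://github.com/MycroftAI/mimic1/issues/231, so a one-line comment above Patch0 with that reference would let the next maintainer decide when the patch can be dropped.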
@@ -63,7 +64,7 @@
This package contains the headers and development libraries for mimic.
%prep
-%setup -q -n %{name}1-%{version}
+%autosetup -p1 -n %{name}1-%{version}
%build
./autogen.sh
++++++ mimic-HTS_Free.patch ++++++
Index: mimic1-1.3.0.1/src/hts/hts_engine_API/lib/HTS_model.c
===================================================================
--- mimic1-1.3.0.1.orig/src/hts/hts_engine_API/lib/HTS_model.c
+++ mimic1-1.3.0.1/src/hts/hts_engine_API/lib/HTS_model.c
@@ -698,7 +698,7 @@ static HTS_Boolean HTS_Model_load_pdf(HT
}
if (result == FALSE) {
model->npdf += 2;
- free(model->npdf);
+ HTS_free(model->npdf);
HTS_Model_initialize(model);
return FALSE;
}
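Review bot: the changed line releases `model->npdf` immediately after `model->npdf += 2`, so the call is only correct if the pointer was shifted down by exactly 2 earlier in HTS_Model_load_pdf and came from the allocator that HTS_free pairs with. Neither is visible in this hunk. A short comment on the `+= 2` line naming the offset it undoes would make the pairing checkable. The patch file also has no description header, so the reason for the swap lives only in the changes entry; add a header with the upstream issue link.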
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libadlmidi for openSUSE:Factory checked in at 2022-11-01 13:42:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libadlmidi (Old)
and /work/SRC/openSUSE:Factory/.libadlmidi.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libadlmidi"
Tue Nov 1 13:42:35 2022 rev:5 rq:1032544 version:1.5.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/libadlmidi/libadlmidi.changes 2021-05-08 22:08:47.837384113 +0200
+++ /work/SRC/openSUSE:Factory/.libadlmidi.new.2275/libadlmidi.changes 2022-11-01 13:42:42.291939695 +0100
@@ -1,0 +2,17 @@
+Mon Oct 31 08:50:23 UTC 2022 - Martin Hauke <mardnh(a)gmx.de>
+
+- Update to version 1.5.1
+ * Added an ability to disable the automatical arpeggio.
+ * Added an ability to set the count of loops (how many times to
+ play the song).
+ * Added an ability to disable/enable the playing of selected
+ MIDI channels.
+ * Fixed memory damages and crashes while playing XMI files.
+ * Added bank-specific MT32 defaults (to don't confuse XMI
+ playback between different games, works for AIL and IBK only,
+ and for WOPL if set at the header).
+ * Added the chip channels allocation mode option.
+ * Fixed the playback of multi-song XMI files.
+ * Added an ability to switch the XMI song on the fly.
+
+-------------------------------------------------------------------
Old:
----
libADLMIDI-1.5.0.1-1.tar.gz
New:
----
libADLMIDI-1.5.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libadlmidi.spec ++++++
--- /var/tmp/diff_new_pack.7snZTh/_old 2022-11-01 13:42:42.743942099 +0100
+++ /var/tmp/diff_new_pack.7snZTh/_new 2022-11-01 13:42:42.755942163 +0100
@@ -1,8 +1,8 @@
#
# spec file for package libadlmidi
#
-# Copyright (c) 2021 SUSE LLC
-# Copyright (c) 2019-2020, Martin Hauke <mardnh(a)gmx.de>
+# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2019-2022, Martin Hauke <mardnh(a)gmx.de>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,14 +20,14 @@
%define sover 1
%define libname libADLMIDI
Name: libadlmidi
-%define hyphver 1.5.0.1-1
-Version: 1.5.0.1.1
+%define hyphver 1.5.1
+Version: 1.5.1
Release: 0
Summary: A software MIDI synthesizer library with OPL3 emulation
License: GPL-3.0-only AND LGPL-3.0-only
Group: Development/Languages/C and C++
URL: https://github.com/Wohlstand/%{libname}
-Source: %{URL}/archive/v%{hyphver}.tar.gz#/%{libname}-%{hyphver}.tar.gz
+Source: https://github.com/Wohlstand/libADLMIDI/archive/refs/tags/v%{hyphver}.tar.g…
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: pkgconfig
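Review bot: after this change `%define hyphver 1.5.1` and `Version: 1.5.1` carry the same value, so the macro is now just a second place to update on every bump; drop hyphver and use %{version}. The new Source line also hard-codes Wohlstand/libADLMIDI although URL and %{libname} already define it; keep using the macros so the two cannot drift apart.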
++++++ libADLMIDI-1.5.0.1-1.tar.gz -> libADLMIDI-1.5.1.tar.gz ++++++
++++ 11892 lines of diff (skipped)
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rr for openSUSE:Factory checked in at 2022-11-01 13:42:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rr (Old)
and /work/SRC/openSUSE:Factory/.rr.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rr"
Tue Nov 1 13:42:34 2022 rev:4 rq:1032539 version:5.6.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/rr/rr.changes 2022-08-16 17:08:06.235942733 +0200
+++ /work/SRC/openSUSE:Factory/.rr.new.2275/rr.changes 2022-11-01 13:42:41.735936738 +0100
@@ -1,0 +2,6 @@
+Mon Oct 31 14:09:34 UTC 2022 - Dominique Leuenberger <dimstar(a)opensuse.org>
+
+- Add 2979c60e.patch: Avoid creating a struct with elements after
+ ethtool_sset_info's variable-length-array.
+
+-------------------------------------------------------------------
New:
----
2979c60e.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rr.spec ++++++
--- /var/tmp/diff_new_pack.Wc96V8/_old 2022-11-01 13:42:42.115938759 +0100
+++ /var/tmp/diff_new_pack.Wc96V8/_new 2022-11-01 13:42:42.119938780 +0100
@@ -24,6 +24,7 @@
Group: Development/Languages/C and C++
URL: https://rr-project.org/
Source: https://github.com/mozilla/%{name}/archive/%{version}.tar.gz
+Patch0: https://github.com/rr-debugger/rr/commit/2979c60e.patch
BuildRequires: capnproto
BuildRequires: cmake
BuildRequires: gcc-c++
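Review bot: Patch0 is referenced by an abbreviated commit id (`2979c60e.patch`) under github.com/rr-debugger/rr while Source still points at github.com/mozilla/%{name}. A short prefix is not a stable, unambiguous reference for something pulled into a build; use the full id from the patch header (2979c60ef8bbf7c940afd90172ddc5d8863f766e) in the URL, and point Source and Patch0 at the same upstream organisation so both artifacts have one verifiable origin.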
@@ -46,7 +47,7 @@
data watchpoints and quickly reverse-execute to where they were hit.
%prep
-%setup -q
+%autosetup -p1
%build
# Fix incorrect path to bash
++++++ 2979c60e.patch ++++++
From 2979c60ef8bbf7c940afd90172ddc5d8863f766e Mon Sep 17 00:00:00 2001
From: Robert O'Callahan <robert(a)ocallahan.org>
Date: Thu, 25 Aug 2022 20:40:59 +1200
Subject: [PATCH] Avoid creating a struct with elements after
ethtool_sset_info's variable-length-array.
Resolves #3369
---
src/record_syscall.cc | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/src/record_syscall.cc b/src/record_syscall.cc
index 2e4cdec35..48544e1df 100644
--- a/src/record_syscall.cc
+++ b/src/record_syscall.cc
@@ -1450,17 +1450,17 @@ template <typename Arch> void get_ethtool_gstrings_arch(RecordTask* t) {
AutoRemoteSyscalls remote(t);
// Do a ETHTOOL_GSSET_INFO to get the number of strings
- struct SingleStringSet {
- ethtool_sset_info et;
- uint32_t data;
- };
- SingleStringSet sss;
- sss.et.cmd = ETHTOOL_GSSET_INFO;
- sss.et.reserved = 0;
- sss.et.sset_mask = 1 << et_gstrings.string_set;
- AutoRestoreMem sss_mem(remote, &sss, sizeof(sss));
-
- ifreq.ifr_ifru.ifru_data = sss_mem.get();
+ ethtool_sset_info et;
+ et.cmd = ETHTOOL_GSSET_INFO;
+ et.reserved = 0;
+ et.sset_mask = 1 << et_gstrings.string_set;
+ std::vector<uint8_t> buffer;
+ buffer.resize(sizeof(et) + sizeof(uint32_t));
+ memcpy(buffer.data(), &et, sizeof(et));
+ memset(buffer.data() + sizeof(et), 0, sizeof(uint32_t));
+ AutoRestoreMem et_mem(remote, buffer.data(), buffer.size());
+
+ ifreq.ifr_ifru.ifru_data = et_mem.get();
AutoRestoreMem ifr_mem(remote, &ifreq, sizeof(ifreq));
long ret = remote.syscall(regs.original_syscallno(), regs.arg1(),
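Review bot: on the added line `et.sset_mask = 1 << et_gstrings.string_set;` the shift is performed on an int literal and string_set is not range-checked in the visible lines, so a value of 31 or more is outside what a signed 32-bit shift can represent. Bound string_set and shift a 64-bit one (`uint64_t(1) << ...`). Separately, `et` is filled field by field and then copied whole with `memcpy(buffer.data(), &et, sizeof(et))`; value-initialising it (`ethtool_sset_info et = {};`) would guarantee that no stale stack bytes reach the buffer handed to AutoRestoreMem.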
@@ -1470,8 +1470,7 @@ template <typename Arch> void get_ethtool_gstrings_arch(RecordTask* t) {
return;
}
- sss = t->read_mem(sss_mem.get().cast<SingleStringSet>());
-
+ uint32_t data = t->read_mem((et_mem.get() + sizeof(et)).cast<uint32_t>());
// Now do the ETHTOOL_GSTRINGS call
ret = remote.syscall(regs.original_syscallno(), regs.arg1(), SIOCETHTOOL,
regs.arg3());
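Review bot: the new local `data` holds the value the ETHTOOL_GSSET_INFO call wrote after the struct, but neither the name nor a comment says it is the string count, and the read offset `sizeof(et)` has to stay in step with the `buffer.resize(sizeof(et) + sizeof(uint32_t))` layout built in the previous hunk. Rename it (for example string_count) and add a one-line comment tying the offset to that layout.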
@@ -1479,7 +1478,7 @@ template <typename Arch> void get_ethtool_gstrings_arch(RecordTask* t) {
if (ret < 0) {
return;
}
- t->record_remote(orig_gstrings, sizeof(ethtool_gstrings) + ETH_GSTRING_LEN*sss.data);
+ t->record_remote(orig_gstrings, sizeof(ethtool_gstrings) + ETH_GSTRING_LEN*data);
}
static void get_ethtool_gstrings(RecordTask* t) {
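Review bot: `ETH_GSTRING_LEN*data` multiplies by a `data` that the previous hunk declares as `uint32_t`, so the product can be computed in 32 bits and wrap before it is added to sizeof(ethtool_gstrings); the count is read back from memory the syscall filled and is not bounded here. Widen first, for example `size_t(ETH_GSTRING_LEN) * data`, and consider rejecting counts above a sane limit before calling record_remote.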
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package sbcl for openSUSE:Factory checked in at 2022-11-01 13:42:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sbcl (Old)
and /work/SRC/openSUSE:Factory/.sbcl.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sbcl"
Tue Nov 1 13:42:30 2022 rev:83 rq:1032537 version:2.2.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/sbcl/sbcl.changes 2022-10-01 17:43:05.077662293 +0200
+++ /work/SRC/openSUSE:Factory/.sbcl.new.2275/sbcl.changes 2022-11-01 13:42:40.503930183 +0100
@@ -1,0 +2,20 @@
+Mon Oct 31 14:36:47 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com>
+
+- Update to version 2.2.10
+ * platform support:
+ ** win32: improved handling of stack overflow exceptions. (lp#1302866)
+ ** Mac OS X: enforce stronger alignment when building the runtime.
+ (lp#1991485, reported by Yan)
+ ** arm64: support for building the system without the sb-unicode feature
+ (i.e. with 8-bit characters) is restored.
+ * bug fix: do not elide the GC store barrier in closures. (lp#1982608,
+ reported by Andrew Berkley)
+ * bug fix: make sb-introspect tests pass when the system is built without
+ support for source locations. (lp#1635349, reported by Tomas Hlavaty)
+ * bug fix: erroneous assumption that the format-control of a simple condition
+ was a string. (lp#1803727)
+ * bug fix: compiler consistency failure in modular arithmetic widening.
+ (lp#1990715)
+ * bug fix: provide a stub for a helper function (lp#1992316)
+
+-------------------------------------------------------------------
Old:
----
sbcl-2.2.9-source.tar.bz2
New:
----
sbcl-2.2.10-source.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sbcl.spec ++++++
--- /var/tmp/diff_new_pack.wmWkS8/_old 2022-11-01 13:42:41.507935524 +0100
+++ /var/tmp/diff_new_pack.wmWkS8/_new 2022-11-01 13:42:41.511935546 +0100
@@ -21,7 +21,7 @@
Name: sbcl
#!BuildIgnore: gcc-PIE
-Version: 2.2.9
+Version: 2.2.10
Release: 0
Summary: Steel Bank Common Lisp
License: BSD-3-Clause AND SUSE-Public-Domain
++++++ sbcl-2.2.9-source.tar.bz2 -> sbcl-2.2.10-source.tar.bz2 ++++++
/work/SRC/openSUSE:Factory/sbcl/sbcl-2.2.9-source.tar.bz2 /work/SRC/openSUSE:Factory/.sbcl.new.2275/sbcl-2.2.10-source.tar.bz2 differ: char 11, line 1