openSUSE Commits
Threads by month
- ----- 2024 -----
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
August 2024
- 2 participants
- 1399 discussions
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package 389-ds-container for openSUSE:Factory checked in at 2024-08-05 17:21:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/389-ds-container (Old)
and /work/SRC/openSUSE:Factory/.389-ds-container.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "389-ds-container"
Mon Aug 5 17:21:18 2024 rev:13 rq:1191353 version:unknown
Changes:
--------
--- /work/SRC/openSUSE:Factory/389-ds-container/389-ds-container.changes 2024-08-02 17:27:55.050740028 +0200
+++ /work/SRC/openSUSE:Factory/.389-ds-container.new.7232/389-ds-container.changes 2024-08-05 17:21:46.216340979 +0200
@@ -1,0 +2,5 @@
+Sat Aug 3 08:56:51 UTC 2024 - Dirk Mueller <dmueller(a)suse.com>
+
+- set OCI.authors attribute instead of deprecated MAINTAINER
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ Dockerfile ++++++
--- /var/tmp/diff_new_pack.FX4YP7/_old 2024-08-05 17:21:46.824365891 +0200
+++ /var/tmp/diff_new_pack.FX4YP7/_new 2024-08-05 17:21:46.828366054 +0200
@@ -20,10 +20,9 @@
FROM opensuse/tumbleweed:latest
-MAINTAINER william.brown(a)suse.com
-
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=org.opensuse.application.389-ds
+LABEL org.opencontainers.image.authors="william.brown(a)suse.com"
LABEL org.opencontainers.image.title="openSUSE Tumbleweed 389 Directory Server"
LABEL org.opencontainers.image.description="389 Directory Server container based on the openSUSE Tumbleweed Base Container Image."
LABEL org.opencontainers.image.version="%%389ds_version%%"
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package gopass for openSUSE:Factory checked in at 2024-08-05 17:21:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gopass (Old)
and /work/SRC/openSUSE:Factory/.gopass.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gopass"
Mon Aug 5 17:21:16 2024 rev:4 rq:1191446 version:1.15.14
Changes:
--------
--- /work/SRC/openSUSE:Factory/gopass/gopass.changes 2024-04-11 19:41:43.983047817 +0200
+++ /work/SRC/openSUSE:Factory/.gopass.new.7232/gopass.changes 2024-08-05 17:21:43.900246083 +0200
@@ -1,0 +2,18 @@
+Sat Aug 3 17:01:14 UTC 2024 - Marcus Rueckert <mrueckert(a)suse.de>
+
+- Update to 1.15.14:
+ - 4d3d95ed chore: More logging when gpg operations fails (#2914)
+ - 51c2bdc8 cli/decrypt: improve debugging of gpg command (#2913)
+ - e302ae75 [bugfix] Fix parsing of key-value pairs according to
+ the gitconfig (#2911)
+ - 70dbabe0 gpg: Log gpg output to LogWriter (#2869)
+ - 2a190edb updating our linter and fixing the current linter
+ issues (#2907)
+ - 2761beaa feat: on pinentry request, allow password to be cached
+ in os keyring (#2881)
+ - d6669e15 chore: Switch to static list of linters (#2882)
+ - 0fc2ad27 Reduce dependabot frequency (#2868)
+ - 3acb20e5 chore: fix function names in comment (#2861)
+ - adaae659 Fix postrel helper
+
+-------------------------------------------------------------------
Old:
----
gopass-1.15.13.tar.gz
New:
----
gopass-1.15.14.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gopass.spec ++++++
--- /var/tmp/diff_new_pack.YapuQQ/_old 2024-08-05 17:21:44.640276403 +0200
+++ /var/tmp/diff_new_pack.YapuQQ/_new 2024-08-05 17:21:44.640276403 +0200
@@ -18,7 +18,7 @@
%global make_args PREFIX=%{_prefix} GOPASS_REVISION=v%{version}
Name: gopass
-Version: 1.15.13
+Version: 1.15.14
Release: 0
Summary: The slightly more awesome standard unix password manager for teams
License: MIT
@@ -28,13 +28,13 @@
Source2: system_config
Source9: series
Patch0: do-not-strip.patch
+BuildRequires: fish
BuildRequires: golang-packaging
-BuildRequires: golang(API) >= 1.22
BuildRequires: gpg2
BuildRequires: pkgconfig
-BuildRequires: pkgconfig(bash-completion)
BuildRequires: zsh
-BuildRequires: fish
+BuildRequires: golang(API) >= 1.22
+BuildRequires: pkgconfig(bash-completion)
Requires: git-core
%{go_nostrip}
++++++ gopass-1.15.13.tar.gz -> gopass-1.15.14.tar.gz ++++++
++++ 1840 lines of diff (skipped)
++++++ vendor.tar.xz ++++++
++++ 182769 lines of diff (skipped)
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package emacs-jinx for openSUSE:Factory checked in at 2024-08-05 17:21:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/emacs-jinx (Old)
and /work/SRC/openSUSE:Factory/.emacs-jinx.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "emacs-jinx"
Mon Aug 5 17:21:14 2024 rev:7 rq:1191443 version:1.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/emacs-jinx/emacs-jinx.changes 2024-07-08 19:08:36.719511897 +0200
+++ /work/SRC/openSUSE:Factory/.emacs-jinx.new.7232/emacs-jinx.changes 2024-08-05 17:21:41.376142664 +0200
@@ -1,0 +2,8 @@
+Sat Aug 03 16:43:27 UTC 2024 - Björn Bidar <bjorn.bidar(a)thaodan.de>
+
+- Rebase p0001-Only-export-necessary-symbols.-Fixes-105.patch
+ against version 1.10
+- Update to version 1.10:
+ * Add jinx--syntax-overrides to override syntax table
+
+-------------------------------------------------------------------
Old:
----
jinx-1.9.tar.gz
New:
----
jinx-1.10.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ emacs-jinx.spec ++++++
--- /var/tmp/diff_new_pack.4l5qQ8/_old 2024-08-05 17:21:42.908205436 +0200
+++ /var/tmp/diff_new_pack.4l5qQ8/_new 2024-08-05 17:21:42.924206091 +0200
@@ -20,7 +20,7 @@
%global _name jinx
Name: emacs-%{_name}
-Version: 1.9
+Version: 1.10
Release: 0
Summary: Enchanted Spell Checker for Emacs
License: GPL-3.0-or-later
++++++ 0001-Only-export-necessary-symbols.-Fixes-105.patch ++++++
--- /var/tmp/diff_new_pack.4l5qQ8/_old 2024-08-05 17:21:43.136214778 +0200
+++ /var/tmp/diff_new_pack.4l5qQ8/_new 2024-08-05 17:21:43.168216089 +0200
@@ -56,10 +56,10 @@
return 1; // Require Emacs binary compatibility
emacs_env* env = runtime->get_environment(runtime);
diff --git a/jinx.el b/jinx.el
-index c03aabdf6ea7f12a110d62324e35fa68b56e30af..55965d59082e19f5e14f2ba703e8572eb4fcad66 100644
+index f44192d69eee3ca323fcf0f7564f1f2409e25874..b9e1fba234731c5d03895fe7acd60784dfb701f4 100644
--- a/jinx.el
+++ b/jinx.el
-@@ -592,7 +592,7 @@ If CHECK is non-nil, always check first."
+@@ -601,7 +601,7 @@ If CHECK is non-nil, always check first."
(or (locate-library c-name t)
(error "Jinx: %s not found" c-name))))
(command
++++++ jinx-1.9.tar.gz -> jinx-1.10.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jinx-1.9/CHANGELOG.org new/jinx-1.10/CHANGELOG.org
--- old/jinx-1.9/CHANGELOG.org 2024-06-29 10:58:29.000000000 +0200
+++ new/jinx-1.10/CHANGELOG.org 2024-07-24 11:17:09.000000000 +0200
@@ -2,6 +2,12 @@
#+author: Daniel Mendler
#+language: en
+* Version 1.10 (2024-07-23)
+
+- Bump Compat dependency to Compat 30.
+- Add include and linkpaths from FreeBSD for compilation.
+- Add ~jinx--syntax-overrides~ to override syntax table.
+
* Version 1.9 (2024-06-29)
- Bugfix: In some rare scenarios, Jinx could hang when checking pending regions.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jinx-1.9/jinx.el new/jinx-1.10/jinx.el
--- old/jinx-1.9/jinx.el 2024-06-29 10:58:29.000000000 +0200
+++ new/jinx-1.10/jinx.el 2024-07-24 11:17:09.000000000 +0200
@@ -5,8 +5,8 @@
;; Author: Daniel Mendler <mail(a)daniel-mendler.de>
;; Maintainer: Daniel Mendler <mail(a)daniel-mendler.de>
;; Created: 2023
-;; Version: 1.9
-;; Package-Requires: ((emacs "27.1") (compat "29.1.4.4"))
+;; Version: 1.10
+;; Package-Requires: ((emacs "27.1") (compat "30"))
;; Homepage: https://github.com/minad/jinx
;; Keywords: convenience, text
@@ -291,7 +291,13 @@
(modify-syntax-entry '(#x1cf00 . #x1d7ff) "_" st) ;; Znamenny Musical - Math. Alpha.
(modify-syntax-entry '(#x1ee00 . #x1fbff) "_" st) ;; Arabic Math. - Legacy Computing
st)
- "Base syntax table for spell checking.")
+ "Parent syntax table of `jinx--syntax-table'.")
+
+(defvar jinx--syntax-overrides
+ '((?' . "w")
+ (?’ . "w")
+ (?. . "."))
+ "Syntax table overrides used for `jinx--syntax-table'.")
(defvar jinx--select-keys
"123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
@@ -319,7 +325,10 @@
"List of dictionaries.")
(defvar-local jinx--syntax-table nil
- "Syntax table used during checking.")
+ "Syntax table used during checking.
+The table inherits from `jinx--base-syntax-table'. The table is
+configured according to the word characters defined by the local
+dictionaries. Afterwards `jinx--syntax-overrides' are applied.")
(defvar-local jinx--session-words nil
"List of words accepted in this session.")
@@ -597,7 +606,7 @@
,@(split-string-and-unquote
(condition-case nil
(car (process-lines "pkg-config" "--cflags" "--libs" "enchant-2"))
- (error "-I/usr/include/enchant-2 -lenchant-2"))))))
+ (error "-I/usr/include/enchant-2 -I/usr/local/include/enchant-2 -L/usr/local/lib -lenchant-2"))))))
(with-current-buffer (get-buffer-create "*jinx module compilation*")
(let ((inhibit-read-only t))
(erase-buffer)
@@ -864,9 +873,8 @@
(dolist (dict jinx--dicts)
(cl-loop for c across (jinx--mod-wordchars dict) do
(modify-syntax-entry c "w" jinx--syntax-table)))
- (modify-syntax-entry ?' "w" jinx--syntax-table)
- (modify-syntax-entry ?’ "w" jinx--syntax-table)
- (modify-syntax-entry ?. "." jinx--syntax-table))
+ (cl-loop for (k . v) in jinx--syntax-overrides do
+ (modify-syntax-entry k v jinx--syntax-table)))
(defun jinx--bounds-of-word ()
"Return bounds of word at point using `jinx--syntax-table'."
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tree-sitter-haskell for openSUSE:Factory checked in at 2024-08-05 17:21:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tree-sitter-haskell (Old)
and /work/SRC/openSUSE:Factory/.tree-sitter-haskell.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tree-sitter-haskell"
Mon Aug 5 17:21:13 2024 rev:2 rq:1191440 version:0.21.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/tree-sitter-haskell/tree-sitter-haskell.changes 2024-03-27 20:42:11.296281066 +0100
+++ /work/SRC/openSUSE:Factory/.tree-sitter-haskell.new.7232/tree-sitter-haskell.changes 2024-08-05 17:21:32.367773568 +0200
@@ -1,0 +2,8 @@
+Sat Aug 03 16:06:12 UTC 2024 - Björn Bidar <bjorn.bidar(a)thaodan.de>
+
+- Update to version 0.21.0:
+ * refactor(scanner): use alloc and array header, and rely on `TREE_SITTER_DEBUG` for debugging
+ * fix: allow imports after the first declaration for resilience
+ * Rewrite the grammar once again.
+
+-------------------------------------------------------------------
Old:
----
tree-sitter-haskell-0.15.0.tar.gz
New:
----
tree-sitter-haskell-0.21.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tree-sitter-haskell.spec ++++++
--- /var/tmp/diff_new_pack.4OJa3z/_old 2024-08-05 17:21:33.199807659 +0200
+++ /var/tmp/diff_new_pack.4OJa3z/_new 2024-08-05 17:21:33.199807659 +0200
@@ -19,7 +19,7 @@
%define _name haskell
Summary: Haskell grammar for tree-sitter
Name: tree-sitter-%{_name}
-Version: 0.15.0
+Version: 0.21.0
Release: 0
License: MIT
Group: Development/Tools/Other
@@ -41,6 +41,8 @@
%install
%treesitter_install
+%check
+
%files
%{treesitter_files}
%license LICENSE
++++++ tree-sitter-haskell-0.15.0.tar.gz -> tree-sitter-haskell-0.21.0.tar.gz ++++++
++++ 1562467 lines of diff (skipped)
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tree-sitter-cpp for openSUSE:Factory checked in at 2024-08-05 17:21:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tree-sitter-cpp (Old)
and /work/SRC/openSUSE:Factory/.tree-sitter-cpp.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tree-sitter-cpp"
Mon Aug 5 17:21:10 2024 rev:3 rq:1191438 version:0.22.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/tree-sitter-cpp/tree-sitter-cpp.changes 2024-04-30 17:28:59.085716511 +0200
+++ /work/SRC/openSUSE:Factory/.tree-sitter-cpp.new.7232/tree-sitter-cpp.changes 2024-08-05 17:21:15.495082250 +0200
@@ -1,0 +2,9 @@
+Thu Aug 01 21:52:23 UTC 2024 - Björn Bidar <bjorn.bidar(a)thaodan.de>
+
+- Update to version 0.22.3:
+ * Add tests for template/comparison ambiguities
+ * Fix ambiguity between template and comparison
+ * fix: remove `choice` wrapper around 'virtual'
+ * fix(query): remove duplicate rule
+
+-------------------------------------------------------------------
Old:
----
tree-sitter-cpp-0.22.0.tar.gz
New:
----
tree-sitter-cpp-0.22.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tree-sitter-cpp.spec ++++++
--- /var/tmp/diff_new_pack.iZZf9g/_old 2024-08-05 17:21:16.159109457 +0200
+++ /var/tmp/diff_new_pack.iZZf9g/_new 2024-08-05 17:21:16.163109622 +0200
@@ -19,7 +19,7 @@
%define _name cpp
Summary: C++ grammar for tree-sitter
Name: tree-sitter-%{_name}
-Version: 0.22.0
+Version: 0.22.3
Release: 0
License: MIT
Group: Development/Tools/Other
++++++ tree-sitter-cpp-0.22.0.tar.gz -> tree-sitter-cpp-0.22.3.tar.gz ++++++
++++ 960447 lines of diff (skipped)
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rnp for openSUSE:Factory checked in at 2024-08-05 17:21:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rnp (Old)
and /work/SRC/openSUSE:Factory/.rnp.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rnp"
Mon Aug 5 17:21:08 2024 rev:16 rq:1191411 version:0.17.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/rnp/rnp.changes 2024-07-29 21:53:34.715612834 +0200
+++ /work/SRC/openSUSE:Factory/.rnp.new.7232/rnp.changes 2024-08-05 17:21:13.547002433 +0200
@@ -1,0 +2,5 @@
+Tue Jul 30 20:17:53 UTC 2024 - Andreas Stieger <andreas.stieger(a)gmx.de>
+
+- Build with Botan 3 on Tumbleweed
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rnp.spec ++++++
--- /var/tmp/diff_new_pack.6TYnCm/_old 2024-08-05 17:21:14.083024395 +0200
+++ /var/tmp/diff_new_pack.6TYnCm/_new 2024-08-05 17:21:14.087024559 +0200
@@ -31,12 +31,16 @@
BuildRequires: gpg2 >= 2.2
BuildRequires: gtest
BuildRequires: pkgconfig
-BuildRequires: pkgconfig(botan-2) >= 2.14.0
BuildRequires: pkgconfig(bzip2)
BuildRequires: pkgconfig(json-c) >= 0.11
BuildRequires: pkgconfig(sexpp) >= 0.8.7
BuildRequires: pkgconfig(zlib)
BuildRequires: rubygem(asciidoctor)
+%if 0%{?suse_version} > 1600
+BuildRequires: pkgconfig(botan-3) >= 3.0.0
+%else
+BuildRequires: pkgconfig(botan-2) >= 2.14.0
+%endif
%description
RNP is a set of OpenPGP (RFC4880) tools, an alternative to GnuPG.
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package mingw64-filesystem for openSUSE:Factory checked in at 2024-08-05 17:21:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mingw64-filesystem (Old)
and /work/SRC/openSUSE:Factory/.mingw64-filesystem.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mingw64-filesystem"
Mon Aug 5 17:21:00 2024 rev:27 rq:1191501 version:20240803
Changes:
--------
--- /work/SRC/openSUSE:Factory/mingw64-filesystem/mingw64-filesystem.changes 2023-06-21 22:39:24.602208989 +0200
+++ /work/SRC/openSUSE:Factory/.mingw64-filesystem.new.7232/mingw64-filesystem.changes 2024-08-05 17:21:08.326788547 +0200
@@ -1,0 +2,13 @@
+Sat Aug 3 06:38:13 UTC 2024 - Ralf Habacker <ralf.habacker(a)freenet.de>
+
+- Update version to 20240803
+- Do not block adding native debug package when using
+ mingw64-cross-filesystem (boo#1228778)
+
+-------------------------------------------------------------------
+Wed Jul 31 23:24:10 UTC 2024 - Ralf Habacker <ralf.habacker(a)freenet.de>
+
+- Update version to 20240801
+- Add missing man language ca@valencia required by KDE Frameworks 5.103
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mingw64-filesystem.spec ++++++
--- /var/tmp/diff_new_pack.1VDBpz/_old 2024-08-05 17:21:08.994815919 +0200
+++ /var/tmp/diff_new_pack.1VDBpz/_new 2024-08-05 17:21:08.994815919 +0200
@@ -1,7 +1,7 @@
#
# spec file for package mingw64-filesystem
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -31,7 +31,7 @@
%define _rpmmacrodir %{_sysconfdir}/rpm
%endif
Name: mingw64-filesystem
-Version: 20230614
+Version: 20240803
Release: 0
Summary: MinGW base filesystem and environment
License: GPL-2.0-or-later
++++++ languages.man ++++++
--- /var/tmp/diff_new_pack.1VDBpz/_old 2024-08-05 17:21:09.070819032 +0200
+++ /var/tmp/diff_new_pack.1VDBpz/_new 2024-08-05 17:21:09.074819196 +0200
@@ -1,4 +1,5 @@
ca
+ca@valencia
cs
da
de
++++++ macros.mingw64 ++++++
--- /var/tmp/diff_new_pack.1VDBpz/_old 2024-08-05 17:21:09.098820179 +0200
+++ /var/tmp/diff_new_pack.1VDBpz/_new 2024-08-05 17:21:09.102820343 +0200
@@ -158,9 +158,9 @@
%global __objdump %{_mingw64_objdump} \
%global __os_install_post %{_mingw64_install_post}
-# this macro also disables the default debug package
+# see also macros.mingw64-cross
%_mingw64_package_header_debug \
- %global debug_package %{nil} \
+ %{?!__mingw64_cross_debug_package:%global debug_package %{nil}} \
%global __strip %{_mingw64_strip} \
%global __objdump %{_mingw64_objdump} \
%global __os_install_post %{_mingw64_debug_install_post} \\\
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libzypp for openSUSE:Factory checked in at 2024-08-05 17:20:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libzypp (Old)
and /work/SRC/openSUSE:Factory/.libzypp.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libzypp"
Mon Aug 5 17:20:51 2024 rev:497 rq:1191639 version:17.35.9
Changes:
--------
--- /work/SRC/openSUSE:Factory/libzypp/libzypp.changes 2024-07-31 13:29:12.951611234 +0200
+++ /work/SRC/openSUSE:Factory/.libzypp.new.7232/libzypp.changes 2024-08-05 17:20:57.202332752 +0200
@@ -1,0 +2,19 @@
+Mon Aug 5 12:04:25 CEST 2024 - ma(a)suse.de
+
+- single_rpmtrans: fix installation of .src.rpms (bsc#1228647)
+- version 17.35.9 (35)
+
+-------------------------------------------------------------------
+Fri Aug 2 12:46:50 CEST 2024 - ma(a)suse.de
+
+- Make sure not to statically linked installed tools (bsc#1228787)
+- version 17.35.8 (35)
+
+-------------------------------------------------------------------
+Thu Aug 1 17:35:44 CEST 2024 - ma(a)suse.de
+
+- MediaPluginType must be resolved to a valid MediaHandler
+ (bsc#1228208)
+- version 17.35.7 (35)
+
+-------------------------------------------------------------------
Old:
----
libzypp-17.35.6.tar.bz2
New:
----
libzypp-17.35.9.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libzypp.spec ++++++
--- /var/tmp/diff_new_pack.NlWj4e/_old 2024-08-05 17:20:58.074368481 +0200
+++ /var/tmp/diff_new_pack.NlWj4e/_new 2024-08-05 17:20:58.090369137 +0200
@@ -57,7 +57,7 @@
%bcond_with enable_preview_single_rpmtrans_as_default_for_zypper
Name: libzypp
-Version: 17.35.6
+Version: 17.35.9
Release: 0
License: GPL-2.0-or-later
URL: https://github.com/openSUSE/libzypp
++++++ libzypp-17.35.6.tar.bz2 -> libzypp-17.35.9.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.35.6/VERSION.cmake new/libzypp-17.35.9/VERSION.cmake
--- old/libzypp-17.35.6/VERSION.cmake 2024-07-30 17:00:08.000000000 +0200
+++ new/libzypp-17.35.9/VERSION.cmake 2024-08-05 12:05:52.000000000 +0200
@@ -61,8 +61,8 @@
SET(LIBZYPP_MAJOR "17")
SET(LIBZYPP_COMPATMINOR "35")
SET(LIBZYPP_MINOR "35")
-SET(LIBZYPP_PATCH "6")
+SET(LIBZYPP_PATCH "9")
#
-# LAST RELEASED: 17.35.6 (35)
+# LAST RELEASED: 17.35.9 (35)
# (The number in parenthesis is LIBZYPP_COMPATMINOR)
#=======
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.35.6/package/libzypp.changes new/libzypp-17.35.9/package/libzypp.changes
--- old/libzypp-17.35.6/package/libzypp.changes 2024-07-30 17:00:08.000000000 +0200
+++ new/libzypp-17.35.9/package/libzypp.changes 2024-08-05 12:05:52.000000000 +0200
@@ -1,4 +1,23 @@
-------------------------------------------------------------------
+Mon Aug 5 12:04:25 CEST 2024 - ma(a)suse.de
+
+- single_rpmtrans: fix installation of .src.rpms (bsc#1228647)
+- version 17.35.9 (35)
+
+-------------------------------------------------------------------
+Fri Aug 2 12:46:50 CEST 2024 - ma(a)suse.de
+
+- Make sure not to statically linked installed tools (bsc#1228787)
+- version 17.35.8 (35)
+
+-------------------------------------------------------------------
+Thu Aug 1 17:35:44 CEST 2024 - ma(a)suse.de
+
+- MediaPluginType must be resolved to a valid MediaHandler
+ (bsc#1228208)
+- version 17.35.7 (35)
+
+-------------------------------------------------------------------
Tue Jul 30 16:59:53 CEST 2024 - ma(a)suse.de
- Export CredentialManager for legacy YAST versions (bsc#1228420)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.35.6/tools/CMakeLists.txt new/libzypp-17.35.9/tools/CMakeLists.txt
--- old/libzypp-17.35.6/tools/CMakeLists.txt 2024-07-08 14:00:08.000000000 +0200
+++ new/libzypp-17.35.9/tools/CMakeLists.txt 2024-08-02 12:47:28.000000000 +0200
@@ -2,12 +2,21 @@
FILE( GLOB ALLCC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "*.cc" )
STRING( REPLACE ".cc" ";" APLLPROG ${ALLCC} )
+
+# make sure not to statically linked installed tools
+SET( LINKALLSYM CalculateReusableBlocks DownloadFiles )
+
FOREACH( loop_var ${APLLPROG} )
ADD_EXECUTABLE( ${loop_var}
${loop_var}.cc
)
TARGET_LINK_LIBRARIES( ${loop_var} PUBLIC zypp_exe_compiler_flags ${Boost_PROGRAM_OPTIONS_LIBRARY} )
- TARGET_LINK_LIBRARIES( ${loop_var} PUBLIC zypp-allsym )
+ LIST( FIND LINKALLSYM ${loop_var} NEEDALLSYM )
+ if ( NEEDALLSYM EQUAL -1 )
+ TARGET_LINK_LIBRARIES( ${loop_var} PUBLIC zypp )
+ ELSE()
+ TARGET_LINK_LIBRARIES( ${loop_var} PUBLIC zypp-allsym )
+ ENDIF()
ENDFOREACH( loop_var )
## ############################################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.35.6/tools/zypp-rpm/main.cc new/libzypp-17.35.9/tools/zypp-rpm/main.cc
--- old/libzypp-17.35.6/tools/zypp-rpm/main.cc 2024-06-07 10:50:10.000000000 +0200
+++ new/libzypp-17.35.9/tools/zypp-rpm/main.cc 2024-08-05 12:05:52.000000000 +0200
@@ -1,3 +1,6 @@
+#include <optional>
+#include <vector>
+
#include <zypp-core/zyppng/core/ByteArray>
#include <zypp-core/zyppng/rpc/stompframestream.h>
#include <zypp-core/zyppng/base/private/linuxhelpers_p.h>
@@ -51,6 +54,86 @@
}
} // namespace env
+namespace dbg
+{
+ struct _dumpTransactionStep
+ {
+ _dumpTransactionStep( const zypp::proto::target::TransactionStep *const step_r )
+ : _step { step_r }
+ {}
+ std::ostream & dumpOn( std::ostream & str ) const
+ {
+ str << "TStep(";
+ if ( _step ) {
+ if ( std::holds_alternative<zypp::proto::target::InstallStep>(*_step) ) {
+ const auto &step = std::get<zypp::proto::target::InstallStep>(*_step);
+ str << step.stepId << "|" << step.pathname;
+ } else if ( std::holds_alternative<zypp::proto::target::RemoveStep>(*_step) ) {
+ const auto &step = std::get<zypp::proto::target::RemoveStep>(*_step);
+ str << step.stepId << "|" << step.name << "-" << step.version << "-" << step.release << "." << step.arch;
+ } else {
+ str << "OOPS";
+ }
+ } else {
+ str << "NULL";
+ }
+ return str << ")";
+ }
+ const zypp::proto::target::TransactionStep *const _step;
+ };
+ inline std::ostream & operator<<( std::ostream & str, const _dumpTransactionStep & obj )
+ { return obj.dumpOn( str ); }
+ inline _dumpTransactionStep dump( const zypp::proto::target::TransactionStep *const obj )
+ { return _dumpTransactionStep( obj ); }
+ inline _dumpTransactionStep dump( const zypp::proto::target::TransactionStep & obj )
+ { return _dumpTransactionStep( &obj ); }
+
+ struct _dumpRpmCallbackType
+ {
+ _dumpRpmCallbackType( rpmCallbackType_e flag_r )
+ : _flag { flag_r }
+ {}
+ std::ostream & dumpOn( std::ostream & str ) const
+ {
+ str << "RPMCALLBACK";
+ if ( _flag ) {
+#define OUTS(E) if ( _flag & RPMCALLBACK_##E ) str << "_" << #E
+ OUTS( INST_PROGRESS );
+ OUTS( INST_START );
+ OUTS( INST_OPEN_FILE );
+ OUTS( INST_CLOSE_FILE );
+ OUTS( TRANS_PROGRESS );
+ OUTS( TRANS_START );
+ OUTS( TRANS_STOP );
+ OUTS( UNINST_PROGRESS );
+ OUTS( UNINST_START );
+ OUTS( UNINST_STOP );
+ OUTS( UNPACK_ERROR );
+ OUTS( CPIO_ERROR );
+ OUTS( SCRIPT_ERROR );
+ OUTS( SCRIPT_START );
+ OUTS( SCRIPT_STOP );
+ OUTS( INST_STOP );
+ OUTS( ELEM_PROGRESS );
+#ifdef HAVE_RPM_VERIFY_TRANSACTION_STEP
+ OUTS( VERIFY_PROGRESS );
+ OUTS( VERIFY_START );
+ OUTS( VERIFY_STOP );
+#endif
+#undef OUTS
+ } else {
+ str << "_UNKNOWN";
+ }
+ return str;
+ }
+ rpmCallbackType_e _flag;
+ };
+ inline std::ostream & operator<<( std::ostream & str, const _dumpRpmCallbackType & obj )
+ { return obj.dumpOn( str ); }
+ inline _dumpRpmCallbackType dump( rpmCallbackType obj )
+ { return _dumpRpmCallbackType( obj ); }
+}
+
// this is the order we expect the FDs we need to communicate to be set up
// by the parent. This is not pretty but it works and is less effort than
// setting up a Unix Domain Socket and sending FDs over that.
@@ -174,15 +257,38 @@
return std::make_pair( h, res );
}
+// Remember 'install source rpm' transaction steps (bsc#1228647, installed separately)
+struct SourcePackageInstallHelper
+{
+ // < transaction step index, path to the .src.rpm >
+ using StepIndex = std::pair<std::size_t,zypp::Pathname>;
+ using StepIndices = std::vector<StepIndex>;
+
+ void remember( std::size_t stepIndex_r, zypp::Pathname pathname_r )
+ {
+ if ( not stepIndices ) stepIndices = StepIndices();
+ stepIndices->push_back( {stepIndex_r, std::move(pathname_r)} );
+ }
+
+ std::optional<StepIndices> stepIndices; // Remembered source rpm installs
+ std::optional<std::size_t> currentStep; // Current transaction step index for rpmLibCallback
+};
struct TransactionData {
+ TransactionData( zypp::proto::target::Commit & commitData_r )
+ : commitData { commitData_r }
+ {}
+
zypp::proto::target::Commit &commitData;
// dbinstance of removals to transaction step index
- std::unordered_map<int, int> removePckIndex = {};
+ std::unordered_map<int, std::size_t> removePckIndex = {};
// the fd used by rpm to dump script output
zypp::AutoDispose<FD_t> rpmFd = {};
+
+ // Remember 'install source rpm' transaction steps (bsc#1228647, installed separately)
+ SourcePackageInstallHelper sourcePackageInstallHelper;
};
int main( int, char ** )
@@ -341,7 +447,7 @@
// do we care about knowing the public key?
const bool allowUntrusted = ( rpmInstFlags & RpmInstFlag::RPMINST_ALLOWUNTRUSTED );
- for ( int i = 0; i < msg.transactionSteps.size(); i++ ) {
+ for ( std::size_t i = 0; i < msg.transactionSteps.size(); ++i ) {
const auto &step = msg.transactionSteps[i];
if ( std::holds_alternative<zypp::proto::target::InstallStep>(step) ) {
@@ -382,6 +488,14 @@
return FailedToReadPackage;
}
+ // bsc#1228647: ::rpmtsInstallElement accepts source rpms without an error, but
+ // is not able to handle them correctly within ::rpmtsRun. We need to remember
+ // them and run ::rpmInstallSourcePackage after the ::rpmtsRun is done.
+ if ( ::headerIsSource( rpmHeader.first.get() ) ) {
+ data.sourcePackageInstallHelper.remember( i, install.pathname );
+ continue;
+ }
+
const auto res = ::rpmtsAddInstallElement( ts, rpmHeader.first.get(), &step, !install.multiversion, nullptr );
if ( res ) {
ZERR << zypp::str::Format( "Failed to add %1% to the transaction." )% file << std::endl;
@@ -549,6 +663,27 @@
return err;
}
+ // bsc#1228647: ::rpmtsInstallElement accepts source rpms without an error, but
+ // is not able to handle them correctly within ::rpmtsRun. We need to remember
+ // them and run ::rpmInstallSourcePackage after the ::rpmtsRun is done.
+ if ( data.sourcePackageInstallHelper.stepIndices ) {
+ ::rpmtsEmpty( ts ); // Re-create an empty transaction set.
+ auto err = NoError;
+ for ( const auto & [stepi,path] : *data.sourcePackageInstallHelper.stepIndices ) {
+ zypp::AutoDispose<FD_t> fd { ::Fopen( path.c_str(), "r" ), ::Fclose };
+ data.sourcePackageInstallHelper.currentStep = stepi; // rpmLibCallback needs to look it up
+ ::rpmRC res = ::rpmInstallSourcePackage( ts, fd, nullptr, nullptr );
+ if ( res != 0 ) {
+ ZERR << "RPM InstallSourcePackage " << path << " failed: " << res << std::endl;
+ err = RpmFinishedWithError;
+ }
+ }
+ data.sourcePackageInstallHelper.currentStep = std::nullopt; // done
+ if ( err != NoError ) {
+ return err;
+ }
+ }
+
//ZDBG << "Success !!!!" << std::endl;
return NoError;
@@ -596,15 +731,30 @@
const BinHeader header( (Header)h );
auto iStep = key ? reinterpret_cast< const zypp::proto::target::TransactionStep * >( key ) : nullptr;
- if ( !iStep && h ) {
- auto key = headerGetInstance( header.get() );
- if ( key > 0 ) {
- auto i = that->removePckIndex.find(key);
- if ( i != that->removePckIndex.end() )
- iStep = &that->commitData.transactionSteps[i->second];
+ if ( !iStep ) {
+ if ( that->sourcePackageInstallHelper.currentStep ) {
+ // we're in ::rpmInstallSourcePackage
+ iStep = &that->commitData.transactionSteps[*(that->sourcePackageInstallHelper.currentStep)];
+ }
+ else if ( h ) {
+ auto key = headerGetInstance( header.get() );
+ if ( key > 0 ) {
+ auto i = that->removePckIndex.find(key);
+ if ( i != that->removePckIndex.end() )
+ iStep = &that->commitData.transactionSteps[i->second];
+ }
}
}
+#if 0
+ // dbg log callback sequence (collapsing RPMCALLBACK_INST_PROGRESS)
+ static rpmCallbackType prev = RPMCALLBACK_UNKNOWN;
+ if ( what != RPMCALLBACK_INST_PROGRESS || prev != RPMCALLBACK_INST_PROGRESS ) {
+ ZDBG << "LibCB " << dbg::dump(what) << ": " << dbg::dump(iStep) << " - " << header.nvra() << std::endl;
+ prev = what;
+ }
+#endif
+
const auto &sendEndOfScriptTag = [&](){
//ZDBG << "Send end of script" << std::endl;
::Fflush( that->rpmFd );
@@ -687,7 +837,7 @@
case RPMCALLBACK_INST_STOP: {
if ( !iStep ) {
- ZERR << "Could not find package " << header << " in transaction elements for " << what << std::endl;
+ ZERR << "Could not find package " << header << " in transaction elements for " << dbg::dump(what) << std::endl;
return rc;
}
@@ -729,7 +879,7 @@
case RPMCALLBACK_UNPACK_ERROR: {
if ( !iStep ) {
- ZERR << "Could not find package " << header << " in transaction elements for " << what << std::endl;
+ ZERR << "Could not find package " << header << " in transaction elements for " << dbg::dump(what) << std::endl;
return rc;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.35.6/zypp/media/MediaHandlerFactory.cc new/libzypp-17.35.9/zypp/media/MediaHandlerFactory.cc
--- old/libzypp-17.35.6/zypp/media/MediaHandlerFactory.cc 2024-06-04 11:50:11.000000000 +0200
+++ new/libzypp-17.35.9/zypp/media/MediaHandlerFactory.cc 2024-08-01 17:36:13.000000000 +0200
@@ -54,19 +54,16 @@
ZYPP_THROW(MediaBadUrlException(o_url));
}
- std::unique_ptr<MediaHandler> _handler;
-
UrlResolverPlugin::HeaderList custom_headers;
Url url = UrlResolverPlugin::resolveUrl(o_url, custom_headers);
+ MIL << "Trying scheme '" << url.getScheme() << "'" << std::endl;
-
- MIL << "Trying scheme '" << o_url.getScheme() << "'" << std::endl;
-
- const auto hdlType = handlerType( o_url );
+ const auto hdlType = handlerType( url );
if ( !hdlType ) {
ZYPP_THROW(MediaUnsupportedUrlSchemeException(url));
}
+ std::unique_ptr<MediaHandler> _handler;
switch(*hdlType) {
case MediaCDType: {
_handler = std::make_unique<MediaCD> (url,preferred_attach_point);
@@ -152,7 +149,10 @@
break;
}
case MediaPluginType: {
- _handler = std::make_unique<MediaPlugin> (url,preferred_attach_point);
+ // bsc#1228208: MediaPluginType must be resolved to a valid schema by the
+ // above UrlResolverPlugin::resolveUrl call. MediaPlugin exists as a stub,
+ // but is not a usable handler type.
+ ZYPP_THROW(MediaUnsupportedUrlSchemeException(url));
break;
}
}
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package gtk4 for openSUSE:Factory checked in at 2024-08-05 17:20:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gtk4 (Old)
and /work/SRC/openSUSE:Factory/.gtk4.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gtk4"
Mon Aug 5 17:20:48 2024 rev:77 rq:1191428 version:4.15.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/gtk4/gtk4.changes 2024-08-01 22:04:16.088067566 +0200
+++ /work/SRC/openSUSE:Factory/.gtk4.new.7232/gtk4.changes 2024-08-05 17:20:54.102205731 +0200
@@ -1,0 +2,6 @@
+Fri Aug 2 20:17:08 UTC 2024 - Joshua Smith <smolsheep(a)opensuse.org>
+
+- Add 0002-Revert-no-pointer-viewport.patch --
+ Fixes https://gitlab.gnome.org/GNOME/gtk/-/issues/6620
+
+-------------------------------------------------------------------
New:
----
0002-Revert-no-pointer-viewport.patch
BETA DEBUG BEGIN:
New:
- Add 0002-Revert-no-pointer-viewport.patch --
Fixes https://gitlab.gnome.org/GNOME/gtk/-/issues/6620
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gtk4.spec ++++++
--- /var/tmp/diff_new_pack.lT7b5n/_old 2024-08-05 17:20:54.982241789 +0200
+++ /var/tmp/diff_new_pack.lT7b5n/_new 2024-08-05 17:20:54.982241789 +0200
@@ -46,6 +46,10 @@
# PATCH-FIX-OPENSUSE 0001-Revert-Meson-Simplify-pkgconfig-file-generator.patch -- Revert "Meson: Simplify pkgconfig file generator"
Patch0: 0001-Revert-Meson-Simplify-pkgconfig-file-generator.patch
+# https://gitlab.gnome.org/GNOME/gtk/-/issues/6620
+# PATCH-FIX-UPSTREAM 0002-Revert-no-pointer-viewport.patch -- Fix the gigantic cursor issue pulled in latest version
+Patch1: 0002-Revert-no-pointer-viewport.patch
+
BuildRequires: cups-devel >= 2.0
# We do not support building against cups 2.3 betas
BuildConflicts: (cups-devel > 2.3 with cups-devel < 2.3.0)
++++++ 0002-Revert-no-pointer-viewport.patch ++++++
From 3d802177be2f2e5fb95fdb988108dd1b048c5579 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen(a)redhat.com>
Date: Wed, 31 Jul 2024 07:29:37 -0400
Subject: [PATCH] wayland: No viewporter for cursors
The outlook for mutter supporting this in GNOME 47 are cloudy,
so lets flip the switch back. You can still set
USE_POINTER_VIEWPORT in the environment to try this code.
---
gdk/wayland/gdkdevice-wayland.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/gdk/wayland/gdkdevice-wayland.c b/gdk/wayland/gdkdevice-wayland.c
index 1070d7f9e1d..139c22cd39b 100644
--- a/gdk/wayland/gdkdevice-wayland.c
+++ b/gdk/wayland/gdkdevice-wayland.c
@@ -265,13 +265,13 @@ gdk_wayland_device_update_surface_cursor (GdkDevice *device)
guint next_image_index, next_image_delay;
gboolean retval = G_SOURCE_REMOVE;
GdkWaylandTabletData *tablet;
- gboolean use_viewport;
+ gboolean use_viewport = FALSE;
tablet = gdk_wayland_seat_find_tablet (seat, device);
- use_viewport = pointer->pointer_surface_viewport != NULL;
- if (g_getenv ("NO_POINTER_VIEWPORT"))
- use_viewport = FALSE;
+ if (pointer->pointer_surface_viewport &&
+ g_getenv ("USE_POINTER_VIEWPORT"))
+ use_viewport = TRUE;
if (pointer->cursor)
{
--
GitLab
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2024-08-05 17:20:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old)
and /work/SRC/openSUSE:Factory/.mozilla-nss.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss"
Mon Aug 5 17:20:45 2024 rev:220 rq:1191334 version:3.102.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2024-07-14 08:53:57.852045841 +0200
+++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.7232/mozilla-nss.changes 2024-08-05 17:20:48.725985458 +0200
@@ -1,0 +2,38 @@
+Fri Aug 2 08:04:51 UTC 2024 - Martin Sirringhaus <martin.sirringhaus(a)suse.com>
+
+- update to NSS 3.102.1
+ * bmo#1905691 - ChaChaXor to return after the function
+
+- update to NSS 3.102
+ * bmo#1880351 - Add Valgrind annotations to freebl Chacha20-Poly1305.
+ * bmo#1901932 - missing sqlite header.
+ * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
+ * bmo#1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
+ * bmo#1660676 - correct length of raw SPKI data before printing in pp utility.
+
+-------------------------------------------------------------------
+Mon Jul 29 12:44:11 UTC 2024 - Martin Sirringhaus <martin.sirringhaus(a)suse.com>
+
+- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
+ depends on it and will create a broken, empty config, if sed is
+ missing (bsc#1227918)
+
+-------------------------------------------------------------------
+Wed Jul 10 13:21:13 UTC 2024 - Hans Petter Jansson <hpj(a)suse.com>
+
+- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
+- Removed some dead code from nss-fips-constructor-self-tests.patch.
+- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
+
+- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
+- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
+ bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
+
+- Updated nss-fips-approved-crypto-non-ec.patch and
+ nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
+ bsc#1222828, bsc#1222834.
+
+- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
+ bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.
+
+-------------------------------------------------------------------
Old:
----
nss-3.101.1.tar.gz
New:
----
nss-3.102.1.tar.gz
nss-fips-aes-gcm-restrict.patch
nss-fips-safe-memset.patch
BETA DEBUG BEGIN:
New:
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
New:
- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:52.734149679 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:52.734149679 +0200
@@ -17,15 +17,15 @@
#
-%global nss_softokn_fips_version 3.101.1
+%global nss_softokn_fips_version 3.102.1
%define NSPR_min_version 4.35
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
-%global crypto_policies_version 20210118
+%global crypto_policies_version 20210218
Name: mozilla-nss
-Version: 3.101.1
+Version: 3.102.1
Release: 0
-%define underscore_version 3_101_1
+%define underscore_version 3_102_1
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
@@ -81,6 +81,8 @@
Patch48: nss-fips-test.patch
Patch49: nss-allow-slow-tests-s390x.patch
Patch50: nss-fips-bsc1223724.patch
+Patch51: nss-fips-aes-gcm-restrict.patch
+Patch52: nss-fips-safe-memset.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
@@ -150,6 +152,7 @@
Summary: System NSS Initialization
Group: System/Management
Requires: mozilla-nss >= %{version}
+Requires(post): sed
Requires(post): coreutils
%description sysinit
@@ -245,6 +248,11 @@
%patch -P 49 -p1
%endif
%patch -P 50 -p1
+%patch -P 51 -p1
+%if 0%{?sle_version} >= 150000
+# glibc on SLE-12 is too old and doesn't have explicit_bzero yet.
+%patch -P 52 -p1
+%endif
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
++++++ malloc.patch ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:52.878155579 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:52.882155744 +0200
@@ -2,7 +2,7 @@
===================================================================
--- nss.orig/tests/ssl/ssl.sh
+++ nss/tests/ssl/ssl.sh
-@@ -1696,6 +1696,7 @@ ssl_run_tests()
+@@ -1661,6 +1661,7 @@ ssl_run_tests()
################################# main #################################
++++++ nss-3.101.1.tar.gz -> nss-3.102.1.tar.gz ++++++
/work/SRC/openSUSE:Factory/mozilla-nss/nss-3.101.1.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new.7232/nss-3.102.1.tar.gz differ: char 5, line 1
++++++ nss-fips-aes-gcm-restrict.patch ++++++
Index: nss/lib/softoken/sftkmessage.c
===================================================================
--- nss.orig/lib/softoken/sftkmessage.c
+++ nss/lib/softoken/sftkmessage.c
@@ -151,6 +151,37 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
if (crv != CKR_OK)
return crv;
+ if (context->isFIPS && (contextType == SFTK_MESSAGE_ENCRYPT)) {
+ if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) {
+ context->isFIPS = PR_FALSE;
+ } else {
+ CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
+ switch (p->ivGenerator) {
+ default:
+ case CKG_NO_GENERATE:
+ context->isFIPS = PR_FALSE;
+ break;
+ case CKG_GENERATE_RANDOM:
+ if ((p->ulIvLen < 96 / PR_BITS_PER_BYTE) ||
+ (p->ulIvFixedBits != 0)) {
+ context->isFIPS = PR_FALSE;
+ }
+ break;
+ case CKG_GENERATE_COUNTER_XOR:
+ if ((p->ulIvLen != 96 / PR_BITS_PER_BYTE) ||
+ (p->ulIvFixedBits != 32)) {
+ context->isFIPS = PR_FALSE;
+ }
+ break;
+ case CKG_GENERATE_COUNTER:
+ if ((p->ulIvFixedBits < 32) ||
+ ((p->ulIvLen * PR_BITS_PER_BYTE - p->ulIvFixedBits) < 32)) {
+ context->isFIPS = PR_FALSE;
+ }
+ }
+ }
+ }
+
if (!pOuttext) {
*pulOuttextLen = ulIntextLen;
return CKR_OK;
++++++ nss-fips-approved-crypto-non-ec.patch ++++++
++++ 621 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/mozilla-nss/nss-fips-approved-crypto-non-ec.patch
++++ and /work/SRC/openSUSE:Factory/.mozilla-nss.new.7232/nss-fips-approved-crypto-non-ec.patch
++++++ nss-fips-bsc1223724.patch ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:52.986160004 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:52.990160168 +0200
@@ -2,7 +2,7 @@
===================================================================
--- nss.orig/lib/pk11wrap/pk11skey.c
+++ nss/lib/pk11wrap/pk11skey.c
-@@ -520,6 +520,14 @@ PK11_ImportDataKey(PK11SlotInfo *slot, C
+@@ -521,6 +521,14 @@ PK11_ImportDataKey(PK11SlotInfo *slot, C
CK_OBJECT_HANDLE handle;
PK11GenericObject *genObject;
++++++ nss-fips-combined-hash-sign-dsa-ecdsa.patch ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:53.018161316 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:53.022161480 +0200
@@ -68,16 +68,7 @@
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
-@@ -2677,7 +2677,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
- static SECStatus
- nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
- unsigned int *sigLen, unsigned int maxSigLen,
-- void *dataBuf, unsigned int dataLen)
-+ const void *dataBuf, unsigned int dataLen)
- {
- NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
- SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
-@@ -2690,6 +2690,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
+@@ -2744,6 +2744,38 @@ nsc_EDDSASignStub(void *ctx, void *sigBu
return rv;
}
@@ -97,22 +88,6 @@
+ return rv;
+}
+
- static SECStatus
- nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
- void *dataBuf, unsigned int dataLen)
-@@ -2703,7 +2719,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
- static SECStatus
- nsc_ECDSASignStub(void *ctx, void *sigBuf,
- unsigned int *sigLen, unsigned int maxSigLen,
-- void *dataBuf, unsigned int dataLen)
-+ const void *dataBuf, unsigned int dataLen)
- {
- NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
- SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
-@@ -2744,6 +2760,22 @@ nsc_EDDSASignStub(void *ctx, void *sigBu
- return rv;
- }
-
+SECStatus
+ECDSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
+ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
@@ -155,7 +130,7 @@
switch (pMechanism->mechanism) {
INIT_RSA_VFY_MECH(MD5)
INIT_RSA_VFY_MECH(MD2)
-@@ -4904,6 +4952,73 @@ loser:
+@@ -4905,6 +4953,73 @@ loser:
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
@@ -229,7 +204,7 @@
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
*
-@@ -4957,8 +5072,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -4958,8 +5073,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
/* Variables used for Signature/Verification functions. */
/* Must be at least 256 bits for DSA2 digest */
@@ -238,7 +213,7 @@
CK_ULONG signature_length;
if (keyType == CKK_RSA) {
-@@ -5112,80 +5225,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5113,80 +5226,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
}
++++++ nss-fips-constructor-self-tests.patch ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:53.034161971 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:53.038162136 +0200
@@ -449,7 +449,7 @@
===================================================================
--- /dev/null
+++ nss/lib/freebl/fips.h
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,15 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
+ *
@@ -462,7 +462,6 @@
+
+int FIPS_mode(void);
+int FIPS_mode_allow_tests(void);
-+char* FIPS_rngDev(void);
+
+#endif
+
@@ -484,7 +483,94 @@
/*
* different platforms have different ways of calling and initial entry point
* when the dll/.so is loaded. Most platforms support either a posix pragma
-@@ -1807,17 +1814,19 @@ freebl_fips_RNG_PowerUpSelfTest(void)
+@@ -1663,38 +1670,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
+ {
+ /* DH Known P (2048-bits) */
+ static const PRUint8 dh_known_P[] = {
+- 0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd,
+- 0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef,
+- 0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b,
+- 0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e,
+- 0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03,
+- 0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc,
+- 0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85,
+- 0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01,
+- 0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c,
+- 0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03,
+- 0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0,
+- 0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5,
+- 0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f,
+- 0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9,
+- 0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57,
+- 0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70,
+- 0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c,
+- 0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d,
+- 0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e,
+- 0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc,
+- 0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62,
+- 0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12,
+- 0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e,
+- 0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b,
+- 0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b,
+- 0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55,
+- 0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b,
+- 0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97,
+- 0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34,
+- 0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c,
+- 0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60,
+- 0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
++ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
++ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
++ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
++ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
++ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
++ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
++ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
++ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
++ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
++ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
++ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
++ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
++ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
++ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
++ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
++ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
++ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
++ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
++ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
++ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
++ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
++ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
++ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
++ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
++ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
++ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
++ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
++ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
++ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
++
+ };
+
+ static const PRUint8 dh_known_Y_1[] = {
+@@ -1740,10 +1748,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
+ };
+
+ static const PRUint8 dh_known_hash_result[] = {
+- 0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf,
+- 0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81,
+- 0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f,
+- 0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10
++ 0x40, 0xe3, 0x7a, 0x34, 0x83, 0x2d, 0x94, 0x57,
++ 0x99, 0x3d, 0x66, 0xec, 0x54, 0xdf, 0x82, 0x4a,
++ 0x37, 0x0d, 0xf9, 0x01, 0xb3, 0xbc, 0x54, 0xe5,
++ 0x5e, 0x63, 0xd3, 0x46, 0x4e, 0xa3, 0xe2, 0x8a
+ };
+
+ /* DH variables. */
+@@ -1807,17 +1815,19 @@ freebl_fips_RNG_PowerUpSelfTest(void)
return (SECSuccess);
}
@@ -505,7 +591,7 @@
#define DO_FREEBL 1
#define DO_REST 2
-@@ -1929,11 +1938,13 @@ static PRBool self_tests_ran = PR_FALSE;
+@@ -1929,11 +1939,13 @@ static PRBool self_tests_ran = PR_FALSE;
static PRBool self_tests_freebl_success = PR_FALSE;
static PRBool self_tests_success = PR_FALSE;
@@ -520,7 +606,7 @@
{
SECStatus rv;
/* if the freebl self tests didn't run, there is something wrong with
-@@ -1946,7 +1957,7 @@ BL_POSTRan(PRBool freebl_only)
+@@ -1946,7 +1958,7 @@ BL_POSTRan(PRBool freebl_only)
return PR_TRUE;
}
/* if we only care about the freebl tests, we are good */
@@ -529,7 +615,7 @@
return PR_TRUE;
}
/* run the rest of the self tests */
-@@ -1965,32 +1976,16 @@ BL_POSTRan(PRBool freebl_only)
+@@ -1965,32 +1977,16 @@ BL_POSTRan(PRBool freebl_only)
return PR_TRUE;
}
@@ -567,7 +653,7 @@
self_tests_freebl_ran = PR_TRUE; /* we are running the tests */
if (!freebl_only) {
-@@ -2002,20 +1997,55 @@ bl_startup_tests(void)
+@@ -2002,20 +1998,55 @@ bl_startup_tests(void)
/* always run the post tests */
rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST);
if (rv != SECSuccess) {
@@ -625,7 +711,7 @@
}
/*
-@@ -2024,19 +2054,12 @@ bl_startup_tests(void)
+@@ -2024,19 +2055,12 @@ bl_startup_tests(void)
* power on selftest failed.
*/
SECStatus
@@ -647,7 +733,7 @@
if (rerun) {
/* reset the flags */
self_tests_freebl_ran = PR_FALSE;
-@@ -2050,10 +2073,104 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo
+@@ -2050,10 +2074,89 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo
return SECSuccess;
}
/* standalone freebl can initialize */
@@ -707,21 +793,6 @@
+ return fips;
+}
+
-+/* returns string specifying what system RNG file to use for seeding */
-+char *
-+FIPS_rngDev(void)
-+{
-+ switch (FIPS_mode()) {
-+ case 0:
-+ return RNG_DEV_FIPS0;
-+ case 1:
-+ return RNG_DEV_FIPS1;
-+ default:
-+ fatal("Fatal error: internal error at %s:%u"
-+ , __FILE__, __LINE__);
-+ }
-+}
-+
+/* either returns the input or aborts if in FIPS and the algorithm is not
+ * approved */
+PRBool
@@ -861,7 +932,7 @@
$(NULL)
MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
-@@ -198,6 +199,7 @@ ALL_HDRS = \
+@@ -194,6 +195,7 @@ ALL_HDRS = \
shsign.h \
vis_proto.h \
seed.h \
@@ -1110,7 +1181,7 @@
===================================================================
--- nss.orig/lib/softoken/fipstest.c
+++ nss/lib/softoken/fipstest.c
-@@ -683,6 +683,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
+@@ -683,6 +683,175 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
return (SECSuccess);
}
@@ -1283,162 +1354,10 @@
+ return (SECSuccess);
+}
+
-+#define FIPS_ECDSA_DIGEST_LENGTH 28 /* 224-bits */
-+#define FIPS_ECDSA_SIGNATURE_LENGTH 64 /* 512-bits */
-+
-+/* Similar to freebl_fips_ECDSA_PowerUpSelfTest, but using ECDSA_HashSign() */
-+static SECStatus
-+sftk_fips_ECDSA_PowerUpSelfTest(void)
-+{
-+ /* EC Known curve nistp256 == ECCCurve_X9_62_PRIME_256V1 params */
-+ static const unsigned char p256_prime[] = {
-+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
-+ };
-+ static const unsigned char p256_a[] = {
-+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC
-+ };
-+ static const unsigned char p256_b[] = {
-+ 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, 0x76,
-+ 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, 0x3B, 0xCE,
-+ 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B
-+ };
-+ static const unsigned char p256_base[] = {
-+ 0x04,
-+ 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, 0x63,
-+ 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1,
-+ 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
-+ 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F, 0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C,
-+ 0x0F, 0x9E, 0x16, 0x2B, 0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6,
-+ 0x40, 0x68, 0x37, 0xBF, 0x51, 0xF5
-+ };
-+ static const unsigned char p256_order[] = {
-+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-+ 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9,
-+ 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
-+ };
-+ static const unsigned char p256_encoding[] = {
-+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
-+ };
-+ static ECParams ec_known_P256_Params = {
-+ NULL, ec_params_named, /* arena, type */
-+ /* fieldID */
-+ { 256, ec_field_plain, /* size and type */
-+ { { siBuffer, (unsigned char *)p256_prime, sizeof(p256_prime) } }, /* u.prime */
-+ 0,
-+ 0,
-+ 0 },
-+ /* curve */
-+ { /* a = curvea b = curveb */
-+ /* curve.a */
-+ { siBuffer, (unsigned char *)p256_a, sizeof(p256_a) },
-+ /* curve.b */
-+ { siBuffer, (unsigned char *)p256_b, sizeof(p256_b) },
-+ /* curve.seed */
-+ { siBuffer, NULL, 0 } },
-+ /* base = 04xy*/
-+ { siBuffer, (unsigned char *)p256_base, sizeof(p256_base) },
-+ /* order */
-+ { siBuffer, (unsigned char *)p256_order, sizeof(p256_order) },
-+ 1, /* cofactor */
-+ /* DEREncoding */
-+ { siBuffer, (unsigned char *)p256_encoding, sizeof(p256_encoding) },
-+ ECCurve_X9_62_PRIME_256V1,
-+ /* curveOID */
-+ { siBuffer, (unsigned char *)(p256_encoding) + 2, sizeof(p256_encoding) - 2 },
-+ };
-+ /* ECDSA Known Seed info for curves nistp256 and nistk283 */
-+ static const PRUint8 ecdsa_Known_Seed[] = {
-+ 0x6a, 0x9b, 0xf6, 0xf7, 0xce, 0xed, 0x79, 0x11,
-+ 0xf0, 0xc7, 0xc8, 0x9a, 0xa5, 0xd1, 0x57, 0xb1,
-+ 0x7b, 0x5a, 0x3b, 0x76, 0x4e, 0x7b, 0x7c, 0xbc,
-+ 0xf2, 0x76, 0x1c, 0x1c, 0x7f, 0xc5, 0x53, 0x2f
-+ };
-+ /* ECDSA Known Digest (224-bits) */
-+ static const PRUint8 ecdsa_known_digest[] = { "ECDSA Signature Digest, Longer" };
-+ /* ECDSA variables. */
-+ ECPrivateKey *ecdsa_private_key;
-+ SECStatus ecdsa_status;
-+ SECItem ecdsa_signature_item;
-+ SECItem ecdsa_digest_item;
-+ ECPublicKey ecdsa_public_key;
-+ PRUint8 ecdsa_computed_signature[2 * MAX_ECKEY_LEN];
-+ NSSLOWKEYPrivateKey lowkey_priv;
-+
-+ /*********************************************/
-+ /* Generate an ECDSA public/private key pair */
-+ /*********************************************/
-+
-+ ecdsa_status = EC_NewKeyFromSeed(&ec_known_P256_Params,
-+ &ecdsa_private_key,
-+ ecdsa_Known_Seed,
-+ sizeof (ecdsa_Known_Seed));
-+
-+ if (ecdsa_status != SECSuccess) {
-+ PORT_SetError(SEC_ERROR_NO_MEMORY);
-+ return (SECFailure);
-+ }
-+
-+ /* Construct public key from private key. */
-+ ecdsa_public_key.ecParams = ecdsa_private_key->ecParams;
-+ ecdsa_public_key.publicValue = ecdsa_private_key->publicValue;
-+
-+ /* Validate public key value. */
-+ ecdsa_status = EC_ValidatePublicKey(&ecdsa_public_key.ecParams,
-+ &ecdsa_public_key.publicValue);
-+ if (ecdsa_status != SECSuccess) {
-+ goto loser;
-+ }
-+
-+ /***********************************/
-+ /* ECDSA pairwise consistency test */
-+ /***********************************/
-+
-+ ecdsa_signature_item.data = ecdsa_computed_signature;
-+ ecdsa_signature_item.len = sizeof ecdsa_computed_signature;
-+
-+ ecdsa_digest_item.data = (unsigned char *)ecdsa_known_digest;
-+ ecdsa_digest_item.len = SHA224_LENGTH;
-+
-+ /* Perform ECDSA signature process. */
-+ lowkey_priv.u.ec = *ecdsa_private_key;
-+ ecdsa_status = ECDSA_HashSign (SEC_OID_SHA224, &lowkey_priv,
-+ ecdsa_signature_item.data, &ecdsa_signature_item.len,
-+ sizeof ecdsa_computed_signature,
-+ ecdsa_digest_item.data, SHA224_LENGTH);
-+
-+ /* Check that operation succeeded and that signature is different from hash */
-+ if ((ecdsa_status != SECSuccess) ||
-+ (ecdsa_signature_item.len != FIPS_ECDSA_SIGNATURE_LENGTH) ||
-+ (PORT_Memcmp(ecdsa_computed_signature, ecdsa_known_digest,
-+ PR_MIN (FIPS_ECDSA_SIGNATURE_LENGTH, FIPS_ECDSA_DIGEST_LENGTH)) == 0)) {
-+ ecdsa_status = SECFailure;
-+ } else {
-+ /* Perform ECDSA verification process. */
-+ ecdsa_status = ECDSA_VerifyDigest(&ecdsa_public_key,
-+ &ecdsa_signature_item,
-+ &ecdsa_digest_item);
-+ }
-+
-+loser:
-+ /* Free the memory for the private key arena */
-+ PORT_FreeArena(ecdsa_private_key->ecParams.arena, PR_FALSE);
-+
-+ if (ecdsa_status != SECSuccess) {
-+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-+ return SECFailure;
-+ }
-+
-+ return (SECSuccess);
-+}
-+
static PRBool sftk_self_tests_ran = PR_FALSE;
static PRBool sftk_self_tests_success = PR_FALSE;
-@@ -694,7 +1015,6 @@ void
+@@ -694,7 +863,6 @@ void
sftk_startup_tests_with_rerun(PRBool rerun)
{
SECStatus rv;
@@ -1446,7 +1365,7 @@
PORT_Assert(!sftk_self_tests_ran);
PORT_Assert(!sftk_self_tests_success);
-@@ -706,6 +1026,7 @@ sftk_startup_tests_with_rerun(PRBool rer
+@@ -706,6 +874,7 @@ sftk_startup_tests_with_rerun(PRBool rer
if (rv != SECSuccess) {
return;
}
@@ -1454,7 +1373,7 @@
/* make sure freebl is initialized, or our RSA check
* may fail. This is normally done at freebl load time, but it's
* possible we may have shut freebl down without unloading it. */
-@@ -723,12 +1044,21 @@ sftk_startup_tests_with_rerun(PRBool rer
+@@ -723,12 +892,15 @@ sftk_startup_tests_with_rerun(PRBool rer
if (rv != SECSuccess) {
return;
}
@@ -1469,18 +1388,12 @@
return;
}
+
-+ /* check the ECDSA combined functions in softoken */
-+ rv = sftk_fips_ECDSA_PowerUpSelfTest();
-+ if (rv != SECSuccess) {
-+ return;
-+ }
-+
+ /* Checksum is done by fips_initTestSoftoken() in fips.c */
+
rv = sftk_fips_IKE_PowerUpSelfTests();
if (rv != SECSuccess) {
return;
-@@ -766,17 +1096,10 @@ sftk_startup_tests(void)
+@@ -766,17 +938,10 @@ sftk_startup_tests(void)
CK_RV
sftk_FIPSEntryOK(PRBool rerun)
{
@@ -1499,7 +1412,7 @@
if (rerun) {
sftk_self_tests_ran = PR_FALSE;
sftk_self_tests_success = PR_FALSE;
-@@ -787,6 +1110,17 @@ sftk_FIPSEntryOK(PRBool rerun)
+@@ -787,6 +952,17 @@ sftk_FIPSEntryOK(PRBool rerun)
}
return CKR_OK;
}
@@ -1632,7 +1545,7 @@
ED_VerifyMessage,
ED_DerivePublicKey,
/* End of version 3.028 */
-+
++
+ /* SUSE patch: Goes last */
+ BL_FIPSRepeatIntegrityCheck
};
++++++ nss-fips-pairwise-consistency-check.patch ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:53.066163283 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:53.070163446 +0200
@@ -14,7 +14,7 @@
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
-@@ -4843,8 +4843,8 @@ loser:
+@@ -4897,8 +4897,8 @@ loser:
return crv;
}
@@ -25,7 +25,7 @@
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
-@@ -5847,6 +5847,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -5960,6 +5960,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
(PRUint32)crv);
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
}
++++++ nss-fips-pbkdf-kat-compliance.patch ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:53.082163939 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:53.082163939 +0200
@@ -2,7 +2,7 @@
===================================================================
--- nss.orig/lib/softoken/lowpbe.c
+++ nss/lib/softoken/lowpbe.c
-@@ -1756,7 +1756,7 @@ loser:
+@@ -1755,7 +1755,7 @@ loser:
return ret_algid;
}
@@ -11,7 +11,7 @@
SECStatus
sftk_fips_pbkdf_PowerUpSelfTests(void)
{
-@@ -1766,16 +1766,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
+@@ -1765,16 +1765,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
unsigned char iteration_count = 5;
unsigned char keyLen = 64;
char *inKeyData = TEST_KEY;
@@ -43,7 +43,7 @@
};
sftk_PBELockInit();
-@@ -1804,11 +1810,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
+@@ -1803,11 +1809,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
* for NSSPKCS5_PBKDF2 */
pbe_params.iter = iteration_count;
pbe_params.keyLen = keyLen;
++++++ nss-fips-pct-pubkeys.patch ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:53.098164594 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:53.102164758 +0200
@@ -5,15 +5,7 @@
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
-@@ -20,6 +20,7 @@
-
- #include <limits.h> /* for UINT_MAX and ULONG_MAX */
-
-+#include "lowkeyti.h"
- #include "seccomon.h"
- #include "secitem.h"
- #include "secport.h"
-@@ -4965,6 +4966,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
+@@ -5020,6 +5020,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
return crv;
}
@@ -102,7 +94,7 @@
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
*
-@@ -5311,6 +5394,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5370,6 +5452,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
}
++++++ nss-fips-rsa-keygen-strictness.patch ++++++
--- /var/tmp/diff_new_pack.IKpQDo/_old 2024-08-05 17:20:53.114165249 +0200
+++ /var/tmp/diff_new_pack.IKpQDo/_new 2024-08-05 17:20:53.114165249 +0200
@@ -65,7 +65,7 @@
/* The minimal required randomness is 64 bits */
/* EXP_BLINDING_RANDOMNESS_LEN is the length of the randomness in mp_digits */
-@@ -149,11 +151,24 @@ rsa_build_from_primes(const mp_int *p, c
+@@ -151,11 +153,24 @@ rsa_build_from_primes(const mp_int *p, c
err = mp_invmod(d, &phi, e);
} else {
err = mp_invmod(e, &phi, d);
@@ -92,7 +92,7 @@
if (err != MP_OKAY) {
if (err == MP_UNDEF) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
-@@ -286,10 +301,12 @@ RSA_NewKey(int keySizeInBits, SECItem *p
+@@ -288,10 +303,12 @@ RSA_NewKey(int keySizeInBits, SECItem *p
mp_int q = { 0, 0, 0, NULL };
mp_int e = { 0, 0, 0, NULL };
mp_int d = { 0, 0, 0, NULL };
@@ -106,7 +106,7 @@
int prerr = 0;
RSAPrivateKey *key = NULL;
PLArenaPool *arena = NULL;
-@@ -307,11 +324,40 @@ RSA_NewKey(int keySizeInBits, SECItem *p
+@@ -309,11 +326,40 @@ RSA_NewKey(int keySizeInBits, SECItem *p
PORT_SetError(SEC_ERROR_INVALID_ARGS);
goto cleanup;
}
@@ -151,7 +151,7 @@
}
#endif
-@@ -329,12 +375,7 @@ RSA_NewKey(int keySizeInBits, SECItem *p
+@@ -331,12 +377,7 @@ RSA_NewKey(int keySizeInBits, SECItem *p
key->arena = arena;
/* length of primes p and q (in bytes) */
primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE);
@@ -165,7 +165,7 @@
/* 3. Set the version number (PKCS1 v1.5 says it should be zero) */
SECITEM_AllocItem(arena, &key->version, 1);
key->version.data[0] = 0;
-@@ -345,13 +386,64 @@ RSA_NewKey(int keySizeInBits, SECItem *p
+@@ -347,13 +388,64 @@ RSA_NewKey(int keySizeInBits, SECItem *p
PORT_SetError(0);
CHECK_SEC_OK(generate_prime(&p, primeLen));
CHECK_SEC_OK(generate_prime(&q, primeLen));
@@ -231,7 +231,7 @@
/* Attempt to use these primes to generate a key */
rv = rsa_build_from_primes(&p, &q,
&e, PR_FALSE, /* needPublicExponent=false */
-@@ -374,7 +466,9 @@ cleanup:
+@@ -376,7 +468,9 @@ cleanup:
mp_clear(&q);
mp_clear(&e);
mp_clear(&d);
++++++ nss-fips-safe-memset.patch ++++++
Index: nss/lib/freebl/aeskeywrap.c
===================================================================
--- nss.orig/lib/freebl/aeskeywrap.c
+++ nss/lib/freebl/aeskeywrap.c
@@ -513,7 +513,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen);
rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv,
outLen);
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
@@ -529,7 +529,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
PORT_ZFree(newBuf, paddedInputLen);
/* a little overkill, we only need to clear out the length, but this
* is easier to verify we got it all */
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
@@ -632,12 +632,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
loser:
/* if we failed, make sure we don't return any data to the user */
if ((rv != SECSuccess) && (output == newBuf)) {
- PORT_Memset(newBuf, 0, paddedLen);
+ PORT_SafeZero(newBuf, paddedLen);
}
/* clear out CSP sensitive data from the heap and stack */
if (allocBuf) {
PORT_ZFree(allocBuf, paddedLen);
}
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
Index: nss/lib/freebl/blapii.h
===================================================================
--- nss.orig/lib/freebl/blapii.h
+++ nss/lib/freebl/blapii.h
@@ -113,10 +113,10 @@ PRBool ppc_crypto_support();
#ifdef NSS_FIPS_DISABLED
#define BLAPI_CLEAR_STACK(stack_size)
#else
-#define BLAPI_CLEAR_STACK(stack_size) \
- { \
- volatile char _stkclr[stack_size]; \
- PORT_Memset((void *)&_stkclr[0], 0, stack_size); \
+#define BLAPI_CLEAR_STACK(stack_size) \
+ { \
+ volatile char _stkclr[stack_size]; \
+ PORT_SafeZero((void *)&_stkclr[0], stack_size); \
}
#endif
Index: nss/lib/freebl/drbg.c
===================================================================
--- nss.orig/lib/freebl/drbg.c
+++ nss/lib/freebl/drbg.c
@@ -259,7 +259,7 @@ prng_initEntropy(void)
SHA256_Update(&ctx, block, sizeof(block));
SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
sizeof(globalrng->previousEntropyHash));
- PORT_Memset(block, 0, sizeof(block));
+ PORT_SafeZero(block, sizeof(block));
SHA256_DestroyContext(&ctx, PR_FALSE);
coRNGInitEntropy.status = PR_SUCCESS;
__sync_synchronize ();
@@ -311,8 +311,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
}
out:
- PORT_Memset(hash, 0, sizeof hash);
- PORT_Memset(block, 0, sizeof block);
+ PORT_SafeZero(hash, sizeof hash);
+ PORT_SafeZero(block, sizeof block);
return rv;
}
@@ -458,8 +458,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
SHA256_DestroyContext(&ctx, PR_FALSE);
}
- PORT_Memset(data, 0, sizeof data);
- PORT_Memset(thisHash, 0, sizeof thisHash);
+ PORT_SafeZero(data, sizeof data);
+ PORT_SafeZero(thisHash, sizeof thisHash);
}
/*
@@ -520,7 +520,7 @@ prng_generateNewBytes(RNGContext *rng,
PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
/* if the prng failed, don't return any output, signal softoken */
- PORT_Memset(H, 0, sizeof H);
+ PORT_SafeZero(H, sizeof H);
if (!rng->isValid) {
PORT_Memset(returned_bytes, 0, no_of_returned_bytes);
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
Index: nss/lib/freebl/dsa.c
===================================================================
--- nss.orig/lib/freebl/dsa.c
+++ nss/lib/freebl/dsa.c
@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
err = MP_OKAY;
signature->len = dsa_signature_len;
cleanup:
- PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
+ PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN);
mp_clear(&p);
mp_clear(&q);
mp_clear(&g);
@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
rv = dsa_SignDigest(key, signature, digest, kSeed);
} while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
--retries > 0);
- PORT_Memset(kSeed, 0, sizeof kSeed);
+ PORT_SafeZero(kSeed, sizeof kSeed);
return rv;
}
@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
verified = SECSuccess; /* Signature verified. */
}
cleanup:
- PORT_Memset(localDigestData, 0, sizeof localDigestData);
+ PORT_SafeZero(localDigestData, sizeof localDigestData);
mp_clear(&p);
mp_clear(&q);
mp_clear(&g);
Index: nss/lib/freebl/gcm.c
===================================================================
--- nss.orig/lib/freebl/gcm.c
+++ nss/lib/freebl/gcm.c
@@ -507,7 +507,7 @@ gcmHash_Final(gcmHashContext *ghash, uns
rv = SECSuccess;
cleanup:
- PORT_Memset(T, 0, sizeof(T));
+ PORT_SafeZero(T, sizeof(T));
return rv;
}
@@ -629,15 +629,15 @@ GCM_CreateContext(void *context, freeblC
if (rv != SECSuccess) {
goto loser;
}
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
gcm->ctr_context_init = PR_TRUE;
return gcm;
loser:
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
if (ghash && ghash->mem) {
void *mem = ghash->mem;
- PORT_Memset(ghash, 0, sizeof(gcmHashContext));
+ PORT_SafeZero(ghash, sizeof(gcmHashContext));
PORT_Free(mem);
}
if (gcm) {
@@ -717,11 +717,11 @@ gcm_InitCounter(GCMContext *gcm, const u
goto loser;
}
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
return SECSuccess;
loser:
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
if (freeCtr) {
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
}
@@ -1212,10 +1212,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
PORT_SetError(SEC_ERROR_BAD_DATA);
- PORT_Memset(tag, 0, sizeof(tag));
+ PORT_SafeZero(tag, sizeof(tag));
return SECFailure;
}
- PORT_Memset(tag, 0, sizeof(tag));
+ PORT_SafeZero(tag, sizeof(tag));
/* finish the decryption */
rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
inbuf, inlen, AES_BLOCK_SIZE);
Index: nss/lib/freebl/hmacct.c
===================================================================
--- nss.orig/lib/freebl/hmacct.c
+++ nss/lib/freebl/hmacct.c
@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut,
hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
hashObj->destroy(mdState, PR_TRUE);
- PORT_Memset(lengthBytes, 0, sizeof lengthBytes);
- PORT_Memset(hmacPad, 0, sizeof hmacPad);
- PORT_Memset(firstBlock, 0, sizeof firstBlock);
- PORT_Memset(macOut, 0, sizeof macOut);
+ PORT_SafeZero(lengthBytes, sizeof lengthBytes);
+ PORT_SafeZero(hmacPad, sizeof hmacPad);
+ PORT_SafeZero(firstBlock, sizeof firstBlock);
+ PORT_SafeZero(macOut, sizeof macOut);
return SECSuccess;
}
Index: nss/lib/freebl/intel-gcm-wrap.c
===================================================================
--- nss.orig/lib/freebl/intel-gcm-wrap.c
+++ nss/lib/freebl/intel-gcm-wrap.c
@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo
void
intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
{
- PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
+ PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext));
if (freeit) {
PORT_Free(gcm);
}
Index: nss/lib/freebl/ppc-gcm-wrap.c
===================================================================
--- nss.orig/lib/freebl/ppc-gcm-wrap.c
+++ nss/lib/freebl/ppc-gcm-wrap.c
@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex
void
ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit)
{
- PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext));
+ PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext));
if (freeit) {
PORT_Free(gcm);
}
Index: nss/lib/freebl/pqg.c
===================================================================
--- nss.orig/lib/freebl/pqg.c
+++ nss/lib/freebl/pqg.c
@@ -703,7 +703,7 @@ cleanup:
mp_clear(&a);
mp_clear(&z);
mp_clear(&two_length_minus_1);
- PORT_Memset(x, 0, sizeof(x));
+ PORT_SafeZero(x, sizeof(x));
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
@@ -859,7 +859,7 @@ cleanup:
mp_clear(&c);
mp_clear(&c0);
mp_clear(&one);
- PORT_Memset(x, 0, sizeof(x));
+ PORT_SafeZero(x, sizeof(x));
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
@@ -1072,7 +1072,7 @@ makePfromQandSeed(
CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */
CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */
cleanup:
- PORT_Memset(V_j, 0, sizeof V_j);
+ PORT_SafeZero(V_j, sizeof V_j);
mp_clear(&W);
mp_clear(&X);
mp_clear(&c);
@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
/* step 11.
* return valid G */
cleanup:
- PORT_Memset(data, 0, sizeof(data));
+ PORT_SafeZero(data, sizeof(data));
if (hashcx) {
hashobj->destroy(hashcx, PR_TRUE);
}
Index: nss/lib/freebl/rijndael.c
===================================================================
--- nss.orig/lib/freebl/rijndael.c
+++ nss/lib/freebl/rijndael.c
@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
cx->worker_cx = NULL;
cx->destroy = NULL;
}
- PORT_Memset(cx, 0, sizeof(AESContext));
+ PORT_SafeZero(cx, sizeof(AESContext));
if (freeit) {
PORT_Free(mem);
} else {
Index: nss/lib/freebl/rsa.c
===================================================================
--- nss.orig/lib/freebl/rsa.c
+++ nss/lib/freebl/rsa.c
@@ -145,8 +145,8 @@ rsa_build_from_primes(const mp_int *p, c
/* 2. Compute phi = (p-1)*(q-1) */
CHECK_MPI_OK(mp_sub_d(p, 1, &psub1));
CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1));
+ CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
if (needPublicExponent || needPrivateExponent) {
- CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
/* 3. Compute d = e**-1 mod(phi) */
/* or e = d**-1 mod(phi) as necessary */
if (needPublicExponent) {
@@ -180,6 +180,15 @@ rsa_build_from_primes(const mp_int *p, c
goto cleanup;
}
+ /* make sure we weren't passed in a d or e = 1 mod phi */
+ /* just need to check d, because if one is = 1 mod phi, they both are */
+ CHECK_MPI_OK(mp_mod(d, &phi, &tmp));
+ if (mp_cmp_d(&tmp, 2) <= 0) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ goto cleanup;
+ }
+
/* 4. Compute exponent1 = d mod (p-1) */
CHECK_MPI_OK(mp_mod(d, &psub1, &tmp));
MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
@@ -1251,6 +1260,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv
/* Perform a public key operation v = m ** e mod n */
CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v));
if (mp_cmp(&v, c) != 0) {
+ /* this error triggers a fips fatal error lock */
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
}
cleanup:
Index: nss/lib/freebl/rsapkcs.c
===================================================================
--- nss.orig/lib/freebl/rsapkcs.c
+++ nss/lib/freebl/rsapkcs.c
@@ -978,14 +978,14 @@ rsa_GetHMACContext(const SECHashObject *
/* now create the hmac key */
hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE);
if (hmac == NULL) {
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
return NULL;
}
HMAC_Begin(hmac);
HMAC_Update(hmac, input, inputLen);
rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash));
if (rv != SECSuccess) {
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
HMAC_Destroy(hmac, PR_TRUE);
return NULL;
}
@@ -993,7 +993,7 @@ rsa_GetHMACContext(const SECHashObject *
* reuse the original context allocated above so we don't
* need to allocate and free another one */
rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE);
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
if (rv != SECSuccess) {
HMAC_Destroy(hmac, PR_TRUE);
return NULL;
@@ -1043,7 +1043,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha
return rv;
}
PORT_Memcpy(output, hmacLast, left);
- PORT_Memset(hmacLast, 0, sizeof(hmacLast));
+ PORT_SafeZero(hmacLast, sizeof(hmacLast));
}
return rv;
}
@@ -1088,7 +1088,7 @@ rsa_GetErrorLength(HMACContext *hmac, in
outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen),
candidate, outLength);
}
- PORT_Memset(out, 0, sizeof(out));
+ PORT_SafeZero(out, sizeof(out));
return outLength;
}
Index: nss/lib/freebl/shvfy.c
===================================================================
--- nss.orig/lib/freebl/shvfy.c
+++ nss/lib/freebl/shvfy.c
@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD,
/* verify the hash against the check file */
rv = DSA_VerifyDigest(key, signature, &hash);
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
return (rv == SECSuccess) ? PR_TRUE : PR_FALSE;
}
#endif
@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
if (rv == SECSuccess) {
result = SECITEM_ItemsAreEqual(signature, &hash);
}
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
return result;
}
@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P
#ifndef NSS_STRICT_INTEGRITY
DSAPublicKey key;
- PORT_Memset(&key, 0, sizeof(key));
+ PORT_SafeZero(&key, sizeof(key));
#endif
/* If our integrity check was never ran or failed, fail any other
@@ -600,7 +600,7 @@ blapi_SHVerifyFile(const char *shName, P
shFD = NULL;
loser:
- PORT_Memset(&header, 0, sizeof header);
+ PORT_SafeZero(&header, sizeof header);
if (checkName != NULL) {
PORT_Free(checkName);
}
Index: nss/lib/freebl/tlsprfalg.c
===================================================================
--- nss.orig/lib/freebl/tlsprfalg.c
+++ nss/lib/freebl/tlsprfalg.c
@@ -82,8 +82,8 @@ loser:
/* clear out state so it's not left on the stack */
if (cx)
HMAC_Destroy(cx, PR_TRUE);
- PORT_Memset(state, 0, sizeof(state));
- PORT_Memset(outbuf, 0, sizeof(outbuf));
+ PORT_SafeZero(state, sizeof(state));
+ PORT_SafeZero(outbuf, sizeof(outbuf));
return rv;
}
Index: nss/lib/freebl/unix_urandom.c
===================================================================
--- nss.orig/lib/freebl/unix_urandom.c
+++ nss/lib/freebl/unix_urandom.c
@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void)
return;
}
RNG_RandomUpdate(bytes, numBytes);
- PORT_Memset(bytes, 0, sizeof bytes);
+ PORT_SafeZero(bytes, sizeof bytes);
}
size_t
Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -4994,7 +4994,7 @@ pairwise_signverify_mech (CK_SESSION_HAN
if ((signature_length >= pairwise_digest_length) &&
(PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
PORT_Free(signature);
- return CKR_DEVICE_ERROR;
+ return CKR_GENERAL_ERROR;
}
/* Verify the known hash using the public key. */
Index: nss/lib/util/secport.h
===================================================================
--- nss.orig/lib/util/secport.h
+++ nss/lib/util/secport.h
@@ -36,6 +36,9 @@
#include <sys/types.h>
#include <ctype.h>
+/* ask for Annex K for memset_s. will set the appropriate #define
+ * if Annex K is supported */
+#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>
#include <stddef.h>
#include <stdlib.h>
@@ -182,6 +185,39 @@ SEC_END_PROTOS
#endif /*SUNOS4*/
#define PORT_Memset memset
+/* there are cases where the compiler optimizes away our attempt to clear
+ * out our stack variables. There are multiple solutions for this problem,
+ * but they aren't universally accepted on all platforms. This attempts
+ * to select the best solution available given our os, compilier, and libc */
+#ifdef __STDC_LIB_EXT1__
+/* if the os implements C11 annex K, use memset_s */
+#define PORT_SafeZero(p, n) memset_s(p, n, 0, n)
+#else
+#ifdef XP_WIN
+/* windows has a secure zero funtion */
+#define PORT_SafeZero(p, n) SecureZeroMemory(p, n)
+#else
+/* _DEFAULT_SORUCE == BSD source in GCC based environments
+ * if other environmens support explicit_bzero, their defines
+ * should be added here */
+#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)
+#define PORT_SafeZero(p, n) explicit_bzero(p, n)
+#else
+/* if the os doesn't support one of the above, but does support
+ * memset_explicit, you can add the definition for memset with the
+ * appropriate define check here */
+/* define an explicitly implementated Safe zero if the OS
+ * doesn't provide one */
+#define PORT_SafeZero(p, n) \
+ if (p != NULL) { \
+ volatile unsigned char *__vl = (unsigned char *)p; \
+ size_t __nl = n; \
+ while (__nl--) *__vl++ = 0; \
+ }
+#endif /* no explicit_bzero */
+#endif /* no windows SecureZeroMemory */
+#endif /* no memset_s */
+
#define PORT_Strcasecmp PL_strcasecmp
#define PORT_Strcat strcat
#define PORT_Strchr strchr
1
0