Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package mbedtls-2 for openSUSE:Factory
checked in at 2025-07-14 10:52:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mbedtls-2 (Old)
and /work/SRC/openSUSE:Factory/.mbedtls-2.new.7373 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mbedtls-2"
Mon Jul 14 10:52:40 2025 rev:11 rq:1292596 version:2.28.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/mbedtls-2/mbedtls-2.changes 2025-05-09
18:51:42.293940392 +0200
+++ /work/SRC/openSUSE:Factory/.mbedtls-2.new.7373/mbedtls-2.changes
2025-07-14 10:58:25.253342791 +0200
@@ -1,0 +2,6 @@
+Fri Jul 11 14:27:38 UTC 2025 - Lucas Mulling <lucas.mull...@suse.com>
+
+- Fix build with gcc15:
+ * Add patch mbedtls-fix-build-with-gcc-15.patch
+
+-------------------------------------------------------------------
New:
----
mbedtls-fix-build-with-gcc-15.patch
----------(New B)----------
New:- Fix build with gcc15:
* Add patch mbedtls-fix-build-with-gcc-15.patch
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mbedtls-2.spec ++++++
--- /var/tmp/diff_new_pack.uWPUNg/_old 2025-07-14 10:58:25.789365012 +0200
+++ /var/tmp/diff_new_pack.uWPUNg/_new 2025-07-14 10:58:25.789365012 +0200
@@ -35,6 +35,8 @@
BuildRequires: pkgconfig(libpkcs11-helper-1)
BuildRequires: pkgconfig(zlib)
%{?suse_build_hwcaps_libs}
+# PATCH-FIX-UPSTREAM: Fix build with gcc15
+Patch0: mbedtls-fix-build-with-gcc-15.patch
%description
mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
++++++ mbedtls-fix-build-with-gcc-15.patch ++++++
>From 2e1399f1e1ed6fa1072cf9584f5771322b0d001b Mon Sep 17 00:00:00 2001
From: Felix Conway <felix.con...@arm.com>
Date: Wed, 11 Jun 2025 16:04:30 +0100
Subject: [PATCH 1/4] Add __attribute__ ((nonstring)) to remove
unterminated-string-initialization warning
Signed-off-by: Felix Conway <felix.con...@arm.com>
---
library/ssl_tls13_keys.c | 3 ++-
library/ssl_tls13_keys.h | 3 ++-
tests/suites/test_suite_psa_crypto.function | 6 ++++--
.../suites/test_suite_psa_crypto_slot_management.function | 7 ++++---
tests/suites/test_suite_ssl_decrypt.function | 3 ++-
5 files changed, 14 insertions(+), 8 deletions(-)
Index: mbedtls-2.28.10/library/ssl_tls13_keys.c
===================================================================
--- mbedtls-2.28.10.orig/library/ssl_tls13_keys.c
+++ mbedtls-2.28.10/library/ssl_tls13_keys.c
@@ -67,7 +67,7 @@ struct mbedtls_ssl_tls1_3_labels_struct
* the HkdfLabel structure on success.
*/
-static const char tls1_3_label_prefix[6] = "tls13 ";
+static const char tls1_3_label_prefix[6] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
= "tls13 ";
#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(label_len, context_len) \
(2 /* expansion length */ \
Index: mbedtls-2.28.10/library/ssl_tls13_keys.h
===================================================================
--- mbedtls-2.28.10.orig/library/ssl_tls13_keys.h
+++ mbedtls-2.28.10/library/ssl_tls13_keys.h
@@ -7,6 +7,8 @@
#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
#define MBEDTLS_SSL_TLS1_3_KEYS_H
+#include "common.h"
+
/* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at
* the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union
* below. */
@@ -30,8 +32,9 @@
MBEDTLS_SSL_TLS1_3_LABEL(res_binder, "res binder") \
MBEDTLS_SSL_TLS1_3_LABEL(derived, "derived")
+/* We need to tell the compiler that we meant to leave out the null character.
*/
#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
- const unsigned char name [sizeof(string) - 1];
+ const unsigned char name [sizeof(string) - 1]
MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING;
union mbedtls_ssl_tls1_3_labels_union {
MBEDTLS_SSL_TLS1_3_LABEL_LIST
Index: mbedtls-2.28.10/tests/suites/test_suite_psa_crypto.function
===================================================================
--- mbedtls-2.28.10.orig/tests/suites/test_suite_psa_crypto.function
+++ mbedtls-2.28.10/tests/suites/test_suite_psa_crypto.function
@@ -1990,7 +1990,9 @@ void mac_setup(int key_type_arg,
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
#if defined(KNOWN_SUPPORTED_MAC_ALG)
- const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk";
+ /* We need to tell the compiler that we meant to leave out the null
character. */
+ const uint8_t smoke_test_key_data[16]
MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING =
+ "kkkkkkkkkkkkkkkk";
#endif
PSA_ASSERT(psa_crypto_init());
@@ -2381,7 +2383,9 @@ void cipher_setup(int key_type_arg,
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
psa_status_t status;
#if defined(KNOWN_SUPPORTED_CIPHER_ALG)
- const uint8_t smoke_test_key_data[16] = "kkkkkkkkkkkkkkkk";
+ /* We need to tell the compiler that we meant to leave out the null
character. */
+ const uint8_t smoke_test_key_data[16]
MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING =
+ "kkkkkkkkkkkkkkkk";
#endif
PSA_ASSERT(psa_crypto_init());
Index:
mbedtls-2.28.10/tests/suites/test_suite_psa_crypto_slot_management.function
===================================================================
---
mbedtls-2.28.10.orig/tests/suites/test_suite_psa_crypto_slot_management.function
+++ mbedtls-2.28.10/tests/suites/test_suite_psa_crypto_slot_management.function
@@ -1,6 +1,7 @@
/* BEGIN_HEADER */
#include <stdint.h>
+#include "common.h"
#include "psa_crypto_slot_management.h"
#include "psa_crypto_storage.h"
@@ -358,8 +359,9 @@ void create_existent(int lifetime_arg, i
mbedtls_svc_key_id_t returned_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t type1 = PSA_KEY_TYPE_RAW_DATA;
- const uint8_t material1[5] = "a key";
- const uint8_t material2[5] = "b key";
+ /* We need to tell the compiler that we meant to leave out the null
character. */
+ const uint8_t material1[5] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "a key";
+ const uint8_t material2[5] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "b key";
size_t bits1 = PSA_BYTES_TO_BITS(sizeof(material1));
uint8_t reexported[sizeof(material1)];
size_t reexported_length;
@@ -728,7 +730,7 @@ void invalid_handle(int handle_construct
psa_key_id_t key_id;
psa_status_t close_status = close_status_arg;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- uint8_t material[1] = "a";
+ uint8_t material[1] = { 'a' };
PSA_ASSERT(psa_crypto_init());
Index: mbedtls-2.28.10/tests/suites/test_suite_ssl_decrypt.function
===================================================================
--- mbedtls-2.28.10.orig/tests/suites/test_suite_ssl_decrypt.function
+++ mbedtls-2.28.10/tests/suites/test_suite_ssl_decrypt.function
@@ -36,7 +36,7 @@ void ssl_decrypt_stream(int cipher_type,
.cid = { 0 },
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
};
- const char sample_plaintext[3] = "ABC";
+ const char sample_plaintext[3] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING =
"ABC";
mbedtls_cipher_context_t cipher;
mbedtls_cipher_init(&cipher);
mbedtls_ssl_context ssl;
Index: mbedtls-2.28.10/library/common.h
===================================================================
--- mbedtls-2.28.10.orig/library/common.h
+++ mbedtls-2.28.10/library/common.h
@@ -378,4 +378,20 @@ static inline const unsigned char *mbedt
# define MBEDTLS_MAYBE_UNUSED
#endif
+/* GCC >= 15 has a warning 'unterminated-string-initialization' which
complains if you initialize
+ * a string into an array without space for a terminating NULL character. In
some places in the
+ * codebase this behaviour is intended, so we add the macro
MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
+ * to suppress the warning in these places.
+ */
+#if defined(__has_attribute)
+#if __has_attribute(nonstring)
+#define MBEDTLS_HAS_ATTRIBUTE_NONSTRING
+#endif /* __has_attribute(nonstring) */
+#endif /* __has_attribute */
+#if defined(MBEDTLS_HAS_ATTRIBUTE_NONSTRING)
+#define MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING __attribute__((nonstring))
+#else
+#define MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
+#endif /* MBEDTLS_HAS_ATTRIBUTE_NONSTRING */
+
#endif /* MBEDTLS_LIBRARY_COMMON_H */
Index: mbedtls-2.28.10/ChangeLog.d/unterminated-string-initialization.txt
===================================================================
--- /dev/null
+++ mbedtls-2.28.10/ChangeLog.d/unterminated-string-initialization.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Silence spurious -Wunterminated-string-initialization warnings introduced
+ by GCC 15. Fixes #9944.
Index: mbedtls-2.28.10/tests/src/psa_exercise_key.c
===================================================================
--- mbedtls-2.28.10.orig/tests/src/psa_exercise_key.c
+++ mbedtls-2.28.10/tests/src/psa_exercise_key.c
@@ -7,6 +7,8 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
+#include "common.h"
+
#include <test/helpers.h>
#include <test/macros.h>
#include <test/psa_exercise_key.h>
@@ -150,7 +152,7 @@ static int exercise_cipher_key(mbedtls_s
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
const unsigned char plaintext[16] = "Hello, world...";
- unsigned char ciphertext[32] = "(wabblewebblewibblewobblewubble)";
+ unsigned char ciphertext[32] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING =
"(wabblewebblewibblewobblewubble)";
size_t ciphertext_length = sizeof(ciphertext);
unsigned char decrypted[sizeof(ciphertext)];
size_t part_length;
Index: mbedtls-2.28.10/ChangeLog.d/union-initialization.txt
===================================================================
--- /dev/null
+++ mbedtls-2.28.10/ChangeLog.d/union-initialization.txt
@@ -0,0 +1,15 @@
+Bugfix
+ * Fix failures of PSA multipart or interruptible operations when the
+ library or the application is built with a compiler where
+ "union foo x = {0}" does not initialize non-default members of the
+ union, such as GCC 15 and some versions of Clang 18. This affected MAC
+ multipart operations, MAC-based key derivation operations, interruptible
+ signature, interruptible verification, and potentially other operations
+ when using third-party drivers. This also affected one-shot MAC
+ operations using the built-in implementation. Fixes #9814.
+ * On entry to PSA driver entry points that set up a multipart operation
+ ("xxx_setup"), the operation object is supposed to be all-bits-zero.
+ This was sometimes not the case when an operation object is reused,
+ or with compilers where "union foo x = {0}" does not initialize
+ non-default members of the union. The PSA core now ensures that this
+ guarantee is met in all cases. Fixes #9975.
Index: mbedtls-2.28.10/library/psa_crypto.c
===================================================================
--- mbedtls-2.28.10.orig/library/psa_crypto.c
+++ mbedtls-2.28.10/library/psa_crypto.c
@@ -2343,8 +2343,11 @@ psa_status_t psa_hash_setup(psa_hash_ope
goto exit;
}
- /* Ensure all of the context is zeroized, since PSA_HASH_OPERATION_INIT
only
- * directly zeroes the int-sized dummy member of the context union. */
+ /* Make sure the driver-dependent part of the operation is zeroed.
+ * This is a guarantee we make to drivers. Initializing the operation
+ * does not necessarily take care of it, since the context is a
+ * union and initializing a union does not necessarily initialize
+ * all of its members. */
memset(&operation->ctx, 0, sizeof(operation->ctx));
status = psa_driver_wrapper_hash_setup(operation, alg);
@@ -2539,6 +2542,13 @@ psa_status_t psa_hash_clone(const psa_ha
return PSA_ERROR_BAD_STATE;
}
+ /* Make sure the driver-dependent part of the operation is zeroed.
+ * This is a guarantee we make to drivers. Initializing the operation
+ * does not necessarily take care of it, since the context is a
+ * union and initializing a union does not necessarily initialize
+ * all of its members. */
+ memset(&target_operation->ctx, 0, sizeof(target_operation->ctx));
+
psa_status_t status = psa_driver_wrapper_hash_clone(source_operation,
target_operation);
if (status != PSA_SUCCESS) {
@@ -2637,6 +2647,13 @@ static psa_status_t psa_mac_setup(psa_ma
goto exit;
}
+ /* Make sure the driver-dependent part of the operation is zeroed.
+ * This is a guarantee we make to drivers. Initializing the operation
+ * does not necessarily take care of it, since the context is a
+ * union and initializing a union does not necessarily initialize
+ * all of its members. */
+ memset(&operation->ctx, 0, sizeof(operation->ctx));
+
status = psa_get_and_lock_key_slot_with_policy(
key,
&slot,
@@ -3750,6 +3767,14 @@ static psa_status_t psa_cipher_setup(psa
.core = slot->attr
};
+
+ /* Make sure the driver-dependent part of the operation is zeroed.
+ * This is a guarantee we make to drivers. Initializing the operation
+ * does not necessarily take care of it, since the context is a
+ * union and initializing a union does not necessarily initialize
+ * all of its members. */
+ memset(&operation->ctx, 0, sizeof(operation->ctx));
+
/* Try doing the operation through a driver before using software
fallback. */
if (cipher_operation == MBEDTLS_ENCRYPT) {
status = psa_driver_wrapper_cipher_encrypt_setup(operation,
@@ -4283,6 +4308,17 @@ exit:
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+
+/** Internal helper to set up an HMAC operation with a key passed directly.
+ *
+ * \param[in,out] operation A MAC operation object. It does not need to
+ * be initialized.
+ * \param hash_alg The hash algorithm used for HMAC.
+ * \param hmac_key The HMAC key.
+ * \param hmac_key_length Length of \p hmac_key in bytes.
+ *
+ * \return A PSA status code.
+ */
static psa_status_t psa_key_derivation_start_hmac(
psa_mac_operation_t *operation,
psa_algorithm_t hash_alg,
@@ -4295,6 +4331,14 @@ static psa_status_t psa_key_derivation_s
psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length));
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ /* Make sure the whole the operation is zeroed.
+ * It isn't enough to require the caller to initialize operation to
+ * PSA_MAC_OPERATION_INIT, since one field is a union and initializing
+ * a union does not necessarily initialize all of its members.
+ * psa_mac_setup() would handle PSA_MAC_OPERATION_INIT, but here we
+ * bypass it and call lower-level functions directly. */
+ memset(operation, 0, sizeof(*operation));
+
operation->is_sign = 1;
operation->mac_size = PSA_HASH_LENGTH(hash_alg);
@@ -4491,7 +4535,7 @@ static psa_status_t psa_key_derivation_t
{
psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg);
uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
- psa_mac_operation_t hmac = PSA_MAC_OPERATION_INIT;
+ psa_mac_operation_t hmac;
size_t hmac_output_length;
psa_status_t status, cleanup_status;
Index: mbedtls-2.28.10/library/psa_crypto_mac.c
===================================================================
--- mbedtls-2.28.10.orig/library/psa_crypto_mac.c
+++ mbedtls-2.28.10/library/psa_crypto_mac.c
@@ -464,6 +464,15 @@ psa_status_t mbedtls_psa_mac_compute(
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
+ /* Make sure the whole operation is zeroed.
+ * PSA_MAC_OPERATION_INIT does not necessarily do it fully,
+ * since one field is a union and initializing a union does not
+ * necessarily initialize all of its members.
+ * In multipart operations, this is done in the API functions,
+ * before driver dispatch, since it needs to be done before calling
+ * the driver entry point. Here, we bypass the multipart API,
+ * so it's our job. */
+ memset(&operation, 0, sizeof(operation));
status = psa_mac_setup(&operation,
attributes, key_buffer, key_buffer_size,
