From patchwork Fri Sep 20 13:38:59 2024
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/16] Revert "wpa-supplicant: Upgrade 2.10 -> 2.11"
Date: Fri, 20 Sep 2024 06:38:59 -0700
Message-Id: <79ed0dba62404b9de3cd97bc861dea8779416afc.1726839438.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204740

This version bump adds new features and should not have been taken.

This reverts commit 35c2b5f56bca789b9723a144fda0a130a67a860c.

Signed-off-by: Steve Sakoman --- ...all-wpa_passphrase-when-not-disabled.patch | 33 +++ ...te-Phase-2-authentication-requiremen.patch | 213 ++++++++++++++++++ ...options-for-libwpa_client.so-and-wpa.patch | 73 ++++++ ...oval-of-wpa_passphrase-on-make-clean.patch | 26 +++ ...plicant_2.11.bb => wpa-supplicant_2.10.bb} | 10 +- 5 files changed, 352 insertions(+), 3 deletions(-) create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.11.bb => wpa-supplicant_2.10.bb} (90%) diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch new file mode 100644 index 0000000000..c04c608bde --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch 
@@ -0,0 +1,33 @@ +From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001 +From: Alex Kiernan +Date: Thu, 21 Apr 2022 10:15:29 +0100 +Subject: [PATCH] Install wpa_passphrase when not disabled + +As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets +built, its not installed during `make install`. + +Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase") +Signed-off-by: Alex Kiernan +Signed-off-by: Alex Kiernan +Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html] +--- + wpa_supplicant/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index 0bab313f2355..12787c0c7d0f 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: % + + install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL)) + $(MAKE) -C ../src install ++ifndef CONFIG_NO_WPA_PASSPHRASE ++ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase ++endif + ifdef CONFIG_BUILD_WPA_CLIENT_SO + install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so + install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h +-- +2.35.1 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch new file mode 100644 index 0000000000..620560d3c7 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch 
@@ -0,0 +1,213 @@ +From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 8 Jul 2023 19:55:32 +0300 +Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements + +The previous PEAP client behavior allowed the server to skip Phase 2 +authentication with the expectation that the server was authenticated +during Phase 1 through TLS server certificate validation. Various PEAP +specifications are not exactly clear on what the behavior on this front +is supposed to be and as such, this ended up being more flexible than +the TTLS/FAST/TEAP cases. However, this is not really ideal when +unfortunately common misconfiguration of PEAP is used in deployed +devices where the server trust root (ca_cert) is not configured or the +user has an easy option for allowing this validation step to be skipped. + +Change the default PEAP client behavior to be to require Phase 2 +authentication to be successfully completed for cases where TLS session +resumption is not used and the client certificate has not been +configured. Those two exceptions are the main cases where a deployed +authentication server might skip Phase 2 and as such, where a more +strict default behavior could result in undesired interoperability +issues. Requiring Phase 2 authentication will end up disabling TLS +session resumption automatically to avoid interoperability issues. 
+ +Allow Phase 2 authentication behavior to be configured with a new phase1 +configuration parameter option: +'phase2_auth' option can be used to control Phase 2 (i.e., within TLS +tunnel) behavior for PEAP: + * 0 = do not require Phase 2 authentication + * 1 = require Phase 2 authentication when client certificate + (private_key/client_cert) is no used and TLS session resumption was + not used (default) + * 2 = require Phase 2 authentication in all cases + +Signed-off-by: Jouni Malinen + +CVE: CVE-2023-52160 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c] + +Signed-off-by: Claus Stovgaard + +--- + src/eap_peer/eap_config.h | 8 ++++++ + src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- + src/eap_peer/eap_tls_common.c | 6 +++++ + src/eap_peer/eap_tls_common.h | 5 ++++ + wpa_supplicant/wpa_supplicant.conf | 7 ++++++ + 5 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h +index 3238f74..047eec2 100644 +--- a/src/eap_peer/eap_config.h ++++ b/src/eap_peer/eap_config.h +@@ -469,6 +469,14 @@ struct eap_peer_config { + * 1 = use cryptobinding if server supports it + * 2 = require cryptobinding + * ++ * phase2_auth option can be used to control Phase 2 (i.e., within TLS ++ * tunnel) behavior for PEAP: ++ * 0 = do not require Phase 2 authentication ++ * 1 = require Phase 2 authentication when client certificate ++ * (private_key/client_cert) is no used and TLS session resumption was ++ * not used (default) ++ * 2 = require Phase 2 authentication in all cases ++ * + * EAP-WSC (WPS) uses following options: pin=Device_Password and + * uuid=Device_UUID + * +diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c +index 12e30df..6080697 100644 +--- a/src/eap_peer/eap_peap.c ++++ b/src/eap_peer/eap_peap.c +@@ -67,6 +67,7 @@ struct eap_peap_data { + u8 cmk[20]; + int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) + * is 
enabled. */ ++ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; + }; + + +@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, + wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); + } + ++ if (os_strstr(phase1, "phase2_auth=0")) { ++ data->phase2_auth = NO_AUTH; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Do not require Phase 2 authentication"); ++ } else if (os_strstr(phase1, "phase2_auth=1")) { ++ data->phase2_auth = FOR_INITIAL; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Require Phase 2 authentication for initial connection"); ++ } else if (os_strstr(phase1, "phase2_auth=2")) { ++ data->phase2_auth = ALWAYS; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Require Phase 2 authentication for all cases"); ++ } + #ifdef EAP_TNC + if (os_strstr(phase1, "tnc=soh2")) { + data->soh = 2; +@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) + data->force_peap_version = -1; + data->peap_outer_success = 2; + data->crypto_binding = OPTIONAL_BINDING; ++ data->phase2_auth = FOR_INITIAL; + + if (config && config->phase1) + eap_peap_parse_phase1(data, config->phase1); +@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, + } + + ++static bool peap_phase2_sufficient(struct eap_sm *sm, ++ struct eap_peap_data *data) ++{ ++ if ((data->phase2_auth == ALWAYS || ++ (data->phase2_auth == FOR_INITIAL && ++ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && ++ !data->ssl.client_cert_conf) || ++ data->phase2_eap_started) && ++ !data->phase2_eap_success) ++ return false; ++ return true; ++} ++ ++ + /** + * eap_tlv_process - Process a received EAP-TLV message and generate a response + * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() +@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, + " - force failed Phase 2"); + resp_status = EAP_TLV_RESULT_FAILURE; + ret->decision = DECISION_FAIL; ++ } else if (!peap_phase2_sufficient(sm, data)) { ++ wpa_printf(MSG_INFO, 
++ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); ++ resp_status = EAP_TLV_RESULT_FAILURE; ++ ret->decision = DECISION_FAIL; + } else { + resp_status = EAP_TLV_RESULT_SUCCESS; + ret->decision = DECISION_UNCOND_SUCC; +@@ -887,8 +921,7 @@ continue_req: + /* EAP-Success within TLS tunnel is used to indicate + * shutdown of the TLS channel. The authentication has + * been completed. */ +- if (data->phase2_eap_started && +- !data->phase2_eap_success) { ++ if (!peap_phase2_sufficient(sm, data)) { + wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " + "Success used to indicate success, " + "but Phase 2 EAP was not yet " +@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, + static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) + { + struct eap_peap_data *data = priv; ++ + return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && +- data->phase2_success; ++ data->phase2_success && data->phase2_auth != ALWAYS; + } + + +diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c +index c1837db..a53eeb1 100644 +--- a/src/eap_peer/eap_tls_common.c ++++ b/src/eap_peer/eap_tls_common.c +@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, + + sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); + ++ if (!phase2) ++ data->client_cert_conf = params->client_cert || ++ params->client_cert_blob || ++ params->private_key || ++ params->private_key_blob; ++ + return 0; + } + +diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h +index 9ac0012..3348634 100644 +--- a/src/eap_peer/eap_tls_common.h ++++ b/src/eap_peer/eap_tls_common.h +@@ -79,6 +79,11 @@ struct eap_ssl_data { + * tls_v13 - Whether TLS v1.3 or newer is used + */ + int tls_v13; ++ ++ /** ++ * client_cert_conf: Whether client certificate has been configured ++ */ ++ bool client_cert_conf; + }; + + +diff --git 
a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf +index 6619d6b..d63f73c 100644 +--- a/wpa_supplicant/wpa_supplicant.conf ++++ b/wpa_supplicant/wpa_supplicant.conf +@@ -1321,6 +1321,13 @@ fast_reauth=1 + # * 0 = do not use cryptobinding (default) + # * 1 = use cryptobinding if server supports it + # * 2 = require cryptobinding ++# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS ++# tunnel) behavior for PEAP: ++# * 0 = do not require Phase 2 authentication ++# * 1 = require Phase 2 authentication when client certificate ++# (private_key/client_cert) is no used and TLS session resumption was ++# not used (default) ++# * 2 = require Phase 2 authentication in all cases + # EAP-WSC (WPS) uses following options: pin= or + # pbc=1. + # diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch new file mode 100644 index 0000000000..6e930fc98d --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch 
@@ -0,0 +1,73 @@ +From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001 +From: Sergey Matyukevich +Date: Tue, 22 Feb 2022 11:52:19 +0300 +Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and + wpa_passphrase + +Commit a41a29192e5d ("build: Pull common fragments into a build.rules +file") introduced a regression into wpa_supplicant build process. The +build target libwpa_client.so is not built regardless of whether the +option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because +this config option is used before it is imported from the configuration +file. Moving its use after including build.rules does not help: the +variable ALL is processed by build.rules and further changes are not +applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work +as expected: wpa_passphrase is always built regardless of whether the +option is set or not. + +Re-enable these options by adding both build targets to _all +dependencies. + +Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file") +Signed-off-by: Sergey Matyukevich +Upstream-Status: Backport +Signed-off-by: Alex Kiernan +Signed-off-by: Alex Kiernan +--- + wpa_supplicant/Makefile | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index cb66defac7c8..c456825ae75f 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -1,24 +1,29 @@ + BINALL=wpa_supplicant wpa_cli + +-ifndef CONFIG_NO_WPA_PASSPHRASE +-BINALL += wpa_passphrase +-endif +- + ALL = $(BINALL) + ALL += systemd/wpa_supplicant.service + ALL += systemd/wpa_supplicant@.service + ALL += systemd/wpa_supplicant-nl80211@.service + ALL += systemd/wpa_supplicant-wired@.service + ALL += dbus/fi.w1.wpa_supplicant1.service +-ifdef CONFIG_BUILD_WPA_CLIENT_SO +-ALL += libwpa_client.so +-endif + + EXTRA_TARGETS=dynamic_eap_methods + + CONFIG_FILE=.config + include ../src/build.rules + ++ifdef 
CONFIG_BUILD_WPA_CLIENT_SO ++# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO ++# being set in the config which is read by build.rules ++_all: libwpa_client.so ++endif ++ ++ifndef CONFIG_NO_WPA_PASSPHRASE ++# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE ++# being set in the config which is read by build.rules ++_all: wpa_passphrase ++endif ++ + ifdef LIBS + # If LIBS is set with some global build system defaults, clone those for + # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well. +-- +2.35.1 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch new file mode 100644 index 0000000000..53b0fcdf53 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch @@ -0,0 +1,26 @@ +From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 3 Mar 2022 13:26:42 +0200 +Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean' + +Fixes: 0430bc8267b4 ("build: Add a common-clean target") +Signed-off-by: Jouni Malinen +Upstream-Status: Backport +Signed-off-by: Alex Kiernan +Signed-off-by: Alex Kiernan +--- + wpa_supplicant/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index c456825ae75f..4b4688931b1d 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -2077,3 +2077,4 @@ clean: common-clean + rm -f libwpa_client.a + rm -f libwpa_client.so + rm -f libwpa_test1 libwpa_test2 ++ rm -f wpa_passphrase +-- +2.35.1 + 
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb similarity index 90% rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb index 03e4571cfb..22028ce957 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb @@ -5,8 +5,8 @@ BUGTRACKER = "http://w1.fi/security/" SECTION = "network" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ - file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4" + file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \ + file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705" DEPENDS = "dbus libnl" 
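Review bot: In the `install:` rule hunk of 0001-Install-wpa_passphrase-when-not-disabled.patch, the added `install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase` sets no mode, while the libwpa_client.so lines right below it pass `-m` explicitly, and it writes the path as `$(DESTDIR)/$(BINDIR)` where the rule's prerequisite line uses `$(DESTDIR)$(BINDIR)/`. Writing it as `install -m 0755 -D wpa_passphrase $(DESTDIR)$(BINDIR)/wpa_passphrase` would make the installed permissions independent of the install tool's default and match the path form of the pattern rule above.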
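Review bot: The phase2_auth parsing added to eap_peap_parse_phase1() in 0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch has no final else, so a value outside 0 to 2 (phase2_auth=3, say) is dropped without any log line and the FOR_INITIAL default set in eap_peap_init() stays in force. Because the match is a substring test, `os_strstr(phase1, "phase2_auth=1")`, a value such as phase2_auth=10 is also accepted as 1. A closing else that logs the unrecognised value would make a mistyped hardening setting visible to whoever is trying to require Phase 2 in all cases. Separately, the option text added to eap_config.h and wpa_supplicant.conf reads "is no used" where "is not used" is meant. Since this is a backport, both points are ones to raise upstream rather than to change locally.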
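Review bot: The header of 0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch carries a bare `Upstream-Status: Backport` with no reference, and 0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch does the same, whereas the PEAP patch in this series gives the upstream commit URL in brackets. Adding the upstream commit reference in the same bracketed form to both would let the backports be checked against hostap without searching by subject line.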
@@ -15,8 +15,12 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ + file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ + file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ + file://0001-Install-wpa_passphrase-when-not-disabled.patch \ + file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ " -SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a" +SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" S = "${WORKDIR}/wpa_supplicant-${PV}" 

From patchwork Fri Sep 20 13:39:00 2024
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/16] libpcap: Security fix for CVE-2023-7256 & CVE-2024-8006
Date: Fri, 20 Sep 2024 06:39:00 -0700
Message-Id: <00e809013a51c1af4979bcff0b3ae3eb7a4d4a20.1726839438.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204741

From: Vijay Anusuri

Reference:
https://security-tracker.debian.org/tracker/CVE-2023-7256
https://security-tracker.debian.org/tracker/CVE-2024-8006

Upstream commits:
https://github.com/the-tcpdump-group/libpcap/commit/73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f
https://github.com/the-tcpdump-group/libpcap/commit/2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d
https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6

Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libpcap/libpcap/CVE-2023-7256-pre1.patch | 37 ++ .../libpcap/libpcap/CVE-2023-7256.patch | 365 ++++++++++++++++++ .../libpcap/libpcap/CVE-2024-8006.patch | 42 ++ .../libpcap/libpcap_1.10.4.bb | 7 +- 4 files changed, 450 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch new file mode 100644 index 0000000000..64abfb85cd --- /dev/null +++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch 
@@ -0,0 +1,37 @@ +From 73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f Mon Sep 17 00:00:00 2001 +From: Rose <83477269+AtariDreams@users.noreply.github.com> +Date: Tue, 16 May 2023 12:37:11 -0400 +Subject: [PATCH] Remove unused variable retval in sock_present2network + +This quiets the compiler since it is not even returned anyway, and is a misleading variable name. + +(cherry picked from commit c7b90298984c46d820d3cee79a96d24870b5f200) + +Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f] +CVE: CVE-2023-7256 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + sockutils.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sockutils.c b/sockutils.c +index 1c07f76fd1..6752f296af 100644 +--- a/sockutils.c ++++ b/sockutils.c +@@ -2082,7 +2082,6 @@ int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *addres + */ + int sock_present2network(const char *address, struct sockaddr_storage *sockaddr, int addr_family, char *errbuf, int errbuflen) + { +- int retval; + struct addrinfo *addrinfo; + struct addrinfo hints; + +@@ -2090,7 +2089,7 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr, + + hints.ai_family = addr_family; + +- if ((retval = sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen)) == -1) ++ if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1) + return 0; + + if (addrinfo->ai_family == PF_INET) diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch new file mode 100644 index 0000000000..fffcb2704a --- /dev/null +++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch 
@@ -0,0 +1,365 @@ +From 2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Thu, 28 Sep 2023 00:37:57 -0700 +Subject: [PATCH] Have sock_initaddress() return the list of addrinfo + structures or NULL. + +Its return address is currently 0 for success and -1 for failure, with a +pointer to the first element of the list of struct addrinfos returned +through a pointer on success; change it to return that pointer on +success and NULL on failure. + +That way, we don't have to worry about what happens to the pointer +pointeed to by the argument in question on failure; we know that we got +NULL back if no struct addrinfos were found because getaddrinfo() +failed. Thus, we know that we have something to free iff +sock_initaddress() returned a pointer to that something rather than +returning NULL. + +This avoids a double-free in some cases. + +This is apparently CVE-2023-40400. + +(backported from commit 262e4f34979872d822ccedf9f318ed89c4d31c03) + +Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d] +CVE: CVE-2023-7256 +Signed-off-by: Vijay Anusuri +--- + pcap-rpcap.c | 48 ++++++++++++++++++++-------------------- + rpcapd/daemon.c | 8 +++++-- + rpcapd/rpcapd.c | 8 +++++-- + sockutils.c | 58 ++++++++++++++++++++++++++++--------------------- + sockutils.h | 5 ++--- + 5 files changed, 72 insertions(+), 55 deletions(-) + +diff --git a/pcap-rpcap.c b/pcap-rpcap.c +index ef0cd6e49c..f1992e4aea 100644 +--- a/pcap-rpcap.c ++++ b/pcap-rpcap.c +@@ -1024,7 +1024,6 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf) + { + struct activehosts *temp; /* temp var needed to scan the host list chain */ + struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */ +- int retval; + + /* retrieve the network address corresponding to 'host' */ + addrinfo = NULL; +@@ -1032,9 +1031,9 @@ rpcap_remoteact_getsock(const char 
*host, int *error, char *errbuf) + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + +- retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf, ++ addrinfo = sock_initaddress(host, NULL, &hints, errbuf, + PCAP_ERRBUF_SIZE); +- if (retval != 0) ++ if (addrinfo == NULL) + { + *error = 1; + return NULL; +@@ -1186,7 +1185,9 @@ static int pcap_startcapture_remote(pcap_t *fp) + hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */ + + /* Let's the server pick up a free network port for us */ +- if (sock_initaddress(NULL, NULL, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1) ++ addrinfo = sock_initaddress(NULL, NULL, &hints, fp->errbuf, ++ PCAP_ERRBUF_SIZE); ++ if (addrinfo == NULL) + goto error_nodiscard; + + if ((sockdata = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, +@@ -1311,7 +1312,9 @@ static int pcap_startcapture_remote(pcap_t *fp) + snprintf(portstring, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata)); + + /* Let's the server pick up a free network port for us */ +- if (sock_initaddress(host, portstring, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1) ++ addrinfo = sock_initaddress(host, portstring, &hints, ++ fp->errbuf, PCAP_ERRBUF_SIZE); ++ if (addrinfo == NULL) + goto error; + + if ((sockdata = sock_open(host, addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) +@@ -2340,16 +2343,16 @@ rpcap_setup_session(const char *source, struct pcap_rmtauth *auth, + if (port[0] == 0) + { + /* the user chose not to specify the port */ +- if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT, +- &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) +- return -1; ++ addrinfo = sock_initaddress(host, RPCAP_DEFAULT_NETPORT, ++ &hints, errbuf, PCAP_ERRBUF_SIZE); + } + else + { +- if (sock_initaddress(host, port, &hints, &addrinfo, +- errbuf, PCAP_ERRBUF_SIZE) == -1) +- return -1; ++ addrinfo = sock_initaddress(host, port, &hints, ++ errbuf, PCAP_ERRBUF_SIZE); + } ++ if 
(addrinfo == NULL) ++ return -1; + + if ((*sockctrlp = sock_open(host, addrinfo, SOCKOPEN_CLIENT, 0, + errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) +@@ -2950,19 +2953,19 @@ SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const cha + /* Do the work */ + if ((port == NULL) || (port[0] == 0)) + { +- if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) +- { +- return (SOCKET)-2; +- } ++ addrinfo = sock_initaddress(address, ++ RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, errbuf, ++ PCAP_ERRBUF_SIZE); + } + else + { +- if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) +- { +- return (SOCKET)-2; +- } ++ addrinfo = sock_initaddress(address, port, &hints, errbuf, ++ PCAP_ERRBUF_SIZE); ++ } ++ if (addrinfo == NULL) ++ { ++ return (SOCKET)-2; + } +- + + if ((sockmain = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) + { +@@ -3122,7 +3125,6 @@ int pcap_remoteact_close(const char *host, char *errbuf) + { + struct activehosts *temp, *prev; /* temp var needed to scan the host list chain */ + struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */ +- int retval; + + temp = activeHosts; + prev = NULL; +@@ -3133,9 +3135,9 @@ int pcap_remoteact_close(const char *host, char *errbuf) + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + +- retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf, ++ addrinfo = sock_initaddress(host, NULL, &hints, errbuf, + PCAP_ERRBUF_SIZE); +- if (retval != 0) ++ if (addrinfo == NULL) + { + return -1; + } +diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c +index 8d620dd604..b04b29f107 100644 +--- a/rpcapd/daemon.c ++++ b/rpcapd/daemon.c +@@ -2085,7 +2085,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen, + goto error; + } + +- if (sock_initaddress(peerhost, portdata, &hints, &addrinfo, 
errmsgbuf, PCAP_ERRBUF_SIZE) == -1) ++ addrinfo = sock_initaddress(peerhost, portdata, &hints, ++ errmsgbuf, PCAP_ERRBUF_SIZE); ++ if (addrinfo == NULL) + goto error; + + if ((session->sockdata = sock_open(peerhost, addrinfo, SOCKOPEN_CLIENT, 0, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) +@@ -2096,7 +2098,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen, + hints.ai_flags = AI_PASSIVE; + + // Make the server socket pick up a free network port for us +- if (sock_initaddress(NULL, NULL, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) ++ addrinfo = sock_initaddress(NULL, NULL, &hints, errmsgbuf, ++ PCAP_ERRBUF_SIZE); ++ if (addrinfo == NULL) + goto error; + + if ((session->sockdata = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) +diff --git a/rpcapd/rpcapd.c b/rpcapd/rpcapd.c +index e1f3f05299..d166522c9f 100644 +--- a/rpcapd/rpcapd.c ++++ b/rpcapd/rpcapd.c +@@ -611,7 +611,9 @@ void main_startup(void) + // + // Get a list of sockets on which to listen. + // +- if (sock_initaddress((address[0]) ? address : NULL, port, &mainhints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) ++ addrinfo = sock_initaddress((address[0]) ? 
address : NULL, ++ port, &mainhints, errbuf, PCAP_ERRBUF_SIZE); ++ if (addrinfo == NULL) + { + rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf); + return; +@@ -1350,7 +1352,9 @@ main_active(void *ptr) + memset(errbuf, 0, sizeof(errbuf)); + + // Do the work +- if (sock_initaddress(activepars->address, activepars->port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) ++ addrinfo = sock_initaddress(activepars->address, activepars->port, ++ &hints, errbuf, PCAP_ERRBUF_SIZE); ++ if (addrinfo == NULL) + { + rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf); + return 0; +diff --git a/sockutils.c b/sockutils.c +index a1bfa1b5e2..823c2363e0 100644 +--- a/sockutils.c ++++ b/sockutils.c +@@ -1069,20 +1069,21 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err, + * \param errbuflen: length of the buffer that will contains the error. The error message cannot be + * larger than 'errbuflen - 1' because the last char is reserved for the string terminator. + * +- * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned +- * in the 'errbuf' variable. The addrinfo variable that has to be used in the following sockets calls is +- * returned into the addrinfo parameter. ++ * \return a pointer to the first element in a list of addrinfo structures ++ * if everything is fine, NULL if some errors occurred. The error message ++ * is returned in the 'errbuf' variable. + * +- * \warning The 'addrinfo' variable has to be deleted by the programmer by calling freeaddrinfo() when +- * it is no longer needed. ++ * \warning The list of addrinfo structures returned has to be deleted by ++ * the programmer by calling freeaddrinfo() when it is no longer needed. + * + * \warning This function requires the 'hints' variable as parameter. The semantic of this variable is the same + * of the one of the corresponding variable used into the standard getaddrinfo() socket function. 
We suggest + * the programmer to look at that function in order to set the 'hints' variable appropriately. + */ +-int sock_initaddress(const char *host, const char *port, +- struct addrinfo *hints, struct addrinfo **addrinfo, char *errbuf, int errbuflen) ++struct addrinfo *sock_initaddress(const char *host, const char *port, ++ struct addrinfo *hints, char *errbuf, int errbuflen) + { ++ struct addrinfo *addrinfo; + int retval; + + /* +@@ -1094,9 +1095,13 @@ int sock_initaddress(const char *host, const char *port, + * as those messages won't talk about a problem with the port if + * no port was specified. + */ +- retval = getaddrinfo(host, port == NULL ? "0" : port, hints, addrinfo); ++ retval = getaddrinfo(host, port == NULL ? "0" : port, hints, &addrinfo); + if (retval != 0) + { ++ /* ++ * That call failed. ++ * Determine whether the problem is that the host is bad. ++ */ + if (errbuf) + { + if (host != NULL && port != NULL) { +@@ -1108,7 +1113,7 @@ int sock_initaddress(const char *host, const char *port, + int try_retval; + + try_retval = getaddrinfo(host, NULL, hints, +- addrinfo); ++ &addrinfo); + if (try_retval == 0) { + /* + * Worked with just the host, +@@ -1117,14 +1122,16 @@ int sock_initaddress(const char *host, const char *port, + * + * Free up the address info first. + */ +- freeaddrinfo(*addrinfo); ++ freeaddrinfo(addrinfo); + get_gai_errstring(errbuf, errbuflen, + "", retval, NULL, port); + } else { + /* + * Didn't work with just the host, + * so assume the problem is +- * with the host. ++ * with the host; we assume ++ * the original error indicates ++ * the underlying problem. + */ + get_gai_errstring(errbuf, errbuflen, + "", retval, host, NULL); +@@ -1132,13 +1139,14 @@ int sock_initaddress(const char *host, const char *port, + } else { + /* + * Either the host or port was null, so +- * there's nothing to determine. ++ * there's nothing to determine; report ++ * the error from the original call. 
+ */ + get_gai_errstring(errbuf, errbuflen, "", + retval, host, port); + } + } +- return -1; ++ return NULL; + } + /* + * \warning SOCKET: I should check all the accept() in order to bind to all addresses in case +@@ -1153,30 +1161,28 @@ int sock_initaddress(const char *host, const char *port, + * ignore all addresses that are neither? (What, no IPX + * support? :-)) + */ +- if (((*addrinfo)->ai_family != PF_INET) && +- ((*addrinfo)->ai_family != PF_INET6)) ++ if ((addrinfo->ai_family != PF_INET) && ++ (addrinfo->ai_family != PF_INET6)) + { + if (errbuf) + snprintf(errbuf, errbuflen, "getaddrinfo(): socket type not supported"); +- freeaddrinfo(*addrinfo); +- *addrinfo = NULL; +- return -1; ++ freeaddrinfo(addrinfo); ++ return NULL; + } + + /* + * You can't do multicast (or broadcast) TCP. + */ +- if (((*addrinfo)->ai_socktype == SOCK_STREAM) && +- (sock_ismcastaddr((*addrinfo)->ai_addr) == 0)) ++ if ((addrinfo->ai_socktype == SOCK_STREAM) && ++ (sock_ismcastaddr(addrinfo->ai_addr) == 0)) + { + if (errbuf) + snprintf(errbuf, errbuflen, "getaddrinfo(): multicast addresses are not valid when using TCP streams"); +- freeaddrinfo(*addrinfo); +- *addrinfo = NULL; +- return -1; ++ freeaddrinfo(addrinfo); ++ return NULL; + } + +- return 0; ++ return addrinfo; + } + + /* +@@ -2089,7 +2095,9 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr, + + hints.ai_family = addr_family; + +- if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1) ++ addrinfo = sock_initaddress(address, "22222" /* fake port */, &hints, ++ errbuf, errbuflen); ++ if (addrinfo == NULL) + return 0; + + if (addrinfo->ai_family == PF_INET) +diff --git a/sockutils.h b/sockutils.h +index a488d8fcb4..30b8cfe0b7 100644 +--- a/sockutils.h ++++ b/sockutils.h +@@ -138,9 +138,8 @@ void sock_fmterrmsg(char *errbuf, size_t errbuflen, int errcode, + PCAP_FORMAT_STRING(const char *fmt), ...) 
PCAP_PRINTFLIKE(4, 5); + void sock_geterrmsg(char *errbuf, size_t errbuflen, + PCAP_FORMAT_STRING(const char *fmt), ...) PCAP_PRINTFLIKE(3, 4); +-int sock_initaddress(const char *address, const char *port, +- struct addrinfo *hints, struct addrinfo **addrinfo, +- char *errbuf, int errbuflen); ++struct addrinfo *sock_initaddress(const char *address, const char *port, ++ struct addrinfo *hints, char *errbuf, int errbuflen); + int sock_recv(SOCKET sock, SSL *, void *buffer, size_t size, int receiveall, + char *errbuf, int errbuflen); + int sock_recv_dgram(SOCKET sock, SSL *, void *buffer, size_t size, diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch new file mode 100644 index 0000000000..6819aedd20 --- /dev/null +++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch 
@@ -0,0 +1,42 @@ +From 8a633ee5b9ecd9d38a587ac9b204e2380713b0d6 Mon Sep 17 00:00:00 2001 +From: Nicolas Badoux +Date: Mon, 19 Aug 2024 12:31:53 +0200 +Subject: [PATCH] makes pcap_findalldevs_ex errors out if the directory does + not exist + +(backported from commit 0f8a103469ce87d2b8d68c5130a46ddb7fb5eb29) + +Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6] +CVE: CVE-2024-8006 +Signed-off-by: Vijay Anusuri +--- + pcap-new.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/pcap-new.c b/pcap-new.c +index be91b3f8db..d449ee623c 100644 +--- a/pcap-new.c ++++ b/pcap-new.c +@@ -230,6 +230,13 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t + #else + /* opening the folder */ + unixdir= opendir(path); ++ if (unixdir == NULL) { ++ DIAG_OFF_FORMAT_TRUNCATION ++ snprintf(errbuf, PCAP_ERRBUF_SIZE, ++ "Error when listing files: does folder '%s' exist?", path); ++ DIAG_ON_FORMAT_TRUNCATION ++ return -1; ++ } + + /* get the first file into it */ + filedata= readdir(unixdir); +@@ -237,7 +244,7 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t + if (filedata == NULL) + { + DIAG_OFF_FORMAT_TRUNCATION +- snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' exist?", path); ++ snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' contain files?", path); + DIAG_ON_FORMAT_TRUNCATION + closedir(unixdir); + return -1; diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb index 166654e280..36eb4bca75 100644 --- a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb +++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb 
@@ -10,7 +10,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \ file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2" DEPENDS = "flex-native bison-native" -SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz" +SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \ + file://CVE-2023-7256-pre1.patch \ + file://CVE-2023-7256.patch \ + file://CVE-2024-8006.patch \ + " + SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f" inherit autotools binconfig-disabled pkgconfig From patchwork Fri Sep 20 13:39:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49358 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D299C78845 for ; Fri, 20 Sep 2024 13:39:30 +0000 (UTC) Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web10.18439.1726839568909990256 for ; Fri, 20 Sep 2024 06:39:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=sBymZ2JV; spf=softfail (domain: sakoman.com, ip: 209.85.215.180, mailfrom: steve@sakoman.com) Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-7db1f0e1641so679165a12.1 for ; Fri, 20 Sep 2024 06:39:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839568; x=1727444368; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=WyPNr1gBSB7HNduuIXun4Q5mIz567J6DdXTlyyD0AJo=; 
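Review bot: the rewritten \return and \warning text for sock_initaddress() in sockutils.c (hunk at -1069) says the returned list must be released with freeaddrinfo() but does not say that a NULL return owns nothing, which is the contract every converted caller now relies on with `if (addrinfo == NULL)`. Suggest adding one sentence to the \return paragraph stating that on failure no list is allocated and the caller must not call freeaddrinfo(), so the error paths in pcap-rpcap.c and rpcapd stay free of a second release.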
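Review bot: the address-family and multicast checks at the end of sock_initaddress() in sockutils.c (hunk at -1153) test only the first entry, `addrinfo->ai_family` and `sock_ismcastaddr(addrinfo->ai_addr)`, and then `return addrinfo;` hands the whole list back, so later entries reach sock_open() unvalidated. The conversion keeps that behaviour unchanged, which is right for a backport, but the comment above the check already asks whether other addresses should be ignored; worth raising upstream to walk ai_next, or at least noting in the function comment that only the head of the list is checked.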
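Review bot: in CVE-2024-8006.patch, the new `if (unixdir == NULL)` branch in pcap_findalldevs_ex() (pcap-new.c hunk at -230) reports every opendir() failure as "does folder '%s' exist?", so a permission error or a path that is not a directory is indistinguishable from a missing folder. The NULL check itself is the fix and should stay; suggest appending the errno text (for example via strerror(errno)) to the message so the caller sees the actual cause, ideally as an upstream follow-up so the backport keeps matching the referenced commit.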
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/16] openssl: Upgrade 3.2.2 -> 3.2.3
Date: Fri, 20 Sep 2024 06:39:01 -0700
Message-Id: <2155e3016a98ae0db28488dcc5176437e6f8b24a.1726839438.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Sep 2024 13:39:30 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204742

From: Siddharth Doshi

Updated SRC_URI link and format due to change in openssl website.

CVE's Fixed by upgrade:
CVE-2024-5535: Fixed possible buffer overread in SSL_select_next_proto().
CVE-2024-6119: Fixed possible denial of service in X.509 name checks

- Removed backports of CVE-2024-5535 as it is already fixed.
- Removed first hunk of 0001-Added-handshake-history-reporting-when-test-fails.patch
  as the copyright years are already updated in test/helpers/handshake.c file

Detailed Information:
https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#changes-between-322-and-323-3-sep-2024

Signed-off-by: Siddharth Doshi
Signed-off-by: Steve Sakoman --- ...ke-history-reporting-when-test-fails.patch | 8 +- .../openssl/openssl/CVE-2024-5535_1.patch | 113 -- .../openssl/openssl/CVE-2024-5535_10.patch | 203 --- .../openssl/openssl/CVE-2024-5535_2.patch | 43 - .../openssl/openssl/CVE-2024-5535_3.patch | 38 - .../openssl/openssl/CVE-2024-5535_4.patch | 82 -- .../openssl/openssl/CVE-2024-5535_5.patch | 176 --- .../openssl/openssl/CVE-2024-5535_6.patch | 1173 ----------------- .../openssl/openssl/CVE-2024-5535_7.patch | 43 - .../openssl/openssl/CVE-2024-5535_8.patch | 66 - .../openssl/openssl/CVE-2024-5535_9.patch | 271 ---- .../{openssl_3.2.2.bb => openssl_3.2.3.bb} | 14 +- 12 files changed, 3 insertions(+), 2227 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch rename meta/recipes-connectivity/openssl/{openssl_3.2.2.bb => openssl_3.2.3.bb} (94%) diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch index aa2e5bb800..9baa0c2d75 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch 
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch @@ -6,6 +6,7 @@ Subject: [PATCH] Added handshake history reporting when test fails Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481] Signed-off-by: William Lyu +Signed-off-by: Siddharth Doshi --- test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++---------- test/helpers/handshake.h | 70 +++++++++++++++++++- @@ -16,13 +17,6 @@ diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c index e0422469e4..ae2ad59dd4 100644 --- a/test/helpers/handshake.c +++ b/test/helpers/handshake.c -@@ -1,5 +1,5 @@ - /* -- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy @@ -24,6 +24,102 @@ #include #endif diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch deleted file mode 100644 index d5c178eeab..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From b63b4db52e10677db4ab46b608aabd55a44668aa Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:14:33 +0100 -Subject: [PATCH 01/10] Fix SSL_select_next_proto - -Ensure that the provided client list is non-NULL and starts with a valid -entry. When called from the ALPN callback the client list should already -have been validated by OpenSSL so this should not cause a problem. When -called from the NPN callback the client list is locally configured and -will not have already been validated. Therefore SSL_select_next_proto -should not assume that it is correctly formatted. - -We implement stricter checking of the client protocol list. We also do the -same for the server list while we are about it. - -CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++------------------- - 1 file changed, 40 insertions(+), 23 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 016135f..cf52b31 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - unsigned int server_len, - const unsigned char *client, unsigned int client_len) - { -- unsigned int i, j; -- const unsigned char *result; -- int status = OPENSSL_NPN_UNSUPPORTED; -+ PACKET cpkt, csubpkt, spkt, ssubpkt; -+ -+ if (!PACKET_buf_init(&cpkt, client, client_len) -+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) -+ || PACKET_remaining(&csubpkt) == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return OPENSSL_NPN_NO_OVERLAP; -+ } -+ -+ /* -+ * Set the default opportunistic protocol. Will be overwritten if we find -+ * a match. 
-+ */ -+ *out = (unsigned char *)PACKET_data(&csubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&csubpkt); - - /* - * For each protocol in server preference order, see if we support it. - */ -- for (i = 0; i < server_len;) { -- for (j = 0; j < client_len;) { -- if (server[i] == client[j] && -- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { -- /* We found a match */ -- result = &server[i]; -- status = OPENSSL_NPN_NEGOTIATED; -- goto found; -+ if (PACKET_buf_init(&spkt, server, server_len)) { -+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { -+ if (PACKET_remaining(&ssubpkt) == 0) -+ continue; /* Invalid - ignore it */ -+ if (PACKET_buf_init(&cpkt, client, client_len)) { -+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { -+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), -+ PACKET_remaining(&ssubpkt))) { -+ /* We found a match */ -+ *out = (unsigned char *)PACKET_data(&ssubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); -+ return OPENSSL_NPN_NEGOTIATED; -+ } -+ } -+ /* Ignore spurious trailing bytes in the client list */ -+ } else { -+ /* This should never happen */ -+ return OPENSSL_NPN_NO_OVERLAP; - } -- j += client[j]; -- j++; - } -- i += server[i]; -- i++; -+ /* Ignore spurious trailing bytes in the server list */ - } - -- /* There's no overlap between our protocols and the server's list. */ -- result = client; -- status = OPENSSL_NPN_NO_OVERLAP; -- -- found: -- *out = (unsigned char *)result + 1; -- *outlen = result[0]; -- return status; -+ /* -+ * There's no overlap between our protocols and the server's list. We use -+ * the default opportunistic protocol selected earlier -+ */ -+ return OPENSSL_NPN_NO_OVERLAP; - } - - #ifndef OPENSSL_NO_NEXTPROTONEG --- -2.44.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch deleted file mode 100644 index 7cc36f20ab..0000000000 
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch +++ /dev/null 
@@ -1,203 +0,0 @@ -From 61cad53901703944d22f1cd6a1b57460f2270599 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 21 Jun 2024 14:29:26 +0100 -Subject: [PATCH 10/10] Add a test for an empty NextProto message - -It is valid according to the spec for a NextProto message to have no -protocols listed in it. The OpenSSL implementation however does not allow -us to create such a message. In order to check that we work as expected -when communicating with a client that does generate such messages we have -to use a TLSProxy test. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/301b870546d1c7b2d8f0d66e04a2596142f0399f] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++ - util/perl/TLSProxy/Message.pm | 9 ++++ - util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++ - util/perl/TLSProxy/Proxy.pm | 1 + - 4 files changed, 137 insertions(+) - create mode 100644 test/recipes/70-test_npn.t - create mode 100644 util/perl/TLSProxy/NextProto.pm - -diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t -new file mode 100644 -index 0000000..f82e71a ---- /dev/null -+++ b/test/recipes/70-test_npn.t -@@ -0,0 +1,73 @@ -+#! /usr/bin/env perl -+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. 
You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use strict; -+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; -+use OpenSSL::Test::Utils; -+ -+use TLSProxy::Proxy; -+ -+my $test_name = "test_npn"; -+setup($test_name); -+ -+plan skip_all => "TLSProxy isn't usable on $^O" -+ if $^O =~ /^(VMS)$/; -+ -+plan skip_all => "$test_name needs the dynamic engine feature enabled" -+ if disabled("engine") || disabled("dynamic-engine"); -+ -+plan skip_all => "$test_name needs the sock feature enabled" -+ if disabled("sock"); -+ -+plan skip_all => "$test_name needs NPN enabled" -+ if disabled("nextprotoneg"); -+ -+plan skip_all => "$test_name needs TLSv1.2 enabled" -+ if disabled("tls1_2"); -+ -+my $proxy = TLSProxy::Proxy->new( -+ undef, -+ cmdstr(app(["openssl"]), display => 1), -+ srctop_file("apps", "server.pem"), -+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) -+); -+ -+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -+plan tests => 1; -+ -+my $npnseen = 0; -+ -+# Test 1: Check sending an empty NextProto message from the client works. This is -+# valid as per the spec, but OpenSSL does not allow you to send it. -+# Therefore we must be prepared to receive such a message but we cannot -+# generate it except via TLSProxy -+$proxy->clear(); -+$proxy->filter(\&npn_filter); -+$proxy->clientflags("-nextprotoneg foo -no_tls1_3"); -+$proxy->serverflags("-nextprotoneg foo"); -+$proxy->start(); -+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message"); -+ -+sub npn_filter -+{ -+ my $proxy = shift; -+ my $message; -+ -+ # The NextProto message always appears in flight 2 -+ return if $proxy->flight != 2; -+ -+ foreach my $message (@{$proxy->message_list}) { -+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) { -+ # Our TLSproxy NextProto message support doesn't support parsing of -+ # the message. 
If we repack it just creates an empty NextProto -+ # message - which is exactly the scenario we want to test here. -+ $message->repack(); -+ $npnseen = 1; -+ } -+ } -+} -diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm -index ce22187..fb41b2f 100644 ---- a/util/perl/TLSProxy/Message.pm -+++ b/util/perl/TLSProxy/Message.pm -@@ -384,6 +384,15 @@ sub create_message - [@message_frag_lens] - ); - $message->parse(); -+ } elsif ($mt == MT_NEXT_PROTO) { -+ $message = TLSProxy::NextProto->new( -+ $server, -+ $data, -+ [@message_rec_list], -+ $startoffset, -+ [@message_frag_lens] -+ ); -+ $message->parse(); - } else { - #Unknown message type - $message = TLSProxy::Message->new( -diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm -new file mode 100644 -index 0000000..0e18347 ---- /dev/null -+++ b/util/perl/TLSProxy/NextProto.pm -@@ -0,0 +1,54 @@ -+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use strict; -+ -+package TLSProxy::NextProto; -+ -+use vars '@ISA'; -+push @ISA, 'TLSProxy::Message'; -+ -+sub new -+{ -+ my $class = shift; -+ my ($server, -+ $data, -+ $records, -+ $startoffset, -+ $message_frag_lens) = @_; -+ -+ my $self = $class->SUPER::new( -+ $server, -+ TLSProxy::Message::MT_NEXT_PROTO, -+ $data, -+ $records, -+ $startoffset, -+ $message_frag_lens); -+ -+ return $self; -+} -+ -+sub parse -+{ -+ # We don't support parsing at the moment -+} -+ -+# This is supposed to reconstruct the on-the-wire message data following changes. 
-+# For now though since we don't support parsing we just create an empty NextProto -+# message - this capability is used in test_npn -+sub set_message_contents -+{ -+ my $self = shift; -+ my $data; -+ -+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00); -+ $self->data($data); -+} -+1; -diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm -index 3de10ec..b707722 100644 ---- a/util/perl/TLSProxy/Proxy.pm -+++ b/util/perl/TLSProxy/Proxy.pm -@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest; - use TLSProxy::CertificateVerify; - use TLSProxy::ServerKeyExchange; - use TLSProxy::NewSessionTicket; -+use TLSProxy::NextProto; - - my $have_IPv6; - my $IP_factory; --- -2.44.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch deleted file mode 100644 index 768304f00b..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 6de1d37cd129b0af5b4a247c76f97b98e70b108b Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:18:27 +0100 -Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when - processing NPN - -In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but -the selected_len is 0 we should fail. Previously this would fail with an -internal_error alert because calling OPENSSL_malloc(selected_len) will -return NULL when selected_len is 0. We make this error detection more -explicit and return a handshake failure alert. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/015255851371757d54c2560643eb3b3a88123cf1] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - ssl/statem/extensions_clnt.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c -index 381a6c9..1ab3c13 100644 ---- a/ssl/statem/extensions_clnt.c -+++ b/ssl/statem/extensions_clnt.c -@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, - if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s), - &selected, &selected_len, - PACKET_data(pkt), PACKET_remaining(pkt), -- sctx->ext.npn_select_cb_arg) != -- SSL_TLSEXT_ERR_OK) { -+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK -+ || selected_len == 0) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); - return 0; - } --- -2.44.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch deleted file mode 100644 index d6d4d869be..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 4f9334a33da89949f97927c8fe7df1003c42cda4 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:22:13 +0100 -Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver - -The QUIC test server was using incorrectly formatted ALPN data. With the -previous implementation of SSL_select_next_proto this went unnoticed. With -the new stricter implemenation it was failing. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/6cc511826f09e513b4ec066d9b95acaf4f86d991] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - ssl/quic/quic_tserver.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c -index 86187d0..15694e7 100644 ---- a/ssl/quic/quic_tserver.c -+++ b/ssl/quic/quic_tserver.c -@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out, - - if (srv->args.alpn == NULL) { - alpn = alpndeflt; -- alpnlen = sizeof(alpn); -+ alpnlen = sizeof(alpndeflt); - } else { - alpn = srv->args.alpn; - alpnlen = srv->args.alpnlen; --- -2.44.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch deleted file mode 100644 index 03fc1168f9..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 5145a1f50e44c9f86127a76f01519a9f25157290 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:46:38 +0100 -Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation - -We clarify the input preconditions and the expected behaviour in the event -of no overlap. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/8e81c57adbbf703dfb63955f65599765fdacc741] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++-------- - 1 file changed, 18 insertions(+), 8 deletions(-) - -diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod -index 05fee2f..79e1a25 100644 ---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod -+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod -@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated - SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to - set the list of protocols available to be negotiated. The B must be in - protocol-list format, described below. The length of B is specified in --B. -+B. Setting B to 0 clears any existing list of ALPN -+protocols and no ALPN extension will be sent to the server. - - SSL_CTX_set_alpn_select_cb() sets the application callback B used by a - server to select which protocol to use for the incoming connection. When B -@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format - described below. The first item in the B, B list that - matches an item in the B, B list is selected, and returned - in B, B. The B value will point into either B or --B, so it should be copied immediately. If no match is found, the first --item in B, B is returned in B, B. This --function can also be used in the NPN callback. 
-+B, so it should be copied immediately. The client list must include at -+least one valid (nonempty) protocol entry in the list. -+ -+The SSL_select_next_proto() helper function can be useful from either the ALPN -+callback or the NPN callback (described below). If no match is found, the first -+item in B, B is returned in B, B and -+B is returned. This can be useful when implementating -+the NPN callback. In the ALPN case, the value returned in B and B -+must be ignored if B has been returned from -+SSL_select_next_proto(). - - SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a - client needs to select a protocol from the server's provided list, and a -@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B). - The length of the protocol name must be written into B. The - server's advertised protocols are provided in B and B. The - callback can assume that B is syntactically valid. The client must --select a protocol. It is fatal to the connection if this callback returns --a value other than B. The B parameter is the pointer --set via SSL_CTX_set_next_proto_select_cb(). -+select a protocol (although it may be an empty, zero length protocol). It is -+fatal to the connection if this callback returns a value other than -+B or if the zero length protocol is selected. The B -+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb(). - - SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called - when a TLS server needs a list of supported protocols for Next Protocol -@@ -154,7 +163,8 @@ A match was found and is returned in B, B. - =item OPENSSL_NPN_NO_OVERLAP - - No match was found. The first item in B, B is returned in --B, B. -+B, B (or B and 0 in the case where the first entry in -+B is invalid). - - =back - --- -2.44.0 - 
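Review bot: The header of the file deleted here carries `CVE: CVE-2024-5535` and `Upstream-Status: Backport` of upstream commit 8e81c57adbbf703dfb63955f65599765fdacc741, and the hunk removes the whole file with nothing visible that takes its place. Please state in the commit message where the fix now comes from (for example an OpenSSL version that already contains this commit), and confirm the matching SRC_URI entry is dropped in the same change, because a leftover entry fails the fetch and a missing fix leaves CVE-2024-5535 open again. This patch only touches doc/man3/SSL_CTX_set_alpn_select_cb.pod, so the runtime risk sits in the sibling patches of the series. Even so, the caller obligations it documents should still be present in the man page that ships: the client list must contain at least one nonempty protocol entry, and in the ALPN case the returned output values must be ignored when no overlap is found.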
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch deleted file mode 100644 index e439d9b59a..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -From 01d44bc7f50670002cad495654fd99a6371d7662 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 16:35:16 +0100 -Subject: [PATCH 05/10] Add a test for SSL_select_next_proto - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/add5c52a25c549cec4a730cdf96e2252f0a1862d] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 137 insertions(+) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index ce16332..15cb906 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx) - return testresult; - } - -+static struct next_proto_st { -+ int serverlen; -+ unsigned char server[40]; -+ int clientlen; -+ unsigned char client[40]; -+ int expected_ret; -+ size_t selectedlen; -+ unsigned char selected[40]; -+} next_proto_tests[] = { -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', }, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' }, -+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' }, -+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, -+ 
OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'b', 'c', 'd' }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 0, { 0 }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ -1, { 0 }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 0, { 0 }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 0, { 0 } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ -1, { 0 }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 0, { 0 } -+ }, -+ { -+ 3, { 3, 'a', 'b', 'c' }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 3, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 0, { 0 } -+ } -+}; -+ -+static int test_select_next_proto(int idx) -+{ -+ struct next_proto_st *np = &next_proto_tests[idx]; -+ int ret = 0; -+ unsigned char *out, *client, *server; -+ unsigned char outlen; -+ unsigned int clientlen, serverlen; -+ -+ if (np->clientlen == -1) { -+ client = NULL; -+ clientlen = 0; -+ } else { -+ client = np->client; -+ clientlen = (unsigned int)np->clientlen; -+ } -+ if (np->serverlen == -1) { -+ server = NULL; -+ serverlen = 0; -+ } else { -+ server = np->server; -+ serverlen = (unsigned int)np->serverlen; -+ } -+ -+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen, -+ client, clientlen), -+ np->expected_ret)) -+ goto err; -+ -+ if (np->selectedlen == 0) { -+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0)) -+ goto err; -+ } else { -+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen)) -+ goto err; -+ } -+ -+ ret = 1; -+ err: -+ return ret; -+} -+ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") - - int setup_tests(void) -@@ -12053,6 +12189,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_handshake_retry, 16); - ADD_TEST(test_data_retry); - ADD_ALL_TESTS(test_multi_resume, 5); -+ 
ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests)); - return 1; - - err: --- -2.44.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch deleted file mode 100644 index df24702fa6..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch +++ /dev/null 
@@ -1,1173 +0,0 @@ -From e344d0b5860560ffa59415ea4028ba7760b2a773 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 4 Jun 2024 15:47:32 +0100 -Subject: [PATCH 06/10] Allow an empty NPN/ALPN protocol list in the tests - -Allow ourselves to configure an empty NPN/ALPN protocol list and test what -happens if we do. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7ea1f6a85b299b976cb3f756b2a7f0153f31b2b6] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - test/helpers/handshake.c | 6 + - test/ssl-tests/08-npn.cnf | 553 +++++++++++++++++++--------------- - test/ssl-tests/08-npn.cnf.in | 35 +++ - test/ssl-tests/09-alpn.cnf | 66 +++- - test/ssl-tests/09-alpn.cnf.in | 33 ++ - 5 files changed, 449 insertions(+), 244 deletions(-) - -diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c -index ae2ad59..b66b2f5 100644 ---- a/test/helpers/handshake.c -+++ b/test/helpers/handshake.c -@@ -444,6 +444,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) - - len = strlen(protos); - -+ if (len == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return 1; -+ } -+ - /* Should never have reuse. */ - if (!TEST_ptr_null(*out) - /* Test values are small, so we omit length limit checks. 
*/ -diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf -index f38b3f6..1931d02 100644 ---- a/test/ssl-tests/08-npn.cnf -+++ b/test/ssl-tests/08-npn.cnf -@@ -1,6 +1,6 @@ - # Generated with generate_ssl_tests.pl - --num_tests = 20 -+num_tests = 22 - - test-0 = 0-npn-simple - test-1 = 1-npn-client-finds-match -@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref - test-3 = 3-npn-client-first-pref-on-mismatch - test-4 = 4-npn-no-server-support - test-5 = 5-npn-no-client-support --test-6 = 6-npn-with-sni-no-context-switch --test-7 = 7-npn-with-sni-context-switch --test-8 = 8-npn-selected-sni-server-supports-npn --test-9 = 9-npn-selected-sni-server-does-not-support-npn --test-10 = 10-alpn-preferred-over-npn --test-11 = 11-sni-npn-preferred-over-alpn --test-12 = 12-npn-simple-resumption --test-13 = 13-npn-server-switch-resumption --test-14 = 14-npn-client-switch-resumption --test-15 = 15-npn-client-first-pref-on-mismatch-resumption --test-16 = 16-npn-no-server-support-resumption --test-17 = 17-npn-no-client-support-resumption --test-18 = 18-alpn-preferred-over-npn-resumption --test-19 = 19-npn-used-if-alpn-not-supported-resumption -+test-6 = 6-npn-empty-client-list -+test-7 = 7-npn-empty-server-list -+test-8 = 8-npn-with-sni-no-context-switch -+test-9 = 9-npn-with-sni-context-switch -+test-10 = 10-npn-selected-sni-server-supports-npn -+test-11 = 11-npn-selected-sni-server-does-not-support-npn -+test-12 = 12-alpn-preferred-over-npn -+test-13 = 13-sni-npn-preferred-over-alpn -+test-14 = 14-npn-simple-resumption -+test-15 = 15-npn-server-switch-resumption -+test-16 = 16-npn-client-switch-resumption -+test-17 = 17-npn-client-first-pref-on-mismatch-resumption -+test-18 = 18-npn-no-server-support-resumption -+test-19 = 19-npn-no-client-support-resumption -+test-20 = 20-alpn-preferred-over-npn-resumption -+test-21 = 21-npn-used-if-alpn-not-supported-resumption - # =========================================================== - - [0-npn-simple] -@@ -206,253 
+208,318 @@ NPNProtocols = foo - - # =========================================================== - --[6-npn-with-sni-no-context-switch] --ssl_conf = 6-npn-with-sni-no-context-switch-ssl -+[6-npn-empty-client-list] -+ssl_conf = 6-npn-empty-client-list-ssl - --[6-npn-with-sni-no-context-switch-ssl] --server = 6-npn-with-sni-no-context-switch-server --client = 6-npn-with-sni-no-context-switch-client --server2 = 6-npn-with-sni-no-context-switch-server2 -+[6-npn-empty-client-list-ssl] -+server = 6-npn-empty-client-list-server -+client = 6-npn-empty-client-list-client - --[6-npn-with-sni-no-context-switch-server] -+[6-npn-empty-client-list-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[6-npn-with-sni-no-context-switch-server2] -+[6-npn-empty-client-list-client] -+CipherString = DEFAULT -+MaxProtocol = TLSv1.2 -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-6] -+ExpectedClientAlert = HandshakeFailure -+ExpectedResult = ClientFail -+server = 6-npn-empty-client-list-server-extra -+client = 6-npn-empty-client-list-client-extra -+ -+[6-npn-empty-client-list-server-extra] -+NPNProtocols = foo -+ -+[6-npn-empty-client-list-client-extra] -+NPNProtocols = -+ -+ -+# =========================================================== -+ -+[7-npn-empty-server-list] -+ssl_conf = 7-npn-empty-server-list-ssl -+ -+[7-npn-empty-server-list-ssl] -+server = 7-npn-empty-server-list-server -+client = 7-npn-empty-server-list-client -+ -+[7-npn-empty-server-list-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[6-npn-with-sni-no-context-switch-client] -+[7-npn-empty-server-list-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-6] -+[test-7] -+ExpectedNPNProtocol = foo -+server = 
7-npn-empty-server-list-server-extra -+client = 7-npn-empty-server-list-client-extra -+ -+[7-npn-empty-server-list-server-extra] -+NPNProtocols = -+ -+[7-npn-empty-server-list-client-extra] -+NPNProtocols = foo -+ -+ -+# =========================================================== -+ -+[8-npn-with-sni-no-context-switch] -+ssl_conf = 8-npn-with-sni-no-context-switch-ssl -+ -+[8-npn-with-sni-no-context-switch-ssl] -+server = 8-npn-with-sni-no-context-switch-server -+client = 8-npn-with-sni-no-context-switch-client -+server2 = 8-npn-with-sni-no-context-switch-server2 -+ -+[8-npn-with-sni-no-context-switch-server] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[8-npn-with-sni-no-context-switch-server2] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[8-npn-with-sni-no-context-switch-client] -+CipherString = DEFAULT -+MaxProtocol = TLSv1.2 -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-8] - ExpectedNPNProtocol = foo - ExpectedServerName = server1 --server = 6-npn-with-sni-no-context-switch-server-extra --server2 = 6-npn-with-sni-no-context-switch-server2-extra --client = 6-npn-with-sni-no-context-switch-client-extra -+server = 8-npn-with-sni-no-context-switch-server-extra -+server2 = 8-npn-with-sni-no-context-switch-server2-extra -+client = 8-npn-with-sni-no-context-switch-client-extra - --[6-npn-with-sni-no-context-switch-server-extra] -+[8-npn-with-sni-no-context-switch-server-extra] - NPNProtocols = foo - ServerNameCallback = IgnoreMismatch - --[6-npn-with-sni-no-context-switch-server2-extra] -+[8-npn-with-sni-no-context-switch-server2-extra] - NPNProtocols = bar - --[6-npn-with-sni-no-context-switch-client-extra] -+[8-npn-with-sni-no-context-switch-client-extra] - NPNProtocols = foo,bar - ServerName = server1 - - - # 
=========================================================== - --[7-npn-with-sni-context-switch] --ssl_conf = 7-npn-with-sni-context-switch-ssl -+[9-npn-with-sni-context-switch] -+ssl_conf = 9-npn-with-sni-context-switch-ssl - --[7-npn-with-sni-context-switch-ssl] --server = 7-npn-with-sni-context-switch-server --client = 7-npn-with-sni-context-switch-client --server2 = 7-npn-with-sni-context-switch-server2 -+[9-npn-with-sni-context-switch-ssl] -+server = 9-npn-with-sni-context-switch-server -+client = 9-npn-with-sni-context-switch-client -+server2 = 9-npn-with-sni-context-switch-server2 - --[7-npn-with-sni-context-switch-server] -+[9-npn-with-sni-context-switch-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[7-npn-with-sni-context-switch-server2] -+[9-npn-with-sni-context-switch-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[7-npn-with-sni-context-switch-client] -+[9-npn-with-sni-context-switch-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-7] -+[test-9] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 7-npn-with-sni-context-switch-server-extra --server2 = 7-npn-with-sni-context-switch-server2-extra --client = 7-npn-with-sni-context-switch-client-extra -+server = 9-npn-with-sni-context-switch-server-extra -+server2 = 9-npn-with-sni-context-switch-server2-extra -+client = 9-npn-with-sni-context-switch-client-extra - --[7-npn-with-sni-context-switch-server-extra] -+[9-npn-with-sni-context-switch-server-extra] - NPNProtocols = foo - ServerNameCallback = IgnoreMismatch - --[7-npn-with-sni-context-switch-server2-extra] -+[9-npn-with-sni-context-switch-server2-extra] - NPNProtocols = bar - --[7-npn-with-sni-context-switch-client-extra] 
-+[9-npn-with-sni-context-switch-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[8-npn-selected-sni-server-supports-npn] --ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl -+[10-npn-selected-sni-server-supports-npn] -+ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl - --[8-npn-selected-sni-server-supports-npn-ssl] --server = 8-npn-selected-sni-server-supports-npn-server --client = 8-npn-selected-sni-server-supports-npn-client --server2 = 8-npn-selected-sni-server-supports-npn-server2 -+[10-npn-selected-sni-server-supports-npn-ssl] -+server = 10-npn-selected-sni-server-supports-npn-server -+client = 10-npn-selected-sni-server-supports-npn-client -+server2 = 10-npn-selected-sni-server-supports-npn-server2 - --[8-npn-selected-sni-server-supports-npn-server] -+[10-npn-selected-sni-server-supports-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[8-npn-selected-sni-server-supports-npn-server2] -+[10-npn-selected-sni-server-supports-npn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[8-npn-selected-sni-server-supports-npn-client] -+[10-npn-selected-sni-server-supports-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-8] -+[test-10] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 8-npn-selected-sni-server-supports-npn-server-extra --server2 = 8-npn-selected-sni-server-supports-npn-server2-extra --client = 8-npn-selected-sni-server-supports-npn-client-extra -+server = 10-npn-selected-sni-server-supports-npn-server-extra -+server2 = 10-npn-selected-sni-server-supports-npn-server2-extra -+client = 10-npn-selected-sni-server-supports-npn-client-extra - 
--[8-npn-selected-sni-server-supports-npn-server-extra] -+[10-npn-selected-sni-server-supports-npn-server-extra] - ServerNameCallback = IgnoreMismatch - --[8-npn-selected-sni-server-supports-npn-server2-extra] -+[10-npn-selected-sni-server-supports-npn-server2-extra] - NPNProtocols = bar - --[8-npn-selected-sni-server-supports-npn-client-extra] -+[10-npn-selected-sni-server-supports-npn-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[9-npn-selected-sni-server-does-not-support-npn] --ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl -+[11-npn-selected-sni-server-does-not-support-npn] -+ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl - --[9-npn-selected-sni-server-does-not-support-npn-ssl] --server = 9-npn-selected-sni-server-does-not-support-npn-server --client = 9-npn-selected-sni-server-does-not-support-npn-client --server2 = 9-npn-selected-sni-server-does-not-support-npn-server2 -+[11-npn-selected-sni-server-does-not-support-npn-ssl] -+server = 11-npn-selected-sni-server-does-not-support-npn-server -+client = 11-npn-selected-sni-server-does-not-support-npn-client -+server2 = 11-npn-selected-sni-server-does-not-support-npn-server2 - --[9-npn-selected-sni-server-does-not-support-npn-server] -+[11-npn-selected-sni-server-does-not-support-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[9-npn-selected-sni-server-does-not-support-npn-server2] -+[11-npn-selected-sni-server-does-not-support-npn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[9-npn-selected-sni-server-does-not-support-npn-client] -+[11-npn-selected-sni-server-does-not-support-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode 
= Peer - --[test-9] -+[test-11] - ExpectedServerName = server2 --server = 9-npn-selected-sni-server-does-not-support-npn-server-extra --client = 9-npn-selected-sni-server-does-not-support-npn-client-extra -+server = 11-npn-selected-sni-server-does-not-support-npn-server-extra -+client = 11-npn-selected-sni-server-does-not-support-npn-client-extra - --[9-npn-selected-sni-server-does-not-support-npn-server-extra] -+[11-npn-selected-sni-server-does-not-support-npn-server-extra] - NPNProtocols = bar - ServerNameCallback = IgnoreMismatch - --[9-npn-selected-sni-server-does-not-support-npn-client-extra] -+[11-npn-selected-sni-server-does-not-support-npn-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[10-alpn-preferred-over-npn] --ssl_conf = 10-alpn-preferred-over-npn-ssl -+[12-alpn-preferred-over-npn] -+ssl_conf = 12-alpn-preferred-over-npn-ssl - --[10-alpn-preferred-over-npn-ssl] --server = 10-alpn-preferred-over-npn-server --client = 10-alpn-preferred-over-npn-client -+[12-alpn-preferred-over-npn-ssl] -+server = 12-alpn-preferred-over-npn-server -+client = 12-alpn-preferred-over-npn-client - --[10-alpn-preferred-over-npn-server] -+[12-alpn-preferred-over-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[10-alpn-preferred-over-npn-client] -+[12-alpn-preferred-over-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-10] -+[test-12] - ExpectedALPNProtocol = foo --server = 10-alpn-preferred-over-npn-server-extra --client = 10-alpn-preferred-over-npn-client-extra -+server = 12-alpn-preferred-over-npn-server-extra -+client = 12-alpn-preferred-over-npn-client-extra - --[10-alpn-preferred-over-npn-server-extra] -+[12-alpn-preferred-over-npn-server-extra] - ALPNProtocols = foo - NPNProtocols = bar - 
--[10-alpn-preferred-over-npn-client-extra] -+[12-alpn-preferred-over-npn-client-extra] - ALPNProtocols = foo - NPNProtocols = bar - - - # =========================================================== - --[11-sni-npn-preferred-over-alpn] --ssl_conf = 11-sni-npn-preferred-over-alpn-ssl -+[13-sni-npn-preferred-over-alpn] -+ssl_conf = 13-sni-npn-preferred-over-alpn-ssl - --[11-sni-npn-preferred-over-alpn-ssl] --server = 11-sni-npn-preferred-over-alpn-server --client = 11-sni-npn-preferred-over-alpn-client --server2 = 11-sni-npn-preferred-over-alpn-server2 -+[13-sni-npn-preferred-over-alpn-ssl] -+server = 13-sni-npn-preferred-over-alpn-server -+client = 13-sni-npn-preferred-over-alpn-client -+server2 = 13-sni-npn-preferred-over-alpn-server2 - --[11-sni-npn-preferred-over-alpn-server] -+[13-sni-npn-preferred-over-alpn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[11-sni-npn-preferred-over-alpn-server2] -+[13-sni-npn-preferred-over-alpn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[11-sni-npn-preferred-over-alpn-client] -+[13-sni-npn-preferred-over-alpn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-11] -+[test-13] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 11-sni-npn-preferred-over-alpn-server-extra --server2 = 11-sni-npn-preferred-over-alpn-server2-extra --client = 11-sni-npn-preferred-over-alpn-client-extra -+server = 13-sni-npn-preferred-over-alpn-server-extra -+server2 = 13-sni-npn-preferred-over-alpn-server2-extra -+client = 13-sni-npn-preferred-over-alpn-client-extra - --[11-sni-npn-preferred-over-alpn-server-extra] -+[13-sni-npn-preferred-over-alpn-server-extra] - ALPNProtocols = foo - ServerNameCallback = IgnoreMismatch - 
--[11-sni-npn-preferred-over-alpn-server2-extra] -+[13-sni-npn-preferred-over-alpn-server2-extra] - NPNProtocols = bar - --[11-sni-npn-preferred-over-alpn-client-extra] -+[13-sni-npn-preferred-over-alpn-client-extra] - ALPNProtocols = foo - NPNProtocols = bar - ServerName = server2 -@@ -460,356 +527,356 @@ ServerName = server2 - - # =========================================================== - --[12-npn-simple-resumption] --ssl_conf = 12-npn-simple-resumption-ssl -+[14-npn-simple-resumption] -+ssl_conf = 14-npn-simple-resumption-ssl - --[12-npn-simple-resumption-ssl] --server = 12-npn-simple-resumption-server --client = 12-npn-simple-resumption-client --resume-server = 12-npn-simple-resumption-server --resume-client = 12-npn-simple-resumption-client -+[14-npn-simple-resumption-ssl] -+server = 14-npn-simple-resumption-server -+client = 14-npn-simple-resumption-client -+resume-server = 14-npn-simple-resumption-server -+resume-client = 14-npn-simple-resumption-client - --[12-npn-simple-resumption-server] -+[14-npn-simple-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[12-npn-simple-resumption-client] -+[14-npn-simple-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-12] -+[test-14] - ExpectedNPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 12-npn-simple-resumption-server-extra --resume-server = 12-npn-simple-resumption-server-extra --client = 12-npn-simple-resumption-client-extra --resume-client = 12-npn-simple-resumption-client-extra -+server = 14-npn-simple-resumption-server-extra -+resume-server = 14-npn-simple-resumption-server-extra -+client = 14-npn-simple-resumption-client-extra -+resume-client = 14-npn-simple-resumption-client-extra - --[12-npn-simple-resumption-server-extra] -+[14-npn-simple-resumption-server-extra] - 
NPNProtocols = foo - --[12-npn-simple-resumption-client-extra] -+[14-npn-simple-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[13-npn-server-switch-resumption] --ssl_conf = 13-npn-server-switch-resumption-ssl -+[15-npn-server-switch-resumption] -+ssl_conf = 15-npn-server-switch-resumption-ssl - --[13-npn-server-switch-resumption-ssl] --server = 13-npn-server-switch-resumption-server --client = 13-npn-server-switch-resumption-client --resume-server = 13-npn-server-switch-resumption-resume-server --resume-client = 13-npn-server-switch-resumption-client -+[15-npn-server-switch-resumption-ssl] -+server = 15-npn-server-switch-resumption-server -+client = 15-npn-server-switch-resumption-client -+resume-server = 15-npn-server-switch-resumption-resume-server -+resume-client = 15-npn-server-switch-resumption-client - --[13-npn-server-switch-resumption-server] -+[15-npn-server-switch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[13-npn-server-switch-resumption-resume-server] -+[15-npn-server-switch-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[13-npn-server-switch-resumption-client] -+[15-npn-server-switch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-13] -+[test-15] - ExpectedNPNProtocol = baz - HandshakeMode = Resume - ResumptionExpected = Yes --server = 13-npn-server-switch-resumption-server-extra --resume-server = 13-npn-server-switch-resumption-resume-server-extra --client = 13-npn-server-switch-resumption-client-extra --resume-client = 13-npn-server-switch-resumption-client-extra -+server = 15-npn-server-switch-resumption-server-extra -+resume-server = 
15-npn-server-switch-resumption-resume-server-extra -+client = 15-npn-server-switch-resumption-client-extra -+resume-client = 15-npn-server-switch-resumption-client-extra - --[13-npn-server-switch-resumption-server-extra] -+[15-npn-server-switch-resumption-server-extra] - NPNProtocols = bar,foo - --[13-npn-server-switch-resumption-resume-server-extra] -+[15-npn-server-switch-resumption-resume-server-extra] - NPNProtocols = baz,foo - --[13-npn-server-switch-resumption-client-extra] -+[15-npn-server-switch-resumption-client-extra] - NPNProtocols = foo,bar,baz - - - # =========================================================== - --[14-npn-client-switch-resumption] --ssl_conf = 14-npn-client-switch-resumption-ssl -+[16-npn-client-switch-resumption] -+ssl_conf = 16-npn-client-switch-resumption-ssl - --[14-npn-client-switch-resumption-ssl] --server = 14-npn-client-switch-resumption-server --client = 14-npn-client-switch-resumption-client --resume-server = 14-npn-client-switch-resumption-server --resume-client = 14-npn-client-switch-resumption-resume-client -+[16-npn-client-switch-resumption-ssl] -+server = 16-npn-client-switch-resumption-server -+client = 16-npn-client-switch-resumption-client -+resume-server = 16-npn-client-switch-resumption-server -+resume-client = 16-npn-client-switch-resumption-resume-client - --[14-npn-client-switch-resumption-server] -+[16-npn-client-switch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[14-npn-client-switch-resumption-client] -+[16-npn-client-switch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[14-npn-client-switch-resumption-resume-client] -+[16-npn-client-switch-resumption-resume-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-14] 
-+[test-16] - ExpectedNPNProtocol = bar - HandshakeMode = Resume - ResumptionExpected = Yes --server = 14-npn-client-switch-resumption-server-extra --resume-server = 14-npn-client-switch-resumption-server-extra --client = 14-npn-client-switch-resumption-client-extra --resume-client = 14-npn-client-switch-resumption-resume-client-extra -+server = 16-npn-client-switch-resumption-server-extra -+resume-server = 16-npn-client-switch-resumption-server-extra -+client = 16-npn-client-switch-resumption-client-extra -+resume-client = 16-npn-client-switch-resumption-resume-client-extra - --[14-npn-client-switch-resumption-server-extra] -+[16-npn-client-switch-resumption-server-extra] - NPNProtocols = foo,bar,baz - --[14-npn-client-switch-resumption-client-extra] -+[16-npn-client-switch-resumption-client-extra] - NPNProtocols = foo,baz - --[14-npn-client-switch-resumption-resume-client-extra] -+[16-npn-client-switch-resumption-resume-client-extra] - NPNProtocols = bar,baz - - - # =========================================================== - --[15-npn-client-first-pref-on-mismatch-resumption] --ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl -+[17-npn-client-first-pref-on-mismatch-resumption] -+ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl - --[15-npn-client-first-pref-on-mismatch-resumption-ssl] --server = 15-npn-client-first-pref-on-mismatch-resumption-server --client = 15-npn-client-first-pref-on-mismatch-resumption-client --resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server --resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client -+[17-npn-client-first-pref-on-mismatch-resumption-ssl] -+server = 17-npn-client-first-pref-on-mismatch-resumption-server -+client = 17-npn-client-first-pref-on-mismatch-resumption-client -+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server -+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client - 
--[15-npn-client-first-pref-on-mismatch-resumption-server] -+[17-npn-client-first-pref-on-mismatch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[15-npn-client-first-pref-on-mismatch-resumption-resume-server] -+[17-npn-client-first-pref-on-mismatch-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[15-npn-client-first-pref-on-mismatch-resumption-client] -+[17-npn-client-first-pref-on-mismatch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-15] -+[test-17] - ExpectedNPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra --resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra --client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra --resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra -+server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra -+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra -+client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra -+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra - --[15-npn-client-first-pref-on-mismatch-resumption-server-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-server-extra] - NPNProtocols = bar - --[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] - NPNProtocols = baz - --[15-npn-client-first-pref-on-mismatch-resumption-client-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-client-extra] - NPNProtocols = foo,bar - - - # 
=========================================================== - --[16-npn-no-server-support-resumption] --ssl_conf = 16-npn-no-server-support-resumption-ssl -+[18-npn-no-server-support-resumption] -+ssl_conf = 18-npn-no-server-support-resumption-ssl - --[16-npn-no-server-support-resumption-ssl] --server = 16-npn-no-server-support-resumption-server --client = 16-npn-no-server-support-resumption-client --resume-server = 16-npn-no-server-support-resumption-resume-server --resume-client = 16-npn-no-server-support-resumption-client -+[18-npn-no-server-support-resumption-ssl] -+server = 18-npn-no-server-support-resumption-server -+client = 18-npn-no-server-support-resumption-client -+resume-server = 18-npn-no-server-support-resumption-resume-server -+resume-client = 18-npn-no-server-support-resumption-client - --[16-npn-no-server-support-resumption-server] -+[18-npn-no-server-support-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[16-npn-no-server-support-resumption-resume-server] -+[18-npn-no-server-support-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[16-npn-no-server-support-resumption-client] -+[18-npn-no-server-support-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-16] -+[test-18] - HandshakeMode = Resume - ResumptionExpected = Yes --server = 16-npn-no-server-support-resumption-server-extra --client = 16-npn-no-server-support-resumption-client-extra --resume-client = 16-npn-no-server-support-resumption-client-extra -+server = 18-npn-no-server-support-resumption-server-extra -+client = 18-npn-no-server-support-resumption-client-extra -+resume-client = 18-npn-no-server-support-resumption-client-extra - 
--[16-npn-no-server-support-resumption-server-extra] -+[18-npn-no-server-support-resumption-server-extra] - NPNProtocols = foo - --[16-npn-no-server-support-resumption-client-extra] -+[18-npn-no-server-support-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[17-npn-no-client-support-resumption] --ssl_conf = 17-npn-no-client-support-resumption-ssl -+[19-npn-no-client-support-resumption] -+ssl_conf = 19-npn-no-client-support-resumption-ssl - --[17-npn-no-client-support-resumption-ssl] --server = 17-npn-no-client-support-resumption-server --client = 17-npn-no-client-support-resumption-client --resume-server = 17-npn-no-client-support-resumption-server --resume-client = 17-npn-no-client-support-resumption-resume-client -+[19-npn-no-client-support-resumption-ssl] -+server = 19-npn-no-client-support-resumption-server -+client = 19-npn-no-client-support-resumption-client -+resume-server = 19-npn-no-client-support-resumption-server -+resume-client = 19-npn-no-client-support-resumption-resume-client - --[17-npn-no-client-support-resumption-server] -+[19-npn-no-client-support-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[17-npn-no-client-support-resumption-client] -+[19-npn-no-client-support-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[17-npn-no-client-support-resumption-resume-client] -+[19-npn-no-client-support-resumption-resume-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-17] -+[test-19] - HandshakeMode = Resume - ResumptionExpected = Yes --server = 17-npn-no-client-support-resumption-server-extra --resume-server = 17-npn-no-client-support-resumption-server-extra --client = 
17-npn-no-client-support-resumption-client-extra -+server = 19-npn-no-client-support-resumption-server-extra -+resume-server = 19-npn-no-client-support-resumption-server-extra -+client = 19-npn-no-client-support-resumption-client-extra - --[17-npn-no-client-support-resumption-server-extra] -+[19-npn-no-client-support-resumption-server-extra] - NPNProtocols = foo - --[17-npn-no-client-support-resumption-client-extra] -+[19-npn-no-client-support-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[18-alpn-preferred-over-npn-resumption] --ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl -+[20-alpn-preferred-over-npn-resumption] -+ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl - --[18-alpn-preferred-over-npn-resumption-ssl] --server = 18-alpn-preferred-over-npn-resumption-server --client = 18-alpn-preferred-over-npn-resumption-client --resume-server = 18-alpn-preferred-over-npn-resumption-resume-server --resume-client = 18-alpn-preferred-over-npn-resumption-client -+[20-alpn-preferred-over-npn-resumption-ssl] -+server = 20-alpn-preferred-over-npn-resumption-server -+client = 20-alpn-preferred-over-npn-resumption-client -+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server -+resume-client = 20-alpn-preferred-over-npn-resumption-client - --[18-alpn-preferred-over-npn-resumption-server] -+[20-alpn-preferred-over-npn-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[18-alpn-preferred-over-npn-resumption-resume-server] -+[20-alpn-preferred-over-npn-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[18-alpn-preferred-over-npn-resumption-client] -+[20-alpn-preferred-over-npn-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-18] -+[test-20] - ExpectedALPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 18-alpn-preferred-over-npn-resumption-server-extra --resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra --client = 18-alpn-preferred-over-npn-resumption-client-extra --resume-client = 18-alpn-preferred-over-npn-resumption-client-extra -+server = 20-alpn-preferred-over-npn-resumption-server-extra -+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra -+client = 20-alpn-preferred-over-npn-resumption-client-extra -+resume-client = 20-alpn-preferred-over-npn-resumption-client-extra - --[18-alpn-preferred-over-npn-resumption-server-extra] -+[20-alpn-preferred-over-npn-resumption-server-extra] - NPNProtocols = bar - --[18-alpn-preferred-over-npn-resumption-resume-server-extra] -+[20-alpn-preferred-over-npn-resumption-resume-server-extra] - ALPNProtocols = foo - NPNProtocols = baz - --[18-alpn-preferred-over-npn-resumption-client-extra] -+[20-alpn-preferred-over-npn-resumption-client-extra] - ALPNProtocols = foo - NPNProtocols = bar,baz - - - # =========================================================== - --[19-npn-used-if-alpn-not-supported-resumption] --ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl -+[21-npn-used-if-alpn-not-supported-resumption] -+ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl - --[19-npn-used-if-alpn-not-supported-resumption-ssl] --server = 19-npn-used-if-alpn-not-supported-resumption-server --client = 19-npn-used-if-alpn-not-supported-resumption-client --resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server --resume-client = 19-npn-used-if-alpn-not-supported-resumption-client -+[21-npn-used-if-alpn-not-supported-resumption-ssl] -+server = 21-npn-used-if-alpn-not-supported-resumption-server -+client = 21-npn-used-if-alpn-not-supported-resumption-client -+resume-server = 
21-npn-used-if-alpn-not-supported-resumption-resume-server -+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client - --[19-npn-used-if-alpn-not-supported-resumption-server] -+[21-npn-used-if-alpn-not-supported-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[19-npn-used-if-alpn-not-supported-resumption-resume-server] -+[21-npn-used-if-alpn-not-supported-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[19-npn-used-if-alpn-not-supported-resumption-client] -+[21-npn-used-if-alpn-not-supported-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-19] -+[test-21] - ExpectedNPNProtocol = baz - HandshakeMode = Resume - ResumptionExpected = Yes --server = 19-npn-used-if-alpn-not-supported-resumption-server-extra --resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra --client = 19-npn-used-if-alpn-not-supported-resumption-client-extra --resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra -+server = 21-npn-used-if-alpn-not-supported-resumption-server-extra -+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra -+client = 21-npn-used-if-alpn-not-supported-resumption-client-extra -+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra - --[19-npn-used-if-alpn-not-supported-resumption-server-extra] -+[21-npn-used-if-alpn-not-supported-resumption-server-extra] - ALPNProtocols = foo - NPNProtocols = bar - --[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra] -+[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra] - NPNProtocols = baz - --[19-npn-used-if-alpn-not-supported-resumption-client-extra] 
-+[21-npn-used-if-alpn-not-supported-resumption-client-extra] - ALPNProtocols = foo - NPNProtocols = bar,baz - -diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in -index 30783e4..1dc2704 100644 ---- a/test/ssl-tests/08-npn.cnf.in -+++ b/test/ssl-tests/08-npn.cnf.in -@@ -110,6 +110,41 @@ our @tests = ( - "ExpectedNPNProtocol" => undef, - }, - }, -+ { -+ name => "npn-empty-client-list", -+ server => { -+ extra => { -+ "NPNProtocols" => "foo", -+ }, -+ }, -+ client => { -+ extra => { -+ "NPNProtocols" => "", -+ }, -+ "MaxProtocol" => "TLSv1.2" -+ }, -+ test => { -+ "ExpectedResult" => "ClientFail", -+ "ExpectedClientAlert" => "HandshakeFailure" -+ }, -+ }, -+ { -+ name => "npn-empty-server-list", -+ server => { -+ extra => { -+ "NPNProtocols" => "", -+ }, -+ }, -+ client => { -+ extra => { -+ "NPNProtocols" => "foo", -+ }, -+ "MaxProtocol" => "TLSv1.2" -+ }, -+ test => { -+ "ExpectedNPNProtocol" => "foo" -+ }, -+ }, - { - name => "npn-with-sni-no-context-switch", - server => { -diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf -index e7e6cb9..dd66873 100644 ---- a/test/ssl-tests/09-alpn.cnf -+++ b/test/ssl-tests/09-alpn.cnf -@@ -1,6 +1,6 @@ - # Generated with generate_ssl_tests.pl - --num_tests = 16 -+num_tests = 18 - - test-0 = 0-alpn-simple - test-1 = 1-alpn-server-finds-match -@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption - test-13 = 13-alpn-alert-on-mismatch-resumption - test-14 = 14-alpn-no-server-support-resumption - test-15 = 15-alpn-no-client-support-resumption -+test-16 = 16-alpn-empty-client-list -+test-17 = 17-alpn-empty-server-list - # =========================================================== - - [0-alpn-simple] -@@ -617,3 +619,65 @@ ALPNProtocols = foo - ALPNProtocols = foo - - -+# =========================================================== -+ -+[16-alpn-empty-client-list] -+ssl_conf = 16-alpn-empty-client-list-ssl -+ -+[16-alpn-empty-client-list-ssl] -+server = 16-alpn-empty-client-list-server 
-+client = 16-alpn-empty-client-list-client -+ -+[16-alpn-empty-client-list-server] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[16-alpn-empty-client-list-client] -+CipherString = DEFAULT -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-16] -+server = 16-alpn-empty-client-list-server-extra -+client = 16-alpn-empty-client-list-client-extra -+ -+[16-alpn-empty-client-list-server-extra] -+ALPNProtocols = foo -+ -+[16-alpn-empty-client-list-client-extra] -+ALPNProtocols = -+ -+ -+# =========================================================== -+ -+[17-alpn-empty-server-list] -+ssl_conf = 17-alpn-empty-server-list-ssl -+ -+[17-alpn-empty-server-list-ssl] -+server = 17-alpn-empty-server-list-server -+client = 17-alpn-empty-server-list-client -+ -+[17-alpn-empty-server-list-server] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[17-alpn-empty-server-list-client] -+CipherString = DEFAULT -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-17] -+ExpectedResult = ServerFail -+ExpectedServerAlert = NoApplicationProtocol -+server = 17-alpn-empty-server-list-server-extra -+client = 17-alpn-empty-server-list-client-extra -+ -+[17-alpn-empty-server-list-server-extra] -+ALPNProtocols = -+ -+[17-alpn-empty-server-list-client-extra] -+ALPNProtocols = foo -+ -+ -diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in -index 8133075..322b709 100644 ---- a/test/ssl-tests/09-alpn.cnf.in -+++ b/test/ssl-tests/09-alpn.cnf.in -@@ -322,4 +322,37 @@ our @tests = ( - "ExpectedALPNProtocol" => undef, - }, - }, -+ { -+ name => "alpn-empty-client-list", -+ server => { -+ extra => { -+ "ALPNProtocols" => "foo", -+ }, -+ }, -+ client => { -+ extra => { -+ "ALPNProtocols" => "", -+ }, -+ }, -+ test => { -+ "ExpectedALPNProtocol" => undef, 
-+ }, -+ }, -+ { -+ name => "alpn-empty-server-list", -+ server => { -+ extra => { -+ "ALPNProtocols" => "", -+ }, -+ }, -+ client => { -+ extra => { -+ "ALPNProtocols" => "foo", -+ }, -+ }, -+ test => { -+ "ExpectedResult" => "ServerFail", -+ "ExpectedServerAlert" => "NoApplicationProtocol", -+ }, -+ }, - ); --- -2.44.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch deleted file mode 100644 index 7319d27bb8..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 86351b8dd4c499de7a0c02313ee54966e978150f Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 21 Jun 2024 10:41:55 +0100 -Subject: [PATCH 07/10] Correct return values for - tls_construct_stoc_next_proto_neg - -Return EXT_RETURN_NOT_SENT in the event that we don't send the extension, -rather than EXT_RETURN_SENT. This actually makes no difference at all to -the current control flow since this return value is ignored in this case -anyway. But lets make it correct anyway. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/53f5677f358c4a4f69830d944ea40e71950673b8] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - ssl/statem/extensions_srvr.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c -index 64ccb3e..b821c7c 100644 ---- a/ssl/statem/extensions_srvr.c -+++ b/ssl/statem/extensions_srvr.c -@@ -1496,9 +1496,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt, - return EXT_RETURN_FAIL; - } - s->s3.npn_seen = 1; -+ return EXT_RETURN_SENT; - } - -- return EXT_RETURN_SENT; -+ return EXT_RETURN_NOT_SENT; - } - #endif - --- -2.44.0 - 
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch deleted file mode 100644 index f64938a5ca..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 29f860914824cde6b0aea6ad818b93132930137f Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 21 Jun 2024 11:51:54 +0100 -Subject: [PATCH 08/10] Add ALPN validation in the client - -The ALPN protocol selected by the server must be one that we originally -advertised. We should verify that it is. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/195e15421df113d7283aab2ccff8b8fb06df5465] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c -index 1ab3c13..ff9c009 100644 ---- a/ssl/statem/extensions_clnt.c -+++ b/ssl/statem/extensions_clnt.c -@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, - X509 *x, size_t chainidx) - { - size_t len; -+ PACKET confpkt, protpkt; -+ int valid = 0; - - /* We must have requested it. 
*/ - if (!s->s3.alpn_sent) { -@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); - return 0; - } -+ -+ /* It must be a protocol that we sent */ -+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { -+ if (PACKET_remaining(&protpkt) != len) -+ continue; -+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { -+ /* Valid protocol found */ -+ valid = 1; -+ break; -+ } -+ } -+ -+ if (!valid) { -+ /* The protocol sent from the server does not match one we advertised */ -+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); -+ return 0; -+ } -+ - OPENSSL_free(s->s3.alpn_selected); - s->s3.alpn_selected = OPENSSL_malloc(len); - if (s->s3.alpn_selected == NULL) { --- -2.44.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch deleted file mode 100644 index fb1cef5067..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch +++ /dev/null 
@@ -1,271 +0,0 @@ -From 6a5484b0d3fcf9a868c7e3e5b62e5eedc90b6080 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 21 Jun 2024 10:09:41 +0100 -Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest - -We already had some tests elsewhere - but this extends that testing with -additional tests. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) - -Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7c95191434415d1c9b7fe9b130df13cce630b6b5] -CVE: CVE-2024-5535 -Signed-off-by: Siddharth Doshi ---- - test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 229 insertions(+) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 15cb906..7a55a2b 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx) - return ret; - } - -+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' }; -+static const unsigned char barprot[] = {3, 'b', 'a', 'r' }; -+ -+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) -+static int npn_advert_cb(SSL *ssl, const unsigned char **out, -+ unsigned int *outlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ default: -+ case 0: -+ *out = fooprot; -+ *outlen = sizeof(fooprot); -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 1: -+ *outlen = 0; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 2: -+ return SSL_TLSEXT_ERR_NOACK; -+ } -+} -+ -+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, -+ const unsigned char *in, unsigned int inlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ case 0: -+ case 1: -+ *out = (unsigned char *)(fooprot + 1); -+ *outlen = *fooprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 3: -+ *out = (unsigned char *)(barprot + 1); -+ *outlen = *barprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 4: -+ *outlen = 0; -+ return 
SSL_TLSEXT_ERR_OK; -+ -+ default: -+ case 2: -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+} -+ -+/* -+ * Test the NPN callbacks -+ * Test 0: advert = foo, select = foo -+ * Test 1: advert = , select = foo -+ * Test 2: no advert -+ * Test 3: advert = foo, select = bar -+ * Test 4: advert = foo, select = (should fail) -+ */ -+static int test_npn(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int testresult = 0; -+ -+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -+ TLS_client_method(), 0, TLS1_2_VERSION, -+ &sctx, &cctx, cert, privkey))) -+ goto end; -+ -+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx); -+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx); -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, -+ NULL))) -+ goto end; -+ -+ if (idx == 4) { -+ /* We don't allow empty selection of NPN, so this should fail */ -+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ } else { -+ const unsigned char *prot; -+ unsigned int protlen; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen); -+ switch (idx) { -+ case 0: -+ case 1: -+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) -+ goto end; -+ break; -+ case 2: -+ if (!TEST_uint_eq(protlen, 0)) -+ goto end; -+ break; -+ case 3: -+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot)) -+ goto end; -+ break; -+ default: -+ TEST_error("Should not get here"); -+ goto end; -+ } -+ } -+ -+ testresult = 1; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ -+ return testresult; -+} -+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */ -+ -+static int alpn_select_cb2(SSL *ssl, const unsigned char **out, -+ unsigned char *outlen, const unsigned char *in, -+ 
unsigned int inlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ case 0: -+ *out = (unsigned char *)(fooprot + 1); -+ *outlen = *fooprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 2: -+ *out = (unsigned char *)(barprot + 1); -+ *outlen = *barprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 3: -+ *outlen = 0; -+ return SSL_TLSEXT_ERR_OK; -+ -+ default: -+ case 1: -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ return 0; -+} -+ -+/* -+ * Test the ALPN callbacks -+ * Test 0: client = foo, select = foo -+ * Test 1: client = , select = none -+ * Test 2: client = foo, select = bar (should fail) -+ * Test 3: client = foo, select = (should fail) -+ */ -+static int test_alpn(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int testresult = 0; -+ const unsigned char *prots = fooprot; -+ unsigned int protslen = sizeof(fooprot); -+ -+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -+ TLS_client_method(), 0, 0, -+ &sctx, &cctx, cert, privkey))) -+ goto end; -+ -+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx); -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, -+ NULL))) -+ goto end; -+ -+ if (idx == 1) { -+ prots = NULL; -+ protslen = 0; -+ } -+ -+ /* SSL_set_alpn_protos returns 0 for success! 
*/ -+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen))) -+ goto end; -+ -+ if (idx == 2 || idx == 3) { -+ /* We don't allow empty selection of NPN, so this should fail */ -+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ } else { -+ const unsigned char *prot; -+ unsigned int protlen; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ SSL_get0_alpn_selected(clientssl, &prot, &protlen); -+ switch (idx) { -+ case 0: -+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) -+ goto end; -+ break; -+ case 1: -+ if (!TEST_uint_eq(protlen, 0)) -+ goto end; -+ break; -+ default: -+ TEST_error("Should not get here"); -+ goto end; -+ } -+ } -+ -+ testresult = 1; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ -+ return testresult; -+} -+ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") - - int setup_tests(void) -@@ -12190,6 +12415,10 @@ int setup_tests(void) - ADD_TEST(test_data_retry); - ADD_ALL_TESTS(test_multi_resume, 5); - ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests)); -+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) -+ ADD_ALL_TESTS(test_npn, 5); -+#endif -+ ADD_ALL_TESTS(test_alpn, 4); - return 1; - - err: --- -2.44.0 - diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.2.bb b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb similarity index 94% rename from meta/recipes-connectivity/openssl/openssl_3.2.2.bb rename to meta/recipes-connectivity/openssl/openssl_3.2.3.bb index 3242dd69c6..53139df40c 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.2.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb 
@@ -7,28 +7,18 @@ SECTION = "libs/network" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04" -SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ +SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \ file://run-ptest \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://0001-Added-handshake-history-reporting-when-test-fails.patch \ - file://CVE-2024-5535_1.patch \ - file://CVE-2024-5535_2.patch \ - file://CVE-2024-5535_3.patch \ - file://CVE-2024-5535_4.patch \ - file://CVE-2024-5535_5.patch \ - file://CVE-2024-5535_6.patch \ - file://CVE-2024-5535_7.patch \ - file://CVE-2024-5535_8.patch \ - file://CVE-2024-5535_9.patch \ - file://CVE-2024-5535_10.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "197149c18d9e9f292c43f0400acaba12e5f52cacfe050f3d199277ea738ec2e7" +SRC_URI[sha256sum] = "52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" From patchwork Fri Sep 20 13:39:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49362 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 098E7C78849 for ; Fri, 20 Sep 2024 13:39:40 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web11.18275.1726839571515402228 for ; Fri, 20 Sep 2024 06:39:31 -0700 Authentication-Results: 
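Review bot: In the openssl_3.2.3.bb hunk, all ten CVE-2024-5535_1 to CVE-2024-5535_10 entries leave SRC_URI in the same change that bumps the version, so the fix for CVE-2024-5535 now rests entirely on the 3.2.3 tarball. It is worth confirming, and recording in the commit message, that 3.2.3 contains every upstream commit named in the Upstream-Status lines of the deleted patch files, so the stable branch keeps a record of why the backports could be dropped. The same hunk also moves the download from http://www.openssl.org/source/ to the GitHub releases URL, which leaves the new SRC_URI[sha256sum] as the only integrity pin on the fetch; please say where that checksum was taken from.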
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/16] python3: upgrade 3.12.4 -> 3.12.5
Date: Fri, 20 Sep 2024 06:39:02 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204744

From: Trevor Gamblin

Changelog: https://docs.python.org/release/3.12.5/whatsnew/changelog.html

(From OE-Core rev: d9e2ebd6b24b802d1d4cd38b3b910e068c308809)

Signed-off-by: Trevor Gamblin
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
--- .../python/{python3_3.12.4.bb => python3_3.12.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/python/{python3_3.12.4.bb => python3_3.12.5.bb} (99%) diff --git a/meta/recipes-devtools/python/python3_3.12.4.bb b/meta/recipes-devtools/python/python3_3.12.5.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.12.4.bb rename to meta/recipes-devtools/python/python3_3.12.5.bb index 3ac83166ac..5c3b7a92f8 100644 --- a/meta/recipes-devtools/python/python3_3.12.4.bb +++ b/meta/recipes-devtools/python/python3_3.12.5.bb 
@@ -42,7 +42,7 @@ SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ " -SRC_URI[sha256sum] = "f6d419a6d8743ab26700801b4908d26d97e8b986e14f95de31b32de2b0e79554" +SRC_URI[sha256sum] = "fa8a2e12c5e620b09f53e65bcd87550d2e5a1e2e04bf8ba991dcc55113876397" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" From patchwork Fri Sep 20 13:39:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49360 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB725C78845 for ; Fri, 20 Sep 2024 13:39:39 +0000 (UTC) Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) by mx.groups.io with SMTP id smtpd.web10.18440.1726839571443730777 for ; Fri, 20 Sep 2024 06:39:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=CQNZ35UE; spf=softfail (domain: sakoman.com, ip: 209.85.210.175, mailfrom: steve@sakoman.com) Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-71781f42f75so1925421b3a.1 for ; Fri, 20 Sep 2024 06:39:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839571; x=1727444371; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=M6tqB7gj8m0d6TQaI9aSm8sPZ7RkehQA+QOudc0TPpI=; b=CQNZ35UEw+uUa9lByF5t87m/rTUwgV3vYNJy8rY2qI97SkSJ+RsAloY+5TTexONJY4 gmLWyY3txRqOC41/nuj2sWR/e9uFT43YooMvkQPm5l1XCqsOJE/DC7AjwAK7VecYKPUz 
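Review bot: The only change in the python3_3.12.5.bb hunk is the new SRC_URI[sha256sum], and the commit message gives nothing beyond a changelog link. Patch 01/16 of this same series reverts a version bump because it added new features, so the message here should say whether 3.12.5 is limited to bug and security fixes and name any CVEs it resolves, which lets a stable-branch reviewer accept the upgrade without reading the whole upstream changelog.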
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/16] python3: skip readline limited history tests Date: Fri, 20 Sep 2024 06:39:03 -0700 Message-Id: <98b3a3e3f79a3edaa4cf2cfbf58eb84553d65e1e.1726839438.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Sep 2024 13:39:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204743 From: Trevor Gamblin Python 3.12.5 is failing a newer ptest for reading/writing limited history when editline (default) is set in PACKAGECONFIG. Skip it for now until a proper fix (if any) is determined. A bug has been opened upstream: https://github.com/python/cpython/issues/123018 (From OE-Core rev: de569ddffd5ea36b70c56df21dec9c892e5dee7d) Signed-off-by: Trevor Gamblin Signed-off-by: Richard Purdie Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- ...t_readline-skip-limited-history-test.patch | 41 +++++++++++++++++++ .../recipes-devtools/python/python3_3.12.5.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch diff --git a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch new file mode 100644 index 0000000000..50a4609f7a --- /dev/null +++ b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch 
@@ -0,0 +1,41 @@ +From d9d916d5ea946c945323679d1709de1b87029b96 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin +Date: Tue, 13 Aug 2024 11:07:05 -0400 +Subject: [PATCH] test_readline: skip limited history test + +This test was added recently and is failing on the ptest image when +using the default PACKAGECONFIG settings (i.e. with editline instead of +readline).. Disable it until the proper fix is determined. + +A bug has been opened upstream: https://github.com/python/cpython/issues/123018 + +Upstream-Status: Inappropriate [OE-specific] + +Signed-off-by: Trevor Gamblin +--- + Lib/test/test_readline.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Lib/test/test_readline.py b/Lib/test/test_readline.py +index 91fd7dd13f9..d81f9bf8eed 100644 +--- a/Lib/test/test_readline.py ++++ b/Lib/test/test_readline.py +@@ -132,6 +132,7 @@ def test_nonascii_history(self): + self.assertEqual(readline.get_history_item(1), "entrée 1") + self.assertEqual(readline.get_history_item(2), "entrée 22") + ++ @unittest.skip("Skipping problematic test") + def test_write_read_limited_history(self): + previous_length = readline.get_history_length() + self.addCleanup(readline.set_history_length, previous_length) +@@ -349,6 +350,7 @@ def test_history_size(self): + self.assertEqual(len(lines), history_size) + self.assertEqual(lines[-1].strip(), b"last input") + ++ @unittest.skip("Skipping problematic test") + def test_write_read_limited_history(self): + previous_length = readline.get_history_length() + self.addCleanup(readline.set_history_length, previous_length) +-- +2.39.2 + diff --git a/meta/recipes-devtools/python/python3_3.12.5.bb b/meta/recipes-devtools/python/python3_3.12.5.bb index 5c3b7a92f8..92109d58ce 100644 --- a/meta/recipes-devtools/python/python3_3.12.5.bb +++ b/meta/recipes-devtools/python/python3_3.12.5.bb 
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \ file://0001-test_deadlock-skip-problematic-test.patch \ file://0001-test_active_children-skip-problematic-test.patch \ + file://0001-test_readline-skip-limited-history-test.patch \ file://CVE-2024-7592.patch \ file://CVE-2024-8088.patch \ " From patchwork Fri Sep 20 13:39:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49365 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19430C7884C for ; Fri, 20 Sep 2024 13:39:40 +0000 (UTC) Received: from mail-pg1-f169.google.com (mail-pg1-f169.google.com [209.85.215.169]) by mx.groups.io with SMTP id smtpd.web11.18276.1726839573203289791 for ; Fri, 20 Sep 2024 06:39:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=R/ruYSLj; spf=softfail (domain: sakoman.com, ip: 209.85.215.169, mailfrom: steve@sakoman.com) Received: by mail-pg1-f169.google.com with SMTP id 41be03b00d2f7-7c6b4222fe3so1324146a12.3 for ; Fri, 20 Sep 2024 06:39:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839572; x=1727444372; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=WAr2HbDeyEM4l2BySfArraP7OwCCunF1lSvIJLvsDFA=; b=R/ruYSLj+gUFw/GoLcc1hTMMns2P9gXtVQaVt4B2wtl0IeaAZRwgC5yMldY1d36ubz 5PNtTxltIYvVdeBZ/A1+HhRkelNgN+JPy5dXYSA6UpaEjO15NWw0IAAlo40IhT7wmRne 
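Review bot: in the new 0001-test_readline-skip-limited-history-test.patch of patch 05/16, both added `@unittest.skip("Skipping problematic test")` decorators disable test_write_read_limited_history unconditionally, although the description says the failure only occurs with editline. Consider skipping only when the readline module is built against editline, so that a PACKAGECONFIG with readline keeps the coverage. The skip message should also carry the reason and the upstream issue (https://github.com/python/cpython/issues/123018) so that it shows up in the ptest log and the skip is easy to find and drop once upstream resolves it.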
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/16] python3: Upgrade 3.12.5 -> 3.12.6 Date: Fri, 20 Sep 2024 06:39:04 -0700 Message-Id: <6688a8ff2e1cbf6ad8ebd1b89ec6c929caf6a161.1726839438.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Sep 2024 13:39:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204745 From: Peter Marko Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232, CVE-2023-27043 and other bug fixes. Removed below patches, as the fix is included in 3.12.6 upgrade: 1. CVE-2024-7592.patch 2. CVE-2024-8088.patch Release Notes: https://www.python.org/downloads/release/python-3126/ (From OE-Core rev: aa492b1fd5973c37b8fa2cd17d28199eba46afcc) Signed-off-by: Divya Chellam Signed-off-by: Richard Purdie Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- ...t_readline-skip-limited-history-test.patch | 19 +-- .../python/python3/CVE-2024-7592.patch | 143 ------------------ .../python/python3/CVE-2024-8088.patch | 128 ---------------- .../{python3_3.12.5.bb => python3_3.12.6.bb} | 4 +- 4 files changed, 9 insertions(+), 285 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch rename meta/recipes-devtools/python/{python3_3.12.5.bb => python3_3.12.6.bb} (99%) diff --git a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch index 50a4609f7a..e8d297c721 100644 --- a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch 
+++ b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch @@ -16,11 +16,11 @@ Signed-off-by: Trevor Gamblin Lib/test/test_readline.py | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/Lib/test/test_readline.py b/Lib/test/test_readline.py -index 91fd7dd13f9..d81f9bf8eed 100644 ---- a/Lib/test/test_readline.py -+++ b/Lib/test/test_readline.py -@@ -132,6 +132,7 @@ def test_nonascii_history(self): +Index: Python-3.12.6/Lib/test/test_readline.py +=================================================================== +--- Python-3.12.6.orig/Lib/test/test_readline.py ++++ Python-3.12.6/Lib/test/test_readline.py +@@ -133,6 +133,7 @@ class TestHistoryManipulation (unittest. self.assertEqual(readline.get_history_item(1), "entrée 1") self.assertEqual(readline.get_history_item(2), "entrée 22") @@ -28,14 +28,11 @@ index 91fd7dd13f9..d81f9bf8eed 100644 def test_write_read_limited_history(self): previous_length = readline.get_history_length() self.addCleanup(readline.set_history_length, previous_length) -@@ -349,6 +350,7 @@ def test_history_size(self): - self.assertEqual(len(lines), history_size) - self.assertEqual(lines[-1].strip(), b"last input") +@@ -371,6 +372,7 @@ readline.write_history_file(history_file + self.assertIn(b"done", output) + + @unittest.skip("Skipping problematic test") def test_write_read_limited_history(self): previous_length = readline.get_history_length() self.addCleanup(readline.set_history_length, previous_length) --- -2.39.2 - diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch deleted file mode 100644 index 7a6d63005c..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch +++ /dev/null 
@@ -1,143 +0,0 @@ -From dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Sun, 25 Aug 2024 00:37:11 +0200 -Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing "-quoted - cookie values with backslashes (GH-123075) (#123104) - -gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) - -This fixes CVE-2024-7592. -(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef) - -Co-authored-by: Serhiy Storchaka - -CVE: CVE-2024-7592 - -Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1] - -Signed-off-by: Soumya Sambu ---- - Lib/http/cookies.py | 34 ++++------------- - Lib/test/test_http_cookies.py | 38 +++++++++++++++++++ - ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 + - 3 files changed, 47 insertions(+), 26 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst - -diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py -index 35ac2dc..2c1f021 100644 ---- a/Lib/http/cookies.py -+++ b/Lib/http/cookies.py -@@ -184,8 +184,13 @@ def _quote(str): - return '"' + str.translate(_Translator) + '"' - - --_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]") --_QuotePatt = re.compile(r"[\\].") -+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub -+ -+def _unquote_replace(m): -+ if m[1]: -+ return chr(int(m[1], 8)) -+ else: -+ return m[2] - - def _unquote(str): - # If there aren't any doublequotes, -@@ -205,30 +210,7 @@ def _unquote(str): - # \012 --> \n - # \" --> " - # -- i = 0 -- n = len(str) -- res = [] -- while 0 <= i < n: -- o_match = _OctalPatt.search(str, i) -- q_match = _QuotePatt.search(str, i) -- if not o_match and not q_match: # Neither matched -- res.append(str[i:]) -- break -- # else: -- j = k = -1 -- if o_match: -- j = o_match.start(0) -- if q_match: -- k = q_match.start(0) -- if q_match 
and (not o_match or k < j): # QuotePatt matched -- res.append(str[i:k]) -- res.append(str[k+1]) -- i = k + 2 -- else: # OctalPatt matched -- res.append(str[i:j]) -- res.append(chr(int(str[j+1:j+4], 8))) -- i = j + 4 -- return _nulljoin(res) -+ return _unquote_sub(_unquote_replace, str) - - # The _getdate() routine is used to set the expiration time in the cookie's HTTP - # header. By default, _getdate() returns the current time in the appropriate -diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py -index 925c869..8879902 100644 ---- a/Lib/test/test_http_cookies.py -+++ b/Lib/test/test_http_cookies.py -@@ -5,6 +5,7 @@ import unittest - import doctest - from http import cookies - import pickle -+from test import support - - - class CookieTests(unittest.TestCase): -@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase): - for k, v in sorted(case['dict'].items()): - self.assertEqual(C[k].value, v) - -+ def test_unquote(self): -+ cases = [ -+ (r'a="b=\""', 'b="'), -+ (r'a="b=\\"', 'b=\\'), -+ (r'a="b=\="', 'b=='), -+ (r'a="b=\n"', 'b=n'), -+ (r'a="b=\042"', 'b="'), -+ (r'a="b=\134"', 'b=\\'), -+ (r'a="b=\377"', 'b=\xff'), -+ (r'a="b=\400"', 'b=400'), -+ (r'a="b=\42"', 'b=42'), -+ (r'a="b=\\042"', 'b=\\042'), -+ (r'a="b=\\134"', 'b=\\134'), -+ (r'a="b=\\\""', 'b=\\"'), -+ (r'a="b=\\\042"', 'b=\\"'), -+ (r'a="b=\134\""', 'b=\\"'), -+ (r'a="b=\134\042"', 'b=\\"'), -+ ] -+ for encoded, decoded in cases: -+ with self.subTest(encoded): -+ C = cookies.SimpleCookie() -+ C.load(encoded) -+ self.assertEqual(C['a'].value, decoded) -+ -+ @support.requires_resource('cpu') -+ def test_unquote_large(self): -+ n = 10**6 -+ for encoded in r'\\', r'\134': -+ with self.subTest(encoded): -+ data = 'a="b=' + encoded*n + ';"' -+ C = cookies.SimpleCookie() -+ C.load(data) -+ value = C['a'].value -+ self.assertEqual(value[:3], 'b=\\') -+ self.assertEqual(value[-2:], '\\;') -+ self.assertEqual(len(value), n + 3) -+ - def test_load(self): - C = cookies.SimpleCookie() - 
C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme') -diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst -new file mode 100644 -index 0000000..6a23456 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst -@@ -0,0 +1 @@ -+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`. --- -2.40.0 diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch deleted file mode 100644 index 13836f1ccc..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From dcc5182f27c1500006a1ef78e10613bb45788dea Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 12 Aug 2024 02:35:17 +0200 -Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906) - (#122923) - -CVE: CVE-2024-8088 - -Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea] - -Signed-off-by: Soumya Sambu ---- - Lib/test/test_zipfile/_path/test_path.py | 17 +++++ - Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++- - ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 + - 3 files changed, 81 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst - -diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py -index 06d5aab..90885db 100644 ---- a/Lib/test/test_zipfile/_path/test_path.py -+++ b/Lib/test/test_zipfile/_path/test_path.py -@@ -577,3 +577,20 @@ class TestPath(unittest.TestCase): - zipfile.Path(alpharep) - with self.assertRaises(KeyError): - alpharep.getinfo('does-not-exist') -+ -+ def test_malformed_paths(self): -+ """ -+ Path should handle malformed paths. -+ """ -+ data = io.BytesIO() -+ zf = zipfile.ZipFile(data, "w") -+ zf.writestr("/one-slash.txt", b"content") -+ zf.writestr("//two-slash.txt", b"content") -+ zf.writestr("../parent.txt", b"content") -+ zf.filename = '' -+ root = zipfile.Path(zf) -+ assert list(map(str, root.iterdir())) == [ -+ 'one-slash.txt', -+ 'two-slash.txt', -+ 'parent.txt', -+ ] -diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py -index 78c4135..42f9fde 100644 ---- a/Lib/zipfile/_path/__init__.py -+++ b/Lib/zipfile/_path/__init__.py -@@ -83,7 +83,69 @@ class InitializedState: - super().__init__(*args, **kwargs) - - --class CompleteDirs(InitializedState, zipfile.ZipFile): -+class SanitizedNames: -+ """ -+ ZipFile mix-in to ensure names are sanitized. 
-+ """ -+ -+ def namelist(self): -+ return list(map(self._sanitize, super().namelist())) -+ -+ @staticmethod -+ def _sanitize(name): -+ r""" -+ Ensure a relative path with posix separators and no dot names. -+ -+ Modeled after -+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813 -+ but provides consistent cross-platform behavior. -+ -+ >>> san = SanitizedNames._sanitize -+ >>> san('/foo/bar') -+ 'foo/bar' -+ >>> san('//foo.txt') -+ 'foo.txt' -+ >>> san('foo/.././bar.txt') -+ 'foo/bar.txt' -+ >>> san('foo../.bar.txt') -+ 'foo../.bar.txt' -+ >>> san('\\foo\\bar.txt') -+ 'foo/bar.txt' -+ >>> san('D:\\foo.txt') -+ 'D/foo.txt' -+ >>> san('\\\\server\\share\\file.txt') -+ 'server/share/file.txt' -+ >>> san('\\\\?\\GLOBALROOT\\Volume3') -+ '?/GLOBALROOT/Volume3' -+ >>> san('\\\\.\\PhysicalDrive1\\root') -+ 'PhysicalDrive1/root' -+ -+ Retain any trailing slash. -+ >>> san('abc/') -+ 'abc/' -+ -+ Raises a ValueError if the result is empty. -+ >>> san('../..') -+ Traceback (most recent call last): -+ ... -+ ValueError: Empty filename -+ """ -+ -+ def allowed(part): -+ return part and part not in {'..', '.'} -+ -+ # Remove the drive letter. -+ # Don't use ntpath.splitdrive, because that also strips UNC paths -+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE) -+ clean = bare.replace('\\', '/') -+ parts = clean.split('/') -+ joined = '/'.join(filter(allowed, parts)) -+ if not joined: -+ raise ValueError("Empty filename") -+ return joined + '/' * name.endswith('/') -+ -+ -+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile): - """ - A ZipFile subclass that ensures that implied directories - are always included in the namelist. 
-diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst -new file mode 100644 -index 0000000..1be44c9 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst -@@ -0,0 +1 @@ -+:class:`zipfile.Path` objects now sanitize names from the zipfile. --- -2.40.0 diff --git a/meta/recipes-devtools/python/python3_3.12.5.bb b/meta/recipes-devtools/python/python3_3.12.6.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.12.5.bb rename to meta/recipes-devtools/python/python3_3.12.6.bb index 92109d58ce..ae69f0e781 100644 --- a/meta/recipes-devtools/python/python3_3.12.5.bb +++ b/meta/recipes-devtools/python/python3_3.12.6.bb 
@@ -35,15 +35,13 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_deadlock-skip-problematic-test.patch \ file://0001-test_active_children-skip-problematic-test.patch \ file://0001-test_readline-skip-limited-history-test.patch \ - file://CVE-2024-7592.patch \ - file://CVE-2024-8088.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ " -SRC_URI[sha256sum] = "fa8a2e12c5e620b09f53e65bcd87550d2e5a1e2e04bf8ba991dcc55113876397" +SRC_URI[sha256sum] = "1999658298cf2fb837dffed8ff3c033ef0c98ef20cf73c5d5f66bed5ab89697c" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" From patchwork Fri Sep 20 13:39:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49363 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28A6DC78850 for ; Fri, 20 Sep 2024 13:39:40 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web10.18442.1726839574657900077 for ; Fri, 20 Sep 2024 06:39:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=KzPvOQTZ; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-718e3c98b5aso1488969b3a.0 for ; Fri, 20 Sep 2024 06:39:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839574; x=1727444374; darn=lists.openembedded.org; 
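Review bot: in the python3_3.12.6.bb hunk of patch 06/16, the `file://CVE-2024-7592.patch` and `file://CVE-2024-8088.patch` entries are dropped on the strength of the commit message alone. Please confirm against the 3.12.6 sources that the regression tests the deleted patches carried (test_unquote and test_unquote_large in Lib/test/test_http_cookies.py, test_malformed_paths in Lib/test/test_zipfile/_path/test_path.py) are present, and say so in the commit message. With the patch files gone, their `CVE:` tags no longer mark these two CVEs as patched, so the recipe's CVE status now rests on the version number alone; the same applies to CVE-2024-6232 and CVE-2023-27043, which the message lists but this diff gives no way to check.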
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/16] buildhistory: Fix intermittent package file list creation Date: Fri, 20 Sep 2024 06:39:05 -0700 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Sep 2024 13:39:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204746 From: Pedro Ferreira The directory that buildhistory_list_pkg_files writes to during do_package is created by do_packagedata so a clean buildhistory doesn't have files-in-package written during the first build since packagedata happens after do_package. Ensure the output package folder is created to avoid missing files-in-package.txt files. Also it ensures that in case of `find` fails we leave with a hard error instead of hiding the error on the for loop. Signed-off-by: Pedro Silva Ferreira Signed-off-by: Richard Purdie (cherry picked from commit 8de9b8c1e199896b9a7bc5ed64967c6bfbf84bea) Signed-off-by: Steve Sakoman --- meta/classes/buildhistory.bbclass | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass index fd53e92402..d219519f86 100644 --- a/meta/classes/buildhistory.bbclass +++ b/meta/classes/buildhistory.bbclass 
@@ -599,15 +599,12 @@ buildhistory_list_files_no_owners() { buildhistory_list_pkg_files() { # Create individual files-in-package for each recipe's package - for pkgdir in $(find ${PKGDEST}/* -maxdepth 0 -type d); do + pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d) + for pkgdir in $pkgdirlist; do pkgname=$(basename $pkgdir) outfolder="${BUILDHISTORY_DIR_PACKAGE}/$pkgname" outfile="$outfolder/files-in-package.txt" - # Make sure the output folder exists so we can create the file - if [ ! -d $outfolder ] ; then - bbdebug 2 "Folder $outfolder does not exist, file $outfile not created" - continue - fi + mkdir -p $outfolder buildhistory_list_files $pkgdir $outfile fakeroot done } From patchwork Fri Sep 20 13:39:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49359 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E9242C78848 for ; Fri, 20 Sep 2024 13:39:39 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web10.18444.1726839576041132738 for ; Fri, 20 Sep 2024 06:39:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=YrVI467u; spf=softfail (domain: sakoman.com, ip: 209.85.210.171, mailfrom: steve@sakoman.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-719858156f4so1667614b3a.3 for ; Fri, 20 Sep 2024 06:39:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839575; x=1727444375; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to 
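Review bot: in buildhistory_list_pkg_files() (patch 07/16), the new `pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d)` line only turns a find failure into a hard error if the function runs with errexit, which the hunk does not show, and it also fails when ${PKGDEST} has no entries, because the unmatched `*` is then passed to find as a literal path. If a recipe can reach this function with an empty ${PKGDEST}, that is a new build failure; `find ${PKGDEST} -mindepth 1 -maxdepth 1 -type d` avoids the glob. The expansions in `for pkgdir in $pkgdirlist` and `mkdir -p $outfolder` are unquoted, so a build path containing whitespace is split into several words; quote at least the mkdir argument and the arguments to buildhistory_list_files.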
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/16] buildhistory: Restoring files from preserve list Date: Fri, 20 Sep 2024 06:39:06 -0700 Message-Id: <93ee5b0ee71a51daba9a332e8dba93d78a849677.1726839438.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Sep 2024 13:39:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204747 From: Pedro Ferreira This fix will ensure that, when we activate feature `BUILDHISTORY_RESET`, files marked to keep on feature `BUILDHISTORY_PRESERVE` will indeed exist is buildhistory final path since they are moved to buildhistory/old but not restored at any point. Signed-off-by: Pedro Ferreira Signed-off-by: Richard Purdie (cherry picked from commit 9f68a45aa238ae5fcdfaca71ba0e7015e9cb720e) Signed-off-by: Steve Sakoman --- meta/classes/buildhistory.bbclass | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass index d219519f86..08970aafea 100644 --- a/meta/classes/buildhistory.bbclass +++ b/meta/classes/buildhistory.bbclass @@ -110,6 +110,7 @@ python buildhistory_emit_pkghistory() { import json import shlex import errno + import shutil pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE') oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE') 
@@ -223,6 +224,20 @@ python buildhistory_emit_pkghistory() { items.sort() return ' '.join(items) + def preservebuildhistoryfiles(pkg, preserve): + if os.path.exists(os.path.join(oldpkghistdir, pkg)): + listofobjs = os.listdir(os.path.join(oldpkghistdir, pkg)) + for obj in listofobjs: + if obj not in preserve: + continue + try: + bb.utils.mkdirhier(os.path.join(pkghistdir, pkg)) + shutil.copyfile(os.path.join(oldpkghistdir, pkg, obj), os.path.join(pkghistdir, pkg, obj)) + except IOError as e: + bb.note("Unable to copy file. %s" % e) + except EnvironmentError as e: + bb.note("Unable to copy file. %s" % e) + pn = d.getVar('PN') pe = d.getVar('PE') or "0" pv = d.getVar('PV') 
@@ -250,6 +265,14 @@ python buildhistory_emit_pkghistory() { if not os.path.exists(pkghistdir): bb.utils.mkdirhier(pkghistdir) else: + # We need to make sure that all files kept in + # buildhistory/old are restored successfully + # otherwise next block of code wont have files to + # check and purge + if d.getVar("BUILDHISTORY_RESET"): + for pkg in packagelist: + preservebuildhistoryfiles(pkg, preserve) + # Remove files for packages that no longer exist for item in os.listdir(pkghistdir): if item not in preserve:
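Review bot: in preservebuildhistoryfiles() (the @@ -223 hunk) the second handler is dead code, because under Python 3 IOError and EnvironmentError are both aliases of OSError, so "except EnvironmentError" can never be reached after "except IOError". Collapse the two into a single "except OSError as e:". A failed copy is also reported only through bb.note(), so a preserved file that could not be restored goes missing without a visible warning; bb.warn() with the source and destination paths would make that diagnosable. The bb.utils.mkdirhier() call can move out of the loop, since the target directory is the same for every obj.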
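Review bot: the guard if d.getVar("BUILDHISTORY_RESET"): in the @@ -250 hunk tests string truthiness, so any non-empty value, "0" included, triggers the restore loop. If that matches how BUILDHISTORY_RESET is tested elsewhere in the class, say so in the comment; otherwise compare against the intended value. The comment above the guard has a typo ("wont") and could state outright that the restore has to run before the purge loop that follows it.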
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/16] buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage
Date: Fri, 20 Sep 2024 06:39:07 -0700
Message-Id: <466c505b779dec2ba790f4e6cde7fbb35037f4ef.1726839438.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204748

From: Richard Purdie

We planned to drop SSTATEPOSTINSTFUNC some time ago with the introduction of postfuncs. Finally get around to doing that, which should make the buildhistory code a little more readable.

Unfortunately ordering the buildhistory function calls after the sstate ones is difficult without coding that into the sstate class. This patch does that to ensure everything functions as expected until we can find a better way. This is still likely preferable to the generic sstate postfuncs support since the function flow is much more readable.

Signed-off-by: Richard Purdie
(cherry picked from commit c9e2a8fa2f0305ef1247ec405555612326f798f8)
Signed-off-by: Steve Sakoman
---
 meta/classes-global/sstate.bbclass | 5 +++-
 meta/classes/buildhistory.bbclass | 39 +++++++++++++++---------------
 2 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/meta/classes-global/sstate.bbclass b/meta/classes-global/sstate.bbclass index 76a7b59636..93df5fa9e6 100644 --- a/meta/classes-global/sstate.bbclass +++ b/meta/classes-global/sstate.bbclass
@@ -161,7 +161,10 @@ python () { d.setVar('SSTATETASKS', " ".join(unique_tasks)) for task in unique_tasks: d.prependVarFlag(task, 'prefuncs', "sstate_task_prefunc ") - d.appendVarFlag(task, 'postfuncs', " sstate_task_postfunc") + # Generally sstate should be last, execpt for buildhistory functions + postfuncs = (d.getVarFlag(task, 'postfuncs') or "").split() + newpostfuncs = [p for p in postfuncs if "buildhistory" not in p] + ["sstate_task_postfunc"] + [p for p in postfuncs if "buildhistory" in p] + d.setVarFlag(task, 'postfuncs', " ".join(newpostfuncs)) d.setVarFlag(task, 'network', '1') d.setVarFlag(task + "_setscene", 'network', '1') } diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass index 08970aafea..0b1bd518fe 100644 --- a/meta/classes/buildhistory.bbclass +++ b/meta/classes/buildhistory.bbclass 
@@ -47,11 +47,18 @@ BUILDHISTORY_PUSH_REPO ?= "" BUILDHISTORY_TAG ?= "build" BUILDHISTORY_PATH_PREFIX_STRIP ?= "" -SSTATEPOSTINSTFUNCS:append = " buildhistory_emit_pkghistory" -# We want to avoid influencing the signatures of sstate tasks - first the function itself: -sstate_install[vardepsexclude] += "buildhistory_emit_pkghistory" -# then the value added to SSTATEPOSTINSTFUNCS: -SSTATEPOSTINSTFUNCS[vardepvalueexclude] .= "| buildhistory_emit_pkghistory" +# We want to avoid influencing the signatures of the task so use vardepsexclude +do_populate_sysroot[postfuncs] += "buildhistory_emit_sysroot" +do_populate_sysroot_setscene[postfuncs] += "buildhistory_emit_sysroot" +do_populate_sysroot[vardepsexclude] += "buildhistory_emit_sysroot" + +do_package[postfuncs] += "buildhistory_list_pkg_files" +do_package_setscene[postfuncs] += "buildhistory_list_pkg_files" +do_package[vardepsexclude] += "buildhistory_list_pkg_files" + +do_packagedata[postfuncs] += "buildhistory_emit_pkghistory" +do_packagedata_setscene[postfuncs] += "buildhistory_emit_pkghistory" +do_packagedata[vardepsexclude] += "buildhistory_emit_pkghistory" # Similarly for our function that gets the output signatures SSTATEPOSTUNPACKFUNCS:append = " buildhistory_emit_outputsigs" 
@@ -91,27 +98,15 @@ buildhistory_emit_sysroot() { # Write out metadata about this package for comparison when writing future packages # python buildhistory_emit_pkghistory() { - if d.getVar('BB_CURRENTTASK') in ['populate_sysroot', 'populate_sysroot_setscene']: - bb.build.exec_func("buildhistory_emit_sysroot", d) - return 0 - - if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split(): - return 0 - - if d.getVar('BB_CURRENTTASK') in ['package', 'package_setscene']: - # Create files-in-.txt files containing a list of files of each recipe's package - bb.build.exec_func("buildhistory_list_pkg_files", d) - return 0 - - if not d.getVar('BB_CURRENTTASK') in ['packagedata', 'packagedata_setscene']: - return 0 - import re import json import shlex import errno import shutil + if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split(): + return 0 + pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE') oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE') 
@@ -621,6 +616,10 @@ buildhistory_list_files_no_owners() { } buildhistory_list_pkg_files() { + if [ "${@bb.utils.contains('BUILDHISTORY_FEATURES', 'package', '1', '0', d)}" = "0" ] ; then + return + fi + # Create individual files-in-package for each recipe's package pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d) for pkgdir in $pkgdirlist; do
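Review bot: the reordering added in the sstate.bbclass hunk picks functions with a substring test, "buildhistory" in p, so any postfunc whose name merely contains that string is moved behind sstate_task_postfunc, and the sstate class now hard-codes knowledge of another class by name. A prefix test such as p.startswith("buildhistory_"), or a variable listing the functions that must run after sstate, would be narrower. The two list comprehensions on one long line would read better as two named lists. Typo in the new comment: "execpt".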
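Review bot: in the @@ -47 hunk of buildhistory.bbclass each function is added to postfuncs of both the task and its _setscene variant, but vardepsexclude is set only on the non-setscene task (do_populate_sysroot, do_package, do_packagedata). If the setscene variants need no exclusion, the comment should say why, since its stated goal is to keep these functions out of the task signatures.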
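Review bot: with the BB_CURRENTTASK dispatch removed in the @@ -91 hunk, buildhistory_emit_pkghistory() is only correct while it is attached to do_packagedata and its setscene variant, and nothing in the function says so any more. A one-line comment at the top stating which tasks it is meant to run after would guard against it being added to another task's postfuncs later. The retained feature check is more idiomatic as "package" not in (...).split().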
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 10/16] qemu: back port patches to fix riscv64 build failure
Date: Fri, 20 Sep 2024 06:39:08 -0700
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204749

From: Chen Qi

Backport patches to fix riscv64 build failure.

Signed-off-by: Chen Qi
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/qemu/qemu.inc | 3 +
 ...kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch | 75 ++++++++++++
 ...kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch | 73 ++++++++++++
 ...cv-kvm-change-timer-regs-size-to-u64.patch | 107 ++++++++++++++++++
 4 files changed, 258 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index a1d8a309a0..e9f63b9eaf 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -49,6 +49,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2024-7409-0002.patch \ file://CVE-2024-7409-0003.patch \ file://CVE-2024-7409-0004.patch \ + file://0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch \ + file://0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch \ + file://0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch b/meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch new file mode 100644 index 0000000000..39a6a85162 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch 
@@ -0,0 +1,75 @@ +From bbdcc89678daa5cb131ef22a6cd41a5f7f9dcea9 Mon Sep 17 00:00:00 2001 +From: Daniel Henrique Barboza +Date: Fri, 8 Dec 2023 15:38:31 -0300 +Subject: [PATCH 1/3] target/riscv/kvm: change KVM_REG_RISCV_FP_F to u32 + +KVM_REG_RISCV_FP_F regs have u32 size according to the API, but by using +kvm_riscv_reg_id() in RISCV_FP_F_REG() we're returning u64 sizes when +running with TARGET_RISCV64. The most likely reason why no one noticed +this is because we're not implementing kvm_cpu_synchronize_state() in +RISC-V yet. + +Create a new helper that returns a KVM ID with u32 size and use it in +RISCV_FP_F_REG(). + +Reported-by: Andrew Jones +Signed-off-by: Daniel Henrique Barboza +Reviewed-by: Andrew Jones +Message-ID: <20231208183835.2411523-2-dbarboza@ventanamicro.com> +Signed-off-by: Alistair Francis +(cherry picked from commit 49c211ffca00fdf7c0c29072c224e88527a14838) +Signed-off-by: Michael Tokarev + +Upstream-Status: Backport [bbdcc89678daa5cb131ef22a6cd41a5f7f9dcea9] + +Signed-off-by: Chen Qi +--- + target/riscv/kvm/kvm-cpu.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c +index c1675158fe..2eef2be86a 100644 +--- a/target/riscv/kvm/kvm-cpu.c ++++ b/target/riscv/kvm/kvm-cpu.c +@@ -72,6 +72,11 @@ static uint64_t kvm_riscv_reg_id(CPURISCVState *env, uint64_t type, + return id; + } + ++static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx) ++{ ++ return KVM_REG_RISCV | KVM_REG_SIZE_U32 | type | idx; ++} ++ + #define RISCV_CORE_REG(env, name) kvm_riscv_reg_id(env, KVM_REG_RISCV_CORE, \ + KVM_REG_RISCV_CORE_REG(name)) + +@@ -81,7 +86,7 @@ static uint64_t kvm_riscv_reg_id(CPURISCVState *env, uint64_t type, + #define RISCV_TIMER_REG(env, name) kvm_riscv_reg_id(env, KVM_REG_RISCV_TIMER, \ + KVM_REG_RISCV_TIMER_REG(name)) + +-#define RISCV_FP_F_REG(env, idx) kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_F, idx) ++#define RISCV_FP_F_REG(idx) 
kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx) + + #define RISCV_FP_D_REG(env, idx) kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_D, idx) + +@@ -586,7 +591,7 @@ static int kvm_riscv_get_regs_fp(CPUState *cs) + if (riscv_has_ext(env, RVF)) { + uint32_t reg; + for (i = 0; i < 32; i++) { +- ret = kvm_get_one_reg(cs, RISCV_FP_F_REG(env, i), ®); ++ ret = kvm_get_one_reg(cs, RISCV_FP_F_REG(i), ®); + if (ret) { + return ret; + } +@@ -620,7 +625,7 @@ static int kvm_riscv_put_regs_fp(CPUState *cs) + uint32_t reg; + for (i = 0; i < 32; i++) { + reg = env->fpr[i]; +- ret = kvm_set_one_reg(cs, RISCV_FP_F_REG(env, i), ®); ++ ret = kvm_set_one_reg(cs, RISCV_FP_F_REG(i), ®); + if (ret) { + return ret; + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch b/meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch new file mode 100644 index 0000000000..9480d3e0b5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch 
@@ -0,0 +1,73 @@ +From 125b95d79e746cbab6b72683b3382dd372e38c61 Mon Sep 17 00:00:00 2001 +From: Daniel Henrique Barboza +Date: Fri, 8 Dec 2023 15:38:32 -0300 +Subject: [PATCH 2/3] target/riscv/kvm: change KVM_REG_RISCV_FP_D to u64 + +KVM_REG_RISCV_FP_D regs are always u64 size. Using kvm_riscv_reg_id() in +RISCV_FP_D_REG() ends up encoding the wrong size if we're running with +TARGET_RISCV32. + +Create a new helper that returns a KVM ID with u64 size and use it with +RISCV_FP_D_REG(). + +Reported-by: Andrew Jones +Signed-off-by: Daniel Henrique Barboza +Reviewed-by: Andrew Jones +Message-ID: <20231208183835.2411523-3-dbarboza@ventanamicro.com> +Signed-off-by: Alistair Francis +(cherry picked from commit 450bd6618fda3d2e2ab02b2fce1c79efd5b66084) +Signed-off-by: Michael Tokarev + +Upstream-Status: Backport [125b95d79e746cbab6b72683b3382dd372e38c61] + +Signed-off-by: Chen Qi +--- + target/riscv/kvm/kvm-cpu.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c +index 2eef2be86a..82ed4455a5 100644 +--- a/target/riscv/kvm/kvm-cpu.c ++++ b/target/riscv/kvm/kvm-cpu.c +@@ -77,6 +77,11 @@ static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx) + return KVM_REG_RISCV | KVM_REG_SIZE_U32 | type | idx; + } + ++static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx) ++{ ++ return KVM_REG_RISCV | KVM_REG_SIZE_U64 | type | idx; ++} ++ + #define RISCV_CORE_REG(env, name) kvm_riscv_reg_id(env, KVM_REG_RISCV_CORE, \ + KVM_REG_RISCV_CORE_REG(name)) + +@@ -88,7 +93,7 @@ static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx) + + #define RISCV_FP_F_REG(idx) kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx) + +-#define RISCV_FP_D_REG(env, idx) kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_D, idx) ++#define RISCV_FP_D_REG(idx) kvm_riscv_reg_id_u64(KVM_REG_RISCV_FP_D, idx) + + #define KVM_RISCV_GET_CSR(cs, env, csr, reg) \ + do { \ +@@ -579,7 +584,7 @@ static int 
kvm_riscv_get_regs_fp(CPUState *cs) + if (riscv_has_ext(env, RVD)) { + uint64_t reg; + for (i = 0; i < 32; i++) { +- ret = kvm_get_one_reg(cs, RISCV_FP_D_REG(env, i), ®); ++ ret = kvm_get_one_reg(cs, RISCV_FP_D_REG(i), ®); + if (ret) { + return ret; + } +@@ -613,7 +618,7 @@ static int kvm_riscv_put_regs_fp(CPUState *cs) + uint64_t reg; + for (i = 0; i < 32; i++) { + reg = env->fpr[i]; +- ret = kvm_set_one_reg(cs, RISCV_FP_D_REG(env, i), ®); ++ ret = kvm_set_one_reg(cs, RISCV_FP_D_REG(i), ®); + if (ret) { + return ret; + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch b/meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch new file mode 100644 index 0000000000..1ea1bcfe70 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch 
@@ -0,0 +1,107 @@ +From cbae1080988e0f1af0fb4c816205f7647f6de16f Mon Sep 17 00:00:00 2001 +From: Daniel Henrique Barboza +Date: Fri, 8 Dec 2023 15:38:33 -0300 +Subject: [PATCH 3/3] target/riscv/kvm: change timer regs size to u64 + +KVM_REG_RISCV_TIMER regs are always u64 according to the KVM API, but at +this moment we'll return u32 regs if we're running a RISCV32 target. + +Use the kvm_riscv_reg_id_u64() helper in RISCV_TIMER_REG() to fix it. + +Reported-by: Andrew Jones +Signed-off-by: Daniel Henrique Barboza +Reviewed-by: Andrew Jones +Message-ID: <20231208183835.2411523-4-dbarboza@ventanamicro.com> +Signed-off-by: Alistair Francis +(cherry picked from commit 10f86d1b845087d14b58d65dd2a6e3411d1b6529) +Signed-off-by: Michael Tokarev + +Upstream-Status: Backport [cbae1080988e0f1af0fb4c816205f7647f6de16f] + +Signed-off-by: Chen Qi +--- + target/riscv/kvm/kvm-cpu.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c +index 82ed4455a5..ddbe820e10 100644 +--- a/target/riscv/kvm/kvm-cpu.c ++++ b/target/riscv/kvm/kvm-cpu.c +@@ -88,7 +88,7 @@ static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx) + #define RISCV_CSR_REG(env, name) kvm_riscv_reg_id(env, KVM_REG_RISCV_CSR, \ + KVM_REG_RISCV_CSR_REG(name)) + +-#define RISCV_TIMER_REG(env, name) kvm_riscv_reg_id(env, KVM_REG_RISCV_TIMER, \ ++#define RISCV_TIMER_REG(name) kvm_riscv_reg_id_u64(KVM_REG_RISCV_TIMER, \ + KVM_REG_RISCV_TIMER_REG(name)) + + #define RISCV_FP_F_REG(idx) kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx) +@@ -111,17 +111,17 @@ static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx) + } \ + } while (0) + +-#define KVM_RISCV_GET_TIMER(cs, env, name, reg) \ ++#define KVM_RISCV_GET_TIMER(cs, name, reg) \ + do { \ +- int ret = kvm_get_one_reg(cs, RISCV_TIMER_REG(env, name), ®); \ ++ int ret = kvm_get_one_reg(cs, RISCV_TIMER_REG(name), ®); \ + if (ret) { \ + abort(); \ + } \ + } while (0) 
+ +-#define KVM_RISCV_SET_TIMER(cs, env, name, reg) \ ++#define KVM_RISCV_SET_TIMER(cs, name, reg) \ + do { \ +- int ret = kvm_set_one_reg(cs, RISCV_TIMER_REG(env, name), ®); \ ++ int ret = kvm_set_one_reg(cs, RISCV_TIMER_REG(name), ®); \ + if (ret) { \ + abort(); \ + } \ +@@ -649,10 +649,10 @@ static void kvm_riscv_get_regs_timer(CPUState *cs) + return; + } + +- KVM_RISCV_GET_TIMER(cs, env, time, env->kvm_timer_time); +- KVM_RISCV_GET_TIMER(cs, env, compare, env->kvm_timer_compare); +- KVM_RISCV_GET_TIMER(cs, env, state, env->kvm_timer_state); +- KVM_RISCV_GET_TIMER(cs, env, frequency, env->kvm_timer_frequency); ++ KVM_RISCV_GET_TIMER(cs, time, env->kvm_timer_time); ++ KVM_RISCV_GET_TIMER(cs, compare, env->kvm_timer_compare); ++ KVM_RISCV_GET_TIMER(cs, state, env->kvm_timer_state); ++ KVM_RISCV_GET_TIMER(cs, frequency, env->kvm_timer_frequency); + + env->kvm_timer_dirty = true; + } +@@ -666,8 +666,8 @@ static void kvm_riscv_put_regs_timer(CPUState *cs) + return; + } + +- KVM_RISCV_SET_TIMER(cs, env, time, env->kvm_timer_time); +- KVM_RISCV_SET_TIMER(cs, env, compare, env->kvm_timer_compare); ++ KVM_RISCV_SET_TIMER(cs, time, env->kvm_timer_time); ++ KVM_RISCV_SET_TIMER(cs, compare, env->kvm_timer_compare); + + /* + * To set register of RISCV_TIMER_REG(state) will occur a error from KVM +@@ -676,7 +676,7 @@ static void kvm_riscv_put_regs_timer(CPUState *cs) + * TODO If KVM changes, adapt here. + */ + if (env->kvm_timer_state) { +- KVM_RISCV_SET_TIMER(cs, env, state, env->kvm_timer_state); ++ KVM_RISCV_SET_TIMER(cs, state, env->kvm_timer_state); + } + + /* +@@ -685,7 +685,7 @@ static void kvm_riscv_put_regs_timer(CPUState *cs) + * during the migration. 
+ */ + if (migration_is_running(migrate_get_current()->state)) { +- KVM_RISCV_GET_TIMER(cs, env, frequency, reg); ++ KVM_RISCV_GET_TIMER(cs, frequency, reg); + if (reg != env->kvm_timer_frequency) { + error_report("Dst Hosts timer frequency != Src Hosts"); + } +-- +2.25.1 +
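Review bot: in the qemu.inc SRC_URI hunk, the three added patches are justified only by "fix riscv64 build failure", while their own descriptions are about KVM register size encoding (FP_F as u32, FP_D and the timer registers as u64) and none of them mentions a build error. Please state the actual failure and how these backports resolve it. The patches also have to stay in this order, since 0003 uses kvm_riscv_reg_id_u64() introduced by 0002 and 0002 is diffed against the result of 0001; recording that in the commit message would help whoever next touches the list.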
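Review bot: the Upstream-Status line in each of the three new patch files gives a bare hash, for example Backport [bbdcc89678daa5cb131ef22a6cd41a5f7f9dcea9], and that hash differs from the one in the same file's "(cherry picked from commit ...)" trailer. Name the repository or branch the bracketed hash comes from (a URL is easiest to verify) so a later reviewer can confirm the backport matches what upstream shipped.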
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 11/16] gcc: Fix spurious '/' in GLIBC_DYNAMIC_LINKER on microblaze
Date: Fri, 20 Sep 2024 06:39:09 -0700
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204750

From: Khem Raj
Signed-off-by: Khem Raj Cc: Mark Hatle Signed-off-by: Richard Purdie Backport from master OE-Core rev: f0eac82b9a1e4549b7d918df768c369ed7ab5183 Signed-off-by: Mark Hatle Signed-off-by: Steve Sakoman --- ...fine-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch b/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch index b0b77dbfa0..9de883c2c7 100644 --- a/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch +++ b/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch @@ -1,4 +1,4 @@ -From aacfd6e14dd583b1fdc65691def61c5e1bc89708 Mon Sep 17 00:00:00 2001 +From 4067ae345f0ff1fbf37c0348f2af09257513b817 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Fri, 29 Mar 2013 09:24:50 +0400 Subject: [PATCH] Define GLIBC_DYNAMIC_LINKER and UCLIBC_DYNAMIC_LINKER @@ -185,7 +185,7 @@ index aecaa02a199..62f88f7f9a2 100644 #undef GNU_USER_TARGET_LINK_SPEC #define GNU_USER_TARGET_LINK_SPEC \ diff --git a/gcc/config/microblaze/linux.h b/gcc/config/microblaze/linux.h -index e2e2c421c52..6f26480e3b5 100644 +index 5ed8ee518be..299d1a62c81 100644 --- a/gcc/config/microblaze/linux.h +++ b/gcc/config/microblaze/linux.h @@ -28,7 +28,7 @@ 
@@ -193,7 +193,7 @@ index e2e2c421c52..6f26480e3b5 100644 #define TLS_NEEDS_GOT 1 -#define GLIBC_DYNAMIC_LINKER "/lib/ld.so.1" -+#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "/ld.so.1" ++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld.so.1" #define UCLIBC_DYNAMIC_LINKER "/lib/ld-uClibc.so.0" #if TARGET_BIG_ENDIAN_DEFAULT == 0 /* LE */
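Review bot: the new microblaze definition, SYSTEMLIBS_DIR "ld.so.1", is only correct if SYSTEMLIBS_DIR always ends in '/', and neither this hunk nor the commit message, which has no body, shows where that is guaranteed. Please add a sentence saying where SYSTEMLIBS_DIR gets its trailing slash. The UCLIBC_DYNAMIC_LINKER line directly below still hard-codes "/lib/ld-uClibc.so.0"; if leaving it untouched is intentional for microblaze, that is worth stating too.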
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 12/16] udev-extraconf: Add collect flag to mount
Date: Fri, 20 Sep 2024 06:39:10 -0700
Message-Id: <33de458b758c2fe430b515ff419dd200ea97ca0b.1726839438.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204751

From: Colin McAllister

Adds extra "--collect" flag to the mount command within automount_systemd. This is intended to fix an observed deadlock after rapidly inserting and removing external media. This is because if the mount command fails, the transient mount will enter a failed state. The next time the media is inserted, automount_systemd bails because the first condition finds that the file path for the failed transient mount still exists. This leaves the external media unmounted and cannot be mounted until the mount is fixed via systemctl or the device is rebooted. Adding "--collect" ensures that the transient mount is cleaned up after entering a failed state, which ensures that the media can still be mounted when it's re-inserted.

(From OE-Core rev: f0cda74d73eb8c14cd6f695f514108f1e94984a6)

Signed-off-by: Colin McAllister
Signed-off-by: Richard Purdie
Signed-off-by: Steve Sakoman
---
 meta/recipes-core/udev/udev-extraconf/mount.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/udev/udev-extraconf/mount.sh b/meta/recipes-core/udev/udev-extraconf/mount.sh
index c19e2aa68a..eb84a468be 100644
--- a/meta/recipes-core/udev/udev-extraconf/mount.sh
+++ b/meta/recipes-core/udev/udev-extraconf/mount.sh
@@ -98,7 +98,7 @@ automount_systemd() { ;; esac - if ! $MOUNT --no-block -t auto $DEVNAME "$MOUNT_BASE/$name" + if ! $MOUNT --collect --no-block -t auto $DEVNAME "$MOUNT_BASE/$name" then #logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"$MOUNT_BASE/$name\" failed!" rm_dir "$MOUNT_BASE/$name" From patchwork Fri Sep 20 13:39:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49369 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3FD42C78855 for ; Fri, 20 Sep 2024 13:39:50 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web10.18452.1726839583381018310 for ; Fri, 20 Sep 2024 06:39:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=XtZB5ZW2; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-718e3c98b5aso1489068b3a.0 for ; Fri, 20 Sep 2024 06:39:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839583; x=1727444383; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=1U/qfF+QMPQgxpyxojf8ND9EuZHsbLWCN5UoZyTD6GA=; b=XtZB5ZW28rKEVGOGZVziw96shRfz8S6ztOBqggDaGbcr7kcRqQtRKuhqrJNDPBM8Gt xqvFgKdtKiZyxU8qMD4GGnH5V6ypWor3xMoA/g6aT5RReorOM6o3n1l0iLwf2gDSBMai PLeRRlwWJy6bkWHEbuuHdFVMrWL95SUNj2DWGN22BDaDIlPpHkbxR4eKJ/v9pD0XSvPW 
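Review bot: the `$MOUNT --collect --no-block` line in automount_systemd() needs a comment explaining why `--collect` is there, since the reason lives only in the commit message. Because `--no-block` returns before the mount job finishes, the `if !` branch does not see a mount that fails later, and that later failure is what leaves the transient unit behind; a comment such as `# --collect: drop the transient unit if it ends up failed` would do. On the same line, `$DEVNAME` is unquoted although `"$MOUNT_BASE/$name"` is quoted, and the commented-out logger text no longer matches the command being run.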
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 13/16] busybox: Fix cut with "-s" flag
Date: Fri, 20 Sep 2024 06:39:11 -0700
Message-Id: <5f75aaf0489f40bd35cdd27322e4d1189e30a9e4.1726839438.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204752

From: Colin McAllister

This fixes an issue that allows blank lines to be incorrectly output when the "-s" flag is included. This issue propagates into the populate-volatile.sh script in initscripts. If a volatiles drop file contains blank lines, a blank line will be included in combined users, which will incorrectly result in a difference in the number of combined users versus defined users. If this happens, the volatiles file will not be executed.

(From OE-Core rev: dfbcf0581ab3dd47037726a7b8aa06f777792473)

Signed-off-by: Colin McAllister
Signed-off-by: Richard Purdie
Signed-off-by: Steve Sakoman
---
 ...1-cut-Fix-s-flag-to-omit-blank-lines.patch | 66 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.36.1.bb | 1 +
 2 files changed, 67 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch

diff --git a/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch b/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
new file mode 100644
index 0000000000..a0a8607b23
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch
@@ -0,0 +1,66 @@ +From 199606e960942c29fd8085be812edd3d3697825c Mon Sep 17 00:00:00 2001 +From: Colin McAllister +Date: Wed, 17 Jul 2024 07:58:52 -0500 +Subject: [PATCH 1/1] cut: Fix "-s" flag to omit blank lines + +Using cut with the delimiter flag ("-d") with the "-s" flag to only +output lines containing the delimiter will print blank lines. This is +deviant behavior from cut provided by GNU Coreutils. Blank lines should +be omitted if "-s" is used with "-d". + +This change introduces a somewhat naiive, yet efficient solution, where +line length is checked before looping though bytes. If line length is +zero and the "-s" flag is used, the code will jump to parsing the next +line to avoid printing a newline character. + +In addition, a test to cut.tests has been added to ensure that this +regression is fixed and will not happen again in the future. + +Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2024-July/090834.html] + +Signed-off-by: Colin McAllister +--- + coreutils/cut.c | 6 ++++++ + testsuite/cut.tests | 9 +++++++++ + 2 files changed, 15 insertions(+) + +diff --git a/coreutils/cut.c b/coreutils/cut.c +index 55bdd9386..b7f986f26 100644 +--- a/coreutils/cut.c ++++ b/coreutils/cut.c +@@ -152,6 +152,12 @@ static void cut_file(FILE *file, const char *delim, const char *odelim, + unsigned uu = 0, start = 0, end = 0, out = 0; + int dcount = 0; + ++ /* Blank line? */ ++ if (!linelen) { ++ if (option_mask32 & CUT_OPT_SUPPRESS_FLGS) ++ goto next_line; ++ } ++ + /* Loop through bytes, finding next delimiter */ + for (;;) { + /* End of current range? 
*/ +diff --git a/testsuite/cut.tests b/testsuite/cut.tests +index 2458c019c..0b401bc00 100755 +--- a/testsuite/cut.tests ++++ b/testsuite/cut.tests +@@ -65,6 +65,15 @@ testing "cut with -d -f( ) -s" "cut -d' ' -f3 -s input && echo yes" "yes\n" "$in + testing "cut with -d -f(a) -s" "cut -da -f3 -s input" "n\nsium:Jim\n\ncion:Ed\n" "$input" "" + testing "cut with -d -f(a) -s -n" "cut -da -f3 -s -n input" "n\nsium:Jim\n\ncion:Ed\n" "$input" "" + ++input="\ ++ ++foo bar baz ++ ++bing bong boop ++ ++" ++testing "cut with -d -s omits blank lines" "cut -d' ' -f2 -s input" "bar\nbong\n" "$input" "" ++ + # substitute for awk + optional FEATURE_CUT_REGEX + testing "cut -DF" "cut -DF 2,7,5" \ +-- +2.43.0 + diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index bc1619d1a8..42dd5f71eb 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb 
@@ -56,6 +56,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-awk-fix-precedence-of-relative-to.patch \ file://0002-awk-fix-ternary-operator-and-precedence-of.patch \ file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \ + file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html From patchwork Fri Sep 20 13:39:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49371 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4DEFFC78854 for ; Fri, 20 Sep 2024 13:39:50 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.web10.18456.1726839584771113743 for ; Fri, 20 Sep 2024 06:39:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=REak2XH1; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-71788bfe60eso1699723b3a.1 for ; Fri, 20 Sep 2024 06:39:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839584; x=1727444384; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=hOva2QKKEeDG8Nigq/TFtCqcMMI4RCpYTZV0Lv22ouU=; b=REak2XH1YJsvAxPRTFEiFt6vMDEm+fBCgHQyJ7jHr2MGz3CegEEnpVn7MKoxu/eAnl 
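Review bot: the blank-line check added at the top of the per-line block in cut_file() (coreutils/cut.c) nests two `if`s where one condition is enough: `if (!linelen && (option_mask32 & CUT_OPT_SUPPRESS_FLGS)) goto next_line;`. The `/* Blank line? */` comment should also say that the skip applies only with -s, because as written the outer block does nothing when -s is absent. The embedded patch is marked Upstream-Status: Submitted, so it needs revisiting once upstream accepts or reworks it.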
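Review bot: the new case in testsuite/cut.tests reassigns `input`, the same variable the preceding `cut with -d -f(a) -s` tests pass as "$input", so any later test that still expects the earlier value would silently receive the blank-line fixture instead. A separately named variable for this fixture avoids that. The case also covers only the -s path; a companion run without -s, showing that blank lines are still printed there, would pin down the intended boundary of the fix.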
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/16] bluez5: remove redundant patch for MAX_INPUT Date: Fri, 20 Sep 2024 06:39:12 -0700 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Sep 2024 13:39:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204753 From: Guðni Már Gilbert The solution to the problem upstream was fixed by the following commit: https://github.com/bluez/bluez/commit/ca6546fe521360fcf905bc115b893f322e706cb2 Now MAX_INPUT is defined for non-glibc systems such as musl. This fix was added in BlueZ 5.67. Signed-off-by: Richard Purdie Signed-off-by: Guðni Már Gilbert Signed-off-by: Steve Sakoman --- meta/recipes-connectivity/bluez5/bluez5.inc | 1 - ...shared-util.c-include-linux-limits.h.patch | 27 ------------------- 2 files changed, 28 deletions(-) delete mode 100644 meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index a31d7076ba..3f2f096aac 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -54,7 +54,6 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ file://0001-test-gatt-Fix-hung-issue.patch \ - file://0004-src-shared-util.c-include-linux-limits.h.patch \ " S = "${WORKDIR}/bluez-${PV}" 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch b/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch deleted file mode 100644 index 516d859069..0000000000 --- a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From b53df61b41088b68c127ac76cc71683ac3453b9d Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin -Date: Mon, 12 Dec 2022 13:10:19 +0100 -Subject: [PATCH] src/shared/util.c: include linux/limits.h - -MAX_INPUT is defined in that file. This matters on non-glibc -systems such as those using musl. - -Upstream-Status: Submitted [to linux-bluetooth@vger.kernel.org,luiz.von.dentz@intel.com,frederic.danis@collabora.com] -Signed-off-by: Alexander Kanavin - ---- - src/shared/util.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/shared/util.c b/src/shared/util.c -index c0c2c4a..036dc0d 100644 ---- a/src/shared/util.c -+++ b/src/shared/util.c -@@ -23,6 +23,7 @@ - #include - #include - #include -+#include - #include - - #ifdef HAVE_SYS_RANDOM_H From patchwork Fri Sep 20 13:39:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49370 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25E70C78845 for ; Fri, 20 Sep 2024 13:39:50 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web10.18457.1726839586203764624 for ; Fri, 20 Sep 2024 06:39:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=vlJKpBGu; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-71979bf5e7aso1458613b3a.1 for ; Fri, 20 Sep 2024 06:39:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839585; x=1727444385; 
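Review bot: the SRC_URI hunk in bluez5.inc drops 0004-src-shared-util.c-include-linux-limits.h.patch on the grounds that upstream fixed this in BlueZ 5.67, but neither hunk shows which version the scarthgap recipe builds. The commit message should state the recipe version so the removal can be checked against 5.67. It also lacks the "cherry picked from commit" or "From OE-Core rev" reference that the neighbouring patches in this series carry.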
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 15/16] create-spdx-2.2.bbclass: Switch from exists to isfile checking debugsrc
Date: Fri, 20 Sep 2024 06:39:13 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204754

From: Mark Hatle

While debugsrc is almost always a file (or link), there are apparently cases where a directory could be returned from the dwarfsrcfiles processing. When this happens, the hashing fails and an error results when building the SPDX documents.

Signed-off-by: Mark Hatle
Signed-off-by: Mark Hatle
Signed-off-by: Richard Purdie
(cherry picked from commit 02e262c291c0b2066132b4cb2ca5fda8145284a9)
Signed-off-by: Mark Hatle
Signed-off-by: Steve Sakoman
---
 meta/classes/create-spdx-2.2.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index d104668ffd..ade1a04be3 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -315,7 +315,8 @@ def add_package_sources_from_debug(d, package_doc, spdx_package, package, packag debugsrc_path = search / debugsrc.replace('/usr/src/kernel/', '') else: debugsrc_path = search / debugsrc.lstrip("/") - if not debugsrc_path.exists(): + # We can only hash files below, skip directories, links, etc. + if not os.path.isfile(debugsrc_path): continue file_sha256 = bb.utils.sha256_file(debugsrc_path) From patchwork Fri Sep 20 13:39:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 49366 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2EA5CC78850 for ; Fri, 20 Sep 2024 13:39:50 +0000 (UTC) Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by mx.groups.io with SMTP id smtpd.web11.18283.1726839587793327400 for ; Fri, 20 Sep 2024 06:39:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=JzLdHDRM; spf=softfail (domain: sakoman.com, ip: 209.85.215.177, mailfrom: steve@sakoman.com) Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-7db637d1e4eso1532578a12.2 for ; Fri, 20 Sep 2024 06:39:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1726839587; x=1727444387; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=UKLbxdNbjzmsujrZaQbgrD+hD+Ssv0kYBG/XvjvuJj0=; b=JzLdHDRMUrQKq6yyJywSIwgobAxLlgZ0Ozh9bzbgYvMVBPoHLUas0nz7dBuHliYUW3 Mh7TXsZMLjJxHsxp7v/m/eC45QWNOZE/QFg+ZmM9Ywor4fftA/78gUxKbm2SZBn4LBcP 
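Review bot: the comment added in add_package_sources_from_debug() says links are skipped, but os.path.isfile() follows symlinks, so a link that resolves to a regular file still passes the check and gets hashed. Reword the comment to match, for example "skip directories and anything that is not a regular file". Since debugsrc_path is built with the `/` operator, `debugsrc_path.is_file()` would keep the check in pathlib style, as the removed `.exists()` call was, and would not depend on `os` being imported in this class.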
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 16/16] bind: Fix build with the `httpstats` package config enabled
Date: Fri, 20 Sep 2024 06:39:14 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204755

From: Alban Bedel

To: openembedded-core@lists.openembedded.org
CC: Alban Bedel
Subject: [PATCH] bind: Fix build with the `httpstats` package config enabled
Date: Wed, 11 Sep 2024 08:26:47 +0200

When the `httpstats` package config is enabled configure fails with the error:

> configure: error: Specifying libxml2 installation path is not
> supported, adjust PKG_CONFIG_PATH instead

Drop the explicit path from `--with-libxml2` to solve this issue.

Signed-off-by: Alban Bedel
Signed-off-by: Richard Purdie
(cherry picked from commit 9b076fa51f5e6fd685066fb817c47239960778e6)
Signed-off-by: Steve Sakoman
---
 meta/recipes-connectivity/bind/bind_9.18.28.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/bind/bind_9.18.28.bb b/meta/recipes-connectivity/bind/bind_9.18.28.bb
index ca2aef233b..4b0948298e 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.28.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.28.bb
@@ -34,7 +34,7 @@ inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-a # PACKAGECONFIGs readline and libedit should NOT be set at same time PACKAGECONFIG ?= "readline" -PACKAGECONFIG[httpstats] = "--with-libxml2=${STAGING_DIR_HOST}${prefix},--without-libxml2,libxml2" +PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2" PACKAGECONFIG[readline] = "--with-readline=readline,,readline" PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit" PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
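Review bot: the changed PACKAGECONFIG[httpstats] line would benefit from a one-line comment that libxml2 is now located through pkg-config, since the configure error quoted in the commit message says an explicit path is rejected and a later edit may be tempted to add it back. The `pkgconfig` class in the inherit line shown in the hunk header is what this relies on.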