From patchwork Tue Feb 18 21:15:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57561 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7147EC021AA for ; Tue, 18 Feb 2025 21:15:38 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.web10.7511.1739913335497911239 for ; Tue, 18 Feb 2025 13:15:35 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=yU2VULUd; spf=softfail (domain: sakoman.com, ip: 209.85.216.41, mailfrom: steve@sakoman.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-2fbfa8c73a6so11120481a91.2 for ; Tue, 18 Feb 2025 13:15:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1739913335; x=1740518135; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=UgkwGBuc+6zeBCYAlgEWZccrljlNra4lbnIdRVBll+w=; b=yU2VULUdVyLVeazfcLDeGphLLh6xko6iXnIb9/dpdPCkdwwZg536sHyLBWA1zzA2Nl qhYrPvLh1h+MLfsBlbmHR0KIL1wETr0TXhvkRwpcdqF11oGdEfHjahZPYofZC7Jt++gu LidQcVq52WSMIoJpxCHLvZ0iA/wfpUMfyUsc6vojN2sEhjnQnlzucahic/Np3H/8Wuef 2W2iU8laRs9/hR5RhuHUJGim+5ZJyoupjzJtooH0oEI5ggbWeSfG/rBNdLrQ9KplOwKF dKYodW3dJUY9nfJaEAHK+J60/PDrfPFqtM3QspkRHaA96mjQN1O4VemeZEzl9Lk3gSK5 YI5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739913335; x=1740518135; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=UgkwGBuc+6zeBCYAlgEWZccrljlNra4lbnIdRVBll+w=; b=lnLIS+zJ4/sGBhRAnkjpsbRMMO38kLdvGllxRwk6318Os8xapY16VIojU5N3XRNuqz 21SqqQsJkhxl3u0L5dPpYh0fS3POHPixFvcwqYlzQeS/EDYxGvL/Yl/RlLXxwcqaHCq7 AGMi74qC/XSsPe7JIlIPFH22L/vriFsnNaPNLH9AF5tfWlQPctKcIEORpmM+/WPaGdXL bXTdqXv7BYgUXJU/glAZ9HgR1XDIwCIiaJfIpfNimLV/BGbXMb8WaSydhzJyGP7pMZZg C1SW3laYlvO49o9pW65VelKA+rrZ0OPKi+BtFUxLNrqRwXde1HQdY119wNM5cCQRQ1EQ T3TA== X-Gm-Message-State: AOJu0YxekcO1SgoxkIQPDqI50scWSJOll1Y/+7yrXsVJIh4RbdgbUbjx 4+pnJiFtx0006KTsVoCalF+76pDzbk3TuRCoYlFZiSogmRR6S3zvttEz3ia78g7G7pcvB75zdGE 3 X-Gm-Gg: ASbGncthr7nuQqi/JOOY0QlRHNy6WU36v5g1i1yvno31tDoDmRubX4YKgA6RTBh7hwE kIx99sSwOZ/zp5SXPxNAxq13V6zN8z4l3AOjkiPwofsLPT0+FwbAXPbwuE5/mcGj00x8C3WAUGp h7shW6/lMCsBLGWUtDchvVw0INWYxe2XBmAIOMZK2ouKdFcam2ETiNojKEc6wB/2AqYGulfYTSq 4nZyv6PEKshPoCeMj2JbH6xbNKYCrS3FER5T+1b7AEor+BCnrU+7y1cykgRJGTnw8YDkIGjkeQo f/iTFqo= X-Google-Smtp-Source: AGHT+IGENnL68Nl97jSLf5Tjrje71wKCLq0uoyfqeLPgQq/2RGzXH77oFnRW+BCXAAgLIFdkwLe2Hg== X-Received: by 2002:a17:90b:3b46:b0:2ee:b0b0:8e02 with SMTP id 98e67ed59e1d1-2fc410404a5mr22797560a91.28.1739913334740; Tue, 18 Feb 2025 13:15:34 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:83c7:94a9:a555:bf05]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-220d5349056sm93720055ad.22.2025.02.18.13.15.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 13:15:34 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 1/7] subversion: ignore CVE-2024-45720 Date: Tue, 18 Feb 2025 13:15:19 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:15:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211653 From: Peter Marko Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720 This CVE is relevant only for subversion running on Windows. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-devtools/subversion/subversion_1.14.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/subversion/subversion_1.14.3.bb b/meta/recipes-devtools/subversion/subversion_1.14.3.bb index 1ef3d498a5..679228cbb8 100644 --- a/meta/recipes-devtools/subversion/subversion_1.14.3.bb +++ b/meta/recipes-devtools/subversion/subversion_1.14.3.bb @@ -19,6 +19,8 @@ inherit autotools pkgconfig gettext python3native CVE_PRODUCT = "apache:subversion" +CVE_STATUS[CVE-2024-45720] = "not-applicable-platform: Issue only applies on Windows" + PACKAGECONFIG ?= "" PACKAGECONFIG[boost] = "--with-boost=${RECIPE_SYSROOT}${exec_prefix},--without-boost,boost" From patchwork Tue Feb 18 21:15:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57560 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F87DC021AD for ; Tue, 18 Feb 2025 21:15:38 +0000 (UTC) Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com [209.85.216.48]) by mx.groups.io with SMTP id smtpd.web10.7512.1739913337643989888 for ; Tue, 18 Feb 2025 13:15:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=DZegzJ4h; spf=softfail (domain: sakoman.com, ip: 209.85.216.48, mailfrom: steve@sakoman.com) Received: by mail-pj1-f48.google.com with SMTP id 98e67ed59e1d1-2fc11834404so8459132a91.0 for ; Tue, 18 Feb 2025 13:15:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1739913337; x=1740518137; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=fGoSpPwMJPid39ZB1MKDW+lZAxOulD2ilL/dXzXS+RI=; b=DZegzJ4hVwzKSQd1QcTYVX6eKOwIoUwTRIJ2ioi240NNJvC/8O0fch5Qn4BkAPygSE +53ipoo2wyEHxBBfmVvDH7s/S5jSCNsKgPdbQjrNz2omQt89CtDDZDd7bz4tqABCZUbW W0pgLEYKORlMNpaHV/0NTT1Zp5bKyK1qOCGGeO0KdFsSx31FqsabrHQ3tpvbkpaguW8R sHDiIsK1Lcz49bAYFrpyxx71iwi98lbpSUX2c3AwmbeZrEcV9+Hf6aThpDcLIsriq5Dr 7p7Y82+Hp63RJKOXTrPMQfvlVp2b/aV431LVPx76DHA//4cm7GU6JI7y9ofoSyMaO57b undA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739913337; x=1740518137; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fGoSpPwMJPid39ZB1MKDW+lZAxOulD2ilL/dXzXS+RI=; b=aMAB5ZGg+MVUJqmIQK635b8CxHIF+nfBOfyKvr1KftTnkfmC+k6HSHcLY6zXJumt0V e8WWnDCcBNrANZu0dOsdM6qpWanSl8KaYcJrXID8XEI7Q62AFPvdWAU/NrBf8bL0Vvlm IXvDLvww+KDWVBCaaVqemUxjA8A0VE/25PG5aF1vjzyHbkez/UcN6HUB9FTCw3IKEClz miO45qePY8/If4ovZyPhQ4xB0DARCE6iJdWwIjdusGEZsEFCJAynf1tBZRqVgaYz5WK/ gSzGGemAv4PpCcKB77o2TelPoK3GXyb6+7eOHF/VPrU9Y14Q03laEzhxAvpXfi3ROFrX Ppyg== X-Gm-Message-State: AOJu0YwYUq9y8+XBhIWW6atuVzWo5Td3Q2Knn83aJ2tBk9DHT5ByeKDO 0WS9Cm2vAaw3IkLIEd4trBMImNOhHM3UREeGzxetAN0184yXbsaLE6KsTOV5fRvvNiUOXN+amfb q X-Gm-Gg: ASbGncsnVA8FN8nzjnELL0qFDbYvC1/tdimuHFn4PtMSepJuTKBC83HW5VX3XTuXcnm Xrvlnu6/kHp/4VtRqPckPC8PDi+4ionyFoLUymVHgFOWJVGwjf+VQlK66qZMONCqtSL/FsKNcMt PgXonmIHQJmM7cAiMe3bv4OFDAq4FbZfeod+4pDxq29XJtrZCOfN1bBfiRSOkqhHK1SS/n+CLZ6 l0As07/z1yMVsG1lXo/3TLPfPrnkHOfz1NXuLdUC/abrs6mn2huW4sMpo55TxkFj3mHA3voxCGY F09nZZU= X-Google-Smtp-Source: AGHT+IGv3aGlxjSiJdEhwKxz16onVwbjCQnh7SUHxKloDfiXDrzCJkZTw1M0Sao/yGcEmVS93RHEkw== X-Received: by 2002:a17:90b:17c7:b0:2ee:cd83:8fe7 with SMTP id 98e67ed59e1d1-2fc411679e8mr23204101a91.35.1739913336520; Tue, 18 Feb 2025 13:15:36 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:83c7:94a9:a555:bf05]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-220d5349056sm93720055ad.22.2025.02.18.13.15.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 13:15:36 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 2/7] gnutls: patch CVE-2024-12243 Date: Tue, 18 Feb 2025 13:15:20 -0800 Message-ID: <0a2c61707ff34b00cc559f0570d8d6aeadfaad40.1739913090.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:15:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211654 From: Peter Marko Backport following patch to address this CVE: https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../gnutls/gnutls/CVE-2024-12243.patch | 1149 +++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 + 2 files changed, 1150 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch new file mode 100644 index 0000000000..a7af87718f --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch @@ -0,0 +1,1149 @@ +From 4760bc63531e3f5039e70ede91a20e1194410892 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 18 Nov 2024 17:23:46 +0900 +Subject: [PATCH] x509: optimize name constraints processing + +This switches the representation name constraints from linked lists to +array lists to optimize the lookup performance from O(n) to O(1), also +enforces a limit of name constraint checks against subject alternative +names. + +Signed-off-by: Daiki Ueno + +CVE: CVE-2024-12243 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892] +Signed-off-by: Peter Marko +--- + lib/datum.c | 7 +- + lib/x509/name_constraints.c | 595 +++++++++++++++++++++--------------- + lib/x509/x509_ext.c | 80 +++-- + lib/x509/x509_ext_int.h | 5 + + lib/x509/x509_int.h | 21 +- + 5 files changed, 399 insertions(+), 309 deletions(-) + +diff --git a/lib/datum.c b/lib/datum.c +index 66e016965..5577c2b4a 100644 +--- a/lib/datum.c ++++ b/lib/datum.c +@@ -29,6 +29,7 @@ + #include "num.h" + #include "datum.h" + #include "errors.h" ++#include "intprops.h" + + /* On error, @dat is not changed. */ + int _gnutls_set_datum(gnutls_datum_t *dat, const void *data, size_t data_size) +@@ -60,7 +61,11 @@ int _gnutls_set_strdatum(gnutls_datum_t *dat, const void *data, + if (data == NULL) + return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + +- unsigned char *m = gnutls_malloc(data_size + 1); ++ size_t capacity; ++ if (!INT_ADD_OK(data_size, 1, &capacity)) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ unsigned char *m = gnutls_malloc(capacity); + if (!m) + return GNUTLS_E_MEMORY_ERROR; + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 8327a9d94..3c6e30630 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -33,51 +33,98 @@ + #include + #include "x509_b64.h" + #include "x509_int.h" ++#include "x509_ext_int.h" + #include + + #include "ip.h" + #include "ip-in-cidr.h" ++#include "intprops.h" ++ ++#define MAX_NC_CHECKS (1 << 20) ++ ++struct name_constraints_node_st { ++ unsigned type; ++ gnutls_datum_t name; ++}; ++ ++struct name_constraints_node_list_st { ++ struct name_constraints_node_st **data; ++ size_t size; ++ size_t capacity; ++}; ++ ++struct gnutls_name_constraints_st { ++ struct name_constraints_node_list_st nodes; /* owns elements */ ++ struct name_constraints_node_list_st permitted; /* borrows elements */ ++ struct name_constraints_node_list_st excluded; /* borrows elements */ ++}; ++ ++static struct name_constraints_node_st * ++name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, ++ unsigned char *data, unsigned int size); ++ ++static int ++name_constraints_node_list_add(struct name_constraints_node_list_st *list, ++ struct name_constraints_node_st *node) ++{ ++ if (!list->capacity || list->size == list->capacity) { ++ size_t new_capacity = list->capacity; ++ struct name_constraints_node_st **new_data; ++ ++ if (!INT_MULTIPLY_OK(new_capacity, 2, &new_capacity) || ++ !INT_ADD_OK(new_capacity, 1, &new_capacity)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ new_data = _gnutls_reallocarray( ++ list->data, new_capacity, ++ sizeof(struct name_constraints_node_st *)); ++ if (!new_data) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ list->capacity = new_capacity; ++ list->data = new_data; ++ } ++ list->data[list->size++] = node; ++ return 0; ++} + + // for documentation see the implementation +-static int +-name_constraints_intersect_nodes(name_constraints_node_st *nc1, +- name_constraints_node_st *nc2, +- name_constraints_node_st **intersection); ++static int name_constraints_intersect_nodes( ++ gnutls_x509_name_constraints_t nc, ++ const struct name_constraints_node_st *node1, ++ const struct name_constraints_node_st *node2, ++ struct name_constraints_node_st **intersection); + + /*- +- * is_nc_empty: ++ * _gnutls_x509_name_constraints_is_empty: + * @nc: name constraints structure +- * @type: type (gnutls_x509_subject_alt_name_t) ++ * @type: type (gnutls_x509_subject_alt_name_t or 0) + * + * Test whether given name constraints structure has any constraints (permitted + * or excluded) of a given type. @nc must be allocated (not NULL) before the call. ++ * If @type is 0, type checking will be skipped. + * +- * Returns: 0 if @nc contains constraints of type @type, 1 otherwise ++ * Returns: false if @nc contains constraints of type @type, true otherwise + -*/ +-static unsigned is_nc_empty(struct gnutls_name_constraints_st *nc, +- unsigned type) ++bool _gnutls_x509_name_constraints_is_empty(gnutls_x509_name_constraints_t nc, ++ unsigned type) + { +- name_constraints_node_st *t; ++ if (nc->permitted.size == 0 && nc->excluded.size == 0) ++ return true; + +- if (nc->permitted == NULL && nc->excluded == NULL) +- return 1; ++ if (type == 0) ++ return false; + +- t = nc->permitted; +- while (t != NULL) { +- if (t->type == type) +- return 0; +- t = t->next; ++ for (size_t i = 0; i < nc->permitted.size; i++) { ++ if (nc->permitted.data[i]->type == type) ++ return false; + } + +- t = nc->excluded; +- while (t != NULL) { +- if (t->type == type) +- return 0; +- t = t->next; ++ for (size_t i = 0; i < nc->excluded.size; i++) { ++ if (nc->excluded.data[i]->type == type) ++ return false; + } + + /* no constraint for that type exists */ +- return 1; ++ return true; + } + + /*- +@@ -115,21 +162,16 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type, + return GNUTLS_E_SUCCESS; + } + +-int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, +- name_constraints_node_st **_nc) ++static int extract_name_constraints(gnutls_x509_name_constraints_t nc, ++ asn1_node c2, const char *vstr, ++ struct name_constraints_node_list_st *nodes) + { + int ret; + char tmpstr[128]; + unsigned indx; + gnutls_datum_t tmp = { NULL, 0 }; + unsigned int type; +- struct name_constraints_node_st *nc, *prev; +- +- prev = *_nc; +- if (prev != NULL) { +- while (prev->next != NULL) +- prev = prev->next; +- } ++ struct name_constraints_node_st *node; + + for (indx = 1;; indx++) { + snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx); +@@ -172,25 +214,19 @@ int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, + goto cleanup; + } + +- nc = gnutls_malloc(sizeof(struct name_constraints_node_st)); +- if (nc == NULL) { ++ node = name_constraints_node_new(nc, type, tmp.data, tmp.size); ++ _gnutls_free_datum(&tmp); ++ if (node == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + +- memcpy(&nc->name, &tmp, sizeof(gnutls_datum_t)); +- nc->type = type; +- nc->next = NULL; +- +- if (prev == NULL) { +- *_nc = prev = nc; +- } else { +- prev->next = nc; +- prev = nc; ++ ret = name_constraints_node_list_add(nodes, node); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- +- tmp.data = NULL; + } + + assert(ret < 0); +@@ -205,84 +241,104 @@ cleanup: + return ret; + } + ++int _gnutls_x509_name_constraints_extract(asn1_node c2, ++ const char *permitted_name, ++ const char *excluded_name, ++ gnutls_x509_name_constraints_t nc) ++{ ++ int ret; ++ ++ ret = extract_name_constraints(nc, c2, permitted_name, &nc->permitted); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ret = extract_name_constraints(nc, c2, excluded_name, &nc->excluded); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ return ret; ++} ++ + /*- +- * _gnutls_name_constraints_node_free: ++ * name_constraints_node_free: + * @node: name constraints node + * +- * Deallocate a list of name constraints nodes starting at the given node. ++ * Deallocate a name constraints node. + -*/ +-void _gnutls_name_constraints_node_free(name_constraints_node_st *node) ++static void name_constraints_node_free(struct name_constraints_node_st *node) + { +- name_constraints_node_st *next, *t; +- +- t = node; +- while (t != NULL) { +- next = t->next; +- gnutls_free(t->name.data); +- gnutls_free(t); +- t = next; ++ if (node) { ++ gnutls_free(node->name.data); ++ gnutls_free(node); + } + } + + /*- + * name_constraints_node_new: + * @type: name constraints type to set (gnutls_x509_subject_alt_name_t) ++ * @nc: a %gnutls_x509_name_constraints_t + * @data: name.data to set or NULL + * @size: name.size to set + * + * Allocate a new name constraints node and set its type, name size and name data. +- * If @data is set to NULL, name data will be an array of \x00 (the length of @size). +- * The .next pointer is set to NULL. + * + * Returns: Pointer to newly allocated node or NULL in case of memory error. + -*/ +-static name_constraints_node_st * +-name_constraints_node_new(unsigned type, unsigned char *data, unsigned int size) ++static struct name_constraints_node_st * ++name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, ++ unsigned char *data, unsigned int size) + { +- name_constraints_node_st *tmp = +- gnutls_malloc(sizeof(struct name_constraints_node_st)); ++ struct name_constraints_node_st *tmp; ++ int ret; ++ ++ tmp = gnutls_calloc(1, sizeof(struct name_constraints_node_st)); + if (tmp == NULL) + return NULL; + tmp->type = type; +- tmp->next = NULL; +- tmp->name.size = size; +- tmp->name.data = NULL; +- if (tmp->name.size > 0) { +- tmp->name.data = gnutls_malloc(tmp->name.size); +- if (tmp->name.data == NULL) { ++ ++ if (data) { ++ ret = _gnutls_set_strdatum(&tmp->name, data, size); ++ if (ret < 0) { ++ gnutls_assert(); + gnutls_free(tmp); + return NULL; + } +- if (data != NULL) { +- memcpy(tmp->name.data, data, size); +- } else { +- memset(tmp->name.data, 0, size); +- } + } ++ ++ ret = name_constraints_node_list_add(&nc->nodes, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ name_constraints_node_free(tmp); ++ return NULL; ++ } ++ + return tmp; + } + + /*- +- * @brief _gnutls_name_constraints_intersect: +- * @_nc: first name constraints list (permitted) +- * @_nc2: name constraints list to merge with (permitted) +- * @_nc_excluded: Corresponding excluded name constraints list ++ * @brief name_constraints_node_list_intersect: ++ * @nc: %gnutls_x509_name_constraints_t ++ * @permitted: first name constraints list (permitted) ++ * @permitted2: name constraints list to merge with (permitted) ++ * @excluded: Corresponding excluded name constraints list + * +- * This function finds the intersection of @_nc and @_nc2. The result is placed in @_nc, +- * the original @_nc is deallocated. @_nc2 is not changed. If necessary, a universal ++ * This function finds the intersection of @permitted and @permitted2. The result is placed in @permitted, ++ * the original @permitted is modified. @permitted2 is not changed. If necessary, a universal + * excluded name constraint node of the right type is added to the list provided +- * in @_nc_excluded. ++ * in @excluded. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. + -*/ +-static int +-_gnutls_name_constraints_intersect(name_constraints_node_st **_nc, +- name_constraints_node_st *_nc2, +- name_constraints_node_st **_nc_excluded) ++static int name_constraints_node_list_intersect( ++ gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *permitted, ++ const struct name_constraints_node_list_st *permitted2, ++ struct name_constraints_node_list_st *excluded) + { +- name_constraints_node_st *nc, *nc2, *t, *tmp, *dest = NULL, +- *prev = NULL; ++ struct name_constraints_node_st *tmp; + int ret, type, used; ++ struct name_constraints_node_list_st removed = { .data = NULL, ++ .size = 0, ++ .capacity = 0 }; + + /* temporary array to see, if we need to add universal excluded constraints + * (see phase 3 for details) +@@ -291,61 +347,73 @@ _gnutls_name_constraints_intersect(name_constraints_node_st **_nc, + memset(types_with_empty_intersection, 0, + sizeof(types_with_empty_intersection)); + +- if (*_nc == NULL || _nc2 == NULL) ++ if (permitted->size == 0 || permitted2->size == 0) + return 0; + + /* Phase 1 +- * For each name in _NC, if a _NC2 does not contain a name +- * with the same type, preserve the original name. +- * Do this also for node of unknown type (not DNS, email, IP */ +- t = nc = *_nc; +- while (t != NULL) { +- name_constraints_node_st *next = t->next; +- nc2 = _nc2; +- while (nc2 != NULL) { +- if (t->type == nc2->type) { ++ * For each name in PERMITTED, if a PERMITTED2 does not contain a name ++ * with the same type, move the original name to REMOVED. ++ * Do this also for node of unknown type (not DNS, email, IP) */ ++ for (size_t i = 0; i < permitted->size;) { ++ struct name_constraints_node_st *t = permitted->data[i]; ++ const struct name_constraints_node_st *found = NULL; ++ ++ for (size_t j = 0; j < permitted2->size; j++) { ++ const struct name_constraints_node_st *t2 = ++ permitted2->data[j]; ++ if (t->type == t2->type) { + // check bounds (we will use 't->type' as index) +- if (t->type > GNUTLS_SAN_MAX || t->type == 0) +- return gnutls_assert_val( +- GNUTLS_E_INTERNAL_ERROR); ++ if (t->type > GNUTLS_SAN_MAX || t->type == 0) { ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; ++ } + // note the possibility of empty intersection for this type + // if we add something to the intersection in phase 2, + // we will reset this flag back to 0 then + types_with_empty_intersection[t->type - 1] = 1; ++ found = t2; + break; + } +- nc2 = nc2->next; + } +- if (nc2 == NULL || (t->type != GNUTLS_SAN_DNSNAME && +- t->type != GNUTLS_SAN_RFC822NAME && +- t->type != GNUTLS_SAN_IPADDRESS)) { +- /* move node from NC to DEST */ +- if (prev != NULL) +- prev->next = next; +- else +- prev = nc = next; +- t->next = dest; +- dest = t; +- } else { +- prev = t; ++ ++ if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME || ++ t->type == GNUTLS_SAN_RFC822NAME || ++ t->type == GNUTLS_SAN_IPADDRESS)) { ++ /* move node from PERMITTED to REMOVED */ ++ ret = name_constraints_node_list_add(&removed, t); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ /* remove node by swapping */ ++ if (i < permitted->size - 1) ++ permitted->data[i] = ++ permitted->data[permitted->size - 1]; ++ permitted->size--; ++ continue; + } +- t = next; ++ i++; + } + + /* Phase 2 +- * iterate through all combinations from nc2 and nc1 ++ * iterate through all combinations from PERMITTED2 and PERMITTED + * and create intersections of nodes with same type */ +- nc2 = _nc2; +- while (nc2 != NULL) { +- // current nc2 node has not yet been used for any intersection +- // (and is not in DEST either) ++ for (size_t i = 0; i < permitted2->size; i++) { ++ const struct name_constraints_node_st *t2 = permitted2->data[i]; ++ ++ // current PERMITTED2 node has not yet been used for any intersection ++ // (and is not in REMOVED either) + used = 0; +- t = nc; +- while (t != NULL) { ++ for (size_t j = 0; j < removed.size; j++) { ++ const struct name_constraints_node_st *t = ++ removed.data[j]; + // save intersection of name constraints into tmp +- ret = name_constraints_intersect_nodes(t, nc2, &tmp); +- if (ret < 0) +- return gnutls_assert_val(ret); ++ ret = name_constraints_intersect_nodes(nc, t, t2, &tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } + used = 1; + // if intersection is not empty + if (tmp != +@@ -360,32 +428,34 @@ _gnutls_name_constraints_intersect(name_constraints_node_st **_nc, + // we will not add universal excluded constraint for this type + types_with_empty_intersection[tmp->type - 1] = + 0; +- // add intersection node to DEST +- tmp->next = dest; +- dest = tmp; ++ // add intersection node to PERMITTED ++ ret = name_constraints_node_list_add(permitted, ++ tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } + } +- t = t->next; + } +- // if the node from nc2 was not used for intersection, copy it to DEST ++ // if the node from PERMITTED2 was not used for intersection, copy it to DEST + // Beware: also copies nodes other than DNS, email, IP, + // since their counterpart may have been moved in phase 1. + if (!used) { + tmp = name_constraints_node_new( +- nc2->type, nc2->name.data, nc2->name.size); ++ nc, t2->type, t2->name.data, t2->name.size); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(permitted, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- tmp->next = dest; +- dest = tmp; + } +- nc2 = nc2->next; + } + +- /* replace the original with the new */ +- _gnutls_name_constraints_node_free(nc); +- *_nc = dest; +- + /* Phase 3 + * For each type: If we have empty permitted name constraints now + * and we didn't have at the beginning, we have to add a new +@@ -400,63 +470,77 @@ _gnutls_name_constraints_intersect(name_constraints_node_st **_nc, + switch (type) { + case GNUTLS_SAN_IPADDRESS: + // add universal restricted range for IPv4 +- tmp = name_constraints_node_new(GNUTLS_SAN_IPADDRESS, +- NULL, 8); ++ tmp = name_constraints_node_new( ++ nc, GNUTLS_SAN_IPADDRESS, NULL, 8); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- tmp->next = *_nc_excluded; +- *_nc_excluded = tmp; + // add universal restricted range for IPv6 +- tmp = name_constraints_node_new(GNUTLS_SAN_IPADDRESS, +- NULL, 32); ++ tmp = name_constraints_node_new( ++ nc, GNUTLS_SAN_IPADDRESS, NULL, 32); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- tmp->next = *_nc_excluded; +- *_nc_excluded = tmp; + break; + case GNUTLS_SAN_DNSNAME: + case GNUTLS_SAN_RFC822NAME: +- tmp = name_constraints_node_new(type, NULL, 0); ++ tmp = name_constraints_node_new(nc, type, NULL, 0); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- tmp->next = *_nc_excluded; +- *_nc_excluded = tmp; + break; + default: // do nothing, at least one node was already moved in phase 1 + break; + } + } +- return GNUTLS_E_SUCCESS; ++ ret = GNUTLS_E_SUCCESS; ++ ++cleanup: ++ gnutls_free(removed.data); ++ return ret; + } + +-static int _gnutls_name_constraints_append(name_constraints_node_st **_nc, +- name_constraints_node_st *_nc2) ++static int name_constraints_node_list_concat( ++ gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *nodes, ++ const struct name_constraints_node_list_st *nodes2) + { +- name_constraints_node_st *nc, *nc2; +- struct name_constraints_node_st *tmp; +- +- if (_nc2 == NULL) +- return 0; +- +- nc2 = _nc2; +- while (nc2) { +- nc = *_nc; +- +- tmp = name_constraints_node_new(nc2->type, nc2->name.data, +- nc2->name.size); +- if (tmp == NULL) ++ for (size_t i = 0; i < nodes2->size; i++) { ++ const struct name_constraints_node_st *node = nodes2->data[i]; ++ struct name_constraints_node_st *tmp; ++ int ret; ++ ++ tmp = name_constraints_node_new(nc, node->type, node->name.data, ++ node->name.size); ++ if (tmp == NULL) { + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- tmp->next = nc; +- *_nc = tmp; +- +- nc2 = nc2->next; ++ } ++ ret = name_constraints_node_list_add(nodes, tmp); ++ if (ret < 0) { ++ name_constraints_node_free(tmp); ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } + } + + return 0; +@@ -524,6 +608,25 @@ cleanup: + return ret; + } + ++void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc) ++{ ++ for (size_t i = 0; i < nc->nodes.size; i++) { ++ struct name_constraints_node_st *node = nc->nodes.data[i]; ++ name_constraints_node_free(node); ++ } ++ gnutls_free(nc->nodes.data); ++ nc->nodes.capacity = 0; ++ nc->nodes.size = 0; ++ ++ gnutls_free(nc->permitted.data); ++ nc->permitted.capacity = 0; ++ nc->permitted.size = 0; ++ ++ gnutls_free(nc->excluded.data); ++ nc->excluded.capacity = 0; ++ nc->excluded.size = 0; ++} ++ + /** + * gnutls_x509_name_constraints_deinit: + * @nc: The nameconstraints +@@ -534,9 +637,7 @@ cleanup: + **/ + void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc) + { +- _gnutls_name_constraints_node_free(nc->permitted); +- _gnutls_name_constraints_node_free(nc->excluded); +- ++ _gnutls_x509_name_constraints_clear(nc); + gnutls_free(nc); + } + +@@ -552,12 +653,15 @@ void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc) + **/ + int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc) + { +- *nc = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st)); +- if (*nc == NULL) { ++ struct gnutls_name_constraints_st *tmp; ++ ++ tmp = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st)); ++ if (tmp == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + ++ *nc = tmp; + return 0; + } + +@@ -565,36 +669,25 @@ static int name_constraints_add(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t *name, unsigned permitted) + { +- struct name_constraints_node_st *tmp, *prev = NULL; ++ struct name_constraints_node_st *tmp; ++ struct name_constraints_node_list_st *nodes; + int ret; + + ret = validate_name_constraints_node(type, name); + if (ret < 0) + return gnutls_assert_val(ret); + +- if (permitted != 0) +- prev = tmp = nc->permitted; +- else +- prev = tmp = nc->excluded; ++ nodes = permitted ? &nc->permitted : &nc->excluded; + +- while (tmp != NULL) { +- tmp = tmp->next; +- if (tmp != NULL) +- prev = tmp; +- } +- +- tmp = name_constraints_node_new(type, name->data, name->size); ++ tmp = name_constraints_node_new(nc, type, name->data, name->size); + if (tmp == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- tmp->next = NULL; + +- if (prev == NULL) { +- if (permitted != 0) +- nc->permitted = tmp; +- else +- nc->excluded = tmp; +- } else +- prev->next = tmp; ++ ret = name_constraints_node_list_add(nodes, tmp); ++ if (ret < 0) { ++ name_constraints_node_free(tmp); ++ return gnutls_assert_val(ret); ++ } + + return 0; + } +@@ -620,14 +713,15 @@ int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc, + { + int ret; + +- ret = _gnutls_name_constraints_intersect(&nc->permitted, nc2->permitted, +- &nc->excluded); ++ ret = name_constraints_node_list_intersect( ++ nc, &nc->permitted, &nc2->permitted, &nc->excluded); + if (ret < 0) { + gnutls_assert(); + return ret; + } + +- ret = _gnutls_name_constraints_append(&nc->excluded, nc2->excluded); ++ ret = name_constraints_node_list_concat(nc, &nc->excluded, ++ &nc2->excluded); + if (ret < 0) { + gnutls_assert(); + return ret; +@@ -804,50 +898,51 @@ static unsigned email_matches(const gnutls_datum_t *name, + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. + -*/ +-static int +-name_constraints_intersect_nodes(name_constraints_node_st *nc1, +- name_constraints_node_st *nc2, +- name_constraints_node_st **_intersection) ++static int name_constraints_intersect_nodes( ++ gnutls_x509_name_constraints_t nc, ++ const struct name_constraints_node_st *node1, ++ const struct name_constraints_node_st *node2, ++ struct name_constraints_node_st **_intersection) + { + // presume empty intersection +- name_constraints_node_st *intersection = NULL; +- name_constraints_node_st *to_copy = NULL; ++ struct name_constraints_node_st *intersection = NULL; ++ const struct name_constraints_node_st *to_copy = NULL; + unsigned iplength = 0; + unsigned byte; + + *_intersection = NULL; + +- if (nc1->type != nc2->type) { ++ if (node1->type != node2->type) { + return GNUTLS_E_SUCCESS; + } +- switch (nc1->type) { ++ switch (node1->type) { + case GNUTLS_SAN_DNSNAME: +- if (!dnsname_matches(&nc2->name, &nc1->name)) ++ if (!dnsname_matches(&node2->name, &node1->name)) + return GNUTLS_E_SUCCESS; +- to_copy = nc2; ++ to_copy = node2; + break; + case GNUTLS_SAN_RFC822NAME: +- if (!email_matches(&nc2->name, &nc1->name)) ++ if (!email_matches(&node2->name, &node1->name)) + return GNUTLS_E_SUCCESS; +- to_copy = nc2; ++ to_copy = node2; + break; + case GNUTLS_SAN_IPADDRESS: +- if (nc1->name.size != nc2->name.size) ++ if (node1->name.size != node2->name.size) + return GNUTLS_E_SUCCESS; +- iplength = nc1->name.size / 2; ++ iplength = node1->name.size / 2; + for (byte = 0; byte < iplength; byte++) { +- if (((nc1->name.data[byte] ^ +- nc2->name.data[byte]) // XOR of addresses +- & +- nc1->name.data[byte + iplength] // AND mask from nc1 +- & +- nc2->name.data[byte + iplength]) // AND mask from nc2 ++ if (((node1->name.data[byte] ^ ++ node2->name.data[byte]) // XOR of addresses ++ & node1->name.data[byte + ++ iplength] // AND mask from nc1 ++ & node2->name.data[byte + ++ iplength]) // AND mask from nc2 + != 0) { + // CIDRS do not intersect + return GNUTLS_E_SUCCESS; + } + } +- to_copy = nc2; ++ to_copy = node2; + break; + default: + // for other types, we don't know how to do the intersection, assume empty +@@ -856,8 +951,9 @@ name_constraints_intersect_nodes(name_constraints_node_st *nc1, + + // copy existing node if applicable + if (to_copy != NULL) { +- *_intersection = name_constraints_node_new( +- to_copy->type, to_copy->name.data, to_copy->name.size); ++ *_intersection = name_constraints_node_new(nc, to_copy->type, ++ to_copy->name.data, ++ to_copy->name.size); + if (*_intersection == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + intersection = *_intersection; +@@ -869,12 +965,12 @@ name_constraints_intersect_nodes(name_constraints_node_st *nc1, + _gnutls_mask_ip(intersection->name.data, + intersection->name.data + iplength, + iplength); +- _gnutls_mask_ip(nc1->name.data, +- nc1->name.data + iplength, iplength); ++ _gnutls_mask_ip(node1->name.data, ++ node1->name.data + iplength, iplength); + // update intersection, if necessary (we already know one is subset of other) + for (byte = 0; byte < 2 * iplength; byte++) { + intersection->name.data[byte] |= +- nc1->name.data[byte]; ++ node1->name.data[byte]; + } + } + } +@@ -1177,10 +1273,17 @@ gnutls_x509_name_constraints_check_crt(gnutls_x509_name_constraints_t nc, + unsigned idx, t, san_type; + gnutls_datum_t n; + unsigned found_one; ++ size_t checks; + +- if (is_nc_empty(nc, type) != 0) ++ if (_gnutls_x509_name_constraints_is_empty(nc, type) != 0) + return 1; /* shortcut; no constraints to check */ + ++ if (!INT_ADD_OK(nc->permitted.size, nc->excluded.size, &checks) || ++ !INT_MULTIPLY_OK(checks, cert->san->size, &checks) || ++ checks > MAX_NC_CHECKS) { ++ return gnutls_assert_val(0); ++ } ++ + if (type == GNUTLS_SAN_RFC822NAME) { + found_one = 0; + for (idx = 0;; idx++) { +@@ -1378,20 +1481,13 @@ int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc + unsigned idx, unsigned *type, + gnutls_datum_t *name) + { +- unsigned int i; +- struct name_constraints_node_st *tmp = nc->permitted; ++ const struct name_constraints_node_st *tmp; + +- for (i = 0; i < idx; i++) { +- if (tmp == NULL) +- return gnutls_assert_val( +- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); +- +- tmp = tmp->next; +- } +- +- if (tmp == NULL) ++ if (idx >= nc->permitted.size) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + ++ tmp = nc->permitted.data[idx]; ++ + *type = tmp->type; + *name = tmp->name; + +@@ -1421,20 +1517,13 @@ int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc, + unsigned idx, unsigned *type, + gnutls_datum_t *name) + { +- unsigned int i; +- struct name_constraints_node_st *tmp = nc->excluded; ++ const struct name_constraints_node_st *tmp; + +- for (i = 0; i < idx; i++) { +- if (tmp == NULL) +- return gnutls_assert_val( +- GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); +- +- tmp = tmp->next; +- } +- +- if (tmp == NULL) ++ if (idx >= nc->excluded.size) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + ++ tmp = nc->excluded.data[idx]; ++ + *type = tmp->type; + *name = tmp->name; + +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +index ad3af1430..064ca8357 100644 +--- a/lib/x509/x509_ext.c ++++ b/lib/x509/x509_ext.c +@@ -34,10 +34,6 @@ + #include "intprops.h" + + #define MAX_ENTRIES 64 +-struct gnutls_subject_alt_names_st { +- struct name_st *names; +- unsigned int size; +-}; + + /** + * gnutls_subject_alt_names_init: +@@ -389,22 +385,15 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t *ext, + } + + if (flags & GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND && +- (nc->permitted != NULL || nc->excluded != NULL)) { ++ !_gnutls_x509_name_constraints_is_empty(nc, 0)) { + ret = gnutls_x509_name_constraints_init(&nc2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + +- ret = _gnutls_extract_name_constraints(c2, "permittedSubtrees", +- &nc2->permitted); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- ret = _gnutls_extract_name_constraints(c2, "excludedSubtrees", +- &nc2->excluded); ++ ret = _gnutls_x509_name_constraints_extract( ++ c2, "permittedSubtrees", "excludedSubtrees", nc2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -416,18 +405,10 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t *ext, + goto cleanup; + } + } else { +- _gnutls_name_constraints_node_free(nc->permitted); +- _gnutls_name_constraints_node_free(nc->excluded); ++ _gnutls_x509_name_constraints_clear(nc); + +- ret = _gnutls_extract_name_constraints(c2, "permittedSubtrees", +- &nc->permitted); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- ret = _gnutls_extract_name_constraints(c2, "excludedSubtrees", +- &nc->excluded); ++ ret = _gnutls_x509_name_constraints_extract( ++ c2, "permittedSubtrees", "excludedSubtrees", nc); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -463,9 +444,10 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + int ret, result; + uint8_t null = 0; + asn1_node c2 = NULL; +- struct name_constraints_node_st *tmp; ++ unsigned rtype; ++ gnutls_datum_t rname; + +- if (nc->permitted == NULL && nc->excluded == NULL) ++ if (_gnutls_x509_name_constraints_is_empty(nc, 0)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + result = asn1_create_element(_gnutls_get_pkix(), +@@ -475,11 +457,20 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + return _gnutls_asn2err(result); + } + +- if (nc->permitted == NULL) { ++ ret = gnutls_x509_name_constraints_get_permitted(nc, 0, &rtype, &rname); ++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + (void)asn1_write_value(c2, "permittedSubtrees", NULL, 0); + } else { +- tmp = nc->permitted; +- do { ++ for (unsigned i = 0;; i++) { ++ ret = gnutls_x509_name_constraints_get_permitted( ++ nc, i, &rtype, &rname); ++ if (ret < 0) { ++ if (ret == ++ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ++ break; ++ gnutls_assert(); ++ goto cleanup; ++ } + result = asn1_write_value(c2, "permittedSubtrees", + "NEW", 1); + if (result != ASN1_SUCCESS) { +@@ -506,21 +497,29 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + } + + ret = _gnutls_write_general_name( +- c2, "permittedSubtrees.?LAST.base", tmp->type, +- tmp->name.data, tmp->name.size); ++ c2, "permittedSubtrees.?LAST.base", rtype, ++ rname.data, rname.size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } +- tmp = tmp->next; +- } while (tmp != NULL); ++ } + } + +- if (nc->excluded == NULL) { ++ ret = gnutls_x509_name_constraints_get_excluded(nc, 0, &rtype, &rname); ++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + (void)asn1_write_value(c2, "excludedSubtrees", NULL, 0); + } else { +- tmp = nc->excluded; +- do { ++ for (unsigned i = 0;; i++) { ++ ret = gnutls_x509_name_constraints_get_excluded( ++ nc, i, &rtype, &rname); ++ if (ret < 0) { ++ if (ret == ++ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ++ break; ++ gnutls_assert(); ++ goto cleanup; ++ } + result = asn1_write_value(c2, "excludedSubtrees", "NEW", + 1); + if (result != ASN1_SUCCESS) { +@@ -546,14 +545,13 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + } + + ret = _gnutls_write_general_name( +- c2, "excludedSubtrees.?LAST.base", tmp->type, +- tmp->name.data, tmp->name.size); ++ c2, "excludedSubtrees.?LAST.base", rtype, ++ rname.data, rname.size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } +- tmp = tmp->next; +- } while (tmp != NULL); ++ } + } + + ret = _gnutls_x509_der_encode(c2, "", ext, 0); +diff --git a/lib/x509/x509_ext_int.h b/lib/x509/x509_ext_int.h +index 558d61956..b37d74997 100644 +--- a/lib/x509/x509_ext_int.h ++++ b/lib/x509/x509_ext_int.h +@@ -29,6 +29,11 @@ struct name_st { + gnutls_datum_t othername_oid; + }; + ++struct gnutls_subject_alt_names_st { ++ struct name_st *names; ++ unsigned int size; ++}; ++ + int _gnutls_alt_name_process(gnutls_datum_t *out, unsigned type, + const gnutls_datum_t *san, unsigned raw); + +diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h +index 4ec55bd75..211743ced 100644 +--- a/lib/x509/x509_int.h ++++ b/lib/x509/x509_int.h +@@ -485,20 +485,13 @@ int _gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, + int crl_list_length, + gnutls_verify_output_function func); + +-typedef struct gnutls_name_constraints_st { +- struct name_constraints_node_st *permitted; +- struct name_constraints_node_st *excluded; +-} gnutls_name_constraints_st; +- +-typedef struct name_constraints_node_st { +- unsigned type; +- gnutls_datum_t name; +- struct name_constraints_node_st *next; +-} name_constraints_node_st; +- +-int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, +- name_constraints_node_st **_nc); +-void _gnutls_name_constraints_node_free(name_constraints_node_st *node); ++bool _gnutls_x509_name_constraints_is_empty(gnutls_x509_name_constraints_t nc, ++ unsigned type); ++int _gnutls_x509_name_constraints_extract(asn1_node c2, ++ const char *permitted_name, ++ const char *excluded_name, ++ gnutls_x509_name_constraints_t nc); ++void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc); + int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc, + gnutls_x509_name_constraints_t nc2); + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 20139b4dd4..e77960724b 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb @@ -23,6 +23,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \ file://run-ptest \ file://Add-ptest-support.patch \ + file://CVE-2024-12243.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b" From patchwork Tue Feb 18 21:15:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57563 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 515E7C021AA for ; Tue, 18 Feb 2025 21:15:48 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web11.7320.1739913339348280988 for ; Tue, 18 Feb 2025 13:15:39 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=HpT+ppyn; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-220d132f16dso86893895ad.0 for ; Tue, 18 Feb 2025 13:15:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1739913339; x=1740518139; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=5df8Ac8UNmjeAZ96Cmvj9cSwCpDVCIn7SUrffYNpOTQ=; b=HpT+ppynbvuG2JMkwX/HFENMyLMCNY3dAQPJXfp4PYQyl7GXwOvGBJspTv4bhdCcyM PofWdBKJ0QrYBh0q6wbCgy7YBep+ljEE2b7dEHKoOrdnoytXQrTlYsB/UhTrsj1im6fv YDcWvrktpOGIdtrweURUq+KlHqeWGd5MhX81/m9jzxiBHF8us39lAMQy0Q20Nctgfn9u bN+ZtiL1wXZTVF/EF2wTXiFe7Ds7yj/qPCbG0OtXmmJGsvAJPe1dC5bUVFEYERLIl0Lb SKEOCBFKQddszaraVu+RTo+XRncg9wdS3bnFeuGC3qvPretjH3IXmQz5oyo5LHy8D0+r TqCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739913339; x=1740518139; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5df8Ac8UNmjeAZ96Cmvj9cSwCpDVCIn7SUrffYNpOTQ=; b=nliQfD9Mf237wKGuCam0bFl4phR2YrsYmhXarUVpPu/MLHmapYPgCZBfDxx8OEZdM1 hYCfHiP6tTWUJrXTwny/zpDaBK9lg1yQQ4caEbETwe9mMegEpPv4N1Oi1OXUypiHaei4 0qAn/rDT8nDF1bkPVr+lk4GR40LeIg9aYSe6iAWbtjRWQp6kD/BdavGAawwWvPmPMGl7 nR/5aiKbNHofibOuqdaMmGPt9T8ABkZXANCi8OHeNnypDGzvwt39B3nh2BTgF+TgkXaH us6sZBxLtUTibNEqKlkfQ+epvCu4FOUgbLnQ5Tp5p8dA035whFqsjZjFY/BgR0nL2xAJ rIKQ== X-Gm-Message-State: AOJu0YzCSt7hi5A1ZAcoLIWA8SBwlt6+1J0zbWbhCY6G9bh80gT0kRHu 1/Yw8guPVWDseqd3Kx//zxmuadjSyudxYiCABdryIYCXQFo8kcm/Q5VrgAe9eRWeaGfetJC1bRF M X-Gm-Gg: ASbGncv6tSas93QH280W7UfpIE0Nt1RiIUwZaKoTXJ3dkXm3Qnfv1eXJLRqusV6S2hw aB6uHXfxdn84JGup5mZ4/ShEOt0k9OnSZADKV1OX0A77K5l4QCsnandT6f84GrcJBA3c5cWlNPt 4KKryLAughbzjj9/7jAT8TzqsgxkPMJr7VgRnsvsT4k8bXHh1HYUnjUQZD2yErK3Z7y8h1x2fYx yrsh6fgzoHx+ZF4TJGkGdFMeWLixCGx0naTDda0JWkz2OZeBdAbLrZsR34whoa6G9v9G6UTHu0/ Rs6pEYk= X-Google-Smtp-Source: AGHT+IHyKv5hCZuw8SItKFQ3fu2R4zTUaRUihKwyVA35tckfRzwrTB8qbCxDY7RPYJ98BHAfx9q03w== X-Received: by 2002:a17:903:32c5:b0:220:c2a8:6fbc with SMTP id d9443c01a7336-221711a75camr16590835ad.34.1739913338404; Tue, 18 Feb 2025 13:15:38 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:83c7:94a9:a555:bf05]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-220d5349056sm93720055ad.22.2025.02.18.13.15.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 13:15:37 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 3/7] openssl: upgrade 3.2.3 -> 3.2.4 Date: Tue, 18 Feb 2025 13:15:21 -0800 Message-ID: <5c4372723bf804383e5bcc98aeb6fe17ae38a24e.1739913090.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:15:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211655 From: Peter Marko Release information: https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-323-and-openssl-324-11-feb-2025 Handles CVE-2024-12797 in addition to already patched CVEs. Refresh patches and remove CVE patches included in the new version. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- ...ke-history-reporting-when-test-fails.patch | 40 ++-- ...1-Configure-do-not-tweak-mips-cflags.patch | 2 +- ...sysroot-and-debug-prefix-map-from-co.patch | 4 +- .../openssl/openssl/CVE-2024-13176.patch | 126 ----------- .../openssl/openssl/CVE-2024-9143.patch | 202 ------------------ .../{openssl_3.2.3.bb => openssl_3.2.4.bb} | 4 +- 6 files changed, 24 insertions(+), 354 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch rename meta/recipes-connectivity/openssl/{openssl_3.2.3.bb => openssl_3.2.4.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch index 9baa0c2d75..b05d7abf7c 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch @@ -8,10 +8,10 @@ Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481] Signed-off-by: William Lyu Signed-off-by: Siddharth Doshi --- - test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++---------- + test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++---------- test/helpers/handshake.h | 70 +++++++++++++++++++- test/ssl_test.c | 44 +++++++++++++ - 3 files changed, 218 insertions(+), 35 deletions(-) + 3 files changed, 217 insertions(+), 34 deletions(-) diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c index e0422469e4..ae2ad59dd4 100644 @@ -20,7 +20,7 @@ index e0422469e4..ae2ad59dd4 100644 @@ -24,6 +24,102 @@ #include #endif - + +/* Shamelessly copied from test/helpers/ssl_test_ctx.c */ +/* Maps string names to various enumeration type */ +typedef struct { @@ -120,10 +120,10 @@ index e0422469e4..ae2ad59dd4 100644 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) { HANDSHAKE_RESULT *ret; -@@ -719,15 +815,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client, +@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client, SSL_set_post_handshake_auth(client, 1); } - + -/* The status for each connection phase. */ -typedef enum { - PEER_SUCCESS, @@ -136,10 +136,10 @@ index e0422469e4..ae2ad59dd4 100644 /* An SSL object and associated read-write buffers. */ typedef struct peer_st { SSL *ssl; -@@ -1074,17 +1161,6 @@ static void do_shutdown_step(PEER *peer) +@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer) } } - + -typedef enum { - HANDSHAKE, - RENEG_APPLICATION_DATA, @@ -154,10 +154,10 @@ index e0422469e4..ae2ad59dd4 100644 static int renegotiate_op(const SSL_TEST_CTX *test_ctx) { switch (test_ctx->handshake_mode) { -@@ -1162,19 +1238,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, +@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, } } - + -typedef enum { - /* Both parties succeeded. */ - HANDSHAKE_SUCCESS, @@ -174,10 +174,10 @@ index e0422469e4..ae2ad59dd4 100644 /* * Determine the handshake outcome. * last_status: the status of the peer to have acted last. -@@ -1539,6 +1602,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( - +@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( + start = time(NULL); - + + save_loop_history(&(ret->history), + phase, status, server.status, client.status, + client_turn_count, client_turn); @@ -185,10 +185,10 @@ index e0422469e4..ae2ad59dd4 100644 /* * Half-duplex handshake loop. * Client and server speak to each other synchronously in the same process. -@@ -1560,6 +1627,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( +@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( 0 /* server went last */); } - + + save_loop_history(&(ret->history), + phase, status, server.status, client.status, + client_turn_count, client_turn); @@ -208,9 +208,9 @@ index 78b03f9f4b..b9967c2623 100644 * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,6 +12,11 @@ - + #include "ssl_test_ctx.h" - + +#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4 +#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) +#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \ @@ -222,7 +222,7 @@ index 78b03f9f4b..b9967c2623 100644 @@ -22,6 +27,63 @@ typedef struct ctx_data_st { char *session_ticket_app_data; } CTX_DATA; - + +typedef enum { + HANDSHAKE, + RENEG_APPLICATION_DATA, @@ -290,12 +290,12 @@ index 78b03f9f4b..b9967c2623 100644 + /* handshake loop history */ + HANDSHAKE_HISTORY history; } HANDSHAKE_RESULT; - + HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); @@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, CTX_DATA *server2_ctx_data, CTX_DATA *client_ctx_data); - + +const char *handshake_connect_phase_name(connect_phase_t phase); +const char *handshake_status_name(handshake_status_t handshake_status); +const char *handshake_peer_status_name(peer_status_t peer_status); @@ -308,7 +308,7 @@ index ea608518f9..9d6b093c81 100644 @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL; /* Currently the section names are of the form test-, e.g. test-15. */ #define MAX_TESTCASE_NAME_LENGTH 100 - + +static void print_handshake_history(const HANDSHAKE_HISTORY *history) +{ + size_t first_idx; diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index 502a7aaf32..3f6ab97795 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -20,7 +20,7 @@ diff --git a/Configure b/Configure index 4569952..adf019b 100755 --- a/Configure +++ b/Configure -@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) +@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) push @{$config{shared_ldflag}}, "-mno-cygwin"; } diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch index bafdbaa46f..ce2acb2462 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -38,7 +38,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl =================================================================== --- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl +++ openssl-3.0.4/Configurations/unix-Makefile.tmpl -@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl +@@ -481,13 +481,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) @@ -67,7 +67,7 @@ Index: openssl-3.0.4/crypto/build.info =================================================================== --- openssl-3.0.4.orig/crypto/build.info +++ openssl-3.0.4/crypto/build.info -@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF +@@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF DEPEND[info.o]=buildinf.h DEPEND[cversion.o]=buildinf.h diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch deleted file mode 100644 index 28d4dd706a..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch +++ /dev/null @@ -1,126 +0,0 @@ -From 4b1cb94a734a7d4ec363ac0a215a25c181e11f65 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Wed, 15 Jan 2025 18:27:02 +0100 -Subject: [PATCH] Fix timing side-channel in ECDSA signature computation - -There is a timing signal of around 300 nanoseconds when the top word of -the inverted ECDSA nonce value is zero. This can happen with significant -probability only for some of the supported elliptic curves. In particular -the NIST P-521 curve is affected. To be able to measure this leak, the -attacker process must either be located in the same physical computer or -must have a very fast network connection with low latency. - -Attacks on ECDSA nonce are also known as Minerva attack. - -Fixes CVE-2024-13176 - -Reviewed-by: Tim Hudson -Reviewed-by: Neil Horman -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/26429) - -(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203) -(cherry picked from commit 392dcb336405a0c94486aa6655057f59fd3a0902) - -CVE: CVE-2024-13176 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65] -Signed-off-by: Peter Marko ---- - crypto/bn/bn_exp.c | 21 +++++++++++++++------ - crypto/ec/ec_lib.c | 7 ++++--- - include/crypto/bn.h | 3 +++ - 3 files changed, 22 insertions(+), 9 deletions(-) - -diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c -index b876edbfac36e..af52e2ced6914 100644 ---- a/crypto/bn/bn_exp.c -+++ b/crypto/bn/bn_exp.c -@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, - * out by Colin Percival, - * http://www.daemonology.net/hyperthreading-considered-harmful/) - */ --int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, -+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont) - { -@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - unsigned int t4 = 0; - #endif - -- bn_check_top(a); -- bn_check_top(p); -- bn_check_top(m); -- - if (!BN_is_odd(m)) { - ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS); - return 0; -@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - goto err; - } else - #endif -- if (!BN_from_montgomery(rr, &tmp, mont, ctx)) -+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) - goto err; - ret = 1; - err: -@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, - return ret; - } - -+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, -+ BN_MONT_CTX *in_mont) -+{ -+ bn_check_top(a); -+ bn_check_top(p); -+ bn_check_top(m); -+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont)) -+ return 0; -+ bn_correct_top(rr); -+ return 1; -+} -+ - int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) - { -diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c -index c92b4dcb0ac45..a79fbb98cf6fa 100644 ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -21,6 +21,7 @@ - #include - #include - #include "crypto/ec.h" -+#include "crypto/bn.h" - #include "internal/nelem.h" - #include "ec_local.h" - -@@ -1261,10 +1262,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, - if (!BN_sub(e, group->order, e)) - goto err; - /*- -- * Exponent e is public. -- * No need for scatter-gather or BN_FLG_CONSTTIME. -+ * Although the exponent is public we want the result to be -+ * fixed top. - */ -- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) -+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) - goto err; - - ret = 1; -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index 302f031c2ff1d..499e1d10efab0 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); - */ - int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mont, BN_CTX *ctx); -+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, -+ BN_MONT_CTX *in_mont); - int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, - BN_CTX *ctx); - int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch deleted file mode 100755 index 99c16cd573..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch +++ /dev/null @@ -1,202 +0,0 @@ -From bc7e04d7c8d509fb78fc0e285aa948fb0da04700 Mon Sep 17 00:00:00 2001 -From: Viktor Dukhovni -Date: Thu, 19 Sep 2024 01:02:40 +1000 -Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse. - -The BN_GF2m_poly2arr() function converts characteristic-2 field -(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask, -to a compact array with just the exponents of the non-zero terms. - -These polynomials are then used in BN_GF2m_mod_arr() to perform modular -reduction. A precondition of calling BN_GF2m_mod_arr() is that the -polynomial must have a non-zero constant term (i.e. the array has `0` as -its final element). - -Internally, callers of BN_GF2m_poly2arr() did not verify that -precondition, and binary EC curve parameters with an invalid polynomial -could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr(). - -The precondition is always true for polynomials that arise from the -standard form of EC parameters for characteristic-two fields (X9.62). -See the "Finite Field Identification" section of: - - https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html - -The OpenSSL GF(2^m) code supports only the trinomial and pentanomial -basis X9.62 forms. - -This commit updates BN_GF2m_poly2arr() to return `0` (failure) when -the constant term is zero (i.e. the input bitmask BIGNUM is not odd). - -Additionally, the return value is made unambiguous when there is not -enough space to also pad the array with a final `-1` sentinel value. -The return value is now always the number of elements (including the -final `-1`) that would be filled when the output array is sufficiently -large. Previously the same count was returned both when the array has -just enough room for the final `-1` and when it had only enough space -for non-sentinel values. - -Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose -degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against -CPU exhausition attacks via excessively large inputs. - -The above issues do not arise in processing X.509 certificates. These -generally have EC keys from "named curves", and RFC5840 (Section 2.1.1) -disallows explicit EC parameters. The TLS code in OpenSSL enforces this -constraint only after the certificate is decoded, but, even if explicit -parameters are specified, they are in X9.62 form, which cannot represent -problem values as noted above. - -Initially reported as oss-fuzz issue 71623. - -A closely related issue was earlier reported in -. - -Severity: Low, CVE-2024-9143 - -Reviewed-by: Matt Caswell -Reviewed-by: Bernd Edlinger -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/25639) - -(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2) - -CVE: CVE-2024-9143 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700] -Signed-off-by: Peter Marko ---- - crypto/bn/bn_gf2m.c | 28 +++++++++++++++------- - test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 71 insertions(+), 8 deletions(-) - -diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c -index 444c5ca7a3755..ae7e9d751c29c 100644 ---- a/crypto/bn/bn_gf2m.c -+++ b/crypto/bn/bn_gf2m.c -@@ -15,6 +15,7 @@ - #include "bn_local.h" - - #ifndef OPENSSL_NO_EC2M -+# include - - /* - * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should -@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - /* - * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i * - * x^i) into an array of integers corresponding to the bits with non-zero -- * coefficient. Array is terminated with -1. Up to max elements of the array -- * will be filled. Return value is total number of array elements that would -- * be filled if array was large enough. -+ * coefficient. The array is intended to be suitable for use with -+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be -+ * zero. This translates to a requirement that the input BIGNUM `a` is odd. -+ * -+ * Given sufficient room, the array is terminated with -1. Up to max elements -+ * of the array will be filled. -+ * -+ * The return value is total number of array elements that would be filled if -+ * array was large enough, including the terminating `-1`. It is `0` when `a` -+ * is not odd or the constant term is zero contrary to requirement. -+ * -+ * The return value is also `0` when the leading exponent exceeds -+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks, - */ - int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) - { - int i, j, k = 0; - BN_ULONG mask; - -- if (BN_is_zero(a)) -+ if (!BN_is_odd(a)) - return 0; - - for (i = a->top - 1; i >= 0; i--) { -@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) - } - } - -- if (k < max) { -+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS) -+ return 0; -+ -+ if (k < max) - p[k] = -1; -- k++; -- } - -- return k; -+ return k + 1; - } - - /* -diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c -index 5076f9894d5b8..92904cfc42b20 100644 ---- a/test/ec_internal_test.c -+++ b/test/ec_internal_test.c -@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void) - } - - #ifndef OPENSSL_NO_EC2M -+/* Test that decoding of invalid GF2m field parameters fails. */ -+static int ec2m_field_sanity(void) -+{ -+ int ret = 0; -+ BN_CTX *ctx = BN_CTX_new(); -+ BIGNUM *p, *a, *b; -+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL; -+ -+ TEST_info("Testing GF2m hardening\n"); -+ -+ BN_CTX_start(ctx); -+ p = BN_CTX_get(ctx); -+ a = BN_CTX_get(ctx); -+ if (!TEST_ptr(b = BN_CTX_get(ctx)) -+ || !TEST_true(BN_one(a)) -+ || !TEST_true(BN_one(b))) -+ goto out; -+ -+ /* Even pentanomial value should be rejected */ -+ if (!TEST_true(BN_set_word(p, 0xf2))) -+ goto out; -+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) -+ TEST_error("Zero constant term accepted in GF2m polynomial"); -+ -+ /* Odd hexanomial should also be rejected */ -+ if (!TEST_true(BN_set_word(p, 0xf3))) -+ goto out; -+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) -+ TEST_error("Hexanomial accepted as GF2m polynomial"); -+ -+ /* Excessive polynomial degree should also be rejected */ -+ if (!TEST_true(BN_set_word(p, 0x71)) -+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1))) -+ goto out; -+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) -+ TEST_error("GF2m polynomial degree > %d accepted", -+ OPENSSL_ECC_MAX_FIELD_BITS); -+ -+ ret = group1 == NULL && group2 == NULL && group3 == NULL; -+ -+ out: -+ EC_GROUP_free(group1); -+ EC_GROUP_free(group2); -+ EC_GROUP_free(group3); -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); -+ -+ return ret; -+} -+ - /* test EC_GF2m_simple_method directly */ - static int field_tests_ec2_simple(void) - { -@@ -443,6 +493,7 @@ int setup_tests(void) - ADD_TEST(field_tests_ecp_simple); - ADD_TEST(field_tests_ecp_mont); - #ifndef OPENSSL_NO_EC2M -+ ADD_TEST(ec2m_field_sanity); - ADD_TEST(field_tests_ec2_simple); - #endif - ADD_ALL_TESTS(field_tests_default, crv_len); diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.3.bb b/meta/recipes-connectivity/openssl/openssl_3.2.4.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_3.2.3.bb rename to meta/recipes-connectivity/openssl/openssl_3.2.4.bb index 0b47bab550..bada192fe9 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.3.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.2.4.bb @@ -12,15 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://0001-Added-handshake-history-reporting-when-test-fails.patch \ - file://CVE-2024-9143.patch \ - file://CVE-2024-13176.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239" +SRC_URI[sha256sum] = "b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" From patchwork Tue Feb 18 21:15:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57565 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63612C021AD for ; Tue, 18 Feb 2025 21:15:48 +0000 (UTC) Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) by mx.groups.io with SMTP id smtpd.web10.7514.1739913340572050194 for ; Tue, 18 Feb 2025 13:15:40 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=OdzGpFxv; spf=softfail (domain: sakoman.com, ip: 209.85.214.181, mailfrom: steve@sakoman.com) Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-220ecbdb4c2so122838225ad.3 for ; Tue, 18 Feb 2025 13:15:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1739913340; x=1740518140; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Ef6vvRjMWdqPIXNP9V4+maCc2GWlsx2j49kJGJFbL7w=; b=OdzGpFxvKqqzhjJXGZfsMS7Dtga9g9VAuWX9ZKQV3/FSR3f5ZnfuioIpmsnWKdHBqB 74SlQm5k0/wAVNX9uoh9dZCqfHBOK/i8zCMzRelJBY5i4W/epV4TiuoTu9tilPYnkDi+ munUHh1jMxDgxYXL1oLatQgHqB1h2/6GGMhLw4t0wm6+JA+K62oFB/pOTwQ1skqY/LIG 3sJ12tlurLLEGxhh72y85MP9mmwpLHqwlBKCe7q/oqHmZ62fTZsyjNUnG2Ea9swMEUdB 0n9lzdH8UpqRGiEQ0qN3bG/vfo36mdPgns536iHx9gsAM1pyTkCp/kAXb40DFswOBdEq dPgA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739913340; x=1740518140; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ef6vvRjMWdqPIXNP9V4+maCc2GWlsx2j49kJGJFbL7w=; b=nuTmyC7bp3BfOeZrg37hqcUvqEy4JH1QdfgGIV5kZgBhg62wzES64PEWX2xjl1ph6c EJ5fDxXnNfIUjDDhOHaL91VknUWdra/ovRwx8ElBcnthwTOR8u8gpdTsAMxCyxIeqnZE vlsvlZQvUr645MWdKOcxHA1EX3yUaKK24JY/WeWuNN4z5lsKP13WRdVZVytXNdBFv6DI DcBmXw948pYu+lpHTXcB9oK/z4LwhhX6QRJkWsfDdFVFXVSHFxgpCf6eVYYETDETzIK6 yCTB/cYZsi+PanYU1ZwF4EVUnBuH/7ttXZnDWcd6qexlHM2pB6maanf8sVp2nDDWT3ol kxuQ== X-Gm-Message-State: AOJu0YzTDWN1oRrDhOETeKenKRoMikQN5WCQBdBrcjiw/Pmw3KtXxKHE 6sQPmJenoJp9+9KdnvG3bpje0hrALd1kidyIIINSKzEh4pUaZfAkEQewSOC6gLG4laAle2cpeZr G X-Gm-Gg: ASbGncvrI60NDoaMfTFtTvnfqWSBZ8j4FSyEsVyfSbaoE1K/P7sALk24eHAdPJvDJTj q2Q+LizklGrjmYPftB9nGq6EiC3st6pUFPDE94F55HNqaSWLAKCMTkg/8HqEUkBou4zgaup7Rk6 vdK40RXgMLiRGizV36SOQvpS6agQ1tPHiPWFk4dlB82ph5opjPZFe5Sogn0gwiO6Xbz0fMv3FA2 DN/Rofg9aPobBPpVUHrTImn1oy+M817VwP5hPHRjoh2RtMeypuo+Q9dLch/85mqcC5OMZ+8K45u DQ8+tvM= X-Google-Smtp-Source: AGHT+IEH7cnMMH288WA8qXrlBhOdU0zA/w/1i8/HIH0wcV0qDYXC67VIBj+Us0OmnlNRbgB2ND3aVg== X-Received: by 2002:a17:903:2f8c:b0:21f:b483:2ad5 with SMTP id d9443c01a7336-22104038460mr226283045ad.20.1739913339812; Tue, 18 Feb 2025 13:15:39 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:83c7:94a9:a555:bf05]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-220d5349056sm93720055ad.22.2025.02.18.13.15.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 13:15:39 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 4/7] vim: Upgrade 9.1.0764 -> 9.1.1043 Date: Tue, 18 Feb 2025 13:15:22 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:15:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211656 From: Divya Chellam This includes CVE-fix for CVE-2025-22134 and CVE-2025-24014 Changes between 9.1.0764 -> 9.1.1043 ==================================== https://github.com/vim/vim/compare/v9.1.0764...v9.1.1043 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 582eddcb9d..4ac9c58c80 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -18,8 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".0764" -SRCREV = "51b62387be93c65fa56bbabe1c3c1ea5df187641" +PV .= ".1043" +SRCREV = "9d1bed5eccdbb46a26b8a484f5e9163c40e63919" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" From patchwork Tue Feb 18 21:15:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57564 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E6C7C021B1 for ; Tue, 18 Feb 2025 21:15:48 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.web10.7518.1739913342038984663 for ; Tue, 18 Feb 2025 13:15:42 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=u3vS+HLE; spf=softfail (domain: sakoman.com, ip: 209.85.214.177, mailfrom: steve@sakoman.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-220e989edb6so120440135ad.1 for ; Tue, 18 Feb 2025 13:15:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1739913341; x=1740518141; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=T/m+Jpqy8QO23CyizkqcNSr7y2U8znZ1f4hH9+RQm9k=; b=u3vS+HLEwKKDK3EzMcbpf09Go7VfABIJz4VxQnAIauhZAmCBX2pBW8ubY+ZRfeeeSd m+h31NeqP2pYd/9Tqwo0a0vLw9JRu90yhPGNu/S3bv566aAoGJX+yJTRN9d4trtPM6FH LbuluVxaiwXJfcZCbUYsMfuEqWuqf2OEvgEZ0ClAtNiPrJysxQ1Yoxm2tG9Sh4TjZFsB dOsxqrbuPO7WIOAdFYR0D5Q9Eg4ImgcOc8zRy72VMsL7CJjku5FO29RwxncrzrT3Pdoi O5VLBmcr4kSFi7dg2rfzfcwvlHCGNrtQ8hujpInV8ZLxeKngWUHyvStRAiQZWqEoQqRO gNOA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739913341; x=1740518141; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=T/m+Jpqy8QO23CyizkqcNSr7y2U8znZ1f4hH9+RQm9k=; b=cW76DsBsr8bQwEwhFsadkyEgRPeRE2x7HBuONiwxBlhs3xHkvFZpU6x3//diba1LAn bF5DbMpHFd6XtTB3Zcir/th8XzgO+gi9rzHqCTgbUF9SL4qdhmf9e8kwZDquxWlwJQG6 pyDeqKnVwW4tQRDIhf/f686A4DIBwgu3Jtnd7QQPJpfxQqbWtFIe+MGReBsNP24BU8Lr 4y1pdFuXFIe+Z2a/1/vIPTiXaPH0WWZy6mF7liae8URtV8AuDJyhrGvONHapep/Wg5cr jDxt4F+gzg0ApLDMdGXwp7sv6fh5qlbea37CMbJb4swr8De6KgUJqaJml2sQCJhh6HRZ J9Zw== X-Gm-Message-State: AOJu0YzxqKSAYZmB31prnwLWOj31xux08yIfixdsrX87vEvhyY/jAGe8 uorgk3zNqjFEb3uaKlxj+EIDkToG9r4xju4rJmBsUckMi7z3cbHX93LSWdev5GWw75rnzD28itT + X-Gm-Gg: ASbGncuyGHZupEBGp5O9IQEwLmVp2VtQD1Bj9NGMOAs3vxmpyj8A5flzxOTUgXTne+f Yyq8hNkvMtuxP5VdKLYWUeuy3xqjm0SBOOJdDSdNseK1XxhRgSCp2emxp5ki+2li2kjWyJx0ncP IKkbwP3JJtjWPCZpcDL70L/2VnQsiMcHXjN76rRjX7/XNLOJ/+CfKQY/zx1Zjw6lwl31jfZHy5c N/m0N+0gNL4pDQ/hjSBkpOIfjDyOAwBAT6xkNQ9p6Wpo6dxHccWqTlcxrplIaJasFs5MuC1vBtI PrG6U8U= X-Google-Smtp-Source: AGHT+IE1eVnB8qFBxhiFHgzxLBxRrv8mwHrFqEKTcXllyUYBpv3z9MQAatHqEILd0Dfs1KVmO7YS6w== X-Received: by 2002:a17:902:e88a:b0:221:133:fcfb with SMTP id d9443c01a7336-22104042259mr219450385ad.20.1739913341362; Tue, 18 Feb 2025 13:15:41 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:83c7:94a9:a555:bf05]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-220d5349056sm93720055ad.22.2025.02.18.13.15.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 13:15:41 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 5/7] scripts/install-buildtools: Update to 5.0.7 Date: Tue, 18 Feb 2025 13:15:23 -0800 Message-ID: <46afde73632d0ee8bfeb06c0ae478fc0a3d12147.1739913090.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:15:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211657 From: Aleksandar Nikolic Update to the 5.0.7 release of the 5.0 series for buildtools. Signed-off-by: Aleksandar Nikolic Signed-off-by: Steve Sakoman --- scripts/install-buildtools | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install-buildtools b/scripts/install-buildtools index 972671d50f..e4d472023d 100755 --- a/scripts/install-buildtools +++ b/scripts/install-buildtools @@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout) DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools') DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto' -DEFAULT_RELEASE = 'yocto-5.0.6' -DEFAULT_INSTALLER_VERSION = '5.0.6' +DEFAULT_RELEASE = 'yocto-5.0.7' +DEFAULT_INSTALLER_VERSION = '5.0.7' DEFAULT_BUILDDATE = '202110XX' # Python version sanity check From patchwork Tue Feb 18 21:15:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57566 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5D349C021B0 for ; Tue, 18 Feb 2025 21:15:48 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web11.7325.1739913343592919086 for ; Tue, 18 Feb 2025 13:15:43 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Er5LBdEr; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-220c8f38febso111493805ad.2 for ; Tue, 18 Feb 2025 13:15:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1739913343; x=1740518143; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DfiZtkoai+zfrd5srM9dza8fy0L6yz3JFbR0WqiFyeY=; b=Er5LBdErhHoZooPBgiQmWWkBQAeneyhzkscChPli/e5gB+Qbhsh0YcyIz+JJEr13x8 kcSuGu6/a2yUung41Zs1QHiFszkzShbFb8IYoWbfh35dwSNPI9npeUS2x/e+PrtRpxVA YFD52pZBKa3srWWoESmSS0KWHjqMUHqLoKXFah+n68QWIjc1rYI/R97z6wLNQmoGibqM xK816ktj6s7umJN7NKg2XFo1Kupw92M5B5S2GbBjWl2c2KYePM+4s8IwRMi//B3CYPen PrloG1K65o6fZ1/pZLcwfqs6vxschz783q2zf+FHG/BRji9E+jmJe0OP9RAt5c/3cIBx Zppw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739913343; x=1740518143; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DfiZtkoai+zfrd5srM9dza8fy0L6yz3JFbR0WqiFyeY=; b=O4LTgNLd70+BCkO8xpU/3bs2PfcZ1Go/jcJ7NHplAZFkZYizHRCBd8CUAiJTNqlCPe vAan0mIsdLsDy4LFCmhnY2yBKXBjUg3BEUM9mha4eTNZ/AgQ/kjCXpgsMXAfuJsIGic5 MrMrNUDBCBObzhQ31Qg8dxmQsn73cGquf+QifUwWwO/kPwsrDhEUT6SsgAOmbxkxujd0 eDwd0KCSNuyYyon7zSEB7+IaHCMm6ZQ5l/mWD8LDRMnfcL6lnpPhHnw84HwKJ7xJhHkB tPnfSp9EvMLK4E4A0R9qFRcL4u+Tz9yldGT+Sg+fLkfpAUnyRyeLw+C8mzkKr7di2qC8 reXg== X-Gm-Message-State: AOJu0YwuyNFZ46nyGJMOHhlLaPrdIiP5ZKqwQlCKcT1Ledj7IAvhg1y2 eBXIPCcIw0Ba0Apv0laWUY7lj+CLMWzBrUp0+aBIhjeOJlGSzQ93uS0RsG+3l8vQOw7aWZadXvA j X-Gm-Gg: ASbGncvcWvmTnSQ3WNAugKBPW92BpYWtvuw3aIpfkLZK+NMvmnY1KcQuMpdGIQbarhy xS1+GuHMpd1jyq6OcRqjQpSapwD/DTboD5IzMFkOwAsya7N80oRhROXKd2hjbZseBfrGeHR2cZ4 PgCg7pUcPOORpn72AM7M5euanWxVGwE0KHShb+0llbqhNPiKMv2+tP4ligxugkBxzmiSg/a0BZ9 8TtOzkrGuxh+AYx3aPatp9l+e0hk+rGFo6ZG9azitR7O5iO+ksfeh2XHa4fZRVx5mFDaCPDxZFL VuprSd4= X-Google-Smtp-Source: AGHT+IEkrKmVSCC+m+19AleBl5/Uc7HiWg+vJyA98IIiX0t7kehoqk2j4evuWxEOtydiR3ZEyvCFKw== X-Received: by 2002:a17:903:2c6:b0:220:e63c:5b10 with SMTP id d9443c01a7336-221040a8faamr234728975ad.34.1739913342817; Tue, 18 Feb 2025 13:15:42 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:83c7:94a9:a555:bf05]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-220d5349056sm93720055ad.22.2025.02.18.13.15.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 13:15:42 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 6/7] ppp: Revert lock path to /var/lock Date: Tue, 18 Feb 2025 13:15:24 -0800 Message-ID: <183d2ff42636afeb4fb2394dfa17ab9c2c0620ce.1739913090.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:15:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211658 From: Johannes Schneider ppp version 2.5.0 fails to run properly if an expected /run/pppd/lock directory does not exist, which is not usually created in a yocto built OS. Backport the patch from upstream version 2.5.1 that fixes the issue by reverting back to /var/lock. The related github issue upstream was: "lock directory moved in ppp-2.5.0 #419" [1] Link: https://github.com/ppp-project/ppp/issues/419 Signed-off-by: Johannes Schneider Signed-off-by: Steve Sakoman --- ...001-Revert-lock-path-to-var-lock-435.patch | 63 +++++++++++++++++++ meta/recipes-connectivity/ppp/ppp_2.5.0.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch diff --git a/meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch b/meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch new file mode 100644 index 0000000000..573eb413b0 --- /dev/null +++ b/meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch @@ -0,0 +1,63 @@ +From 99cbf5e269994482edaf64624be8b1c806f9587c Mon Sep 17 00:00:00 2001 +From: Dominique Martinet +Date: Tue, 10 Oct 2023 10:05:50 +0900 +Subject: [PATCH] Revert lock path to /var/lock (#435) + +lock dir changed on linux from /var/lock to /run/pppd/lock with +pppd-2.5.0, which makes pppd fail to start if the distribution does not +pre-create the directory. + +This reverts it back to /var/lock. + +The paths for other OS should be identical as LOCALSTATEDIR should be +/var, but also revert them back as well just in case. +Since the variable is no longer used remove it from makefiles. + +Fixes: 66a8c74c3f73 ("Let ./configure control the paths for pppd") +Fixes: #419 + +Signed-off-by: Dominique Martinet +Co-authored-by: Dominique Martinet + +Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/99cbf5e269994482edaf64624be8b1c806f9587c] +--- + pppd/Makefile.am | 2 +- + pppd/pathnames.h | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/pppd/Makefile.am b/pppd/Makefile.am +index e5bedf2..7cb3005 100644 +--- a/pppd/Makefile.am ++++ b/pppd/Makefile.am +@@ -83,7 +83,7 @@ pppd_SOURCES = \ + upap.c \ + utils.c + +-pppd_CPPFLAGS = -DSYSCONFDIR=\"${sysconfdir}\" -DLOCALSTATEDIR=\"${localstatedir}\" -DPPPD_RUNTIME_DIR='"@PPPD_RUNTIME_DIR@"' -DPPPD_LOGFILE_DIR='"@PPPD_LOGFILE_DIR@"' ++pppd_CPPFLAGS = -DSYSCONFDIR=\"${sysconfdir}\" -DPPPD_RUNTIME_DIR='"@PPPD_RUNTIME_DIR@"' -DPPPD_LOGFILE_DIR='"@PPPD_LOGFILE_DIR@"' + pppd_LDFLAGS = + pppd_LIBS = + +diff --git a/pppd/pathnames.h b/pppd/pathnames.h +index de2fb68..12609a9 100644 +--- a/pppd/pathnames.h ++++ b/pppd/pathnames.h +@@ -120,12 +120,12 @@ + #define PPP_PATH_PPPDB PPP_PATH_VARRUN "/pppd2.tdb" + + #ifdef __linux__ +-#define PPP_PATH_LOCKDIR PPP_PATH_VARRUN "/lock" ++#define PPP_PATH_LOCKDIR "/var/lock" + #else + #ifdef SVR4 +-#define PPP_PATH_LOCKDIR LOCALSTATEDIR "/spool/locks" ++#define PPP_PATH_LOCKDIR "/var/spool/locks" + #else +-#define PPP_PATH_LOCKDIR LOCALSTATEDIR "/spool/lock" ++#define PPP_PATH_LOCKDIR "/var/spool/lock" + #endif + #endif + +-- +2.43.0 + diff --git a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb index 5f0c75de83..badf22db97 100644 --- a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb +++ b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb @@ -23,6 +23,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \ file://ppp_on_boot \ file://provider \ file://ppp@.service \ + file://0001-Revert-lock-path-to-var-lock-435.patch \ " SRC_URI[sha256sum] = "5cae0e8075f8a1755f16ca290eb44e6b3545d3f292af4da65ecffe897de636ff" From patchwork Tue Feb 18 21:15:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57562 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5B4A2C021AF for ; Tue, 18 Feb 2025 21:15:48 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web10.7524.1739913345006751668 for ; Tue, 18 Feb 2025 13:15:45 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=itHPYgM5; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-220e989edb6so120441055ad.1 for ; Tue, 18 Feb 2025 13:15:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1739913344; x=1740518144; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=EC4QAr9BSNPvHtaY8BZ5R2gr7ZgX/w6k5VJtjc4fVXw=; b=itHPYgM5B0H8LvePK18s0NvffcEEHODWQma7jKjjQqK06kp2WN8wV3pwGWpT6RBsLQ Zj7BxICKOqK2QYkgGKphwq7P3Q8P/tU4fjjquxcjBps5zOo6LwE2HmlNnqn0Z/r1YpTk hN5pKZ5j95irr6H8T1nx7F0ruw2pHPP5TMPHPdkPBIY3wd7ASs9Qd+vFaAH/w22g+7oC FGBvDVTrfTmNsqy/z22j/MEn9n1Q5AHcCJ9w8pexRYcar4zvlSXuMiVO79q5JTsclWjC FudawMuHnxb645XWacpQhRQDfzqRZBo16Hgdmaek8l5PG55jGLQg/fNUTQmjz7QoP93s 97ag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739913344; x=1740518144; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EC4QAr9BSNPvHtaY8BZ5R2gr7ZgX/w6k5VJtjc4fVXw=; b=Neb5hdmVWAwTmvEYe5vvGogkX79+gb27cYx8O6nBHSGjmB7tE9WW5t2THI6EnPo9Rv BegI7xK6va4WzHaSsw+sN1o5m4hlmrkRQoYBSXZEPbcPl+wGX/6aKMChaYOxdItl/AiU BM+c881+p7evFctdNCpeAuJna+qAiv2H4jsriH0Ds1zysX74gEUitvj5IGLBmvB38t9k WRdQ7wrgSI76rJlIeQ1bSgqkJBVRWUtWSlDNPJLFMcBRovLB2AqVAWyUCBxfmXUDBrFX +WxhYqBKVHhL5v5rxHd4jL5h9NjGmT0a4PyMX6uFJJYGY6KsME3JxmKR9fYiT5cX8Wxl WpyQ== X-Gm-Message-State: AOJu0YwG/OF+7SRqZO5JxeJc72BUNL63TCdVoG3VXPZqPez6U7lsutoo /65y9/IJaX6fXk+YUZu4KKfUQdndImFdFGmWqQjhXZEYRtGkBb83ZnzjZOla4VCnewN5V+KI2QG I X-Gm-Gg: ASbGnct58kk9n/dGceJGkjkOWMRo9vVobJH/d8iwQfbaeTuk5x27IN0joCHtnVt9HkR DhK0afPqf+DEOh6tvEhHz1vD678OwdcvnMhFl61jl+dp7a0+v2/UpChC2b9kODesgyr1aTVuEqy 1xkQ06SJx+gKr682oIzCs4G28C01P9hHUZKIls4KOWd6J4h2uxS/JLQ6lPKfTiwh16IsY7yfXnU dKaN6aNRwOdXbjMT3VP9pFD6Y490oh5fn1YCS6P/eY00yyizZed19WGrBLn1EFvdduehpDw4pul +Y+44ys= X-Google-Smtp-Source: AGHT+IHj3wOQuIldrCNNwz9a0ns7J3igcB4twJk1aTgChgVCHqIYmpVLrSZI9uStis+KSj45QS1NNw== X-Received: by 2002:a17:902:d4c3:b0:21f:3abc:b9e8 with SMTP id d9443c01a7336-221040bd33cmr206228905ad.43.1739913344249; Tue, 18 Feb 2025 13:15:44 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:83c7:94a9:a555:bf05]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-220d5349056sm93720055ad.22.2025.02.18.13.15.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Feb 2025 13:15:43 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 7/7] icu: remove host references in nativesdk to fix reproducibility Date: Tue, 18 Feb 2025 13:15:25 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:15:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211659 From: Oleksandr Hnatiuk Fix is only done for target. Use same code for nativesdk. Backport from poky master: https://git.yoctoproject.org/poky/commit/?id=c63b8f28ac52047fad689b78d605aa792baf1ad8 (From OE-Core rev: dc6306883cc2c7d4d98d595442e5bf4037a160c5) Signed-off-by: Oleksiy Obitotskyy Signed-off-by: Oleksandr Hnatiuk Signed-off-by: Richard Purdie (cherry picked from commit c63b8f28ac52047fad689b78d605aa792baf1ad8) Signed-off-by: Bhabu Bindu Signed-off-by: Steve Sakoman --- meta/recipes-support/icu/icu_74-2.bb | 33 ++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/meta/recipes-support/icu/icu_74-2.bb b/meta/recipes-support/icu/icu_74-2.bb index 8352bf2a5b..53853e24a5 100644 --- a/meta/recipes-support/icu/icu_74-2.bb +++ b/meta/recipes-support/icu/icu_74-2.bb @@ -30,7 +30,7 @@ TARGET_CXXFLAGS:append = "${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'be', ' ASNEEDED = "" -do_compile:prepend:class-target () { +remove_build_host_references_from_libicutu () { # Make sure certain build host references do not end up being compiled # in the image. This only affects libicutu and icu-dbg sed \ @@ -39,6 +39,14 @@ do_compile:prepend:class-target () { -i ${B}/tools/toolutil/Makefile } +do_compile:prepend:class-target () { + remove_build_host_references_from_libicutu +} + +do_compile:prepend:class-nativesdk () { + remove_build_host_references_from_libicutu +} + PREPROCESS_RELOCATE_DIRS = "${datadir}/${BPN}/${PV}" do_install:append:class-native() { mkdir -p ${D}/${STAGING_ICU_DIR_NATIVE}/config @@ -49,6 +57,15 @@ do_install:append:class-native() { cp -r ${B}/tools ${D}/${STAGING_ICU_DIR_NATIVE} } +remove_build_host_references() { + sed -i \ + -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \ + -e 's|${DEBUG_PREFIX_MAP}||g' \ + -e 's:${HOSTTOOLS_DIR}/::g' \ + ${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/Makefile.inc \ + ${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/pkgdata.inc +} + do_install:append:class-target() { # The native pkgdata can not generate the correct data file. # Use icupkg to re-generate it. @@ -56,14 +73,12 @@ do_install:append:class-target() { rm -f ${D}/${datadir}/${BPN}/${@icu_install_folder(d)}/icudt${ICU_MAJOR_VER}b.dat icupkg -tb ${S}/data/in/icudt${ICU_MAJOR_VER}l.dat ${D}/${datadir}/${BPN}/${@icu_install_folder(d)}/icudt${ICU_MAJOR_VER}b.dat fi - - # Remove build host references... - sed -i \ - -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \ - -e 's|${DEBUG_PREFIX_MAP}||g' \ - -e 's:${HOSTTOOLS_DIR}/::g' \ - ${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/Makefile.inc \ - ${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/pkgdata.inc + + remove_build_host_references +} + +do_install:append:class-nativesdk() { + remove_build_host_references } PACKAGES =+ "libicudata libicuuc libicui18n libicutu libicuio"