diff options
| author | Jens Rehsack <rehsack@gmail.com> | 2020-08-19 17:36:27 +0200 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2020-08-19 14:02:48 -0700 |
| commit | 7527b1425fb28bbba328601323d1ef037b374684 (patch) | |
| tree | ba5ae55a3ca1224f4bf3a88a8915ce28d53cf043 | |
| parent | 7d35f4c3b15412d2a3ce94c48a69735d3c6c3942 (diff) | |
| download | meta-openembedded-7527b1425fb28bbba328601323d1ef037b374684.tar.gz | |
bearssl: add new recipe
Add recipe for BearSSL - an an implementation of the SSL/TLS protocol with
the approach of:
* Be correct and secure.
* Be small
* Be highly portable
* Be feature-rich and extensible
See https://bearssl.org for more details.
Signed-off-by: Jens Rehsack <sno@netbsd.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
3 files changed, 133 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/bearssl/bearssl/0001-conf-Unix.mk-remove-fixed-command-definitions.patch b/meta-networking/recipes-connectivity/bearssl/bearssl/0001-conf-Unix.mk-remove-fixed-command-definitions.patch new file mode 100644 index 0000000000..00be224990 --- /dev/null +++ b/meta-networking/recipes-connectivity/bearssl/bearssl/0001-conf-Unix.mk-remove-fixed-command-definitions.patch | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | From 4ba61c59d3488c263d106d486b656854a57ad79f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jens Rehsack <sno@netbsd.org> | ||
| 3 | Date: Thu, 13 Aug 2020 15:26:30 +0200 | ||
| 4 | Subject: [PATCH 1/2] conf/Unix.mk: remove fixed command definitions | ||
| 5 | |||
| 6 | For cross compiling in Yocto or with appropriate SDKs, commands like | ||
| 7 | `$CC` are reasonably predefined. | ||
| 8 | |||
| 9 | Upstream-Status: Inappropriate | ||
| 10 | |||
| 11 | Signed-off-by: Jens Rehsack <sno@netbsd.org> | ||
| 12 | --- | ||
| 13 | conf/Unix.mk | 10 +++------- | ||
| 14 | 1 file changed, 3 insertions(+), 7 deletions(-) | ||
| 15 | |||
| 16 | diff --git a/conf/Unix.mk b/conf/Unix.mk | ||
| 17 | index 02f2b2b..05979fc 100644 | ||
| 18 | --- a/conf/Unix.mk | ||
| 19 | +++ b/conf/Unix.mk | ||
| 20 | @@ -37,23 +37,19 @@ RM = rm -f | ||
| 21 | MKDIR = mkdir -p | ||
| 22 | |||
| 23 | # C compiler and flags. | ||
| 24 | -CC = cc | ||
| 25 | -CFLAGS = -W -Wall -Os -fPIC | ||
| 26 | CCOUT = -c -o | ||
| 27 | |||
| 28 | # Static library building tool. | ||
| 29 | -AR = ar | ||
| 30 | ARFLAGS = -rcs | ||
| 31 | AROUT = | ||
| 32 | |||
| 33 | # DLL building tool. | ||
| 34 | -LDDLL = cc | ||
| 35 | +LDDLL = $(CCLD) | ||
| 36 | LDDLLFLAGS = -shared | ||
| 37 | LDDLLOUT = -o | ||
| 38 | |||
| 39 | # Static linker. | ||
| 40 | -LD = cc | ||
| 41 | -LDFLAGS = | ||
| 42 | +LD = $(CCLD) | ||
| 43 | LDOUT = -o | ||
| 44 | |||
| 45 | # C# compiler; we assume usage of Mono. | ||
| 46 | @@ -63,7 +59,7 @@ RUNT0COMP = mono T0Comp.exe | ||
| 47 | # Set the values to 'no' to disable building of the corresponding element | ||
| 48 | # by default. Building can still be invoked with an explicit target call | ||
| 49 | # (e.g. 'make dll' to force build the DLL). | ||
| 50 | -#STATICLIB = no | ||
| 51 | +STATICLIB = no | ||
| 52 | #DLL = no | ||
| 53 | #TOOLS = no | ||
| 54 | #TESTS = no | ||
| 55 | -- | ||
| 56 | 2.17.1 | ||
| 57 | |||
diff --git a/meta-networking/recipes-connectivity/bearssl/bearssl/0002-test-test_x509.c-fix-potential-overflow-issue.patch b/meta-networking/recipes-connectivity/bearssl/bearssl/0002-test-test_x509.c-fix-potential-overflow-issue.patch new file mode 100644 index 0000000000..94abd27faf --- /dev/null +++ b/meta-networking/recipes-connectivity/bearssl/bearssl/0002-test-test_x509.c-fix-potential-overflow-issue.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From 542380a13f178d97851751b57054a6b5be555d1c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jens Rehsack <sno@netbsd.org> | ||
| 3 | Date: Thu, 13 Aug 2020 16:16:44 +0200 | ||
| 4 | Subject: [PATCH 2/2] test/test_x509.c: fix potential overflow issue | ||
| 5 | |||
| 6 | Instead of doing a memcpy() which does static overflow checking, use | ||
| 7 | snprintf() for string copying which does the check dynamically. | ||
| 8 | |||
| 9 | Fixes: | ||
| 10 | | In file included from .../recipe-sysroot/usr/include/string.h:519, | ||
| 11 | | from test/test_x509.c:27: | ||
| 12 | | In function 'memcpy', | ||
| 13 | | inlined from 'parse_keyvalue' at test/test_x509.c:845:2, | ||
| 14 | | inlined from 'process_conf_file' at test/test_x509.c:1360:7, | ||
| 15 | | inlined from 'main' at test/test_x509.c:2038:2: | ||
| 16 | | .../recipe-sysroot/usr/include/bits/string_fortified.h:34:10: warning: '__builtin_memcpy' specified bound 4294967295 exceeds maximum object size 2147483647 [-Wstringop-overflow=] | ||
| 17 | | 34 | return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest)); | ||
| 18 | | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
| 19 | |||
| 20 | Signed-off-by: Jens Rehsack <sno@netbsd.org> | ||
| 21 | --- | ||
| 22 | test/test_x509.c | 3 +-- | ||
| 23 | 1 file changed, 1 insertion(+), 2 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/test/test_x509.c b/test/test_x509.c | ||
| 26 | index 2c61cf5..76f6ab9 100644 | ||
| 27 | --- a/test/test_x509.c | ||
| 28 | +++ b/test/test_x509.c | ||
| 29 | @@ -842,8 +842,7 @@ parse_keyvalue(HT *d) | ||
| 30 | return -1; | ||
| 31 | } | ||
| 32 | name = xmalloc(u + 1); | ||
| 33 | - memcpy(name, buf, u); | ||
| 34 | - name[u] = 0; | ||
| 35 | + snprintf(name, u, "%s", buf); | ||
| 36 | if (HT_get(d, name) != NULL) { | ||
| 37 | xfree(name); | ||
| 38 | return -1; | ||
| 39 | -- | ||
| 40 | 2.17.1 | ||
| 41 | |||
diff --git a/meta-networking/recipes-connectivity/bearssl/bearssl_0.6.bb b/meta-networking/recipes-connectivity/bearssl/bearssl_0.6.bb new file mode 100644 index 0000000000..a0f64e9334 --- /dev/null +++ b/meta-networking/recipes-connectivity/bearssl/bearssl_0.6.bb | |||
| @@ -0,0 +1,35 @@ | |||
| 1 | SUMMARY = "BearSSL is an implementation of the SSL/TLS protocol (RFC 5246) written in C" | ||
| 2 | DESCRIPTION = "BearSSL is an implementation of the SSL/TLS protocol (RFC \ | ||
| 3 | 5246) written in C. It aims at offering the following features: \ | ||
| 4 | * Be correct and secure. In particular, insecure protocol versions and \ | ||
| 5 | choices of algorithms are not supported, by design; cryptographic \ | ||
| 6 | algorithm implementations are constant-time by default. \ | ||
| 7 | * Be small, both in RAM and code footprint. For instance, a minimal \ | ||
| 8 | server implementation may fit in about 20 kilobytes of compiled code \ | ||
| 9 | and 25 kilobytes of RAM. \ | ||
| 10 | * Be highly portable. BearSSL targets not only “big” operating systems \ | ||
| 11 | like Linux and Windows, but also small embedded systems and even special \ | ||
| 12 | contexts like bootstrap code. \ | ||
| 13 | * Be feature-rich and extensible. SSL/TLS has many defined cipher suites \ | ||
| 14 | and extensions; BearSSL should implement most of them, and allow extra \ | ||
| 15 | algorithm implementations to be added afterwards, possibly from third \ | ||
| 16 | parties." | ||
| 17 | HOMEPAGE = "https://bearssl.org" | ||
| 18 | |||
| 19 | SECTION = "libs" | ||
| 20 | |||
| 21 | LICENSE = "MIT" | ||
| 22 | LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1fc37e1037ae673975fbcb96a98f7191" | ||
| 23 | |||
| 24 | SRCREV = "8ef7680081c61b486622f2d983c0d3d21e83caad" | ||
| 25 | SRC_URI = "git://www.bearssl.org/git/BearSSL;protocol=https;nobranch=1 \ | ||
| 26 | file://0001-conf-Unix.mk-remove-fixed-command-definitions.patch \ | ||
| 27 | file://0002-test-test_x509.c-fix-potential-overflow-issue.patch \ | ||
| 28 | " | ||
| 29 | |||
| 30 | # without compile errors like | ||
| 31 | # <..>/ld: build/obj/ghash_pclmul.o: warning: relocation against `br_ghash_pclmul' in read-only section `.text' | ||
| 32 | CFLAGS += "-fPIC" | ||
| 33 | |||
| 34 | S = "${WORKDIR}/git" | ||
| 35 | B = "${S}" | ||