author | Ricardo Wurmus <rekado@elephly.net> | 2021-12-05 19:17:41 +0100 |
---|---|---|
committer | Ricardo Wurmus <rekado@elephly.net> | 2021-12-05 19:17:41 +0100 |
commit | 9bc0f45df5d6aed217020b1183dca54989844fb0 (patch) | |
tree | d927e89949ff7f65b5059bc94273c53fd43d0763 /gnu/packages/patches | |
parent | 6db3c536e89deb8a204e756f427614925a7d2582 (diff) | |
parent | 10554e0a57feeea470127a1d0441957d1776b0bd (diff) | |
Merge remote-tracking branch 'origin/master' into core-updates-frozen
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/coq-fix-envvars.patch | 139 | ||||
-rw-r--r-- | gnu/packages/patches/dynaconf-unvendor-deps.patch | 179 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-78-makeicecat.patch | 110 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2021-43527.patch | 354 | ||||
-rw-r--r-- | gnu/packages/patches/nss-CVE-2021-43527.patch | 354 | ||||
-rw-r--r-- | gnu/packages/patches/racket-minimal-backport-1629887.patch | 28 | ||||
-rw-r--r-- | gnu/packages/patches/u-boot-rk3399-enable-emmc-phy.patch | 26 | ||||
-rw-r--r-- | gnu/packages/patches/yggdrasil-extra-config.patch | 78 |
8 files changed, 1102 insertions, 166 deletions
diff --git a/gnu/packages/patches/coq-fix-envvars.patch b/gnu/packages/patches/coq-fix-envvars.patch
new file mode 100644
index 0000000000..deecf5ce74
--- /dev/null
+++ b/gnu/packages/patches/coq-fix-envvars.patch
@@ -0,0 +1,139 @@ +From ebe09fcac72b21d17c4e8fe6edc1b6076a4ae97c Mon Sep 17 00:00:00 2001 +From: Julien Lepiller <julien@lepiller.eu> +Date: Sun, 21 Nov 2021 00:38:03 +0100 +Subject: [PATCH] Fix environment variable usage. + +--- + checker/checker.ml | 2 ++ + lib/envars.ml | 26 ++++++++++++++++---------- + sysinit/coqargs.ml | 3 ++- + sysinit/coqloadpath.ml | 3 ++- + sysinit/coqloadpath.mli | 2 +- + tools/coqdep.ml | 2 +- + 6 files changed, 24 insertions(+), 14 deletions(-) + +diff --git a/checker/checker.ml b/checker/checker.ml +index f55ed9e8d6..3b797729ed 100644 +--- a/checker/checker.ml ++++ b/checker/checker.ml +@@ -104,6 +104,7 @@ let set_include d p = + (* Initializes the LoadPath *) + let init_load_path () = + let coqlib = Envars.coqlib () in ++ let coqcorelib = Envars.coqcorelib () in + let user_contrib = coqlib/"user-contrib" in + let xdg_dirs = Envars.xdg_dirs in + let coqpath = Envars.coqpath in +@@ -111,6 +112,7 @@ let init_load_path () = + CPath.choose_existing + [ CPath.make [ coqlib ; "plugins" ] + ; CPath.make [ coqlib ; ".."; "coq-core"; "plugins" ] ++ ; CPath.make [ coqcorelib ; "plugins" ] + ] |> function + | None -> + CErrors.user_err (Pp.str "Cannot find plugins directory") +diff --git a/lib/envars.ml b/lib/envars.ml +index 750bd60e71..c7affbd437 100644 +--- a/lib/envars.ml ++++ b/lib/envars.ml +@@ -127,15 +127,21 @@ let check_file_else ~dir ~file oth = + let guess_coqlib fail = + getenv_else "COQLIB" (fun () -> + let prelude = "theories/Init/Prelude.vo" in +- check_file_else ~dir:Coq_config.coqlibsuffix ~file:prelude +- (fun () -> +- if Sys.file_exists (Coq_config.coqlib / prelude) +- then Coq_config.coqlib +- else +- fail "cannot guess a path for Coq libraries; please use -coqlib option \ +- or ensure you have installed the package containing Coq's stdlib (coq-stdlib in OPAM) \ +- If you intend to use Coq without a standard library, the -boot -noinit options must be used.") +- ) ++ let coqlibpath = getenv_else "COQLIBPATH" (fun () -> 
Coq_config.coqlibsuffix) in ++ let paths = path_to_list coqlibpath in ++ let valid_paths = ++ List.filter ++ (fun dir -> (check_file_else ~dir:dir ~file:prelude (fun () -> "")) <> "") ++ paths in ++ match valid_paths with ++ | [] -> ++ if Sys.file_exists (Coq_config.coqlib / prelude) ++ then Coq_config.coqlib ++ else ++ fail "cannot guess a path for Coq libraries; please use -coqlib option \ ++ or ensure you have installed the package containing Coq's stdlib (coq-stdlib in OPAM) \ ++ If you intend to use Coq without a standard library, the -boot -noinit options must be used." ++ | p::_ -> p) + + let coqlib_ref : string option ref = ref None + let set_user_coqlib path = coqlib_ref := Some path +@@ -208,7 +214,7 @@ let xdg_dirs ~warn = + let print_config ?(prefix_var_name="") f coq_src_subdirs = + let open Printf in + fprintf f "%sCOQLIB=%s/\n" prefix_var_name (coqlib ()); +- fprintf f "%sCOQCORELIB=%s/\n" prefix_var_name (coqlib () / "../coq-core/"); ++ fprintf f "%sCOQCORELIB=%s/\n" prefix_var_name (coqcorelib ()); + fprintf f "%sDOCDIR=%s/\n" prefix_var_name (docdir ()); + fprintf f "%sOCAMLFIND=%s\n" prefix_var_name (ocamlfind ()); + fprintf f "%sCAMLFLAGS=%s\n" prefix_var_name Coq_config.caml_flags; +diff --git a/sysinit/coqargs.ml b/sysinit/coqargs.ml +index 00f70a5fea..8325623a63 100644 +--- a/sysinit/coqargs.ml ++++ b/sysinit/coqargs.ml +@@ -453,7 +453,8 @@ let build_load_path opts = + if opts.pre.boot then [],[] + else + let coqlib = Envars.coqlib () in +- Coqloadpath.init_load_path ~coqlib in ++ let coqcorelib = Envars.coqcorelib () in ++ Coqloadpath.init_load_path ~coqlib ~coqcorelib in + ml_path @ opts.pre.ml_includes , + vo_path @ opts.pre.vo_includes + +diff --git a/sysinit/coqloadpath.ml b/sysinit/coqloadpath.ml +index 95ae5da3de..a58cfe6928 100644 +--- a/sysinit/coqloadpath.ml ++++ b/sysinit/coqloadpath.ml +@@ -35,7 +35,7 @@ let build_userlib_path ~unix_path = + else [], [] + + (* LoadPath for Coq user libraries *) +-let init_load_path ~coqlib = ++let 
init_load_path ~coqlib ~coqcorelib = + + let open Loadpath in + let user_contrib = coqlib/"user-contrib" in +@@ -50,6 +50,7 @@ let init_load_path ~coqlib = + CPath.choose_existing + [ CPath.make [ coqlib ; "plugins" ] + ; CPath.make [ coqlib ; ".."; "coq-core"; "plugins" ] ++ ; CPath.make [ coqcorelib ; "plugins" ] + ] |> function + | None -> + CErrors.user_err (Pp.str "Cannot find plugins directory") +diff --git a/sysinit/coqloadpath.mli b/sysinit/coqloadpath.mli +index d853e9ea54..43c6dfa134 100644 +--- a/sysinit/coqloadpath.mli ++++ b/sysinit/coqloadpath.mli +@@ -12,5 +12,5 @@ + includes (in-order) Coq's standard library, Coq's [user-contrib] + folder, and directories specified in [COQPATH] and [XDG_DIRS] *) + val init_load_path +- : coqlib:CUnix.physical_path ++ : coqlib:CUnix.physical_path -> coqcorelib:CUnix.physical_path + -> CUnix.physical_path list * Loadpath.vo_path list +diff --git a/tools/coqdep.ml b/tools/coqdep.ml +index c1c87993e1..6c78e10866 100644 +--- a/tools/coqdep.ml ++++ b/tools/coqdep.ml +@@ -33,7 +33,7 @@ let coqdep () = + let coqlib = Envars.coqlib () in + let coq_plugins_dir = Filename.concat (Envars.coqcorelib ()) "plugins" in + if not (Sys.file_exists coq_plugins_dir) then +- CErrors.user_err Pp.(str "coqdep: cannot find plugins directory for coqlib: " ++ str coqlib ++ fnl ()); ++ CErrors.user_err Pp.(str "coqdep: cannot find plugins directory " ++ str coq_plugins_dir ++ str " for coqlib: " ++ str coqlib ++ fnl ()); + CD.add_rec_dir_import CD.add_coqlib_known (coqlib//"theories") ["Coq"]; + CD.add_rec_dir_import CD.add_coqlib_known (coq_plugins_dir) ["Coq"]; + let user = coqlib//"user-contrib" in +-- +2.33.1 diff --git a/gnu/packages/patches/dynaconf-unvendor-deps.patch b/gnu/packages/patches/dynaconf-unvendor-deps.patch new file mode 100644 index 0000000000..550e311363 --- /dev/null +++ b/gnu/packages/patches/dynaconf-unvendor-deps.patch 
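Review bot: In the lib/envars.ml part of coq-fix-envvars.patch, `guess_coqlib` now returns the raw `COQLIBPATH` entry (`| p::_ -> p`) and discards what `check_file_else` returned, whereas the code it replaces returned the result of `check_file_else` itself. The body of `check_file_else` is outside the hunk; if it resolves `dir` against the Coq root before testing for `theories/Init/Prelude.vo`, a relative entry would be validated at one location and returned as another. Keeping the returned value avoids that: `List.filter (fun p -> p <> "") (List.map (fun dir -> check_file_else ~dir ~file:prelude (fun () -> "")) paths)`. Because this variable now selects the directory the standard library is loaded from, a comment above the lookup should state the precedence, e.g. `(* COQLIB wins; otherwise the first COQLIBPATH entry containing the prelude; otherwise Coq_config.coqlib *)`.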
@@ -0,0 +1,179 @@ +From 3f7b48195500cbbbbecd3cac2f5308c64004479b Mon Sep 17 00:00:00 2001 +From: Giacomo Leidi <goodoldpaul@autistici.org> +Date: Sun, 29 Aug 2021 23:39:27 +0200 +Subject: [PATCH] Use system site dependencies. + +Box was not unvendored because it appears to be heavily patched. +--- + dynaconf/cli.py | 4 ++-- + dynaconf/default_settings.py | 2 +- + dynaconf/loaders/env_loader.py | 2 +- + dynaconf/loaders/toml_loader.py | 2 +- + dynaconf/loaders/yaml_loader.py | 2 +- + dynaconf/utils/parse_conf.py | 2 +- + dynaconf/vendor/box/converters.py | 4 ++-- + dynaconf/vendor/box/from_file.py | 4 ++-- + dynaconf/vendor_src/box/converters.py | 4 ++-- + dynaconf/vendor_src/box/from_file.py | 4 ++-- + tests/test_cli.py | 2 +- + 11 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/dynaconf/cli.py b/dynaconf/cli.py +index 5bb8316..1341a95 100644 +--- a/dynaconf/cli.py ++++ b/dynaconf/cli.py +@@ -20,8 +20,8 @@ from dynaconf.utils.functional import empty + from dynaconf.utils.parse_conf import parse_conf_data + from dynaconf.validator import ValidationError + from dynaconf.validator import Validator +-from dynaconf.vendor import click +-from dynaconf.vendor import toml ++import click ++import toml + + + CWD = Path.cwd() +diff --git a/dynaconf/default_settings.py b/dynaconf/default_settings.py +index 66601b0..9605fc5 100644 +--- a/dynaconf/default_settings.py ++++ b/dynaconf/default_settings.py +@@ -8,7 +8,7 @@ from dynaconf.utils import upperfy + from dynaconf.utils import warn_deprecations + from dynaconf.utils.files import find_file + from dynaconf.utils.parse_conf import parse_conf_data +-from dynaconf.vendor.dotenv import load_dotenv ++from dotenv import load_dotenv + + + def try_renamed(key, value, older_key, current_key): +diff --git a/dynaconf/loaders/env_loader.py b/dynaconf/loaders/env_loader.py +index e7b13bd..b034c8a 100644 +--- a/dynaconf/loaders/env_loader.py ++++ b/dynaconf/loaders/env_loader.py +@@ -2,7 +2,7 @@ from os import environ + + 
from dynaconf.utils import upperfy + from dynaconf.utils.parse_conf import parse_conf_data +-from dynaconf.vendor.dotenv import cli as dotenv_cli ++from dotenv import cli as dotenv_cli + + + IDENTIFIER = "env" +diff --git a/dynaconf/loaders/toml_loader.py b/dynaconf/loaders/toml_loader.py +index 07b973f..d81d675 100644 +--- a/dynaconf/loaders/toml_loader.py ++++ b/dynaconf/loaders/toml_loader.py +@@ -5,7 +5,7 @@ from dynaconf import default_settings + from dynaconf.constants import TOML_EXTENSIONS + from dynaconf.loaders.base import BaseLoader + from dynaconf.utils import object_merge +-from dynaconf.vendor import toml ++import toml + + + def load(obj, env=None, silent=True, key=None, filename=None): +diff --git a/dynaconf/loaders/yaml_loader.py b/dynaconf/loaders/yaml_loader.py +index 33c6532..3ef419a 100644 +--- a/dynaconf/loaders/yaml_loader.py ++++ b/dynaconf/loaders/yaml_loader.py +@@ -7,7 +7,7 @@ from dynaconf.constants import YAML_EXTENSIONS + from dynaconf.loaders.base import BaseLoader + from dynaconf.utils import object_merge + from dynaconf.utils.parse_conf import try_to_encode +-from dynaconf.vendor.ruamel import yaml ++from ruamel import yaml + + # Add support for Dynaconf Lazy values to YAML dumper + yaml.SafeDumper.yaml_representers[ +diff --git a/dynaconf/utils/parse_conf.py b/dynaconf/utils/parse_conf.py +index c42b07a..01ccdae 100644 +--- a/dynaconf/utils/parse_conf.py ++++ b/dynaconf/utils/parse_conf.py +@@ -9,7 +9,7 @@ from dynaconf.utils import isnamedtupleinstance + from dynaconf.utils import multi_replace + from dynaconf.utils import recursively_evaluate_lazy_format + from dynaconf.utils.boxing import DynaBox +-from dynaconf.vendor import toml ++import toml + + try: + from jinja2 import Environment +diff --git a/dynaconf/vendor/box/converters.py b/dynaconf/vendor/box/converters.py +index 93cdcfb..e34c7dc 100644 +--- a/dynaconf/vendor/box/converters.py ++++ b/dynaconf/vendor/box/converters.py +@@ -7,9 +7,9 @@ _B='utf-8' + _A=None + import 
csv,json,sys,warnings + from pathlib import Path +-import dynaconf.vendor.ruamel.yaml as yaml ++import ruamel.yaml as yaml + from dynaconf.vendor.box.exceptions import BoxError,BoxWarning +-from dynaconf.vendor import toml ++import toml + BOX_PARAMETERS='default_box','default_box_attr','conversion_box','frozen_box','camel_killer_box','box_safe_prefix','box_duplicates','ordered_box','default_box_none_transform','box_dots','modify_tuples_box','box_intact_types','box_recast' + def _exists(filename,create=_E): + A=filename;B=Path(A) +diff --git a/dynaconf/vendor/box/from_file.py b/dynaconf/vendor/box/from_file.py +index daa1137..d75940b 100644 +--- a/dynaconf/vendor/box/from_file.py ++++ b/dynaconf/vendor/box/from_file.py +@@ -1,8 +1,8 @@ + from json import JSONDecodeError + from pathlib import Path + from typing import Union +-from dynaconf.vendor.toml import TomlDecodeError +-from dynaconf.vendor.ruamel.yaml import YAMLError ++from toml import TomlDecodeError ++from ruamel.yaml import YAMLError + from .exceptions import BoxError + from .box import Box + from .box_list import BoxList +diff --git a/dynaconf/vendor_src/box/converters.py b/dynaconf/vendor_src/box/converters.py +index c9a2293..ae42bf6 100644 +--- a/dynaconf/vendor_src/box/converters.py ++++ b/dynaconf/vendor_src/box/converters.py +@@ -9,9 +9,9 @@ import sys + import warnings + from pathlib import Path + +-import dynaconf.vendor.ruamel.yaml as yaml ++import ruamel.yaml as yaml + from dynaconf.vendor.box.exceptions import BoxError, BoxWarning +-from dynaconf.vendor import toml ++import toml + + + BOX_PARAMETERS = ('default_box', 'default_box_attr', 'conversion_box', +diff --git a/dynaconf/vendor_src/box/from_file.py b/dynaconf/vendor_src/box/from_file.py +index 2e2a6ad..3f76819 100644 +--- a/dynaconf/vendor_src/box/from_file.py ++++ b/dynaconf/vendor_src/box/from_file.py +@@ -3,8 +3,8 @@ + from json import JSONDecodeError + from pathlib import Path + from typing import Union +-from dynaconf.vendor.toml 
import TomlDecodeError +-from dynaconf.vendor.ruamel.yaml import YAMLError ++from toml import TomlDecodeError ++from ruamel.yaml import YAMLError + + + from .exceptions import BoxError +diff --git a/tests/test_cli.py b/tests/test_cli.py +index 6693701..df44409 100644 +--- a/tests/test_cli.py ++++ b/tests/test_cli.py +@@ -11,7 +11,7 @@ from dynaconf.cli import main + from dynaconf.cli import read_file_in_root_directory + from dynaconf.cli import WRITERS + from dynaconf.utils.files import read_file +-from dynaconf.vendor.click.testing import CliRunner ++from click.testing import CliRunner + + + runner = CliRunner() + +base-commit: ebf7b17cffd5e08b212948bd8036d580718d5bf8 +-- +2.32.0 diff --git a/gnu/packages/patches/icecat-78-makeicecat.patch b/gnu/packages/patches/icecat-78-makeicecat.patch deleted file mode 100644 index edd1ced257..0000000000 --- a/gnu/packages/patches/icecat-78-makeicecat.patch +++ /dev/null 
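Review bot: dynaconf-unvendor-deps.patch only rewrites import statements (16 insertions and 16 deletions by its own diffstat), so the bundled copies of click, toml, dotenv and ruamel under `dynaconf/vendor` presumably stay in the source tree unless something outside this patch deletes them. Bundled copies that remain installed do not receive the system packages' security updates and can still be imported by any module the patch did not touch. Whether the package definition removes them is not visible here, so the patch header should say so explicitly, for example `The bundled click, toml, dotenv and ruamel.yaml copies are deleted in the origin snippet.` if that is the case.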
@@ -1,110 +0,0 @@ -Make some of the changes needed to the 'makeicecat' script, to allow it to run -in a snippet without network access. After this patch is applied, some -additional changes will be made using 'substitute*'. - -diff --git a/makeicecat b/makeicecat -index 8be2362..48716f2 100755 ---- a/makeicecat -+++ b/makeicecat -@@ -31,55 +31,55 @@ SOURCEDIR=icecat-$FFVERSION - - DATA="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/data - --mkdir -p output --cd output -+# mkdir -p output -+# cd output - - ############################################################################### - # Retrieve FF source code - ############################################################################### - --rm mozilla-esr${FFMAJOR} $SOURCEDIR -rf -- --wget -N https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FFVERSION}esr/source/firefox-${FFVERSION}esr.source.tar.xz --wget -N https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FFVERSION}esr/source/firefox-${FFVERSION}esr.source.tar.xz.asc --gpg --recv-keys --keyserver keyserver.ubuntu.com 14F26682D0916CDD81E37B6D61B7B526D98F0353 --gpg --verify firefox-${FFVERSION}esr.source.tar.xz.asc --echo -n 1aa041db28cd742e93d663a9da8defd33040b38d8b9470350538473251621643 firefox-${FFVERSION}esr.source.tar.xz |sha256sum -c - -- --echo Extracting Firefox tarball --tar -xf firefox-${FFVERSION}esr.source.tar.xz -- --mv firefox-${FFVERSION} $SOURCEDIR -+# rm mozilla-esr${FFMAJOR} $SOURCEDIR -rf -+# -+# wget -N https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FFVERSION}esr/source/firefox-${FFVERSION}esr.source.tar.xz -+# wget -N https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FFVERSION}esr/source/firefox-${FFVERSION}esr.source.tar.xz.asc -+# gpg --recv-keys --keyserver keyserver.ubuntu.com 14F26682D0916CDD81E37B6D61B7B526D98F0353 -+# gpg --verify firefox-${FFVERSION}esr.source.tar.xz.asc -+# echo -n 1aa041db28cd742e93d663a9da8defd33040b38d8b9470350538473251621643 firefox-${FFVERSION}esr.source.tar.xz 
|sha256sum -c - -+# -+# echo Extracting Firefox tarball -+# tar -xf firefox-${FFVERSION}esr.source.tar.xz -+# -+# mv firefox-${FFVERSION} $SOURCEDIR - - ############################################################################### - # Retrieve l10n - ############################################################################### - --mkdir l10n --cd l10n --while read line;do -- line=$(echo $line |cut -d' ' -f1) -- #[ $line = "es-ES" ] || continue # To speed up testing -- [ $line = "en-US" ] && continue -- hg clone https://hg.mozilla.org/l10n-central/$line -- mkdir -p $line/browser/chrome/browser/preferences -- touch $line/browser/chrome/browser/preferences/advanced-scripts.dtd -- rm -rf $line/.hg* --done < ../$SOURCEDIR/browser/locales/shipped-locales --cd .. -- --mv l10n $SOURCEDIR -- --hg clone https://hg.mozilla.org/l10n/compare-locales/ --cd compare-locales/ --hg checkout RELEASE_8_0_0 --cd .. --rm compare-locales/.hg* compare-locales/.git* -rf --mv compare-locales $SOURCEDIR/l10n -+# mkdir l10n -+# cd l10n -+# while read line;do -+# line=$(echo $line |cut -d' ' -f1) -+# #[ $line = "es-ES" ] || continue # To speed up testing -+# [ $line = "en-US" ] && continue -+# hg clone https://hg.mozilla.org/l10n-central/$line -+# mkdir -p $line/browser/chrome/browser/preferences -+# touch $line/browser/chrome/browser/preferences/advanced-scripts.dtd -+# rm -rf $line/.hg* -+# done < ../$SOURCEDIR/browser/locales/shipped-locales -+# cd .. -+# -+# mv l10n $SOURCEDIR -+# -+# hg clone https://hg.mozilla.org/l10n/compare-locales/ -+# cd compare-locales/ -+# hg checkout RELEASE_8_0_0 -+# cd .. 
-+# rm compare-locales/.hg* compare-locales/.git* -rf -+# mv compare-locales $SOURCEDIR/l10n - - ####################################################### - --cd $SOURCEDIR -+# cd $SOURCEDIR - - shopt -s nullglob - for patch in $DATA/patches/*.patch; do -@@ -598,6 +598,6 @@ sed 's/777/755/;' -i toolkit/crashreporter/google-breakpad/Makefile.in - # Fix CVE-2012-3386 - /bin/sed 's/chmod a+w/chmod u+w/' -i ./js/src/ctypes/libffi/Makefile.in ./toolkit/crashreporter/google-breakpad/Makefile.in ./toolkit/crashreporter/google-breakpad/src/third_party/glog/Makefile.in || true - --cd .. --echo Packaging tarball --tar cfj icecat-$ICECATVERSION.tar.bz2 $SOURCEDIR -+# cd .. -+# echo Packaging tarball -+# tar cfj icecat-$ICECATVERSION.tar.bz2 $SOURCEDIR diff --git a/gnu/packages/patches/icecat-CVE-2021-43527.patch b/gnu/packages/patches/icecat-CVE-2021-43527.patch new file mode 100644 index 0000000000..66706ea5e0 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2021-43527.patch 
@@ -0,0 +1,354 @@ +Fixes CVE-2021-43527. +Copied from <https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd>, +but with the file names adjusted to allow easy use within GNU Guix. + +# HG changeset patch +# User Dennis Jackson <djackson@mozilla.com> +# Date 1637577642 0 +# Node ID dea71cbef9e03636f37c6cb120f8deccce6e17dd +# Parent da3d22d708c9cc0a32cff339658aeb627575e371 +Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea + +Differential Revision: https://phabricator.services.mozilla.com/D129514 + +--- a/security/nss/lib/cryptohi/secvfy.c ++++ b/security/nss/lib/cryptohi/secvfy.c +@@ -159,58 +159,89 @@ verifyPKCS1DigestInfo(const VFYContext * + SECItem pkcs1DigestInfo; + pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo; + pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen; + return _SGN_VerifyPKCS1DigestInfo( + cx->hashAlg, digest, &pkcs1DigestInfo, + PR_FALSE /*XXX: unsafeAllowMissingParameters*/); + } + ++static unsigned int ++checkedSignatureLen(const SECKEYPublicKey *pubk) ++{ ++ unsigned int sigLen = SECKEY_SignatureLen(pubk); ++ if (sigLen == 0) { ++ /* Error set by SECKEY_SignatureLen */ ++ return sigLen; ++ } ++ unsigned int maxSigLen; ++ switch (pubk->keyType) { ++ case rsaKey: ++ case rsaPssKey: ++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8; ++ break; ++ case dsaKey: ++ maxSigLen = DSA_MAX_SIGNATURE_LEN; ++ break; ++ case ecKey: ++ maxSigLen = 2 * MAX_ECKEY_LEN; ++ break; ++ default: ++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); ++ return 0; ++ } ++ if (sigLen > maxSigLen) { ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ return 0; ++ } ++ return sigLen; ++} ++ + /* + * decode the ECDSA or DSA signature from it's DER wrapping. + * The unwrapped/raw signature is placed in the buffer pointed + * to by dsig and has enough room for len bytes. 
+ */ + static SECStatus + decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig, + unsigned int len) + { + SECItem *dsasig = NULL; /* also used for ECDSA */ +- SECStatus rv = SECSuccess; + +- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && +- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { +- if (sig->len != len) { +- PORT_SetError(SEC_ERROR_BAD_DER); +- return SECFailure; ++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */ ++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { ++ if (len > DSA_MAX_SIGNATURE_LEN) { ++ goto loser; + } +- +- PORT_Memcpy(dsig, sig->data, sig->len); +- return SECSuccess; ++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { ++ if (len > MAX_ECKEY_LEN * 2) { ++ goto loser; ++ } ++ } else { ++ goto loser; + } + +- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { +- if (len > MAX_ECKEY_LEN * 2) { +- PORT_SetError(SEC_ERROR_BAD_DER); +- return SECFailure; +- } ++ /* Decode and pad to length */ ++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); ++ if (dsasig == NULL) { ++ goto loser; + } +- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); +- +- if ((dsasig == NULL) || (dsasig->len != len)) { +- rv = SECFailure; +- } else { +- PORT_Memcpy(dsig, dsasig->data, dsasig->len); ++ if (dsasig->len != len) { ++ SECITEM_FreeItem(dsasig, PR_TRUE); ++ goto loser; + } + +- if (dsasig != NULL) +- SECITEM_FreeItem(dsasig, PR_TRUE); +- if (rv == SECFailure) +- PORT_SetError(SEC_ERROR_BAD_DER); +- return rv; ++ PORT_Memcpy(dsig, dsasig->data, len); ++ SECITEM_FreeItem(dsasig, PR_TRUE); ++ ++ return SECSuccess; ++ ++loser: ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ return SECFailure; + } + + const SEC_ASN1Template hashParameterTemplate[] = + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, + { SEC_ASN1_OBJECT_ID, 0 }, + { SEC_ASN1_SKIP_REST }, + { 0 } +@@ -276,17 +307,17 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg + * + * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the + 
* algorithm was not found or was not a signing algorithm. + */ + SECStatus + sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, + const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg) + { +- int len; ++ unsigned int len; + PLArenaPool *arena; + SECStatus rv; + SECItem oid; + SECOidTag encalg; + + PR_ASSERT(hashalg != NULL); + PR_ASSERT(encalgp != NULL); + +@@ -461,58 +492,62 @@ vfy_CreateContext(const SECKEYPublicKey + cx->wincx = wincx; + cx->hasSignature = (sig != NULL); + cx->encAlg = encAlg; + cx->hashAlg = hashAlg; + cx->key = SECKEY_CopyPublicKey(key); + cx->pkcs1RSADigestInfo = NULL; + rv = SECSuccess; + if (sig) { +- switch (type) { +- case rsaKey: +- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, +- &cx->pkcs1RSADigestInfo, +- &cx->pkcs1RSADigestInfoLen, +- cx->key, +- sig, wincx); +- break; +- case rsaPssKey: +- sigLen = SECKEY_SignatureLen(key); +- if (sigLen == 0) { +- /* error set by SECKEY_SignatureLen */ +- rv = SECFailure; ++ rv = SECFailure; ++ if (type == rsaKey) { ++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, ++ &cx->pkcs1RSADigestInfo, ++ &cx->pkcs1RSADigestInfoLen, ++ cx->key, ++ sig, wincx); ++ } else { ++ sigLen = checkedSignatureLen(key); ++ /* Check signature length is within limits */ ++ if (sigLen == 0) { ++ /* error set by checkedSignatureLen */ ++ rv = SECFailure; ++ goto loser; ++ } ++ if (sigLen > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ rv = SECFailure; ++ goto loser; ++ } ++ switch (type) { ++ case rsaPssKey: ++ if (sig->len != sigLen) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ rv = SECFailure; ++ goto loser; ++ } ++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen); ++ rv = SECSuccess; + break; +- } +- if (sig->len != sigLen) { +- PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ case ecKey: ++ case dsaKey: ++ /* decodeECorDSASignature will check sigLen == sig->len after padding */ ++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); ++ break; ++ default: ++ /* 
Unreachable */ + rv = SECFailure; +- break; +- } +- PORT_Memcpy(cx->u.buffer, sig->data, sigLen); +- break; +- case dsaKey: +- case ecKey: +- sigLen = SECKEY_SignatureLen(key); +- if (sigLen == 0) { +- /* error set by SECKEY_SignatureLen */ +- rv = SECFailure; +- break; +- } +- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); +- break; +- default: +- rv = SECFailure; +- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); +- break; ++ goto loser; ++ } ++ } ++ if (rv != SECSuccess) { ++ goto loser; + } + } + +- if (rv) +- goto loser; +- + /* check hash alg again, RSA may have changed it.*/ + if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { + /* error set by HASH_GetHashTypeByOidTag */ + goto loser; + } + /* check the policy on the hash algorithm. Do this after + * the rsa decode because some uses of this function get hash implicitly + * from the RSA signature itself. */ +@@ -645,21 +680,26 @@ VFY_EndWithSignature(VFYContext *cx, SEC + if (cx->hashcx == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final)); + switch (cx->key->keyType) { + case ecKey: + case dsaKey: +- dsasig.data = cx->u.buffer; +- dsasig.len = SECKEY_SignatureLen(cx->key); ++ dsasig.len = checkedSignatureLen(cx->key); + if (dsasig.len == 0) { + return SECFailure; + } ++ if (dsasig.len > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ return SECFailure; ++ } ++ dsasig.data = cx->u.buffer; ++ + if (sig) { + rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, + dsasig.len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + } +@@ -681,18 +721,23 @@ VFY_EndWithSignature(VFYContext *cx, SEC + cx->params, + &mech); + PORT_DestroyCheapArena(&tmpArena); + if (rv != SECSuccess) { + return SECFailure; + } + + rsasig.data = cx->u.buffer; +- rsasig.len = SECKEY_SignatureLen(cx->key); ++ rsasig.len = checkedSignatureLen(cx->key); + if (rsasig.len 
== 0) { ++ /* Error set by checkedSignatureLen */ ++ return SECFailure; ++ } ++ if (rsasig.len > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + if (sig) { + if (sig->len != rsasig.len) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + PORT_Memcpy(rsasig.data, sig->data, rsasig.len); +@@ -744,37 +789,42 @@ VFY_End(VFYContext *cx) + static SECStatus + vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, + const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, + void *wincx) + { + SECStatus rv; + VFYContext *cx; + SECItem dsasig; /* also used for ECDSA */ +- + rv = SECFailure; + + cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); + if (cx != NULL) { + switch (key->keyType) { + case rsaKey: + rv = verifyPKCS1DigestInfo(cx, digest); ++ /* Error (if any) set by verifyPKCS1DigestInfo */ + break; +- case dsaKey: + case ecKey: ++ case dsaKey: + dsasig.data = cx->u.buffer; +- dsasig.len = SECKEY_SignatureLen(cx->key); ++ dsasig.len = checkedSignatureLen(cx->key); + if (dsasig.len == 0) { ++ /* Error set by checkedSignatureLen */ ++ rv = SECFailure; + break; + } +- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) != +- SECSuccess) { ++ if (dsasig.len > sizeof(cx->u)) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); +- } else { +- rv = SECSuccess; ++ rv = SECFailure; ++ break; ++ } ++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx); ++ if (rv != SECSuccess) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + } + break; + default: + break; + } + VFY_DestroyContext(cx, PR_TRUE); + } + return rv; + diff --git a/gnu/packages/patches/nss-CVE-2021-43527.patch b/gnu/packages/patches/nss-CVE-2021-43527.patch new file mode 100644 index 0000000000..b619438f37 --- /dev/null +++ b/gnu/packages/patches/nss-CVE-2021-43527.patch 
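Review bot: The new `sigLen > sizeof(cx->u)`, `dsasig.len > sizeof(cx->u)` and `rsasig.len > sizeof(cx->u)` checks in vfy_CreateContext, VFY_EndWithSignature and vfy_VerifyDigest bound accesses that go through `cx->u.buffer`, but the declaration of that union is outside every hunk of icecat-CVE-2021-43527.patch. A reader cannot confirm from the patch that `buffer` spans the whole union, which is what makes `sizeof(cx->u)` the right capacity. A one-line comment at the first check would record the assumption: `/* cx->u.buffer is the byte view of the whole union, so sizeof(cx->u) is its capacity */`. Separately, the added comment in decodeECorDSASignature misspells "maximums" as "maxmimums". The visible part of nss-CVE-2021-43527.patch carries the same code.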
@@ -0,0 +1,354 @@
+Fixes CVE-2021-43527.
+Copied from <https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd>,
+but with the file names adjusted to allow easy use within GNU Guix.
+
+# HG changeset patch
+# User Dennis Jackson <djackson@mozilla.com>
+# Date 1637577642 0
+# Node ID dea71cbef9e03636f37c6cb120f8deccce6e17dd
+# Parent da3d22d708c9cc0a32cff339658aeb627575e371
+Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D129514
+
+--- a/nss/lib/cryptohi/secvfy.c
++++ b/nss/lib/cryptohi/secvfy.c
+@@ -159,58 +159,89 @@ verifyPKCS1DigestInfo(const VFYContext *
+ SECItem pkcs1DigestInfo;
+ pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo;
+ pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
+ return _SGN_VerifyPKCS1DigestInfo(
+ cx->hashAlg, digest, &pkcs1DigestInfo,
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++ unsigned int sigLen = SECKEY_SignatureLen(pubk);
++ if (sigLen == 0) {
++ /* Error set by SECKEY_SignatureLen */
++ return sigLen;
++ }
++ unsigned int maxSigLen;
++ switch (pubk->keyType) {
++ case rsaKey:
++ case rsaPssKey:
++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++ break;
++ case dsaKey:
++ maxSigLen = DSA_MAX_SIGNATURE_LEN;
++ break;
++ case ecKey:
++ maxSigLen = 2 * MAX_ECKEY_LEN;
++ break;
++ default:
++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++ return 0;
++ }
++ if (sigLen > maxSigLen) {
++ PORT_SetError(SEC_ERROR_INVALID_KEY);
++ return 0;
++ }
++ return sigLen;
++}
++
+ /*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+ * to by dsig and has enough room for len bytes.
+ */
+ static SECStatus
+ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
+ unsigned int len)
+ {
+ SECItem *dsasig = NULL; /* also used for ECDSA */
+- SECStatus rv = SECSuccess;
+
+- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+- if (sig->len != len) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++ if (len > DSA_MAX_SIGNATURE_LEN) {
++ goto loser;
+ }
+-
+- PORT_Memcpy(dsig, sig->data, sig->len);
+- return SECSuccess;
++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++ if (len > MAX_ECKEY_LEN * 2) {
++ goto loser;
++ }
++ } else {
++ goto loser;
+ }
+
+- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+- if (len > MAX_ECKEY_LEN * 2) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
+- }
++ /* Decode and pad to length */
++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++ if (dsasig == NULL) {
++ goto loser;
+ }
+- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+- if ((dsasig == NULL) || (dsasig->len != len)) {
+- rv = SECFailure;
+- } else {
+- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++ if (dsasig->len != len) {
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++ goto loser;
+ }
+
+- if (dsasig != NULL)
+- SECITEM_FreeItem(dsasig, PR_TRUE);
+- if (rv == SECFailure)
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return rv;
++ PORT_Memcpy(dsig, dsasig->data, len);
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++
++ return SECSuccess;
++
++loser:
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ return SECFailure;
+ }
+
+ const SEC_ASN1Template hashParameterTemplate[] =
+ {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) },
+ { SEC_ASN1_OBJECT_ID, 0 },
+ { SEC_ASN1_SKIP_REST },
+ { 0 }
+@@ -276,17 +307,17 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg
+ *
+ * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
+ * algorithm was not found or was not a signing algorithm.
+ */
+ SECStatus
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+ const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+ {
+- int len;
++ unsigned int len;
+ PLArenaPool *arena;
+ SECStatus rv;
+ SECItem oid;
+ SECOidTag encalg;
+
+ PR_ASSERT(hashalg != NULL);
+ PR_ASSERT(encalgp != NULL);
+
+@@ -461,58 +492,62 @@ vfy_CreateContext(const SECKEYPublicKey
+ cx->wincx = wincx;
+ cx->hasSignature = (sig != NULL);
+ cx->encAlg = encAlg;
+ cx->hashAlg = hashAlg;
+ cx->key = SECKEY_CopyPublicKey(key);
+ cx->pkcs1RSADigestInfo = NULL;
+ rv = SECSuccess;
+ if (sig) {
+- switch (type) {
+- case rsaKey:
+- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+- &cx->pkcs1RSADigestInfo,
+- &cx->pkcs1RSADigestInfoLen,
+- cx->key,
+- sig, wincx);
+- break;
+- case rsaPssKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
++ rv = SECFailure;
++ if (type == rsaKey) {
++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++ &cx->pkcs1RSADigestInfo,
++ &cx->pkcs1RSADigestInfoLen,
++ cx->key,
++ sig, wincx);
++ } else {
++ sigLen = checkedSignatureLen(key);
++ /* Check signature length is within limits */
++ if (sigLen == 0) {
++ /* error set by checkedSignatureLen */
++ rv = SECFailure;
++ goto loser;
++ }
++ if (sigLen > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ switch (type) {
++ case rsaPssKey:
++ if (sig->len != sigLen) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++ rv = SECSuccess;
+ break;
+- }
+- if (sig->len != sigLen) {
+- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ case ecKey:
++ case dsaKey:
++ /* decodeECorDSASignature will check sigLen == sig->len after padding */
++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
++ break;
++ default:
++ /* Unreachable */
+ rv = SECFailure;
+- break;
+- }
+- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+- break;
+- case dsaKey:
+- case ecKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
+- break;
+- }
+- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+- break;
+- default:
+- rv = SECFailure;
+- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+- break;
++ goto loser;
++ }
++ }
++ if (rv != SECSuccess) {
++ goto loser;
+ }
+ }
+
+- if (rv)
+- goto loser;
+-
+ /* check hash alg again, RSA may have changed it.*/
+ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+ /* error set by HASH_GetHashTypeByOidTag */
+ goto loser;
+ }
+ /* check the policy on the hash algorithm. Do this after
+ * the rsa decode because some uses of this function get hash implicitly
+ * from the RSA signature itself. */
+@@ -645,21 +680,26 @@ VFY_EndWithSignature(VFYContext *cx, SEC
+ if (cx->hashcx == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
+ switch (cx->key->keyType) {
+ case ecKey:
+ case dsaKey:
+- dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
+ return SECFailure;
+ }
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ return SECFailure;
++ }
++ dsasig.data = cx->u.buffer;
++
+ if (sig) {
+ rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+ dsasig.len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ }
+@@ -681,18 +721,23 @@ VFY_EndWithSignature(VFYContext *cx, SEC
+ cx->params,
+ &mech);
+ PORT_DestroyCheapArena(&tmpArena);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ rsasig.data = cx->u.buffer;
+- rsasig.len = SECKEY_SignatureLen(cx->key);
++ rsasig.len = checkedSignatureLen(cx->key);
+ if (rsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ return SECFailure;
++ }
++ if (rsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ if (sig) {
+ if (sig->len != rsasig.len) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ PORT_Memcpy(rsasig.data, sig->data, rsasig.len);
+@@ -744,37 +789,42 @@ VFY_End(VFYContext *cx)
+ static SECStatus
+ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
+ const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg,
+ void *wincx)
+ {
+ SECStatus rv;
+ VFYContext *cx;
+ SECItem dsasig; /* also used for ECDSA */
+-
+ rv = SECFailure;
+
+ cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+ if (cx != NULL) {
+ switch (key->keyType) {
+ case rsaKey:
+ rv = verifyPKCS1DigestInfo(cx, digest);
++ /* Error (if any) set by verifyPKCS1DigestInfo */
+ break;
+- case dsaKey:
+ case ecKey:
++ case dsaKey:
+ dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ rv = SECFailure;
+ break;
+ }
+- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+- SECSuccess) {
++ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- } else {
+- rv = SECSuccess;
++ rv = SECFailure;
++ break;
++ }
++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++ if (rv != SECSuccess) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ }
+ break;
+ default:
+ break;
+ }
+ VFY_DestroyContext(cx, PR_TRUE);
+ }
+ return rv;
+
diff --git a/gnu/packages/patches/racket-minimal-backport-1629887.patch b/gnu/packages/patches/racket-minimal-backport-1629887.patch
deleted file mode 100644
index aa060ef5aa..0000000000
--- a/gnu/packages/patches/racket-minimal-backport-1629887.patch
+++ /dev/null
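Review bot: The new `checkedSignatureLen` helper has no header comment, and the second bound every caller must apply, `> sizeof(cx->u)`, is repeated by hand in vfy_CreateContext, in both branches of VFY_EndWithSignature and in vfy_VerifyDigest without any statement of why the union size is the limit for writes through `cx->u.buffer`. I would add a short comment above `checkedSignatureLen` saying that it returns 0 with the error code set for a zero length, an unsupported key type or a length above the per-algorithm maximum, and that callers must still compare the result with the destination buffer before copying. The declaration of `cx->u` is outside the hunks shown, so the relation between its size and the per-algorithm maxima is inferred rather than visible here. In vfy_VerifyDigest `dsasig.data = cx->u.buffer;` still precedes the two length checks while VFY_EndWithSignature assigns it after them; using the same order at both sites would make the invariant easier to audit. All of these functions begin or end outside the hunks.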
@@ -1,28 +0,0 @@
-From fb1a6ab205fd63a46669a463931af473e2ac0c87 Mon Sep 17 00:00:00 2001
-From: Matthew Flatt <mflatt@racket-lang.org>
-Date: Sat, 21 Aug 2021 15:29:59 -0600
-Subject: [PATCH] setup/variant: recognize starter executables
-
-Related to #3969
-
-(cherry picked from commit 1629887071fe3cc8fe8af0a7aa0d3912509cb058)
----
- racket/collects/setup/variant.rkt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/racket/collects/setup/variant.rkt b/racket/collects/setup/variant.rkt
-index 81da6f5701..b23131e481 100644
---- a/racket/collects/setup/variant.rkt
-+++ b/racket/collects/setup/variant.rkt
-@@ -25,7 +25,7 @@
- (and (file-exists? f)
- (with-input-from-file f
- (lambda ()
-- (define m (regexp-match #rx#"bINARy tYPe:..(.)"
-+ (define m (regexp-match #rx#"bINARy tYPe:e?..(.)"
- (current-input-port)))
- (cond
- [(not m) '3m]
---
-2.30.2
-
diff --git a/gnu/packages/patches/u-boot-rk3399-enable-emmc-phy.patch b/gnu/packages/patches/u-boot-rk3399-enable-emmc-phy.patch
new file mode 100644
index 0000000000..f14a9ce104
--- /dev/null
+++ b/gnu/packages/patches/u-boot-rk3399-enable-emmc-phy.patch
@@ -0,0 +1,26 @@
+adapting commit ac804143cf ("mmc: rockchip_sdhci: add phy and clock
+config for rk3399") to fix the issue "Not found emmc phy device".
+
+Signed-off-by: Yifeng Zhao <yifeng.zhao@rock-chips.com>
+---
+
+ arch/arm/dts/rk3399-u-boot.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm/dts/rk3399-u-boot.dtsi b/arch/arm/dts/rk3399-u-boot.dtsi
+index 73922c328a..716b9a433a 100644
+--- a/arch/arm/dts/rk3399-u-boot.dtsi
++++ b/arch/arm/dts/rk3399-u-boot.dtsi
+@@ -88,6 +88,10 @@
+ u-boot,dm-pre-reloc;
+ };
+
++&emmc_phy {
++ u-boot,dm-pre-reloc;
++};
++
+ &grf {
+ u-boot,dm-pre-reloc;
+ };
+--
+2.17.1
diff --git a/gnu/packages/patches/yggdrasil-extra-config.patch b/gnu/packages/patches/yggdrasil-extra-config.patch
index c21ca29a84..bd4bea7b9f 100644
--- a/gnu/packages/patches/yggdrasil-extra-config.patch
+++ b/gnu/packages/patches/yggdrasil-extra-config.patch @@ -1,27 +1,39 @@ +From 779f980451d20079b34812f7006f2d7230738ad0 Mon Sep 17 00:00:00 2001 +From: csepp <raingloom@riseup.net> +Date: Wed, 3 Nov 2021 21:14:54 +0100 +Subject: [PATCH] add extra config file option to yggdrasil command + +This is useful in Guix and Nix, because one config file can come +from the world-readable store and another can be placed directly +into /etc with much stricter permissions. +--- + cmd/yggdrasil/main.go | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + diff --git a/cmd/yggdrasil/main.go b/cmd/yggdrasil/main.go -index 813e950..08d35cc 100644 +index 58b8230..b9df98a 100644 --- a/cmd/yggdrasil/main.go 
+++ b/cmd/yggdrasil/main.go -@@ -40,11 +40,12 @@ type node struct { - admin module.Module // admin.AdminSocket +@@ -43,11 +43,12 @@ type node struct { + admin *admin.AdminSocket } --func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config.NodeConfig { -+func readConfig(useconf *bool, useconffile *string, extraconffile *string, normaliseconf *bool) *config.NodeConfig { +-func readConfig(log *log.Logger, useconf bool, useconffile string, normaliseconf bool) *config.NodeConfig { ++func readConfig(log *log.Logger, useconf bool, useconffile string, extraconffile string, normaliseconf bool) *config.NodeConfig { // Use a configuration file. If -useconf, the configuration will be read // from stdin. If -useconffile, the configuration will be read from the // filesystem. var conf []byte + var extraconf []byte var err error - if *useconffile != "" { + if useconffile != "" { // Read the file from the filesystem -@@ -56,6 +57,21 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config +@@ -59,6 +60,21 @@ func readConfig(log *log.Logger, useconf bool, useconffile string, normaliseconf if err != nil { panic(err) } -+ if *extraconffile != "" { -+ extraconf, err = ioutil.ReadFile(*extraconffile); ++ if extraconffile != "" { ++ extraconf, err = ioutil.ReadFile(extraconffile); + } + if err != nil { + panic(err) @@ -30,7 +42,7 @@ index 813e950..08d35cc 100644 + // then parse the configuration we loaded above on top of it. The effect + // of this is that any configuration item that is missing from the provided + // configuration will use a sane default. -+ cfg := config.GenerateConfig() ++ cfg := defaults.GenerateConfig() + var confs [2][]byte + confs[0]=conf + confs[1]=extraconf 
@@ -38,7 +50,7 @@ index 813e950..08d35cc 100644 // If there's a byte order mark - which Windows 10 is now incredibly fond of // throwing everywhere when it's converting things into UTF-16 for the hell // of it - remove it and decode back down into UTF-8. This is necessary -@@ -69,11 +85,6 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config +@@ -72,11 +88,6 @@ func readConfig(log *log.Logger, useconf bool, useconffile string, normaliseconf panic(err) } } @@ -46,11 +58,11 @@ index 813e950..08d35cc 100644 - // then parse the configuration we loaded above on top of it. The effect - // of this is that any configuration item that is missing from the provided - // configuration will use a sane default. -- cfg := config.GenerateConfig() +- cfg := defaults.GenerateConfig() var dat map[string]interface{} if err := hjson.Unmarshal(conf, &dat); err != nil { panic(err) -@@ -112,6 +123,7 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config +@@ -136,6 +147,7 @@ func readConfig(log *log.Logger, useconf bool, useconffile string, normaliseconf if err = mapstructure.Decode(dat, &cfg); err != nil { panic(err) } @@ -58,7 +70,15 @@ index 813e950..08d35cc 100644 return cfg } -@@ -164,6 +176,7 @@ func main() { +@@ -192,6 +204,7 @@ type yggArgs struct { + getaddr bool + getsnet bool + useconffile string ++ extraconffile string + logto string + loglevel string + } +@@ -200,6 +213,7 @@ func getArgs() yggArgs { genconf := flag.Bool("genconf", false, "print a new config to stdout") useconf := flag.Bool("useconf", false, "read HJSON/JSON config from stdin") useconffile := flag.String("useconffile", "", "read HJSON/JSON config from specified file path") 
@@ -66,21 +86,23 @@ index 813e950..08d35cc 100644 normaliseconf := flag.Bool("normaliseconf", false, "use in combination with either -useconf or -useconffile, outputs your configuration normalised") confjson := flag.Bool("json", false, "print configuration from -genconf or -normaliseconf as JSON instead of HJSON") autoconf := flag.Bool("autoconf", false, "automatic mode (dynamic IP, peer with IPv6 neighbors)") -@@ -187,7 +200,7 @@ func main() { - cfg = config.GenerateConfig() - case *useconffile != "" || *useconf: +@@ -213,6 +227,7 @@ func getArgs() yggArgs { + genconf: *genconf, + useconf: *useconf, + useconffile: *useconffile, ++ extraconffile: *extraconffile, + normaliseconf: *normaliseconf, + confjson: *confjson, + autoconf: *autoconf, +@@ -265,7 +280,7 @@ func run(args yggArgs, ctx context.Context, done chan struct{}) { + cfg = defaults.GenerateConfig() + case args.useconffile != "" || args.useconf: // Read the configuration from either stdin or from the filesystem -- cfg = readConfig(useconf, useconffile, normaliseconf) -+ cfg = readConfig(useconf, useconffile, extraconffile, normaliseconf) +- cfg = readConfig(logger, args.useconf, args.useconffile, args.normaliseconf) ++ cfg = readConfig(logger, args.useconf, args.useconffile, args.extraconffile, args.normaliseconf) // If the -normaliseconf option was specified then remarshal the above // configuration and print it back to stdout. This lets the user update // their configuration file with newly mapped names (like above) or to -@@ -332,7 +345,7 @@ func main() { - goto exit - case _ = <-r: - if *useconffile != "" { -- cfg = readConfig(useconf, useconffile, normaliseconf) -+ cfg = readConfig(useconf, useconffile, extraconffile, normaliseconf) - logger.Infoln("Reloading configuration from", *useconffile) - n.core.UpdateConfig(cfg) - n.tuntap.UpdateConfig(cfg) +-- +2.33.1 + |
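Review bot: `-normaliseconf` will now print values read from `-extraconffile` to stdout, because the `cfg` that `run` remarshals comes from `readConfig(logger, args.useconf, args.useconffile, args.extraconffile, args.normaliseconf)` and the comment directly below that call says the configuration is printed back. The patch description presents the extra file as the one kept in /etc with much stricter permissions, so whatever captures that output (a terminal log, a service journal) would hold its contents. The merge loop over `confs` and the rest of `run` are outside the hunks shown, so this is inferred from the visible call and comment. I would state it at the call site, e.g. `// cfg includes values from -extraconffile; -normaliseconf prints them as well`, and repeat the caveat in the help string of the new flag.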