Add recipe for BearSSL - an implementation of the SSL/TLS protocol with
the approach of:
* Be correct and secure.
* Be small
* Be highly portable
* Be feature-rich and extensible

See https://bearssl.org for more details.

Signed-off-by: Jens Rehsack <[email protected]>
---
 ....mk-remove-fixed-command-definitions.patch | 57 +++++++++++++++++++
 ..._x509.c-fix-potential-overflow-issue.patch | 41 +++++++++++++
 .../bearssl/bearssl_0.6.bb                    | 31 ++++++++++
 3 files changed, 129 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/bearssl/bearssl/0001-conf-Unix.mk-remove-fixed-command-definitions.patch
 create mode 100644 
meta-networking/recipes-connectivity/bearssl/bearssl/0002-test-test_x509.c-fix-potential-overflow-issue.patch
 create mode 100644 meta-networking/recipes-connectivity/bearssl/bearssl_0.6.bb

diff --git 
a/meta-networking/recipes-connectivity/bearssl/bearssl/0001-conf-Unix.mk-remove-fixed-command-definitions.patch
 
b/meta-networking/recipes-connectivity/bearssl/bearssl/0001-conf-Unix.mk-remove-fixed-command-definitions.patch
new file mode 100644
index 000000000..00be22499
--- /dev/null
+++ 
b/meta-networking/recipes-connectivity/bearssl/bearssl/0001-conf-Unix.mk-remove-fixed-command-definitions.patch
@@ -0,0 +1,57 @@
+From 4ba61c59d3488c263d106d486b656854a57ad79f Mon Sep 17 00:00:00 2001
+From: Jens Rehsack <[email protected]>
+Date: Thu, 13 Aug 2020 15:26:30 +0200
+Subject: [PATCH 1/2] conf/Unix.mk: remove fixed command definitions
+
+For cross compiling in Yocto or with appropriate SDKs, commands like
+`$CC` are reasonably predefined.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Jens Rehsack <[email protected]>
+---
+ conf/Unix.mk | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/conf/Unix.mk b/conf/Unix.mk
+index 02f2b2b..05979fc 100644
+--- a/conf/Unix.mk
++++ b/conf/Unix.mk
+@@ -37,23 +37,19 @@ RM = rm -f
+ MKDIR = mkdir -p
+ 
+ # C compiler and flags.
+-CC = cc
+-CFLAGS = -W -Wall -Os -fPIC
+ CCOUT = -c -o 
+ 
+ # Static library building tool.
+-AR = ar
+ ARFLAGS = -rcs
+ AROUT =
+ 
+ # DLL building tool.
+-LDDLL = cc
++LDDLL = $(CCLD)
+ LDDLLFLAGS = -shared
+ LDDLLOUT = -o 
+ 
+ # Static linker.
+-LD = cc
+-LDFLAGS = 
++LD = $(CCLD)
+ LDOUT = -o 
+ 
+ # C# compiler; we assume usage of Mono.
+@@ -63,7 +59,7 @@ RUNT0COMP = mono T0Comp.exe
+ # Set the values to 'no' to disable building of the corresponding element
+ # by default. Building can still be invoked with an explicit target call
+ # (e.g. 'make dll' to force build the DLL).
+-#STATICLIB = no
++STATICLIB = no
+ #DLL = no
+ #TOOLS = no
+ #TESTS = no
+-- 
+2.17.1
+
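Review bot: Removing the `CFLAGS = -W -Wall -Os -fPIC` line takes `-fPIC` away from the same build that this patch switches to shared-library-only (`STATICLIB = no`, `LDDLLFLAGS = -shared`), so position-independent objects now depend on whatever `CFLAGS` the environment supplies. Nothing visible in the accompanying recipe adds it back; consider keeping it in the makefile as `CFLAGS += -fPIC` or appending it in the recipe. `LDDLL` and `LD` now expand `$(CCLD)`, which is empty in any environment that does not export it, so a one-line comment such as `# CCLD is expected from the build environment` would help. `Upstream-Status: Inappropriate` usually carries a bracketed reason, e.g. `Upstream-Status: Inappropriate [OE-specific]`.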
diff --git 
a/meta-networking/recipes-connectivity/bearssl/bearssl/0002-test-test_x509.c-fix-potential-overflow-issue.patch
 
b/meta-networking/recipes-connectivity/bearssl/bearssl/0002-test-test_x509.c-fix-potential-overflow-issue.patch
new file mode 100644
index 000000000..94abd27fa
--- /dev/null
+++ 
b/meta-networking/recipes-connectivity/bearssl/bearssl/0002-test-test_x509.c-fix-potential-overflow-issue.patch
@@ -0,0 +1,41 @@
+From 542380a13f178d97851751b57054a6b5be555d1c Mon Sep 17 00:00:00 2001
+From: Jens Rehsack <[email protected]>
+Date: Thu, 13 Aug 2020 16:16:44 +0200
+Subject: [PATCH 2/2] test/test_x509.c: fix potential overflow issue
+
+Instead of doing a memcpy() which does static overflow checking, use
+snprintf() for string copying which does the check dynamically.
+
+Fixes:
+| In file included from .../recipe-sysroot/usr/include/string.h:519,
+|                  from test/test_x509.c:27:
+| In function 'memcpy',
+|     inlined from 'parse_keyvalue' at test/test_x509.c:845:2,
+|     inlined from 'process_conf_file' at test/test_x509.c:1360:7,
+|     inlined from 'main' at test/test_x509.c:2038:2:
+| .../recipe-sysroot/usr/include/bits/string_fortified.h:34:10: warning: 
'__builtin_memcpy' specified bound 4294967295 exceeds maximum object size 
2147483647 [-Wstringop-overflow=]
+|    34 |   return __builtin___memcpy_chk (__dest, __src, __len, __bos0 
(__dest));
+|       |          
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Jens Rehsack <[email protected]>
+---
+ test/test_x509.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/test/test_x509.c b/test/test_x509.c
+index 2c61cf5..76f6ab9 100644
+--- a/test/test_x509.c
++++ b/test/test_x509.c
+@@ -842,8 +842,7 @@ parse_keyvalue(HT *d)
+               return -1;
+       }
+       name = xmalloc(u + 1);
+-      memcpy(name, buf, u);
+-      name[u] = 0;
++      snprintf(name, u, "%s", buf);
+       if (HT_get(d, name) != NULL) {
+               xfree(name);
+               return -1;
+-- 
+2.17.1
+
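Review bot: The replacement `snprintf(name, u, "%s", buf);` drops the last character of the key: `name` holds `u + 1` bytes and the removed code copied `u` bytes and terminated at `name[u]`, whereas snprintf with a size of `u` writes at most `u - 1` characters before the NUL. When `u` is 0 it writes nothing at all, so `HT_get(d, name)` would read uninitialised memory unless an earlier check in `parse_keyvalue`, whose body starts and continues outside this hunk, rejects that case. `%s` also requires `buf` to be NUL-terminated, which the memcpy did not. If the goal is only to silence `-Wstringop-overflow`, keeping the bounded copy and making the range of `u` visible to the compiler is safer; otherwise use `snprintf(name, u + 1, "%.*s", (int)u, buf);`. The patch header also lacks the `Upstream-Status:` tag that patch 1/2 carries.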
diff --git a/meta-networking/recipes-connectivity/bearssl/bearssl_0.6.bb 
b/meta-networking/recipes-connectivity/bearssl/bearssl_0.6.bb
new file mode 100644
index 000000000..7bd0e549d
--- /dev/null
+++ b/meta-networking/recipes-connectivity/bearssl/bearssl_0.6.bb
@@ -0,0 +1,31 @@
+SUMMARY = "BearSSL is an implementation of the SSL/TLS protocol (RFC 5246) 
written in C"
+DESCRIPTION = "BearSSL is an implementation of the SSL/TLS protocol (RFC \
+5246) written in C. It aims at offering the following features: \
+  * Be correct and secure. In particular, insecure protocol versions and \
+    choices of algorithms are not supported, by design; cryptographic \
+    algorithm implementations are constant-time by default. \
+  * Be small, both in RAM and code footprint. For instance, a minimal \
+    server implementation may fit in about 20 kilobytes of compiled code \
+    and 25 kilobytes of RAM. \
+  * Be highly portable. BearSSL targets not only “big” operating systems \
+    like Linux and Windows, but also small embedded systems and even special \
+    contexts like bootstrap code. \
+  * Be feature-rich and extensible. SSL/TLS has many defined cipher suites \
+    and extensions; BearSSL should implement most of them, and allow extra \
+    algorithm implementations to be added afterwards, possibly from third \
+    parties."
+HOMEPAGE = "https://bearssl.org";
+
+SECTION = "libs"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1fc37e1037ae673975fbcb96a98f7191"
+
+SRCREV = "8ef7680081c61b486622f2d983c0d3d21e83caad"
+SRC_URI = "git://www.bearssl.org/git/BearSSL;protocol=https;nobranch=1 \
+          file://0001-conf-Unix.mk-remove-fixed-command-definitions.patch \
+          file://0002-test-test_x509.c-fix-potential-overflow-issue.patch \
+          "
+
+S = "${WORKDIR}/git"
+B = "${S}"
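Review bot: The recipe defines no `do_install` and inherits no class that provides one, so as far as this hunk shows nothing built by the BearSSL makefile is staged into `${D}` and the resulting package would presumably be empty. A `do_install` that installs the shared library into `${D}${libdir}` and the public headers into `${D}${includedir}` is needed before anything can link against it. The `HOMEPAGE` line ends with a stray `;` after the closing quote, which the parser is likely to reject; it should read `HOMEPAGE = "https://bearssl.org"`. Because `SRCREV` pins a commit that may not correspond exactly to the 0.6 release, a short comment stating which upstream tag or release that hash belongs to would make later CVE and version tracking easier.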
-- 
2.17.1
