authorRicardo Wurmus <rekado@elephly.net>2021-12-05 19:17:41 +0100
committerRicardo Wurmus <rekado@elephly.net>2021-12-05 19:17:41 +0100
commit9bc0f45df5d6aed217020b1183dca54989844fb0 (patch)
treed927e89949ff7f65b5059bc94273c53fd43d0763 /gnu/packages/patches
parent6db3c536e89deb8a204e756f427614925a7d2582 (diff)
parent10554e0a57feeea470127a1d0441957d1776b0bd (diff)
Merge remote-tracking branch 'origin/master' into core-updates-frozen
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/coq-fix-envvars.patch139
-rw-r--r--gnu/packages/patches/dynaconf-unvendor-deps.patch179
-rw-r--r--gnu/packages/patches/icecat-78-makeicecat.patch110
-rw-r--r--gnu/packages/patches/icecat-CVE-2021-43527.patch354
-rw-r--r--gnu/packages/patches/nss-CVE-2021-43527.patch354
-rw-r--r--gnu/packages/patches/racket-minimal-backport-1629887.patch28
-rw-r--r--gnu/packages/patches/u-boot-rk3399-enable-emmc-phy.patch26
-rw-r--r--gnu/packages/patches/yggdrasil-extra-config.patch78
8 files changed, 1102 insertions, 166 deletions
diff --git a/gnu/packages/patches/coq-fix-envvars.patch b/gnu/packages/patches/coq-fix-envvars.patch
new file mode 100644
index 0000000000..deecf5ce74
--- /dev/null
+++ b/gnu/packages/patches/coq-fix-envvars.patch
@@ -0,0 +1,139 @@
+From ebe09fcac72b21d17c4e8fe6edc1b6076a4ae97c Mon Sep 17 00:00:00 2001
+From: Julien Lepiller <julien@lepiller.eu>
+Date: Sun, 21 Nov 2021 00:38:03 +0100
+Subject: [PATCH] Fix environment variable usage.
+
+---
+ checker/checker.ml | 2 ++
+ lib/envars.ml | 26 ++++++++++++++++----------
+ sysinit/coqargs.ml | 3 ++-
+ sysinit/coqloadpath.ml | 3 ++-
+ sysinit/coqloadpath.mli | 2 +-
+ tools/coqdep.ml | 2 +-
+ 6 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/checker/checker.ml b/checker/checker.ml
+index f55ed9e8d6..3b797729ed 100644
+--- a/checker/checker.ml
++++ b/checker/checker.ml
+@@ -104,6 +104,7 @@ let set_include d p =
+ (* Initializes the LoadPath *)
+ let init_load_path () =
+ let coqlib = Envars.coqlib () in
++ let coqcorelib = Envars.coqcorelib () in
+ let user_contrib = coqlib/"user-contrib" in
+ let xdg_dirs = Envars.xdg_dirs in
+ let coqpath = Envars.coqpath in
+@@ -111,6 +112,7 @@ let init_load_path () =
+ CPath.choose_existing
+ [ CPath.make [ coqlib ; "plugins" ]
+ ; CPath.make [ coqlib ; ".."; "coq-core"; "plugins" ]
++ ; CPath.make [ coqcorelib ; "plugins" ]
+ ] |> function
+ | None ->
+ CErrors.user_err (Pp.str "Cannot find plugins directory")
+diff --git a/lib/envars.ml b/lib/envars.ml
+index 750bd60e71..c7affbd437 100644
+--- a/lib/envars.ml
++++ b/lib/envars.ml
+@@ -127,15 +127,21 @@ let check_file_else ~dir ~file oth =
+ let guess_coqlib fail =
+ getenv_else "COQLIB" (fun () ->
+ let prelude = "theories/Init/Prelude.vo" in
+- check_file_else ~dir:Coq_config.coqlibsuffix ~file:prelude
+- (fun () ->
+- if Sys.file_exists (Coq_config.coqlib / prelude)
+- then Coq_config.coqlib
+- else
+- fail "cannot guess a path for Coq libraries; please use -coqlib option \
+- or ensure you have installed the package containing Coq's stdlib (coq-stdlib in OPAM) \
+- If you intend to use Coq without a standard library, the -boot -noinit options must be used.")
+- )
++ let coqlibpath = getenv_else "COQLIBPATH" (fun () -> Coq_config.coqlibsuffix) in
++ let paths = path_to_list coqlibpath in
++ let valid_paths =
++ List.filter
++ (fun dir -> (check_file_else ~dir:dir ~file:prelude (fun () -> "")) <> "")
++ paths in
++ match valid_paths with
++ | [] ->
++ if Sys.file_exists (Coq_config.coqlib / prelude)
++ then Coq_config.coqlib
++ else
++ fail "cannot guess a path for Coq libraries; please use -coqlib option \
++ or ensure you have installed the package containing Coq's stdlib (coq-stdlib in OPAM) \
++ If you intend to use Coq without a standard library, the -boot -noinit options must be used."
++ | p::_ -> p)
+
+ let coqlib_ref : string option ref = ref None
+ let set_user_coqlib path = coqlib_ref := Some path
+@@ -208,7 +214,7 @@ let xdg_dirs ~warn =
+ let print_config ?(prefix_var_name="") f coq_src_subdirs =
+ let open Printf in
+ fprintf f "%sCOQLIB=%s/\n" prefix_var_name (coqlib ());
+- fprintf f "%sCOQCORELIB=%s/\n" prefix_var_name (coqlib () / "../coq-core/");
++ fprintf f "%sCOQCORELIB=%s/\n" prefix_var_name (coqcorelib ());
+ fprintf f "%sDOCDIR=%s/\n" prefix_var_name (docdir ());
+ fprintf f "%sOCAMLFIND=%s\n" prefix_var_name (ocamlfind ());
+ fprintf f "%sCAMLFLAGS=%s\n" prefix_var_name Coq_config.caml_flags;
+diff --git a/sysinit/coqargs.ml b/sysinit/coqargs.ml
+index 00f70a5fea..8325623a63 100644
+--- a/sysinit/coqargs.ml
++++ b/sysinit/coqargs.ml
+@@ -453,7 +453,8 @@ let build_load_path opts =
+ if opts.pre.boot then [],[]
+ else
+ let coqlib = Envars.coqlib () in
+- Coqloadpath.init_load_path ~coqlib in
++ let coqcorelib = Envars.coqcorelib () in
++ Coqloadpath.init_load_path ~coqlib ~coqcorelib in
+ ml_path @ opts.pre.ml_includes ,
+ vo_path @ opts.pre.vo_includes
+
+diff --git a/sysinit/coqloadpath.ml b/sysinit/coqloadpath.ml
+index 95ae5da3de..a58cfe6928 100644
+--- a/sysinit/coqloadpath.ml
++++ b/sysinit/coqloadpath.ml
+@@ -35,7 +35,7 @@ let build_userlib_path ~unix_path =
+ else [], []
+
+ (* LoadPath for Coq user libraries *)
+-let init_load_path ~coqlib =
++let init_load_path ~coqlib ~coqcorelib =
+
+ let open Loadpath in
+ let user_contrib = coqlib/"user-contrib" in
+@@ -50,6 +50,7 @@ let init_load_path ~coqlib =
+ CPath.choose_existing
+ [ CPath.make [ coqlib ; "plugins" ]
+ ; CPath.make [ coqlib ; ".."; "coq-core"; "plugins" ]
++ ; CPath.make [ coqcorelib ; "plugins" ]
+ ] |> function
+ | None ->
+ CErrors.user_err (Pp.str "Cannot find plugins directory")
+diff --git a/sysinit/coqloadpath.mli b/sysinit/coqloadpath.mli
+index d853e9ea54..43c6dfa134 100644
+--- a/sysinit/coqloadpath.mli
++++ b/sysinit/coqloadpath.mli
+@@ -12,5 +12,5 @@
+ includes (in-order) Coq's standard library, Coq's [user-contrib]
+ folder, and directories specified in [COQPATH] and [XDG_DIRS] *)
+ val init_load_path
+- : coqlib:CUnix.physical_path
++ : coqlib:CUnix.physical_path -> coqcorelib:CUnix.physical_path
+ -> CUnix.physical_path list * Loadpath.vo_path list
+diff --git a/tools/coqdep.ml b/tools/coqdep.ml
+index c1c87993e1..6c78e10866 100644
+--- a/tools/coqdep.ml
++++ b/tools/coqdep.ml
+@@ -33,7 +33,7 @@ let coqdep () =
+ let coqlib = Envars.coqlib () in
+ let coq_plugins_dir = Filename.concat (Envars.coqcorelib ()) "plugins" in
+ if not (Sys.file_exists coq_plugins_dir) then
+- CErrors.user_err Pp.(str "coqdep: cannot find plugins directory for coqlib: " ++ str coqlib ++ fnl ());
++ CErrors.user_err Pp.(str "coqdep: cannot find plugins directory " ++ str coq_plugins_dir ++ str " for coqlib: " ++ str coqlib ++ fnl ());
+ CD.add_rec_dir_import CD.add_coqlib_known (coqlib//"theories") ["Coq"];
+ CD.add_rec_dir_import CD.add_coqlib_known (coq_plugins_dir) ["Coq"];
+ let user = coqlib//"user-contrib" in
+--
+2.33.1
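Review bot: In the new `guess_coqlib` body (envars.ml hunk), `List.filter` runs the `Prelude.vo` existence check on every entry of `COQLIBPATH` even though only the head of the result is used; `List.find_opt` states the first-match intent and stops at the first hit, e.g. `match List.find_opt (fun dir -> check_file_else ~dir ~file:prelude (fun () -> "") <> "") paths with`, `| None -> ...` (the existing fallback), `| Some p -> p`. The `""` sentinel returned by the `oth` callback is presumably what `check_file_else` yields when the file is absent, but that helper is only visible by signature on the hunk header, so the comparison should carry a short comment naming that assumption. Since this patch introduces a new environment-driven search path for loading `.vo` files and plugins, the patch preamble ("Fix environment variable usage.") should also state what `COQLIBPATH` is, its separator, and that `COQLIB` still takes precedence when set. The same `coqcorelib`/`"plugins"` lookup is added in both checker.ml and coqloadpath.ml; a one-line comment at each noting they must stay in sync would help the next rebase.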
diff --git a/gnu/packages/patches/dynaconf-unvendor-deps.patch b/gnu/packages/patches/dynaconf-unvendor-deps.patch
new file mode 100644
index 0000000000..550e311363
--- /dev/null
+++ b/gnu/packages/patches/dynaconf-unvendor-deps.patch
@@ -0,0 +1,179 @@
+From 3f7b48195500cbbbbecd3cac2f5308c64004479b Mon Sep 17 00:00:00 2001
+From: Giacomo Leidi <goodoldpaul@autistici.org>
+Date: Sun, 29 Aug 2021 23:39:27 +0200
+Subject: [PATCH] Use system site dependencies.
+
+Box was not unvendored because it appears to be heavily patched.
+---
+ dynaconf/cli.py | 4 ++--
+ dynaconf/default_settings.py | 2 +-
+ dynaconf/loaders/env_loader.py | 2 +-
+ dynaconf/loaders/toml_loader.py | 2 +-
+ dynaconf/loaders/yaml_loader.py | 2 +-
+ dynaconf/utils/parse_conf.py | 2 +-
+ dynaconf/vendor/box/converters.py | 4 ++--
+ dynaconf/vendor/box/from_file.py | 4 ++--
+ dynaconf/vendor_src/box/converters.py | 4 ++--
+ dynaconf/vendor_src/box/from_file.py | 4 ++--
+ tests/test_cli.py | 2 +-
+ 11 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/dynaconf/cli.py b/dynaconf/cli.py
+index 5bb8316..1341a95 100644
+--- a/dynaconf/cli.py
++++ b/dynaconf/cli.py
+@@ -20,8 +20,8 @@ from dynaconf.utils.functional import empty
+ from dynaconf.utils.parse_conf import parse_conf_data
+ from dynaconf.validator import ValidationError
+ from dynaconf.validator import Validator
+-from dynaconf.vendor import click
+-from dynaconf.vendor import toml
++import click
++import toml
+
+
+ CWD = Path.cwd()
+diff --git a/dynaconf/default_settings.py b/dynaconf/default_settings.py
+index 66601b0..9605fc5 100644
+--- a/dynaconf/default_settings.py
++++ b/dynaconf/default_settings.py
+@@ -8,7 +8,7 @@ from dynaconf.utils import upperfy
+ from dynaconf.utils import warn_deprecations
+ from dynaconf.utils.files import find_file
+ from dynaconf.utils.parse_conf import parse_conf_data
+-from dynaconf.vendor.dotenv import load_dotenv
++from dotenv import load_dotenv
+
+
+ def try_renamed(key, value, older_key, current_key):
+diff --git a/dynaconf/loaders/env_loader.py b/dynaconf/loaders/env_loader.py
+index e7b13bd..b034c8a 100644
+--- a/dynaconf/loaders/env_loader.py
++++ b/dynaconf/loaders/env_loader.py
+@@ -2,7 +2,7 @@ from os import environ
+
+ from dynaconf.utils import upperfy
+ from dynaconf.utils.parse_conf import parse_conf_data
+-from dynaconf.vendor.dotenv import cli as dotenv_cli
++from dotenv import cli as dotenv_cli
+
+
+ IDENTIFIER = "env"
+diff --git a/dynaconf/loaders/toml_loader.py b/dynaconf/loaders/toml_loader.py
+index 07b973f..d81d675 100644
+--- a/dynaconf/loaders/toml_loader.py
++++ b/dynaconf/loaders/toml_loader.py
+@@ -5,7 +5,7 @@ from dynaconf import default_settings
+ from dynaconf.constants import TOML_EXTENSIONS
+ from dynaconf.loaders.base import BaseLoader
+ from dynaconf.utils import object_merge
+-from dynaconf.vendor import toml
++import toml
+
+
+ def load(obj, env=None, silent=True, key=None, filename=None):
+diff --git a/dynaconf/loaders/yaml_loader.py b/dynaconf/loaders/yaml_loader.py
+index 33c6532..3ef419a 100644
+--- a/dynaconf/loaders/yaml_loader.py
++++ b/dynaconf/loaders/yaml_loader.py
+@@ -7,7 +7,7 @@ from dynaconf.constants import YAML_EXTENSIONS
+ from dynaconf.loaders.base import BaseLoader
+ from dynaconf.utils import object_merge
+ from dynaconf.utils.parse_conf import try_to_encode
+-from dynaconf.vendor.ruamel import yaml
++from ruamel import yaml
+
+ # Add support for Dynaconf Lazy values to YAML dumper
+ yaml.SafeDumper.yaml_representers[
+diff --git a/dynaconf/utils/parse_conf.py b/dynaconf/utils/parse_conf.py
+index c42b07a..01ccdae 100644
+--- a/dynaconf/utils/parse_conf.py
++++ b/dynaconf/utils/parse_conf.py
+@@ -9,7 +9,7 @@ from dynaconf.utils import isnamedtupleinstance
+ from dynaconf.utils import multi_replace
+ from dynaconf.utils import recursively_evaluate_lazy_format
+ from dynaconf.utils.boxing import DynaBox
+-from dynaconf.vendor import toml
++import toml
+
+ try:
+ from jinja2 import Environment
+diff --git a/dynaconf/vendor/box/converters.py b/dynaconf/vendor/box/converters.py
+index 93cdcfb..e34c7dc 100644
+--- a/dynaconf/vendor/box/converters.py
++++ b/dynaconf/vendor/box/converters.py
+@@ -7,9 +7,9 @@ _B='utf-8'
+ _A=None
+ import csv,json,sys,warnings
+ from pathlib import Path
+-import dynaconf.vendor.ruamel.yaml as yaml
++import ruamel.yaml as yaml
+ from dynaconf.vendor.box.exceptions import BoxError,BoxWarning
+-from dynaconf.vendor import toml
++import toml
+ BOX_PARAMETERS='default_box','default_box_attr','conversion_box','frozen_box','camel_killer_box','box_safe_prefix','box_duplicates','ordered_box','default_box_none_transform','box_dots','modify_tuples_box','box_intact_types','box_recast'
+ def _exists(filename,create=_E):
+ A=filename;B=Path(A)
+diff --git a/dynaconf/vendor/box/from_file.py b/dynaconf/vendor/box/from_file.py
+index daa1137..d75940b 100644
+--- a/dynaconf/vendor/box/from_file.py
++++ b/dynaconf/vendor/box/from_file.py
+@@ -1,8 +1,8 @@
+ from json import JSONDecodeError
+ from pathlib import Path
+ from typing import Union
+-from dynaconf.vendor.toml import TomlDecodeError
+-from dynaconf.vendor.ruamel.yaml import YAMLError
++from toml import TomlDecodeError
++from ruamel.yaml import YAMLError
+ from .exceptions import BoxError
+ from .box import Box
+ from .box_list import BoxList
+diff --git a/dynaconf/vendor_src/box/converters.py b/dynaconf/vendor_src/box/converters.py
+index c9a2293..ae42bf6 100644
+--- a/dynaconf/vendor_src/box/converters.py
++++ b/dynaconf/vendor_src/box/converters.py
+@@ -9,9 +9,9 @@ import sys
+ import warnings
+ from pathlib import Path
+
+-import dynaconf.vendor.ruamel.yaml as yaml
++import ruamel.yaml as yaml
+ from dynaconf.vendor.box.exceptions import BoxError, BoxWarning
+-from dynaconf.vendor import toml
++import toml
+
+
+ BOX_PARAMETERS = ('default_box', 'default_box_attr', 'conversion_box',
+diff --git a/dynaconf/vendor_src/box/from_file.py b/dynaconf/vendor_src/box/from_file.py
+index 2e2a6ad..3f76819 100644
+--- a/dynaconf/vendor_src/box/from_file.py
++++ b/dynaconf/vendor_src/box/from_file.py
+@@ -3,8 +3,8 @@
+ from json import JSONDecodeError
+ from pathlib import Path
+ from typing import Union
+-from dynaconf.vendor.toml import TomlDecodeError
+-from dynaconf.vendor.ruamel.yaml import YAMLError
++from toml import TomlDecodeError
++from ruamel.yaml import YAMLError
+
+
+ from .exceptions import BoxError
+diff --git a/tests/test_cli.py b/tests/test_cli.py
+index 6693701..df44409 100644
+--- a/tests/test_cli.py
++++ b/tests/test_cli.py
+@@ -11,7 +11,7 @@ from dynaconf.cli import main
+ from dynaconf.cli import read_file_in_root_directory
+ from dynaconf.cli import WRITERS
+ from dynaconf.utils.files import read_file
+-from dynaconf.vendor.click.testing import CliRunner
++from click.testing import CliRunner
+
+
+ runner = CliRunner()
+
+base-commit: ebf7b17cffd5e08b212948bd8036d580718d5bf8
+--
+2.32.0
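Review bot: The patch preamble explains why Box stays vendored but does not record which upstream versions of `click`, `toml`, `python-dotenv` and `ruamel.yaml` the removed vendored copies correspond to, so the package's inputs cannot be checked for API compatibility when they are later upgraded. This matters in particular for the `yaml_loader.py` hunk, whose surrounding code reaches into `yaml.SafeDumper.yaml_representers` and so is tied to a specific ruamel.yaml API surface, and for the two `vendor/box` converters which now import `ruamel.yaml` and `toml` from the system. A sentence such as `Vendored copies replaced: click <VERSION>, toml <VERSION>, python-dotenv <VERSION>, ruamel.yaml <VERSION>` (placeholders to be filled from the vendored sources) in the preamble would let a reviewer verify the inputs pinned in the package definition. Note also that `dynaconf/vendor/box/converters.py` is a minified copy of `vendor_src/box/converters.py`; both hunks are changed consistently here, but the preamble should say they must be kept in lockstep.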
diff --git a/gnu/packages/patches/icecat-78-makeicecat.patch b/gnu/packages/patches/icecat-78-makeicecat.patch
deleted file mode 100644
index edd1ced257..0000000000
--- a/gnu/packages/patches/icecat-78-makeicecat.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-Make some of the changes needed to the 'makeicecat' script, to allow it to run
-in a snippet without network access. After this patch is applied, some
-additional changes will be made using 'substitute*'.
-
-diff --git a/makeicecat b/makeicecat
-index 8be2362..48716f2 100755
---- a/makeicecat
-+++ b/makeicecat
-@@ -31,55 +31,55 @@ SOURCEDIR=icecat-$FFVERSION
-
- DATA="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"/data
-
--mkdir -p output
--cd output
-+# mkdir -p output
-+# cd output
-
- ###############################################################################
- # Retrieve FF source code
- ###############################################################################
-
--rm mozilla-esr${FFMAJOR} $SOURCEDIR -rf
--
--wget -N https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FFVERSION}esr/source/firefox-${FFVERSION}esr.source.tar.xz
--wget -N https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FFVERSION}esr/source/firefox-${FFVERSION}esr.source.tar.xz.asc
--gpg --recv-keys --keyserver keyserver.ubuntu.com 14F26682D0916CDD81E37B6D61B7B526D98F0353
--gpg --verify firefox-${FFVERSION}esr.source.tar.xz.asc
--echo -n 1aa041db28cd742e93d663a9da8defd33040b38d8b9470350538473251621643 firefox-${FFVERSION}esr.source.tar.xz |sha256sum -c -
--
--echo Extracting Firefox tarball
--tar -xf firefox-${FFVERSION}esr.source.tar.xz
--
--mv firefox-${FFVERSION} $SOURCEDIR
-+# rm mozilla-esr${FFMAJOR} $SOURCEDIR -rf
-+#
-+# wget -N https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FFVERSION}esr/source/firefox-${FFVERSION}esr.source.tar.xz
-+# wget -N https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FFVERSION}esr/source/firefox-${FFVERSION}esr.source.tar.xz.asc
-+# gpg --recv-keys --keyserver keyserver.ubuntu.com 14F26682D0916CDD81E37B6D61B7B526D98F0353
-+# gpg --verify firefox-${FFVERSION}esr.source.tar.xz.asc
-+# echo -n 1aa041db28cd742e93d663a9da8defd33040b38d8b9470350538473251621643 firefox-${FFVERSION}esr.source.tar.xz |sha256sum -c -
-+#
-+# echo Extracting Firefox tarball
-+# tar -xf firefox-${FFVERSION}esr.source.tar.xz
-+#
-+# mv firefox-${FFVERSION} $SOURCEDIR
-
- ###############################################################################
- # Retrieve l10n
- ###############################################################################
-
--mkdir l10n
--cd l10n
--while read line;do
-- line=$(echo $line |cut -d' ' -f1)
-- #[ $line = "es-ES" ] || continue # To speed up testing
-- [ $line = "en-US" ] && continue
-- hg clone https://hg.mozilla.org/l10n-central/$line
-- mkdir -p $line/browser/chrome/browser/preferences
-- touch $line/browser/chrome/browser/preferences/advanced-scripts.dtd
-- rm -rf $line/.hg*
--done < ../$SOURCEDIR/browser/locales/shipped-locales
--cd ..
--
--mv l10n $SOURCEDIR
--
--hg clone https://hg.mozilla.org/l10n/compare-locales/
--cd compare-locales/
--hg checkout RELEASE_8_0_0
--cd ..
--rm compare-locales/.hg* compare-locales/.git* -rf
--mv compare-locales $SOURCEDIR/l10n
-+# mkdir l10n
-+# cd l10n
-+# while read line;do
-+# line=$(echo $line |cut -d' ' -f1)
-+# #[ $line = "es-ES" ] || continue # To speed up testing
-+# [ $line = "en-US" ] && continue
-+# hg clone https://hg.mozilla.org/l10n-central/$line
-+# mkdir -p $line/browser/chrome/browser/preferences
-+# touch $line/browser/chrome/browser/preferences/advanced-scripts.dtd
-+# rm -rf $line/.hg*
-+# done < ../$SOURCEDIR/browser/locales/shipped-locales
-+# cd ..
-+#
-+# mv l10n $SOURCEDIR
-+#
-+# hg clone https://hg.mozilla.org/l10n/compare-locales/
-+# cd compare-locales/
-+# hg checkout RELEASE_8_0_0
-+# cd ..
-+# rm compare-locales/.hg* compare-locales/.git* -rf
-+# mv compare-locales $SOURCEDIR/l10n
-
- #######################################################
-
--cd $SOURCEDIR
-+# cd $SOURCEDIR
-
- shopt -s nullglob
- for patch in $DATA/patches/*.patch; do
-@@ -598,6 +598,6 @@ sed 's/777/755/;' -i toolkit/crashreporter/google-breakpad/Makefile.in
- # Fix CVE-2012-3386
- /bin/sed 's/chmod a+w/chmod u+w/' -i ./js/src/ctypes/libffi/Makefile.in ./toolkit/crashreporter/google-breakpad/Makefile.in ./toolkit/crashreporter/google-breakpad/src/third_party/glog/Makefile.in || true
-
--cd ..
--echo Packaging tarball
--tar cfj icecat-$ICECATVERSION.tar.bz2 $SOURCEDIR
-+# cd ..
-+# echo Packaging tarball
-+# tar cfj icecat-$ICECATVERSION.tar.bz2 $SOURCEDIR
diff --git a/gnu/packages/patches/icecat-CVE-2021-43527.patch b/gnu/packages/patches/icecat-CVE-2021-43527.patch
new file mode 100644
index 0000000000..66706ea5e0
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2021-43527.patch
@@ -0,0 +1,354 @@
+Fixes CVE-2021-43527.
+Copied from <https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd>,
+but with the file names adjusted to allow easy use within GNU Guix.
+
+# HG changeset patch
+# User Dennis Jackson <djackson@mozilla.com>
+# Date 1637577642 0
+# Node ID dea71cbef9e03636f37c6cb120f8deccce6e17dd
+# Parent da3d22d708c9cc0a32cff339658aeb627575e371
+Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D129514
+
+--- a/security/nss/lib/cryptohi/secvfy.c
++++ b/security/nss/lib/cryptohi/secvfy.c
+@@ -159,58 +159,89 @@ verifyPKCS1DigestInfo(const VFYContext *
+ SECItem pkcs1DigestInfo;
+ pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo;
+ pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
+ return _SGN_VerifyPKCS1DigestInfo(
+ cx->hashAlg, digest, &pkcs1DigestInfo,
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++ unsigned int sigLen = SECKEY_SignatureLen(pubk);
++ if (sigLen == 0) {
++ /* Error set by SECKEY_SignatureLen */
++ return sigLen;
++ }
++ unsigned int maxSigLen;
++ switch (pubk->keyType) {
++ case rsaKey:
++ case rsaPssKey:
++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++ break;
++ case dsaKey:
++ maxSigLen = DSA_MAX_SIGNATURE_LEN;
++ break;
++ case ecKey:
++ maxSigLen = 2 * MAX_ECKEY_LEN;
++ break;
++ default:
++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++ return 0;
++ }
++ if (sigLen > maxSigLen) {
++ PORT_SetError(SEC_ERROR_INVALID_KEY);
++ return 0;
++ }
++ return sigLen;
++}
++
+ /*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+ * to by dsig and has enough room for len bytes.
+ */
+ static SECStatus
+ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
+ unsigned int len)
+ {
+ SECItem *dsasig = NULL; /* also used for ECDSA */
+- SECStatus rv = SECSuccess;
+
+- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+- if (sig->len != len) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++ if (len > DSA_MAX_SIGNATURE_LEN) {
++ goto loser;
+ }
+-
+- PORT_Memcpy(dsig, sig->data, sig->len);
+- return SECSuccess;
++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++ if (len > MAX_ECKEY_LEN * 2) {
++ goto loser;
++ }
++ } else {
++ goto loser;
+ }
+
+- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+- if (len > MAX_ECKEY_LEN * 2) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
+- }
++ /* Decode and pad to length */
++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++ if (dsasig == NULL) {
++ goto loser;
+ }
+- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+- if ((dsasig == NULL) || (dsasig->len != len)) {
+- rv = SECFailure;
+- } else {
+- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++ if (dsasig->len != len) {
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++ goto loser;
+ }
+
+- if (dsasig != NULL)
+- SECITEM_FreeItem(dsasig, PR_TRUE);
+- if (rv == SECFailure)
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return rv;
++ PORT_Memcpy(dsig, dsasig->data, len);
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++
++ return SECSuccess;
++
++loser:
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ return SECFailure;
+ }
+
+ const SEC_ASN1Template hashParameterTemplate[] =
+ {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) },
+ { SEC_ASN1_OBJECT_ID, 0 },
+ { SEC_ASN1_SKIP_REST },
+ { 0 }
+@@ -276,17 +307,17 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg
+ *
+ * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
+ * algorithm was not found or was not a signing algorithm.
+ */
+ SECStatus
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+ const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+ {
+- int len;
++ unsigned int len;
+ PLArenaPool *arena;
+ SECStatus rv;
+ SECItem oid;
+ SECOidTag encalg;
+
+ PR_ASSERT(hashalg != NULL);
+ PR_ASSERT(encalgp != NULL);
+
+@@ -461,58 +492,62 @@ vfy_CreateContext(const SECKEYPublicKey
+ cx->wincx = wincx;
+ cx->hasSignature = (sig != NULL);
+ cx->encAlg = encAlg;
+ cx->hashAlg = hashAlg;
+ cx->key = SECKEY_CopyPublicKey(key);
+ cx->pkcs1RSADigestInfo = NULL;
+ rv = SECSuccess;
+ if (sig) {
+- switch (type) {
+- case rsaKey:
+- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+- &cx->pkcs1RSADigestInfo,
+- &cx->pkcs1RSADigestInfoLen,
+- cx->key,
+- sig, wincx);
+- break;
+- case rsaPssKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
++ rv = SECFailure;
++ if (type == rsaKey) {
++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++ &cx->pkcs1RSADigestInfo,
++ &cx->pkcs1RSADigestInfoLen,
++ cx->key,
++ sig, wincx);
++ } else {
++ sigLen = checkedSignatureLen(key);
++ /* Check signature length is within limits */
++ if (sigLen == 0) {
++ /* error set by checkedSignatureLen */
++ rv = SECFailure;
++ goto loser;
++ }
++ if (sigLen > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ switch (type) {
++ case rsaPssKey:
++ if (sig->len != sigLen) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++ rv = SECSuccess;
+ break;
+- }
+- if (sig->len != sigLen) {
+- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ case ecKey:
++ case dsaKey:
++ /* decodeECorDSASignature will check sigLen == sig->len after padding */
++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
++ break;
++ default:
++ /* Unreachable */
+ rv = SECFailure;
+- break;
+- }
+- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+- break;
+- case dsaKey:
+- case ecKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
+- break;
+- }
+- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+- break;
+- default:
+- rv = SECFailure;
+- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+- break;
++ goto loser;
++ }
++ }
++ if (rv != SECSuccess) {
++ goto loser;
+ }
+ }
+
+- if (rv)
+- goto loser;
+-
+ /* check hash alg again, RSA may have changed it.*/
+ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+ /* error set by HASH_GetHashTypeByOidTag */
+ goto loser;
+ }
+ /* check the policy on the hash algorithm. Do this after
+ * the rsa decode because some uses of this function get hash implicitly
+ * from the RSA signature itself. */
+@@ -645,21 +680,26 @@ VFY_EndWithSignature(VFYContext *cx, SEC
+ if (cx->hashcx == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
+ switch (cx->key->keyType) {
+ case ecKey:
+ case dsaKey:
+- dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
+ return SECFailure;
+ }
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ return SECFailure;
++ }
++ dsasig.data = cx->u.buffer;
++
+ if (sig) {
+ rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+ dsasig.len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ }
+@@ -681,18 +721,23 @@ VFY_EndWithSignature(VFYContext *cx, SEC
+ cx->params,
+ &mech);
+ PORT_DestroyCheapArena(&tmpArena);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ rsasig.data = cx->u.buffer;
+- rsasig.len = SECKEY_SignatureLen(cx->key);
++ rsasig.len = checkedSignatureLen(cx->key);
+ if (rsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ return SECFailure;
++ }
++ if (rsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ if (sig) {
+ if (sig->len != rsasig.len) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ PORT_Memcpy(rsasig.data, sig->data, rsasig.len);
+@@ -744,37 +789,42 @@ VFY_End(VFYContext *cx)
+ static SECStatus
+ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
+ const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg,
+ void *wincx)
+ {
+ SECStatus rv;
+ VFYContext *cx;
+ SECItem dsasig; /* also used for ECDSA */
+-
+ rv = SECFailure;
+
+ cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+ if (cx != NULL) {
+ switch (key->keyType) {
+ case rsaKey:
+ rv = verifyPKCS1DigestInfo(cx, digest);
++ /* Error (if any) set by verifyPKCS1DigestInfo */
+ break;
+- case dsaKey:
+ case ecKey:
++ case dsaKey:
+ dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ rv = SECFailure;
+ break;
+ }
+- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+- SECSuccess) {
++ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- } else {
+- rv = SECSuccess;
++ rv = SECFailure;
++ break;
++ }
++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++ if (rv != SECSuccess) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ }
+ break;
+ default:
+ break;
+ }
+ VFY_DestroyContext(cx, PR_TRUE);
+ }
+ return rv;
+
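Review bot: This 354-line upstream changeset is carried twice, here and in nss-CVE-2021-43527.patch, differing only in the `--- a/security/nss/lib/...` versus `--- a/nss/lib/...` path prefix, so any correction to one copy must be remembered for the other. The preamble gives the upstream hg revision, which is good provenance; it should additionally state the NSS release that ships the fix (placeholder: `Included upstream in NSS <RELEASE>`) so the next nss and icecat bumps know when both copies can be dropped together. The new `checkedSignatureLen` is the actual hardening: it rejects unsupported key types and caps `SECKEY_SignatureLen` against per-algorithm maxima before every `PORT_Memcpy` into `cx->u.buffer`, and the `default:` arm in the rewritten `vfy_CreateContext` switch is unreachable only because of that earlier rejection, which the `/* Unreachable */` comment in the hunk relies on. Both patches are verbatim upstream code, so the typo `maxmimums` in the `decodeECorDSASignature` comment is best left as is to keep the patch applying cleanly.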
diff --git a/gnu/packages/patches/nss-CVE-2021-43527.patch b/gnu/packages/patches/nss-CVE-2021-43527.patch
new file mode 100644
index 0000000000..b619438f37
--- /dev/null
+++ b/gnu/packages/patches/nss-CVE-2021-43527.patch
@@ -0,0 +1,354 @@
+Fixes CVE-2021-43527.
+Copied from <https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd>,
+but with the file names adjusted to allow easy use within GNU Guix.
+
+# HG changeset patch
+# User Dennis Jackson <djackson@mozilla.com>
+# Date 1637577642 0
+# Node ID dea71cbef9e03636f37c6cb120f8deccce6e17dd
+# Parent da3d22d708c9cc0a32cff339658aeb627575e371
+Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D129514
+
+--- a/nss/lib/cryptohi/secvfy.c
++++ b/nss/lib/cryptohi/secvfy.c
+@@ -159,58 +159,89 @@ verifyPKCS1DigestInfo(const VFYContext *
+ SECItem pkcs1DigestInfo;
+ pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo;
+ pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
+ return _SGN_VerifyPKCS1DigestInfo(
+ cx->hashAlg, digest, &pkcs1DigestInfo,
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++ unsigned int sigLen = SECKEY_SignatureLen(pubk);
++ if (sigLen == 0) {
++ /* Error set by SECKEY_SignatureLen */
++ return sigLen;
++ }
++ unsigned int maxSigLen;
++ switch (pubk->keyType) {
++ case rsaKey:
++ case rsaPssKey:
++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++ break;
++ case dsaKey:
++ maxSigLen = DSA_MAX_SIGNATURE_LEN;
++ break;
++ case ecKey:
++ maxSigLen = 2 * MAX_ECKEY_LEN;
++ break;
++ default:
++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++ return 0;
++ }
++ if (sigLen > maxSigLen) {
++ PORT_SetError(SEC_ERROR_INVALID_KEY);
++ return 0;
++ }
++ return sigLen;
++}
++
+ /*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+ * to by dsig and has enough room for len bytes.
+ */
+ static SECStatus
+ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
+ unsigned int len)
+ {
+ SECItem *dsasig = NULL; /* also used for ECDSA */
+- SECStatus rv = SECSuccess;
+
+- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+- if (sig->len != len) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++ if (len > DSA_MAX_SIGNATURE_LEN) {
++ goto loser;
+ }
+-
+- PORT_Memcpy(dsig, sig->data, sig->len);
+- return SECSuccess;
++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++ if (len > MAX_ECKEY_LEN * 2) {
++ goto loser;
++ }
++ } else {
++ goto loser;
+ }
+
+- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+- if (len > MAX_ECKEY_LEN * 2) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
+- }
++ /* Decode and pad to length */
++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++ if (dsasig == NULL) {
++ goto loser;
+ }
+- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+- if ((dsasig == NULL) || (dsasig->len != len)) {
+- rv = SECFailure;
+- } else {
+- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++ if (dsasig->len != len) {
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++ goto loser;
+ }
+
+- if (dsasig != NULL)
+- SECITEM_FreeItem(dsasig, PR_TRUE);
+- if (rv == SECFailure)
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return rv;
++ PORT_Memcpy(dsig, dsasig->data, len);
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++
++ return SECSuccess;
++
++loser:
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ return SECFailure;
+ }
+
+ const SEC_ASN1Template hashParameterTemplate[] =
+ {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) },
+ { SEC_ASN1_OBJECT_ID, 0 },
+ { SEC_ASN1_SKIP_REST },
+ { 0 }
+@@ -276,17 +307,17 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg
+ *
+ * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
+ * algorithm was not found or was not a signing algorithm.
+ */
+ SECStatus
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+ const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+ {
+- int len;
++ unsigned int len;
+ PLArenaPool *arena;
+ SECStatus rv;
+ SECItem oid;
+ SECOidTag encalg;
+
+ PR_ASSERT(hashalg != NULL);
+ PR_ASSERT(encalgp != NULL);
+
+@@ -461,58 +492,62 @@ vfy_CreateContext(const SECKEYPublicKey
+ cx->wincx = wincx;
+ cx->hasSignature = (sig != NULL);
+ cx->encAlg = encAlg;
+ cx->hashAlg = hashAlg;
+ cx->key = SECKEY_CopyPublicKey(key);
+ cx->pkcs1RSADigestInfo = NULL;
+ rv = SECSuccess;
+ if (sig) {
+- switch (type) {
+- case rsaKey:
+- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+- &cx->pkcs1RSADigestInfo,
+- &cx->pkcs1RSADigestInfoLen,
+- cx->key,
+- sig, wincx);
+- break;
+- case rsaPssKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
++ rv = SECFailure;
++ if (type == rsaKey) {
++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++ &cx->pkcs1RSADigestInfo,
++ &cx->pkcs1RSADigestInfoLen,
++ cx->key,
++ sig, wincx);
++ } else {
++ sigLen = checkedSignatureLen(key);
++ /* Check signature length is within limits */
++ if (sigLen == 0) {
++ /* error set by checkedSignatureLen */
++ rv = SECFailure;
++ goto loser;
++ }
++ if (sigLen > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ switch (type) {
++ case rsaPssKey:
++ if (sig->len != sigLen) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++ rv = SECSuccess;
+ break;
+- }
+- if (sig->len != sigLen) {
+- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ case ecKey:
++ case dsaKey:
++ /* decodeECorDSASignature will check sigLen == sig->len after padding */
++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
++ break;
++ default:
++ /* Unreachable */
+ rv = SECFailure;
+- break;
+- }
+- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+- break;
+- case dsaKey:
+- case ecKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
+- break;
+- }
+- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+- break;
+- default:
+- rv = SECFailure;
+- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+- break;
++ goto loser;
++ }
++ }
++ if (rv != SECSuccess) {
++ goto loser;
+ }
+ }
+
+- if (rv)
+- goto loser;
+-
+ /* check hash alg again, RSA may have changed it.*/
+ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+ /* error set by HASH_GetHashTypeByOidTag */
+ goto loser;
+ }
+ /* check the policy on the hash algorithm. Do this after
+ * the rsa decode because some uses of this function get hash implicitly
+ * from the RSA signature itself. */
+@@ -645,21 +680,26 @@ VFY_EndWithSignature(VFYContext *cx, SEC
+ if (cx->hashcx == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
+ switch (cx->key->keyType) {
+ case ecKey:
+ case dsaKey:
+- dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
+ return SECFailure;
+ }
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ return SECFailure;
++ }
++ dsasig.data = cx->u.buffer;
++
+ if (sig) {
+ rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+ dsasig.len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ }
+@@ -681,18 +721,23 @@ VFY_EndWithSignature(VFYContext *cx, SEC
+ cx->params,
+ &mech);
+ PORT_DestroyCheapArena(&tmpArena);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ rsasig.data = cx->u.buffer;
+- rsasig.len = SECKEY_SignatureLen(cx->key);
++ rsasig.len = checkedSignatureLen(cx->key);
+ if (rsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ return SECFailure;
++ }
++ if (rsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ if (sig) {
+ if (sig->len != rsasig.len) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ PORT_Memcpy(rsasig.data, sig->data, rsasig.len);
+@@ -744,37 +789,42 @@ VFY_End(VFYContext *cx)
+ static SECStatus
+ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
+ const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg,
+ void *wincx)
+ {
+ SECStatus rv;
+ VFYContext *cx;
+ SECItem dsasig; /* also used for ECDSA */
+-
+ rv = SECFailure;
+
+ cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+ if (cx != NULL) {
+ switch (key->keyType) {
+ case rsaKey:
+ rv = verifyPKCS1DigestInfo(cx, digest);
++ /* Error (if any) set by verifyPKCS1DigestInfo */
+ break;
+- case dsaKey:
+ case ecKey:
++ case dsaKey:
+ dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ rv = SECFailure;
+ break;
+ }
+- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+- SECSuccess) {
++ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- } else {
+- rv = SECSuccess;
++ rv = SECFailure;
++ break;
++ }
++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++ if (rv != SECSuccess) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ }
+ break;
+ default:
+ break;
+ }
+ VFY_DestroyContext(cx, PR_TRUE);
+ }
+ return rv;
+
diff --git a/gnu/packages/patches/racket-minimal-backport-1629887.patch b/gnu/packages/patches/racket-minimal-backport-1629887.patch
deleted file mode 100644
index aa060ef5aa..0000000000
--- a/gnu/packages/patches/racket-minimal-backport-1629887.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From fb1a6ab205fd63a46669a463931af473e2ac0c87 Mon Sep 17 00:00:00 2001
-From: Matthew Flatt <mflatt@racket-lang.org>
-Date: Sat, 21 Aug 2021 15:29:59 -0600
-Subject: [PATCH] setup/variant: recognize starter executables
-
-Related to #3969
-
-(cherry picked from commit 1629887071fe3cc8fe8af0a7aa0d3912509cb058)
----
- racket/collects/setup/variant.rkt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/racket/collects/setup/variant.rkt b/racket/collects/setup/variant.rkt
-index 81da6f5701..b23131e481 100644
---- a/racket/collects/setup/variant.rkt
-+++ b/racket/collects/setup/variant.rkt
-@@ -25,7 +25,7 @@
- (and (file-exists? f)
- (with-input-from-file f
- (lambda ()
-- (define m (regexp-match #rx#"bINARy tYPe:..(.)"
-+ (define m (regexp-match #rx#"bINARy tYPe:e?..(.)"
- (current-input-port)))
- (cond
- [(not m) '3m]
---
-2.30.2
-
diff --git a/gnu/packages/patches/u-boot-rk3399-enable-emmc-phy.patch b/gnu/packages/patches/u-boot-rk3399-enable-emmc-phy.patch
new file mode 100644
index 0000000000..f14a9ce104
--- /dev/null
+++ b/gnu/packages/patches/u-boot-rk3399-enable-emmc-phy.patch
@@ -0,0 +1,26 @@
+adapting commit ac804143cf ("mmc: rockchip_sdhci: add phy and clock
+config for rk3399") to fix the issue "Not found emmc phy device".
+
+Signed-off-by: Yifeng Zhao <yifeng.zhao@rock-chips.com>
+---
+
+ arch/arm/dts/rk3399-u-boot.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm/dts/rk3399-u-boot.dtsi b/arch/arm/dts/rk3399-u-boot.dtsi
+index 73922c328a..716b9a433a 100644
+--- a/arch/arm/dts/rk3399-u-boot.dtsi
++++ b/arch/arm/dts/rk3399-u-boot.dtsi
+@@ -88,6 +88,10 @@
+ u-boot,dm-pre-reloc;
+ };
+
++&emmc_phy {
++ u-boot,dm-pre-reloc;
++};
++
+ &grf {
+ u-boot,dm-pre-reloc;
+ };
+--
+2.17.1
diff --git a/gnu/packages/patches/yggdrasil-extra-config.patch b/gnu/packages/patches/yggdrasil-extra-config.patch
index c21ca29a84..bd4bea7b9f 100644
--- a/gnu/packages/patches/yggdrasil-extra-config.patch
+++ b/gnu/packages/patches/yggdrasil-extra-config.patch
@@ -1,27 +1,39 @@
+From 779f980451d20079b34812f7006f2d7230738ad0 Mon Sep 17 00:00:00 2001
+From: csepp <raingloom@riseup.net>
+Date: Wed, 3 Nov 2021 21:14:54 +0100
+Subject: [PATCH] add extra config file option to yggdrasil command
+
+This is useful in Guix and Nix, because one config file can come
+from the world-readable store and another can be placed directly
+into /etc with much stricter permissions.
+---
+ cmd/yggdrasil/main.go | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
diff --git a/cmd/yggdrasil/main.go b/cmd/yggdrasil/main.go
-index 813e950..08d35cc 100644
+index 58b8230..b9df98a 100644
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
-@@ -40,11 +40,12 @@ type node struct {
- admin module.Module // admin.AdminSocket
+@@ -43,11 +43,12 @@ type node struct {
+ admin *admin.AdminSocket
}
--func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config.NodeConfig {
-+func readConfig(useconf *bool, useconffile *string, extraconffile *string, normaliseconf *bool) *config.NodeConfig {
+-func readConfig(log *log.Logger, useconf bool, useconffile string, normaliseconf bool) *config.NodeConfig {
++func readConfig(log *log.Logger, useconf bool, useconffile string, extraconffile string, normaliseconf bool) *config.NodeConfig {
// Use a configuration file. If -useconf, the configuration will be read
// from stdin. If -useconffile, the configuration will be read from the
// filesystem.
var conf []byte
+ var extraconf []byte
var err error
- if *useconffile != "" {
+ if useconffile != "" {
// Read the file from the filesystem
-@@ -56,6 +57,21 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config
+@@ -59,6 +60,21 @@ func readConfig(log *log.Logger, useconf bool, useconffile string, normaliseconf
if err != nil {
panic(err)
}
-+ if *extraconffile != "" {
-+ extraconf, err = ioutil.ReadFile(*extraconffile);
++ if extraconffile != "" {
++ extraconf, err = ioutil.ReadFile(extraconffile);
+ }
+ if err != nil {
+ panic(err)
@@ -30,7 +42,7 @@ index 813e950..08d35cc 100644
+ // then parse the configuration we loaded above on top of it. The effect
+ // of this is that any configuration item that is missing from the provided
+ // configuration will use a sane default.
-+ cfg := config.GenerateConfig()
++ cfg := defaults.GenerateConfig()
+ var confs [2][]byte
+ confs[0]=conf
+ confs[1]=extraconf
@@ -38,7 +50,7 @@ index 813e950..08d35cc 100644
// If there's a byte order mark - which Windows 10 is now incredibly fond of
// throwing everywhere when it's converting things into UTF-16 for the hell
// of it - remove it and decode back down into UTF-8. This is necessary
-@@ -69,11 +85,6 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config
+@@ -72,11 +88,6 @@ func readConfig(log *log.Logger, useconf bool, useconffile string, normaliseconf
panic(err)
}
}
@@ -46,11 +58,11 @@ index 813e950..08d35cc 100644
- // then parse the configuration we loaded above on top of it. The effect
- // of this is that any configuration item that is missing from the provided
- // configuration will use a sane default.
-- cfg := config.GenerateConfig()
+- cfg := defaults.GenerateConfig()
var dat map[string]interface{}
if err := hjson.Unmarshal(conf, &dat); err != nil {
panic(err)
-@@ -112,6 +123,7 @@ func readConfig(useconf *bool, useconffile *string, normaliseconf *bool) *config
+@@ -136,6 +147,7 @@ func readConfig(log *log.Logger, useconf bool, useconffile string, normaliseconf
if err = mapstructure.Decode(dat, &cfg); err != nil {
panic(err)
}
@@ -58,7 +70,15 @@ index 813e950..08d35cc 100644
return cfg
}
-@@ -164,6 +176,7 @@ func main() {
+@@ -192,6 +204,7 @@ type yggArgs struct {
+ getaddr bool
+ getsnet bool
+ useconffile string
++ extraconffile string
+ logto string
+ loglevel string
+ }
+@@ -200,6 +213,7 @@ func getArgs() yggArgs {
genconf := flag.Bool("genconf", false, "print a new config to stdout")
useconf := flag.Bool("useconf", false, "read HJSON/JSON config from stdin")
useconffile := flag.String("useconffile", "", "read HJSON/JSON config from specified file path")
@@ -66,21 +86,23 @@ index 813e950..08d35cc 100644
normaliseconf := flag.Bool("normaliseconf", false, "use in combination with either -useconf or -useconffile, outputs your configuration normalised")
confjson := flag.Bool("json", false, "print configuration from -genconf or -normaliseconf as JSON instead of HJSON")
autoconf := flag.Bool("autoconf", false, "automatic mode (dynamic IP, peer with IPv6 neighbors)")
-@@ -187,7 +200,7 @@ func main() {
- cfg = config.GenerateConfig()
- case *useconffile != "" || *useconf:
+@@ -213,6 +227,7 @@ func getArgs() yggArgs {
+ genconf: *genconf,
+ useconf: *useconf,
+ useconffile: *useconffile,
++ extraconffile: *extraconffile,
+ normaliseconf: *normaliseconf,
+ confjson: *confjson,
+ autoconf: *autoconf,
+@@ -265,7 +280,7 @@ func run(args yggArgs, ctx context.Context, done chan struct{}) {
+ cfg = defaults.GenerateConfig()
+ case args.useconffile != "" || args.useconf:
// Read the configuration from either stdin or from the filesystem
-- cfg = readConfig(useconf, useconffile, normaliseconf)
-+ cfg = readConfig(useconf, useconffile, extraconffile, normaliseconf)
+- cfg = readConfig(logger, args.useconf, args.useconffile, args.normaliseconf)
++ cfg = readConfig(logger, args.useconf, args.useconffile, args.extraconffile, args.normaliseconf)
// If the -normaliseconf option was specified then remarshal the above
// configuration and print it back to stdout. This lets the user update
// their configuration file with newly mapped names (like above) or to
-@@ -332,7 +345,7 @@ func main() {
- goto exit
- case _ = <-r:
- if *useconffile != "" {
-- cfg = readConfig(useconf, useconffile, normaliseconf)
-+ cfg = readConfig(useconf, useconffile, extraconffile, normaliseconf)
- logger.Infoln("Reloading configuration from", *useconffile)
- n.core.UpdateConfig(cfg)
- n.tuntap.UpdateConfig(cfg)
+--
+2.33.1
+