rpm: switch to openssl from nss

nss is a problematic library in many ways, but openssl seems to work just fine. rpm was the only user of nss in oe-core, which opens the possibility of moving it out. Add a backported patch to enable builds with latest openssl. (From OE-Core rev: 8c35a01dc771bf48f74129daa58d365100d18081) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alexander Kanavin <alex.kanavin@gmail.com> 2020-01-14 14:59:48 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-16 22:33:09 +0000
commit: 8f2f1af3630264f34f454dab71861e64c820f6db (patch)
tree: dcd12e08e80aa494829e1e47d32259ab0bf66600 /meta/recipes-devtools/rpm
parent: b11fc7795cd1a6d74c9bb50b922d928f4a17722d (diff)
download: poky-8f2f1af3630264f34f454dab71861e64c820f6db.tar.gz
2 files changed, 84 insertions, 2 deletions
diff --git a/meta/recipes-devtools/rpm/files/0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch b/meta/recipes-devtools/rpm/files/0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch
new file mode 100644
index 0000000000..734e38bb39
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch
@@ -0,0 +1,81 @@
+From 2d53d1e308a5bd15a16cc289fa7e1f264ea706be Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 26 Jun 2018 10:46:14 +0300
+Subject: [PATCH] Rip out partial support for unused MD2 and RIPEMD160 digests
+Inspired by #453, adding configure-checks for unused digests algorithms
+seems nonsensical, at no point in rpm history have these algorithms been
+used for anything in rpm so there's not even backward compatibility to
+care about. So the question becomes why do we appear to have (some)
+support for those unused algorithms? So lets don't, problem solved...
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/ff4b9111aeba01dd025dd133ce617fb80f7398a0]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ rpmio/digest_beecrypt.c | 7 -------
+ rpmio/digest_nss.c      | 2 --
+ rpmio/digest_openssl.c  | 6 ------
+ 3 files changed, 15 deletions(-)
+diff --git a/rpmio/digest_beecrypt.c b/rpmio/digest_beecrypt.c
+index 597027e25..653a39491 100644
+--- a/rpmio/digest_beecrypt.c
+++ b/rpmio/digest_beecrypt.c
+@@ -132,10 +132,6 @@ DIGEST_CTX rpmDigestInit(int hashalgo, rpmDigestFlags flags)
+        ctx->Digest = (void *) sha512Digest;
+        break;
+ #endif
+-    case PGPHASHALGO_RIPEMD160:
+-    case PGPHASHALGO_MD2:
+-    case PGPHASHALGO_TIGER192:
+-    case PGPHASHALGO_HAVAL_5_160:
+     default:
+        free(ctx);
+        return NULL;
+@@ -292,9 +288,6 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, uint8_t *hash, si
+     case PGPHASHALGO_SHA1:
+         prefix = "3021300906052b0e03021a05000414";
+         break;
+-    case PGPHASHALGO_MD2:
+-        prefix = "3020300c06082a864886f70d020205000410";
+-        break;
+     case PGPHASHALGO_SHA256:
+         prefix = "3031300d060960864801650304020105000420";
+         break;
+diff --git a/rpmio/digest_nss.c b/rpmio/digest_nss.c
+index e11920e3e..b3d2b5595 100644
+--- a/rpmio/digest_nss.c
+++ b/rpmio/digest_nss.c
+@@ -117,7 +117,6 @@ static HASH_HashType getHashType(int hashalgo)
+ {
+     switch (hashalgo) {
+     case PGPHASHALGO_MD5:      return HASH_AlgMD5;
+-    case PGPHASHALGO_MD2:      return HASH_AlgMD2;
+     case PGPHASHALGO_SHA1:     return HASH_AlgSHA1;
+ #ifdef SHA224_LENGTH
+     case PGPHASHALGO_SHA224:   return HASH_AlgSHA224;
+@@ -217,7 +216,6 @@ static SECOidTag getHashAlg(unsigned int hashalgo)
+ {
+     switch (hashalgo) {
+     case PGPHASHALGO_MD5:      return SEC_OID_MD5;
+-    case PGPHASHALGO_MD2:      return SEC_OID_MD2;
+     case PGPHASHALGO_SHA1:     return SEC_OID_SHA1;
+ #ifdef SHA224_LENGTH
+     case PGPHASHALGO_SHA224:   return SEC_OID_SHA224;
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index 18e52a724..0ae48dd1d 100644
+--- a/rpmio/digest_openssl.c
+++ b/rpmio/digest_openssl.c
+@@ -172,12 +172,6 @@ static const EVP_MD *getEVPMD(int hashalgo)
+     case PGPHASHALGO_SHA1:
+         return EVP_sha1();
+ 
+-    case PGPHASHALGO_RIPEMD160:
+-        return EVP_ripemd160();
+-
+-    case PGPHASHALGO_MD2:
+-        return EVP_md2();
+-
+     case PGPHASHALGO_SHA256:
+         return EVP_sha256();
+ 
diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
index c37330eb4c..339bd7b834 100644
--- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -42,6 +42,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
           file://0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch \
           file://0016-rpmscript.c-change-logging-level-around-scriptlets-t.patch \
           file://0001-mono-find-provides-requires-do-not-use-monodis-from-.patch \
+           file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
           "
 PE = "1"
@@ -49,7 +50,7 @@ SRCREV = "4a9440006398646583f0d9ae1837dad2875013aa"
 S = "${WORKDIR}/git"
-DEPENDS = "nss libarchive db file popt xz bzip2 dbus elfutils python3"
+DEPENDS = "openssl libarchive db file popt xz bzip2 dbus elfutils python3"
 DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native"
 inherit autotools gettext pkgconfig python3native
@@ -58,7 +59,7 @@ export PYTHON_ABI
 # OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe
 EXTRA_AUTORECONF_append = " --exclude=gnu-configize"
-EXTRA_OECONF_append = " --without-lua --enable-python"
+EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=openssl"
 EXTRA_OECONF_append_libc-musl = " --disable-nls"
 # --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs
author	Alexander Kanavin <alex.kanavin@gmail.com>	2020-01-14 14:59:48 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:33:09 +0000
commit	8f2f1af3630264f34f454dab71861e64c820f6db (patch)
tree	dcd12e08e80aa494829e1e47d32259ab0bf66600 /meta/recipes-devtools/rpm
parent	b11fc7795cd1a6d74c9bb50b922d928f4a17722d (diff)
download	poky-8f2f1af3630264f34f454dab71861e64c820f6db.tar.gz

diff --git a/meta/recipes-devtools/rpm/files/0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch b/meta/recipes-devtools/rpm/files/0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch new file mode 100644 index 0000000000..734e38bb39 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch
@@ -0,0 +1,81 @@
		1	From 2d53d1e308a5bd15a16cc289fa7e1f264ea706be Mon Sep 17 00:00:00 2001
		2	From: Panu Matilainen <pmatilai@redhat.com>
		3	Date: Tue, 26 Jun 2018 10:46:14 +0300
		4	Subject: [PATCH] Rip out partial support for unused MD2 and RIPEMD160 digests
		5
		6	Inspired by #453, adding configure-checks for unused digests algorithms
		7	seems nonsensical, at no point in rpm history have these algorithms been
		8	used for anything in rpm so there's not even backward compatibility to
		9	care about. So the question becomes why do we appear to have (some)
		10	support for those unused algorithms? So lets don't, problem solved...
		11
		12	Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/ff4b9111aeba01dd025dd133ce617fb80f7398a0]
		13	Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
		14	---
		15	rpmio/digest_beecrypt.c \| 7 -------
		16	rpmio/digest_nss.c \| 2 --
		17	rpmio/digest_openssl.c \| 6 ------
		18	3 files changed, 15 deletions(-)
		19
		20	diff --git a/rpmio/digest_beecrypt.c b/rpmio/digest_beecrypt.c
		21	index 597027e25..653a39491 100644
		22	--- a/rpmio/digest_beecrypt.c
		23	+++ b/rpmio/digest_beecrypt.c
		24	@@ -132,10 +132,6 @@ DIGEST_CTX rpmDigestInit(int hashalgo, rpmDigestFlags flags)
		25	ctx->Digest = (void *) sha512Digest;
		26	break;
		27	#endif
		28	- case PGPHASHALGO_RIPEMD160:
		29	- case PGPHASHALGO_MD2:
		30	- case PGPHASHALGO_TIGER192:
		31	- case PGPHASHALGO_HAVAL_5_160:
		32	default:
		33	free(ctx);
		34	return NULL;
		35	@@ -292,9 +288,6 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, uint8_t *hash, si
		36	case PGPHASHALGO_SHA1:
		37	prefix = "3021300906052b0e03021a05000414";
		38	break;
		39	- case PGPHASHALGO_MD2:
		40	- prefix = "3020300c06082a864886f70d020205000410";
		41	- break;
		42	case PGPHASHALGO_SHA256:
		43	prefix = "3031300d060960864801650304020105000420";
		44	break;
		45	diff --git a/rpmio/digest_nss.c b/rpmio/digest_nss.c
		46	index e11920e3e..b3d2b5595 100644
		47	--- a/rpmio/digest_nss.c
		48	+++ b/rpmio/digest_nss.c
		49	@@ -117,7 +117,6 @@ static HASH_HashType getHashType(int hashalgo)
		50	{
		51	switch (hashalgo) {
		52	case PGPHASHALGO_MD5: return HASH_AlgMD5;
		53	- case PGPHASHALGO_MD2: return HASH_AlgMD2;
		54	case PGPHASHALGO_SHA1: return HASH_AlgSHA1;
		55	#ifdef SHA224_LENGTH
		56	case PGPHASHALGO_SHA224: return HASH_AlgSHA224;
		57	@@ -217,7 +216,6 @@ static SECOidTag getHashAlg(unsigned int hashalgo)
		58	{
		59	switch (hashalgo) {
		60	case PGPHASHALGO_MD5: return SEC_OID_MD5;
		61	- case PGPHASHALGO_MD2: return SEC_OID_MD2;
		62	case PGPHASHALGO_SHA1: return SEC_OID_SHA1;
		63	#ifdef SHA224_LENGTH
		64	case PGPHASHALGO_SHA224: return SEC_OID_SHA224;
		65	diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
		66	index 18e52a724..0ae48dd1d 100644
		67	--- a/rpmio/digest_openssl.c
		68	+++ b/rpmio/digest_openssl.c
		69	@@ -172,12 +172,6 @@ static const EVP_MD *getEVPMD(int hashalgo)
		70	case PGPHASHALGO_SHA1:
		71	return EVP_sha1();
		72
		73	- case PGPHASHALGO_RIPEMD160:
		74	- return EVP_ripemd160();
		75	-
		76	- case PGPHASHALGO_MD2:
		77	- return EVP_md2();
		78	-
		79	case PGPHASHALGO_SHA256:
		80	return EVP_sha256();
		81


diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb index c37330eb4c..339bd7b834 100644 --- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb +++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -42,6 +42,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
42	file://0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch \	42	file://0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch \
43	file://0016-rpmscript.c-change-logging-level-around-scriptlets-t.patch \	43	file://0016-rpmscript.c-change-logging-level-around-scriptlets-t.patch \
44	file://0001-mono-find-provides-requires-do-not-use-monodis-from-.patch \	44	file://0001-mono-find-provides-requires-do-not-use-monodis-from-.patch \
		45	file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
45	"	46	"
46		47
47	PE = "1"	48	PE = "1"
@@ -49,7 +50,7 @@ SRCREV = "4a9440006398646583f0d9ae1837dad2875013aa"
49		50
50	S = "${WORKDIR}/git"	51	S = "${WORKDIR}/git"
51		52
52	DEPENDS = "nss libarchive db file popt xz bzip2 dbus elfutils python3"	53	DEPENDS = "openssl libarchive db file popt xz bzip2 dbus elfutils python3"
53	DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native"	54	DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native"
54		55
55	inherit autotools gettext pkgconfig python3native	56	inherit autotools gettext pkgconfig python3native
@@ -58,7 +59,7 @@ export PYTHON_ABI
58	# OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe	59	# OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe
59	EXTRA_AUTORECONF_append = " --exclude=gnu-configize"	60	EXTRA_AUTORECONF_append = " --exclude=gnu-configize"
60		61
61	EXTRA_OECONF_append = " --without-lua --enable-python"	62	EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=openssl"
62	EXTRA_OECONF_append_libc-musl = " --disable-nls"	63	EXTRA_OECONF_append_libc-musl = " --disable-nls"
63		64
64	# --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs	65	# --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs