hcq/openGauss-third_party
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: hcq:master
Branches Tags
hcq:master hcq:v5.0.2-la-uos-desktop hcq:v5.0.2-loongarch hcq:6.0.0
...
pull from: hcq:v5.0.2-la-uos-desktop
Branches Tags
hcq:master hcq:v5.0.2-la-uos-desktop hcq:v5.0.2-loongarch hcq:6.0.0

35 Commits
master ... v5.0.2-la-

Author SHA1 Message Date
huchangqi
a479081fca 适配 uos 桌面系统 2024-10-17 16:14:54 +08:00
huchangqi
d104a52bf8 v5.0.2 版本适配 loongarch 
component 目录中的都是git子仓库,不方便提交,整体修改压缩。
build_all.sh 在 loongnix-server 8.4 上一次编译通过。
 2024-10-16 14:31:29 +08:00
opengauss_bot
9e0a4693e7 !226 适配龙芯平台 
Merge pull request !226 from ape/fix_loongarch64
 2024-05-22 09:46:02 +08:00
zhang_xubo
b52f5247d1 om依赖开源组件,在lib3.*外在保存一份,适配未合入【om适配多版本python】的特性场景 2024-04-16 16:13:05 +08:00
zhang_xubo
aca1368837 update ddes version 2024-03-30 14:24:41 +08:00
蒋宏博
2075000201 fix CVE-2023-38545 2024-03-30 10:58:09 +08:00
jianghongbo
0c2096405e 修复libcurl patch文件名称错误 2024-03-30 10:56:31 +08:00
jianghongbo
84c44e78cf fix CVE-2023-46218 2024-03-30 10:54:54 +08:00
jianghongbo
b2c62dd8e2 fix CVE-2023-49083 2024-03-30 10:54:22 +08:00
jianghongbo
f5b59c7fd8 fix CVE-2023-5678 2024-03-30 10:53:52 +08:00
jianghongbo
b92787be15 fix CVE-2023-44487 2024-03-30 10:49:59 +08:00
jianghongbo
ce1f204549 fix cve-2023-45853 2024-03-30 10:49:31 +08:00
jianghongbo
62115b640f 修复漏洞cve-2023-45322 2024-03-30 10:49:02 +08:00
jianghongbo
6f7e8afe49 fix CVE-2023-36054 2024-03-30 10:46:32 +08:00
jianghongbo
fe2bb49e6b fix CVE-2023-3817 2024-03-30 10:45:36 +08:00
jianghongbo
959e442e45 FIX CVE-2023-3446 2024-03-30 10:45:05 +08:00
jianghongbo
9179a7fc70 fix cve-2023-35945 2024-03-30 10:44:37 +08:00
jianghongbo
82891b451b fix issue #I7C4GW 2024-03-30 10:43:55 +08:00
jianghongbo
69e294646f fix CVE-2023-2650 and CVE-2023-0464 2024-03-30 10:43:05 +08:00
jianghongbo
32315eb5d0 fix CVE-2023-28322 2024-03-30 10:42:26 +08:00
lilong
cea87a1d9a libcurl编译不使能ldap和nghttp2 2024-03-30 10:41:59 +08:00
jianghongbo
f997e60357 fix CVE-2023-29469, CVE-2023-28484 2024-03-30 10:36:36 +08:00
jianghongbo
ba1514cc1b 修复zstd编译脚本 2024-03-30 10:32:11 +08:00
jianghongbo
dcc80ccb4c om屏蔽python版本差异 2024-03-30 10:31:30 +08:00
opengauss_bot
558f8c355e !244 fix CVE-2024-1013 on 5.0.0 
Merge pull request !244 from 蒋宏博/5.0.0
 2024-03-19 08:35:03 +00:00
蒋宏博
14f3589ea5 fix CVE-2024-1013 2024-03-19 16:23:27 +08:00
opengauss_bot
b5e0264e34 !239 fix CVE-2024-25062 on 5.0.0 
Merge pull request !239 from 蒋宏博/5.0.0
 2024-02-07 01:57:06 +00:00
蒋宏博
7403e3f1bb fix cve-2024-25062 2024-02-07 09:39:44 +08:00
opengauss_bot
6388aaf8ce !236 fix CVE-2023-50471&CVE-2023-50472 
Merge pull request !236 from 蒋宏博/5.0.0
 2024-02-06 03:56:47 +00:00
蒋宏博
021a1a1c1f fix CVE-2023-50471&cve-2023-50472 2024-02-06 10:12:10 +08:00
opengauss_bot
851056a826 !232 fix CVE-2024-0727 on 5.0.0 
Merge pull request !232 from 蒋宏博/5.0.0
 2024-02-05 11:47:40 +00:00
蒋宏博
b7032026ce fix cve-2024-0727 2024-02-04 11:22:24 +08:00
opengauss_bot
61d03845a9 !216 【Pick】同步 PR 214 到 5.0.0 
Merge pull request !216 from laishenghao/cherry-pick-1695349541
 2023-09-22 02:37:17 +00:00
Laishenghao
c7f6c4de27 fixed 1b39d78 from https://gitee.com/dodders/openGauss-third_party/pulls/214 
修改postgis 补丁,解决raster类型不对导致创建postgis_raster失败的问题
 2023-09-22 02:25:41 +00:00
opengauss-bot
4af4075d25 !194 同步master到5.0.0 
Merge pull request !194 from zhangxubo/master
 2023-04-04 09:26:06 +00:00
65 changed files with 5948 additions and 133 deletions
Expand all files Collapse all files

9
OpenSource.yml
View File

@ -126,6 +126,15 @@ opengauss:
pkg_name: "jemalloc-5.2.1.tar.gz"
down_load_type: "wget"
sha256: "ed51b0b37098af4ca6ed31c22324635263f8ad6471889e0592a9c0dba9136aea"
- github:
repo: "https://github.com/jemalloc/jemalloc.git"
url: "https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz"
branch: "5.3.0"
path: "dependency/jemalloc"
name: "jemalloc"
pkg_name: "jemalloc-5.3.0.tar.gz"
down_load_type: "wget"
sha256: "ef6f74fd45e95ee4ef7f9e19ebe5b075ca6b7fbe0140612b2a161abafb7ee179"
- github:
repo: "https://github.com/krb5/krb5.git"
url: "https://github.com/krb5/krb5/archive/refs/tags/krb5-1.18.3-final.tar.gz"

1481
build-aux/config.guess vendored Normal file
View File

File diff suppressed because it is too large Load Diff

1852
build-aux/config.sub vendored Normal file
View File

File diff suppressed because it is too large Load Diff

2
build/build_all.sh
View File

@ -48,6 +48,8 @@ cd ${DEPENDENCY_BUILD_PATH}
sh build_dependency.sh
# build component
cd ${ROOT_PATH}
tar xzf component.tar.gz
cd ${COMPONENT_BUILD_PATH}
sh build_component.sh

3
build/get_PlatForm_str.sh
View File

@ -20,6 +20,9 @@ kernel=""
if [ -f "/etc/euleros-release" ]
then
kernel=$(cat /etc/euleros-release | awk -F ' ' '{print $1}' | tr A-Z a-z)
elif [ -f "/etc/os-release" ]
then
kernel=$(source /etc/os-release; echo $ID)
else
kernel=$(lsb_release -d | awk -F ' ' '{print $2}'| tr A-Z a-z)
fi

BIN
component.tar.gz Normal file
View File

Binary file not shown.

2
component/cbb/build.sh
View File

@ -11,7 +11,7 @@
# Clone CBB code to local dir
CBB_REPO=https://gitee.com/opengauss/CBB.git
CBB_BRANCH=master
CBB_BRANCH=v5.0.1
echo "clone dcc code"
if [ -d CBB ]; then

2
component/dcc/build.sh
View File

@ -11,7 +11,7 @@
# Clone DCC code to local dir
DCC_REPO=https://gitee.com/opengauss/DCC.git
DCC_BRANCH=master
DCC_BRANCH=v5.0.1
echo "clone dcc code"
if [ -d DCC ]; then

2
component/dcf/build.sh
View File

@ -11,7 +11,7 @@
# Clone DCF code to local dir
DCF_REPO=https://gitee.com/opengauss/DCF.git
DCF_BRANCH=master
DCF_BRANCH=v5.0.1
echo "clone dcf code"
if [ -d DCF ]; then

2
component/dms/build.sh
View File

@ -11,7 +11,7 @@
# Clone DMS code to local dir
DMS_REPO=https://gitee.com/opengauss/DMS.git
DMS_BRANCH=master
DMS_BRANCH=v5.0.1
echo "clone dms code"
if [ -d DMS ]; then

2
component/dss/build.sh
View File

@ -11,7 +11,7 @@
# Clone DSS code to local dir
DSS_REPO=https://gitee.com/opengauss/DSS.git
DSS_BRANCH=master
DSS_BRANCH=v5.0.1
echo "clone dss code"
if [ -d DSS ]; then

2
dependency/bcrypt/_bcrypt.py
View File

@ -1,7 +1,7 @@
def __bootstrap__():
global __bootstrap__, __loader__, __file__
import sys, pkg_resources, imp
__file__ = pkg_resources.resource_filename(__name__, '_bcrypt.so')
__file__ = pkg_resources.resource_filename(__name__, '_bcrypt.abi3.so')
__loader__ = None; del __bootstrap__, __loader__
imp.load_dynamic(__name__,__file__)
__bootstrap__()

29
dependency/bcrypt/build.sh
View File

@ -1,5 +1,3 @@
#!/bin/bash
#######################################################################
# Copyright (c): 2012-2019, Huawei Tech. Co., Ltd.
# description: the script that make install bcrypt
# version: 3.1.7
@ -7,6 +5,7 @@
# history:
#######################################################################
set -e
ROOT_DIR=$(pwd)
PLATFORM=$(sh $(pwd)/../../build/get_PlatForm_str.sh)
mkdir -p $(pwd)/../../output/install_tools/
python_version=`python3 -V | awk -F ' ' '{print $2}' |awk -F '.' -v OFS='.' '{print $1,$2}'`
@ -23,14 +22,32 @@ mkdir ${SOURCE_FILE}
tar -zxf $TAR_SOURCE_FILE -C $SOURCE_FILE --strip-components 1
cd $SOURCE_FILE
CFLAGS='-fstack-protector-all' LDFLAGS='-Wl,-z,relro,-z,now -z,noexecstack' python3 setup.py build
version_num=("3.6" "3.7" "3.8" "3.9" "3.10")
lib_dir=""
for (( i=0;i<${#version_num[*]};i++ ))
do
if [[ $(python3 -V | awk '{print $2}') =~ ${version_num[$i]} ]]; then
lib_dir="lib${version_num[$i]}"
break
fi
done
if [[ "$PLATFORM" == centos* ]]; then
CPU_BIT=$(uname -m)
if [ X"$CPU_BIT" = X"x86_64" ]; then
gcc -pthread -shared -Wl,-z,relro,-z,now,-z,noexecstack -s -ftrapv -g build/temp.linux-x86_64-$python_version/build/temp.linux-x86_64-$python_version/_bcrypt.o build/temp.linux-x86_64-$python_version/src/_csrc/blf.o build/temp.linux-x86_64-$python_version/src/_csrc/bcrypt.o build/temp.linux-x86_64-$python_version/src/_csrc/bcrypt_pbkdf.o build/temp.linux-x86_64-$python_version/src/_csrc/sha2.o build/temp.linux-x86_64-$python_version/src/_csrc/timingsafe_bcmp.o -o build/lib.linux-x86_64-$python_version/bcrypt/_bcrypt.abi3.so
fi
fi
python3 setup.py install --user
cp -r build/lib*/* $TARGET_PATH
preloader_dir_path=$(PYTHONPATH='' pip3 show bcrypt | awk '/Location/{ print $2 }')
cp ${preloader_dir_path}/bcrypt/_bcrypt.py $TARGET_PATH/bcrypt/
python3 setup.py install --user
if [[ -d "$TARGET_PATH/bcrypt" ]]; then
mkdir -p $TARGET_PATH/bcrypt/$lib_dir
cp build/lib*/bcrypt/_bcrypt.abi3.so $TARGET_PATH/bcrypt/$lib_dir
else
cp -r build/lib*/* $TARGET_PATH
mkdir -p $TARGET_PATH/bcrypt/$lib_dir
cp $TARGET_PATH/bcrypt/_bcrypt.abi3.so $TARGET_PATH/bcrypt/$lib_dir
fi
cp $ROOT_DIR/_bcrypt.py $TARGET_PATH/bcrypt/

2
dependency/boost/build_component.sh
View File

@ -46,7 +46,7 @@ function build_component()
comm|llt)
mkdir -p ${LOCAL_DIR}/install_${COMPILE_TYPE}
log "[Notice] boost configure string: ./bootstrap.sh --prefix=${LOCAL_DIR}/install_${COMPILE_TYPE}"
./bootstrap.sh --prefix=${LOCAL_DIR}/install_${COMPILE_TYPE}
./bootstrap.sh --prefix=${LOCAL_DIR}/install_${COMPILE_TYPE} --with-python=python3
./tools/build/src/engine/bjam cflags='-fPIC -D_GLIBCXX_USE_CXX11_ABI=0' cxxflags='-fPIC -D_GLIBCXX_USE_CXX11_ABI=0'
if [ $? -ne 0 ]; then
die "[Error] boost configure failed."

23
dependency/bottle/abovePython310.patch Normal file
View File

@ -0,0 +1,23 @@
diff -Naur a/bottle.py b/bottle.py
--- a/bottle.py 2023-02-25 16:33:57.484154733 +0800
+++ b/bottle.py 2023-02-25 16:24:53.631418542 +0800
@@ -64,6 +64,7 @@
py3k = py >= (3, 0, 0)
py25 = py < (2, 6, 0)
py31 = (3, 1, 0) <= py < (3, 2, 0)
+py310 = py >= (3, 10)
# Workaround for the missing "as" keyword in py3k.
def _e(): return sys.exc_info()[1]
@@ -84,7 +85,10 @@
from urllib.parse import urlencode, quote as urlquote, unquote as urlunquote
urlunquote = functools.partial(urlunquote, encoding='latin1')
from http.cookies import SimpleCookie
- from collections import MutableMapping as DictMixin
+ if py310:
+ from _collections_abc import MutableMapping as DictMixin
+ else:
+ from collections import MutableMapping as DictMixin
import pickle
from io import BytesIO
from configparser import ConfigParser

1
dependency/bottle/build.sh
View File

@ -20,6 +20,7 @@ mkdir ${SOURCE_FILE}
tar -zxf $TAR_SOURCE_FILE -C $SOURCE_FILE --strip-components 1
cd $SOURCE_FILE
patch -p1 < ../0001-patch-repo.patch
patch -p1 < ../abovePython310.patch
python3 setup.py build
sed -i "s/scripts=/#scripts=/g" setup.py
python3 setup.py install --user

16
dependency/build/build_dependency.sh
View File

@ -25,7 +25,11 @@ echo "[cJSON] is " $use_tm
echo ------------------------------jemalloc---------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../jemalloc
if [ "$ARCH"x != "loongarch64"x ];then
python3 build.py -m all -t "release|debug" -f jemalloc-5.2.1.tar.gz >>../build/build_result.log
else
python3 build.py -m all -t "release|debug" -f jemalloc-5.3.0.tar.gz >>../build/build_result.log
fi
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[jemalloc] is " $use_tm
@ -67,7 +71,9 @@ echo "[iperf] is " $use_tm
echo -------------------------------llvm------------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../llvm
sh -x build.sh -m all -c comm >>../build/build_result.log
if [[ "$ARCH"x != "loongarch64"x ]];then
bash -x build.sh -m all -c comm >>../build/build_result.log
fi
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo $use_tm
@ -298,7 +304,9 @@ echo "[esdk_obs_api] $use_tm"
echo ---------------------------------------pljava-----------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../../dependency/pljava
sh build.sh -m build >>../build/build_result.log
if [[ "$ARCH"x != "loongarch64"x ]];then
bash build.sh -m build >>../build/build_result.log
fi
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[pljava] $use_tm"
@ -312,7 +320,9 @@ echo "[sqlparse] $use_tm"
echo ---------------------------------------masstree-----------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../masstree
sh build.sh >>../build/build_result.log
if [[ "$ARCH"x != "loongarch64"x ]];then
bash build.sh >>../build/build_result.log
fi
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[masstree] $use_tm"

22
dependency/build/om_build.sh Normal file
View File

@ -0,0 +1,22 @@
#!/bin/bash
version_list=("7 8 9 10")
ORIGIN_PATH=${PATH}
for version in ${version_list};
do
unset LD_LIBRARY_PATH
export PYTHONHOME=/usr/local/python3${version}
export LD_LIBRARY_PATH=$PYTHONHOME/lib:$LD_LIBRARY_PATH
export PATH=$PYTHONHOME/bin:${ORIGIN_PATH}
export DPYTHON_INCLUDE_PATH=$PYTHONHOME/include/python3.${version}
echo "++++++++++++++++++++++++++++++++++++++$(python3 -V)++++++++++++++++++++++++++++++++++++++++++++"
sh om_build_dependency.sh
if [ $? != 0 ]; then
echo "om dependency build failed.....python version: $(python3 -V)"
exit 1
fi
done

155
dependency/build/om_build_dependency.sh Normal file
View File

@ -0,0 +1,155 @@
#!/bin/bash
# *************************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2020. All rights reserved
#
# description: the script that make install dependency
# date: 2020-10-21
# version: 1.0
# history:
#
# *************************************************************************
set -e
ARCH=$(uname -m)
ROOT_DIR="${PWD}/../.."
PLATFORM="$(bash ${ROOT_DIR}/build/get_PlatForm_str.sh)"
[ -f build_all.log ] && rm -rf build_all.log
echo --------------------------------openssl-------------------------------------------------
start_tm=$(date +%s%N)
[ -f demo.log ] && rm -rf demo.log
cd $(pwd)/../openssl
python3 build.py -m all -f openssl-OpenSSL_1_1_1n.tar.gz -t "comm|llt" >>../build/demo.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[openssl] $use_tm"
echo -------------------------------asn1crypto-------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../asn1crypto
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[asn1crypto] $use_tm"
echo ---------------------------------six-----------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../six
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[six] $use_tm"
echo -------------------------------ipaddres--------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../ipaddress
sh build.sh >>../build/demo.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[ipaddress] $use_tm"
echo -------------------------------pycparser-------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../pycparser
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[pycparser] $use_tm"
echo ---------------------------------cffi----------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../cffi
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[cffi] $use_tm"
echo -------------------------------cryptography----------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../cryptography
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[cryptography] $use_tm"
echo ---------------------------------bcrypt--------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../bcrypt
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[bcrypt] $use_tm"
echo ---------------------------------bottle--------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../bottle
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[bottle] $use_tm"
echo ----------------------------------idna---------------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../idna
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[idna] $use_tm"
echo ----------------------------------netifaces----------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../netifaces
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[netifaces] $use_tm"
echo -------------------------------------paste-----------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../paste
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[paste] $use_tm"
echo -------------------------------------psutil----------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../psutil
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[psutil] $use_tm"
echo -------------------------------------pyasn1----------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../pyasn1
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[pyasn1] $use_tm"
echo --------------------------------------pynacl---------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../pynacl
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[pynacl] $use_tm"
echo -----------------------------------paramiko----------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../paramiko
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[paramiko] $use_tm"
echo --------------------------------------pyOpenSSL------------------------------------------
start_tm=$(date +%s%N)
cd $(pwd)/../pyOpenSSL
sh build.sh >>../build/build_result.log
end_tm=$(date +%s%N)
use_tm=$(echo $end_tm $start_tm | awk '{ print ($1 - $2) / 1000000000}' | xargs printf "%.2f")
echo "[pyOpenSSL] $use_tm"

87
dependency/cJSON/CVE-2023-50471andCVE-2023-50472.patch Normal file
View File

@ -0,0 +1,87 @@
diff -Naur a/cJSON.c b/cJSON.c
--- a/cJSON.c 2024-02-05 19:23:06.722566273 +0800
+++ b/cJSON.c 2024-02-05 19:22:33.685276776 +0800
@@ -401,7 +401,12 @@
{
char *copy = NULL;
/* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
+ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
+ {
+ return NULL;
+ }
+ /* return NULL if the object is corrupted */
+ if (object->valuestring == NULL)
{
return NULL;
}
@@ -2260,7 +2265,7 @@
{
cJSON *after_inserted = NULL;
- if (which < 0)
+ if (which < 0 || newitem == NULL)
{
return false;
}
@@ -2271,6 +2276,11 @@
return add_item_to_array(array, newitem);
}
+ if (after_inserted != array->child && after_inserted->prev == NULL) {
+ /* return false if after_inserted is a corrupted array item */
+ return false;
+ }
+
newitem->next = after_inserted;
newitem->prev = after_inserted->prev;
after_inserted->prev = newitem;
diff -Naur a/tests/misc_tests.c b/tests/misc_tests.c
--- a/tests/misc_tests.c 2024-02-05 19:23:06.726566308 +0800
+++ b/tests/misc_tests.c 2024-02-05 19:22:33.689276811 +0800
@@ -353,6 +353,19 @@
{
char buffer[10];
cJSON *item = cJSON_CreateString("item");
+ cJSON *array = cJSON_CreateArray();
+ cJSON *item1 = cJSON_CreateString("item1");
+ cJSON *item2 = cJSON_CreateString("corrupted array item3");
+ cJSON *corruptedString = cJSON_CreateString("corrupted");
+ struct cJSON *originalPrev;
+
+ add_item_to_array(array, item1);
+ add_item_to_array(array, item2);
+
+ originalPrev = item2->prev;
+ item2->prev = NULL;
+ free(corruptedString->valuestring);
+ corruptedString->valuestring = NULL;
cJSON_InitHooks(NULL);
TEST_ASSERT_NULL(cJSON_Parse(NULL));
@@ -412,6 +425,8 @@
cJSON_DeleteItemFromObject(item, NULL);
cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
@@ -428,10 +443,16 @@
TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
cJSON_Minify(NULL);
/* skipped because it is only used via a macro that checks for NULL */
/* cJSON_SetNumberHelper(NULL, 0); */
+ /* restore corrupted item2 to delete it */
+ item2->prev = originalPrev;
+ cJSON_Delete(corruptedString);
+ cJSON_Delete(array);
cJSON_Delete(item);
}

2
dependency/cJSON/build_component.sh
View File

@ -60,7 +60,7 @@ function build_component()
log "[Notice] cjson using \"${COMPILE_TYPE}\" Begin make install"
make install
cd ${LOCAL_DIR}/install_${COMPILE_TYPE}
mv lib64 lib
#mv lib64 lib
if [ $? -ne 0 ]; then
die "[Error] cjson make install failed."
fi

17
dependency/cffi/build.sh
View File

@ -3,11 +3,14 @@
#sudo yum install -y libffi-devel
set -e
mkdir -p $(pwd)/../../output/install_tools
export TARGET_PATH=$(pwd)/../../output/install_tools/
export TARGET_PATH=$(pwd)/../../output/install_tools
export LD_LIBRARY_PATH=$TARGET_PATH:$LD_LIBRARY_PATH:/usr/lib64
export PATH=$TARGET_PATH:$PATH
export PYTHONPATH=$TARGET_PATH:$LIBRARY_PATH
version_list=("3.6" "3.7" "3.8" "3.9" "3.10")
python_version=`python3 -V | awk -F ' ' '{print $2}' | awk -F '.' -v OFS='.' '{print $1,$2}'`
TAR_SOURCE_FILE=cffi-1.15.0.tar.gz
SOURCE_FILE=cffi-1.15.0
if [ -d ${SOURCE_FILE} ]; then
@ -20,6 +23,16 @@ CFLAGS='-fstack-protector-all' LDFLAGS='-Wl,-z,relro,-z,now -z,noexecstack' pyth
PYTHONHASHSEED=0 python3 setup.py install --user
cp -r build/lib*/* $TARGET_PATH
for version in ${version_list[@]}
do
if [ $version == $python_version ]; then
mkdir -p $TARGET_PATH/_cffi_backend_${version}
mv $TARGET_PATH/_cffi_backend.*.so $TARGET_PATH/_cffi_backend.so
cp -r $TARGET_PATH/_cffi_backend.so $TARGET_PATH/_cffi_backend.so_UCS4_$python_version
cp $TARGET_PATH/_cffi_backend.so $TARGET_PATH/_cffi_backend_${version}/
cp $TARGET_PATH/_cffi_backend_${version}/_cffi_backend.so $TARGET_PATH/_cffi_backend.so_UCS4_$python_version
break
fi
done
cp ./../_cffi_backend.py $TARGET_PATH/_cffi_backend.py

30
dependency/cryptography/CVE-2023-49083.patch Normal file
View File

@ -0,0 +1,30 @@
diff -Naur a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
--- a/src/cryptography/hazmat/backends/openssl/backend.py 2023-12-02 16:06:27.029247885 +0800
+++ b/src/cryptography/hazmat/backends/openssl/backend.py 2023-12-02 16:03:19.239094195 +0800
@@ -2664,6 +2664,10 @@
_Reasons.UNSUPPORTED_SERIALIZATION,
)
+ certs: list[x509.Certificate] = []
+ if p7.d.sign == self._ffi.NULL:
+ return certs
+
sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
certs = []
diff -Naur a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
--- a/tests/hazmat/primitives/test_pkcs7.py 2023-12-02 16:06:27.037247977 +0800
+++ b/tests/hazmat/primitives/test_pkcs7.py 2023-12-02 16:03:19.251094333 +0800
@@ -80,6 +80,12 @@
mode="rb",
)
+ def test_load_pkcs7_empty_certificates(self):
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
+ assert certificates == []
+
# We have no public verification API and won't be adding one until we get
# some requirements from users so this function exists to give us basic

7
dependency/cryptography/_openssl.py Normal file
View File

@ -0,0 +1,7 @@
def __bootstrap__():
global __bootstrap__, __loader__, __file__
import sys, pkg_resources, imp
__file__ = pkg_resources.resource_filename(__name__, '_openssl.abi3.so')
__loader__ = None; del __bootstrap__, __loader__
imp.load_dynamic(__name__,__file__)
__bootstrap__()

7
dependency/cryptography/_padding.py Normal file
View File

@ -0,0 +1,7 @@
def __bootstrap__():
global __bootstrap__, __loader__, __file__
import sys, pkg_resources, imp
__file__ = pkg_resources.resource_filename(__name__, '_padding.abi3.so')
__loader__ = None; del __bootstrap__, __loader__
imp.load_dynamic(__name__,__file__)
__bootstrap__()

27
dependency/cryptography/build.sh
View File

@ -1,6 +1,7 @@
#!/bin/bash
# Copyright (c): 2012-2019, Huawei Tech. Co., Ltd.
set -e
ROOT_DIR=$(pwd)
mkdir -p $(pwd)/../python-lib
mkdir -p $(pwd)/../../output/install_tools
python_version=`python3 -V | awk -F ' ' '{print $2}' |awk -F '.' -v OFS='.' '{print $1,$2}'`
@ -15,10 +16,32 @@ if [ -d ${SOURCE_FILE} ]; then
rm -rf ${SOURCE_FILE}
fi
mkdir ${SOURCE_FILE}
version_num=("3.6" "3.7" "3.8" "3.9" "3.10")
lib_dir=""
for (( i=0;i<${#version_num[*]};i++ ))
do
if [[ $(python3 -V | awk '{print $2}') =~ ${version_num[$i]} ]]; then
lib_dir="lib${version_num[$i]}"
break
fi
done
tar -zxf $TAR_SOURCE_FILE -C $SOURCE_FILE --strip-components 1
cd $SOURCE_FILE
patch -p1 < ../CVE-2023-49083.patch
CFLAGS='-fstack-protector-all' LDFLAGS='-Wl,-z,relro,-z,now -z,noexecstack' python3 setup.py build_ext --inplace --library-dirs=${OPENSSL_ROOT_DIR}/lib --include-dirs=${OPENSSL_ROOT_DIR}/include
python3 setup.py install --user
if [[ -d "$TARGET_PATH/cryptography/hazmat/bindings" ]]; then
mkdir -p $TARGET_PATH/cryptography/hazmat/bindings/$lib_dir
cp build/lib*/cryptography/hazmat/bindings/*.so $TARGET_PATH/cryptography/hazmat/bindings/$lib_dir
else
cp -r build/lib*/* $TARGET_PATH
preloader_dir_path=$(PYTHONPATH='' pip3 show cryptography | awk '/Location/{ print $2 }')
\cp -r ${preloader_dir_path}/cryptography/hazmat/bindings/_*.py $TARGET_PATH/cryptography/hazmat/bindings/
mkdir -p $TARGET_PATH/cryptography/hazmat/bindings/$lib_dir
cp $TARGET_PATH/cryptography/hazmat/bindings/*.so $TARGET_PATH/cryptography/hazmat/bindings/$lib_dir
fi
cp $ROOT_DIR/_openssl.py $TARGET_PATH/cryptography/hazmat/bindings/
cp $ROOT_DIR/_padding.py $TARGET_PATH/cryptography/hazmat/bindings/

3
dependency/esdk_obs_api/build.sh
View File

@ -65,6 +65,9 @@ main()
cd ${SRC_DIR}
log "[Info] patching ......... "
patch -p1 < ../obs.patch >> $LOG_FILE 2>&1
if [[ "$ARCH"x = "loongarch64"x ]];then
cp -rf ${TRUNK_DIR}/build-aux/* ./platform/eSDK_LogAPI_V2.1.10/log4cpp/config/
fi
cd ..
cp Makefile huaweicloud-sdk-c-obs/platform/eSDK_LogAPI_V2.1.10/eSDKLogAPI/

2
dependency/iperf/build.py
View File

@ -130,7 +130,7 @@ class OPOperator():
add_pie_cmd2 = "cd %s/%s; sed -i 's/iperf3_LDFLAGS = -g/iperf3_LDFLAGS = -g -pie/' src/Makefile.in" % (self.local_dir, source_code_path)
ret = self.exe_cmd(add_pie_cmd2)
self.error_handler(ret, add_pie_cmd2)
config_cmd = "cd %s/%s; ./configure --prefix=%s/install_comm CFLAGS='-fstack-protector-all' LDFLAGS='-Wl,-z,relro,-z,now -z,noexecstack'" % (self.local_dir, source_code_path, self.local_dir)
config_cmd = "cd %s/%s; cp ../../../build-aux/config.* ./config/; ./configure --prefix=%s/install_comm CFLAGS='-fstack-protector-all' LDFLAGS='-Wl,-z,relro,-z,now -z,noexecstack'" % (self.local_dir, source_code_path, self.local_dir)
ret = self.exe_cmd(config_cmd)
self.error_handler(ret, config_cmd)
make_cmd = 'cd %s/%s; make && make install ' % (self.local_dir, source_code_path)

BIN
dependency/jemalloc/jemalloc-5.3.0.tar.gz Normal file
View File

Binary file not shown.

35
dependency/kerberos/CVE-2023-36054.patch Normal file
View File

@ -0,0 +1,35 @@
diff -Naur a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
--- a/src/lib/kadm5/kadm_rpc_xdr.c 2023-09-01 16:16:12.843658117 +0800
+++ b/src/lib/kadm5/kadm_rpc_xdr.c 2023-09-01 16:12:03.704811364 +0800
@@ -390,6 +390,7 @@
int v)
{
unsigned int n;
+ bool_t r;
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
return (FALSE);
@@ -443,6 +444,9 @@
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
return (FALSE);
}
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
+ return (FALSE);
+ }
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
return (FALSE);
}
@@ -451,9 +455,10 @@
return FALSE;
}
n = objp->n_key_data;
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
- &n, ~0, sizeof(krb5_key_data),
- xdr_krb5_key_data_nocontents)) {
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
+ objp->n_key_data = n;
+ if (!r) {
return (FALSE);
}

6
dependency/kerberos/build.py
View File

@ -122,6 +122,12 @@ class OPOperator():
patch_cmd = 'cd %s/%s; patch -p1 < ../%s' % (self.local_dir, source_code_path, pre_patch)
ret = self.exe_cmd(patch_cmd)
self.error_handler(ret)
status, output = subprocess.getstatusoutput('uname -m')
self.error_handler(status)
cpu_arch = output
if cpu_arch in ('loongarch64') :
ret = self.exe_cmd('cd %s/%s; cp -rf %s/../../build-aux/* ./src/config/' % (self.local_dir, source_code_path, self.local_dir))
self.error_handler(ret)
gen_cmd="cd %s/%s/src; rm configure; autoconf; autoheader; sed -i 's/lcom_err/lcom_err_gauss/g' configure" % (self.local_dir, source_code_path)
ret = self.exe_cmd(gen_cmd)
self.error_handler(ret)

379
dependency/libcurl/CVE-2023-28322.patch Normal file
View File

@ -0,0 +1,379 @@
diff -Naur a/lib/curl_rtmp.c b/lib/curl_rtmp.c
--- a/lib/curl_rtmp.c 2023-06-08 21:47:27.846551637 +0800
+++ b/lib/curl_rtmp.c 2023-06-08 21:49:43.748132707 +0800
@@ -229,7 +229,7 @@
/* We have to know if it's a write before we send the
* connect request packet
*/
- if(data->set.upload)
+ if(data->state.upload)
r->Link.protocol |= RTMP_FEATURE_WRITE;
/* For plain streams, use the buffer toggle trick to keep data flowing */
@@ -261,7 +261,7 @@
if(!RTMP_ConnectStream(r, 0))
return CURLE_FAILED_INIT;
- if(data->set.upload) {
+ if(data->state.upload) {
Curl_pgrsSetUploadSize(data, data->state.infilesize);
Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET);
}
diff -Naur a/lib/file.c b/lib/file.c
--- a/lib/file.c 2023-06-08 21:47:27.846551637 +0800
+++ b/lib/file.c 2023-06-08 21:49:43.744132660 +0800
@@ -200,7 +200,7 @@
file->freepath = real_path; /* free this when done */
file->fd = fd;
- if(!data->set.upload && (fd == -1)) {
+ if(!data->state.upload && (fd == -1)) {
failf(data, "Couldn't open file %s", data->state.up.path);
file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE);
return CURLE_FILE_COULDNT_READ_FILE;
@@ -382,7 +382,7 @@
Curl_pgrsStartNow(data);
- if(data->set.upload)
+ if(data->state.upload)
return file_upload(data);
file = data->req.p.file;
diff -Naur a/lib/ftp.c b/lib/ftp.c
--- a/lib/ftp.c 2023-06-08 21:47:27.850551682 +0800
+++ b/lib/ftp.c 2023-06-08 21:49:43.740132613 +0800
@@ -1381,7 +1381,7 @@
data->set.str[STRING_CUSTOMREQUEST]?
data->set.str[STRING_CUSTOMREQUEST]:
(data->state.list_only?"NLST":"LIST"));
- else if(data->set.upload)
+ else if(data->state.upload)
result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s",
conn->proto.ftpc.file);
else
@@ -3365,7 +3365,7 @@
/* the response code from the transfer showed an error already so no
use checking further */
;
- else if(data->set.upload) {
+ else if(data->state.upload) {
if((-1 != data->state.infilesize) &&
(data->state.infilesize != data->req.writebytecount) &&
!data->set.crlf &&
@@ -3637,7 +3637,7 @@
connected back to us */
}
}
- else if(data->set.upload) {
+ else if(data->state.upload) {
result = ftp_nb_type(data, conn, data->state.prefer_ascii,
FTP_STOR_TYPE);
if(result)
@@ -4217,7 +4217,7 @@
ftpc->file = NULL; /* instead of point to a zero byte,
we make it a NULL pointer */
- if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) {
+ if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) {
/* We need a file name when uploading. Return error! */
failf(data, "Uploading to a URL without a file name!");
free(rawPath);
diff -Naur a/lib/http.c b/lib/http.c
--- a/lib/http.c 2023-06-08 21:47:27.846551637 +0800
+++ b/lib/http.c 2023-06-08 21:49:43.748132707 +0800
@@ -2028,7 +2028,7 @@
Curl_HttpReq httpreq = data->state.httpreq;
const char *request;
if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
- data->set.upload)
+ data->state.upload)
httpreq = HTTPREQ_PUT;
/* Now set the 'request' pointer to the proper request string */
@@ -2343,7 +2343,7 @@
if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
(((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
http->postsize < 0) ||
- ((data->set.upload || httpreq == HTTPREQ_POST) &&
+ ((data->state.upload || httpreq == HTTPREQ_POST) &&
data->state.infilesize == -1))) {
if(conn->bits.authneg)
/* don't enable chunked during auth neg */
diff -Naur a/lib/imap.c b/lib/imap.c
--- a/lib/imap.c 2023-06-08 21:47:27.842551592 +0800
+++ b/lib/imap.c 2023-06-08 21:54:45.259686242 +0800
@@ -1491,11 +1491,11 @@
result = status; /* use the already set error code */
}
else if(!data->set.connect_only && !imap->custom &&
- (imap->uid || imap->mindex || data->set.upload ||
+ (imap->uid || imap->mindex || data->state.upload ||
data->set.mimepost.kind != MIMEKIND_NONE)) {
/* Handle responses after FETCH or APPEND transfer has finished */
- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
+ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
state(data, IMAP_FETCH_FINAL);
else {
/* End the APPEND command first by sending an empty line */
@@ -1561,7 +1561,7 @@
selected = TRUE;
/* Start the first command in the DO phase */
- if(data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
+ if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
/* APPEND can be executed directly */
result = imap_perform_append(data);
else if(imap->custom && (selected || !imap->mailbox))
diff -Naur a/lib/rtsp.c b/lib/rtsp.c
--- a/lib/rtsp.c 2023-06-08 21:47:27.842551592 +0800
+++ b/lib/rtsp.c 2023-06-08 21:49:43.740132613 +0800
@@ -508,7 +508,7 @@
rtspreq == RTSPREQ_SET_PARAMETER ||
rtspreq == RTSPREQ_GET_PARAMETER) {
- if(data->set.upload) {
+ if(data->state.upload) {
putsize = data->state.infilesize;
data->state.httpreq = HTTPREQ_PUT;
@@ -527,7 +527,7 @@
result =
Curl_dyn_addf(&req_buffer,
"Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
- (data->set.upload ? putsize : postsize));
+ (data->state.upload ? putsize : postsize));
if(result)
return result;
}
diff -Naur a/lib/setopt.c b/lib/setopt.c
--- a/lib/setopt.c 2023-06-08 22:22:59.219334893 +0800
+++ b/lib/setopt.c 2023-06-08 21:49:43.740132613 +0800
@@ -299,8 +299,8 @@
* We want to sent data to the remote host. If this is HTTP, that equals
* using the PUT request.
*/
- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE;
- if(data->set.upload) {
+ arg = va_arg(param, long);
+ if(arg) {
/* If this is HTTP, PUT is what's needed to "upload" */
data->set.method = HTTPREQ_PUT;
data->set.opt_no_body = FALSE; /* this is implied */
@@ -630,7 +630,6 @@
}
else
data->set.method = HTTPREQ_GET;
- data->set.upload = FALSE;
break;
case CURLOPT_HTTPPOST:
@@ -878,7 +877,6 @@
*/
if(va_arg(param, long)) {
data->set.method = HTTPREQ_GET;
- data->set.upload = FALSE; /* switch off upload */
data->set.opt_no_body = FALSE; /* this is implied */
}
break;
diff -Naur a/lib/smb.c b/lib/smb.c
--- a/lib/smb.c 2023-06-08 21:47:27.842551592 +0800
+++ b/lib/smb.c 2023-06-08 21:49:43.740132613 +0800
@@ -536,7 +536,7 @@
byte_count = strlen(req->path);
msg.name_length = smb_swap16((unsigned short)byte_count);
msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
- if(data->set.upload) {
+ if(data->state.upload) {
msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
}
@@ -815,7 +815,7 @@
smb_m = (const struct smb_nt_create_response*) msg;
req->fid = smb_swap16(smb_m->fid);
data->req.offset = 0;
- if(data->set.upload) {
+ if(data->state.upload) {
data->req.size = data->state.infilesize;
Curl_pgrsSetUploadSize(data, data->req.size);
next_state = SMB_UPLOAD;
diff -Naur a/lib/smtp.c b/lib/smtp.c
--- a/lib/smtp.c 2023-06-08 21:47:27.842551592 +0800
+++ b/lib/smtp.c 2023-06-08 21:49:43.740132613 +0800
@@ -1387,7 +1387,7 @@
result = status; /* use the already set error code */
}
else if(!data->set.connect_only && data->set.mail_rcpt &&
- (data->set.upload || data->set.mimepost.kind)) {
+ (data->state.upload || data->set.mimepost.kind)) {
/* Calculate the EOB taking into account any terminating CRLF from the
previous line of the email or the CRLF of the DATA command when there
is "no mail data". RFC-5321, sect. 4.1.1.4.
@@ -1480,7 +1480,7 @@
smtp->eob = 2;
/* Start the first command in the DO phase */
- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
+ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
/* MAIL transfer */
result = smtp_perform_mail(data);
else
diff -Naur a/lib/tftp.c b/lib/tftp.c
--- a/lib/tftp.c 2023-06-08 21:47:27.846551637 +0800
+++ b/lib/tftp.c 2023-06-08 21:49:43.740132613 +0800
@@ -367,7 +367,7 @@
/* tsize should be ignored on upload: Who cares about the size of the
remote file? */
- if(!data->set.upload) {
+ if(!data->state.upload) {
if(!tsize) {
failf(data, "invalid tsize -:%s:- value in OACK packet", value);
return CURLE_TFTP_ILLEGAL;
@@ -448,7 +448,7 @@
return result;
}
- if(data->set.upload) {
+ if(data->state.upload) {
/* If we are uploading, send an WRQ */
setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
state->data->req.upload_fromhere =
@@ -483,7 +483,7 @@
if(!data->set.tftp_no_options) {
char buf[64];
/* add tsize option */
- if(data->set.upload && (data->state.infilesize != -1))
+ if(data->state.upload && (data->state.infilesize != -1))
msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
data->state.infilesize);
else
@@ -537,7 +537,7 @@
break;
case TFTP_EVENT_OACK:
- if(data->set.upload) {
+ if(data->state.upload) {
result = tftp_connect_for_tx(state, event);
}
else {
diff -Naur a/lib/transfer.c b/lib/transfer.c
--- a/lib/transfer.c 2023-06-08 21:47:27.842551592 +0800
+++ b/lib/transfer.c 2023-06-08 21:49:43.744132660 +0800
@@ -1391,6 +1391,7 @@
{
data->state.fread_func = data->set.fread_func_set;
data->state.in = data->set.in_set;
+ data->state.upload = (data->state.httpreq == HTTPREQ_PUT);
}
/*
@@ -1764,7 +1765,6 @@
data->state.httpreq != HTTPREQ_POST_MIME) ||
!(data->set.keep_post & CURL_REDIR_POST_303))) {
data->state.httpreq = HTTPREQ_GET;
- data->set.upload = false;
infof(data, "Switch to %s",
data->set.opt_no_body?"HEAD":"GET");
}
@@ -1802,7 +1802,7 @@
/* if we're talking upload, we can't do the checks below, unless the protocol
is HTTP as when uploading over HTTP we will still get a response */
- if(data->set.upload &&
+ if(data->state.upload &&
!(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)))
return CURLE_OK;
diff -Naur a/lib/urldata.h b/lib/urldata.h
--- a/lib/urldata.h 2023-06-08 21:47:27.846551637 +0800
+++ b/lib/urldata.h 2023-06-08 21:49:43.740132613 +0800
@@ -1473,6 +1473,7 @@
BIT(url_alloc); /* URL string is malloc()'ed */
BIT(referer_alloc); /* referer string is malloc()ed */
BIT(wildcard_resolve); /* Set to true if any resolve change is a wildcard */
+ BIT(upload); /* upload request */
};
/*
@@ -1815,7 +1816,6 @@
BIT(http_auto_referer); /* set "correct" referer when following
location: */
BIT(opt_no_body); /* as set with CURLOPT_NOBODY */
- BIT(upload); /* upload request */
BIT(verbose); /* output verbosity */
BIT(krb); /* Kerberos connection requested */
BIT(reuse_forbid); /* forbidden to be reused, close after use */
diff -Naur a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
--- a/lib/vssh/libssh2.c 2023-06-08 21:47:27.846551637 +0800
+++ b/lib/vssh/libssh2.c 2023-06-08 21:49:43.744132660 +0800
@@ -1840,7 +1840,7 @@
}
case SSH_SFTP_TRANS_INIT:
- if(data->set.upload)
+ if(data->state.upload)
state(data, SSH_SFTP_UPLOAD_INIT);
else {
if(sshp->path[strlen(sshp->path)-1] == '/')
@@ -2512,7 +2512,7 @@
break;
}
- if(data->set.upload) {
+ if(data->state.upload) {
if(data->state.infilesize < 0) {
failf(data, "SCP requires a known file size for upload");
sshc->actualcode = CURLE_UPLOAD_FAILED;
@@ -2652,7 +2652,7 @@
break;
case SSH_SCP_DONE:
- if(data->set.upload)
+ if(data->state.upload)
state(data, SSH_SCP_SEND_EOF);
else
state(data, SSH_SCP_CHANNEL_FREE);
diff -Naur a/lib/vssh/libssh.c b/lib/vssh/libssh.c
--- a/lib/vssh/libssh.c 2023-06-08 21:47:27.846551637 +0800
+++ b/lib/vssh/libssh.c 2023-06-08 21:49:43.744132660 +0800
@@ -1199,7 +1199,7 @@
}
case SSH_SFTP_TRANS_INIT:
- if(data->set.upload)
+ if(data->state.upload)
state(data, SSH_SFTP_UPLOAD_INIT);
else {
if(protop->path[strlen(protop->path)-1] == '/')
@@ -1812,7 +1812,7 @@
/* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */
ssh_set_blocking(sshc->ssh_session, 1);
- if(data->set.upload) {
+ if(data->state.upload) {
if(data->state.infilesize < 0) {
failf(data, "SCP requires a known file size for upload");
sshc->actualcode = CURLE_UPLOAD_FAILED;
@@ -1917,7 +1917,7 @@
break;
}
case SSH_SCP_DONE:
- if(data->set.upload)
+ if(data->state.upload)
state(data, SSH_SCP_SEND_EOF);
else
state(data, SSH_SCP_CHANNEL_FREE);
diff -Naur a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c
--- a/lib/vssh/wolfssh.c 2023-06-08 21:47:27.846551637 +0800
+++ b/lib/vssh/wolfssh.c 2023-06-08 21:49:43.744132660 +0800
@@ -553,7 +553,7 @@
}
break;
case SSH_SFTP_TRANS_INIT:
- if(data->set.upload)
+ if(data->state.upload)
state(data, SSH_SFTP_UPLOAD_INIT);
else {
if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')

137
dependency/libcurl/CVE-2023-38545.patch Normal file
View File

@ -0,0 +1,137 @@
From e478fb5f5f2e26e2b060a51939dd2746041459ab Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Mon, 9 Oct 2023 16:34:27 -0400
Subject: [PATCH] socks: return error if hostname too long for remote resolve
Prior to this change the state machine attempted to change the remote
resolve to a local resolve if the hostname was longer than 255
characters. Unfortunately that did not work as intended and caused a
security issue.
This patch applies to curl versions 7.78.0 - 7.80.0. Other versions
that are affected take a different patch. Refer to the CVE advisory
for more information.
Bug: https://curl.se/docs/CVE-2023-38545.html
---
lib/socks.c | 8 +++---
tests/data/Makefile.inc | 2 +-
tests/data/test728 | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 72 insertions(+), 5 deletions(-)
create mode 100644 tests/data/test728
diff --git a/lib/socks.c b/lib/socks.c
index 91c4223..222660c 100644
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -535,9 +535,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
- infof(data, "SOCKS5: server resolving disabled for hostnames of "
- "length > 255 [actual len=%zu]", hostname_len);
- socks5_resolve_local = TRUE;
+ failf(data, "SOCKS5: the destination hostname is too long to be "
+ "resolved remotely by the proxy.");
+ return CURLPX_LONG_HOSTNAME;
}
if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
@@ -857,7 +857,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
if(!socks5_resolve_local) {
socksreq[len++] = 3; /* ATYP: domain name = 3 */
- socksreq[len++] = (char) hostname_len; /* one byte address length */
+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
len += hostname_len;
infof(data, "SOCKS5 connect to %s:%d (remotely resolved)",
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 1636969..1067005 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -94,7 +94,7 @@ test670 test671 test672 test673 test674 test675 test676 test677 test678 \
\
test700 test701 test702 test703 test704 test705 test706 test707 test708 \
test709 test710 test711 test712 test713 test714 test715 test716 test717 \
-test718 \
+test718 test728 \
\
test800 test801 test802 test803 test804 test805 test806 test807 test808 \
test809 test810 test811 test812 test813 test814 test815 test816 test817 \
diff --git a/tests/data/test728 b/tests/data/test728
new file mode 100644
index 0000000..8673613
--- /dev/null
+++ b/tests/data/test728
@@ -0,0 +1,67 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+SOCKS5
+SOCKS5h
+followlocation
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+# The hostname in this redirect is 256 characters and too long (> 255) for
+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
+<data>
+HTTP/1.1 301 Moved Permanently
+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
+Content-Length: 0
+Connection: close
+
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+proxy
+</features>
+<server>
+http
+socks5
+</server>
+ <name>
+SOCKS5h with HTTP redirect to hostname too long
+ </name>
+ <command>
+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<strippart>
+s/\r\n$/\n/
+</strippart>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+<errorcode>
+97
+</errorcode>
+# the error message is verified because error code CURLE_PROXY (97) may be
+# returned for any number of reasons and we need to make sure it is
+# specifically for the reason below so that we know the check is working.
+<stderr mode="text">
+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
+</stderr>
+</verify>
+</testcase>
--
2.7.4

35
dependency/libcurl/CVE-2023-46218.patch Normal file
View File

@ -0,0 +1,35 @@
diff -Naur a/lib/cookie.c b/lib/cookie.c
--- a/lib/cookie.c 2023-12-18 10:05:27.017124540 +0800
+++ b/lib/cookie.c 2023-12-18 10:04:00.568115685 +0800
@@ -1026,15 +1026,23 @@
* dereference it.
*/
if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
- const psl_ctx_t *psl = Curl_psl_use(data);
- int acceptable;
-
- if(psl) {
- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
- Curl_psl_release(data);
+ bool acceptable = FALSE;
+ char lcase[256];
+ char lcookie[256];
+ size_t dlen = strlen(domain);
+ size_t clen = strlen(co->domain);
+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
+ const psl_ctx_t *psl = Curl_psl_use(data);
+ if(psl) {
+ /* the PSL check requires lowercase domain name and pattern */
+ Curl_strntolower(lcase, domain, dlen + 1);
+ Curl_strntolower(lcookie, co->domain, clen + 1);
+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
+ Curl_psl_release(data);
+ }
+ else
+ acceptable = !bad_domain(domain, strlen(domain));
}
- else
- acceptable = !bad_domain(domain);
if(!acceptable) {
infof(data, "cookie '%s' dropped, domain '%s' must not "

5
dependency/libcurl/build.sh
View File

@ -120,6 +120,9 @@ main()
patch -p1 < ../CVE-2023-27535-1.patch >> $LOG_FILE 2>&1
patch -p1 < ../CVE-2023-27535-0.patch >> $LOG_FILE 2>&1
patch -p1 < ../CVE-2023-27536.patch >> $LOG_FILE 2>&1
patch -p1 < ../CVE-2023-28322.patch >> $LOG_FILE 2>&1
patch -p1 < ../CVE-2023-46218.patch >> $LOG_FILE 2>&1
patch -p1 < ../CVE-2023-38545.patch >> $LOG_FILE 2>&1
checkret "Failed to patch huawei_curl.patch"
print_done
@ -128,7 +131,7 @@ main()
chmod a+x configure
log "[Info] configuring ...... "
./configure --prefix="$PREFIX_DIR" --with-ssl=$TRUNK_DIR/output/kernel/dependency/openssl/comm --without-libssh2 CFLAGS='-fstack-protector-strong -Wl,-z,relro,-z,now' --with-zlib=$TRUNK_DIR/output/kernel/dependency/zlib1.2.11/comm --with-gssapi_krb5_gauss-includes=$TRUNK_DIR/output/kernel/dependency/kerberos/comm/include --with-gssapi_krb5_gauss-libs=$TRUNK_DIR/output/kernel/dependency/kerberos/comm/lib >> $LOG_FILE 2>&1
./configure --prefix="$PREFIX_DIR" --disable-ldap --without-nghttp2 --with-ssl=$TRUNK_DIR/output/kernel/dependency/openssl/comm --without-libssh2 CFLAGS='-fstack-protector-strong -Wl,-z,relro,-z,now' --with-zlib=$TRUNK_DIR/output/kernel/dependency/zlib1.2.11/comm --with-gssapi_krb5_gauss-includes=$TRUNK_DIR/output/kernel/dependency/kerberos/comm/include --with-gssapi_krb5_gauss-libs=$TRUNK_DIR/output/kernel/dependency/kerberos/comm/lib >> $LOG_FILE 2>&1
checkret "Failed to configure libcurl."
print_done

6
dependency/libiconv/build.sh
View File

@ -8,7 +8,7 @@
# 2020-04-18 update libiconv-1.15 to libiconv-1.16
set -e
ARCH=`uname -m`
iconv_dir=$(pwd)/libiconv-1.16/
build_dir=$(pwd)/install_comm
@ -25,6 +25,10 @@ cd $iconv_dir
patch -p1 < ../libiconv.patch
chmod 777 configure
if [[ "$ARCH"x = "loongarch64"x ]];then
cp -rf $(pwd)/../../../build-aux/* ./build-aux/
cp -rf $(pwd)/../../../build-aux/* ./libcharset/build-aux/
fi
./configure CFLAGS='-fPIC -fstack-protector-all --param ssp-buffer-size=4 -Wstack-protector' CPPFLAGS='-fPIC -fstack-protector-all --param ssp-buffer-size=4 -Wstack-protector' LDFLAGS='-Wl,-z,relro,-z,now' --prefix=$build_dir --disable-rpath

12
dependency/libxml2/CVE-2023-28484.patch Normal file
View File

@ -0,0 +1,12 @@
diff -Naur a/xmlschemas.c b/xmlschemas.c
--- a/xmlschemas.c 2023-04-26 11:44:01.081847541 +0800
+++ b/xmlschemas.c 2023-04-26 11:48:01.812564661 +0800
@@ -18608,7 +18608,7 @@
"allowed to appear inside other model groups",
NULL, NULL);
- } else if (! dummySequence) {
+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
xmlSchemaTreeItemPtr effectiveContent =
(xmlSchemaTreeItemPtr) type->subtypes;
/*

12
dependency/libxml2/CVE-2023-29469.patch Normal file
View File

@ -0,0 +1,12 @@
--- a/dict.c 2023-04-26 10:32:58.249262852 +0800
+++ b/dict.c 2023-04-26 10:35:00.362658956 +0800
@@ -451,7 +451,8 @@
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
unsigned long value = seed;
- if (name == NULL) return(0);
+ if ((name == NULL) || (namelen <= 0))
+ return(value);
value += *name;
value <<= 5;
if (namelen > 10) {

61
dependency/libxml2/CVE-2023-45322.patch Normal file
View File

@ -0,0 +1,61 @@
diff -Naur a/tree.c b/tree.c
--- a/tree.c 2023-10-13 11:54:20.649358250 +0800
+++ b/tree.c 2023-10-13 11:49:51.522272604 +0800
@@ -4370,29 +4370,28 @@
xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
xmlNodePtr ret = NULL;
xmlNodePtr p = NULL,q;
+ xmlDtdPtr newSubset = NULL;
while (node != NULL) {
-#ifdef LIBXML_TREE_ENABLED
if (node->type == XML_DTD_NODE ) {
- if (doc == NULL) {
+#ifdef LIBXML_TREE_ENABLED
+ if ((doc == NULL) || (doc->intSubset != NULL)) {
node = node->next;
continue;
}
- if (doc->intSubset == NULL) {
- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
- if (q == NULL) return(NULL);
- q->doc = doc;
- q->parent = parent;
- doc->intSubset = (xmlDtdPtr) q;
- xmlAddChild(parent, q);
- } else {
- q = (xmlNodePtr) doc->intSubset;
- xmlAddChild(parent, q);
- }
- } else
+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+ if (q == NULL) goto error;
+ q->doc = doc;
+ q->parent = parent;
+ newSubset = (xmlDtdPtr) q;
+#else
+ node = node->next;
+ continue;
#endif /* LIBXML_TREE_ENABLED */
+ } else {
q = xmlStaticCopyNode(node, doc, parent, 1);
- if (q == NULL) return(NULL);
+ if (q == NULL) goto error;
+ }
if (ret == NULL) {
q->prev = NULL;
ret = p = q;
@@ -4404,7 +4403,13 @@
}
node = node->next;
}
+ if (newSubset != NULL)
+ doc->intSubset = newSubset;
return(ret);
+error:
+ xmlFreeNodeList(ret);
+ return(NULL);
+
}
/**

11
dependency/libxml2/CVE-2024-25062.patch Normal file
View File

@ -0,0 +1,11 @@
diff -Naur a/xmlreader.c b/xmlreader.c
--- a/xmlreader.c 2024-02-06 17:29:16.285516854 +0800
+++ b/xmlreader.c 2024-02-06 17:28:15.592980289 +0800
@@ -1586,6 +1586,7 @@
* Handle XInclude if asked for
*/
if ((reader->xinclude) && (reader->in_xinclude == 0) &&
+ (reader->state != XML_TEXTREADER_BACKTRACK) &&
(reader->node != NULL) &&
(reader->node->type == XML_ELEMENT_NODE) &&
(reader->node->ns != NULL) &&

4
dependency/libxml2/build_component.sh
View File

@ -28,6 +28,10 @@ function build_component()
patch -p1 < ../libxml2.patch
patch -p1 < ../libxml2-CVE-2022-40303.patch
patch -p1 < ../libxml2-CVE-2022-40304.patch
patch -p1 < ../CVE-2024-25062.patch
patch -p1 < ../CVE-2023-28484.patch
patch -p1 < ../CVE-2023-29469.patch
patch -p1 < ../CVE-2023-45322.patch
tmp_cpus=$(grep -w processor /proc/cpuinfo|wc -l)
./autogen.sh
chmod +x configure

BIN
dependency/mysql_fdw/mysql_fdw-REL-2_5_5.tar.gz
View File

Binary file not shown.

909
dependency/nghttp2/CVE-2023-44487.patch Normal file
View File

@ -0,0 +1,909 @@
diff -Naur a/cmakeconfig.h.in b/cmakeconfig.h.in
--- a/cmakeconfig.h.in 2023-10-23 14:41:48.150948332 +0800
+++ b/cmakeconfig.h.in 2023-10-23 16:50:33.896373326 +0800
@@ -31,9 +31,15 @@
/* Define to 1 if you have the `accept4` function. */
#cmakedefine HAVE_ACCEPT4 1
+/* Define to 1 if you have the `clock_gettime` function. */
+#cmakedefine HAVE_CLOCK_GETTIME 1
+
/* Define to 1 if you have the `mkostemp` function. */
#cmakedefine HAVE_MKOSTEMP 1
+/* Define to 1 if you have the `GetTickCount64` function. */
+#cmakedefine HAVE_GETTICKCOUNT64 1
+
/* Define to 1 if you have the `initgroups` function. */
#cmakedefine01 HAVE_DECL_INITGROUPS
@@ -70,6 +76,9 @@
/* Define to 1 if you have the <sys/time.h> header file. */
#cmakedefine HAVE_SYS_TIME_H 1
+/* Define to 1 if you have the <sysinfoapi.h> header file. */
+#cmakedefine HAVE_SYSINFOAPI_H 1
+
/* Define to 1 if you have the <syslog.h> header file. */
#cmakedefine HAVE_SYSLOG_H 1
diff -Naur a/CMakeLists.txt b/CMakeLists.txt
--- a/CMakeLists.txt 2023-10-23 14:41:48.154948378 +0800
+++ b/CMakeLists.txt 2023-10-23 17:12:37.595875120 +0800
@@ -260,6 +260,7 @@
check_include_file("pwd.h" HAVE_PWD_H)
check_include_file("sys/socket.h" HAVE_SYS_SOCKET_H)
check_include_file("sys/time.h" HAVE_SYS_TIME_H)
+check_include_file("sysinfoapi.h" HAVE_SYSINFOAPI_H)
check_include_file("syslog.h" HAVE_SYSLOG_H)
check_include_file("time.h" HAVE_TIME_H)
check_include_file("unistd.h" HAVE_UNISTD_H)
@@ -300,9 +301,13 @@
include(CheckFunctionExists)
check_function_exists(_Exit HAVE__EXIT)
check_function_exists(accept4 HAVE_ACCEPT4)
+check_function_exists(clock_gettime HAVE_CLOCK_GETTIME)
check_function_exists(mkostemp HAVE_MKOSTEMP)
include(CheckSymbolExists)
+check_symbol_exists(GetTickCount64 sysinfoapi.h HAVE_GETTICKCOUNT64)
+
+include(CheckSymbolExists)
# XXX does this correctly detect initgroups (un)availability on cygwin?
check_symbol_exists(initgroups grp.h HAVE_DECL_INITGROUPS)
if(NOT HAVE_DECL_INITGROUPS AND HAVE_UNISTD_H)
diff -Naur a/configure.ac b/configure.ac
--- a/configure.ac 2023-10-23 14:41:48.154948378 +0800
+++ b/configure.ac 2023-10-23 16:50:33.900373373 +0800
@@ -607,6 +607,7 @@
string.h \
sys/socket.h \
sys/time.h \
+ sysinfoapi.h \
syslog.h \
time.h \
unistd.h \
@@ -681,6 +682,7 @@
AC_CHECK_FUNCS([ \
_Exit \
accept4 \
+ clock_gettime \
dup2 \
getcwd \
getpwnam \
@@ -706,6 +708,25 @@
AC_CHECK_FUNC([timerfd_create],
[have_timerfd_create=yes], [have_timerfd_create=no])
+AC_MSG_CHECKING([checking for GetTickCount64])
+AC_LINK_IFELSE([AC_LANG_PROGRAM(
+[[
+#include <sysinfoapi.h>
+]],
+[[
+GetTickCount64();
+]])],
+[have_gettickcount64=yes],
+[have_gettickcount64=no])
+
+if test "x${have_gettickcount64}" = "xyes"; then
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([HAVE_GETTICKCOUNT64], [1],
+ [Define to 1 if you have `GetTickCount64` function.])
+else
+ AC_MSG_RESULT([no])
+fi
+
# For cygwin: we can link initgroups, so AC_CHECK_FUNCS succeeds, but
# cygwin disables initgroups due to feature test macro magic with our
# configuration. FreeBSD declares initgroups() in unistd.h.
diff -Naur a/doc/Makefile.am b/doc/Makefile.am
--- a/doc/Makefile.am 2023-10-23 14:41:48.162948470 +0800
+++ b/doc/Makefile.am 2023-10-23 16:50:33.900373373 +0800
@@ -70,6 +70,7 @@
nghttp2_option_set_user_recv_extension_type.rst \
nghttp2_option_set_max_outbound_ack.rst \
nghttp2_option_set_max_settings.rst \
+ nghttp2_option_set_stream_reset_rate_limit.rst \
nghttp2_pack_settings_payload.rst \
nghttp2_priority_spec_check_default.rst \
nghttp2_priority_spec_default_init.rst \
diff -Naur a/lib/CMakeLists.txt b/lib/CMakeLists.txt
--- a/lib/CMakeLists.txt 2023-10-23 14:41:48.230949253 +0800
+++ b/lib/CMakeLists.txt 2023-10-23 16:50:33.908373466 +0800
@@ -23,6 +23,8 @@
nghttp2_mem.c
nghttp2_http.c
nghttp2_rcbuf.c
+ nghttp2_ratelim.c
+ nghttp2_time.c
nghttp2_debug.c
nghttp2_ksl.c
)
diff -Naur a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
--- a/lib/includes/nghttp2/nghttp2.h 2023-10-23 14:41:48.230949253 +0800
+++ b/lib/includes/nghttp2/nghttp2.h 2023-10-23 16:50:33.908373466 +0800
@@ -2722,6 +2722,23 @@
/**
* @function
*
+ * This function sets the rate limit for the incoming stream reset
+ * (RST_STREAM frame). It is server use only. It is a token-bucket
+ * based rate limiter. |burst| specifies the number of tokens that is
+ * initially available. The maximum number of tokens is capped to
+ * this value. |rate| specifies the number of tokens that are
+ * regenerated per second. An incoming RST_STREAM consumes one token.
+ * If there is no token available, GOAWAY is sent to tear down the
+ * connection. |burst| and |rate| default to 1000 and 33
+ * respectively.
+ */
+NGHTTP2_EXTERN void
+nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+ uint64_t burst, uint64_t rate);
+
+/**
+ * @function
+ *
* Initializes |*session_ptr| for client use. The all members of
* |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr|
* does not store |callbacks|. The |user_data| is an arbitrary user
diff -Naur a/lib/Makefile.am b/lib/Makefile.am
--- a/lib/Makefile.am 2023-10-23 14:41:48.230949253 +0800
+++ b/lib/Makefile.am 2023-10-23 16:50:33.908373466 +0800
@@ -49,6 +49,8 @@
nghttp2_mem.c \
nghttp2_http.c \
nghttp2_rcbuf.c \
+ nghttp2_ratelim.c \
+ nghttp2_time.c \
nghttp2_debug.c \
nghttp2_ksl.c
@@ -66,6 +68,8 @@
nghttp2_mem.h \
nghttp2_http.h \
nghttp2_rcbuf.h \
+ nghttp2_ratelim.h \
+ nghttp2_time.h \
nghttp2_debug.h \
nghttp2_ksl.h
diff -Naur a/lib/nghttp2_option.c b/lib/nghttp2_option.c
--- a/lib/nghttp2_option.c 2023-10-23 14:41:48.230949253 +0800
+++ b/lib/nghttp2_option.c 2023-10-23 16:50:33.908373466 +0800
@@ -126,3 +126,10 @@
option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
option->max_settings = val;
}
+
+void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+ uint64_t burst, uint64_t rate) {
+ option->opt_set_mask |= NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT;
+ option->stream_reset_burst = burst;
+ option->stream_reset_rate = rate;
+}
diff -Naur a/lib/nghttp2_option.h b/lib/nghttp2_option.h
--- a/lib/nghttp2_option.h 2023-10-23 14:41:48.230949253 +0800
+++ b/lib/nghttp2_option.h 2023-10-23 16:50:33.908373466 +0800
@@ -68,6 +68,7 @@
NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
+ NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
} nghttp2_option_flag;
/**
@@ -75,6 +76,11 @@
*/
struct nghttp2_option {
/**
+ * NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT
+ */
+ uint64_t stream_reset_burst;
+ uint64_t stream_reset_rate;
+ /**
* NGHTTP2_OPT_MAX_SEND_HEADER_BLOCK_LENGTH
*/
size_t max_send_header_block_length;
diff -Naur a/lib/nghttp2_ratelim.c b/lib/nghttp2_ratelim.c
--- a/lib/nghttp2_ratelim.c 1970-01-01 08:00:00.000000000 +0800
+++ b/lib/nghttp2_ratelim.c 2023-10-23 16:50:33.908373466 +0800
@@ -0,0 +1,75 @@
+/*
+ * nghttp2 - HTTP/2 C Library
+ *
+ * Copyright (c) 2023 nghttp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "nghttp2_ratelim.h"
+#include "nghttp2_helper.h"
+
+void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate) {
+ rl->val = rl->burst = burst;
+ rl->rate = rate;
+ rl->tstamp = 0;
+}
+
+void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp) {
+ uint64_t d, gain;
+
+ if (tstamp == rl->tstamp) {
+ return;
+ }
+
+ if (tstamp > rl->tstamp) {
+ d = tstamp - rl->tstamp;
+ } else {
+ d = 1;
+ }
+
+ rl->tstamp = tstamp;
+
+ if (UINT64_MAX / d < rl->rate) {
+ rl->val = rl->burst;
+
+ return;
+ }
+
+ gain = rl->rate * d;
+
+ if (UINT64_MAX - gain < rl->val) {
+ rl->val = rl->burst;
+
+ return;
+ }
+
+ rl->val += gain;
+ rl->val = nghttp2_min(rl->val, rl->burst);
+}
+
+int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n) {
+ if (rl->val < n) {
+ return -1;
+ }
+
+ rl->val -= n;
+
+ return 0;
+}
diff -Naur a/lib/nghttp2_ratelim.h b/lib/nghttp2_ratelim.h
--- a/lib/nghttp2_ratelim.h 1970-01-01 08:00:00.000000000 +0800
+++ b/lib/nghttp2_ratelim.h 2023-10-23 16:50:33.908373466 +0800
@@ -0,0 +1,57 @@
+/*
+ * nghttp2 - HTTP/2 C Library
+ *
+ * Copyright (c) 2023 nghttp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef NGHTTP2_RATELIM_H
+#define NGHTTP2_RATELIM_H
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif /* HAVE_CONFIG_H */
+
+#include <nghttp2/nghttp2.h>
+
+typedef struct nghttp2_ratelim {
+ /* burst is the maximum value of val. */
+ uint64_t burst;
+ /* rate is the amount of value that is regenerated per 1 tstamp. */
+ uint64_t rate;
+ /* val is the amount of value available to drain. */
+ uint64_t val;
+ /* tstamp is the last timestamp in second resolution that is known
+ to this object. */
+ uint64_t tstamp;
+} nghttp2_ratelim;
+
+/* nghttp2_ratelim_init initializes |rl| with the given parameters. */
+void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate);
+
+/* nghttp2_ratelim_update updates rl->val with the current |tstamp|
+ given in second resolution. */
+void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp);
+
+/* nghttp2_ratelim_drain drains |n| from rl->val. It returns 0 if it
+ succeeds, or -1. */
+int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n);
+
+#endif /* NGHTTP2_RATELIM_H */
diff -Naur a/lib/nghttp2_session.c b/lib/nghttp2_session.c
--- a/lib/nghttp2_session.c 2023-10-23 14:41:48.230949253 +0800
+++ b/lib/nghttp2_session.c 2023-10-23 16:50:33.908373466 +0800
@@ -36,6 +36,7 @@
#include "nghttp2_option.h"
#include "nghttp2_http.h"
#include "nghttp2_pq.h"
+#include "nghttp2_time.h"
#include "nghttp2_debug.h"
/*
@@ -443,6 +444,10 @@
NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS;
(*session_ptr)->pending_enable_push = 1;
+ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim,
+ NGHTTP2_DEFAULT_STREAM_RESET_BURST,
+ NGHTTP2_DEFAULT_STREAM_RESET_RATE);
+
if (server) {
(*session_ptr)->server = 1;
}
@@ -527,6 +532,12 @@
option->max_settings) {
(*session_ptr)->max_settings = option->max_settings;
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT) {
+ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim,
+ option->stream_reset_burst,
+ option->stream_reset_rate);
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -4154,6 +4165,23 @@
return nghttp2_session_on_priority_received(session, frame);
}
+static int session_update_stream_reset_ratelim(nghttp2_session *session) {
+ if (!session->server || (session->goaway_flags & NGHTTP2_GOAWAY_SUBMITTED)) {
+ return 0;
+ }
+
+ nghttp2_ratelim_update(&session->stream_reset_ratelim,
+ nghttp2_time_now_sec());
+
+ if (nghttp2_ratelim_drain(&session->stream_reset_ratelim, 1) == 0) {
+ return 0;
+ }
+
+ return nghttp2_session_add_goaway(session, session->last_recv_stream_id,
+ NGHTTP2_INTERNAL_ERROR, NULL, 0,
+ NGHTTP2_GOAWAY_AUX_NONE);
+}
+
int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
nghttp2_frame *frame) {
int rv;
@@ -4183,7 +4211,8 @@
if (nghttp2_is_fatal(rv)) {
return rv;
}
- return 0;
+
+ return session_update_stream_reset_ratelim(session);
}
static int session_process_rst_stream_frame(nghttp2_session *session) {
@@ -6964,6 +6993,9 @@
nghttp2_mem_free(mem, item);
return rv;
}
+
+ session->goaway_flags |= NGHTTP2_GOAWAY_SUBMITTED;
+
return 0;
}
diff -Naur a/lib/nghttp2_session.h b/lib/nghttp2_session.h
--- a/lib/nghttp2_session.h 2023-10-23 14:41:48.230949253 +0800
+++ b/lib/nghttp2_session.h 2023-10-23 16:50:33.908373466 +0800
@@ -39,6 +39,7 @@
#include "nghttp2_buf.h"
#include "nghttp2_callbacks.h"
#include "nghttp2_mem.h"
+#include "nghttp2_ratelim.h"
/* The global variable for tests where we want to disable strict
preface handling. */
@@ -102,6 +103,10 @@
/* The default value of maximum number of concurrent streams. */
#define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu
+/* The default values for stream reset rate limiter. */
+#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -176,7 +181,9 @@
/* Flag means GOAWAY was sent */
NGHTTP2_GOAWAY_SENT = 0x4,
/* Flag means GOAWAY was received */
- NGHTTP2_GOAWAY_RECV = 0x8
+ NGHTTP2_GOAWAY_RECV = 0x8,
+ /* Flag means GOAWAY has been submitted at least once */
+ NGHTTP2_GOAWAY_SUBMITTED = 0x10
} nghttp2_goaway_flag;
/* nghttp2_inflight_settings stores the SETTINGS entries which local
@@ -227,6 +234,9 @@
/* Queue of In-flight SETTINGS values. SETTINGS bearing ACK is not
considered as in-flight. */
nghttp2_inflight_settings *inflight_settings_head;
+ /* Stream reset rate limiter. If receiving excessive amount of
+ stream resets, GOAWAY will be sent. */
+ nghttp2_ratelim stream_reset_ratelim;
/* The number of outgoing streams. This will be capped by
remote_settings.max_concurrent_streams. */
size_t num_outgoing_streams;
diff -Naur a/lib/nghttp2_time.c b/lib/nghttp2_time.c
--- a/lib/nghttp2_time.c 1970-01-01 08:00:00.000000000 +0800
+++ b/lib/nghttp2_time.c 2023-10-23 16:50:33.908373466 +0800
@@ -0,0 +1,62 @@
+/*
+ * nghttp2 - HTTP/2 C Library
+ *
+ * Copyright (c) 2023 nghttp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "nghttp2_time.h"
+
+#ifdef HAVE_TIME_H
+# include <time.h>
+#endif /* HAVE_TIME_H */
+
+#ifdef HAVE_SYSINFOAPI_H
+# include <sysinfoapi.h>
+#endif /* HAVE_SYSINFOAPI_H */
+
+#ifndef HAVE_GETTICKCOUNT64
+static uint64_t time_now_sec(void) {
+ time_t t = time(NULL);
+
+ if (t == -1) {
+ return 0;
+ }
+
+ return (uint64_t)t;
+}
+#endif /* HAVE_GETTICKCOUNT64 */
+
+#ifdef HAVE_CLOCK_GETTIME
+uint64_t nghttp2_time_now_sec(void) {
+ struct timespec tp;
+ int rv = clock_gettime(CLOCK_MONOTONIC, &tp);
+
+ if (rv == -1) {
+ return time_now_sec();
+ }
+
+ return (uint64_t)tp.tv_sec;
+}
+#elif defined(HAVE_GETTICKCOUNT64)
+uint64_t nghttp2_time_now_sec(void) { return GetTickCount64() / 1000; }
+#else /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */
+uint64_t nghttp2_time_now_sec(void) { return time_now_sec(); }
+#endif /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */
diff -Naur a/lib/nghttp2_time.h b/lib/nghttp2_time.h
--- a/lib/nghttp2_time.h 1970-01-01 08:00:00.000000000 +0800
+++ b/lib/nghttp2_time.h 2023-10-23 16:50:33.908373466 +0800
@@ -0,0 +1,38 @@
+/*
+ * nghttp2 - HTTP/2 C Library
+ *
+ * Copyright (c) 2023 nghttp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef NGHTTP2_TIME_H
+#define NGHTTP2_TIME_H
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif /* HAVE_CONFIG_H */
+
+#include <nghttp2/nghttp2.h>
+
+/* nghttp2_time_now_sec returns seconds from implementation-specific
+ timepoint. If it is unable to get seconds, it returns 0. */
+uint64_t nghttp2_time_now_sec(void);
+
+#endif /* NGHTTP2_TIME_H */
diff -Naur a/tests/CMakeLists.txt b/tests/CMakeLists.txt
--- a/tests/CMakeLists.txt 2023-10-23 14:41:48.238949345 +0800
+++ b/tests/CMakeLists.txt 2023-10-23 16:50:33.916373560 +0800
@@ -21,6 +21,7 @@
nghttp2_npn_test.c
nghttp2_helper_test.c
nghttp2_buf_test.c
+ nghttp2_ratelim_test.c
)
add_executable(main EXCLUDE_FROM_ALL
diff -Naur a/tests/main.c b/tests/main.c
--- a/tests/main.c 2023-10-23 14:41:48.238949345 +0800
+++ b/tests/main.c 2023-10-23 16:50:33.916373560 +0800
@@ -40,6 +40,7 @@
#include "nghttp2_npn_test.h"
#include "nghttp2_helper_test.h"
#include "nghttp2_buf_test.h"
+#include "nghttp2_ratelim_test.h"
extern int nghttp2_enable_strict_preface;
@@ -329,6 +330,8 @@
test_nghttp2_session_no_closed_streams) ||
!CU_add_test(pSuite, "session_set_stream_user_data",
test_nghttp2_session_set_stream_user_data) ||
+ !CU_add_test(pSuite, "session_stream_reset_ratelim",
+ test_nghttp2_session_stream_reset_ratelim) ||
!CU_add_test(pSuite, "http_mandatory_headers",
test_nghttp2_http_mandatory_headers) ||
!CU_add_test(pSuite, "http_content_length",
@@ -425,7 +428,9 @@
!CU_add_test(pSuite, "bufs_advance", test_nghttp2_bufs_advance) ||
!CU_add_test(pSuite, "bufs_next_present",
test_nghttp2_bufs_next_present) ||
- !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc)) {
+ !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc))
+ !CU_add_test(pSuite, "ratelim_update", test_nghttp2_ratelim_update) ||
+ !CU_add_test(pSuite, "ratelim_drain", test_nghttp2_ratelim_drain)) {
CU_cleanup_registry();
return (int)CU_get_error();
}
diff -Naur a/tests/Makefile.am b/tests/Makefile.am
--- a/tests/Makefile.am 2023-10-23 14:41:48.238949345 +0800
+++ b/tests/Makefile.am 2023-10-23 16:50:33.916373560 +0800
@@ -40,14 +40,16 @@
nghttp2_hd_test.c \
nghttp2_npn_test.c \
nghttp2_helper_test.c \
- nghttp2_buf_test.c
+ nghttp2_buf_test.c \
+ nghttp2_ratelim_test.c
HFILES = nghttp2_pq_test.h nghttp2_map_test.h nghttp2_queue_test.h \
nghttp2_session_test.h \
nghttp2_frame_test.h nghttp2_stream_test.h nghttp2_hd_test.h \
nghttp2_npn_test.h nghttp2_helper_test.h \
nghttp2_test_helper.h \
- nghttp2_buf_test.h
+ nghttp2_buf_test.h \
+ nghttp2_ratelim_test.c
main_SOURCES = $(HFILES) $(OBJECTS)
diff -Naur a/tests/nghttp2_ratelim_test.c b/tests/nghttp2_ratelim_test.c
--- a/tests/nghttp2_ratelim_test.c 1970-01-01 08:00:00.000000000 +0800
+++ b/tests/nghttp2_ratelim_test.c 2023-10-23 16:50:33.916373560 +0800
@@ -0,0 +1,101 @@
+/*
+ * nghttp2 - HTTP/2 C Library
+ *
+ * Copyright (c) 2023 nghttp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "nghttp2_ratelim_test.h"
+
+#include <stdio.h>
+
+#include <CUnit/CUnit.h>
+
+#include "nghttp2_ratelim.h"
+
+void test_nghttp2_ratelim_update(void) {
+ nghttp2_ratelim rl;
+
+ nghttp2_ratelim_init(&rl, 1000, 21);
+
+ CU_ASSERT(1000 == rl.val);
+ CU_ASSERT(1000 == rl.burst);
+ CU_ASSERT(21 == rl.rate);
+ CU_ASSERT(0 == rl.tstamp);
+
+ nghttp2_ratelim_update(&rl, 999);
+
+ CU_ASSERT(1000 == rl.val);
+ CU_ASSERT(999 == rl.tstamp);
+
+ nghttp2_ratelim_drain(&rl, 100);
+
+ CU_ASSERT(900 == rl.val);
+
+ nghttp2_ratelim_update(&rl, 1000);
+
+ CU_ASSERT(921 == rl.val);
+
+ nghttp2_ratelim_update(&rl, 1002);
+
+ CU_ASSERT(963 == rl.val);
+
+ nghttp2_ratelim_update(&rl, 1004);
+
+ CU_ASSERT(1000 == rl.val);
+ CU_ASSERT(1004 == rl.tstamp);
+
+ /* timer skew */
+ nghttp2_ratelim_init(&rl, 1000, 21);
+ nghttp2_ratelim_update(&rl, 1);
+
+ CU_ASSERT(1000 == rl.val);
+
+ nghttp2_ratelim_update(&rl, 0);
+
+ CU_ASSERT(1000 == rl.val);
+
+ /* rate * duration overflow */
+ nghttp2_ratelim_init(&rl, 1000, 100);
+ nghttp2_ratelim_drain(&rl, 999);
+
+ CU_ASSERT(1 == rl.val);
+
+ nghttp2_ratelim_update(&rl, UINT64_MAX);
+
+ CU_ASSERT(1000 == rl.val);
+
+ /* val + rate * duration overflow */
+ nghttp2_ratelim_init(&rl, UINT64_MAX - 1, 2);
+ nghttp2_ratelim_update(&rl, 1);
+
+ CU_ASSERT(UINT64_MAX - 1 == rl.val);
+}
+
+void test_nghttp2_ratelim_drain(void) {
+ nghttp2_ratelim rl;
+
+ nghttp2_ratelim_init(&rl, 100, 7);
+
+ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 101));
+ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 51));
+ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 49));
+ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 1));
+}
diff -Naur a/tests/nghttp2_ratelim_test.h b/tests/nghttp2_ratelim_test.h
--- a/tests/nghttp2_ratelim_test.h 1970-01-01 08:00:00.000000000 +0800
+++ b/tests/nghttp2_ratelim_test.h 2023-10-23 16:50:33.916373560 +0800
@@ -0,0 +1,35 @@
+/*
+ * nghttp2 - HTTP/2 C Library
+ *
+ * Copyright (c) 2023 nghttp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef NGHTTP2_RATELIM_TEST_H
+#define NGHTTP2_RATELIM_TEST_H
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif /* HAVE_CONFIG_H */
+
+void test_nghttp2_ratelim_update(void);
+void test_nghttp2_ratelim_drain(void);
+
+#endif /* NGHTTP2_RATELIM_TEST_H */
diff -Naur a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
--- a/tests/nghttp2_session_test.c 2023-10-23 14:41:48.238949345 +0800
+++ b/tests/nghttp2_session_test.c 2023-10-23 16:50:33.916373560 +0800
@@ -11055,6 +11055,109 @@
nghttp2_session_del(session);
}
+void test_nghttp2_session_stream_reset_ratelim(void) {
+ nghttp2_session *session;
+ nghttp2_session_callbacks callbacks;
+ nghttp2_frame frame;
+ ssize_t rv;
+ nghttp2_bufs bufs;
+ nghttp2_buf *buf;
+ nghttp2_mem *mem;
+ size_t i;
+ nghttp2_hd_deflater deflater;
+ size_t nvlen;
+ nghttp2_nv *nva;
+ int32_t stream_id;
+ nghttp2_outbound_item *item;
+ nghttp2_option *option;
+
+ mem = nghttp2_mem_default();
+ frame_pack_bufs_init(&bufs);
+
+ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
+ callbacks.send_callback = null_send_callback;
+
+ nghttp2_option_new(&option);
+ nghttp2_option_set_stream_reset_rate_limit(
+ option, NGHTTP2_DEFAULT_STREAM_RESET_BURST, 0);
+
+ nghttp2_session_server_new2(&session, &callbacks, NULL, option);
+
+ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, NULL, 0);
+ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
+
+ CU_ASSERT(0 == rv);
+
+ nghttp2_frame_settings_free(&frame.settings, mem);
+
+ buf = &bufs.head->buf;
+ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
+
+ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
+
+ /* Send SETTINGS ACK */
+ rv = nghttp2_session_send(session);
+
+ CU_ASSERT(0 == rv);
+
+ nghttp2_hd_deflate_init(&deflater, mem);
+
+ for (i = 0; i < NGHTTP2_DEFAULT_STREAM_RESET_BURST + 2; ++i) {
+ stream_id = (int32_t)(i * 2 + 1);
+
+ nghttp2_bufs_reset(&bufs);
+
+ /* HEADERS */
+ nvlen = ARRLEN(reqnv);
+ nghttp2_nv_array_copy(&nva, reqnv, nvlen, mem);
+ nghttp2_frame_headers_init(&frame.headers, NGHTTP2_FLAG_END_HEADERS,
+ stream_id, NGHTTP2_HCAT_HEADERS, NULL, nva,
+ nvlen);
+ rv = nghttp2_frame_pack_headers(&bufs, &frame.headers, &deflater);
+
+ CU_ASSERT(0 == rv);
+
+ nghttp2_frame_headers_free(&frame.headers, mem);
+
+ buf = &bufs.head->buf;
+ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
+
+ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
+
+ nghttp2_bufs_reset(&bufs);
+
+ /* RST_STREAM */
+ nghttp2_frame_rst_stream_init(&frame.rst_stream, stream_id,
+ NGHTTP2_NO_ERROR);
+ nghttp2_frame_pack_rst_stream(&bufs, &frame.rst_stream);
+ nghttp2_frame_rst_stream_free(&frame.rst_stream);
+
+ buf = &bufs.head->buf;
+ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
+
+ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
+
+ if (i < NGHTTP2_DEFAULT_STREAM_RESET_BURST) {
+ CU_ASSERT(0 == nghttp2_outbound_queue_size(&session->ob_reg));
+
+ continue;
+ }
+
+ CU_ASSERT(1 == nghttp2_outbound_queue_size(&session->ob_reg));
+
+ item = nghttp2_session_get_next_ob_item(session);
+
+ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
+ CU_ASSERT(NGHTTP2_DEFAULT_STREAM_RESET_BURST * 2 + 1 ==
+ item->frame.goaway.last_stream_id);
+ }
+
+ nghttp2_hd_deflate_free(&deflater);
+ nghttp2_session_del(session);
+ nghttp2_bufs_free(&bufs);
+ nghttp2_option_del(option);
+}
+
static void check_nghttp2_http_recv_headers_fail(
nghttp2_session *session, nghttp2_hd_deflater *deflater, int32_t stream_id,
int stream_state, const nghttp2_nv *nva, size_t nvlen) {
diff -Naur a/tests/nghttp2_session_test.h b/tests/nghttp2_session_test.h
--- a/tests/nghttp2_session_test.h 2023-10-23 14:41:48.238949345 +0800
+++ b/tests/nghttp2_session_test.h 2023-10-23 16:50:33.916373560 +0800
@@ -162,6 +162,7 @@
void test_nghttp2_session_pause_data(void);
void test_nghttp2_session_no_closed_streams(void);
void test_nghttp2_session_set_stream_user_data(void);
+void test_nghttp2_session_stream_reset_ratelim(void);
void test_nghttp2_http_mandatory_headers(void);
void test_nghttp2_http_content_length(void);
void test_nghttp2_http_content_length_mismatch(void);

5
dependency/nghttp2/build.sh
View File

@ -24,11 +24,12 @@ rm -rf install_*
mkdir -p ${build_dir}
cd $nghttp2_dir
patch -p1 < ../cve-2023-35945.patch
patch -p1 < ../CVE-2023-44487.patch
cmake -DCMAKE_INSTALL_PREFIX=$build_dir -D CMAKE_PROJECT_INCLUDE=${current_dir}/project_include.cmake
make install -sj
cd ..
mv install_comm/lib64 install_comm/lib
#mv install_comm/lib64 install_comm/lib
cp -r install_comm install_llt

35
dependency/nghttp2/cve-2023-35945.patch Normal file
View File

@ -0,0 +1,35 @@
diff -Naur a/lib/nghttp2_session.c b/lib/nghttp2_session.c
--- a/lib/nghttp2_session.c 2023-07-25 14:24:37.157709999 +0800
+++ b/lib/nghttp2_session.c 2023-07-25 14:22:35.604257644 +0800
@@ -2938,6 +2938,7 @@
break;
}
if (rv < 0) {
+ int rv2 = 0;
int32_t opened_stream_id = 0;
uint32_t error_code = NGHTTP2_INTERNAL_ERROR;
@@ -2982,19 +2983,19 @@
}
if (opened_stream_id) {
/* careful not to override rv */
- int rv2;
rv2 = nghttp2_session_close_stream(session, opened_stream_id,
error_code);
- if (nghttp2_is_fatal(rv2)) {
- return rv2;
- }
}
nghttp2_outbound_item_free(item, mem);
nghttp2_mem_free(mem, item);
active_outbound_item_reset(aob, mem);
+ if (nghttp2_is_fatal(rv2)) {
+ return rv2;
+ }
+
if (rv == NGHTTP2_ERR_HEADER_COMP) {
/* If header compression error occurred, should terminiate
connection. */

6
dependency/numactl/build.py
View File

@ -115,6 +115,12 @@ class OPOperator():
patch_cmd = 'cd %s/%s; patch -p1 < ../%s' % (self.local_dir, source_code_path, pre_patch)
ret = self.exe_cmd(patch_cmd)
self.error_handler(ret)
status, output = subprocess.getstatusoutput('uname -m')
self.error_handler(status)
cpu_arch = output
if cpu_arch in ('loongarch64') :
ret = self.exe_cmd('cd %s/%s; cp -rf %s/../../build-aux/* ./build-aux/' % (self.local_dir, source_code_path, self.local_dir))
self.error_handler(ret)
# compile source code type
for c_type in self.compiletype:
if c_type == 'comm':

128
dependency/openssl/CVE-2023-0464.patch → dependency/openssl/CVE-2023-0464and2650.patch
View File

@ -1,31 +1,7 @@
From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 8 Mar 2023 15:28:20 +1100
Subject: [PATCH] x509: excessive resource use verifying policy constraints
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Fixes CVE-2023-0464
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20569)
---
crypto/x509v3/pcy_local.h | 8 +++++++-
crypto/x509v3/pcy_node.c | 12 +++++++++---
crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++----------
3 files changed, 43 insertions(+), 14 deletions(-)
diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
index 5daf78de45..344aa06765 100644
--- a/crypto/x509v3/pcy_local.h
+++ b/crypto/x509v3/pcy_local.h
@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
diff -Naur a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
--- a/crypto/x509v3/pcy_local.h 2023-06-08 17:55:38.806638491 +0800
+++ b/crypto/x509v3/pcy_local.h 2023-06-08 17:51:40.695932010 +0800
@@ -111,6 +111,11 @@
};
struct X509_POLICY_TREE_st {
@ -37,7 +13,7 @@ index 5daf78de45..344aa06765 100644
/* This is the tree 'level' data */
X509_POLICY_LEVEL *levels;
int nlevel;
@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
@@ -159,7 +164,8 @@
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
@ -47,11 +23,10 @@ index 5daf78de45..344aa06765 100644
void policy_node_free(X509_POLICY_NODE *node);
int policy_node_match(const X509_POLICY_LEVEL *lvl,
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
index e2d7b15322..d574fb9d66 100644
--- a/crypto/x509v3/pcy_node.c
+++ b/crypto/x509v3/pcy_node.c
@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
diff -Naur a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
--- a/crypto/x509v3/pcy_node.c 2023-06-08 16:33:09.518582549 +0800
+++ b/crypto/x509v3/pcy_node.c 2023-06-08 17:41:44.829164303 +0800
@@ -59,10 +59,15 @@
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
@ -68,7 +43,7 @@ index e2d7b15322..d574fb9d66 100644
node = OPENSSL_zalloc(sizeof(*node));
if (node == NULL) {
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
@@ -70,7 +75,7 @@
}
node->data = data;
node->parent = parent;
@ -77,7 +52,7 @@ index e2d7b15322..d574fb9d66 100644
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
if (level->anyPolicy)
goto node_error;
@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
@@ -90,24 +95,33 @@
}
}
@ -86,7 +61,14 @@ index e2d7b15322..d574fb9d66 100644
if (tree->extra_data == NULL)
tree->extra_data = sk_X509_POLICY_DATA_new_null();
if (tree->extra_data == NULL){
@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
- goto node_error;
+ goto extra_data_error;
}
if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
- goto node_error;
+ goto extra_data_error;
}
}
@ -94,15 +76,26 @@ index e2d7b15322..d574fb9d66 100644
if (parent)
parent->nchild++;
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 6e8322cbc5..6c7fd35405 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -13,6 +13,18 @@
return node;
+ extra_data_error:
+ if (level != NULL) {
+ if (level->anyPolicy == node)
+ level->anyPolicy = NULL;
+ else
+ (void) sk_X509_POLICY_NODE_pop(level->nodes);
+ }
+
node_error:
policy_node_free(node);
return NULL;
diff -Naur a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
--- a/crypto/x509v3/pcy_tree.c 2023-06-08 16:33:09.518582549 +0800
+++ b/crypto/x509v3/pcy_tree.c 2023-06-08 17:47:21.872994766 +0800
@@ -14,6 +14,20 @@
#include "pcy_local.h"
+/*
/*
+ * If the maximum number of nodes in the policy tree isn't defined, set it to
+ * a generous default of 1000 nodes.
+ *
@ -114,10 +107,13 @@ index 6e8322cbc5..6c7fd35405 100644
+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
+#endif
+
/*
+static void exnode_free(X509_POLICY_NODE *node);
+
+/*
* Enable this to print out the complete policy tree at various point during
* evaluation.
@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
*/
@@ -168,6 +182,9 @@
return X509_PCY_TREE_INTERNAL;
}
@ -127,7 +123,7 @@ index 6e8322cbc5..6c7fd35405 100644
/*
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
*
@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
@@ -184,7 +201,7 @@
level = tree->levels;
if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
goto bad_tree;
@ -136,7 +132,7 @@ index 6e8322cbc5..6c7fd35405 100644
policy_data_free(data);
goto bad_tree;
}
@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
@@ -243,7 +260,8 @@
* Return value: 1 on success, 0 otherwise
*/
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
@ -146,7 +142,7 @@ index 6e8322cbc5..6c7fd35405 100644
{
X509_POLICY_LEVEL *last = curr - 1;
int i, matched = 0;
@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
@@ -253,13 +271,13 @@
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
if (policy_node_match(last, node, data->valid_policy)) {
@ -162,7 +158,7 @@ index 6e8322cbc5..6c7fd35405 100644
return 0;
}
return 1;
@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
@@ -272,7 +290,8 @@
* Return value: 1 on success, 0 otherwise.
*/
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
@ -172,7 +168,7 @@ index 6e8322cbc5..6c7fd35405 100644
{
int i;
@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
@@ -280,7 +299,7 @@
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
/* Look for matching nodes in previous level */
@ -181,7 +177,7 @@ index 6e8322cbc5..6c7fd35405 100644
return 0;
}
return 1;
@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
@@ -311,7 +330,7 @@
/* Curr may not have anyPolicy */
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
@ -190,7 +186,7 @@ index 6e8322cbc5..6c7fd35405 100644
policy_data_free(data);
return 0;
}
@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
@@ -373,7 +392,7 @@
}
/* Finally add link to anyPolicy */
if (last->anyPolicy &&
@ -199,16 +195,36 @@ index 6e8322cbc5..6c7fd35405 100644
return 0;
return 1;
}
@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
@@ -555,15 +574,24 @@
extra->qualifier_set = anyPolicy->data->qualifier_set;
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
| POLICY_DATA_FLAG_EXTRA_NODE;
- node = level_add_node(NULL, extra, anyPolicy->parent, tree);
+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
+ node = level_add_node(NULL, extra, anyPolicy->parent,
+ tree, 1);
+ if (node == NULL) {
+ policy_data_free(extra);
+ return 0;
+ }
}
if (!tree->user_policies) {
tree->user_policies = sk_X509_POLICY_NODE_new_null();
@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
- if (!tree->user_policies)
- return 1;
+ if (!tree->user_policies) {
+ exnode_free(node);
+ return 0;
+ }
}
- if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
+ if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)){
+ exnode_free(node);
return 0;
+ }
}
return 1;
}
@@ -582,7 +610,7 @@
for (i = 1; i < tree->nlevel; i++, curr++) {
cache = policy_cache_set(curr->cert);
@ -217,5 +233,3 @@ index 6e8322cbc5..6c7fd35405 100644
return X509_PCY_TREE_INTERNAL;
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
--
2.34.1

77
dependency/openssl/CVE-2023-3446.patch Normal file
View File

@ -0,0 +1,77 @@
diff -Naur a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
--- a/crypto/dh/dh_check.c 2023-07-25 19:25:47.628975754 +0800
+++ b/crypto/dh/dh_check.c 2023-07-25 19:22:41.934923083 +0800
@@ -101,6 +101,12 @@
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;
diff -Naur a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
--- a/crypto/dh/dh_err.c 2023-07-25 19:25:47.628975754 +0800
+++ b/crypto/dh/dh_err.c 2023-07-25 19:22:41.934923083 +0800
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -18,6 +18,7 @@
{ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
"dh_builtin_genparams"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
diff -Naur a/crypto/err/openssl.txt b/crypto/err/openssl.txt
--- a/crypto/err/openssl.txt 2023-07-25 19:25:47.632975799 +0800
+++ b/crypto/err/openssl.txt 2023-07-25 19:22:41.938923126 +0800
@@ -402,6 +402,7 @@
DH_F_COMPUTE_KEY:102:compute_key
DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
+DH_F_DH_CHECK:126:DH_check
DH_F_DH_CHECK_EX:121:DH_check_ex
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
diff -Naur a/include/openssl/dherr.h b/include/openssl/dherr.h
--- a/include/openssl/dherr.h 2023-07-25 19:25:47.668976201 +0800
+++ b/include/openssl/dherr.h 2023-07-25 19:22:41.978923558 +0800
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -31,6 +31,7 @@
# define DH_F_DHPARAMS_PRINT_FP 101
# define DH_F_DH_BUILTIN_GENPARAMS 106
# define DH_F_DH_CHECK_EX 121
+# define DH_F_DH_CHECK 126
# define DH_F_DH_CHECK_PARAMS_EX 122
# define DH_F_DH_CHECK_PUB_KEY_EX 123
# define DH_F_DH_CMS_DECRYPT 114
diff -Naur a/include/openssl/dh.h b/include/openssl/dh.h
--- a/include/openssl/dh.h 2023-07-25 19:25:47.668976201 +0800
+++ b/include/openssl/dh.h 2023-07-25 19:22:41.978923558 +0800
@@ -29,6 +29,9 @@
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
# endif
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024

28
dependency/openssl/CVE-2023-3817.patch Normal file
View File

@ -0,0 +1,28 @@
diff -Naur a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
--- a/crypto/dh/dh_check.c 2023-09-01 14:52:09.746018434 +0800
+++ b/crypto/dh/dh_check.c 2023-09-01 15:06:12.055519115 +0800
@@ -97,7 +97,7 @@
int DH_check(const DH *dh, int *ret)
{
- int ok = 0, r;
+ int ok = 0, r, q_good = 0;
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
@@ -113,7 +113,14 @@
if (t2 == NULL)
goto err;
- if (dh->q) {
+ if (dh->q != NULL) {
+ if (BN_ucmp(dh->p, dh->q) > 0)
+ q_good = 1;
+ else
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
+ }
+
+ if (q_good) {
if (BN_cmp(dh->g, BN_value_one()) <= 0)
*ret |= DH_NOT_SUITABLE_GENERATOR;
else if (BN_cmp(dh->g, dh->p) >= 0)

107
dependency/openssl/CVE-2023-5678.patch Normal file
View File

@ -0,0 +1,107 @@
diff -Naur a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
--- a/crypto/dh/dh_check.c 2023-11-17 12:04:29.472015740 +0800
+++ b/crypto/dh/dh_check.c 2023-11-17 12:01:49.390161384 +0800
@@ -184,6 +184,19 @@
BN_CTX *ctx = NULL;
*ret = 0;
+
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ DHerr(DH_F_DH_CHECK_EX, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+ return 0;
+ }
+
+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+ return 1;
+ }
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
diff -Naur a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
--- a/crypto/dh/dh_err.c 2023-11-17 12:04:29.472015740 +0800
+++ b/crypto/dh/dh_err.c 2023-11-17 12:01:49.390161384 +0800
@@ -81,6 +81,7 @@
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
"unable to check generator"},
diff -Naur a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
--- a/crypto/dh/dh_key.c 2023-11-17 12:04:29.472015740 +0800
+++ b/crypto/dh/dh_key.c 2023-11-17 12:01:49.390161384 +0800
@@ -109,6 +109,12 @@
BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+ if (dh->q != NULL
+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
return 0;
@@ -202,6 +208,12 @@
int ret = -1;
int check_result;
+ if (dh->q != NULL
+ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
goto err;
diff -Naur a/crypto/err/openssl.txt b/crypto/err/openssl.txt
--- a/crypto/err/openssl.txt 2023-11-17 12:04:29.480015831 +0800
+++ b/crypto/err/openssl.txt 2023-11-17 12:01:49.394161431 +0800
@@ -2103,6 +2103,7 @@
DH_R_NO_PRIVATE_VALUE:100:no private value
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
DSA_R_BAD_Q_VALUE:102:bad q value
diff -Naur a/include/openssl/dherr.h b/include/openssl/dherr.h
--- a/include/openssl/dherr.h 2023-11-17 12:04:29.532016422 +0800
+++ b/include/openssl/dherr.h 2023-11-17 12:01:49.430161851 +0800
@@ -81,6 +81,7 @@
# define DH_R_NO_PRIVATE_VALUE 100
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
+# define DH_R_Q_TOO_LARGE 130
# define DH_R_SHARED_INFO_ERROR 113
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
diff -Naur a/include/openssl/dh.h b/include/openssl/dh.h
--- a/include/openssl/dh.h 2023-11-17 12:04:29.532016422 +0800
+++ b/include/openssl/dh.h 2023-11-17 12:01:49.430161851 +0800
@@ -68,7 +68,7 @@
/* #define DH_GENERATOR_3 3 */
# define DH_GENERATOR_5 5
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
# define DH_CHECK_P_NOT_PRIME 0x01
# define DH_CHECK_P_NOT_SAFE_PRIME 0x02
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
@@ -80,7 +80,9 @@
/* DH_check_pub_key error codes */
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
# define DH_CHECK_PUBKEY_TOO_LARGE 0x02
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
# define DH_CHECK_PUBKEY_INVALID 0x04
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
/*
* primes p where (p-1)/2 is prime too are called "safe"; we define this for

92
dependency/openssl/CVE-2024-0727.patch Normal file
View File

@ -0,0 +1,92 @@
diff -Naur a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
--- a/crypto/pkcs12/p12_add.c 2024-02-04 10:55:19.252070922 +0800
+++ b/crypto/pkcs12/p12_add.c 2024-02-04 10:53:27.906106687 +0800
@@ -76,6 +76,12 @@
PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p7->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
}
@@ -132,6 +138,12 @@
{
if (!PKCS7_type_is_encrypted(p7))
return NULL;
+
+ if (p7->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
pass, passlen,
@@ -159,6 +171,11 @@
PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+ if (p12->authsafes->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p12->authsafes->d.data,
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
}
diff -Naur a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
--- a/crypto/pkcs12/p12_mutl.c 2024-02-04 10:55:19.252070922 +0800
+++ b/crypto/pkcs12/p12_mutl.c 2024-02-04 10:53:27.906106687 +0800
@@ -93,6 +93,11 @@
return 0;
}
+ if (p12->authsafes->d.data == NULL) {
+ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
+ return 0;
+ }
+
salt = p12->mac->salt->data;
saltlen = p12->mac->salt->length;
if (!p12->mac->iter)
diff -Naur a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
--- a/crypto/pkcs12/p12_npas.c 2024-02-04 10:55:19.252070922 +0800
+++ b/crypto/pkcs12/p12_npas.c 2024-02-04 10:53:27.906106687 +0800
@@ -78,8 +78,9 @@
bags = PKCS12_unpack_p7data(p7);
} else if (bagnid == NID_pkcs7_encrypted) {
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
- &pbe_nid, &pbe_iter, &pbe_saltlen))
+ if (p7->d.encrypted == NULL
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
goto err;
} else {
continue;
diff -Naur a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
--- a/crypto/pkcs7/pk7_mime.c 2024-02-04 10:55:19.245070861 +0800
+++ b/crypto/pkcs7/pk7_mime.c 2024-02-04 10:53:27.898106618 +0800
@@ -30,11 +30,14 @@
{
STACK_OF(X509_ALGOR) *mdalgs;
int ctype_nid = OBJ_obj2nid(p7->type);
- if (ctype_nid == NID_pkcs7_signed)
+
+ if (ctype_nid == NID_pkcs7_signed) {
+ if (p7->d.sign == NULL)
+ return 0;
mdalgs = p7->d.sign->md_algs;
- else
+ } else {
mdalgs = NULL;
-
+ }
flags ^= SMIME_OLDMIME;
return SMIME_write_ASN1(bio, (ASN1_VALUE *)p7, data, flags,

23
dependency/psutil/build.sh
View File

@ -31,19 +31,16 @@ cp -r build/lib*/* $TARGET_PATH
cp ../_psutil_linux.py $TARGET_PATH/psutil/
cp ../_psutil_posix.py $TARGET_PATH/psutil/
cp -f $TARGET_PATH/psutil/_psutil_linux.*.so $TARGET_PATH/psutil/_psutil_linux.so_3.6
version_num=("3.6" "3.7" "3.8" "3.9" "3.10")
for (( i=0;i<${#version_num[*]};i++ ))
do
if [[ $(python3 -V | awk '{print $2}') =~ ${version_num[$i]} ]]; then
mv $TARGET_PATH/psutil/_psutil_linux.*.so $TARGET_PATH/psutil/_psutil_linux.so_${version_num[$i]}
mv $TARGET_PATH/psutil/_psutil_posix.*.so $TARGET_PATH/psutil/_psutil_posix.so_${version_num[$i]}
if [ $? -ne 0 ]; then
die "[Error] \"cp -f $TARGET_PATH/psutil/_psutil_linux.*.so $TARGET_PATH/psutil/_psutil_linux.so_3.6\" failed."
die "[Error] \"mv $TARGET_PATH/_psutil_linux.*.so $TARGET_PATH/psutil/_psutil_linux.so_${version_num[$i]}\" failed."
fi
mv $TARGET_PATH/psutil/_psutil_linux.*.so $TARGET_PATH/psutil/_psutil_linux.so_3.7
if [ $? -ne 0 ]; then
die "[Error] \"mv $TARGET_PATH/_psutil_linux.*.so $TARGET_PATH/psutil/_psutil_linux.so_3.7\" failed."
fi
cp -f $TARGET_PATH/psutil/_psutil_posix.*.so $TARGET_PATH/psutil/_psutil_posix.so_3.6
if [ $? -ne 0 ]; then
die "[Error] \"cp -f $TARGET_PATH/psutil/_psutil_posix.*.so $TARGET_PATH/psutil/_psutil_posix.so_3.6\" failed."
fi
mv $TARGET_PATH/psutil/_psutil_posix.*.so $TARGET_PATH/psutil/_psutil_posix.so_3.7
if [ $? -ne 0 ]; then
die "[Error] \"mv $TARGET_PATH/psutil/_psutil_posix.*.so $TARGET_PATH/psutil/_psutil_posix.so_3.7\" failed."
break
fi
done

2
dependency/pynacl/_sodium.py
View File

@ -1,7 +1,7 @@
def __bootstrap__():
global __bootstrap__, __loader__, __file__
import sys, pkg_resources, imp
__file__ = pkg_resources.resource_filename(__name__, '_sodium.so')
__file__ = pkg_resources.resource_filename(__name__, '_sodium.abi3.so')
__loader__ = None; del __bootstrap__, __loader__
imp.load_dynamic(__name__,__file__)
__bootstrap__()

29
dependency/pynacl/build.sh
View File

@ -1,4 +1,3 @@
#!/bin/bash
#######################################################################
# Copyright (c): 2012-2019, Huawei Tech. Co., Ltd.
# description: the script that make install pynacl
@ -7,7 +6,9 @@
# history:
#######################################################################
set -e
ROOT_DIR=$(pwd)
mkdir -p $(pwd)/../../output/install_tools
ARCH=`uname -m`
python_version=`python3 -V | awk -F ' ' '{print $2}' |awk -F '.' -v OFS='.' '{print $1,$2}'`
export TARGET_PATH=$(pwd)/../../output/install_tools/
export LD_LIBRARY_PATH=$TARGET_PATH:$LD_LIBRARY_PATH
@ -20,16 +21,38 @@ fi
mkdir ${SOURCE_FILE}
tar -zxf $TAR_SOURCE_FILE -C $SOURCE_FILE --strip-components 1
cd $SOURCE_FILE
if [[ "$ARCH"x = "loongarch64"x ]];then
cp -rf $(pwd)/../../../build-aux/* ./src/libsodium/build-aux/
fi
sed -i "s/\"wheel\"//g" setup.py
CFLAGS="-fstack-protector-strong -Wl,-z,relro,-z,now" python3 setup.py build
version_num=("3.6" "3.7" "3.8" "3.9" "3.10")
lib_dir=""
for (( i=0;i<${#version_num[*]};i++ ))
do
if [[ $(python3 -V | awk '{print $2}') =~ ${version_num[$i]} ]]; then
lib_dir="lib${version_num[$i]}"
break
fi
done
if [[ "$PLATFORM" == centos* ]]; then
CPU_BIT=$(uname -m)
if [ X"$CPU_BIT" = X"x86_64" ]; then
gcc -pthread -shared -Wl,-z,relro,-z,now,-z,noexecstack -s -ftrapv -g build/temp.linux-x86_64-$python_version/build/temp.linux-x86_64-$python_version/_sodium.o -Lbuild/temp.linux-x86_64-$python_version/lib -Lbuild/temp.linux-x86_64-$python_version/lib64 -Lbuild/temp.linux-x86_64-$python_version -lsodium -lsodium -o build/lib.linux-x86_64-$python_version/nacl/_sodium.abi3.so
fi
fi
python3 setup.py install --user
if [[ -d "$TARGET_PATH/nacl" ]]; then
mkdir -p $TARGET_PATH/nacl/$lib_dir
cp build/lib*/nacl/_sodium.abi3.so $TARGET_PATH/nacl/$lib_dir
else
cp -r build/lib*/* $TARGET_PATH
mkdir -p $TARGET_PATH/nacl/$lib_dir
cp $TARGET_PATH/nacl/_sodium.abi3.so $TARGET_PATH/nacl/$lib_dir
fi
# add boost script
preloader_dir_path=$(PYTHONPATH='' pip3 show pynacl | awk '/Location/{ print $2 }')
cp ${preloader_dir_path}/nacl/_sodium.py $TARGET_PATH/nacl/
cp ${ROOT_DIR}/_sodium.py $TARGET_PATH/nacl/

29
dependency/unixodbc/CVE-2024-1013.patch Normal file
View File

@ -0,0 +1,29 @@
diff -Naur a/Drivers/Postgre7.1/info.c b/Drivers/Postgre7.1/info.c
--- a/Drivers/Postgre7.1/info.c 2024-03-19 15:43:10.523054234 +0800
+++ b/Drivers/Postgre7.1/info.c 2024-03-19 15:56:31.788491940 +0800
@@ -1779,14 +1779,14 @@
char index_name[MAX_INFO_STRING];
short fields_vector[8];
char isunique[10], isclustered[10];
-SDWORD index_name_len, fields_vector_len;
+SQLLEN index_name_len, fields_vector_len;
TupleNode *row;
int i;
HSTMT hcol_stmt;
StatementClass *col_stmt, *indx_stmt;
char column_name[MAX_INFO_STRING], relhasrules[MAX_INFO_STRING];
char **column_names = 0;
-Int4 column_name_len;
+SQLLEN column_name_len;
int total_columns = 0;
char error = TRUE;
ConnInfo *ci;
@@ -2136,7 +2136,7 @@
StatementClass *tbl_stmt;
char tables_query[STD_STATEMENT_LEN];
char attname[MAX_INFO_STRING];
-SDWORD attname_len;
+SQLLEN
char pktab[MAX_TABLE_LEN + 1];
Int2 result_cols;

1
dependency/unixodbc/build_comm.sh
View File

@ -24,6 +24,7 @@ function build_component()
echo "start to patch."
patch -p1 < ../0001-unixodbc.patch
patch -p1 < ../0002-unixodbc.patch
patch -p1 < ../CVE-2024-1013.patch
echo "end patch."
tmp_cpus=$(grep -w processor /proc/cpuinfo|wc -l)

3
dependency/xgboost/build.sh
View File

@ -38,7 +38,8 @@ cmake .. -DCMAKE_INSTALL_PREFIX=$(pwd)/install_comm
make -j4
make install
rm -rf install_comm/bin install_comm/lib
rm -rf install_comm/bin
mv install_comm/lib install_comm/lib64
export INSTALL_DIR=${TARGET_PATH}/xgboost
mkdir -p ${INSTALL_DIR}/comm ${INSTALL_DIR}/llt
cp -r install_comm/* ${INSTALL_DIR}/comm

21
dependency/zlib/CVE-2023-45853.patch Normal file
View File

@ -0,0 +1,21 @@
diff -Naur a/contrib/minizip/zip.c b/contrib/minizip/zip.c
--- a/contrib/minizip/zip.c 2023-10-16 10:30:43.399786707 +0800
+++ b/contrib/minizip/zip.c 2023-10-16 10:29:53.511135074 +0800
@@ -1083,6 +1083,17 @@
return ZIP_PARAMERROR;
#endif
+ // The filename and comment length must fit in 16 bits.
+ if ((filename!=NULL) && (strlen(filename)>0xffff))
+ return ZIP_PARAMERROR;
+ if ((comment!=NULL) && (strlen(comment)>0xffff))
+ return ZIP_PARAMERROR;
+ // The extra field length must fit in 16 bits. If the member also requires
+ // a Zip64 extra block, that will also need to fit within that 16-bit
+ // length, but that will be checked for later.
+ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
+ return ZIP_PARAMERROR;
+
zi = (zip64_internal*)file;
if (zi->in_opened_file_inzip == 1)

1
dependency/zlib/build_component.sh
View File

@ -32,6 +32,7 @@ function build_component()
fi
patch -p1 < ../zlib.patch
patch -p1 < ../zlib-CVE-2022-37434.patch
patch -p1 < ../CVE-2023-45853.patch
chmod +x configure
for COMPILE_TYPE in ${COMPLIE_TYPE_LIST}
do

10
dependency/zlib/build_component_configure.sh
View File

@ -25,7 +25,10 @@ function build_component_configure()
;;
comm|llt)
CONFIGURE_EXTRA_FLAG="--64"
if [[ X"$(uname -p)" == X*"aarch64" ]];then
if [[ X"$(uname -m)" == X*"aarch64" ]];then
CONFIGURE_EXTRA_FLAG=""
fi
if [[ X"$(uname -m)" == X*"loongarch64" ]];then
CONFIGURE_EXTRA_FLAG=""
fi
mkdir -p ${LOCAL_DIR}/install_${COMPILE_TYPE}
@ -41,7 +44,10 @@ function build_component_configure()
log "[Notice] zlib using \"${COMPILE_TYPE}\" Begin make"
MAKE_EXTRA_FLAG="-m64"
if [[ X"$(uname -p)" == X*"aarch64" ]];then
if [[ X"$(uname -m)" == X*"aarch64" ]];then
MAKE_EXTRA_FLAG=""
fi
if [[ X"$(uname -m)" == X*"loongarch64" ]];then
MAKE_EXTRA_FLAG=""
fi
if [ "${COMPILE_TYPE}"X = "comm"X ]; then

7
dependency/zstd/build.sh
View File

@ -16,9 +16,10 @@ export PACKAGE=zstd
[ -n "${PACKAGE}" ] && rm -rf ${PACKAGE}
mkdir ${PACKAGE}
tar -zxf $TAR_SOURCE_FILE -C $PACKAGE --strip-components 1
cd $PACKAGE/programs
cd ${PACKAGE}
cd programs
patch -p2 < ../../CVE-2022-4899.patch
cd $PACKAGE
cd ..
mkdir -p ../install_comm/lib/
cd build/cmake/
mkdir build
@ -34,7 +35,7 @@ sed -i 's/-std=c99/-std=c99 -Wl,-z,relro,-z,now,-z,noexecstack -fPIC -fstack-pro
sed -i 's/-std=c99/-std=c99 -Wl,-z,relro,-z,now,-z,noexecstack -fPIC -fstack-protector-strong/g' ./lib/CMakeFiles/libzstd_shared.dir/link.txt
make -j4
make install
mv ../../../../install_comm/lib64/libzstd* ../../../../install_comm/lib/
#mv ../../../../install_comm/lib/libzstd* ../../../../install_comm/lib/
INSTALL_DIR=${LOCAL_DIR}/../../output/kernel/dependency/zstd
# copy lib to destination

41
gpl_dependency/postgis/postgis_2.4.2-2.patch
View File

@ -1,6 +1,6 @@
diff -uprN a/gdal-1.11.0/frmts/postgisraster/postgisraster.h b/gdal-1.11.0/frmts/postgisraster/postgisraster.h
--- a/gdal-1.11.0/frmts/postgisraster/postgisraster.h 2020-09-11 17:27:26.000000000 +0800
+++ b/gdal-1.11.0/frmts/postgisraster/postgisraster.h 2022-07-26 10:42:35.516751810 +0800
+++ b/gdal-1.11.0/frmts/postgisraster/postgisraster.h 2023-09-14 17:44:39.190414405 +0800
@@ -38,7 +38,7 @@
#define POSTGISRASTER_H_INCLUDED
@ -12,7 +12,7 @@ diff -uprN a/gdal-1.11.0/frmts/postgisraster/postgisraster.h b/gdal-1.11.0/frmts
#include <float.h>
diff -uprN a/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogr_pg.h b/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogr_pg.h
--- a/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogr_pg.h 2020-09-11 17:27:26.000000000 +0800
+++ b/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogr_pg.h 2022-07-26 10:42:35.516751810 +0800
+++ b/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogr_pg.h 2023-09-14 17:44:39.190414405 +0800
@@ -32,7 +32,7 @@
#define _OGR_PG_H_INCLUDED
@ -24,7 +24,7 @@ diff -uprN a/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogr_pg.h b/gdal-1.11.0/ogr/ogrsf_frm
#include "ogrpgutility.h"
diff -uprN a/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogrpgutility.h b/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogrpgutility.h
--- a/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogrpgutility.h 2020-09-11 17:27:26.000000000 +0800
+++ b/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogrpgutility.h 2022-07-26 10:42:35.516751810 +0800
+++ b/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogrpgutility.h 2023-09-14 17:44:39.190414405 +0800
@@ -30,7 +30,7 @@
#ifndef OGRPGUTILITY_H_INCLUDED
#define OGRPGUTILITY_H_INCLUDED
@ -36,7 +36,7 @@ diff -uprN a/gdal-1.11.0/ogr/ogrsf_frmts/pg/ogrpgutility.h b/gdal-1.11.0/ogr/ogr
int bMultipleCommandAllowed = FALSE);
diff -uprN a/postgis-2.4.2/configure b/postgis-2.4.2/configure
--- a/postgis-2.4.2/configure 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/configure 2022-07-26 10:43:36.516751810 +0800
+++ b/postgis-2.4.2/configure 2023-09-14 17:44:39.193414430 +0800
@@ -13515,7 +13515,11 @@ if test "x$LIBLWGEOM_ONLY" = "xno"; then
PGSQL_MINOR_VERSION=0
fi
@ -52,7 +52,7 @@ diff -uprN a/postgis-2.4.2/configure b/postgis-2.4.2/configure
PGSQL_LIBDIR=`"$PG_CONFIG" --libdir`
diff -uprN a/postgis-2.4.2/postgis--2.4.2.sql b/postgis-2.4.2/postgis--2.4.2.sql
--- a/postgis-2.4.2/postgis--2.4.2.sql 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/postgis--2.4.2.sql 2022-07-26 10:42:35.548751810 +0800
+++ b/postgis-2.4.2/postgis--2.4.2.sql 2023-09-14 17:44:39.204414523 +0800
@@ -1720,7 +1720,7 @@ CREATE TABLE spatial_ref_sys (
auth_srid integer,
srtext varchar(2048),
@ -244,15 +244,32 @@ diff -uprN a/postgis-2.4.2/postgis--2.4.2.sql b/postgis-2.4.2/postgis--2.4.2.sql
---------------------------------------------------------------
-- 3D-functions
---------------------------------------------------------------
diff -uprN a/postgis-2.4.2/postgis_raster--2.4.2.sql b/postgis-2.4.2/postgis_raster--2.4.2.sql
--- a/postgis-2.4.2/postgis_raster--2.4.2.sql 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/postgis_raster--2.4.2.sql 2023-09-14 17:46:32.729369686 +0800
@@ -52,10 +52,11 @@ CREATE OR REPLACE FUNCTION raster_out(ra
-- Availability: 2.0.0
CREATE TYPE raster (
alignment = double,
- internallength = variable,
+ internallength = 8,
+ passedbyvalue = true,
input = raster_in,
output = raster_out,
- storage = extended
+ storage = plain
);
------------------------------------------------------------------------------
diff -uprN a/postgis-2.4.2/postgis_svn_revision.h b/postgis-2.4.2/postgis_svn_revision.h
--- a/postgis-2.4.2/postgis_svn_revision.h 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/postgis_svn_revision.h 2022-07-26 10:42:35.532751810 +0800
+++ b/postgis-2.4.2/postgis_svn_revision.h 2023-09-14 17:44:39.206414540 +0800
@@ -1 +1 @@
-#define POSTGIS_SVN_REVISION "2.1.1"
+#define POSTGIS_SVN_REVISION '2.1.1'
diff -uprN a/postgis-2.4.2/raster/rt_pg/rtpostgis.c b/postgis-2.4.2/raster/rt_pg/rtpostgis.c
--- a/postgis-2.4.2/raster/rt_pg/rtpostgis.c 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/raster/rt_pg/rtpostgis.c 2022-07-26 10:42:35.532751810 +0800
+++ b/postgis-2.4.2/raster/rt_pg/rtpostgis.c 2023-09-14 17:44:39.206414540 +0800
@@ -135,7 +135,7 @@
//#include "utils/memutils.h"
@ -280,7 +297,7 @@ diff -uprN a/postgis-2.4.2/raster/rt_pg/rtpostgis.c b/postgis-2.4.2/raster/rt_pg
diff -uprN a/postgis-2.4.2/topology/Makefile.in b/postgis-2.4.2/topology/Makefile.in
--- a/postgis-2.4.2/topology/Makefile.in 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/topology/Makefile.in 2022-07-26 10:42:35.532751810 +0800
+++ b/postgis-2.4.2/topology/Makefile.in 2023-09-14 17:44:39.206414540 +0800
@@ -64,6 +64,7 @@ PGXS := @PGXS@
# http://www.postgresql.org/message-id/CAB7nPqTsR5o3g-fBi6jbsVdhfPiLFWQ_0cGU5=94Rv_8W3qvFA@mail.gmail.com
NO_TEMP_INSTALL=yes
@ -291,7 +308,7 @@ diff -uprN a/postgis-2.4.2/topology/Makefile.in b/postgis-2.4.2/topology/Makefil
PERL=@PERL@
diff -uprN a/postgis-2.4.2/topology/postgis_topology.c b/postgis-2.4.2/topology/postgis_topology.c
--- a/postgis-2.4.2/topology/postgis_topology.c 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/topology/postgis_topology.c 2022-07-26 10:42:35.532751810 +0800
+++ b/postgis-2.4.2/topology/postgis_topology.c 2023-09-14 17:44:39.207414548 +0800
@@ -22,6 +22,7 @@
#include "funcapi.h" /* for FuncCallContext */
#include "executor/spi.h" /* this is what you need to work with SPI */
@ -527,7 +544,7 @@ diff -uprN a/postgis-2.4.2/topology/postgis_topology.c b/postgis-2.4.2/topology/
{
diff -uprN a/postgis-2.4.2/topology/sql/topogeometry/totopogeom.sql.in b/postgis-2.4.2/topology/sql/topogeometry/totopogeom.sql.in
--- a/postgis-2.4.2/topology/sql/topogeometry/totopogeom.sql.in 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/topology/sql/topogeometry/totopogeom.sql.in 2022-07-26 10:42:35.532751810 +0800
+++ b/postgis-2.4.2/topology/sql/topogeometry/totopogeom.sql.in 2023-09-14 17:44:39.207414548 +0800
@@ -199,7 +199,7 @@ BEGIN
'Layer "%" of topology "%" is %, cannot hold a collection feature.',
layer_info.layer_id, topology_info.name, layer_info.typename;
@ -566,7 +583,7 @@ diff -uprN a/postgis-2.4.2/topology/sql/topogeometry/totopogeom.sql.in b/postgis
RAISE EXCEPTION
diff -uprN a/postgis-2.4.2/topology/sql/topogeometry/type.sql.in b/postgis-2.4.2/topology/sql/topogeometry/type.sql.in
--- a/postgis-2.4.2/topology/sql/topogeometry/type.sql.in 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/topology/sql/topogeometry/type.sql.in 2022-07-26 10:42:35.532751810 +0800
+++ b/postgis-2.4.2/topology/sql/topogeometry/type.sql.in 2023-09-14 17:44:39.207414548 +0800
@@ -24,10 +24,10 @@ CREATE OR REPLACE FUNCTION topology.Geom
AS
$$
@ -599,7 +616,7 @@ diff -uprN a/postgis-2.4.2/topology/sql/topogeometry/type.sql.in b/postgis-2.4.2
$$
diff -uprN a/postgis-2.4.2/topology/topology.sql.in b/postgis-2.4.2/topology/topology.sql.in
--- a/postgis-2.4.2/topology/topology.sql.in 2020-09-11 17:27:26.000000000 +0800
+++ b/postgis-2.4.2/topology/topology.sql.in 2022-07-26 10:42:35.532751810 +0800
+++ b/postgis-2.4.2/topology/topology.sql.in 2023-09-14 17:44:39.208414557 +0800
@@ -340,7 +340,7 @@ CREATE TYPE topology.TopoGeometry AS (
topology_id integer,
layer_id integer,

7
platform/openjdk8/build.sh
View File

@ -28,8 +28,13 @@ mkdir -pv ${TARGET_PATH}
if [ ${ARCH} = "aarch64" ];then
TAR_SOURCE_FILE="bisheng-jdk-8u312-linux-aarch64.tar.gz";
else
elif [ ${ARCH} = "x86_64" ];then
TAR_SOURCE_FILE="bisheng-jdk-8u312-linux-x64.tar.gz";
elif [ ${ARCH} = "loongarch64" ];then
TAR_SOURCE_FILE="loongson8.1.10-jdk8u312b07-linux-loongarch64.tar.gz";
else
echo "There is no jdk for the architecture $ARCH"
exit 1
fi
mkdir ${SOURCE_FILE}

BIN
platform/openjdk8/loongson8.1.10-jdk8u312b07-linux-loongarch64.tar.gz Normal file
View File

Binary file not shown.