[gentoo-commits] repo/gentoo:master commit in: sys-apps/kmod/, sys-apps/kmod/files/

Mon, 10 Jun 2019 06:37:46 -0700 

commit:     fb2edfa0a5001ed4e3cdc406b6bcd9bb4fb1c6cb
Author:     Stefan Strogin <steils <AT> gentoo <DOT> org>
AuthorDate: Wed May 29 15:36:08 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Jun 10 13:34:47 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb2edfa0

sys-apps/kmod: add patch and USE flag for LibreSSL support

Closes: https://bugs.gentoo.org/677960
Package-Manager: Portage-2.3.67, Repoman-2.3.13
Signed-off-by: Stefan Strogin <steils <AT> gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/11146
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 sys-apps/kmod/files/kmod-26-libressl.patch         | 143 +++++++++++++++++++++
 .../kmod/{kmod-26.ebuild => kmod-26-r1.ebuild}     |  11 +-
 sys-apps/kmod/kmod-26.ebuild                       |  11 +-
 3 files changed, 161 insertions(+), 4 deletions(-)

diff --git a/sys-apps/kmod/files/kmod-26-libressl.patch 
b/sys-apps/kmod/files/kmod-26-libressl.patch
new file mode 100644
index 00000000000..cb36ab401c2
--- /dev/null
+++ b/sys-apps/kmod/files/kmod-26-libressl.patch
@@ -0,0 +1,143 @@
+From 628677e066198d8658d7edd5511a5bb27cd229f5 Mon Sep 17 00:00:00 2001
+From: Stefan Strogin <[email protected]>
+Date: Sun, 19 May 2019 03:42:01 +0300
+Subject: [PATCH] libkmod-signature: use PKCS#7 instead of CMS
+
+Linux uses either PKCS #7 or CMS for signing modules (see
+scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL,
+so PKCS #7 is used on systems with these libcrypto providers.
+
+CMS and PKCS #7 formats are very similar. CMS is newer but is as much as
+possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in
+the latest OpenSSL as well as CMS. The fields used for signing kernel
+modules are supported both in PKCS #7 and CMS.
+
+For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or
+newer.
+
+Use PKCS #7 for parsing module signature information, so that modinfo
+could be used both with OpenSSL and LibreSSL.
+
+[1] https://tools.ietf.org/html/rfc5652#section-1.1
+
+Changes v1->v2:
+- Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both
+with OpenSSL and LibreSSL.
+
+Upstream-Status: Accepted
+[https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=628677e066198d8658d7edd5511a5bb27cd229f5]
+Signed-off-by: Stefan Strogin <[email protected]>
+---
+ libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
+index 48d0145..4e8748c 100644
+--- a/libkmod/libkmod-signature.c
++++ b/libkmod/libkmod-signature.c
+@@ -20,7 +20,7 @@
+ #include <endian.h>
+ #include <inttypes.h>
+ #ifdef ENABLE_OPENSSL
+-#include <openssl/cms.h>
++#include <openssl/pkcs7.h>
+ #include <openssl/ssl.h>
+ #endif
+ #include <stdio.h>
+@@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size,
+ #ifdef ENABLE_OPENSSL
+ 
+ struct pkcs7_private {
+-      CMS_ContentInfo *cms;
++      PKCS7 *pkcs7;
+       unsigned char *key_id;
+       BIGNUM *sno;
+ };
+@@ -132,7 +132,7 @@ static void pkcs7_free(void *s)
+       struct kmod_signature_info *si = s;
+       struct pkcs7_private *pvt = si->private;
+ 
+-      CMS_ContentInfo_free(pvt->cms);
++      PKCS7_free(pvt->pkcs7);
+       BN_free(pvt->sno);
+       free(pvt->key_id);
+       free(pvt);
+@@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
+                      struct kmod_signature_info *sig_info)
+ {
+       const char *pkcs7_raw;
+-      CMS_ContentInfo *cms;
+-      STACK_OF(CMS_SignerInfo) *sis;
+-      CMS_SignerInfo *si;
+-      int rc;
+-      ASN1_OCTET_STRING *key_id;
++      PKCS7 *pkcs7;
++      STACK_OF(PKCS7_SIGNER_INFO) *sis;
++      PKCS7_SIGNER_INFO *si;
++      PKCS7_ISSUER_AND_SERIAL *is;
+       X509_NAME *issuer;
+       ASN1_INTEGER *sno;
+       ASN1_OCTET_STRING *sig;
+@@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size,
+ 
+       in = BIO_new_mem_buf(pkcs7_raw, sig_len);
+ 
+-      cms = d2i_CMS_bio(in, NULL);
+-      if (cms == NULL) {
++      pkcs7 = d2i_PKCS7_bio(in, NULL);
++      if (pkcs7 == NULL) {
+               BIO_free(in);
+               return false;
+       }
+ 
+       BIO_free(in);
+ 
+-      sis = CMS_get0_SignerInfos(cms);
++      sis = PKCS7_get_signer_info(pkcs7);
+       if (sis == NULL)
+               goto err;
+ 
+-      si = sk_CMS_SignerInfo_value(sis, 0);
++      si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
+       if (si == NULL)
+               goto err;
+ 
+-      rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
+-      if (rc == 0)
++      is = si->issuer_and_serial;
++      if (is == NULL)
+               goto err;
++      issuer = is->issuer;
++      sno = is->serial;
+ 
+-      sig = CMS_SignerInfo_get0_signature(si);
++      sig = si->enc_digest;
+       if (sig == NULL)
+               goto err;
+ 
+-      CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
++      PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
+ 
+       sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
+       sig_info->sig_len = ASN1_STRING_length(sig);
+@@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
+       if (pvt == NULL)
+               goto err3;
+ 
+-      pvt->cms = cms;
++      pvt->pkcs7 = pkcs7;
+       pvt->key_id = key_id_str;
+       pvt->sno = sno_bn;
+       sig_info->private = pvt;
+@@ -290,7 +291,7 @@ err3:
+ err2:
+       BN_free(sno_bn);
+ err:
+-      CMS_ContentInfo_free(cms);
++      PKCS7_free(pkcs7);
+       return false;
+ }
+ 
+-- 
+2.21.0
+

diff --git a/sys-apps/kmod/kmod-26.ebuild b/sys-apps/kmod/kmod-26-r1.ebuild
similarity index 95%
copy from sys-apps/kmod/kmod-26.ebuild
copy to sys-apps/kmod/kmod-26-r1.ebuild
index c65b8e72243..a10a6cdda8d 100644
--- a/sys-apps/kmod/kmod-26.ebuild
+++ b/sys-apps/kmod/kmod-26-r1.ebuild
@@ -21,7 +21,7 @@ 
HOMEPAGE="https://git.kernel.org/?p=utils/kernel/kmod/kmod.git";
 
 LICENSE="LGPL-2"
 SLOT="0"
-IUSE="debug doc lzma python ssl static-libs +tools zlib"
+IUSE="debug doc libressl lzma python ssl static-libs +tools zlib"
 
 # Upstream does not support running the test suite with custom configure flags.
 # I was also told that the test suite is intended for kmod developers.
@@ -36,7 +36,10 @@ RDEPEND="!sys-apps/module-init-tools
        !<sys-apps/systemd-216-r3
        lzma? ( >=app-arch/xz-utils-5.0.4-r1 )
        python? ( ${PYTHON_DEPS} )
-       ssl? ( >=dev-libs/openssl-1.1.0:0= )
+       ssl? (
+               !libressl? ( >=dev-libs/openssl-1.1.0:0= )
+               libressl? ( dev-libs/libressl:0= )
+       )
        zlib? ( >=sys-libs/zlib-1.2.6 )" #427130
 DEPEND="${RDEPEND}
        doc? ( dev-util/gtk-doc )
@@ -55,6 +58,10 @@ REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 
 DOCS="NEWS README TODO"
 
+PATCHES=(
+       "${FILESDIR}/${P}-libressl.patch" # bug 677960
+)
+
 src_prepare() {
        default
 

diff --git a/sys-apps/kmod/kmod-26.ebuild b/sys-apps/kmod/kmod-26.ebuild
index c65b8e72243..a10a6cdda8d 100644
--- a/sys-apps/kmod/kmod-26.ebuild
+++ b/sys-apps/kmod/kmod-26.ebuild
@@ -21,7 +21,7 @@ 
HOMEPAGE="https://git.kernel.org/?p=utils/kernel/kmod/kmod.git";
 
 LICENSE="LGPL-2"
 SLOT="0"
-IUSE="debug doc lzma python ssl static-libs +tools zlib"
+IUSE="debug doc libressl lzma python ssl static-libs +tools zlib"
 
 # Upstream does not support running the test suite with custom configure flags.
 # I was also told that the test suite is intended for kmod developers.
@@ -36,7 +36,10 @@ RDEPEND="!sys-apps/module-init-tools
        !<sys-apps/systemd-216-r3
        lzma? ( >=app-arch/xz-utils-5.0.4-r1 )
        python? ( ${PYTHON_DEPS} )
-       ssl? ( >=dev-libs/openssl-1.1.0:0= )
+       ssl? (
+               !libressl? ( >=dev-libs/openssl-1.1.0:0= )
+               libressl? ( dev-libs/libressl:0= )
+       )
        zlib? ( >=sys-libs/zlib-1.2.6 )" #427130
 DEPEND="${RDEPEND}
        doc? ( dev-util/gtk-doc )
@@ -55,6 +58,10 @@ REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 
 DOCS="NEWS README TODO"
 
+PATCHES=(
+       "${FILESDIR}/${P}-libressl.patch" # bug 677960
+)
+
 src_prepare() {
        default

Reply via email to