Bug 677960 - sys-apps/kmod - add LibreSSL support
Summary: sys-apps/kmod - add LibreSSL support
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: udev maintainers
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks: libressl-support
Reported: 2019-02-14 07:06 UTC by Stefan Strogin
Modified: 2019-06-10 13:36 UTC

Attachments
0001-libkmod-signature-use-PKCS7-for-LibreSSL-or-older-Op.patch (4.42 KB, text/plain)
2019-02-15 04:03 UTC, Stefan Strogin

Description Stefan Strogin gentoo-dev 2019-02-14 07:06:51 UTC
After upgrading to kmod-26 USE=ssl was added, but without libressl support. Simply adding USE=libressl and dependency on dev-libs/libressl won't work:

./doltcompile x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I/var/tmp/portage/sys-apps/kmod-26/work/kmod-26  -include ./config.h -I/var/tmp/portage/sys-apps/kmod-26/work/kmod-26 -DSYSCONFDIR=\""/etc"\"   -pipe -DANOTHER_BRICK_IN_THE -Wall -W -Wextra -Wno-inline -Wvla -Wundef -Wformat=2 -Wlogical-op -Wsign-compare -Wformat-security -Wmissing-include-dirs -Wformat-nonliteral -Wold-style-definition -Wpointer-arith -Winit-self -Wdeclaration-after-statement -Wfloat-equal -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wmissing-declarations -Wmissing-noreturn -Wshadow -Wendif-labels -Wstrict-aliasing=3 -Wwrite-strings -Wno-long-long -Wno-overlength-strings -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Wnested-externs -Wchar-subscripts -Wtype-limits -Wuninitialized -fno-common -fdiagnostics-show-option -fvisibility=hidden -ffunction-sections -fdata-sections  -march=skylake -O2 -pipe -c -o libkmod/libkmod-signature.lo /var/tmp/portage/sys-apps/kmod-26/work/kmod-26/libkmod/libkmod-signature.c
/var/tmp/portage/sys-apps/kmod-26/work/kmod-26/libkmod/libkmod-signature.c:23:10: fatal error: openssl/cms.h: No such file or directory
 #include <openssl/cms.h>
          ^~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [Makefile:1758: libkmod/libkmod-signature.lo] Error 1
Comment 1 Stefan Strogin gentoo-dev 2019-02-14 07:26:33 UTC
So kmod now uses cryptographic message syntax (CMS) that was removed from LibreSSL.
I'm not sure what can be done in this case, I'll try to investigate.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-02-14 12:14:57 UTC
kmod-26 explicitly checks for >=openssl-1.1.0 in its configure file so unless upstream adds libressl support we cannot do much here.
Comment 3 Stefan Strogin gentoo-dev 2019-02-15 04:03:56 UTC
Created attachment 565446
0001-libkmod-signature-use-PKCS7-for-LibreSSL-or-older-Op.patch

Alright, here is the tale.

The Linux kernel uses either PKCS-7 or CMS for signing modules (scripts/sign-file.c). They are very similar standards, but CMS is not supported by LibreSSL.
As far as I can see, there are no differences between the standards that affect module signing. The fields used are the same.

In sign-file.c #if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10000000L || defined(OPENSSL_NO_CMS)
then PKCS-7 is used, otherwise CMS.

Yet modinfo uses only CMS with no alternative.
I have made a patch for using PKCS-7 with LibreSSL or an older OpenSSL version. In fact, CMS is not needed; the PKCS-7 format has all the same fields that are used when a module is signed using CMS, but PKCS-7 is better supported. For example, now I can sign a module using OpenSSL-1.1.1 and CMS and read its signing information with modinfo and PKCS-7, and otherwise.

I will send the patch upstream, and I would appreciate it if someone here could review it as well.

Also, please don't apply it before receiving feedback from LKML.
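
Why a PKCS-7 reader can handle a CMS-signed module, as an added example that is not part of the original comment or of kmod's code: a signed module ends with the signature blob, the kernel's 12-byte `struct module_signature` trailer and a magic string, and the blob's outer ContentInfo carries the same signedData OID in both standards. The function names are hypothetical and the sample module is constructed.

```c
#include <stdint.h>
#include <string.h>

#define SIG_MAGIC "~Module signature appended~\n"
#define MAGIC_LEN (sizeof(SIG_MAGIC) - 1)
#define TRAILER_LEN 12    /* kernel struct module_signature: 8 x u8 + be32 */
#define PKEY_ID_PKCS7 2   /* id_type used for PKCS#7/CMS-signed modules */

/* DER for OID 1.2.840.113549.1.7.2 (signedData): same in PKCS#7 and CMS. */
static const uint8_t OID_SIGNED_DATA[] =
    { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 };

/* Locate the signature blob; NULL if unsigned, wrong type, or bad length. */
const uint8_t *find_sig_blob(const uint8_t *mod, size_t size, size_t *len)
{
    const uint8_t *t;                 /* start of the 12-byte trailer */
    if (size < MAGIC_LEN + TRAILER_LEN ||
        memcmp(mod + size - MAGIC_LEN, SIG_MAGIC, MAGIC_LEN) != 0)
        return NULL;
    size -= MAGIC_LEN + TRAILER_LEN;
    t = mod + size;
    *len = ((size_t)t[8] << 24) | ((size_t)t[9] << 16) | ((size_t)t[10] << 8) | t[11];
    if (t[2] != PKEY_ID_PKCS7 || *len == 0 || *len > size)
        return NULL;                  /* length must fit inside the file */
    return t - *len;
}

/* True if the blob is a ContentInfo SEQUENCE whose type is signedData. */
int is_signed_data(const uint8_t *der, size_t len)
{
    size_t off = 2;                   /* tag byte + first length byte */
    if (len < 2 || der[0] != 0x30) return 0;
    if (der[1] & 0x80)                /* long form: skip the length octets */
        off += der[1] & 0x7f;
    return len >= off + sizeof(OID_SIGNED_DATA) &&
           memcmp(der + off, OID_SIGNED_DATA, sizeof(OID_SIGNED_DATA)) == 0;
}

/* Constructed sample (fake body, minimal blob, trailer, magic), then checked. */
int check_sample(uint8_t id_type, uint8_t sig_len)
{
    uint8_t m[64] = { 0x7f, 'E', 'L', 'F', 0x30, 0x0d }, *p = m + 6;
    size_t len = 0;
    const uint8_t *blob;
    memcpy(p, OID_SIGNED_DATA, sizeof(OID_SIGNED_DATA)); p += 11;
    *p++ = 0xa0; *p++ = 0x00;         /* empty [0] where SignedData would go */
    p[2] = id_type; p[11] = sig_len;  /* trailer: other fields stay zero */
    memcpy(p + TRAILER_LEN, SIG_MAGIC, MAGIC_LEN);
    blob = find_sig_blob(m, 19 + TRAILER_LEN + MAGIC_LEN, &len);
    return blob != NULL && is_signed_data(blob, len);
}
```

The `*len > size` check matters because the trailer is taken from the module file itself, so a declared signature length larger than the file must be rejected before any pointer is computed from it.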
Comment 5 pagorman 2019-02-22 21:44:41 UTC
With the above patch and the --nodeps option, sys-apps/kmod-26 installs appropriately on my amd64 system.
Comment 6 Larry the Git Cow gentoo-dev 2019-02-24 01:51:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=1676e6c83dc843ddccbfae6424b9cf0a454ea6fa

commit 1676e6c83dc843ddccbfae6424b9cf0a454ea6fa
Author:     Stefan Strogin <stefan.strogin@gmail.com>
AuthorDate: 2019-02-24 01:43:38 +0000
Commit:     Stefan Strogin <stefan.strogin@gmail.com>
CommitDate: 2019-02-24 01:44:05 +0000

    sys-apps/kmod: add package from gentoo.git; patch for LibreSSL
    
    Bug: https://bugs.gentoo.org/677960
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>

 sys-apps/kmod/Manifest                     |   1 +
 sys-apps/kmod/files/kmod-26-libressl.patch | 186 +++++++++++++++++++++++++++
 sys-apps/kmod/files/kmod-static-nodes-r1   |  18 +++
 sys-apps/kmod/kmod-26-r1.ebuild            | 200 +++++++++++++++++++++++++++++
 sys-apps/kmod/metadata.xml                 |  16 +++
 5 files changed, 421 insertions(+)
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-05-29 00:38:19 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> kmod-26 explicitly checks for >=openssl-1.1.0 in its configure file so
> unless upstream adds libressl support we cannot do much here.

Lars, upstream has accepted Stefan's patch.  Would you mind if it were included as a backport until upstream releases a new version?

https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=628677e066198d8658d7edd5511a5bb27cd229f5
Comment 8 Stefan Strogin gentoo-dev 2019-05-29 16:21:34 UTC
I have updated the PR, so now there is the upstream-accepted patch: https://github.com/gentoo/gentoo/pull/11146
Comment 9 Larry the Git Cow gentoo-dev 2019-06-10 13:36:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb2edfa0a5001ed4e3cdc406b6bcd9bb4fb1c6cb

commit fb2edfa0a5001ed4e3cdc406b6bcd9bb4fb1c6cb
Author:     Stefan Strogin <steils@gentoo.org>
AuthorDate: 2019-05-29 15:36:08 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-06-10 13:34:47 +0000

    sys-apps/kmod: add patch and USE flag for LibreSSL support
    
    Closes: https://bugs.gentoo.org/677960
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Stefan Strogin <steils@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/11146
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-apps/kmod/files/kmod-26-libressl.patch | 143 +++++++++++++++++++++
 sys-apps/kmod/kmod-26-r1.ebuild            | 200 +++++++++++++++++++++++++++++
 sys-apps/kmod/kmod-26.ebuild               |  11 +-
 3 files changed, 352 insertions(+), 2 deletions(-)