summaryrefslogtreecommitdiff
path: root/sys-apps/kmod
diff options
context:
space:
mode:
Diffstat (limited to 'sys-apps/kmod')
-rw-r--r--sys-apps/kmod/Manifest3
-rw-r--r--sys-apps/kmod/files/kmod-26-libressl.patch143
-rw-r--r--sys-apps/kmod/kmod-26-r1.ebuild (renamed from sys-apps/kmod/kmod-26.ebuild)11
3 files changed, 154 insertions, 3 deletions
diff --git a/sys-apps/kmod/Manifest b/sys-apps/kmod/Manifest
index 4792b6da957c..2af1c9a8ef81 100644
--- a/sys-apps/kmod/Manifest
+++ b/sys-apps/kmod/Manifest
@@ -1,7 +1,8 @@
+AUX kmod-26-libressl.patch 4014 BLAKE2B db7a2ce3206210cd0358d136c8d0568dae077399075164320ff608ca6ba5f1bca16d206ca975d8f5f9977ec80fcfed5b81146f9649d61e8e88f5f8589368ab1e SHA512 b5d26fda11398d4877821cbe8bd36967bec095d6e6c2489ec8aa4ef968795f0e238a74e2a9c4db8435fc176dc046920a365771a387a25cb1d0ea763210a92483
AUX kmod-static-nodes-r1 500 BLAKE2B 44ae03377e6cc7b5a271063828fcb39ec6925d82e52207771e1b6b4f921d0a07e51e97a8e6f432b542d88fb0195e1298cd54ba92d462a828ddd94dab7f924eb3 SHA512 8210d90f5d0702aea626b6db00adbabbd550009d8275fe430c8b113fcb0593a4dfb9efb22c061dde259e1bd94390be49823415d3fd99909e22a2bbf7ae349f63
DIST kmod-25.tar.xz 545416 BLAKE2B 2ad428f70630a1ef509be888a9ebc45f164695365f0f722f5e7793e96b60c035040b4d9a27f926361cea6d665310fc6cc5599ff4aefeda0fae8571c6510a25a7 SHA512 d579cd0cea24a06362a74927b7a3c777e9e01c990306e1032e4781cd441ffe435c70f2c2c4f6ae39eb1d857e622746411d5824d0c0d8bb79f91dc9fa51956252
DIST kmod-26.tar.xz 552032 BLAKE2B 3e596d06b48599bf4919346475a036b058fb18a7b19d39953e24fa943b95fdbe34a29a5062f6b4fe3510e667ae873d3b9ae03b72350fa85ddbb40ca6a7730b34 SHA512 3ca276c6fc13c2dd2220ec528b8dc4ab4edee5d2b22e16b6f945c552e51f74342c01c33a53740e6af8c893d42bd4d6f629cd8fa6e15ef8bd8da30cb003ef0865
EBUILD kmod-25.ebuild 4913 BLAKE2B f17beda49f104502c22d5f1e83b36b0869829460be48a3d30edec854891b836c185afa85cd46d36279fea0cb01415038e0a2682037638a3723d86b6b51bc4b5c SHA512 ff8089459817c08226c91243aa8582e4a275b813b5569f6dcd2c591bade7db8832c38cb21736e50f8440eeb3b734197c3971b63e3e0899a6baf8f8dcf7f074ff
-EBUILD kmod-26.ebuild 5009 BLAKE2B 545bdf26a17842acedfe60417b159cbd6087da5eb694f35d3ead332609575f15595e6ae36077169fe9af9015981d1352494661e57c063484b73382be9a66fc92 SHA512 138a6c74662bd99b6785573970c7791c9e6ef838fd9a3e09eec7c6c2b9582fe1fce69061ba90d49a304e3ac32585f36142ae3dfcbb637297cdcdcb4279de4186
+EBUILD kmod-26-r1.ebuild 5134 BLAKE2B e663244e433893ba30b1776258257d30a26beb87607553cf48688f3989b0675d186bbc8ee6c639ca139396db42311021f6818b177c15f61b6a62bc9660f68b12 SHA512 f025735f5ce30d16d2560660a2d781091940cfb517fd7f6100aaf470055b9f4185bdf282e98b065e35180b68adcca7f98fb0c035d9ac25607735a1e239a9b17c
EBUILD kmod-9999.ebuild 5002 BLAKE2B f5d77bb0b1bc1b55886a7e31b52bd922e616b080d1ee710d889e6465685a8b47c74500d2852dba03d8068abe5def621628c63ed5e7c096b28f449f7ce0755729 SHA512 2df4cf048aa392368c00f338d5fd46382cc7b362717d6fec5e2efb6f6c38f9783201aecfbf54db02f2e3275cb8dfa6e53aeb8a59f7acedbebedddd0e45ca0172
MISC metadata.xml 540 BLAKE2B ec5ee262fe76215688d99e32778848e71de5825f488eea2219e076290e020aa86de6138ab8366d5e077d44797789a27c22fea1c64f9c6e2713cf315b4b891455 SHA512 c4f47a77dfa7bc4cbaa61744fc46c5547763b51b48521cd229ac89680325ecbf415bd9e1ce9c71982ea721d0d5c4cf3677a0f70e8dad65235f523840cd14de94
diff --git a/sys-apps/kmod/files/kmod-26-libressl.patch b/sys-apps/kmod/files/kmod-26-libressl.patch
new file mode 100644
index 000000000000..cb36ab401c21
--- /dev/null
+++ b/sys-apps/kmod/files/kmod-26-libressl.patch
@@ -0,0 +1,143 @@
+From 628677e066198d8658d7edd5511a5bb27cd229f5 Mon Sep 17 00:00:00 2001
+From: Stefan Strogin <steils@gentoo.org>
+Date: Sun, 19 May 2019 03:42:01 +0300
+Subject: [PATCH] libkmod-signature: use PKCS#7 instead of CMS
+
+Linux uses either PKCS #7 or CMS for signing modules (see
+scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL,
+so PKCS #7 is used on systems with these libcrypto providers.
+
+CMS and PKCS #7 formats are very similar. CMS is newer but is as much as
+possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in
+the latest OpenSSL as well as CMS. The fields used for signing kernel
+modules are supported both in PKCS #7 and CMS.
+
+For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or
+newer.
+
+Use PKCS #7 for parsing module signature information, so that modinfo
+could be used both with OpenSSL and LibreSSL.
+
+[1] https://tools.ietf.org/html/rfc5652#section-1.1
+
+Changes v1->v2:
+- Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both
+with OpenSSL and LibreSSL.
+
+Upstream-Status: Accepted
+[https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=628677e066198d8658d7edd5511a5bb27cd229f5]
+Signed-off-by: Stefan Strogin <steils@gentoo.org>
+---
+ libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
+index 48d0145..4e8748c 100644
+--- a/libkmod/libkmod-signature.c
++++ b/libkmod/libkmod-signature.c
+@@ -20,7 +20,7 @@
+ #include <endian.h>
+ #include <inttypes.h>
+ #ifdef ENABLE_OPENSSL
+-#include <openssl/cms.h>
++#include <openssl/pkcs7.h>
+ #include <openssl/ssl.h>
+ #endif
+ #include <stdio.h>
+@@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size,
+ #ifdef ENABLE_OPENSSL
+
+ struct pkcs7_private {
+- CMS_ContentInfo *cms;
++ PKCS7 *pkcs7;
+ unsigned char *key_id;
+ BIGNUM *sno;
+ };
+@@ -132,7 +132,7 @@ static void pkcs7_free(void *s)
+ struct kmod_signature_info *si = s;
+ struct pkcs7_private *pvt = si->private;
+
+- CMS_ContentInfo_free(pvt->cms);
++ PKCS7_free(pvt->pkcs7);
+ BN_free(pvt->sno);
+ free(pvt->key_id);
+ free(pvt);
+@@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
+ struct kmod_signature_info *sig_info)
+ {
+ const char *pkcs7_raw;
+- CMS_ContentInfo *cms;
+- STACK_OF(CMS_SignerInfo) *sis;
+- CMS_SignerInfo *si;
+- int rc;
+- ASN1_OCTET_STRING *key_id;
++ PKCS7 *pkcs7;
++ STACK_OF(PKCS7_SIGNER_INFO) *sis;
++ PKCS7_SIGNER_INFO *si;
++ PKCS7_ISSUER_AND_SERIAL *is;
+ X509_NAME *issuer;
+ ASN1_INTEGER *sno;
+ ASN1_OCTET_STRING *sig;
+@@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size,
+
+ in = BIO_new_mem_buf(pkcs7_raw, sig_len);
+
+- cms = d2i_CMS_bio(in, NULL);
+- if (cms == NULL) {
++ pkcs7 = d2i_PKCS7_bio(in, NULL);
++ if (pkcs7 == NULL) {
+ BIO_free(in);
+ return false;
+ }
+
+ BIO_free(in);
+
+- sis = CMS_get0_SignerInfos(cms);
++ sis = PKCS7_get_signer_info(pkcs7);
+ if (sis == NULL)
+ goto err;
+
+- si = sk_CMS_SignerInfo_value(sis, 0);
++ si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
+ if (si == NULL)
+ goto err;
+
+- rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
+- if (rc == 0)
++ is = si->issuer_and_serial;
++ if (is == NULL)
+ goto err;
++ issuer = is->issuer;
++ sno = is->serial;
+
+- sig = CMS_SignerInfo_get0_signature(si);
++ sig = si->enc_digest;
+ if (sig == NULL)
+ goto err;
+
+- CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
++ PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
+
+ sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
+ sig_info->sig_len = ASN1_STRING_length(sig);
+@@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
+ if (pvt == NULL)
+ goto err3;
+
+- pvt->cms = cms;
++ pvt->pkcs7 = pkcs7;
+ pvt->key_id = key_id_str;
+ pvt->sno = sno_bn;
+ sig_info->private = pvt;
+@@ -290,7 +291,7 @@ err3:
+ err2:
+ BN_free(sno_bn);
+ err:
+- CMS_ContentInfo_free(cms);
++ PKCS7_free(pkcs7);
+ return false;
+ }
+
+--
+2.21.0
+
diff --git a/sys-apps/kmod/kmod-26.ebuild b/sys-apps/kmod/kmod-26-r1.ebuild
index c65b8e722432..a10a6cdda8d6 100644
--- a/sys-apps/kmod/kmod-26.ebuild
+++ b/sys-apps/kmod/kmod-26-r1.ebuild
@@ -21,7 +21,7 @@ HOMEPAGE="https://git.kernel.org/?p=utils/kernel/kmod/kmod.git"
LICENSE="LGPL-2"
SLOT="0"
-IUSE="debug doc lzma python ssl static-libs +tools zlib"
+IUSE="debug doc libressl lzma python ssl static-libs +tools zlib"
# Upstream does not support running the test suite with custom configure flags.
# I was also told that the test suite is intended for kmod developers.
@@ -36,7 +36,10 @@ RDEPEND="!sys-apps/module-init-tools
!<sys-apps/systemd-216-r3
lzma? ( >=app-arch/xz-utils-5.0.4-r1 )
python? ( ${PYTHON_DEPS} )
- ssl? ( >=dev-libs/openssl-1.1.0:0= )
+ ssl? (
+ !libressl? ( >=dev-libs/openssl-1.1.0:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
zlib? ( >=sys-libs/zlib-1.2.6 )" #427130
DEPEND="${RDEPEND}
doc? ( dev-util/gtk-doc )
@@ -55,6 +58,10 @@ REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
DOCS="NEWS README TODO"
+PATCHES=(
+ "${FILESDIR}/${P}-libressl.patch" # bug 677960
+)
+
src_prepare() {
default