Bug #1694

integrate debian patches

Added by msuraev over 1 year ago. Updated 25 days ago.

Status: Stalled
Priority: High
Assignee:
Category: -
Target version: -
Start date: 04/22/2016
Due date:
% Done: 60%
Spec Reference:

Description

The libosmocore (and other parts) have been integrated into debian/ubuntu repos. The packaging (debian/ directory) slightly differs from our repos: some patches etc. It might make sense to integrate relevant changes.


Related issues

Related to libosmocore - Feature #2610: optimize GnuTLS fallback New 11/02/2017

History

#1 Updated by laforge about 1 year ago

  • Assignee set to msuraev

#2 Updated by msuraev about 1 year ago

  • Status changed from New to Stalled
  • % Done changed from 0 to 10

Gerrit #1426 has been sent for review.

#3 Updated by laforge about 1 year ago

#4 Updated by msuraev 12 months ago

libosmocore in Debian got 6 patches:
1,6 - erroneous
2,4 - already applied
3,5 - specific to Debian build process

#5 Updated by msuraev 12 months ago

openbsc got 5 patches:
2 are already fixed,
1 is debian-specific,
2 others are adopted into gerrit #1463 and 1464

#6 Updated by msuraev 12 months ago

  • Status changed from Stalled to In Progress

#7 Updated by msuraev 12 months ago

libosmo-sccp has 3 patches:
- already fixed
- debian-specific
- conflicting with current master
General changes to debian/ were sent for review in gerrit #1468.

#8 Updated by msuraev 12 months ago

  • % Done changed from 10 to 20

Changes submitted to gerrit in 1469, 1473, 1478-1481, 1483-1485. The more intrusive changes are left for further iterations.

#9 Updated by msuraev 12 months ago

  • Status changed from In Progress to Stalled

#10 Updated by msuraev 12 months ago

#11 Updated by msuraev 12 months ago

  • Related to deleted (Feature #1894: include gnutls into our sdk)

#12 Updated by msuraev 12 months ago

#13 Updated by msuraev 6 months ago

Gerrit 1464, 1526 are under review.

#14 Updated by laforge 2 months ago

ping? no status update for 3 months?

#15 Updated by msuraev 2 months ago

  • % Done changed from 20 to 30

Blocked by on-going discussion on OpenSSL and getrandom(). The biggest piece which is still out there is license incompatibility due to use of OpenSSL functions.

Proposed solutions:
- use re-licensed (under Apache 2.0) OpenSSL
- use getrandom()

The patches implementing 2nd approach are available in gerrit 1526, 3819-3821.

The downsides:
- the process of re-licensing of OpenSSL is not finished yet, it's unclear from which version onwards it'll be under Apache 2.0 and when this version hits the repositories.
- excessive use of random might (in theory) deplete entropy pool.

The last problem is not specific to either solution but can occur on both of them. So far we've dealt with it by falling back to an insecure random generator while logging a warning message.

#16 Updated by laforge 2 months ago

  • Priority changed from Normal to High

random-related patches have been merged, so please un-stall this.

#17 Updated by msuraev 2 months ago

  • Status changed from Stalled to In Progress
  • % Done changed from 30 to 40

Before merging related gerrit 3819-3821 we have to figure out why SYS_getrandom is undefined in case of our jenkins build. Initially I've suspected that configure test somehow fails but according to test results on gerrit 4193 that's not the case.

#18 Updated by msuraev 2 months ago

  • Status changed from In Progress to Feedback

On OBS SYS_getrandom is detected properly on all distros with the exception of debian 8. The getrandom syscall was introduced in kernel 3.17, Debian 8 has 3.16 according to https://wiki.debian.org/DebianJessie

From libosmocore PoV it's fine, however applications which do not implement insecure random fallback won't work on Debian 8. Not sure what shall I do about it?

#19 Updated by laforge 2 months ago

On Thu, Oct 12, 2017 at 12:44:59PM +0000, msuraev [REDMINE] wrote:

> Issue #1694 has been updated by msuraev.
>
> Status changed from In Progress to Feedback
>
> On OBS SYS_getrandom is detected properly on all distros with the exception of debian 8. The getrandom syscall was introduced in kernel 3.17, Debian 8 has 3.16 according to https://wiki.debian.org/DebianJessie
>
> From libosmocore PoV it's fine, however applications which do not implement insecure random fallback won't work on Debian 8. Not sure what shall I do about it?

sigh. Guess we need a compile-time switch for libosmocore to use openssl, after all.

The default should be off, but on Debian 8 or other older environments, this could be enabled
at compile time, at which point ./configure must find openssl or otherwise abort.

I'd rather not leave this up to each application to resolve by itself.

lick here: https://osmocom.org/my/account

#20 Updated by msuraev 2 months ago

laforge wrote:

> sigh. Guess we need a compile-time switch for libosmocore to use openssl, after all.

This would not resolve the licensing issue - it will just move it from osmo-* to libosmocore and limit it to Debian 8 (which I think is as unlikely to get apache-licensed openssl as newer kernel with getrandom). I propose to use GnuTLS instead (it's license-compatible and available in Debian 8) as was the case with the earlier version of the patch.

> The default should be off, but on Debian 8 or other older environments, this could be enabled
> at compile time, at which point ./configure must find openssl or otherwise abort.

We can just enable it as a fallback to missing *getrandom instead of current "always return failure" fallback. Is there a case when we'd like to turn off this GnuTLS fallback and use current failure mode instead?

> lick here: https://osmocom.org/my/account

I'd rather not :-)

#21 Updated by msuraev about 1 month ago

  • Status changed from Feedback to Stalled

Gerrit 4593 with fallback implementation is under review. Once it's merged, 3819-3821 jenkins tests should be retriggered.

#22 Updated by msuraev about 1 month ago

#23 Updated by msuraev about 1 month ago

  • Blocked by deleted (Feature #1894: include gnutls into our sdk)

#24 Updated by msuraev 25 days ago

  • % Done changed from 40 to 60

4593 is merged, 3819-3821 were updated.
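
The two ways `getrandom` can be missing in updates #17 to #20, as an added C example that is not part of the ticket or of libosmocore's code: `SYS_getrandom` undefined at build time, and `ENOSYS` from a pre-3.17 kernel at run time, with a secondary source consulted only in that case. All function names are hypothetical, and `/dev/urandom` stands in for the GnuTLS fallback proposed in the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>

typedef int (*rand_fn)(uint8_t *out, size_t len); /* returns 0 or -errno */
/* Primary source: the raw getrandom() syscall discussed in the thread. */
int src_getrandom(uint8_t *out, size_t len)
{
#ifdef SYS_getrandom
	size_t done = 0;
	while (done < len) {
		long rc = syscall(SYS_getrandom, out + done, len - done, 0);
		if (rc < 0 && errno != EINTR)
			return -errno; /* ENOSYS at run time: kernel older than 3.17 */
		if (rc > 0)
			done += (size_t)rc;
	}
	return 0;
#else
	(void)out; (void)len;
	return -ENOSYS; /* build-time miss: headers do not define SYS_getrandom */
#endif
}

/* Constructed stand-in for a pre-3.17 kernel such as Debian 8's 3.16. */
int src_enosys(uint8_t *out, size_t len) { (void)out; (void)len; return -ENOSYS; }

/* Assumed secondary source: the thread proposes GnuTLS, /dev/urandom is used here. */
int src_urandom(uint8_t *out, size_t len)
{
	int fd = open("/dev/urandom", O_RDONLY);
	if (fd < 0)
		return -errno;
	ssize_t n = read(fd, out, len);
	close(fd);
	return n == (ssize_t)len ? 0 : -EIO;
}

/* Returns 1 if the primary served, 2 if the fallback did, otherwise -errno. */
int get_rand_checked(rand_fn primary, rand_fn fallback, uint8_t *out, size_t len)
{
	int rc = primary(out, len);
	if (rc == -ENOSYS && fallback && fallback(out, len) == 0)
		return 2;
	return rc == 0 ? 1 : rc;
}
```

With no fallback configured the caller gets `-ENOSYS` back, which is the "always return failure" mode mentioned in update #20.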
