Bug #1694

closed

integrate debian patches

Added by msuraev almost 8 years ago. Updated about 6 years ago.

Status: Resolved
Priority: High
Assignee:
Category: -
Target version: -
Start date: 04/22/2016
Due date:
% Done: 100%
Spec Reference:

Description

The libosmocore (and other parts) have been integrated into debian/ubuntu repos. The packaging (debian/ directory) slightly differs from our repos: some patches etc. It might make sense to integrate relevant changes.


Related issues

Related to libosmocore - Feature #2610: optimize GnuTLS fallback (New, 11/02/2017)

Actions #1

Updated by laforge over 7 years ago

  • Assignee set to msuraev
Actions #2

Updated by msuraev over 7 years ago

  • Status changed from New to Stalled
  • % Done changed from 0 to 10

Gerrit #1426 has been sent for review.

Actions #3

Updated by laforge over 7 years ago

Actions #4

Updated by msuraev about 7 years ago

libosmocore in Debian got 6 patches:
1,6 - erroneous
2,4 - already applied
3,5 - specific to Debian build process

Actions #5

Updated by msuraev about 7 years ago

openbsc got 5 patches:
2 are already fixed,
1 is debian-specific,
2 others are adopted into gerrit #1463 and 1464

Actions #6

Updated by msuraev about 7 years ago

  • Status changed from Stalled to In Progress
Actions #7

Updated by msuraev about 7 years ago

libosmo-sccp has 3 patches:
- already fixed
- debian-specific
- conflicting with current master
General changes to debian/ were sent for review in gerrit # 1468.

Actions #8

Updated by msuraev about 7 years ago

  • % Done changed from 10 to 20

Changes submitted to gerrit in 1469, 1473, 1478-1481, 1483-1485. The more intrusive changes are left for further iterations.

Actions #9

Updated by msuraev about 7 years ago

  • Status changed from In Progress to Stalled
Actions #10

Updated by msuraev about 7 years ago

Actions #11

Updated by msuraev about 7 years ago

  • Related to deleted (Feature #1894: include gnutls into our sdk)
Actions #12

Updated by msuraev about 7 years ago

Actions #13

Updated by msuraev almost 7 years ago

Gerrit 1464, 1526 are under review.

Actions #14

Updated by laforge over 6 years ago

ping? no status update for 3 months?

Actions #15

Updated by msuraev over 6 years ago

  • % Done changed from 20 to 30

Blocked by on-going discussion on OpenSSL and getrandom(). The biggest piece which is still out there is license incompatibility due to use of OpenSSL functions.

Proposed solutions:
- use re-licensed (under Apache 2.0) OpenSSL
- use getrandom()

The patches implementing 2nd approach are available in gerrit 1526, 3819-3821.

The downsides:
- the process of re-licensing of OpenSSL is not finished yet, it's unclear from which version onwards it'll be under Apache 2.0 and when this version hits the repositories.
- excessive use of random might (in theory) deplete entropy pool.

The last problem is not specific to either solution but can occur on both of them. So far we've dealt with it by falling back to insecure random generator while logging warning message.

Actions #16

Updated by laforge over 6 years ago

  • Priority changed from Normal to High

random-related patches have been merged, so please un-stall this.

Actions #17

Updated by msuraev over 6 years ago

  • Status changed from Stalled to In Progress
  • % Done changed from 30 to 40

Before merging related gerrit 3819-3821 we have to figure out why SYS_getrandom is undefined in case of our jenkins build. Initially I've suspected that configure test somehow fails but according to test results on gerrit 4193 that's not the case.

Actions #18

Updated by msuraev over 6 years ago

  • Status changed from In Progress to Feedback

On OBS SYS_getrandom is detected properly on all distros with the exception of debian 8. The getrandom syscall was introduced in kernel 3.17, Debian 8 has 3.16 according to https://wiki.debian.org/DebianJessie

From libosmocore PoV it's fine, however applications which do not implement insecure random fallback won't work on Debian 8. Not sure what shall I do about it?
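
An added illustration, not libosmocore code and not written by any participant in this ticket: the two distinct ways getrandom() can be missing, as discussed above. `SYS_getrandom` may be undefined at build time (older headers), or the syscall may return ENOSYS at run time on a kernel older than 3.17. The helper name `example_secure_random` and its error convention are assumptions made for this sketch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001	/* value from the Linux UAPI header linux/random.h */
#endif

/* Hypothetical helper (not libosmocore's API): fill buf with len bytes from
 * the kernel CSPRNG. Returns 0 on success, negative errno on failure:
 *  -ENOSYS  headers without SYS_getrandom at build time, or a kernel
 *           older than 3.17 at run time
 *  -EAGAIN  pool not initialised yet; GRND_NONBLOCK refuses to block */
int example_secure_random(unsigned char *buf, size_t len)
{
#ifdef SYS_getrandom
	size_t done = 0;

	while (done < len) {
		long rc = syscall(SYS_getrandom, buf + done, len - done, GRND_NONBLOCK);
		if (rc < 0) {
			int err = errno;
			if (err == EINTR)
				continue;	/* interrupted by a signal: retry */
			memset(buf, 0, len);	/* never hand back partial output */
			return -err;
		}
		done += (size_t)rc;	/* short reads are legal: keep going */
	}
	return 0;
#else
	memset(buf, 0, len);
	return -ENOSYS;	/* build host lacked the syscall number */
#endif
}

int main(void)
{
	unsigned char key[16];
	int rc = example_secure_random(key, sizeof(key));

	if (rc < 0) {	/* fail closed: the caller sees the reason and decides */
		fprintf(stderr, "no secure randomness: %s\n", strerror(-rc));
		return 1;
	}
	puts("got 16 bytes from getrandom()");
	return 0;
}
```

Returning a negative errno lets the caller tell "syscall unavailable" apart from "pool not ready" before deciding whether any fallback is acceptable for the value being generated.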

Actions #19

Updated by laforge over 6 years ago

On Thu, Oct 12, 2017 at 12:44:59PM +0000, msuraev [REDMINE] wrote:

Issue #1694 has been updated by msuraev.

Status changed from In Progress to Feedback

On OBS SYS_getrandom is detected properly on all distros with the exception of debian 8. The getrandom syscall was introduced in kernel 3.17, Debian 8 has 3.16 according to https://wiki.debian.org/DebianJessie

From libosmocore PoV it's fine, however applications which do not implement insecure random fallback won't work on Debian 8. Not sure what shall I do about it?

sigh. Guess we need a compile-time switch for libosmocore to use openssl, after all.

The default should be off, but on Debian 8 or other older environments, this could be enabled
at compile time, at which point ./configure must find openssl or otherwise abort.

I'd rather not leave this up to each application to resolve by itself.

click here: https://osmocom.org/my/account

Actions #20

Updated by msuraev over 6 years ago

laforge wrote:

sigh. Guess we need a compile-time switch for libosmocore to use openssl, after all.

This would not resolve the licensing issue - it will just move it from osmo-* to libosmocore and limit it to Debian 8 (which I think is as unlikely to get apache-licensed openssl as newer kernel with getrandom). I propose to use GnuTLS instead (it's license-compatible and available in Debian 8) as was the case with the earlier version of the patch.

The default should be off, but on Debian 8 or other older environments, this could be enabled
at compile time, at which point ./configure must find openssl or otherwise abort.

We can just enable it as a fallback to missing *getrandom instead of current "always return failure" fallback. Is there a case when we'd like to turn off this GnuTLS fallback and use current failure mode instead?

click here: https://osmocom.org/my/account

I'd rather not :-)

Actions #21

Updated by msuraev over 6 years ago

  • Status changed from Feedback to Stalled

Gerrit 4593 with fallback implementation is under review. Once it's merged, 3819-3821 jenkins tests should be retriggered.

Actions #22

Updated by msuraev over 6 years ago

Actions #23

Updated by msuraev over 6 years ago

  • Blocked by deleted (Feature #1894: include gnutls into our sdk)
Actions #24

Updated by msuraev over 6 years ago

  • % Done changed from 40 to 60

4593 is merged, 3819-3821 were updated.

Actions #25

Updated by msuraev about 6 years ago

  • Status changed from Stalled to Resolved
  • % Done changed from 60 to 100

Remaining patches 3819-3821 were merged. There's ongoing .deb packaging project - see https://osmocom.org/news/81 so we can close this ticket.
