Bug #1694

integrate debian patches

Added by msuraev about 5 years ago. Updated over 3 years ago.

Status: Resolved
Priority: High
Assignee:
Category: -
Target version: -
Start date: 04/22/2016
Due date:
% Done: 100%
Spec Reference:

Description

The libosmocore (and other parts) have been integrated into debian/ubuntu repos. The packaging (debian/ directory) slightly differs from our repos: some patches etc. It might make sense to integrate relevant changes.


Related issues

Related to libosmocore - Feature #2610: optimize GnuTLS fallback (Status: New, 11/02/2017)

Associated revisions

Revision 59d57da1 (diff)
Added by rubund over 4 years ago

Fix some typos in stdout output

Change-Id: I0dbb438f3bfbaf9744717cbeec31ceefdd679ee9
Related: OS#1694

Revision 6a161e1a (diff)
Added by rubund over 4 years ago

Fix some typos in stdout output

Change-Id: I0dbb438f3bfbaf9744717cbeec31ceefdd679ee9
Related: OS#1694

Revision 5fa8b083 (diff)
Added by max over 4 years ago

Integrate Debian packaging changes

debian/control:
  • restructure to make it easier to incorporate further changes
  • update package descriptions
  • update project URL
debian/rules:
  • use proper hardening syntax
  • restructure to make it easier to incorporate further changes
  • remove useless comment

debian/compat: update compatibility version

debian/copyright: update to match Debian format

Change-Id: I49cc9239b15dc77d782914ca2547e601d049acdc
Related: OS#1694

Revision d6edfa1d (diff)
Added by max over 4 years ago

Integrate Debian packaging changes

debian/control:
  • restructure to make it easier to incorporate further changes
  • update package descriptions
  • update project URL
debian/rules:
  • use proper hardening syntax
  • restructure to make it easier to incorporate further changes
  • remove useless comment

debian/compat: update compatibility version

debian/copyright: update to match Debian format

Change-Id: I49cc9239b15dc77d782914ca2547e601d049acdc
Related: OS#1694

Revision 8cfba6c1 (diff)
Added by max over 4 years ago

Integrate Debian packaging changes

debian/control:
  • restructure to make it easier to incorporate further changes
  • update package descriptions
  • update project URL
debian/rules:
  • use proper hardening syntax
  • restructure to make it easier to incorporate further changes
  • remove useless comment

debian/copyright: update to match Debian format

Change-Id: I5d68891faa03ae83beeda58eb8ff8aa747dc6ad6
Related: OS#1694

Revision 5f3871e3 (diff)
Added by max over 4 years ago

Integrate Debian packaging changes

debian/control:
  • restructure to make it easier to incorporate further changes
  • update package descriptions
  • update project URL
debian/rules:
  • use proper hardening syntax
  • restructure to make it easier to incorporate further changes
  • add cleanup override

debian/copyright: add file matching Debian format

Change-Id: I6af8ab7f5c75b4d161cebf492f3de5d9dbd00220
Related: OS#1694

Revision c9a86ff3 (diff)
Added by max over 4 years ago

Integrate Debian packaging changes

debian/control:
  • restructure to make it easier to incorporate further changes
  • update package descriptions
  • update project URL
debian/rules:
  • use proper hardening syntax
  • restructure to make it easier to incorporate further changes
  • add cleanup override

debian/copyright: add file matching Debian format

Change-Id: I9174b34a79c0562ef43f757ea76d67301088f109
Related: OS#1694

Revision 126def71 (diff)
Added by max over 4 years ago

Integrate Debian packaging changes

debian/control:
  • restructure to make it easier to incorporate further changes
  • update package descriptions
  • move build-depends to a proper place
  • update project URL
debian/rules:
  • use proper hardening syntax
  • strip linker option without explicit shell invocation
  • remove useless comment
  • add extra cleanup

debian/: package documentation separately

debian/docs: remove empty file

debian/copyright: update to match Debian format

Change-Id: Ia7654d34730e9f269831612bfba70a1338ce29d3
Related: OS#1694

Revision c2ecca6b (diff)
Added by max over 4 years ago

Integrate Debian packaging changes

debian/control:
  • restructure to make it easier to incorporate further changes
  • update package descriptions
  • update project URL
debian/rules:
  • use proper hardening syntax
  • restructure to make it easier to incorporate further changes
  • remove useless comment
  • add cleanup and test overrides

debian/compat: update compatibility version

Change-Id: Ibf62448eee1df914d21834f5b54831e3f642b79c
Related: OS#1694

Revision f3763590 (diff)
Added by max over 4 years ago

Add copyright for .deb packages

Add debian/copyright in Debian format which should have been added in
c2ecca6b0496127709dcd3afa9d366085d8bec97.

Change-Id: I4c7ef1286ba6d2f3c6aadc8ea1864be513f8cf1d
Related: OS#1694

Revision b632e03f (diff)
Added by max over 4 years ago

Remove obsolete .deb patch

Change-Id: Icbf911540fcc840833c5012363c2ba48fd71db52
Related: OS#1694

Revision 833e97e9 (diff)
Added by max over 4 years ago

Integrate Debian packaging changes

debian/control:
  • restructure to make it easier to incorporate further changes
  • update package descriptions
  • update project URL
debian/rules:
  • use proper hardening syntax

debian/copyright: update to match Debian format

Change-Id: I9a89e7311c8632ae26ac2e6c02d1e427d94b1608
Related: OS#1694

Revision 4b2b0cc1 (diff)
Added by max over 3 years ago

Add function to generate random identifier

The function is a wrapper on top of getrandom() (if available via glibc) or
corresponding syscall. If neither is available then failure is always
returned.

It's intended to generate small random data good enough for session
identifiers and keys. To generate long-term cryptographic keys it's
better to use special crypto libraries (like GnuTLS for example)
instead.

As an example it's used to replace old insecure random number generator
in osmo-auc-gen utility.

Change-Id: I0241b814ea4c4ce1458f7ad76e31d390383c2048
Related: OS#1694

Revision f624546e (diff)
Added by max over 3 years ago

Fix build on older systems

Make sure GRND_NONBLOCK is always defined, even when using syscall
directly.

Change-Id: I1bcac37ee1847596b49122f9307bd2689ba71b1b
Related: OS#1694

Revision ed029dfa (diff)
Added by max over 3 years ago

Enable GnuTLS fallback

On systems with GNU/Linux kernel older than 3.17 (Debian 8 "jessie" for
example) the osmo_get_rand_id() would always return failure due to
missing getrandom() syscall.

To support such systems, let's add fallback code which uses GnuTLS
library. It can be disabled explicitly via '--disable-gnutls' option at
compile-time, otherwise ./configure will fail if both getrandom() and
GnuTLS are not available. When building with '--enable-embedded' the
fallback is disabled automatically.

Related: OS#1694

Change-Id: Ic77866ce65acf524b768882c751a4f9c0635740b
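
The fail-closed getrandom() wrapper that the commit messages for 4b2b0cc1, f624546e and ed029dfa describe, as an added example; it is not libosmocore's osmo_get_rand_id() source. The names `example_get_rand_id` and `RAND_ID_MAX` are hypothetical, and only the raw-syscall path is shown, without the glibc wrapper or the GnuTLS fallback.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for syscall() */
#endif
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Older headers can provide SYS_getrandom without the flag definition,
 * which is the build failure the "older systems" fix addresses. */
#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001
#endif

#define RAND_ID_MAX 16 /* hypothetical cap: session ids and short keys only */

/* Fill out[0..len) from the kernel CSPRNG.
 * Returns 0 on success or a negative errno value; it never substitutes
 * a weaker generator such as rand(). */
int example_get_rand_id(uint8_t *out, size_t len)
{
	if (!out || len == 0 || len > RAND_ID_MAX)
		return -EINVAL;
#ifdef SYS_getrandom
	size_t done = 0;
	while (done < len) {
		long rc = syscall(SYS_getrandom, out + done, len - done,
				  GRND_NONBLOCK);
		if (rc < 0) {
			if (errno == EINTR)
				continue; /* interrupted by a signal: retry */
			/* EAGAIN: pool not yet initialised.
			 * ENOSYS: running kernel older than 3.17. */
			return -errno;
		}
		done += (size_t)rc;
	}
	return 0;
#else
	/* Built against headers without the syscall number: this is the
	 * point where a library-backed fallback would be compiled in. */
	(void)out;
	return -ENOSYS;
#endif
}
```

A caller treats any non-zero return as "no identifier available" and decides explicitly whether to abort or degrade; the buffer contents are undefined on failure.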

Revision 858cfecf (diff)
Added by laforge over 3 years ago

debian: build now depends on libgnutls

In Change-Id Ic77866ce65acf524b768882c751a4f9c0635740b we introduced a
gnutls fall-back for random number generation, and made this a default
unless explicitly disabled at compile time. This means the debian
package needs related build dependency.

Change-Id: I918e4b7bf1cb621679dce6339b3c4b69d653e2a6
Related: OS#1694

Revision ca7be8a5 (diff)
Added by max over 3 years ago

Migrate from OpenSSL to osmo_get_rand_id()

This avoids potential licensing incompatibility and makes integration of
Debian packaging patches easier.

The libosmocore version requirements are fine already but for jenkins
tests to pass we have to have Ic77866ce65acf524b768882c751a4f9c0635740b
merged into libosmocore master.

Related: OS#1694
Change-Id: I2b687b7f07ef05bbd861b8479cad5a958a3dde92

Revision ad1e3cdd (diff)
Added by max over 3 years ago

Migrate from OpenSSL to osmo_get_rand_id()

This avoids potential licensing incompatibility and makes integration of
Debian packaging patches easier.

The libosmocore version requirements are fine already but for jenkins
tests to pass we have to have Ic77866ce65acf524b768882c751a4f9c0635740b
merged into libosmocore master.

Change-Id: Ia57bf1300525cf3c247284fe966b1c415c2d53e2
Related: OS#1694

History

#1 Updated by laforge over 4 years ago

  • Assignee set to msuraev

#2 Updated by msuraev over 4 years ago

  • Status changed from New to Stalled
  • % Done changed from 0 to 10

Gerrit #1426 has been sent for review.

#3 Updated by laforge over 4 years ago

#4 Updated by msuraev over 4 years ago

libosmocore in Debian got 6 patches:
1,6 - erroneous
2,4 - already applied
3,5 - specific to Debian build process

#5 Updated by msuraev over 4 years ago

openbsc got 5 patches:
2 are already fixed,
1 is debian-specific,
2 others are adopted into gerrit #1463 and 1464

#6 Updated by msuraev over 4 years ago

  • Status changed from Stalled to In Progress

#7 Updated by msuraev over 4 years ago

libosmo-sccp has 3 patches:
- already fixed
- debian-specific
- conflicting with current master
General changes to debian/ were sent for review in gerrit # 1468.

#8 Updated by msuraev over 4 years ago

  • % Done changed from 10 to 20

Changes submitted to gerrit in 1469, 1473, 1478-1481, 1483-1485. The more intrusive changes are left for further iterations.

#9 Updated by msuraev over 4 years ago

  • Status changed from In Progress to Stalled

#10 Updated by msuraev over 4 years ago

#11 Updated by msuraev over 4 years ago

  • Related to deleted (Feature #1894: include gnutls into our sdk)

#12 Updated by msuraev over 4 years ago

#13 Updated by msuraev almost 4 years ago

Gerrit 1464, 1526 are under review.

#14 Updated by laforge over 3 years ago

ping? no status update for 3 months?

#15 Updated by msuraev over 3 years ago

  • % Done changed from 20 to 30

Blocked by on-going discussion on OpenSSL and getrandom(). The biggest piece which is still out there is license incompatibility due to use of OpenSSL functions.

Proposed solutions:
- use re-licensed (under Apache 2.0) OpenSSL
- use getrandom()

The patches implementing 2nd approach are available in gerrit 1526, 3819-3821.

The downsides:
- the process of re-licensing of OpenSSL is not finished yet, it's unclear from which version onwards it'll be under Apache 2.0 and when this version hits the repositories.
- excessive use of random might (in theory) deplete entropy pool.

The last problem is not specific to either solution but can occur on both of them. So far we've dealt with it by falling back to insecure random generator while logging warning message.

#16 Updated by laforge over 3 years ago

  • Priority changed from Normal to High

random-related patches have been merged, so please un-stall this.

#17 Updated by msuraev over 3 years ago

  • Status changed from Stalled to In Progress
  • % Done changed from 30 to 40

Before merging related gerrit 3819-3821 we have to figure out why SYS_getrandom is undefined in case of our jenkins build. Initially I've suspected that configure test somehow fails but according to test results on gerrit 4193 that's not the case.

#18 Updated by msuraev over 3 years ago

  • Status changed from In Progress to Feedback

On OBS SYS_getrandom is detected properly on all distros with the exception of debian 8. The getrandom syscall was introduced in kernel 3.17, Debian 8 has 3.16 according to https://wiki.debian.org/DebianJessie

From libosmocore PoV it's fine, however applications which do not implement insecure random fallback won't work on Debian 8. Not sure what shall I do about it?

#19 Updated by laforge over 3 years ago

On Thu, Oct 12, 2017 at 12:44:59PM +0000, msuraev [REDMINE] wrote:

Issue #1694 has been updated by msuraev.

Status changed from In Progress to Feedback

On OBS SYS_getrandom is detected properly on all distros with the exception of debian 8. The getrandom syscall was introduced in kernel 3.17, Debian 8 has 3.16 according to https://wiki.debian.org/DebianJessie

From libosmocore PoV it's fine, however applications which do not implement insecure random fallback won't work on Debian 8. Not sure what shall I do about it?

sigh. Guess we need a compile-time switch for libosmocore to use openssl, after all.

The default should be off, but on Debian 8 or other older environments, this could be enabled
at compile time, at which point ./configure must find openssl or otherwise abort.

I'd rather not leave this up to each application to resolve by itself.

lick here: https://osmocom.org/my/account

#20 Updated by msuraev over 3 years ago

laforge wrote:

sigh. Guess we need a compile-time switch for libosmocore to use openssl, after all.

This would not resolve the licensing issue - it will just move it from osmo-* to libosmocore and limit it to Debian 8 (which I think is as unlikely to get apache-licensed openssl as newer kernel with getrandom). I propose to use GnuTLS instead (it's license-compatible and available in Debian 8) as was the case with the earlier version of the patch.

The default should be off, but on Debian 8 or other older environments, this could be enabled
at compile time, at which point ./configure must find openssl or otherwise abort.

We can just enable it as a fallback to missing *getrandom instead of current "always return failure" fallback. Is there a case when we'd like to turn off this GnuTLS fallback and use current failure mode instead?

lick here: https://osmocom.org/my/account

I'd rather not :-)

#21 Updated by msuraev over 3 years ago

  • Status changed from Feedback to Stalled

Gerrit 4593 with fallback implementation is under review. Once it's merged, 3819-3821 jenkins tests should be retriggered.

#22 Updated by msuraev over 3 years ago

#23 Updated by msuraev over 3 years ago

  • Blocked by deleted (Feature #1894: include gnutls into our sdk)

#24 Updated by msuraev over 3 years ago

  • % Done changed from 40 to 60

4593 is merged, 3819-3821 were updated.

#25 Updated by msuraev over 3 years ago

  • Status changed from Stalled to Resolved
  • % Done changed from 60 to 100

Remaining patches 3819-3821 were merged. There's ongoing .deb packaging project - see https://osmocom.org/news/81 so we can close this ticket.
