Replace patch for sign-file.c with the one sent to upstream. CONFIG_MODULE_SIG_STREEBOG* does not make sense now as there is no tool to properly sign with a GOST algo

0001-sign-file-full-functionality-with-modern-LibreSSL.patch

@@ -0,0 +1,47 @@
+From 7fac9b5a88bf45574b92cc3ad74fac32f3bacbcc Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Thu, 19 Mar 2020 00:15:41 +0300
+Subject: [PATCH] sign-file: full functionality with modern LibreSSL
+
+Current pre-release version of LibreSSL has enabled CMS support,
+and now sign-file is fully functional with it.
+
+See https://github.com/libressl-portable/openbsd/commits/master
+
+To test buildability with LibreSSL:
+~$ git clone https://github.com/libressl-portable/portable.git
+~$ cd portable && ./autogen.sh
+~$ ./configure --prefix=/opt/libressl
+~$ make
+~# make install
+Go to the kernel source tree and:
+~$ gcc -I/opt/libressl/include -L /opt/libressl/lib -lcrypto -Wl,-rpath,/opt/libressl/lib scripts/sign-file.c -o scripts/sign-file
+
+Fixes: f8688017 ("sign-file: fix build error in sign-file.c with libressl")
+
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ scripts/sign-file.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/sign-file.c b/scripts/sign-file.c
+index fbd34b8e8f57..fd4d7c31d1bf 100644
+--- a/scripts/sign-file.c
++++ b/scripts/sign-file.c
+@@ -41,9 +41,10 @@
+  * signing with anything other than SHA1 - so we're stuck with that if such is
+  * the case.
+  */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+-	OPENSSL_VERSION_NUMBER < 0x10000000L || \
+-	defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++	( defined(LIBRESSL_VERSION_NUMBER) \
++	&& (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++	OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
+-- 
+2.20.1
+

WIP-Sign-modules-with-GOST-by-LibreSSL.patch

@@ -1,70 +0,0 @@
-From 686598dcff4fd9f91a77b95fb1cf852971283a49 Mon Sep 17 00:00:00 2001
-From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
-Date: Wed, 11 Dec 2019 21:17:15 +0300
-Subject: [PATCH 4/4] (WIP) Sign modules with GOST by LibreSSL
-
-[ work in progress ]
----
- certs/Makefile      |  1 +
- init/Kconfig        | 10 ++++++++++
- scripts/sign-file.c |  4 +---
- 3 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/certs/Makefile b/certs/Makefile
-index f4c25b67aad9..39fb3a53bfe3 100644
---- a/certs/Makefile
-+++ b/certs/Makefile
-@@ -60,6 +60,7 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
- 	@$(kecho) "### needs to be run as root, and uses a hardware random"
- 	@$(kecho) "### number generator if one is available."
- 	@$(kecho) "###"
-+# TODO: fix for LibreSSL/OpenSSL + GOST (Streebog)
- 	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
- 		-batch -x509 -config $(obj)/x509.genkey \
- 		-outform PEM -out $(obj)/signing_key.pem \
-diff --git a/init/Kconfig b/init/Kconfig
-index b4daad2bac23..0a733a1399e1 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -2119,6 +2119,14 @@ config MODULE_SIG_SHA512
- 	bool "Sign modules with SHA-512"
- 	select CRYPTO_SHA512
- 
-+config MODULE_SIG_STREEBOG256
-+	bool "Sign modules with STREEBOG-256"
-+	select CRYPTO_STREEBOG
-+
-+config MODULE_SIG_STREEBOG512
-+	bool "Sign modules with STREEBOG-512"
-+	select CRYPTO_STREEBOG
-+
- endchoice
- 
- config MODULE_SIG_HASH
-@@ -2129,6 +2137,8 @@ config MODULE_SIG_HASH
- 	default "sha256" if MODULE_SIG_SHA256
- 	default "sha384" if MODULE_SIG_SHA384
- 	default "sha512" if MODULE_SIG_SHA512
-+	default "streebog256" if MODULE_SIG_STREEBOG256
-+	default "streebog512" if MODULE_SIG_STREEBOG512
- 
- config MODULE_COMPRESS
- 	bool "Compress modules on installation"
-diff --git a/scripts/sign-file.c b/scripts/sign-file.c
-index fbd34b8e8f57..010c5f02ff5e 100644
---- a/scripts/sign-file.c
-+++ b/scripts/sign-file.c
-@@ -41,9 +41,7 @@
-  * signing with anything other than SHA1 - so we're stuck with that if such is
-  * the case.
-  */
--#if defined(LIBRESSL_VERSION_NUMBER) || \
--	OPENSSL_VERSION_NUMBER < 0x10000000L || \
--	defined(OPENSSL_NO_CMS)
-+#if defined(OPENSSL_NO_CMS) || OPENSSL_VERSION_NUMBER < 0x10000000L
- #define USE_PKCS7
- #endif
- #ifndef USE_PKCS7
--- 
-2.20.1
-

kernel.spec

@@ -11,7 +11,7 @@
 %define sublevel	25
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		10
+%define rpmrel		11
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -225,7 +225,8 @@ Patch202:	0002-Documentation-for-AltHa-LSM.patch
 
 # Other patches
 Patch301:	objtool-sync-check.sh-set-the-exit-code-explicitly.patch
-Patch302:	WIP-Sign-modules-with-GOST-by-LibreSSL.patch
+# sent to upstream
+Patch302:	0001-sign-file-full-functionality-with-modern-LibreSSL.patch
 
 # Disable AutoReq
 AutoReq: 	0
@@ -893,8 +894,6 @@ echo CONFIG_MODULE_SIG_FORCE=n >> %{build_dir}/.config.append
 # If %%build_debig is true, signatures will be stripped
 # We sign modules manually in a tricky way bellow
 echo CONFIG_MODULE_SIG_ALL=n >> %{build_dir}/.config.append
-# Use STREEBOG-512 algo (GOST R 34.11-12)
-echo CONFIG_MODULE_SIG_STREEBOG512=y >> %{build_dir}/.config.append
 # Set path to the key that will be generated later by openssl/libressl
 echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_priv_rnd}\" >> %{build_dir}/.config.append
 # Set path to one PEM file with all keys that the kernel must trust