10 changed files with 723 additions and 130 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/kmod-28.tar.xz
+SOURCES/kmod-25.tar.xz
--- a/.kmod.metadata
+++ b/.kmod.metadata
@ -1 +1 @@
-0acec2b6aea3e6eb71f0b549b0ff0abcac5da004 SOURCES/kmod-28.tar.xz
+761ee76bc31f5db10d470dad607a5f9d68acef68 SOURCES/kmod-25.tar.xz
--- a/SOURCES/0001-depmod-prevent-module-dependency-files-missing-durin.patch
+++ b/SOURCES/0001-depmod-prevent-module-dependency-files-missing-durin.patch
@ -0,0 +1,33 @@
 From c2996b5fa880e81f63c25e80a4157b2239e32c5d Mon Sep 17 00:00:00 2001
 From: Michal Suchanek <msuchanek@suse.de>
 Date: Mon, 10 Dec 2018 22:29:32 +0100
 Subject: [PATCH 1/2] depmod: prevent module dependency files missing during
 depmod invocation
 depmod deletes the module dependency files before moving the temporary
 files in their place. This results in user seeing no dependency files
 while they are updated. Remove the unlink call. The rename call should
 suffice to move the new file in place and unlink the old one. It should
 also do both atomically so there is no window when no dependency file
 exists.
 Signed-off-by: Michal Suchanek <msuchanek@suse.de>
 ---
 tools/depmod.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/tools/depmod.c b/tools/depmod.c
 index 989d9077926c..18c0d61b2db3 100644
 --- a/tools/depmod.c
 +++ b/tools/depmod.c
@@ -2451,7 +2451,6 @@ static int depmod_output(struct depmod *depmod, FILE *out)
 			break;
 		}
 -		unlinkat(dfd, itr->name, 0);
 		if (renameat(dfd, tmp, dfd, itr->name) != 0) {
 			err = -errno;
 			CRIT("renameat(%s, %s, %s, %s): %m\n",
 -- 
 2.33.0
--- a/SOURCES/0002-depmod-prevent-module-dependency-files-corruption-du.patch
+++ b/SOURCES/0002-depmod-prevent-module-dependency-files-corruption-du.patch
@ -0,0 +1,62 @@
 From a06bacf500d56b72b5f9b121ebf7f6af9e3df185 Mon Sep 17 00:00:00 2001
 From: Michal Suchanek <msuchanek@suse.de>
 Date: Mon, 17 Dec 2018 23:46:28 +0100
 Subject: [PATCH 2/2] depmod: prevent module dependency files corruption due to
 parallel invocation.
 Depmod does not use unique filename for temporary files. There is no
 guarantee the user does not attempt to run mutiple depmod processes in
 parallel. If that happens a temporary file might be created by
 depmod(1st), truncated by depmod(2nd), and renamed to final name by
 depmod(1st) resulting in corrupted file seen by user.
 Due to missing mkstempat() this is more complex than it should be.
 Adding PID and timestamp to the filename should be reasonably reliable.
 Adding O_EXCL as mkstemp does fails creating the file rather than
 corrupting existing file.
 Signed-off-by: Michal Suchanek <msuchanek@suse.de>
 ---
 tools/depmod.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 diff --git a/tools/depmod.c b/tools/depmod.c
 index 18c0d61b2db3..0f7e33ccfd59 100644
 --- a/tools/depmod.c
 +++ b/tools/depmod.c
@@ -29,6 +29,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <sys/stat.h>
 +#include <sys/time.h>
 #include <sys/utsname.h>
 #include <shared/array.h>
@@ -2398,6 +2399,9 @@ static int depmod_output(struct depmod *depmod, FILE *out)
 	};
 	const char *dname = depmod->cfg->dirname;
 	int dfd, err = 0;
 +	struct timeval tv;
 +
 +	gettimeofday(&tv, NULL);
 	if (out != NULL)
 		dfd = -1;
@@ -2416,11 +2420,12 @@ static int depmod_output(struct depmod *depmod, FILE *out)
 		int r, ferr;
 		if (fp == NULL) {
 -			int flags = O_CREAT | O_TRUNC | O_WRONLY;
 +			int flags = O_CREAT | O_EXCL | O_WRONLY;
 			int mode = 0644;
 			int fd;
 -			snprintf(tmp, sizeof(tmp), "%s.tmp", itr->name);
 +			snprintf(tmp, sizeof(tmp), "%s.%i.%li.%li", itr->name, getpid(),
 +					tv.tv_usec, tv.tv_sec);
 			fd = openat(dfd, tmp, flags, mode);
 			if (fd < 0) {
 				ERR("openat(%s, %s, %o, %o): %m\n",
 -- 
 2.33.0
--- a/SOURCES/kmod-libkmod-signature-implement-pkcs7-parsing-with-opens.patch
+++ b/SOURCES/kmod-libkmod-signature-implement-pkcs7-parsing-with-opens.patch
@ -0,0 +1,328 @@
 From 391b4714b495183baefa9cb10ac8e1600c166a59 Mon Sep 17 00:00:00 2001
 From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
 Date: Fri, 1 Feb 2019 22:20:02 +0200
 Subject: [PATCH] libkmod-signature: implement pkcs7 parsing with openssl
 The patch adds data fetching from the PKCS#7 certificate using
 openssl library (which is used by scripts/sign-file.c in the linux
 kernel to sign modules).
 In general the certificate can contain many signatures, but since
 kmod (modinfo) supports only one signature at the moment, only first
 one is taken.
 With the current sign-file.c certificate doesn't contain signer
 key's fingerprint, so "serial number" is used for the key id.
 Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
 ---
 Makefile.am                 |   4 +-
 configure.ac                |  11 ++
 libkmod/libkmod-internal.h  |   3 +
 libkmod/libkmod-module.c    |   3 +
 libkmod/libkmod-signature.c | 197 +++++++++++++++++++++++++++++++++++-
 5 files changed, 213 insertions(+), 5 deletions(-)
 diff --git a/Makefile.am b/Makefile.am
 index 1ab1db585316..de1026f8bd46 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -35,6 +35,8 @@ SED_PROCESS = \
 	-e 's,@liblzma_LIBS\@,${liblzma_LIBS},g' \
 	-e 's,@zlib_CFLAGS\@,${zlib_CFLAGS},g' \
 	-e 's,@zlib_LIBS\@,${zlib_LIBS},g' \
 +	-e 's,@openssl_CFLAGS\@,${openssl_CFLAGS},g' \
 +	-e 's,@openssl_LIBS\@,${openssl_LIBS},g' \
 	< $< > $@ || rm $@
 %.pc: %.pc.in Makefile
@@ -87,7 +89,7 @@ libkmod_libkmod_la_DEPENDENCIES = \
 	${top_srcdir}/libkmod/libkmod.sym
 libkmod_libkmod_la_LIBADD = \
 	shared/libshared.la \
 -	${liblzma_LIBS} ${zlib_LIBS}
 +	${liblzma_LIBS} ${zlib_LIBS} ${openssl_LIBS}
 noinst_LTLIBRARIES += libkmod/libkmod-internal.la
 libkmod_libkmod_internal_la_SOURCES = $(libkmod_libkmod_la_SOURCES)
 diff --git a/configure.ac b/configure.ac
 index fbc7391b2d1b..2e33380a0cc2 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -106,6 +106,17 @@ AS_IF([test "x$with_zlib" != "xno"], [
 ])
 CC_FEATURE_APPEND([with_features], [with_zlib], [ZLIB])
 +AC_ARG_WITH([openssl],
 +	AS_HELP_STRING([--with-openssl], [handle PKCS7 signatures @<:@default=disabled@:>@]),
 +	[], [with_openssl=no])
 +AS_IF([test "x$with_openssl" != "xno"], [
 +	PKG_CHECK_MODULES([openssl], [openssl])
 +	AC_DEFINE([ENABLE_OPENSSL], [1], [Enable openssl for modinfo.])
 +], [
 +	AC_MSG_NOTICE([openssl support not requested])
 +])
 +CC_FEATURE_APPEND([with_features], [with_openssl], [OPENSSL])
 +
 AC_ARG_WITH([bashcompletiondir],
 	AS_HELP_STRING([--with-bashcompletiondir=DIR], [Bash completions directory]),
 	[],
 diff --git a/libkmod/libkmod-internal.h b/libkmod/libkmod-internal.h
 index 346579c71aab..a65ddd156f18 100644
 --- a/libkmod/libkmod-internal.h
 +++ b/libkmod/libkmod-internal.h
@@ -188,5 +188,8 @@ struct kmod_signature_info {
 	const char *algo, *hash_algo, *id_type;
 	const char *sig;
 	size_t sig_len;
 +	void (*free)(void *);
 +	void *private;
 };
 bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signature_info *sig_info) _must_check_ __attribute__((nonnull(1, 2)));
 +void kmod_module_signature_info_free(struct kmod_signature_info *sig_info) __attribute__((nonnull));
 diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
 index 889f26479a98..bffe715cdef4 100644
 --- a/libkmod/libkmod-module.c
 +++ b/libkmod/libkmod-module.c
@@ -2357,6 +2357,9 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
 	ret = count;
 list_error:
 +	/* aux structures freed in normal case also */
 +	kmod_module_signature_info_free(&sig_info);
 +
 	if (ret < 0) {
 		kmod_module_info_free_list(*list);
 		*list = NULL;
 diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
 index 429ffbd8a957..48d0145a7552 100644
 --- a/libkmod/libkmod-signature.c
 +++ b/libkmod/libkmod-signature.c
@@ -19,6 +19,10 @@
 #include <endian.h>
 #include <inttypes.h>
 +#ifdef ENABLE_OPENSSL
 +#include <openssl/cms.h>
 +#include <openssl/ssl.h>
 +#endif
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -115,15 +119,194 @@ static bool fill_default(const char *mem, off_t size,
 	return true;
 }
 -static bool fill_unknown(const char *mem, off_t size,
 -			 const struct module_signature *modsig, size_t sig_len,
 -			 struct kmod_signature_info *sig_info)
 +#ifdef ENABLE_OPENSSL
 +
 +struct pkcs7_private {
 +	CMS_ContentInfo *cms;
 +	unsigned char *key_id;
 +	BIGNUM *sno;
 +};
 +
 +static void pkcs7_free(void *s)
 +{
 +	struct kmod_signature_info *si = s;
 +	struct pkcs7_private *pvt = si->private;
 +
 +	CMS_ContentInfo_free(pvt->cms);
 +	BN_free(pvt->sno);
 +	free(pvt->key_id);
 +	free(pvt);
 +	si->private = NULL;
 +}
 +
 +static int obj_to_hash_algo(const ASN1_OBJECT *o)
 +{
 +	int nid;
 +
 +	nid = OBJ_obj2nid(o);
 +	switch (nid) {
 +	case NID_md4:
 +		return PKEY_HASH_MD4;
 +	case NID_md5:
 +		return PKEY_HASH_MD5;
 +	case NID_sha1:
 +		return PKEY_HASH_SHA1;
 +	case NID_ripemd160:
 +		return PKEY_HASH_RIPE_MD_160;
 +	case NID_sha256:
 +		return PKEY_HASH_SHA256;
 +	case NID_sha384:
 +		return PKEY_HASH_SHA384;
 +	case NID_sha512:
 +		return PKEY_HASH_SHA512;
 +	case NID_sha224:
 +		return PKEY_HASH_SHA224;
 +	default:
 +		return -1;
 +	}
 +	return -1;
 +}
 +
 +static const char *x509_name_to_str(X509_NAME *name)
 +{
 +	int i;
 +	X509_NAME_ENTRY *e;
 +	ASN1_STRING *d;
 +	ASN1_OBJECT *o;
 +	int nid = -1;
 +	const char *str;
 +
 +	for (i = 0; i < X509_NAME_entry_count(name); i++) {
 +		e = X509_NAME_get_entry(name, i);
 +		o = X509_NAME_ENTRY_get_object(e);
 +		nid = OBJ_obj2nid(o);
 +		if (nid == NID_commonName)
 +			break;
 +	}
 +	if (nid == -1)
 +		return NULL;
 +
 +	d = X509_NAME_ENTRY_get_data(e);
 +	str = (const char *)ASN1_STRING_get0_data(d);
 +
 +	return str;
 +}
 +
 +static bool fill_pkcs7(const char *mem, off_t size,
 +		       const struct module_signature *modsig, size_t sig_len,
 +		       struct kmod_signature_info *sig_info)
 +{
 +	const char *pkcs7_raw;
 +	CMS_ContentInfo *cms;
 +	STACK_OF(CMS_SignerInfo) *sis;
 +	CMS_SignerInfo *si;
 +	int rc;
 +	ASN1_OCTET_STRING *key_id;
 +	X509_NAME *issuer;
 +	ASN1_INTEGER *sno;
 +	ASN1_OCTET_STRING *sig;
 +	BIGNUM *sno_bn;
 +	X509_ALGOR *dig_alg;
 +	X509_ALGOR *sig_alg;
 +	const ASN1_OBJECT *o;
 +	BIO *in;
 +	int len;
 +	unsigned char *key_id_str;
 +	struct pkcs7_private *pvt;
 +	const char *issuer_str;
 +
 +	size -= sig_len;
 +	pkcs7_raw = mem + size;
 +
 +	in = BIO_new_mem_buf(pkcs7_raw, sig_len);
 +
 +	cms = d2i_CMS_bio(in, NULL);
 +	if (cms == NULL) {
 +		BIO_free(in);
 +		return false;
 +	}
 +
 +	BIO_free(in);
 +
 +	sis = CMS_get0_SignerInfos(cms);
 +	if (sis == NULL)
 +		goto err;
 +
 +	si = sk_CMS_SignerInfo_value(sis, 0);
 +	if (si == NULL)
 +		goto err;
 +
 +	rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
 +	if (rc == 0)
 +		goto err;
 +
 +	sig = CMS_SignerInfo_get0_signature(si);
 +	if (sig == NULL)
 +		goto err;
 +
 +	CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
 +
 +	sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
 +	sig_info->sig_len = ASN1_STRING_length(sig);
 +
 +	sno_bn = ASN1_INTEGER_to_BN(sno, NULL);
 +	if (sno_bn == NULL)
 +		goto err;
 +
 +	len = BN_num_bytes(sno_bn);
 +	key_id_str = malloc(len);
 +	if (key_id_str == NULL)
 +		goto err2;
 +	BN_bn2bin(sno_bn, key_id_str);
 +
 +	sig_info->key_id = (const char *)key_id_str;
 +	sig_info->key_id_len = len;
 +
 +	issuer_str = x509_name_to_str(issuer);
 +	if (issuer_str != NULL) {
 +		sig_info->signer = issuer_str;
 +		sig_info->signer_len = strlen(issuer_str);
 +	}
 +
 +	X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
 +
 +	sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
 +	sig_info->id_type = pkey_id_type[modsig->id_type];
 +
 +	pvt = malloc(sizeof(*pvt));
 +	if (pvt == NULL)
 +		goto err3;
 +
 +	pvt->cms = cms;
 +	pvt->key_id = key_id_str;
 +	pvt->sno = sno_bn;
 +	sig_info->private = pvt;
 +
 +	sig_info->free = pkcs7_free;
 +
 +	return true;
 +err3:
 +	free(key_id_str);
 +err2:
 +	BN_free(sno_bn);
 +err:
 +	CMS_ContentInfo_free(cms);
 +	return false;
 +}
 +
 +#else /* ENABLE OPENSSL */
 +
 +static bool fill_pkcs7(const char *mem, off_t size,
 +		       const struct module_signature *modsig, size_t sig_len,
 +		       struct kmod_signature_info *sig_info)
 {
 	sig_info->hash_algo = "unknown";
 	sig_info->id_type = pkey_id_type[modsig->id_type];
 	return true;
 }
 +#endif /* ENABLE OPENSSL */
 +
 #define SIG_MAGIC "~Module signature appended~\n"
 /*
@@ -167,8 +350,14 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
 	switch (modsig->id_type) {
 	case PKEY_ID_PKCS7:
 -		return fill_unknown(mem, size, modsig, sig_len, sig_info);
 +		return fill_pkcs7(mem, size, modsig, sig_len, sig_info);
 	default:
 		return fill_default(mem, size, modsig, sig_len, sig_info);
 	}
 }
 +
 +void kmod_module_signature_info_free(struct kmod_signature_info *sig_info)
 +{
 +	if (sig_info->free)
 +		sig_info->free(sig_info);
 +}
 -- 
 2.20.1
--- a/SOURCES/kmod-modprobe-ignore-builtin-module-on-recursive-removing.patch
+++ b/SOURCES/kmod-modprobe-ignore-builtin-module-on-recursive-removing.patch
@ -0,0 +1,83 @@
 From 52a0ba82e1ad180f9f91920db70a758fac49466a Mon Sep 17 00:00:00 2001
 From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
 Date: Thu, 31 Oct 2019 20:12:53 +0200
 Subject: [PATCH] modprobe: ignore builtin module on recursive removing
 If there are built-in dependencies and any of them is built-in in
 the kernel, modprobe -r fails with
 modprobe: FATAL: Module module_name is builtin.
 It makes sense to ignore such dependencies for the case when
 removing is called for non-top level module.
 Example: cifs module, it declares bunch of softdeps and the first
 one fails on some kernel configs:
 modprobe: FATAL: Module gcm is builtin.
 Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
 ---
 tools/modprobe.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
 diff --git a/tools/modprobe.c b/tools/modprobe.c
 index a9e2331567af..44cd15c2bf57 100644
 --- a/tools/modprobe.c
 +++ b/tools/modprobe.c
@@ -353,7 +353,8 @@ static int rmmod_do_remove_module(struct kmod_module *mod)
 	return err;
 }
 -static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies);
 +static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies,
 +			   bool ignore_builtin);
 static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
 {
@@ -361,7 +362,7 @@ static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
 	kmod_list_foreach_reverse(l, list) {
 		struct kmod_module *m = kmod_module_get_module(l);
 -		int r = rmmod_do_module(m, false);
 +		int r = rmmod_do_module(m, false, true);
 		kmod_module_unref(m);
 		if (r < 0 && stop_on_errors)
@@ -371,7 +372,8 @@ static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
 	return 0;
 }
 -static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies)
 +static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies,
 +			   bool ignore_builtin)
 {
 	const char *modname = kmod_module_get_name(mod);
 	struct kmod_list *pre = NULL, *post = NULL;
@@ -401,8 +403,12 @@ static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies)
 			}
 			goto error;
 		} else if (state == KMOD_MODULE_BUILTIN) {
 -			LOG("Module %s is builtin.\n", modname);
 -			err = -ENOENT;
 +			if (ignore_builtin) {
 +				err = 0;
 +			} else {
 +				LOG("Module %s is builtin.\n", modname);
 +				err = -ENOENT;
 +			}
 			goto error;
 		}
 	}
@@ -462,7 +468,7 @@ static int rmmod(struct kmod_ctx *ctx, const char *alias)
 	kmod_list_foreach(l, list) {
 		struct kmod_module *mod = kmod_module_get_module(l);
 -		err = rmmod_do_module(mod, true);
 +		err = rmmod_do_module(mod, true, false);
 		kmod_module_unref(mod);
 		if (err < 0)
 			break;
 -- 
 2.24.0
--- a/SOURCES/kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch
+++ b/SOURCES/kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch
@ -0,0 +1,116 @@
 From a11057201ed326a9e65e757202da960735e45799 Mon Sep 17 00:00:00 2001
 From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
 Date: Fri, 16 Nov 2018 10:56:34 +0200
 Subject: [PATCH] signature: do not report wrong data for pkc#7 signature
 when PKC#7 signing method is used the old structure doesn't contain
 any useful data, but the data are encoded in the certificate.
 The info getting/showing code is not aware of that at the moment and
 since 0 is a valid constant, shows, for example, wrong "md4" for the
 hash algo.
 The patch splits the 2 mothods of gethering the info and reports
 "unknown" for the algo.
 Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
 ---
 libkmod/libkmod-module.c    |  2 +-
 libkmod/libkmod-signature.c | 56 +++++++++++++++++++++++++------------
 2 files changed, 39 insertions(+), 19 deletions(-)
 diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
 index ee420f4ec2bf..889f26479a98 100644
 --- a/libkmod/libkmod-module.c
 +++ b/libkmod/libkmod-module.c
@@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
 	struct kmod_elf *elf;
 	char **strings;
 	int i, count, ret = -ENOMEM;
 -	struct kmod_signature_info sig_info;
 +	struct kmod_signature_info sig_info = {};
 	if (mod == NULL || list == NULL)
 		return -ENOENT;
 diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
 index 1f3e26dea203..429ffbd8a957 100644
 --- a/libkmod/libkmod-signature.c
 +++ b/libkmod/libkmod-signature.c
@@ -92,6 +92,38 @@ struct module_signature {
 	uint32_t sig_len;    /* Length of signature data (big endian) */
 };
 +static bool fill_default(const char *mem, off_t size,
 +			 const struct module_signature *modsig, size_t sig_len,
 +			 struct kmod_signature_info *sig_info)
 +{
 +	size -= sig_len;
 +	sig_info->sig = mem + size;
 +	sig_info->sig_len = sig_len;
 +
 +	size -= modsig->key_id_len;
 +	sig_info->key_id = mem + size;
 +	sig_info->key_id_len = modsig->key_id_len;
 +
 +	size -= modsig->signer_len;
 +	sig_info->signer = mem + size;
 +	sig_info->signer_len = modsig->signer_len;
 +
 +	sig_info->algo = pkey_algo[modsig->algo];
 +	sig_info->hash_algo = pkey_hash_algo[modsig->hash];
 +	sig_info->id_type = pkey_id_type[modsig->id_type];
 +
 +	return true;
 +}
 +
 +static bool fill_unknown(const char *mem, off_t size,
 +			 const struct module_signature *modsig, size_t sig_len,
 +			 struct kmod_signature_info *sig_info)
 +{
 +	sig_info->hash_algo = "unknown";
 +	sig_info->id_type = pkey_id_type[modsig->id_type];
 +	return true;
 +}
 +
 #define SIG_MAGIC "~Module signature appended~\n"
 /*
@@ -112,7 +144,6 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
 	const struct module_signature *modsig;
 	size_t sig_len;
 -
 	size = kmod_file_get_size(file);
 	mem = kmod_file_get_contents(file);
 	if (size < (off_t)strlen(SIG_MAGIC))
@@ -134,21 +165,10 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
 	    size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len))
 		return false;
 -	size -= sig_len;
 -	sig_info->sig = mem + size;
 -	sig_info->sig_len = sig_len;
 -
 -	size -= modsig->key_id_len;
 -	sig_info->key_id = mem + size;
 -	sig_info->key_id_len = modsig->key_id_len;
 -
 -	size -= modsig->signer_len;
 -	sig_info->signer = mem + size;
 -	sig_info->signer_len = modsig->signer_len;
 -
 -	sig_info->algo = pkey_algo[modsig->algo];
 -	sig_info->hash_algo = pkey_hash_algo[modsig->hash];
 -	sig_info->id_type = pkey_id_type[modsig->id_type];
 -
 -	return true;
 +	switch (modsig->id_type) {
 +	case PKEY_ID_PKCS7:
 +		return fill_unknown(mem, size, modsig, sig_len, sig_info);
 +	default:
 +		return fill_default(mem, size, modsig, sig_len, sig_info);
 +	}
 }
 -- 
 2.20.1
--- a/SOURCES/man-rmmod-explain-why-modprobe-r-is-more-useful.patch
+++ b/SOURCES/man-rmmod-explain-why-modprobe-r-is-more-useful.patch
@ -1,58 +0,0 @@
 From 06fadcc6b17c3b9a534540dd6d74b0c5fb1d948d Mon Sep 17 00:00:00 2001
 From: Yauheni Kaliuta <ykaliuta@redhat.com>
 Date: Thu, 2 Feb 2023 15:47:36 +0200
 Subject: [PATCH] man/rmmod: explain why modprobe -r is more useful
 Improve user experience by explaining the option so the user may
 not search explanations in other manpages (modprobe).
 Signed-off-by: Yauheni Kaliuta <ykaliuta@redhat.com>
 Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
 Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
 ---
 man/rmmod.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/man/rmmod.xml b/man/rmmod.xml
 index e7c7e5f9e7dc..67bcbedd972b 100644
 --- a/man/rmmod.xml
 +++ b/man/rmmod.xml
@@ -52,7 +52,8 @@
       want to use
       <citerefentry>
         <refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum>
 -      </citerefentry> with the <option>-r</option> option instead.
 +      </citerefentry> with the <option>-r</option> option instead
 +      since it removes unused dependent modules as well.
     </para>
   </refsect1>
 --- a/man/rmmod.8	2020-12-28 02:58:30.085851136 +0200
 +++ b/man/rmmod.8	2023-02-09 16:55:55.967128297 +0200
@@ -2,12 +2,12 @@
 .\"     Title: rmmod
 .\"    Author: Jon Masters <jcm@jonmasters.org>
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
 -.\"      Date: 12/27/2020
 +.\"      Date: 02/09/2023
 .\"    Manual: rmmod
 .\"    Source: kmod
 .\"  Language: English
 .\"
 -.TH "RMMOD" "8" "12/27/2020" "kmod" "rmmod"
 +.TH "RMMOD" "8" "02/09/2023" "kmod" "rmmod"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -39,7 +39,7 @@
 \fBmodprobe\fR(8)
 with the
 \fB\-r\fR
 -option instead\&.
 +option instead since it removes unused dependent modules as well\&.
 .SH "OPTIONS"
 .PP
 \fB\-v\fR, \fB\-\-verbose\fR
 -- 
 2.39.1
--- a/SOURCES/weak-modules
+++ b/SOURCES/weak-modules
@ -620,6 +620,7 @@ update_modules_for_krel() {
    if ! validate_weak_links $krel && [[ -z "$force_update" ]]; then
        global_link_state_restore $krel
        compatible_modules=()
    fi
    # add compatible to installed
@ -1152,7 +1153,7 @@ while :; do
    shift
 done
-if [ ! -x "$dracut" ]
+if [ ! -x "$dracut" ] && [ -z "$no_initramfs" ]
 then
    echo "weak-modules: could not find dracut at $dracut"
    exit 1
--- a/SPECS/kmod.spec
+++ b/SPECS/kmod.spec
@ -1,25 +1,30 @@
 Name:		kmod
-Version:	28
+Version:	25
-Release:	9%{?dist}
+Release:	20%{?dist}
 Summary:	Linux kernel module management utilities
 Group:		System Environment/Kernel
 License:	GPLv2+
-URL:		https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git
+URL:		http://git.kernel.org/?p=utils/kernel/kmod/kmod.git;a=summary
 Source0:	https://www.kernel.org/pub/linux/utils/kernel/kmod/%{name}-%{version}.tar.xz
 Source1:	weak-modules
 Source2:	depmod.conf.dist
 Exclusiveos:	Linux
-Patch01:	man-rmmod-explain-why-modprobe-r-is-more-useful.patch
+Patch01:	kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch
 Patch02:	kmod-libkmod-signature-implement-pkcs7-parsing-with-opens.patch
 Patch03:	kmod-modprobe-ignore-builtin-module-on-recursive-removing.patch
 Patch04:	0001-depmod-prevent-module-dependency-files-missing-durin.patch
 Patch05:	0002-depmod-prevent-module-dependency-files-corruption-du.patch
-BuildRequires:  gcc
+BuildRoot:     %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires:	chrpath
 BuildRequires:	zlib-devel
 BuildRequires:	xz-devel
 BuildRequires:  libxslt
 BuildRequires:  openssl-devel
-BuildRequires:  make
+# Remove it as soon as no need for Patch02 anymore (Makefile.am updated)
-BuildRequires:  libzstd-devel
+BuildRequires:  automake autoconf libtool
 Provides:	module-init-tools = 4.0-1
 Obsoletes:	module-init-tools < 4.0-1
@ -34,6 +39,7 @@ examples of loaded and unloaded modules.
 %package libs
 Summary:	Libraries to handle kernel module loading and unloading
 License:	LGPLv2+
 Group:		System Environment/Libraries
 %description libs
 The kmod-libs package provides runtime libraries for any application that
@ -41,6 +47,7 @@ wishes to load or unload Linux kernel modules from the running system.
 %package devel
 Summary:	Header files for kmod development
 Group:		Development/Libraries
 Requires:	%{name}-libs%{?_isa} = %{version}-%{release}
 %description devel
@ -48,26 +55,30 @@ The kmod-devel package provides header files used for development of
 applications that wish to load or unload Linux kernel modules.
 %prep
-%autosetup -p1
+%setup -q
 %patch01 -p1
 %patch02 -p1
 %patch03 -p1
 %patch04 -p1
 %patch05 -p1
 %build
 export V=1
 aclocal
 autoreconf --install --symlink
 %configure \
  --with-openssl \
  --with-zlib \
-  --with-xz \
+  --with-xz   \
-  --with-zstd
+  --with-openssl
-
+make %{?_smp_mflags}
 %{make_build} V=1
 %install
-%{make_install}
+make install DESTDIR=$RPM_BUILD_ROOT
-
+pushd $RPM_BUILD_ROOT/%{_mandir}/man5
 pushd $RPM_BUILD_ROOT%{_mandir}/man5
 ln -s modprobe.d.5.gz modprobe.conf.5.gz
 popd
-find %{buildroot} -type f -name "*.la" -delete
+rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
 ln -sf ../bin/kmod $RPM_BUILD_ROOT%{_sbindir}/modprobe
 ln -sf ../bin/kmod $RPM_BUILD_ROOT%{_sbindir}/modinfo
@ -80,10 +91,16 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/modprobe.d
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d
 mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/modprobe.d
-install -pm 755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/weak-modules
+mkdir -p $RPM_BUILD_ROOT/sbin
 install -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/weak-modules
 install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf
 %post libs -p /sbin/ldconfig
 %postun libs -p /sbin/ldconfig
 %files
 %defattr(-,root,root,-)
 %dir %{_sysconfdir}/depmod.d
 %dir %{_sysconfdir}/modprobe.d
 %dir %{_prefix}/lib/modprobe.d
@ -102,6 +119,7 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf
 %doc NEWS README TODO
 %files libs
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %{_libdir}/libkmod.so.*
@ -111,73 +129,83 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf
 %{_libdir}/libkmod.so
 %changelog
-* Thu May 11 2023 Eugene Syromiatnikov <esyr@redhat.com> - 28-9
+* Wed Oct 11 2023 Eugene Syromiatnikov <esyr@redhat.com> - 25-20
 - Add symvers.xz support to weak-modules
- Resolves: rhbz#2192895
+- Resolves: RHEL-8903
-* Thu Feb  9 2023 Yauheni Kaliuta <ykaliuta@redhat.com> - 28-8
+* Mon Nov 29 2021 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-19
- man/rmmod: explain why modprobe -r is more useful
+- depmod: fix parallel execution issues
-  Resolves: rhbz#2164253
+  Resolves: rhbz#2026938
-* Thu Oct 21 2021 Yauheni Kaliuta <ykaliuta@redhat.com> - 28-7
+* Fri Apr 16 2021 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-18
- Add RHEL gating configuration. Related: rhbz#1985100
+- weak-modules: do not require dracut wneh using --no-initramfs
  Resolves: rhbz#1935416
-* Tue Aug 10 2021 Yauheni Kaliuta <ykaliuta@redhat.com> - 28-6
+* Fri Dec 18 2020 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-17
- add default config.
+- weak-modules: reset compatible_modules if configuration is not valid
-  Resolves: rhbz#1985100
+  Resolves: rhbz#1907855
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 28-5
+* Mon Dec  9 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-16
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- weak-modules: update_modules_for_krel: always finish sandbox
-  Related: rhbz#1991688
+- weak-modules: groupping: use dependencies of extra/ provider
  Resolves: rhbz#1778889
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 28-4
+* Mon Dec  9 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-15
- Rebuilt for RHEL 9 BETA for openssl 3.0
+- weak-modules: reverse checking order for add-kernel
-  Related: rhbz#1971065
+  Resolves: rhbz#1755196
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 28-3
+* Mon Dec  2 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-14
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- modprobe: do not fail on built-in modules
  Resolves: rhbz#1767513
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 28-2
+* Tue Apr 16 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+- weak-modules: handle independent modules in one run
  Resolves: rhbz#1695763
-* Thu Jan 07 2021 Josh Boyer <jwboyer@fedoraproject.org> - 28-1
+* Tue Apr  2 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-12
- New upstream v28
+- weak-modules: use asterisk for kernel version in sandbox
- Enable zstd support
+  Resolves: rhbz#1689052
 - Resolves: rhbz#1913949
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 27-3
+* Tue Feb  5 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+- add PKCS7/openssl support.
  Resolves: rhbz#1668459.
-* Wed Mar 25 2020 Yauheni Kaliuta <ykaliuta@fedoraproject.org> - 27-2
+* Tue Dec 11 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-10
- add 0001-depmod-do-not-output-.bin-to-stdout.patch
+- weak-modules: group modules on add-kernel
-  Resolves: rhbz#1808430
+- weak-modules: do not make groups if there are no extra modules
  Resolves: rhbz#1649211
-* Thu Feb 20 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 27-1
+* Tue Oct  2 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-9
- New upstream v27
+- Rebuild with updated flags.
  Resolves: rhbz#1630574.
-* Mon Jan 20 2020 Yauheni Kaliuta <ykaliuta@fedoraproject.org> - 26-5
+* Tue Sep  4 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-8
- weak-modules: sync with RHEL
+- weak-modules: fix initial state creation for dry-run
 - weak-modules: check compatibility in a temporary directory
  Resolves: rhbz#1622990.
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 26-4
+* Tue Aug 28 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+- weak-modules: use is_kernel_installed wrapper in update_modules_for_krel.
 - weak-modules: more abstract symvers search implementation.
 - weak-modules: use additional paths for System.map file.
  Resolves: rhbz#1621306.
-* Mon Feb 25 2019 Yauheni Kaliuta <yauheni.kaliuta@redhat.com> - 26-3
+* Thu Aug 09 2018 Eugene Syromiatnikov <esyr@redhat.com> - 25-6
- weak-modules: sync with RHEL
+- weak-modules: check also for /lib/modules/$krel/symvers.gz as a possible
  symvers file path.
  Resolves: rhbz#1614119.
-* Sun Feb 24 2019 Yauheni Kaliuta <ykaliuta@fedoraproject.org> - 26-2
+* Mon Jul 30 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-5
- add PKCS7/openssl support (rhbz 1320921)
+- weak-modules: handle versions with + and other special regex symbols
 - weak-modules: fix misleading message when cannot find dracut.
  Resolves: rhbz#1609372.
-* Sun Feb 24 2019 Yauheni Kaliuta <ykaliuta@fedoraproject.org> - 26-1
+* Fri Jul 27 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-4
- Update to version 26 (rhbz 1673749)
+- fix dracut path, /usr/bin/dracut
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 25-5
+* Wed Jul 25 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+- Add depmod.d/dist.conf.
-
+- Update weak-modules to RHEL version.
 * Mon Oct 29 2018 James Antill <james.antill@redhat.com> - 25-4
 - Remove ldconfig scriptlet, now done via. transfiletrigger in glibc (rhbz 1644063)
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 25-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 25-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@ -268,7 +296,7 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf
 - Update to version 13
 * Wed Mar 20 2013 Weiping Pan <wpan@redhat.com> - 12-3
- Pull in weak-modules for kABI from Jon Masters <jcm@redhat.com> 
+- Pull in weak-modules for kABI from Jon Masters <jcm@redhat.com>
 * Mon Mar 18 2013 Josh Boyer <jwboyer@redhat.com>
 - Add patch to make rmmod understand built-in modules (rhbz 922187)
`@ -1 +1 @@`
	`SOURCES/kmod-28.tar.xz`	`SOURCES/kmod-25.tar.xz`
`@ -1 +1 @@`
	`0acec2b6aea3e6eb71f0b549b0ff0abcac5da004 SOURCES/kmod-28.tar.xz`	`761ee76bc31f5db10d470dad607a5f9d68acef68 SOURCES/kmod-25.tar.xz`