[pkg-wpa-devel] r1508 - /crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch
kelmo-guest at users.alioth.debian.org
kelmo-guest at users.alioth.debian.org
Thu Mar 4 13:29:39 UTC 2010
Author: kelmo-guest
Date: Thu Mar 4 13:29:38 2010
New Revision: 1508
URL: http://svn.debian.org/wsvn/pkg-wpa/?sc=1&rev=1508
Log:
Enhance patch to version to be submitted upstream.
Modified:
crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch
Modified: crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch
URL: http://svn.debian.org/wsvn/pkg-wpa/crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch?rev=1508&op=diff
==============================================================================
--- crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch (original)
+++ crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch Thu Mar 4 13:29:38 2010
@@ -1,10 +1,15 @@
-If USE_OPENSSL=1 do not embed crypto data into binary and use the PUBKEY_DIR
-variable just as it is when USE_GCRYPT=1. When verification fails provide
-information about the PUBKEY_DIR variable.
-
-This change removes support for runtime pubkey dir /etc/wireless-regdb/pubkeys
-as wireless-regdb does not currently install custom pubkeys to
-/etc/wireless-regdb/pubkeys and I can't see any further value to it.
+When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR
+variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR
+for signature verification at runtime. When verification fails provide
+information about the PUBKEY_DIR variable (instead of just being a comment).
+
+This allows wireless-regdb to be built from source and upgraded independently
+of crda. This is _crucial_ for distribution packages.
+
+This change also removes support for runtime pubkey dir
+/etc/wireless-regdb/pubkeys because wireless-regdb does not currently install
+custom pubkeys to /etc/wireless-regdb/pubkeys, and couldn't care less
+about that feature :)
Fix typo (s/make noverify/makeall_noverify).
@@ -26,7 +31,7 @@
CFLAGS += -Wall -g
all: all_noverify verify
-@@ -30,12 +23,12 @@ all: all_noverify verify
+@@ -30,17 +23,22 @@ all: all_noverify verify
all_noverify: crda intersect regdbdump
ifeq ($(USE_OPENSSL),1)
@@ -42,21 +47,50 @@
CFLAGS += -DUSE_GCRYPT
LDLIBS += -lgcrypt
-@@ -82,7 +75,13 @@ $(REG_BIN):
+ reglib.o: keys-gcrypt.c
+
++keys-gcrypt.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem)
++ $(NQ) ' GEN ' $@
++ $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem)
++ $(Q)./utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) $@
++
+ endif
+ MKDIR ?= mkdir -p
+ INSTALL ?= install
+@@ -82,15 +80,10 @@ $(REG_BIN):
$(NQ) $(REG_GIT)
$(NQ)
$(NQ) "Once cloned (no need to build) cp regulatory.bin to $(REG_BIN)"
- $(NQ) "Use \"make noverify\" to disable verification"
-+ $(NQ)
-+ $(NQ) "If your distribution requires a custom pubkeys dir you must set"
-+ $(NQ) "PUBKEY_DIR to path where the keys are installed by wireless-regdb."
-+ $(NQ) "For example:"
-+ $(NQ) " make PUBKEY_DIR=/usr/lib/crda/pubkeys"
-+ $(NQ)
+ $(NQ) "Use \"make all_noverify\" to disable verification"
$(NQ)
$(Q) exit 1
+-keys-%.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem)
+- $(NQ) ' GEN ' $@
+- $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem)
+- $(Q)./utils/key2pub.py --$* $(wildcard $(PUBKEY_DIR)/*.pem) $@
+-
+ %.o: %.c regdb.h
+ $(NQ) ' CC ' $@
+ $(Q)$(CC) -c $(CPPFLAGS) $(CFLAGS) -o $@ $<
+@@ -109,7 +102,15 @@ intersect: reglib.o intersect.o print-re
+
+ verify: $(REG_BIN) regdbdump
+ $(NQ) ' CHK $(REG_BIN)'
+- $(Q)./regdbdump $(REG_BIN) >/dev/null
++ @if ! ./regdbdump $(REG_BIN) >/dev/null; then \
++ echo; \
++ echo "If your distribution requires a custom pubkeys dir you must set"; \
++ echo "PUBKEY_DIR to path where the keys are installed by wireless-regdb."; \
++ echo "For example:"; \
++ echo " make PUBKEY_DIR=/lib/crda/pubkeys"; \
++ echo; \
++ exit 1; \
++ fi
+
+ %.gz: %
+ @$(NQ) ' GZIP' $<
--- a/reglib.c
+++ b/reglib.c
@@ -18,10 +18,6 @@
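Review bot: The new `verify` recipe prints the PUBKEY_DIR hint on every non-zero exit of `./regdbdump $(REG_BIN)`, so a regulatory.bin that is corrupt or signed by a key outside the trusted set would presumably get the same advice as a misconfigured key directory. I would add one more line before the final `echo;`, for example `echo "Otherwise check that $(REG_BIN) is intact and signed by a key in PUBKEY_DIR."; \`, so the reader is not steered only towards repointing the key directory. Since the description says that with USE_OPENSSL=1 the certs are now loaded from PUBKEY_DIR at runtime, that directory becomes the trust anchor. The patch header should state that it must be writable only by root, because any key placed there is accepted for signature verification.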
@@ -104,3 +138,126 @@
while (!ok && (nextfile = readdir(pubkey_dir))) {
snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
nextfile->d_name);
+--- a/utils/key2pub.py
++++ b/utils/key2pub.py
+@@ -9,81 +9,6 @@ except ImportError, e:
+ sys.stderr.write('On Debian GNU/Linux the package is called "python-m2crypto".\n')
+ sys.exit(1)
+
+-def print_ssl_64(output, name, val):
+- while val[0] == '\0':
+- val = val[1:]
+- while len(val) % 8:
+- val = '\0' + val
+- vnew = []
+- while len(val):
+- vnew.append((val[0], val[1], val[2], val[3], val[4], val[5], val[6], val[7]))
+- val = val[8:]
+- vnew.reverse()
+- output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew)))
+- idx = 0
+- for v1, v2, v3, v4, v5, v6, v7, v8 in vnew:
+- if not idx:
+- output.write('\t')
+- output.write('0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4), ord(v5), ord(v6), ord(v7), ord(v8)))
+- idx += 1
+- if idx == 2:
+- idx = 0
+- output.write('\n')
+- if idx:
+- output.write('\n')
+- output.write('};\n\n')
+-
+-def print_ssl_32(output, name, val):
+- while val[0] == '\0':
+- val = val[1:]
+- while len(val) % 4:
+- val = '\0' + val
+- vnew = []
+- while len(val):
+- vnew.append((val[0], val[1], val[2], val[3], ))
+- val = val[4:]
+- vnew.reverse()
+- output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew)))
+- idx = 0
+- for v1, v2, v3, v4 in vnew:
+- if not idx:
+- output.write('\t')
+- output.write('0x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4)))
+- idx += 1
+- if idx == 4:
+- idx = 0
+- output.write('\n')
+- if idx:
+- output.write('\n')
+- output.write('};\n\n')
+-
+-def print_ssl(output, name, val):
+- import struct
+- if len(struct.pack('@L', 0)) == 8:
+- return print_ssl_64(output, name, val)
+- else:
+- return print_ssl_32(output, name, val)
+-
+-def print_ssl_keys(output, n):
+- output.write(r'''
+-struct pubkey {
+- struct bignum_st e, n;
+-};
+-
+-#define KEY(data) { \
+- .d = data, \
+- .top = sizeof(data)/sizeof(data[0]), \
+-}
+-
+-#define KEYS(e,n) { KEY(e), KEY(n), }
+-
+-static struct pubkey keys[] = {
+-''')
+- for n in xrange(n + 1):
+- output.write(' KEYS(e_%d, n_%d),\n' % (n, n))
+- output.write('};\n')
+- pass
+-
+ def print_gcrypt(output, name, val):
+ while val[0] == '\0':
+ val = val[1:]
+@@ -118,24 +43,10 @@ static const struct key_params keys[] =
+ for n in xrange(n + 1):
+ output.write(' KEYS(e_%d, n_%d),\n' % (n, n))
+ output.write('};\n')
+-
+-
+-modes = {
+- '--ssl': (print_ssl, print_ssl_keys),
+- '--gcrypt': (print_gcrypt, print_gcrypt_keys),
+-}
+
+-try:
+- mode = sys.argv[1]
+- files = sys.argv[2:-1]
+- outfile = sys.argv[-1]
+-except IndexError:
+- mode = None
+-
+-if not mode in modes:
+- print 'Usage: %s [%s] input-file... output-file' % (sys.argv[0], '|'.join(modes.keys()))
+- sys.exit(2)
+
++files = sys.argv[1:-1]
++outfile = sys.argv[-1]
+ output = open(outfile, 'w')
+
+ # load key
+@@ -146,8 +57,8 @@ for f in files:
+ except RSA.RSAError:
+ key = RSA.load_key(f)
+
+- modes[mode][0](output, 'e_%d' % idx, key.e[4:])
+- modes[mode][0](output, 'n_%d' % idx, key.n[4:])
++ print_gcrypt(output, 'e_%d' % idx, key.e[4:])
++ print_gcrypt(output, 'n_%d' % idx, key.n[4:])
+ idx += 1
+
+-modes[mode][1](output, idx - 1)
++print_gcrypt_keys(output, idx - 1)
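Review bot: Removing the usage check in utils/key2pub.py leaves `outfile = sys.argv[-1]` unguarded. Run with no arguments, `sys.argv[-1]` is the script's own path and `open(outfile, 'w')` truncates it. Run with only an output path, which is what the Makefile rule produces when `$(wildcard $(PUBKEY_DIR)/*.pem)` matches nothing, `files` is empty. Assuming `idx` starts at 0 above the visible lines, an empty `keys[]` table is then written without any error, so a gcrypt build could silently embed no trusted keys. Restore a guard before the `open`, for example `if len(sys.argv) < 3: sys.stderr.write('Usage: %s input-file... output-file\n' % sys.argv[0]); sys.exit(2)`.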