[pkg-wpa-devel] r1508 - /crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch

kelmo-guest at users.alioth.debian.org kelmo-guest at users.alioth.debian.org
Thu Mar 4 13:29:39 UTC 2010 

Author: kelmo-guest
Date: Thu Mar  4 13:29:38 2010
New Revision: 1508

URL: http://svn.debian.org/wsvn/pkg-wpa/?sc=1&rev=1508
Log:
Enhance patch to version to be submitted upstream.

Modified:
    crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch

Modified: crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch
URL: http://svn.debian.org/wsvn/pkg-wpa/crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch?rev=1508&op=diff
==============================================================================
--- crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch (original)
+++ crda/trunk/debian/patches/openssl_runtime_verification_tuneup.patch Thu Mar  4 13:29:38 2010
@@ -1,10 +1,15 @@
-If USE_OPENSSL=1 do not embed crypto data into binary and use the PUBKEY_DIR
-variable just as it is when USE_GCRYPT=1. When verification fails provide
-information about the PUBKEY_DIR variable.
-
-This change removes support for runtime pubkey dir /etc/wireless-regdb/pubkeys
-as wireless-regdb does not currently install custom pubkeys to
-/etc/wireless-regdb/pubkeys and I can't see any further value to it.
+When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR
+variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR
+for signature verification at runtime. When verification fails provide
+information about the PUBKEY_DIR variable (instead of just being a comment).
+
+This allows wireless-regdb to be built from source and upgraded independently
+of crda. This is _crucial_ for distribution packages.
+
+This change also removes support for runtime pubkey dir
+/etc/wireless-regdb/pubkeys because wireless-regdb does not currently install
+custom pubkeys to /etc/wireless-regdb/pubkeys, and couldn't care less
+about that feature :)
 
 Fix typo (s/make noverify/makeall_noverify).
 
@@ -26,7 +31,7 @@
  CFLAGS += -Wall -g
  
  all: all_noverify verify
-@@ -30,12 +23,12 @@ all: all_noverify verify
+@@ -30,17 +23,22 @@ all: all_noverify verify
  all_noverify: crda intersect regdbdump
  
  ifeq ($(USE_OPENSSL),1)
@@ -42,21 +47,50 @@
  CFLAGS += -DUSE_GCRYPT
  LDLIBS += -lgcrypt
  
-@@ -82,7 +75,13 @@ $(REG_BIN):
+ reglib.o: keys-gcrypt.c
+ 
++keys-gcrypt.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem)
++	$(NQ) '  GEN ' $@
++	$(NQ) '  Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem)
++	$(Q)./utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) $@
++
+ endif
+ MKDIR ?= mkdir -p
+ INSTALL ?= install
+@@ -82,15 +80,10 @@ $(REG_BIN):
  	$(NQ) $(REG_GIT)
  	$(NQ)
  	$(NQ) "Once cloned (no need to build) cp regulatory.bin to $(REG_BIN)"
 -	$(NQ) "Use \"make noverify\" to disable verification"
-+	$(NQ)
-+	$(NQ) "If your distribution requires a custom pubkeys dir you must set"
-+	$(NQ) "PUBKEY_DIR to path where the keys are installed by wireless-regdb."
-+	$(NQ) "For example:"
-+	$(NQ) "    make PUBKEY_DIR=/usr/lib/crda/pubkeys"
-+	$(NQ)
 +	$(NQ) "Use \"make all_noverify\" to disable verification"
  	$(NQ)
  	$(Q) exit 1
  
+-keys-%.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem)
+-	$(NQ) '  GEN ' $@
+-	$(NQ) '  Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem)
+-	$(Q)./utils/key2pub.py --$* $(wildcard $(PUBKEY_DIR)/*.pem) $@
+-
+ %.o: %.c regdb.h
+ 	$(NQ) '  CC  ' $@
+ 	$(Q)$(CC) -c $(CPPFLAGS) $(CFLAGS) -o $@ $<
+@@ -109,7 +102,15 @@ intersect: reglib.o intersect.o print-re
+ 
+ verify: $(REG_BIN) regdbdump
+ 	$(NQ) '  CHK  $(REG_BIN)'
+-	$(Q)./regdbdump $(REG_BIN) >/dev/null
++	@if ! ./regdbdump $(REG_BIN) >/dev/null; then \
++		echo; \
++		echo "If your distribution requires a custom pubkeys dir you must set"; \
++		echo "PUBKEY_DIR to path where the keys are installed by wireless-regdb."; \
++		echo "For example:"; \
++		echo "    make PUBKEY_DIR=/lib/crda/pubkeys"; \
++		echo; \
++		exit 1; \
++	fi
+ 
+ %.gz: %
+ 	@$(NQ) ' GZIP' $<
 --- a/reglib.c
 +++ b/reglib.c
 @@ -18,10 +18,6 @@
@@ -104,3 +138,126 @@
  		while (!ok && (nextfile = readdir(pubkey_dir))) {
  			snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
  				nextfile->d_name);
+--- a/utils/key2pub.py
++++ b/utils/key2pub.py
+@@ -9,81 +9,6 @@ except ImportError, e:
+        sys.stderr.write('On Debian GNU/Linux the package is called "python-m2crypto".\n')
+        sys.exit(1)
+ 
+-def print_ssl_64(output, name, val):
+-    while val[0] == '\0':
+-        val = val[1:]
+-    while len(val) % 8:
+-        val = '\0' + val
+-    vnew = []
+-    while len(val):
+-        vnew.append((val[0], val[1], val[2], val[3], val[4], val[5], val[6], val[7]))
+-        val = val[8:]
+-    vnew.reverse()
+-    output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew)))
+-    idx = 0
+-    for v1, v2, v3, v4, v5, v6, v7, v8 in vnew:
+-        if not idx:
+-            output.write('\t')
+-        output.write('0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4), ord(v5), ord(v6), ord(v7), ord(v8)))
+-        idx += 1
+-        if idx == 2:
+-            idx = 0
+-            output.write('\n')
+-    if idx:
+-        output.write('\n')
+-    output.write('};\n\n')
+-
+-def print_ssl_32(output, name, val):
+-    while val[0] == '\0':
+-        val = val[1:]
+-    while len(val) % 4:
+-        val = '\0' + val
+-    vnew = []
+-    while len(val):
+-        vnew.append((val[0], val[1], val[2], val[3], ))
+-        val = val[4:]
+-    vnew.reverse()
+-    output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew)))
+-    idx = 0
+-    for v1, v2, v3, v4 in vnew:
+-        if not idx:
+-            output.write('\t')
+-        output.write('0x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4)))
+-        idx += 1
+-        if idx == 4:
+-            idx = 0
+-            output.write('\n')
+-    if idx:
+-        output.write('\n')
+-    output.write('};\n\n')
+-
+-def print_ssl(output, name, val):
+-    import struct
+-    if len(struct.pack('@L', 0)) == 8:
+-        return print_ssl_64(output, name, val)
+-    else:
+-        return print_ssl_32(output, name, val)
+-
+-def print_ssl_keys(output, n):
+-    output.write(r'''
+-struct pubkey {
+-	struct bignum_st e, n;
+-};
+-
+-#define KEY(data) {				\
+-	.d = data,				\
+-	.top = sizeof(data)/sizeof(data[0]),	\
+-}
+-
+-#define KEYS(e,n)	{ KEY(e), KEY(n), }
+-
+-static struct pubkey keys[] = {
+-''')
+-    for n in xrange(n + 1):
+-        output.write('	KEYS(e_%d, n_%d),\n' % (n, n))
+-    output.write('};\n')
+-    pass
+-
+ def print_gcrypt(output, name, val):
+     while val[0] == '\0':
+         val = val[1:]
+@@ -118,24 +43,10 @@ static const struct key_params keys[] =
+     for n in xrange(n + 1):
+         output.write('	KEYS(e_%d, n_%d),\n' % (n, n))
+     output.write('};\n')
+-    
+-
+-modes = {
+-    '--ssl': (print_ssl, print_ssl_keys),
+-    '--gcrypt': (print_gcrypt, print_gcrypt_keys),
+-}
+ 
+-try:
+-    mode = sys.argv[1]
+-    files = sys.argv[2:-1]
+-    outfile = sys.argv[-1]
+-except IndexError:
+-    mode = None
+-
+-if not mode in modes:
+-    print 'Usage: %s [%s] input-file... output-file' % (sys.argv[0], '|'.join(modes.keys()))
+-    sys.exit(2)
+ 
++files = sys.argv[1:-1]
++outfile = sys.argv[-1]
+ output = open(outfile, 'w')
+ 
+ # load key
+@@ -146,8 +57,8 @@ for f in files:
+     except RSA.RSAError:
+         key = RSA.load_key(f)
+ 
+-    modes[mode][0](output, 'e_%d' % idx, key.e[4:])
+-    modes[mode][0](output, 'n_%d' % idx, key.n[4:])
++    print_gcrypt(output, 'e_%d' % idx, key.e[4:])
++    print_gcrypt(output, 'n_%d' % idx, key.n[4:])
+     idx += 1
+ 
+-modes[mode][1](output, idx - 1)
++print_gcrypt_keys(output, idx - 1)

More information about the Pkg-wpa-devel mailing list