[Pkg-openssl-changes] r509 - in openssl/trunk/debian: . patches

Sat Sep 10 11:09:47 UTC 2011

Author: kroeckx
Date: 2011-09-10 11:09:47 +0000 (Sat, 10 Sep 2011)
New Revision: 509

Added:
   openssl/trunk/debian/patches/c_rehash-multi.patch
Modified:
   openssl/trunk/debian/changelog
   openssl/trunk/debian/patches/series
Log:
Generate hashes for all certs in a file (Closes: #628780)


Modified: openssl/trunk/debian/changelog
===================================================================

--- openssl/trunk/debian/changelog	2011-09-10 11:07:57 UTC (rev 508)
+++ openssl/trunk/debian/changelog	2011-09-10 11:09:47 UTC (rev 509)
@@ -8,6 +8,8 @@
     - Add protection against ECDSA timing attacks (CVE-2011-1945)
   * Block DigiNotar certifiates.  Patch from
     Raphael Geissert <geissert at debian.org>
+  * Generate hashes for all certs in a file (Closes: #628780)
+    Patch from Klaus Ethgen <Klaus at Ethgen.de>
 
  -- Kurt Roeckx <kurt at roeckx.be>  Sat, 10 Sep 2011 12:03:13 +0200
 

Added: openssl/trunk/debian/patches/c_rehash-multi.patch
===================================================================
--- openssl/trunk/debian/patches/c_rehash-multi.patch	                        (rev 0)
+++ openssl/trunk/debian/patches/c_rehash-multi.patch	2011-09-10 11:09:47 UTC (rev 509)
@@ -0,0 +1,86 @@
+From: Klaus Ethgen <Klaus at Ethgen.de>
+Subject: Generate hashes for all certs in a file
+Bug: http://bugs.debian.org/628780
+Forwared: no
+
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -122,34 +122,50 @@ sub link_hash_cert {
+ 		my $fname = $_[0];
+ 		my $hashopt = $_[1] || '-subject_hash';
+ 		$fname =~ s/'/'\\''/g;
+-		my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
+-		chomp $hash;
+-		chomp $fprint;
+-		$fprint =~ s/^.*=//;
+-		$fprint =~ tr/://d;
+-		my $suffix = 0;
+-		# Search for an unused hash filename
+-		while(exists $hashlist{"$hash.$suffix"}) {
+-			# Hash matches: if fingerprint matches its a duplicate cert
+-			if($hashlist{"$hash.$suffix"} eq $fprint) {
+-				print STDERR "WARNING: Skipping duplicate certificate $fname\n";
+-				return;
+-			}
+-			$suffix++;
+-		}
+-		$hash .= ".$suffix";
+-		print "$fname => $hash\n";
+-		$symlink_exists=eval {symlink("",""); 1};
+-		if ($symlink_exists) {
+-			symlink $fname, $hash;
+-		} else {
+-			open IN,"<$fname" or die "can't open $fname for read";
+-			open OUT,">$hash" or die "can't open $hash for write";
+-			print OUT <IN>;	# does the job for small text files
+-			close OUT;
+-			close IN;
+-		}
+-		$hashlist{$hash} = $fprint;
++		open my $in_fh, '<', $fname or die "can't open $fname for read";
++		my $cert = eval {local $/ = undef; <$in_fh>};
++		close $in_fh;
++		OUTERLOOP:
++		while ($cert =~ /^(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)$/gms)
++		{
++		   my $part = $1;
++		   my $tfile = `tempfile`;
++		   chomp $tfile;
++		   open my $tfile_fh, '>', $tfile or die "can't open $tfile for write";
++		   print {$tfile_fh} "$part\n";
++		   close $tfile_fh;
++
++		   my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$tfile"`;
++		   chomp $hash;
++		   chomp $fprint;
++		   $fprint =~ s/^.*=//;
++		   $fprint =~ tr/://d;
++		   my $suffix = 0;
++		   # Search for an unused hash filename
++		   while(exists $hashlist{"$hash.$suffix"}) {
++			   # Hash matches: if fingerprint matches its a duplicate cert
++			   if($hashlist{"$hash.$suffix"} eq $fprint) {
++				   print STDERR "WARNING: Skipping duplicate certificate $fname\n";
++				   unlink $tfile;
++				   next OUTERLOOP;
++			   }
++			   $suffix++;
++		   }
++		   $hash .= ".$suffix";
++		   print "$fname => $hash\n";
++		   $symlink_exists=eval {symlink("",""); 1};
++		   if ($symlink_exists) {
++			   symlink $fname, $hash;
++		   } else {
++			   open IN,"<$tfile" or die "can't open $tfile for read";
++			   open OUT,">$hash" or die "can't open $hash for write";
++			   print OUT <IN>;	# does the job for small text files
++			   close OUT;
++			   close IN;
++		   }
++		   $hashlist{$hash} = $fprint;
++		   unlink $tfile;
++		} ## end while ($cert =~ /^(-----BEGIN ...
+ }
+ 
+ sub link_hash_cert_old {

Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series	2011-09-10 11:07:57 UTC (rev 508)
+++ openssl/trunk/debian/patches/series	2011-09-10 11:09:47 UTC (rev 509)
@@ -29,3 +29,4 @@
 pkcs12-doc.patch
 dgst_hmac.patch
 block_diginotar.patch
+c_rehash-multi.patch


