[Pkg-openssl-changes] r509 - in openssl/trunk/debian: . patches
Kurt Roeckx
kroeckx at alioth.debian.org
Sat Sep 10 11:09:47 UTC 2011
Author: kroeckx
Date: 2011-09-10 11:09:47 +0000 (Sat, 10 Sep 2011)
New Revision: 509
Added:
openssl/trunk/debian/patches/c_rehash-multi.patch
Modified:
openssl/trunk/debian/changelog
openssl/trunk/debian/patches/series
Log:
Generate hashes for all certs in a file (Closes: #628780)
Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog 2011-09-10 11:07:57 UTC (rev 508)
+++ openssl/trunk/debian/changelog 2011-09-10 11:09:47 UTC (rev 509)
@@ -8,6 +8,8 @@
- Add protection against ECDSA timing attacks (CVE-2011-1945)
* Block DigiNotar certifiates. Patch from
Raphael Geissert <geissert at debian.org>
+ * Generate hashes for all certs in a file (Closes: #628780)
+ Patch from Klaus Ethgen <Klaus at Ethgen.de>
-- Kurt Roeckx <kurt at roeckx.be> Sat, 10 Sep 2011 12:03:13 +0200
Added: openssl/trunk/debian/patches/c_rehash-multi.patch
===================================================================
--- openssl/trunk/debian/patches/c_rehash-multi.patch (rev 0)
+++ openssl/trunk/debian/patches/c_rehash-multi.patch 2011-09-10 11:09:47 UTC (rev 509)
@@ -0,0 +1,86 @@
+From: Klaus Ethgen <Klaus at Ethgen.de>
+Subject: Generate hashes for all certs in a file
+Bug: http://bugs.debian.org/628780
+Forwared: no
+
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -122,34 +122,50 @@ sub link_hash_cert {
+ my $fname = $_[0];
+ my $hashopt = $_[1] || '-subject_hash';
+ $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
+- chomp $hash;
+- chomp $fprint;
+- $fprint =~ s/^.*=//;
+- $fprint =~ tr/://d;
+- my $suffix = 0;
+- # Search for an unused hash filename
+- while(exists $hashlist{"$hash.$suffix"}) {
+- # Hash matches: if fingerprint matches its a duplicate cert
+- if($hashlist{"$hash.$suffix"} eq $fprint) {
+- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
+- return;
+- }
+- $suffix++;
+- }
+- $hash .= ".$suffix";
+- print "$fname => $hash\n";
+- $symlink_exists=eval {symlink("",""); 1};
+- if ($symlink_exists) {
+- symlink $fname, $hash;
+- } else {
+- open IN,"<$fname" or die "can't open $fname for read";
+- open OUT,">$hash" or die "can't open $hash for write";
+- print OUT <IN>; # does the job for small text files
+- close OUT;
+- close IN;
+- }
+- $hashlist{$hash} = $fprint;
++ open my $in_fh, '<', $fname or die "can't open $fname for read";
++ my $cert = eval {local $/ = undef; <$in_fh>};
++ close $in_fh;
++ OUTERLOOP:
++ while ($cert =~ /^(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)$/gms)
++ {
++ my $part = $1;
++ my $tfile = `tempfile`;
++ chomp $tfile;
++ open my $tfile_fh, '>', $tfile or die "can't open $tfile for write";
++ print {$tfile_fh} "$part\n";
++ close $tfile_fh;
++
++ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$tfile"`;
++ chomp $hash;
++ chomp $fprint;
++ $fprint =~ s/^.*=//;
++ $fprint =~ tr/://d;
++ my $suffix = 0;
++ # Search for an unused hash filename
++ while(exists $hashlist{"$hash.$suffix"}) {
++ # Hash matches: if fingerprint matches its a duplicate cert
++ if($hashlist{"$hash.$suffix"} eq $fprint) {
++ print STDERR "WARNING: Skipping duplicate certificate $fname\n";
++ unlink $tfile;
++ next OUTERLOOP;
++ }
++ $suffix++;
++ }
++ $hash .= ".$suffix";
++ print "$fname => $hash\n";
++ $symlink_exists=eval {symlink("",""); 1};
++ if ($symlink_exists) {
++ symlink $fname, $hash;
++ } else {
++ open IN,"<$tfile" or die "can't open $tfile for read";
++ open OUT,">$hash" or die "can't open $hash for write";
++ print OUT <IN>; # does the job for small text files
++ close OUT;
++ close IN;
++ }
++ $hashlist{$hash} = $fprint;
++ unlink $tfile;
++ } ## end while ($cert =~ /^(-----BEGIN ...
+ }
+
+ sub link_hash_cert_old {
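Review bot: The shell-quoting on the context line `$fname =~ s/'/'\\''/g;` now corrupts the path for every later use, because the new code never hands `$fname` to a shell: it goes to the three-arg `open my $in_fh, '<', $fname`, to `symlink $fname, $hash` and into the printed messages, so a filename containing an apostrophe fails to open or gets a dangling link; the substitution should be dropped now that the only backtick command reads `$tfile`. The `tempfile` program is spawned through the shell once per certificate with no check that it succeeded (an empty result turns into a confusing `open '>', ''` failure); core `File::Temp` does the same job in-process and reports errors, e.g. `use File::Temp qw(tempfile);` with `my ($tfile_fh, $tfile) = tempfile(UNLINK => 1);` replacing the backtick and the separate `open`. Because the loop only matches `-----BEGIN CERTIFICATE-----` blocks, a file that reaches this sub with a DER body or (if the caller admits them) a `TRUSTED CERTIFICATE` header now silently produces no link, where the old code passed the whole file to `openssl x509`; a match counter and `warn "no PEM certificate found in $fname\n"` after the loop would surface that. The `symlink` return value remains unchecked, as before. `link_hash_cert`'s opening line is outside the hunk.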
Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series 2011-09-10 11:07:57 UTC (rev 508)
+++ openssl/trunk/debian/patches/series 2011-09-10 11:09:47 UTC (rev 509)
@@ -29,3 +29,4 @@
pkcs12-doc.patch
dgst_hmac.patch
block_diginotar.patch
+c_rehash-multi.patch