Commit 71cbb045 authored by Kel Modderman's avatar Kel Modderman Committed by Ben Hutchings

Use backportable debian/rules.

Drop the setregdomain stuff - in the future better methods will exist to change
the regdomain to a user/admin-defined setting.
Add debian/patches/do_not_embed_pubkeys.patch to stop this terrible shitty
embedding of pubkey data into regdbdump/crda binaries.
parent 65d15082
......@@ -33,7 +33,12 @@ ifeq ($(USE_OPENSSL),1)
CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl`
LDLIBS += `pkg-config --libs openssl`
ifeq ($(RUNTIME_PUBKEY_ONLY),1)
CFLAGS += -DRUNTIME_PUBKEY_ONLY
else
CFLAGS += -DHAVE_KEYS_SSL
reglib.o: keys-ssl.c
endif
else
CFLAGS += -DUSE_GCRYPT
......
......@@ -3,11 +3,10 @@ Section: net
Priority: optional
Maintainer: Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>
Uploaders: Kel Modderman <kel@otaku42.de>
Build-Depends: debhelper (>= 7.0.50~),
Build-Depends: debhelper (>= 7),
libnl-dev,
libssl-dev,
pkg-config,
wireless-regdb
pkg-config
Standards-Version: 3.8.4
Vcs-Svn: svn://svn.debian.org/pkg-wpa/crda/trunk
Vcs-Browser: http://svn.debian.org/wsvn/pkg-wpa/crda/trunk/
......@@ -16,7 +15,6 @@ Homepage: http://wireless.kernel.org/en/developers/Regulatory/#CRDA
Package: crda
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, wireless-regdb
Recommends: iw (>= 0.9.18-1)
Description: wireless Central Regulatory Domain Agent
This package provides a Central Regulatory Domain Agent (CRDA) to be used by
the Linux kernel cf80211 wireless subsystem to query and apply the regulatory
......
# Set REGDOMAIN to a ISO/IEC 3166-1 alpha2 country code so that iw(8) may set
# the initial regulatory domain setting for IEEE 802.11 devices which operate
# on this system.
#
# Governments assert the right to regulate usage of radio spectrum within
# their respective territories so make sure you select a ISO/IEC 3166-1 alpha2
# country code suitable for your location or you may infringe on local
# legislature. See `/usr/share/zoneinfo/zone.tab' for a table of timezone
# descriptions containing ISO/IEC 3166-1 alpha2 country codes.
#
# If left unset, a country code will be selected based on the timezone
# configuration of the system.
REGDOMAIN=
debian/setregdomain lib/crda
#!/bin/sh
set -e
# This script can be called in the following ways:
#
# After the package was installed:
# <postinst> configure <old-version>
#
#
# If prerm fails during upgrade or fails on failed upgrade:
# <old-postinst> abort-upgrade <new-version>
#
# If prerm fails during deconfiguration of a package:
# <postinst> abort-deconfigure in-favour <new-package> <version>
# removing <old-package> <version>
#
# If prerm fails during replacement due to conflict:
# <postinst> abort-remove in-favour <new-package> <version>
create_regdomain_table()
{
# Check the input file exists
[ -s "$1" ] || return 0
# The conffile has been removed, do nothing.
[ -w /etc/default/crda ] || return 0
# Path to timezone configuration file, managed by tzdata maintainer
# scripts.
TZCONF=/etc/timezone
# Markers used to flag autogenerated section of /etc/default/crda.
# All configuration data outside of these markers are never touched.
START='### START AUTOGENERATED'
END='### END AUTOGENERATED'
# Remove old autogenerated section.
sed "/^$START/,/^$END/d" /etc/default/crda > \
/etc/default/crda.postinst.tmp
cat >>/etc/default/crda.postinst.tmp <<EOF
$START
#
# Lines between the AUTOGENERATED markers are managed by crda maintainer
# scripts. Do not edit between the markers, all changes will be lost.
#
# This country description <-> ISO 3166 country code matrix is kept in sync
# via dpkg trigger with /usr/share/zoneinfo/zone.tab
#
EOF
# Append new autogenerated section. Parse tzdata's zone.tab and
# output something which can be sourced by a shell script. This is
# done here to avoid overhead at crda udev agent runtime and to
# allow data to be available in early boot.
awk -v end="$END" -v tz="$TZCONF" '
BEGIN {
printf("if [ -z \"$REGDOMAIN\" ]; then\n")
printf("\tTIMEZONE=$(sed \"s# #_#g\" %s 2>/dev/null)\n", tz)
printf("\tcase \"$TIMEZONE\" in\n")
}
$1 ~ /^[A-Z][A-Z]$/ {
printf("\t\t\"%s\")\n", $3)
printf("\t\t\tREGDOMAIN=\"%s\"\n", $1)
printf("\t\t\t;;\n")
}
END {
printf("\tesac\n")
printf("fi\n")
printf("%s\n", end)
}
' "$1" >> /etc/default/crda.postinst.tmp
mv -f /etc/default/crda.postinst.tmp /etc/default/crda
}
case "$1" in
configure|triggered)
create_regdomain_table /usr/share/zoneinfo/zone.tab
;;
abort-upgrade|abort-deconfigure|abort-remove)
;;
*)
echo "$0 called with unknown argument \`$1'" 1>&2
exit 1
;;
esac
#DEBHELPER#
exit 0
SUBSYSTEM=="ieee80211", ACTION=="add", RUN+="/lib/crda/setregdomain"
interest /usr/share/zoneinfo/zone.tab
Description: Allow build without embedding pubkey data into crda/regdbdump
binaries.
From: Kel Modderman <kel@otaku42.de>
--- a/Makefile
+++ b/Makefile
@@ -33,7 +33,12 @@ ifeq ($(USE_OPENSSL),1)
CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl`
LDLIBS += `pkg-config --libs openssl`
+ifeq ($(RUNTIME_PUBKEY_ONLY),1)
+CFLAGS += -DRUNTIME_PUBKEY_ONLY
+else
+CFLAGS += -DHAVE_KEYS_SSL
reglib.o: keys-ssl.c
+endif
else
CFLAGS += -DUSE_GCRYPT
--- a/reglib.c
+++ b/reglib.c
@@ -18,7 +18,7 @@
#include "reglib.h"
-#ifdef USE_OPENSSL
+#if defined(USE_OPENSSL) && defined(HAVE_KEYS_SSL)
#include "keys-ssl.c"
#endif
@@ -49,7 +49,6 @@ int crda_verify_db_signature(__u8 *db, i
#ifdef USE_OPENSSL
RSA *rsa;
__u8 hash[SHA_DIGEST_LENGTH];
- unsigned int i;
int ok = 0;
DIR *pubkey_dir;
struct dirent *nextfile;
@@ -61,6 +60,8 @@ int crda_verify_db_signature(__u8 *db, i
goto out;
}
+#ifdef HAVE_KEYS_SSL
+ unsigned int i;
for (i = 0; (i < sizeof(keys)/sizeof(keys[0])) && (!ok); i++) {
rsa = RSA_new();
if (!rsa) {
@@ -78,6 +79,7 @@ int crda_verify_db_signature(__u8 *db, i
rsa->n = NULL;
RSA_free(rsa);
}
+#endif
if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
while (!ok && (nextfile = readdir(pubkey_dir))) {
snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
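Review bot: The `unsigned int i;` that the third reglib.c hunk re-introduces under `#ifdef HAVE_KEYS_SSL` now sits after the `goto out; }` statements, so it relies on C99 mixed declarations where the original declaration at the top of the block did not; the Makefile's bare `-Wall -g` probably lets gcc accept it, but `-Wdeclaration-after-statement` or a stricter `-std` would not. Keeping the declaration at its original place in the second hunk, wrapped as `#ifdef HAVE_KEYS_SSL` / `unsigned int i;` / `#endif`, and dropping the copy from the third hunk avoids that while still silencing the unused-variable warning in the RUNTIME_PUBKEY_ONLY build. When HAVE_KEYS_SSL is not defined, `ok` can only become non-zero through a key read from PUBKEY_DIR, so a missing or empty directory fails closed but without any diagnostic; a comment above `#ifdef HAVE_KEYS_SSL` such as `/* RUNTIME_PUBKEY_ONLY: no embedded keys, ok stays 0 unless a PUBKEY_DIR key verifies */` would make that intent explicit. The same hunks appear again in the applied reglib.c section further down the page, and crda_verify_db_signature continues outside these hunks.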
When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR
variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR
for signature verification at runtime. Remove ssl support from
utils/key2pub.py.
This allows wireless-regdb to be built from source and upgraded independently
of crda and is _crucial_ for distributions who want to build their own
regulatory.bin.
When verification fails provide information about the PUBKEY_DIR variable.
Fix typo (s/make noverify/make all_noverify/).
Signed-off-by: Kel Modderman <kel@otaku42.de>
---
--- a/Makefile
+++ b/Makefile
@@ -16,13 +16,6 @@ UDEV_LEVEL=$(CRDA_UDEV_LEVEL)-
# a different location.
UDEV_RULE_DIR?=/lib/udev/rules.d/
-# If your distribution requires a custom pubkeys dir
-# you must update this variable to reflect where the
-# keys are put when building. For example you can run
-# with make PUBKEY_DIR=/usr/lib/crda/pubkeys
-PUBKEY_DIR?=pubkeys
-RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys
-
CFLAGS += -Wall -g
all: all_noverify verify
@@ -30,17 +23,24 @@ all: all_noverify verify
all_noverify: crda intersect regdbdump
ifeq ($(USE_OPENSSL),1)
-CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl`
+PUBKEY_DIR?=$(PREFIX)/lib/crda/pubkeys
+RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys
+CFLAGS += -DUSE_OPENSSL `pkg-config --cflags openssl`
+CFLAGS += -DPUBKEY_DIR=\"$(PUBKEY_DIR)\" -DALT_PUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\"
LDLIBS += `pkg-config --libs openssl`
-reglib.o: keys-ssl.c
-
else
+PUBKEY_DIR?=pubkeys
CFLAGS += -DUSE_GCRYPT
LDLIBS += -lgcrypt
reglib.o: keys-gcrypt.c
+keys-gcrypt.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem)
+ $(NQ) ' GEN ' $@
+ $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem)
+ $(Q)./utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) $@
+
endif
MKDIR ?= mkdir -p
INSTALL ?= install
@@ -82,15 +82,10 @@ $(REG_BIN):
$(NQ) $(REG_GIT)
$(NQ)
$(NQ) "Once cloned (no need to build) cp regulatory.bin to $(REG_BIN)"
- $(NQ) "Use \"make noverify\" to disable verification"
+ $(NQ) "Use \"make all_noverify\" to disable verification"
$(NQ)
$(Q) exit 1
-keys-%.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem)
- $(NQ) ' GEN ' $@
- $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem)
- $(Q)./utils/key2pub.py --$* $(wildcard $(PUBKEY_DIR)/*.pem) $@
-
%.o: %.c regdb.h
$(NQ) ' CC ' $@
$(Q)$(CC) -c $(CPPFLAGS) $(CFLAGS) -o $@ $<
@@ -109,7 +104,15 @@ intersect: reglib.o intersect.o print-re
verify: $(REG_BIN) regdbdump
$(NQ) ' CHK $(REG_BIN)'
- $(Q)./regdbdump $(REG_BIN) >/dev/null
+ @if ! ./regdbdump $(REG_BIN) >/dev/null; then \
+ echo; \
+ echo "If your distribution requires a custom pubkeys dir you must set"; \
+ echo "PUBKEY_DIR to path where the keys are installed by wireless-regdb."; \
+ echo "For example:"; \
+ echo " make PUBKEY_DIR=/lib/crda/pubkeys"; \
+ echo; \
+ exit 1; \
+ fi
%.gz: %
@$(NQ) ' GZIP' $<
--- a/reglib.c
+++ b/reglib.c
@@ -18,10 +18,6 @@
#include "reglib.h"
-#ifdef USE_OPENSSL
-#include "keys-ssl.c"
-#endif
-
#ifdef USE_GCRYPT
#include "keys-gcrypt.c"
#endif
@@ -49,7 +45,6 @@ int crda_verify_db_signature(__u8 *db, i
#ifdef USE_OPENSSL
RSA *rsa;
__u8 hash[SHA_DIGEST_LENGTH];
- unsigned int i;
int ok = 0;
DIR *pubkey_dir;
struct dirent *nextfile;
@@ -61,26 +56,26 @@ int crda_verify_db_signature(__u8 *db, i
goto out;
}
- for (i = 0; (i < sizeof(keys)/sizeof(keys[0])) && (!ok); i++) {
- rsa = RSA_new();
- if (!rsa) {
- fprintf(stderr, "Failed to create RSA key.\n");
- goto out;
+ if ((pubkey_dir = opendir(PUBKEY_DIR))) {
+ while (!ok && (nextfile = readdir(pubkey_dir))) {
+ snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
+ nextfile->d_name);
+ if ((keyfile = fopen(filename, "rb"))) {
+ rsa = PEM_read_RSA_PUBKEY(keyfile,
+ NULL, NULL, NULL);
+ if (rsa)
+ ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH,
+ db + dblen, siglen, rsa) == 1;
+ RSA_free(rsa);
+ fclose(keyfile);
+ }
}
-
- rsa->e = &keys[i].e;
- rsa->n = &keys[i].n;
-
- ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH,
- db + dblen, siglen, rsa) == 1;
-
- rsa->e = NULL;
- rsa->n = NULL;
- RSA_free(rsa);
+ closedir(pubkey_dir);
}
- if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
+
+ if (!ok && (pubkey_dir = opendir(ALT_PUBKEY_DIR))) {
while (!ok && (nextfile = readdir(pubkey_dir))) {
- snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
+ snprintf(filename, PATH_MAX, "%s/%s", ALT_PUBKEY_DIR,
nextfile->d_name);
if ((keyfile = fopen(filename, "rb"))) {
rsa = PEM_read_RSA_PUBKEY(keyfile,
--- a/utils/key2pub.py
+++ b/utils/key2pub.py
@@ -9,81 +9,6 @@ except ImportError, e:
sys.stderr.write('On Debian GNU/Linux the package is called "python-m2crypto".\n')
sys.exit(1)
-def print_ssl_64(output, name, val):
- while val[0] == '\0':
- val = val[1:]
- while len(val) % 8:
- val = '\0' + val
- vnew = []
- while len(val):
- vnew.append((val[0], val[1], val[2], val[3], val[4], val[5], val[6], val[7]))
- val = val[8:]
- vnew.reverse()
- output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew)))
- idx = 0
- for v1, v2, v3, v4, v5, v6, v7, v8 in vnew:
- if not idx:
- output.write('\t')
- output.write('0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4), ord(v5), ord(v6), ord(v7), ord(v8)))
- idx += 1
- if idx == 2:
- idx = 0
- output.write('\n')
- if idx:
- output.write('\n')
- output.write('};\n\n')
-
-def print_ssl_32(output, name, val):
- while val[0] == '\0':
- val = val[1:]
- while len(val) % 4:
- val = '\0' + val
- vnew = []
- while len(val):
- vnew.append((val[0], val[1], val[2], val[3], ))
- val = val[4:]
- vnew.reverse()
- output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew)))
- idx = 0
- for v1, v2, v3, v4 in vnew:
- if not idx:
- output.write('\t')
- output.write('0x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4)))
- idx += 1
- if idx == 4:
- idx = 0
- output.write('\n')
- if idx:
- output.write('\n')
- output.write('};\n\n')
-
-def print_ssl(output, name, val):
- import struct
- if len(struct.pack('@L', 0)) == 8:
- return print_ssl_64(output, name, val)
- else:
- return print_ssl_32(output, name, val)
-
-def print_ssl_keys(output, n):
- output.write(r'''
-struct pubkey {
- struct bignum_st e, n;
-};
-
-#define KEY(data) { \
- .d = data, \
- .top = sizeof(data)/sizeof(data[0]), \
-}
-
-#define KEYS(e,n) { KEY(e), KEY(n), }
-
-static struct pubkey keys[] = {
-''')
- for n in xrange(n + 1):
- output.write(' KEYS(e_%d, n_%d),\n' % (n, n))
- output.write('};\n')
- pass
-
def print_gcrypt(output, name, val):
while val[0] == '\0':
val = val[1:]
@@ -118,24 +43,10 @@ static const struct key_params keys[] =
for n in xrange(n + 1):
output.write(' KEYS(e_%d, n_%d),\n' % (n, n))
output.write('};\n')
-
-
-modes = {
- '--ssl': (print_ssl, print_ssl_keys),
- '--gcrypt': (print_gcrypt, print_gcrypt_keys),
-}
-try:
- mode = sys.argv[1]
- files = sys.argv[2:-1]
- outfile = sys.argv[-1]
-except IndexError:
- mode = None
-
-if not mode in modes:
- print 'Usage: %s [%s] input-file... output-file' % (sys.argv[0], '|'.join(modes.keys()))
- sys.exit(2)
+files = sys.argv[1:-1]
+outfile = sys.argv[-1]
output = open(outfile, 'w')
# load key
@@ -146,8 +57,8 @@ for f in files:
except RSA.RSAError:
key = RSA.load_key(f)
- modes[mode][0](output, 'e_%d' % idx, key.e[4:])
- modes[mode][0](output, 'n_%d' % idx, key.n[4:])
+ print_gcrypt(output, 'e_%d' % idx, key.e[4:])
+ print_gcrypt(output, 'n_%d' % idx, key.n[4:])
idx += 1
-modes[mode][1](output, idx - 1)
+print_gcrypt_keys(output, idx - 1)
openssl_runtime_verification_tuneup.patch
do_not_embed_pubkeys.patch
#!/usr/bin/make -f
export CFLAGS = -O$(if $(findstring noopt,$(DEB_BUILD_OPTIONS)),0,2)
export PUBKEY_DIR = /lib/crda/pubkeys
export REG_BIN = /lib/crda/regulatory.bin
export CFLAGS = -O$(if $(findstring noopt,$(DEB_BUILD_OPTIONS)),0,2)
export REG_BIN = /lib/crda/regulatory.bin
export USE_OPENSSL = 1
export V = 1
export PUBKEY_DIR = /lib/crda/pubkeys
export RUNTIME_PUBKEY_DIR = $(PUBKEY_DIR)
export RUNTIME_PUBKEY_ONLY = 1
export V = 1
#export DH_VERBOSE = 1
override_dh_fixperms:
dh_fixperms
chmod 755 debian/crda/lib/crda/setregdomain
build: build-stamp
build-stamp:
dh build --before dh_auto_build
dh_auto_build -- all_noverify
dh build --after dh_auto_build
touch $@
override_dh_installudev:
dh_installudev --priority=85 --name=setregdomain
clean:
dh clean
%:
dh $@
install: install-stamp
install-stamp: build-stamp
dh install
touch $@
binary-arch: install
dh binary-arch
binary-indep:
binary: binary-arch binary-indep
.PHONY: build clean install binary-arch binary-indep binary
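Review bot: `dh_auto_build -- all_noverify` means the `verify` target is never run at package build time, so regulatory.bin's signature is checked only at runtime against the keys in $(PUBKEY_DIR); that is consistent with `RUNTIME_PUBKEY_ONLY = 1` (no keys embedded in the binaries) and with wireless-regdb apparently dropped from Build-Depends, but nothing in the file records it. A comment above the build-stamp recipe, e.g. `# all_noverify: no pubkeys are embedded (RUNTIME_PUBKEY_ONLY); signatures are verified at runtime against $(PUBKEY_DIR)`, would document that trade-off for the next maintainer. The old/new side of each line is not marked on this page, so this assumes the build-stamp recipe is the new backportable form and the override_ targets are the removed ones.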
#!/bin/sh
#
# This script is executed by /lib/udev/rules.d/85-regulatory.rules in order
# to set a sensible IEEE 802.11 regulatory domain setting based on the systems
# timezone setting. See also /etc/default/crda.
#
set -e
REGDOMAIN=
CRDA_CONF=/etc/default/crda
[ -s "$CRDA_CONF" ] && . "$CRDA_CONF"
[ -z "$REGDOMAIN" ] && exit 0
# In the future, iw may be moved to / filesystem
[ -x /sbin/iw ] && exec /sbin/iw reg set "$REGDOMAIN"
# Wait for /usr, it may not be mounted yet
(
. /lib/udev/hotplug.functions
wait_for_file /usr/sbin/iw
exec /usr/sbin/iw reg set "$REGDOMAIN"
) &
......@@ -18,7 +18,7 @@
#include "reglib.h"
#ifdef USE_OPENSSL
#if defined(USE_OPENSSL) && defined(HAVE_KEYS_SSL)
#include "keys-ssl.c"
#endif
......@@ -49,7 +49,6 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
#ifdef USE_OPENSSL
RSA *rsa;
__u8 hash[SHA_DIGEST_LENGTH];
unsigned int i;
int ok = 0;
DIR *pubkey_dir;
struct dirent *nextfile;
......@@ -61,6 +60,8 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
goto out;
}
#ifdef HAVE_KEYS_SSL
unsigned int i;
for (i = 0; (i < sizeof(keys)/sizeof(keys[0])) && (!ok); i++) {
rsa = RSA_new();
if (!rsa) {
......@@ -78,6 +79,7 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
rsa->n = NULL;
RSA_free(rsa);
}
#endif
if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
while (!ok && (nextfile = readdir(pubkey_dir))) {
snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
......