Merge debian changes from 3.0.34-6. master
authorRoland Rosenfeld <roland@debian.org>
Sat, 12 Oct 2024 15:28:22 +0000 (17:28 +0200)
committerRoland Rosenfeld <roland@debian.org>
Sat, 12 Oct 2024 15:28:22 +0000 (17:28 +0200)
debian/apparmor/usr.sbin.privoxy
debian/changelog
debian/control
debian/rules
debian/salsa-ci.yml
debian/tests/check-ssl [new file with mode: 0755]
debian/tests/control
debian/tests/privoxy-regression-test

index e6810a5..776e6bd 100644 (file)
@@ -16,4 +16,5 @@
   /usr/share/doc/privoxy/p_doc.css r,
   owner /var/lib/privoxy/** rw,
   owner /var/log/privoxy/logfile rw,
+  /etc/ssl/openssl.cnf r,
 }
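Review bot: The new `/etc/ssl/openssl.cnf r,` rule grants only the config file; with OpenSSL 3 any provider activated in that config (e.g. legacy) is mmapped from `/usr/lib/@{multiarch}/ossl-modules/*.so`, which this profile does not allow, so whether https-inspection works under confinement depends on the system openssl.cnf and would only show up as an audit-log denial. AppArmor ships `#include <abstractions/openssl>` for exactly this set of paths, and `<abstractions/ssl_certs>` for the trusted-CA bundle that `trusted-cas-file` points at; whether the profile already includes either is outside this hunk. If it does not, replacing the explicit rule with `#include <abstractions/openssl>` is the conventional fix.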
index 3615aa7..c378502 100644 (file)
@@ -2,10 +2,25 @@ privoxy (3.0.35~gitsnapshot-1) UNRELEASED; urgency=medium
 
   * Unreleased GIT snapshot.
   * The following patches are now incorporated upstream: 35_pcre2-support,
-    36_pcre2-patternfix, 37_socks-bufferoverflow.
+    36_pcre2-patternfix, 37_socks-bufferoverflow, 38_filter.c-init1,
+    39_filter.c-init2, 40_openssl-deprwarn, 41_md5-to-sha256.
 
  -- Roland Rosenfeld <roland@debian.org>  Fri, 11 Oct 2024 16:31:33 +0200
 
+privoxy (3.0.34-6) unstable; urgency=medium
+
+  * d/test/check-ssl: run privoxy-regression-test --check-bad-ssl.
+  * debian/rules: preserve upstream install-sh on clean.
+  * 38_filter.c-init1, 39_filter.c-init2: initialize variables in
+    filter.c.
+  * d/test/check-ssl: Add tests via howsmyssl.com.
+  * Switch from mbedTLS to OpenSSL (Closes: #1075870).
+  * 40_openssl-deprwarn: Get rid of some openssl deprecation warnings.
+  * 41_md5-to-sha256: Use sha256 as hash algorithm for cert/key files.
+  * debian/salsa-ci.yml: Update to new recipe.
+
+ -- Roland Rosenfeld <roland@debian.org>  Sat, 12 Oct 2024 17:00:09 +0200
+
 privoxy (3.0.34-5) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: wait for privoxy to start up.
index 069d7c1..bfabfd1 100644 (file)
@@ -10,8 +10,8 @@ Build-Depends: autoconf,
                docbook-utils <!nodoc>,
                groff <!nodoc>,
                libbrotli-dev,
-               libmbedtls-dev,
                libpcre2-dev,
+               libssl-dev,
                man2html <!nodoc>,
                opensp:native <!nodoc>,
                po-debconf,
index 5b49300..fb39b6a 100755 (executable)
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 #
-# (c) 2002-2022 Roland Rosenfeld <roland@debian.org>
+# (c) 2002-2024 Roland Rosenfeld <roland@debian.org>
 #
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
@@ -13,6 +13,11 @@ DEBDIR=`pwd`/debian/privoxy
 %:
        dh $@
 
+override_dh_autoreconf:
+#      preserve files overwritten by dh_autoreconf:
+       tar cf debian/autoreconf.tar install-sh
+       dh_autoreconf
+
 override_dh_auto_configure:
        autoheader
        autoconf
@@ -26,7 +31,7 @@ override_dh_auto_configure:
                --enable-extended-statistics \
                --enable-pcre-host-patterns \
                --enable-compression \
-               --with-mbedtls \
+               --with-openssl \
                --with-brotli \
                --with-docbook=/usr/share/sgml/docbook/stylesheet/dsssl/modular
 
@@ -34,7 +39,7 @@ override_dh_auto_build:
        $(MAKE)
 
 ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS)))
-#      preserve auto build documentation from source package:
+#      preserve auto build documentation from source package:
        tar cf debian/doc.tar README INSTALL AUTHORS doc/webserver privoxy.8
        env -u LANG LC_ALL=C.UTF-8 $(MAKE) dok
        rm -f doc/webserver/user-manual/*.bak
@@ -59,6 +64,12 @@ endif
        rm -rf doc/source/temp
        dh_clean
 
+override_dh_autoreconf_clean:
+       dh_autoreconf_clean
+#      restore files overwritten by dh_autoreconf:
+       [ ! -f debian/autoreconf.tar ] || tar xf debian/autoreconf.tar
+       rm -f debian/autoreconf.tar
+
 override_dh_auto_install:
        install -m 0755 privoxy $(DEBDIR)/usr/sbin/privoxy
        sed -e 's/\(Sample Configuration File for Privoxy\).*/\1/;' < config \
@@ -92,7 +103,7 @@ endif
        cp -r templates $(DEBDIR)/etc/privoxy/
        rm -f $(DEBDIR)/etc/privoxy/templates/*~
 
-#      Remove trailing spaces from config files:
+#      Remove trailing spaces from config files:
        find $(DEBDIR)/etc/privoxy -type f \
        | xargs grep -l ' $$' \
        | while read f; do \
index 892f3cd..8424db4 100644 (file)
@@ -1,3 +1,3 @@
+---
 include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
diff --git a/debian/tests/check-ssl b/debian/tests/check-ssl
new file mode 100755 (executable)
index 0000000..5832214
--- /dev/null
@@ -0,0 +1,138 @@
+#!/bin/sh
+#
+# Run privoxy-regression-test.pl --check-bad-ssl
+# and check https://www.howsmyssl.com/
+#
+# (c) 2024 Roland Rosenfeld <roland@debian.org>
+
+PORT=8119
+
+if [ -z "$AUTOPKGTEST_TMP" ]; then
+    AUTOPKGTEST_TMP=$(mktemp -d)
+fi
+
+trap 'rm -rf "$AUTOPKGTEST_TMP"' EXIT
+
+CONFIG=$AUTOPKGTEST_TMP/config
+PIDFILE=$AUTOPKGTEST_TMP/privoxy.pid
+PRIVOXY=$AUTOPKGTEST_TMP/privoxy
+
+cp /usr/sbin/privoxy "$PRIVOXY"
+
+OUTFILE=$AUTOPKGTEST_TMP/checkssl-test-output
+DAEMONOUT=$AUTOPKGTEST_TMP/checkssl-daemon-output
+CERTDIR=$AUTOPKGTEST_TMP/certs
+CADIR=$AUTOPKGTEST_TMP/CA
+
+mkdir "$CERTDIR"
+chmod 700 "$CERTDIR"
+CASFILE=/etc/ssl/certs/ca-certificates.crt
+CADIR="$AUTOPKGTEST_TMP"/CA
+mkdir "$CADIR"
+PRIVOXYCRT="$CADIR"/privoxy.crt
+PRIVOXYKEY="$CADIR"/privoxy.pem
+
+echo "Generate SSL key-pair"
+SSLPASS=foobar
+openssl req -new -x509 -extensions v3_ca -keyout "$PRIVOXYKEY" \
+        -out "$PRIVOXYCRT" -days 2 -passout pass:"$SSLPASS" \
+        -batch 2>/dev/null
+
+echo "Generate privoxy config"
+ACTION="$AUTOPKGTEST_TMP/httpsinspection.action"
+cat <<EOF > "$ACTION"
+{+https-inspection}
+/ # match all
+EOF
+
+sed -e "s/^listen-address.*/listen-address 127.0.0.1:$PORT/" \
+    -e "s%^logdir.*%logdir $AUTOPKGTEST_TMP%" \
+    -e "s/^#debug 65536/debug 13551/" \
+    -e "s/^keep-alive-timeout.*/keep-alive-timeout 21/" \
+    -e "s/^#connection-sharing.*/connection-sharing 0/" \
+    -e "s%^#ca-directory.*%ca-directory $CADIR%" \
+    -e "s/^#ca-cert-file.*/ca-cert-file privoxy.crt/" \
+    -e "s/^#ca-key-file.*/ca-key-file privoxy.pem/" \
+    -e "s/^#ca-password.*/ca-password $SSLPASS/" \
+    -e "s%^#certificate-directory.*%certificate-directory $CERTDIR%" \
+    -e "s%^#trusted-cas-file.*%trusted-cas-file $CASFILE%" \
+    < /usr/share/privoxy/config > "$CONFIG"
+echo "actionsfile $ACTION" >> "$CONFIG"
+
+echo "Starting privoxy on port $PORT"
+$PRIVOXY --pidfile "$PIDFILE" --no-daemon "$CONFIG" > "$DAEMONOUT" 2>&1 &
+sleep 1
+
+CURL_CA_BUNDLE="$PRIVOXYCRT"
+export CURL_CA_BUNDLE
+http_proxy=http://127.0.0.1:$PORT/
+export http_proxy
+
+/usr/bin/privoxy-regression-test --check-bad-ssl \
+    | tee "$OUTFILE" 2>&1
+
+RET=0
+grep -q 'All requests resulted in status code 403 as expected.' "$OUTFILE" \
+     || RET=1
+
+echo "check https://www.howsmyssl.com"
+HOWSMYSSL="$AUTOPKGTEST_TMP"/howsmysql.json
+curl -sS -x "$http_proxy" https://www.howsmyssl.com/a/check > "$HOWSMYSSL"
+
+echo "check TLS version"
+tls_version=$(jq -r '.tls_version' "$HOWSMYSSL")
+if [ "$tls_version" != "TLS 1.2" ] && [ "$tls_version" != "TLS 1.3" ]
+then
+    echo "ERROR: TLS-Version is $tls_version"
+    RET=1
+fi
+
+echo "check values, that should be false"
+for i in beast_vuln tls_compression_supported unknown_cipher_suite_supported
+do
+    checkfalse=$(jq ".$i" "$HOWSMYSSL")
+    if [ "$checkfalse" != "false" ]
+    then
+        echo "ERROR: $i is not false but $checkfalse"
+        RET=1
+    fi
+done
+
+echo "check values, that should be true"
+for i in ephemeral_keys_supported session_ticket_supported
+do
+    checktrue=$(jq ".$i" "$HOWSMYSSL")
+    if [ "$checktrue" != "true" ]
+    then
+        echo "ERROR: $i is not true but $checktrue"
+        RET=1
+    fi
+done
+
+echo "check insecure cipher suites"
+insecure_cipher_suites=$(jq '.insecure_cipher_suites' "$HOWSMYSSL")
+if [ "$insecure_cipher_suites" != '{}' ]
+then
+    echo "ERROR: insecure_cipher_suites is not empty: $insecure_cipher_suites"
+    RET=1
+fi
+
+echo "check overall rating"
+rating=$(jq -r '.rating' "$HOWSMYSSL")
+if [ "$rating" != "Probably Okay" ]
+then
+    echo "ERROR: Rating is $rating"
+    RET=1
+fi
+
+echo "Stopping privoxy on port $PORT"
+kill "$(cat "$PIDFILE")"
+
+# Place privoxy output into artifacts:
+if [ -d "$AUTOPKGTEST_ARTIFACTS" ]
+then
+    cp -a "$OUTFILE" "$DAEMONOUT" "$CADIR" "$CERTDIR" "$HOWSMYSSL" \
+       "$AUTOPKGTEST_ARTIFACTS"/
+fi
+
+return $RET
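Review bot: `return $RET` on the last line is outside any function, so the test's verdict depends on which sh runs it: dash skips the rest of the file with that status, but bash refuses with "can only return from a function or sourced script" and exits 1 even when every check passed; use `exit $RET`. The fixed `sleep 1` after starting privoxy in the background is the same startup race the 3.0.34-5 changelog entry fixed in privoxy-regression-test — poll for `$PIDFILE` (or the listening port) in a bounded loop instead. Running a copy of the binary from `$AUTOPKGTEST_TMP` presumably sidesteps the path-based AppArmor profile, which means the `openssl.cnf` rule added in this same commit is not exercised by the test; a comment stating that trade-off (`# copied so the AppArmor profile for /usr/sbin/privoxy does not apply`) would save the next reader the guess. In `... --check-bad-ssl | tee "$OUTFILE" 2>&1` the redirection binds to tee, not to the regression test, so its stderr is lost from `$OUTFILE`; write `2>&1 | tee "$OUTFILE"`. The curl to howsmyssl.com is unchecked, so a network failure leaves an empty JSON file and a cascade of jq errors instead of one clear failure; `|| { echo "ERROR: fetching howsmyssl.com failed"; RET=1; }` on that line makes the cause obvious.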
index 6ff73cf..7c74781 100644 (file)
@@ -1,5 +1,9 @@
 Tests: privoxy-regression-test
-Depends: curl, @
+Depends: privoxy, curl
+
+Tests: check-ssl
+Depends: privoxy, curl, openssl, ca-certificates, jq
+Restrictions: needs-internet
 
 Tests: conditional-defines
 Depends: privoxy, libwww-perl, libhtml-tree-perl
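Review bot: check-ssl's verdict rests on a third-party service (www.howsmyssl.com) and on exact strings it returns, such as `rating` being "Probably Okay"; `needs-internet` declares the network dependency but not that an outage or a wording change on that site fails the package's autopkgtest and blocks migration. Either accept that and say so in a comment above the stanza, or add `flaky` to the restrictions (`Restrictions: needs-internet, flaky`) while the howsmyssl checks share a test with the badssl.com regression run, so a transient service problem does not mask a genuine TLS-client regression in the other half.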
index f134b4f..4ce2cf6 100755 (executable)
@@ -22,8 +22,8 @@ cp /usr/sbin/privoxy "$PRIVOXY"
 http_proxy=http://127.0.0.1:$PORT/
 export http_proxy
 
-OUTFILE=$AUTOPKGTEST_TMP/test-output
-DAEMONOUT=$AUTOPKGTEST_TMP/daemon-output
+OUTFILE=$AUTOPKGTEST_TMP/regression-test-output
+DAEMONOUT=$AUTOPKGTEST_TMP/regression-daemon-output
 
 echo "#### pass 1: some optiones disabled"