From 3bc4eac301dbcdbbd9dd43c00f8565f399cd5b46 Mon Sep 17 00:00:00 2001
From: Roland Rosenfeld
Date: Sat, 12 Oct 2024 17:28:22 +0200
Subject: [PATCH] Merge debian changes from 3.0.34-6.

---
 debian/apparmor/usr.sbin.privoxy | 1 +
 debian/changelog | 17 +++-
 debian/control | 2 +-
 debian/rules | 19 +++-
 debian/salsa-ci.yml | 4 +-
 debian/tests/check-ssl | 138 +++++++++++++++++++++++++++
 debian/tests/control | 6 +-
 debian/tests/privoxy-regression-test | 4 +-
 8 files changed, 180 insertions(+), 11 deletions(-)
 create mode 100755 debian/tests/check-ssl

diff --git a/debian/apparmor/usr.sbin.privoxy b/debian/apparmor/usr.sbin.privoxy
index e6810a58..776e6bd5 100644
--- a/debian/apparmor/usr.sbin.privoxy
+++ b/debian/apparmor/usr.sbin.privoxy
@@ -16,4 +16,5 @@
 /usr/share/doc/privoxy/p_doc.css r,
 owner /var/lib/privoxy/** rw,
 owner /var/log/privoxy/logfile rw,
+ /etc/ssl/openssl.cnf r,
 }
diff --git a/debian/changelog b/debian/changelog
index 3615aa7e..c3785021 100644
--- a/debian/changelog
+++ b/debian/changelog
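Review bot: The new `+ /etc/ssl/openssl.cnf r,` rule grants only the configuration file, whereas AppArmor ships `abstractions/openssl`, which I believe covers that path together with the library's other read-only locations (engine/provider modules); `#include <abstractions/openssl>` in the profile's include block would express the mbedTLS-to-OpenSSL switch more conventionally, assuming that block (outside this hunk) does not already pull it in. If OpenSSL does load providers from its module directory at runtime, the single-file rule will show up as further denials in the audit log rather than as a functional failure, so the difference is easy to miss in testing.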
@@ -2,10 +2,25 @@ privoxy (3.0.35~gitsnapshot-1) UNRELEASED; urgency=medium
 
 * Unreleased GIT snapshot.
 * The following patches are now incorporated upstream: 35_pcre2-support,
- 36_pcre2-patternfix, 37_socks-bufferoverflow.
+ 36_pcre2-patternfix, 37_socks-bufferoverflow, 38_filter.c-init1,
+ 39_filter.c-init2, 40_openssl-deprwarn, 41_md5-to-sha256.
 
 -- Roland Rosenfeld Fri, 11 Oct 2024 16:31:33 +0200
 
+privoxy (3.0.34-6) unstable; urgency=medium
+
+ * d/test/check-ssl: run privoxy-regression-test --check-bad-ssl.
+ * debian/rules: preserve upstream install-sh on clean.
+ * 38_filter.c-init1, 39_filter.c-init2: initialize variables in
+ filter.c.
+ * d/test/check-ssl: Add tests via howsmyssl.com.
+ * Switch from mbedTLS to OpenSSL (Closes: #1075870).
+ * 40_openssl-deprwarn: Get rid of some openssl deprecation warnings.
+ * 41_md5-to-sha256: Use sha256 as hash algorithm for cert/key files.
+ * debian/salsa-ci.yml: Update to new recipe.
+
+ -- Roland Rosenfeld Sat, 12 Oct 2024 17:00:09 +0200
+
 privoxy (3.0.34-5) unstable; urgency=medium
 
 * d/tests/privoxy-regression-test: wait for privoxy to start up.
diff --git a/debian/control b/debian/control
index 069d7c1e..bfabfd15 100644
--- a/debian/control
+++ b/debian/control
@@ -10,8 +10,8 @@ Build-Depends: autoconf,
 docbook-utils ,
 groff ,
 libbrotli-dev,
- libmbedtls-dev,
 libpcre2-dev,
+ libssl-dev,
 man2html ,
 opensp:native ,
 po-debconf,
diff --git a/debian/rules b/debian/rules
index 5b49300f..fb39b6a2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 #
-# (c) 2002-2022 Roland Rosenfeld
+# (c) 2002-2024 Roland Rosenfeld
 #
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
@@ -13,6 +13,11 @@ DEBDIR=`pwd`/debian/privoxy
 %:
 dh $@
 
+override_dh_autoreconf:
+# preserve files overwritten by dh_autoreconf:
+ tar cf debian/autoreconf.tar install-sh
+ dh_autoreconf
+
 override_dh_auto_configure:
 autoheader
 autoconf
@@ -26,7 +31,7 @@ override_dh_auto_configure:
 --enable-extended-statistics \
 --enable-pcre-host-patterns \
 --enable-compression \
- --with-mbedtls \
+ --with-openssl \
 --with-brotli \
 --with-docbook=/usr/share/sgml/docbook/stylesheet/dsssl/modular
 
@@ -34,7 +39,7 @@ override_dh_auto_build:
 $(MAKE)
 ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS)))
-# preserve auto build documentation from source package:
+# preserve auto build documentation from source package:
 tar cf debian/doc.tar README INSTALL AUTHORS doc/webserver privoxy.8
 env -u LANG LC_ALL=C.UTF-8 $(MAKE) dok
 rm -f doc/webserver/user-manual/*.bak
@@ -59,6 +64,12 @@ endif
 rm -rf doc/source/temp
 dh_clean
 
+override_dh_autoreconf_clean:
+ dh_autoreconf_clean
+# restore files overwritten by dh_autoreconf:
+ [ ! -f debian/autoreconf.tar ] || tar xf debian/autoreconf.tar
+ rm -f debian/autoreconf.tar
+
 override_dh_auto_install:
 install -m 0755 privoxy $(DEBDIR)/usr/sbin/privoxy
 sed -e 's/\(Sample Configuration File for Privoxy\).*/\1/;' < config \
@@ -92,7 +103,7 @@ endif
 cp -r templates $(DEBDIR)/etc/privoxy/
 rm -f $(DEBDIR)/etc/privoxy/templates/*~
-# Remove trailing spaces from config files:
+# Remove trailing spaces from config files:
 find $(DEBDIR)/etc/privoxy -type f \
 | xargs grep -l ' $$' \
 | while read f; do \
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 892f3cd2..8424db44 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,3 +1,3 @@
+---
 include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
diff --git a/debian/tests/check-ssl b/debian/tests/check-ssl
new file mode 100755
index 00000000..58322143
--- /dev/null
+++ b/debian/tests/check-ssl
@@ -0,0 +1,138 @@
+#!/bin/sh
+#
+# Run privoxy-regression-test.pl --check-bad-ssl
+# and check https://www.howsmyssl.com/
+#
+# (c) 2024 Roland Rosenfeld
+
+PORT=8119
+
+if [ -z "$AUTOPKGTEST_TMP" ]; then
+ AUTOPKGTEST_TMP=$(mktemp -d)
+fi
+
+trap 'rm -rf "$AUTOPKGTEST_TMP"' EXIT
+
+CONFIG=$AUTOPKGTEST_TMP/config
+PIDFILE=$AUTOPKGTEST_TMP/privoxy.pid
+PRIVOXY=$AUTOPKGTEST_TMP/privoxy
+
+cp /usr/sbin/privoxy "$PRIVOXY"
+
+OUTFILE=$AUTOPKGTEST_TMP/checkssl-test-output
+DAEMONOUT=$AUTOPKGTEST_TMP/checkssl-daemon-output
+CERTDIR=$AUTOPKGTEST_TMP/certs
+CADIR=$AUTOPKGTEST_TMP/CA
+
+mkdir "$CERTDIR"
+chmod 700 "$CERTDIR"
+CASFILE=/etc/ssl/certs/ca-certificates.crt
+CADIR="$AUTOPKGTEST_TMP"/CA
+mkdir "$CADIR"
+PRIVOXYCRT="$CADIR"/privoxy.crt
+PRIVOXYKEY="$CADIR"/privoxy.pem
+
+echo "Generate SSL key-pair"
+SSLPASS=foobar
+openssl req -new -x509 -extensions v3_ca -keyout "$PRIVOXYKEY" \
+ -out "$PRIVOXYCRT" -days 2 -passout pass:"$SSLPASS" \
+ -batch 2>/dev/null
+
+echo "Generate privoxy config"
+ACTION="$AUTOPKGTEST_TMP/httpsinspection.action"
+cat < "$ACTION"
+{+https-inspection}
+/ # match all
+EOF
+
+sed -e "s/^listen-address.*/listen-address 127.0.0.1:$PORT/" \
+ -e "s%^logdir.*%logdir $AUTOPKGTEST_TMP%" \
+ -e "s/^#debug 65536/debug 13551/" \
+ -e "s/^keep-alive-timeout.*/keep-alive-timeout 21/" \
+ -e "s/^#connection-sharing.*/connection-sharing 0/" \
+ -e "s%^#ca-directory.*%ca-directory $CADIR%" \
+ -e "s/^#ca-cert-file.*/ca-cert-file privoxy.crt/" \
+ -e "s/^#ca-key-file.*/ca-key-file privoxy.pem/" \
+ -e "s/^#ca-password.*/ca-password $SSLPASS/" \
+ -e "s%^#certificate-directory.*%certificate-directory $CERTDIR%" \
+ -e "s%^#trusted-cas-file.*%trusted-cas-file $CASFILE%" \
+ < /usr/share/privoxy/config > "$CONFIG"
+echo "actionsfile $ACTION" >> "$CONFIG"
+
+echo "Starting privoxy on port $PORT"
+$PRIVOXY --pidfile "$PIDFILE" --no-daemon "$CONFIG" > "$DAEMONOUT" 2>&1 &
+sleep 1
+
+CURL_CA_BUNDLE="$PRIVOXYCRT"
+export CURL_CA_BUNDLE
+http_proxy=http://127.0.0.1:$PORT/
+export http_proxy
+
+/usr/bin/privoxy-regression-test --check-bad-ssl \
+ | tee "$OUTFILE" 2>&1
+
+RET=0
+grep -q 'All requests resulted in status code 403 as expected.' "$OUTFILE" \
+ || RET=1
+
+echo "check https://www.howsmyssl.com"
+HOWSMYSSL="$AUTOPKGTEST_TMP"/howsmysql.json
+curl -sS -x "$http_proxy" https://www.howsmyssl.com/a/check > "$HOWSMYSSL"
+
+echo "check TLS version"
+tls_version=$(jq -r '.tls_version' "$HOWSMYSSL")
+if [ "$tls_version" != "TLS 1.2" ] && [ "$tls_version" != "TLS 1.3" ]
+then
+ echo "ERROR: TLS-Version is $tls_version"
+ RET=1
+fi
+
+echo "check values, that should be false"
+for i in beast_vuln tls_compression_supported unknown_cipher_suite_supported
+do
+ checkfalse=$(jq ".$i" "$HOWSMYSSL")
+ if [ "$checkfalse" != "false" ]
+ then
+ echo "ERROR: $i is not false but $checkfalse"
+ RET=1
+ fi
+done
+
+echo "check values, that should be true"
+for i in ephemeral_keys_supported session_ticket_supported
+do
+ checktrue=$(jq ".$i" "$HOWSMYSSL")
+ if [ "$checktrue" != "true" ]
+ then
+ echo "ERROR: $i is not true but $checktrue"
+ RET=1
+ fi
+done
+
+echo "check insecure cipher suites"
+insecure_cipher_suites=$(jq '.insecure_cipher_suites' "$HOWSMYSSL")
+if [ "$insecure_cipher_suites" != '{}' ]
+then
+ echo "ERROR: insecure_cipher_suites is not empty: $insecure_cipher_suites"
+ RET=1
+fi
+
+echo "check overall rating"
+rating=$(jq -r '.rating' "$HOWSMYSSL")
+if [ "$rating" != "Probably Okay" ]
+then
+ echo "ERROR: Rating is $rating"
+ RET=1
+fi
+
+echo "Stopping privoxy on port $PORT"
+kill "$(cat "$PIDFILE")"
+
+# Place privoxy output into artifacts:
+if [ -d "$AUTOPKGTEST_ARTIFACTS" ]
+then
+ cp -a "$OUTFILE" "$DAEMONOUT" "$CADIR" "$CERTDIR" "$HOWSMYSSL" \
+ "$AUTOPKGTEST_ARTIFACTS"/
+fi
+
+return $RET
diff --git a/debian/tests/control b/debian/tests/control
index 6ff73cfe..7c747816 100644
--- a/debian/tests/control
+++ b/debian/tests/control
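Review bot: `return $RET` on the script's last line runs outside any function in a `#!/bin/sh` script that autopkgtest executes directly; POSIX leaves that unspecified and bash (when it is /bin/sh) reports an error, so the test's exit status may not reflect `RET` — use `exit "$RET"`. The fixed `sleep 1` after backgrounding `$PRIVOXY` races with daemon start-up (the 3.0.34-5 changelog entry added a proper wait to the sibling privoxy-regression-test for the same reason), and `kill "$(cat "$PIDFILE")"` then fails on an empty argument if the daemon never came up; a bounded poll on the pidfile, sketched below, is more robust, though whether privoxy writes the pidfile before it listens is something to confirm. `CADIR` is assigned twice with the same value, and `chmod 700` is applied to `$CERTDIR` but not to `$CADIR`, which holds the test CA's private key. The `cat < "$ACTION"` line looks truncated in this rendering (the following `{+https-inspection}` … `EOF` lines read as a here-document body); if the committed file really reads the action file instead of writing it, the action file is never created and https-inspection is never enabled.
```sh
$PRIVOXY --pidfile "$PIDFILE" --no-daemon "$CONFIG" > "$DAEMONOUT" 2>&1 &
# bounded wait for the daemon's pidfile instead of a fixed sleep (~5 s max)
i=0
while [ ! -s "$PIDFILE" ] && [ "$i" -lt 50 ]; do
    sleep 0.1
    i=$((i + 1))
done
# … unchanged: proxy/CA exports, regression test, howsmyssl checks, kill, artifacts …
exit "$RET"
```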
@@ -1,5 +1,9 @@
 Tests: privoxy-regression-test
-Depends: curl, @
+Depends: privoxy, curl
+
+Tests: check-ssl
+Depends: privoxy, curl, openssl, ca-certificates, jq
+Restrictions: needs-internet
 
 Tests: conditional-defines
 Depends: privoxy, libwww-perl, libhtml-tree-perl
diff --git a/debian/tests/privoxy-regression-test b/debian/tests/privoxy-regression-test
index f134b4fe..4ce2cf67 100755
--- a/debian/tests/privoxy-regression-test
+++ b/debian/tests/privoxy-regression-test
@@ -22,8 +22,8 @@ cp /usr/sbin/privoxy "$PRIVOXY"
 
 http_proxy=http://127.0.0.1:$PORT/
 export http_proxy
 
-OUTFILE=$AUTOPKGTEST_TMP/test-output
-DAEMONOUT=$AUTOPKGTEST_TMP/daemon-output
+OUTFILE=$AUTOPKGTEST_TMP/regression-test-output
+DAEMONOUT=$AUTOPKGTEST_TMP/regression-daemon-output
 
 echo "#### pass 1: some optiones disabled"
-- 
2.39.2
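Review bot: The new `Restrictions: needs-internet` stanza for check-ssl undersells the test's fragility: its verdict depends on a third-party service returning exact strings (`"Probably Okay"`, an empty `insecure_cipher_suites` object, specific boolean flags), so any unrelated change on howsmyssl.com will surface as a regression of this package in CI. Consider `Restrictions: needs-internet, flaky`, or `skippable` with the script exiting 77 when the service is unreachable, so that genuine TLS regressions caught by the local `--check-bad-ssl` run stay distinguishable from remote-service drift.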