From: Roland Rosenfeld <roland@debian.org>
Date: Sat, 12 Oct 2024 15:28:22 +0000 (+0200)
Subject: Merge debian changes from 3.0.34-6.
X-Git-Tag: v_4_0_0~60^2
X-Git-Url: http://www.privoxy.org/gitweb/@default-cgi@/@default-cgi@send-stylesheet?a=commitdiff_plain;h=3bc4eac301dbcdbbd9dd43c00f8565f399cd5b46;p=privoxy.git

Merge debian changes from 3.0.34-6.
---

diff --git a/debian/apparmor/usr.sbin.privoxy b/debian/apparmor/usr.sbin.privoxy
index e6810a58..776e6bd5 100644
--- a/debian/apparmor/usr.sbin.privoxy
+++ b/debian/apparmor/usr.sbin.privoxy
@@ -16,4 +16,5 @@
   /usr/share/doc/privoxy/p_doc.css r,
   owner /var/lib/privoxy/** rw,
   owner /var/log/privoxy/logfile rw,
+  /etc/ssl/openssl.cnf r,
 }
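Review bot: The new `/etc/ssl/openssl.cnf r,` line grants only the library's config file, while the OpenSSL build also needs to read the CA bundle named by `trusted-cas-file` (the new check-ssl test points it at `/etc/ssl/certs/ca-certificates.crt`); the profile's earlier lines are outside the hunk, so that may already be granted. If it is not, the apparmor `abstractions/openssl` and `abstractions/ssl_certs` includes cover both the config and the certificate store and track future path changes; a one-line comment such as `# OpenSSL reads its config on library init (switch from mbedTLS, 3.0.34-6)` would also record why the rule exists.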
diff --git a/debian/changelog b/debian/changelog
index 3615aa7e..c3785021 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,10 +2,25 @@ privoxy (3.0.35~gitsnapshot-1) UNRELEASED; urgency=medium
 
   * Unreleased GIT snapshot.
   * The following patches are now incorporated upstream: 35_pcre2-support,
-    36_pcre2-patternfix, 37_socks-bufferoverflow.
+    36_pcre2-patternfix, 37_socks-bufferoverflow, 38_filter.c-init1,
+    39_filter.c-init2, 40_openssl-deprwarn, 41_md5-to-sha256.
 
  -- Roland Rosenfeld <roland@debian.org>  Fri, 11 Oct 2024 16:31:33 +0200
 
+privoxy (3.0.34-6) unstable; urgency=medium
+
+  * d/test/check-ssl: run privoxy-regression-test --check-bad-ssl.
+  * debian/rules: preserve upstream install-sh on clean.
+  * 38_filter.c-init1, 39_filter.c-init2: initialize variables in
+    filter.c.
+  * d/test/check-ssl: Add tests via howsmyssl.com.
+  * Switch from mbedTLS to OpenSSL (Closes: #1075870).
+  * 40_openssl-deprwarn: Get rid of some openssl deprecation warnings.
+  * 41_md5-to-sha256: Use sha256 as hash algorithm for cert/key files.
+  * debian/salsa-ci.yml: Update to new recipe.
+
+ -- Roland Rosenfeld <roland@debian.org>  Sat, 12 Oct 2024 17:00:09 +0200
+
 privoxy (3.0.34-5) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: wait for privoxy to start up.
diff --git a/debian/control b/debian/control
index 069d7c1e..bfabfd15 100644
--- a/debian/control
+++ b/debian/control
@@ -10,8 +10,8 @@ Build-Depends: autoconf,
                docbook-utils <!nodoc>,
                groff <!nodoc>,
                libbrotli-dev,
-               libmbedtls-dev,
                libpcre2-dev,
+               libssl-dev,
                man2html <!nodoc>,
                opensp:native <!nodoc>,
                po-debconf,
diff --git a/debian/rules b/debian/rules
index 5b49300f..fb39b6a2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 #
-# (c) 2002-2022 Roland Rosenfeld <roland@debian.org>
+# (c) 2002-2024 Roland Rosenfeld <roland@debian.org>
 #
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
@@ -13,6 +13,11 @@ DEBDIR=`pwd`/debian/privoxy
 %:
 	dh $@
 
+override_dh_autoreconf:
+#	preserve files overwritten by dh_autoreconf:
+	tar cf debian/autoreconf.tar install-sh
+	dh_autoreconf
+
 override_dh_auto_configure:
 	autoheader
 	autoconf
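Review bot: `tar cf debian/autoreconf.tar install-sh` unconditionally overwrites the archive, so if `override_dh_autoreconf` is run a second time without an intervening clean it would snapshot the already-replaced `install-sh` and the restore in `override_dh_autoreconf_clean` (later hunk) would then put the dh_autoreconf copy back instead of the upstream one. Guard the snapshot so it is taken only once: `[ -f debian/autoreconf.tar ] || tar cf debian/autoreconf.tar install-sh`. The same reasoning suggests listing the exact files in a variable shared by both overrides, so the save and restore lists cannot drift apart.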
@@ -26,7 +31,7 @@ override_dh_auto_configure:
 		--enable-extended-statistics \
 		--enable-pcre-host-patterns \
 		--enable-compression \
-		--with-mbedtls \
+		--with-openssl \
 		--with-brotli \
 		--with-docbook=/usr/share/sgml/docbook/stylesheet/dsssl/modular
 
@@ -34,7 +39,7 @@ override_dh_auto_build:
 	$(MAKE)
 
 ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS)))
-# 	preserve auto build documentation from source package:
+#	preserve auto build documentation from source package:
 	tar cf debian/doc.tar README INSTALL AUTHORS doc/webserver privoxy.8
 	env -u LANG LC_ALL=C.UTF-8 $(MAKE) dok
 	rm -f doc/webserver/user-manual/*.bak
@@ -59,6 +64,12 @@ endif
 	rm -rf doc/source/temp
 	dh_clean
 
+override_dh_autoreconf_clean:
+	dh_autoreconf_clean
+#	restore files overwritten by dh_autoreconf:
+	[ ! -f debian/autoreconf.tar ] || tar xf debian/autoreconf.tar
+	rm -f debian/autoreconf.tar
+
 override_dh_auto_install:
 	install -m 0755 privoxy $(DEBDIR)/usr/sbin/privoxy
 	sed -e 's/\(Sample Configuration File for Privoxy\).*/\1/;' < config \
@@ -92,7 +103,7 @@ endif
 	cp -r templates $(DEBDIR)/etc/privoxy/
 	rm -f $(DEBDIR)/etc/privoxy/templates/*~
 
-#      Remove trailing spaces from config files:
+#	Remove trailing spaces from config files:
 	find $(DEBDIR)/etc/privoxy -type f \
 	| xargs grep -l ' $$' \
 	| while read f; do \
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 892f3cd2..8424db44 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,3 +1,3 @@
+---
 include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
diff --git a/debian/tests/check-ssl b/debian/tests/check-ssl
new file mode 100755
index 00000000..58322143
--- /dev/null
+++ b/debian/tests/check-ssl
@@ -0,0 +1,138 @@
+#!/bin/sh
+#
+# Run privoxy-regression-test.pl --check-bad-ssl
+# and check https://www.howsmyssl.com/
+#
+# (c) 2024 Roland Rosenfeld <roland@debian.org>
+
+PORT=8119
+
+if [ -z "$AUTOPKGTEST_TMP" ]; then
+    AUTOPKGTEST_TMP=$(mktemp -d)
+fi
+
+trap 'rm -rf "$AUTOPKGTEST_TMP"' EXIT
+
+CONFIG=$AUTOPKGTEST_TMP/config
+PIDFILE=$AUTOPKGTEST_TMP/privoxy.pid
+PRIVOXY=$AUTOPKGTEST_TMP/privoxy
+
+cp /usr/sbin/privoxy "$PRIVOXY"
+
+OUTFILE=$AUTOPKGTEST_TMP/checkssl-test-output
+DAEMONOUT=$AUTOPKGTEST_TMP/checkssl-daemon-output
+CERTDIR=$AUTOPKGTEST_TMP/certs
+CADIR=$AUTOPKGTEST_TMP/CA
+
+mkdir "$CERTDIR"
+chmod 700 "$CERTDIR"
+CASFILE=/etc/ssl/certs/ca-certificates.crt
+CADIR="$AUTOPKGTEST_TMP"/CA
+mkdir "$CADIR"
+PRIVOXYCRT="$CADIR"/privoxy.crt
+PRIVOXYKEY="$CADIR"/privoxy.pem
+
+echo "Generate SSL key-pair"
+SSLPASS=foobar
+openssl req -new -x509 -extensions v3_ca -keyout "$PRIVOXYKEY" \
+        -out "$PRIVOXYCRT" -days 2 -passout pass:"$SSLPASS" \
+        -batch 2>/dev/null
+
+echo "Generate privoxy config"
+ACTION="$AUTOPKGTEST_TMP/httpsinspection.action"
+cat <<EOF > "$ACTION"
+{+https-inspection}
+/ # match all
+EOF
+
+sed -e "s/^listen-address.*/listen-address 127.0.0.1:$PORT/" \
+    -e "s%^logdir.*%logdir $AUTOPKGTEST_TMP%" \
+    -e "s/^#debug 65536/debug 13551/" \
+    -e "s/^keep-alive-timeout.*/keep-alive-timeout 21/" \
+    -e "s/^#connection-sharing.*/connection-sharing 0/" \
+    -e "s%^#ca-directory.*%ca-directory $CADIR%" \
+    -e "s/^#ca-cert-file.*/ca-cert-file privoxy.crt/" \
+    -e "s/^#ca-key-file.*/ca-key-file privoxy.pem/" \
+    -e "s/^#ca-password.*/ca-password $SSLPASS/" \
+    -e "s%^#certificate-directory.*%certificate-directory $CERTDIR%" \
+    -e "s%^#trusted-cas-file.*%trusted-cas-file $CASFILE%" \
+    < /usr/share/privoxy/config > "$CONFIG"
+echo "actionsfile $ACTION" >> "$CONFIG"
+
+echo "Starting privoxy on port $PORT"
+$PRIVOXY --pidfile "$PIDFILE" --no-daemon "$CONFIG" > "$DAEMONOUT" 2>&1 &
+sleep 1
+
+CURL_CA_BUNDLE="$PRIVOXYCRT"
+export CURL_CA_BUNDLE
+http_proxy=http://127.0.0.1:$PORT/
+export http_proxy
+
+/usr/bin/privoxy-regression-test --check-bad-ssl \
+    | tee "$OUTFILE" 2>&1
+
+RET=0
+grep -q 'All requests resulted in status code 403 as expected.' "$OUTFILE" \
+     || RET=1
+
+echo "check https://www.howsmyssl.com"
+HOWSMYSSL="$AUTOPKGTEST_TMP"/howsmysql.json
+curl -sS -x "$http_proxy" https://www.howsmyssl.com/a/check > "$HOWSMYSSL"
+
+echo "check TLS version"
+tls_version=$(jq -r '.tls_version' "$HOWSMYSSL")
+if [ "$tls_version" != "TLS 1.2" ] && [ "$tls_version" != "TLS 1.3" ]
+then
+    echo "ERROR: TLS-Version is $tls_version"
+    RET=1
+fi
+
+echo "check values, that should be false"
+for i in beast_vuln tls_compression_supported unknown_cipher_suite_supported
+do
+    checkfalse=$(jq ".$i" "$HOWSMYSSL")
+    if [ "$checkfalse" != "false" ]
+    then
+        echo "ERROR: $i is not false but $checkfalse"
+        RET=1
+    fi
+done
+
+echo "check values, that should be true"
+for i in ephemeral_keys_supported session_ticket_supported
+do
+    checktrue=$(jq ".$i" "$HOWSMYSSL")
+    if [ "$checktrue" != "true" ]
+    then
+        echo "ERROR: $i is not true but $checktrue"
+        RET=1
+    fi
+done
+
+echo "check insecure cipher suites"
+insecure_cipher_suites=$(jq '.insecure_cipher_suites' "$HOWSMYSSL")
+if [ "$insecure_cipher_suites" != '{}' ]
+then
+    echo "ERROR: insecure_cipher_suites is not empty: $insecure_cipher_suites"
+    RET=1
+fi
+
+echo "check overall rating"
+rating=$(jq -r '.rating' "$HOWSMYSSL")
+if [ "$rating" != "Probably Okay" ]
+then
+    echo "ERROR: Rating is $rating"
+    RET=1
+fi
+
+echo "Stopping privoxy on port $PORT"
+kill "$(cat "$PIDFILE")"
+
+# Place privoxy output into artifacts:
+if [ -d "$AUTOPKGTEST_ARTIFACTS" ]
+then
+    cp -a "$OUTFILE" "$DAEMONOUT" "$CADIR" "$CERTDIR" "$HOWSMYSSL" \
+       "$AUTOPKGTEST_ARTIFACTS"/
+fi
+
+return $RET
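Review bot: `return $RET` on the last line is used outside a function, which POSIX leaves unspecified: dash skips the rest of the file with that status, but when `/bin/sh` is bash it reports "can only return from a function" and exits non-zero, so a passing run would be reported as failed; `exit "$RET"` is the portable form. The `trap 'rm -rf "$AUTOPKGTEST_TMP"' EXIT` also removes the config and pidfile without stopping the daemon if the script dies before the `kill` near the end, leaving a privoxy listening on port 8119; folding the kill into the trap, e.g. `trap '[ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")"; rm -rf "$AUTOPKGTEST_TMP"' EXIT`, closes that. The fixed `sleep 1` before the first request is the race the changelog says the sibling regression test moved away from; reusing its wait-for-startup loop here would presumably remove a flaky failure mode. A short comment on `cp /usr/sbin/privoxy "$PRIVOXY"` stating why the binary is copied rather than executed in place would also help the next maintainer, since the reason is not visible in the file.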
diff --git a/debian/tests/control b/debian/tests/control
index 6ff73cfe..7c747816 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,5 +1,9 @@
 Tests: privoxy-regression-test
-Depends: curl, @
+Depends: privoxy, curl
+
+Tests: check-ssl
+Depends: privoxy, curl, openssl, ca-certificates, jq
+Restrictions: needs-internet
 
 Tests: conditional-defines
 Depends: privoxy, libwww-perl, libhtml-tree-perl
diff --git a/debian/tests/privoxy-regression-test b/debian/tests/privoxy-regression-test
index f134b4fe..4ce2cf67 100755
--- a/debian/tests/privoxy-regression-test
+++ b/debian/tests/privoxy-regression-test
@@ -22,8 +22,8 @@ cp /usr/sbin/privoxy "$PRIVOXY"
 http_proxy=http://127.0.0.1:$PORT/
 export http_proxy
 
-OUTFILE=$AUTOPKGTEST_TMP/test-output
-DAEMONOUT=$AUTOPKGTEST_TMP/daemon-output
+OUTFILE=$AUTOPKGTEST_TMP/regression-test-output
+DAEMONOUT=$AUTOPKGTEST_TMP/regression-daemon-output
 
 echo "#### pass 1: some optiones disabled"