-rwxr-xr-x | Makefile | 1 | ||||
-rw-r--r-- | packaging/debian/changelog | 3 | ||||
-rw-r--r-- | packaging/debian/control | 4 | ||||
-rwxr-xr-x | src/share/keytrans | 8 | ||||
-rwxr-xr-x | tests/basic | 2 | ||||
-rwxr-xr-x | tests/keytrans | 55 |
6 files changed, 50 insertions, 23 deletions
@@ -81,6 +81,7 @@ releasenote: ./utils/build-releasenote test: + MONKEYSPHERE_TEST_NO_EXAMINE=true ./tests/keytrans MONKEYSPHERE_TEST_NO_EXAMINE=true ./tests/basic .PHONY: all tarball debian-package freebsd-distinfo clean install installman releasenote test diff --git a/packaging/debian/changelog b/packaging/debian/changelog index b5d067b..ec68e14 100644 --- a/packaging/debian/changelog +++ b/packaging/debian/changelog @@ -9,6 +9,7 @@ monkeysphere (0.25-1~pre) UNRELEASED; urgency=low ports - add 'sshfpr' subcommand to output the ssh fingerprint of a gpg key - pem2openpgp now generates self-sigs over SHA-256 instead of SHA-1 + (changes dependency to libdigest-sha-perl) - some portability improvements - properly handle translation of keys with fingerprints with leading all-zero bytes. @@ -16,7 +17,7 @@ monkeysphere (0.25-1~pre) UNRELEASED; urgency=low (closes MS #917) - explicitly set and use MONKEYSPHERE_GROUP from system "groups" (closes: #534008) - * update Standard-Version to 3.8.2 + * update Standard-Version to 3.8.2 (no changes needed) -- Jameson Graef Rollins <jrollins@finestructure.net> Sat, 11 Jul 2009 18:55:25 -0400 diff --git a/packaging/debian/control b/packaging/debian/control index 5f1444c..bbed4b4 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -3,7 +3,7 @@ Section: net Priority: extra Maintainer: Jameson Graef Rollins <jrollins@finestructure.net> Uploaders: Daniel Kahn Gillmor <dkg@fifthhorseman.net> -Build-Depends: debhelper (>= 7.0), socat, openssh-server, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail +Build-Depends: debhelper (>= 7.0), socat, openssh-server, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha-perl, lockfile-progs | procmail Standards-Version: 3.8.2 Homepage: http://web.monkeysphere.info/ Vcs-Git: git://git.monkeysphere.info/monkeysphere 
@@ -11,7 +11,7 @@ Dm-Upload-Allowed: yes Package: monkeysphere Architecture: all -Depends: openssh-client, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha1-perl, lockfile-progs | procmail, adduser, ${misc:Depends} +Depends: openssh-client, gnupg, libcrypt-openssl-rsa-perl, libdigest-sha-perl, lockfile-progs | procmail, adduser, ${misc:Depends} Recommends: netcat | socat, ssh-askpass, cron Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections diff --git a/src/share/keytrans b/src/share/keytrans index 326bfb1..3e6bdf6 100755 --- a/src/share/keytrans +++ b/src/share/keytrans @@ -54,7 +54,7 @@ use File::Basename; use Crypt::OpenSSL::RSA; use Crypt::OpenSSL::Bignum; use Crypt::OpenSSL::Bignum::CTX; -use Digest::SHA1; +use Digest::SHA; use MIME::Base64; use POSIX; @@ -416,7 +416,7 @@ sub fingerprint { my $rsabody = make_rsa_pub_key_body($key, $key_timestamp); - return Digest::SHA1::sha1(pack('Cn', 0x99, length($rsabody)).$rsabody); + return Digest::SHA::sha1(pack('Cn', 0x99, length($rsabody)).$rsabody); } @@ -446,7 +446,7 @@ sub pem2openpgp { my $sigtype = pack('C', $certtype); # RSA my $pubkey_algo = pack('C', $asym_algos->{rsa}); - # SHA1 + # SHA256 my $hash_algo = pack('C', $digests->{sha256}); # FIXME: i'm worried about generating a bazillion new OpenPGP @@ -581,7 +581,7 @@ sub pem2openpgp { $sig_data_to_be_hashed. $trailer; - my $data_hash = Digest::SHA1::sha1_hex($datatosign); + my $data_hash = Digest::SHA::sha256_hex($datatosign); my $issuer_packet = pack('CCa8', 9, $subpacket_types->{issuer}, $keyid); diff --git a/tests/basic b/tests/basic index 5907154..3386f76 100755 --- a/tests/basic +++ b/tests/basic 
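Review bot: The `Digest::SHA::sha1` call kept in `fingerprint` carries no comment saying that SHA-1 is required here, so next to the SHA-256 change in `pem2openpgp` it reads like a leftover. An OpenPGP v4 fingerprint is defined as the SHA-1 digest of the 0x99 octet, the two-octet length and the public key packet body, which is what this line computes. I would add `# v4 fingerprints are SHA-1 by definition (RFC 4880, section 12.2); do not switch this to SHA-256` above the `return`. The body of `fingerprint` starts outside the hunk.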
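Review bot: The digest computed at `Digest::SHA::sha256_hex($datatosign)` and the algorithm octet packed into `$hash_algo` from `$digests->{sha256}` are chosen in two places far apart in `pem2openpgp`, and nothing ties them together. If only one of them is changed, the self-signature names one hash algorithm and is computed with another, and verification fails; the stale `# SHA1` comment corrected in the @@ -446 hunk shows how easily the two drift. A comment at the call such as `# must match $hash_algo above (currently $digests->{sha256})` would make the coupling visible. `pem2openpgp` continues on both sides of these hunks, so how `$data_hash` is consumed is not shown here.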
@@ -35,7 +35,7 @@ perl -MCrypt::OpenSSL::RSA -e 1 2>/dev/null || { echo "You must have the perl mo On debian-derived systems, you can set this up with: apt-get install libcrypt-openssl-rsa-perl" ; exit 1; } -perl -MDigest::SHA1 -e 1 2>/dev/null || { echo "You must have the perl module Digest::SHA1 installed to run this test. +perl -MDigest::SHA -e 1 2>/dev/null || { echo "You must have the perl module Digest::SHA installed to run this test. On debian-derived systems, you can set this up with: apt-get install libdigest-sha1-perl" ; exit 1; } diff --git a/tests/keytrans b/tests/keytrans index 285d17b..199db31 100755 --- a/tests/keytrans +++ b/tests/keytrans @@ -17,12 +17,19 @@ set -e # piped commands should return the code of the first non-zero return set -o pipefail -export TESTDIR=$(dirname "$0") +# make sure the TESTDIR is an absolute path, not a relative one. +export TESTDIR=$(cd $(dirname "$0") && pwd) source "$TESTDIR"/common -## setup trap -trap failed_cleanup EXIT +perl -MCrypt::OpenSSL::RSA -e 1 2>/dev/null || { echo "You must have the perl module Crypt::OpenSSL::RSA installed to run this test. +On debian-derived systems, you can set this up with: + apt-get install libcrypt-openssl-rsa-perl" ; exit 1; } + +perl -MDigest::SHA -e 1 2>/dev/null || { echo "You must have the perl module Digest::SHA installed to run this test. +On debian-derived systems, you can set this up with: + apt-get install libdigest-sha1-perl" ; exit 1; } + ###################################################################### ### SETUP VARIABLES 
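Review bot: The install hint in the failure message still ends with `apt-get install libdigest-sha1-perl`, although the probe on the same statement now checks `Digest::SHA` and packaging/debian/control was moved to `libdigest-sha-perl` in this commit. Following the hint installs Digest::SHA1, so on a system where Digest::SHA is not already present the check keeps failing. The last line of the message should read `apt-get install libdigest-sha-perl`. The copy of this check added to tests/keytrans carries the same stale package name.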
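Review bot: In `export TESTDIR=$(cd $(dirname "$0") && pwd)` the inner `$(dirname "$0")` is unquoted, so a checkout path containing whitespace is word-split before `cd` sees it. Because the assignment is an argument to `export`, the status of the command substitution is discarded and `set -e` does not stop the script; TESTDIR can end up empty and `source "$TESTDIR"/common` then resolves to `/common`. I would write `TESTDIR=$(cd "$(dirname "$0")" && pwd)` followed by `export TESTDIR`.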
@@ -30,17 +37,19 @@ trap failed_cleanup EXIT ## set up some variables to ensure that we're operating strictly in ## the tests, not system-wide: -# make temp dir -TEMPDIR="$TESTDIR"/tmp -if [ -e "$TEMPDIR" ] ; then - echo "tempdir '$TEMPDIR' already exists." - exit 1 -fi -mkdir -p "$TEMPDIR" +mkdir -p "$TESTDIR"/tmp +TEMPDIR=$(mktemp -d "${TMPDIR:-$TESTDIR/tmp}/monkeyspheretest.XXXXXXX") + +mkdir "$TEMPDIR"/bin +ln -s "$TESTDIR"/../src/share/keytrans "$TEMPDIR"/bin/openpgp2ssh +ln -s "$TESTDIR"/../src/share/keytrans "$TEMPDIR"/bin/pem2openpgp # Use the local copy of executables first, instead of system ones. # This should help us test without installing. -export PATH="$TESTDIR"/../src/keytrans:"$PATH" +export PATH="$TEMPDIR"/bin:"$PATH" + +## setup trap +trap failed_cleanup EXIT ###################################################################### ### TEST KEYTRANS @@ -49,6 +58,14 @@ echo "##################################################" echo "### generating openpgp key..." export GNUPGHOME="$TEMPDIR" chmod 700 "$TEMPDIR" + + +# create the key with the same preferences that monkeysphere uses. +cat > "$TEMPDIR"/gpg.conf <<EOF +default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 ZLIB BZIP2 ZIP AES256 AES192 AES CAST5 3DES +cert-digest-algo SHA256 +EOF + # generate a key gpg --batch --$(get_gpg_prng_arg) --gen-key <<EOF Key-Type: RSA 
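Review bot: `trap failed_cleanup EXIT` is now installed only after `mktemp -d`, `mkdir "$TEMPDIR"/bin` and the two `ln -s` calls, so a failure in any of those under `set -e` exits with the freshly created directory left behind. `failed_cleanup` is presumably defined in the sourced tests/common, which is not part of this diff, so whether it tolerates a missing `bin/` needs confirming; if it does, moving the trap to the line directly after the `TEMPDIR=$(mktemp -d ...)` assignment closes the gap. The unconditional `mkdir -p "$TESTDIR"/tmp` also creates a directory in the source tree when TMPDIR is set and the fallback is never used.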
@@ -71,13 +88,21 @@ echo "### exporting key to ssh file..." gpg --export-secret-key | openpgp2ssh > \ "$TEMPDIR"/test.pem +gpg --export-secret-key > "$TEMPDIR"/secret.key + +PEM2OPENPGP_USAGE_FLAGS=sign,certify \ +PEM2OPENPGP_TIMESTAMP="$timestamp" pem2openpgp testtest \ + < "$TEMPDIR"/test.pem > "$TEMPDIR"/converted.secret.key + echo "##################################################" echo "### reconvert key, and compare to key in gpg keyring..." diff -u \ - <(gpg --export-secret-key | hd) \ - <(PEM2OPENPGP_USAGE_FLAGS=sign,certify \ - PEM2OPENPGP_TIMESTAMP="$timestamp" pem2openpgp testtest < \ - "$TEMPDIR"/test.pem | hd ) + <(gpg --list-packets < "$TEMPDIR"/secret.key) \ + <(gpg --list-packets < "$TEMPDIR"/converted.secret.key) + +diff -u \ + <(hd "$TEMPDIR"/secret.key) \ + <(hd "$TEMPDIR"/converted.secret.key) trap - EXIT |
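Review bot: The two consecutive `diff -u` comparisons have no comment explaining why both are needed. As written, the `gpg --list-packets` comparison runs first and, under `set -e`, stops the script before the `hd` comparison, so it appears to exist to give a readable packet-level failure while the `hd` diff is the byte-exact check. I would add `# packet-level diff first for a readable failure; the hex diff below is the byte-for-byte check` above the first `diff -u`. Exit statuses inside the `<( ... )` substitutions are not seen by `set -e`, so a gpg parse error is caught only through differing output.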