Hi,

At Adam's suggestion, I am placing my request for the migration of
ekeyd-1.1.3-1 to testing here.

The ekeyd source package builds three binary-arch packages:

 - ekeyd
 - ekeyd-uds
 - ekeyd-egd-linux

These packages are not installed by default and are only of use to people
who own a Simtec Electronics Entropy Key device.

The upgrade from 1.1.2 to 1.1.3 is a fairly small one, but it contains
various changes which are of significant use to owners of those devices.
Primarily it is a performance improvement although it also includes a
state-machine fix to reduce the likelihood of the host and device getting
out of sync permanently.

The diffstat between 1.1.2-1 and 1.1.3-1 is:

 AUTHORS                        |    2
 COPYING                        |    2
 ChangeLog                      |   26 ++++++++----
 daemon/Makefile                |    5 +-
 daemon/THANKS                  |    1
 daemon/connection.c            |   84 ++++++++++++++++++++++++++++++-----------
 daemon/connection.h            |    3 -
 daemon/control.lua             |   24 +++++++++--
 daemon/egd-linux.c             |    4 -
 daemon/ekeyd.conf.5            |    2
 daemon/ekeydctl.8              |    9 ++++
 daemon/failmodes.h             |   44 ---------------------
 daemon/lstate.c                |    4 +
 daemon/stats.c                 |    1
 daemon/stats.h                 |    1
 device/frames/pem.c            |   46 ++++++++++++----------
 debian/changelog               |   31 +++------------
 debian/control                 |   10 ++--
 debian/ekeyd-egd-linux.default |    2
 debian/ekeyd-egd-linux.init    |    3 -
 debian/ekeyd.init              |    2
 debian/source/format           |    1
 22 files changed, 168 insertions(+), 139 deletions(-)

The diff is attached, but I thought I'd summarise it here for you.

AUTHORS, COPYING, daemon/THANKS and ChangeLog are all the obvious changes
you'd expect given we're acknowledging a new contributor.

The makefile changes allow us to profile the daemon and to clean up
afterwards.

The upstream changelog states that the daemon is better at coping with the
host and device getting out of sync. That comprises the connection.h and
connection.c changes for the most part.

The pem.c change is to improve performance of PEM decode which frees up CPU
time on the host.

Some of the control.lua patch is to remove the debug which was slowing the
daemon down. The rest of the changes are related to the "badness" reporting
patch and do not impact normal operation of the daemon. The failmodes.h
header which was deleted was actually a leak of an internal use of the code
for device bringup and test.

In the debian/ directory, the changelog is as expected, the control file was
a standards version boost and the inclusion of misc:Depends at lintian's
behest. The ekeyd.init and ekeyd-egd-linux.init changes remove the
not-tested status code, replacing it with 'exit 4' to be clear that we're
not sure about the right way to report status yet. The change to
ekeyd-egd-linux.default fixes the default to be what the daemon would
normally do, rather than erroneously making the user expect that the default
might be a 30 second retry. Finally the inclusion of debian/source/format
should be quite clear.

I hope this allays any concerns you might have, and I implore you to accept
this change in before we release because it really does help the owners of
these devices quite a bit.

If you need more information before making your decision, please don't
hesitate to ask me.

Regards,

Daniel.

-- 
Daniel Silverstone http://www.digital-scurf.org/
PGP mail accepted and encouraged. Key Id: 3CCE BABE 206C 3B69

diff -Nru ekeyd-1.1.2/AUTHORS ekeyd-1.1.3/AUTHORS --- ekeyd-1.1.2/AUTHORS 2009-11-16 15:04:28.000000000 +0000 +++ ekeyd-1.1.3/AUTHORS 2010-08-26 14:13:16.000000000 +0000 @@ -15,4 +15,6 @@ Patches to support MirBSD and to better support OpenBSD provided by Thorsten Glaser. +Significant patches to improve performance provided by Nicholas Alcock + The implementation of Skein used in this software was written by Doug Whiting. diff -Nru ekeyd-1.1.2/COPYING ekeyd-1.1.3/COPYING --- ekeyd-1.1.2/COPYING 2009-07-19 17:46:08.000000000 +0000 +++ ekeyd-1.1.3/COPYING 2010-08-26 14:12:49.000000000 +0000 @@ -1,4 +1,4 @@ -Copyright Simtec Electronics 2009 +Copyright Simtec Electronics 2009, 2010 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff -Nru ekeyd-1.1.2/ChangeLog ekeyd-1.1.3/ChangeLog --- ekeyd-1.1.2/ChangeLog 2010-04-19 15:16:10.000000000 +0000 +++ ekeyd-1.1.3/ChangeLog 2010-08-29 12:43:19.000000000 +0000 
@@ -4,20 +4,30 @@ This document summarises the changes between public releases of the Entropy Key host software. +v1.1.3 + * Improve handling of failed rekeying. Will now attempt to + re-establish a keyed session every 50 recived packets instead of + leaving the connection "Long term key bad" + * Removed some debug to improve CPU consumption. + * PEM Decode speedup, courtesy of nix@esperi.org.uk + * EGD Entropy dispatch speedup, courtesy of nix@esperi.org.uk + * Key badness rework, courtesy of nix@esperi.org.uk + * EGD-Linux tool resilient in the face of EINTR of poll() + v1.1.2 - Various improvements in internal buffer management. - Improve serial number handling in ekey-rekey. - Support hostnames in egd-linux. + * Various improvements in internal buffer management. + * Improve serial number handling in ekey-rekey. + * Support hostnames in egd-linux. - This patch provided by Tollef Fog Heen of Collabora. - Keyring writing in ekey-setkey is now more careful with + * Keyring writing in ekey-setkey is now more careful with its permissions. Concept courtesy of Kees Cook of Debian - Improve serial number handling in munin script. + * Improve serial number handling in munin script. - This patch provided by Wouter Verhelst of Debian - Improve the TotalEntropy munin graph by setting a minimum + * Improve the TotalEntropy munin graph by setting a minimum for the Y axis. This corrects issues in the graph when the daemon restarts. - -v1.1.1 + +v1.1.1 Fix bug where ekeyd would sit and spin if ekeydctl shutdown was used to stop the daemon. Improve logging and retry behaviour for ekeyd-egd-linux. diff -Nru ekeyd-1.1.2/daemon/Makefile ekeyd-1.1.3/daemon/Makefile --- ekeyd-1.1.2/daemon/Makefile 2010-09-06 11:02:35.000000000 +0000 +++ ekeyd-1.1.3/daemon/Makefile 2010-08-29 12:40:10.000000000 +0000 
@@ -102,10 +102,11 @@ CFLAGS += $(INCLUDES) CFLAGS += -g -Wall $(OPT) CFLAGS += -fno-strict-aliasing -LIBS += -llua$(LUA_V) +LIBS += -llua$(LUA_V) -lm $(LIBDL) CFLAGS += -std=c99 -Wall -pedantic -Wshadow -Werror -D_GNU_SOURCE CFLAGS += '-DCONFIGFILE="$(SYSCONFPREFIX)/ekeyd.conf"' '-DPIDFILE="$(RUNTIMEPRE LDFLAGS += $(LIBDIRS) +CFLAGS += $(EXTRA_CFLAGS) ekey-ulusbd: ekey-ulusbd.o daemonise_ulusbd.o $(CC) $(CFLAGS) $(PTHFLAGS) $(LDFLAGS) -o $@ $^ -lusb $(PTHLIBS) @@ -136,7 +137,7 @@ if test -x $<; then chmod +x $@; fi clean: - $(RM) rdpkt ekeyd ekey-setkey *.o control.inc ../device/skeinwrap.o ../dinux control.inc.new ekeydctl ekey-ulusbd + $(RM) rdpkt ekeyd ekey-setkey *.o control.inc ../device/skeinwrap.o ../dinux control.inc.new ekeydctl ekey-ulusbd *.gcda gmon.out olddeps: sudo apt-get install lua5.1 liblua5.1-socket2 liblua5.1-posix0 liblua5.1 diff -Nru ekeyd-1.1.2/daemon/THANKS ekeyd-1.1.3/daemon/THANKS --- ekeyd-1.1.2/daemon/THANKS 2009-08-16 17:27:16.000000000 +0000 +++ ekeyd-1.1.3/daemon/THANKS 2010-08-26 14:12:21.000000000 +0000 @@ -14,3 +14,4 @@ Lesley Mitchell (RPM packaging work) M Joonas Pihlaja (OpenBSD assistance) Daniel Stone (OpenBSD assistance) +Nicholas Alcock (Lots optimisations and tidying) diff -Nru ekeyd-1.1.2/daemon/connection.c ekeyd-1.1.3/daemon/connection.c --- ekeyd-1.1.2/daemon/connection.c 2009-11-29 21:23:32.000000000 +0000 +++ ekeyd-1.1.3/daemon/connection.c 2010-08-09 14:57:12.000000000 +0000 @@ -28,13 +28,15 @@ #include "packet.h" #include "keydb.h" #include "connection.h" -#include "failmodes.h" /** The maximum number of packets following a keying request before we * issue a reset instead of waiting. */ #define MAX_PACKETS_BEFORE_RESET 5 +/* Number of rekey requests to stay in ESTATE_KEYED_BAD after a bad session key +#define MAX_REKEYS_BEFORE_RESET 50 + /* The minimum number of bytes in a shannon info frame to allow updates */ #define MIN_SHANNON_SIZE 100 
@@ -61,21 +63,6 @@ return state->current_state; } -/** Bad key packet handler - * - * Handler for packets which indicate a bad key was set up. - * - * @param state The current connection state. - * @param buf The packets data, will be unused. - * @param count The length of the data in \a buf. - * @return The unstrusted state machine state. - */ -static ekey_state_t -badkey_pkt_handler(econ_state_t *state, uint8_t *buf, size_t count) -{ - return ESTATE_UNTRUSTED; -} - /** Reset packet handler * * Handler for packets which cause the reset of the entropy key connection. 
@@ -100,6 +87,58 @@ return ESTATE_INIT; } +/** Bad key packet handler + * + * Handler for packets which indicate a bad session key was set up. + * + * @param state The current connection state. + * @param buf The packets data, will be unused. + * @param count The length of the data in \a buf. + * @return The unstrusted state machine state. + */ +static ekey_state_t +badkey_pkt_handler(econ_state_t *state, uint8_t *buf, size_t count) +{ + /* session rekeying failed */ + reset_pkt_handler(state, buf, count); + + state->keyreq_counter = 0; + + return ESTATE_KEYED_BAD; +} + +/** Key request packet counter + * + * Handler for packets which would cause a session keying request if + * the previous one had not failed.. + * + * @param state The current connection state. + * @param buf The packets data, will be unused. + * @param count The length of the data in \a buf. + * @return Either remaining here or resetting. + */ +static ekey_state_t +badkey_count_pkt_handler(econ_state_t *state, uint8_t *buf, size_t count) +{ + char *serialnumber; + + if (state->keyreq_counter++ < MAX_REKEYS_BEFORE_RESET) { + return state->current_state; + } + + serialnumber = econ_getsnum(state); + if (serialnumber == NULL) { + syslog(LOG_WARNING, "UnknownKey: Retrying keying process."); + } else { + syslog(LOG_WARNING, "%s: Retrying keying process.", serialnumber); + free(serialnumber); + } + + return reset_pkt_handler(state, buf, count); +} + + + /** Information packet handler * @@ -370,20 +409,20 @@ /* update statistics */ state->con_entropy += count; - //fprintf(stderr, "seq no %d\n",seq_num); #ifdef SBQS_MESSAGES printf("DONE %d\n", seq_num); if (seq_num == 4095) { /* When processing in SBQS mode, we should stop now */ estream_close(state->key_stream); state->key_stream = NULL; - state->current_state = ESTATE_CLOSE; sbqs_end_timing(); + return ESTATE_CLOSE; } -#else +#endif + if (seq_num == 4095) return keyreq_pkt_handler(state, NULL, 0); -#endif + return ESTATE_KEYED; } 
@@ -449,6 +488,7 @@ switch (state) { case ESTATE_CLOSE: case ESTATE_UNTRUSTED: + case ESTATE_KEYED_BAD: return null_pkt_handler; } @@ -483,6 +523,8 @@ pkt_handlers[ESTATE_KEYED_FIRST][PKTTYPE_INFO] = info_pkt_handler; pkt_handlers[ESTATE_KEYED_FIRST][PKTTYPE_KEYREJECTED] = badkey_pkt_handler; + pkt_handlers[ESTATE_KEYED_BAD][PKTTYPE_KEYREQ] = badkey_count_pkt_handler; + pkt_handlers[ESTATE_KEYED][PKTTYPE_ENTROPY] = entropy_pkt_handler; pkt_handlers[ESTATE_KEYED][PKTTYPE_INFO] = info_pkt_handler; pkt_handlers[ESTATE_KEYED][PKTTYPE_KEYREQ] = keyreq_pkt_handler; @@ -519,7 +561,7 @@ state->eframer = eframe_open(state->key_stream); state->epkt = epkt_open(state->eframer); state->current_state = ESTATE_INIT; - state->key_badness = efm_ok; + state->key_badness = 0; /* efm_ok, see control.lua */ state->con_start = time(NULL); diff -Nru ekeyd-1.1.2/daemon/connection.h ekeyd-1.1.3/daemon/connection.h --- ekeyd-1.1.2/daemon/connection.h 2009-11-23 23:58:44.000000000 +0000 +++ ekeyd-1.1.3/daemon/connection.h 2010-08-09 14:57:12.000000000 +0000 @@ -22,6 +22,7 @@ ESTATE_SESSION, /** Connection requires keying for session. */ ESTATE_SESSION_SENT, /** keying packet sent, waiting for session. */ ESTATE_KEYED_FIRST, /** State for first packet after session key issued */ + ESTATE_KEYED_BAD, /** The session key setting failed */ ESTATE_KEYED, /** Connection is active and session key is ok. */ ESTATE_SIZE } ekey_state_t; @@ -65,7 +66,7 @@ uint32_t key_dbsd_entl; /**< debiased shanons per bit of left input */ uint32_t key_dbsd_entr; /**< debiased shanons per bit of left input */ - char key_badness; /**< badness indicator \see failmodes.h */ + char key_badness; /**< badness indicator \see control.lua */ }; diff -Nru ekeyd-1.1.2/daemon/control.lua ekeyd-1.1.3/daemon/control.lua --- ekeyd-1.1.2/daemon/control.lua 2009-11-05 17:24:52.000000000 +0000 +++ ekeyd-1.1.3/daemon/control.lua 2010-08-09 14:57:12.000000000 +0000 
@@ -174,6 +174,19 @@ local ekey_list = {} local ekey_nr = 1 +local failmodes = { + ["0"] = { "efm_ok", "No failure" }, + ["1"] = { "efm_raw_left_bad", "Left generator is no longer random" }, + ["2"] = { "efm_raw_right_bad", "Right generator is no longer random" }, + ["3"] = { "efm_raw_xor_bad", "Generators have become correlated" }, + ["4"] = { "efm_debias_left_bad", "Left generator is strongly biassed" }, + ["5"] = { "efm_debias_right_bad", "Right generator is strongly biassed" }, + ["7"] = { "efm_temp_too_low", "Temperature detected below threshold" }, + ["8"] = { "efm_temp_too_high", "Temperature detected above threshold" }, + ["9"] = { "efm_fips1402_threshold_exceeded", "FIPS 140-2 tests exceeded thre + ["A"] = { "efm_volt_too_low", "Voltage too low" }, + ["B"] = { "efm_volt_too_high", "Voltage too high" }} + local function update_ekey_stat(ekey) ekey.stats = ekey_stat(ekey.ekey) ekey.stats["EntropyRate"] = math.floor((ekey.stats["TotalEntropy"] * 8) / ek @@ -194,6 +207,9 @@ ekey.stats["WriteRate"] = math.floor((ekey.stats["BytesWritten"] * 8) / ekey + ekey.stats["KeyShortBadness"] = failmodes[ekey.stats["KeyRawBadness"]][1] + ekey.stats["KeyEnglishBadness"] = failmodes[ekey.stats["KeyRawBadness"]][2] + end local function update_ekey(ekey) @@ -269,16 +285,16 @@ local function dequeue_entropy(nbytes) local retstr = "" while total_entropy > 0 and nbytes > 0 do - local eval = entropy_blocks[1] + local eval = entropy_blocks[#entropy_blocks] if #eval <= nbytes then retstr = retstr .. eval nbytes = nbytes - #eval - tremove(entropy_blocks, 1) + tremove(entropy_blocks, #entropy_blocks) total_entropy = total_entropy - #eval else retstr = retstr .. strsub(eval, 1, nbytes) total_entropy = total_entropy - nbytes - entropy_blocks[1] = strsub(eval, nbytes + 1) + entropy_blocks[#entropy_blocks] = strsub(eval, nbytes + 1) nbytes = 0 end end 
@@ -820,5 +836,3 @@ debug.sethook(hookfunc, "", 100) -gc("setpause", 50) -gc("setstepmul", 500) diff -Nru ekeyd-1.1.2/daemon/egd-linux.c ekeyd-1.1.3/daemon/egd-linux.c --- ekeyd-1.1.2/daemon/egd-linux.c 2010-04-19 13:44:39.000000000 +0000 +++ ekeyd-1.1.3/daemon/egd-linux.c 2010-08-29 12:39:54.000000000 +0000 @@ -324,8 +324,8 @@ signal(SIGPIPE, SIG_IGN); /* Main poll for activity */ - while (poll(poll_fds, 2, -1) != -1) { - + for (int ret = 0; (ret != -1) || (errno == EINTR); ret = poll(poll_fds, 2, + if (poll_fds[RND_POLLFD].revents & (POLLERR | POLLHUP | POLLNVAL)) { syslog(LOG_INFO, "Linux random device poll error"); break; diff -Nru ekeyd-1.1.2/daemon/ekeyd.conf.5 ekeyd-1.1.3/daemon/ekeyd.conf.5 --- ekeyd-1.1.2/daemon/ekeyd.conf.5 2009-11-16 15:04:39.000000000 +0000 +++ ekeyd-1.1.3/daemon/ekeyd.conf.5 2010-09-06 11:02:35.000000000 +0000 @@ -19,7 +19,7 @@ The daemon is typically controlled using a unix domain socket (\fI/var/run/ekey .TP \fBKeyring\fP The keyring file to use. -The Entropy Key encrypts the data it sends to the host. To succesfully decrypt erial numbers and encryption keys. The keyring is generally updated using the +The Entropy Key encrypts the data it sends to the host. To successfully decryptserial numbers and encryption keys. The keyring is generally updated using the .BR ekey-lt-rekey (8) tool. .TP diff -Nru ekeyd-1.1.2/daemon/ekeydctl.8 ekeyd-1.1.3/daemon/ekeydctl.8 --- ekeyd-1.1.2/daemon/ekeydctl.8 2009-11-16 15:04:39.000000000 +0000 +++ ekeyd-1.1.3/daemon/ekeydctl.8 2010-08-09 14:57:12.000000000 +0000 @@ -87,6 +87,12 @@ .B KeyDbsdShannonPerByteR The estimated number of shannons per byte from the right generator after debias .TP +.B KeyEnglishBadness +Human-readable explanation of any 'badness' state on the device. +.TP +.B KeyRawBadness +The raw badness token (if any) from the device. +.TP .B KeyRawShannonPerByteL The estimated number of shannons per byte from the left generator before debias .TP 
@@ -96,6 +102,9 @@ .B KeyRawShannonPerByteX The estimated number of shannons per byte from the exclusive orred output of th .TP +.B KeyShortBadness +Machine-readable reason for any 'badness' state on the device. +.TP .B KeyTemperatureC The internal temperature in Celsius of the Entropy Key. .TP diff -Nru ekeyd-1.1.2/daemon/failmodes.h ekeyd-1.1.3/daemon/failmodes.h --- ekeyd-1.1.2/daemon/failmodes.h 2009-08-07 16:44:51.000000000 +0000 +++ ekeyd-1.1.3/daemon/failmodes.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,44 +0,0 @@ -/* daemon/failmodes.h - * - * Failure modes of Entropy Keys - * - * Copyright 2009 Simtec Electronics - * - * For licence terms refer to the COPYING file. - */ - -#ifndef DAEMON_FAILMODES_H -#define DAEMON_FAILMODES_H - -/** - * Entropy Key Failure Modes. - */ -typedef enum { - /** No failure */ - efm_ok = '0', - /** Left generator is no longer random */ - efm_raw_left_bad = '1', - /** Right generator is no longer random */ - efm_raw_right_bad = '2', - /** Generators have become correlated */ - efm_raw_xor_bad = '3', - /** Left generator is strongly biassed */ - efm_debias_left_bad = '4', - /** Right generator is strongly biassed */ - efm_debias_right_bad = '5', - - /** Temperature detected below threshold */ - efm_temp_too_low = '7', - /** Temperature detected above threshold */ - efm_temp_too_high = '8', - /** FIPS 140-2 tests exceeded threshold for failed blocks */ - efm_fips1402_threshold_exceeded = '9', - - /** Voltage too low */ - efm_volt_too_low = 'A', - /** Voltage too high */ - efm_volt_too_high = 'B', - -} ekey_failmode_e; - -#endif diff -Nru ekeyd-1.1.2/daemon/lstate.c ekeyd-1.1.3/daemon/lstate.c --- ekeyd-1.1.2/daemon/lstate.c 2009-11-29 21:23:32.000000000 +0000 +++ ekeyd-1.1.3/daemon/lstate.c 2010-08-09 14:57:12.000000000 +0000 
@@ -145,6 +145,10 @@ lua_pushnumber(L, (time(NULL) - key_stats->con_start)); lua_settable(L, -3); + lua_pushliteral(L, "KeyRawBadness"); + lua_pushfstring(L, "%c", key_stats->key_badness); + lua_settable(L, -3); + free(key_stats); return 1; diff -Nru ekeyd-1.1.2/daemon/stats.c ekeyd-1.1.3/daemon/stats.c --- ekeyd-1.1.2/daemon/stats.c 2009-11-29 21:23:32.000000000 +0000 +++ ekeyd-1.1.3/daemon/stats.c 2010-08-09 14:57:12.000000000 +0000 @@ -42,6 +42,7 @@ stats->key_temp = ekey->key_temp; stats->key_voltage = ekey->key_voltage; + stats->key_badness = ekey->key_badness; stats->fips_frame_rate = ekey->fips_frame_rate; stats->key_raw_entl = ekey->key_raw_entl; diff -Nru ekeyd-1.1.2/daemon/stats.h ekeyd-1.1.3/daemon/stats.h --- ekeyd-1.1.2/daemon/stats.h 2009-11-29 21:23:32.000000000 +0000 +++ ekeyd-1.1.3/daemon/stats.h 2010-08-09 14:57:12.000000000 +0000 @@ -32,6 +32,7 @@ int key_temp; /**< Last reported key temerature in deci-kelvin. */ int key_voltage; /**< Last internal supply voltage reported by key. */ + char key_badness; /**< badness indicator \see control.lua */ uint32_t fips_frame_rate; /**< Number of fips frames generated. */ diff -Nru ekeyd-1.1.2/debian/changelog ekeyd-1.1.3/debian/changelog --- ekeyd-1.1.2/debian/changelog 2010-09-06 11:02:35.000000000 +0000 +++ ekeyd-1.1.3/debian/changelog 2010-09-06 11:02:35.000000000 +0000 
@@ -1,28 +1,11 @@ -ekeyd (1.1.2-1) unstable; urgency=low +ekeyd (1.1.3-1) unstable; urgency=low * New upstream release - - Various improvements in internal buffer management. - - Improve serial number handling in ekey-rekey. - (Closes: #575570) - - Support hostnames in egd-linux. - - Keyring writing in ekey-setkey is now more careful with - its permissions. (Closes: #575569) - - Improve serial number handling in munin script. - (Closes: #560167) - - Improve the TotalEntropy munin graph by setting a minimum - for the Y axis. This corrects issues in the graph when - the daemon restarts. - * Add sh4 to the list of architectures supported by egd-linux. - (Closes: #568273) - * Provide better status implementations for the init scripts. - (Closes: #561105) - * Updated ekeyd-egd-linux's defaults file to better expose - the RETRYTIME value. - * Include misc:Depends in the Depends lines of the packages, to clear - some lintian warnings. - * Update to Standards-Version 3.8.4 (no changes needed) - - -- Daniel Silverstone <dsilvers@debian.org> Mon, 19 Apr 2010 17:22:28 +0100 + - Fixes a lot of performance issues. + - Improved rekeying operation to be more resilient + * We expect this to (Closes: #577600) + + -- Daniel Silverstone <dsilvers@debian.org> Sun, 29 Aug 2010 14:08:38 +0100 ekeyd (1.1.1-1) unstable; urgency=low @@ -38,7 +21,7 @@ * Correct FTBFS on hurd-i386 (Closes: #555497) Thanks to Pino Toscano for the patch. - -- Daniel Silverstone <dsilvers@debian.org> Tue, 17 Nov 2009 12:19:10 +0000 + -- Daniel Silverstone <dsilvers@debian.org> Sun, 29 Aug 2010 14:08:33 +0100 ekeyd (1.1.0-1) unstable; urgency=low diff -Nru ekeyd-1.1.2/debian/control ekeyd-1.1.3/debian/control --- ekeyd-1.1.2/debian/control 2010-09-06 11:02:35.000000000 +0000 +++ ekeyd-1.1.3/debian/control 2010-09-06 11:02:35.000000000 +0000 
@@ -4,11 +4,11 @@ Maintainer: Simtec Electronics <support@simtec.co.uk> Uploaders: Daniel Silverstone <dsilvers@debian.org>, Vincent Sanders <vince@deb Build-Depends: debhelper (>= 5), lua5.1, liblua5.1-dev | liblua5.1-0-dev, libus -Standards-Version: 3.8.4 +Standards-Version: 3.9.1 Package: ekeyd Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends}, lua5.1, liblua5.1-socket2 +Depends: ${shlibs:Depends}, lua5.1, liblua5.1-socket2, ${misc:Depends} Recommends: udev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386] Suggests: munin-node Description: Simtec Electronics UDEKEY01 Entropy Key Daemon @@ -20,7 +20,7 @@ Package: ekeyd-uds Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends}, ekeyd (= ${binary:Version}) +Depends: ${shlibs:Depends}, ekeyd (= ${binary:Version}), ${misc:Depends} Description: Simtec Electronics UDEKEY01 Entropy Key Daemon (UDS variant) This package augments the ekeyd package with additional support for running the Entropy Key using a userland daemon written using @@ -31,8 +31,8 @@ or similarly unstable kernel versions. Package: ekeyd-egd-linux -Architecture: alpha amd64 arm armel hppa i386 ia64 mips mipsel powerpc s390 spa -Depends: ${misc:Depends}, ${shlibs:Depends} +Architecture: alpha amd64 arm armel hppa i386 ia64 mips mipsel powerpc s390 spa +Depends: ${shlibs:Depends}, ${misc:Depends} Suggests: ekeyd Description: Transfers entropy from an EGD to the Linux kernel pool This utility reads from an EGD capable service over TCP and writes diff -Nru ekeyd-1.1.2/debian/ekeyd-egd-linux.default ekeyd-1.1.3/debian/ekeyd-eg --- ekeyd-1.1.2/debian/ekeyd-egd-linux.default 2010-09-06 11:02:35.000000000 +0 +++ ekeyd-1.1.3/debian/ekeyd-egd-linux.default 2010-09-06 11:02:35.000000000 +0 
@@ -18,4 +18,4 @@ # SHANNONS=7 # How many seconds between connection retries. Zero means do-not-retry. -RETRYTIME=30 +# RETRYTIME=0 diff -Nru ekeyd-1.1.2/debian/ekeyd-egd-linux.init ekeyd-1.1.3/debian/ekeyd-egd-l --- ekeyd-1.1.2/debian/ekeyd-egd-linux.init 2010-09-06 11:02:35.000000000 +0 +++ ekeyd-1.1.3/debian/ekeyd-egd-linux.init 2010-09-06 11:02:35.000000000 +0 @@ -4,7 +4,6 @@ # Provides: ekeyd-egd-linux # Required-Start: $remote_fs $network # Required-Stop: $remote_fs $network -# Should-Start: ekeyd # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Entropy Key Manager, EGD->Linux pool stirrer @@ -55,7 +54,7 @@ log_end_msg 0 ;; status) - status_of_proc $DAEMON ekeyd-egd-linux + exit 4 ;; *) echo "Usage: /etc/init.d/ekeyd-egd-linux {start|stop}" diff -Nru ekeyd-1.1.2/debian/ekeyd.init ekeyd-1.1.3/debian/ekeyd.init --- ekeyd-1.1.2/debian/ekeyd.init 2010-09-06 11:02:35.000000000 +0000 +++ ekeyd-1.1.3/debian/ekeyd.init 2010-09-06 11:02:35.000000000 +0000 @@ -48,7 +48,7 @@ log_end_msg 0 ;; status) - status_of_proc $DAEMON ekeyd + exit 4 ;; *) echo "Usage: /etc/init.d/ekeyd {start|stop}" diff -Nru ekeyd-1.1.2/debian/source/format ekeyd-1.1.3/debian/source/format --- ekeyd-1.1.2/debian/source/format 1970-01-01 00:00:00.000000000 +0000 +++ ekeyd-1.1.3/debian/source/format 2010-09-06 11:02:35.000000000 +0000 @@ -0,0 +1 @@ +1.0 diff -Nru ekeyd-1.1.2/device/frames/pem.c ekeyd-1.1.3/device/frames/pem.c --- ekeyd-1.1.2/device/frames/pem.c 2009-11-23 23:58:44.000000000 +0000 +++ ekeyd-1.1.3/device/frames/pem.c 2010-08-09 14:51:29.000000000 +0000 
@@ -21,18 +21,22 @@ static const char *dictionary = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; -#define FILLERCHAR ('=') +static int inverse_dictionary[128] = + { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0 -- 9 */ + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 10 -- 19 */ + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 20 -- 29 */ + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 30 -- 39 */ + -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, /* 40 -- 49 */ + 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, /* 50 -- 59 */ + -1, 0, -1, -1, -1, 0, 1, 2, 3, 4, /* 60 -- 69 */ + 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, /* 70 -- 79 */ + 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, /* 80 -- 89 */ + 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, /* 90 -- 99 */ + 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, /* 100--109 */ + 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, /* 110--119 */ + 49, 50, 51, -1, -1, -1, -1, -1 }; /* 120--127 */ -static int -pem64_dict_offset(const char c) -{ - int i; - for (i = 0; i < 64; ++i) { - if (dictionary[i] == c) - return i; - } - return (c == FILLERCHAR) ? 0 : -1; -} +#define FILLERCHAR ('=') /* exported interface documented in pem.h */ int @@ -91,22 +95,22 @@ { unsigned char *outbcopy = outbytes; while (nchars >= 4) { - char + int c1 = intext[0], c2 = intext[1], c3 = intext[2], c4 = intext[3]; int - b1 = pem64_dict_offset(c1), - b2 = pem64_dict_offset(c2), - b3 = pem64_dict_offset(c3), - b4 = pem64_dict_offset(c4); - + b1 = inverse_dictionary[c1], + b2 = inverse_dictionary[c2], + b3 = inverse_dictionary[c3], + b4 = inverse_dictionary[c4]; + if ((b1 == -1) || (b2 == -1) || (b3 == -1) || (b4 == -1)) return outbytes - outbcopy; - + *(outbytes++) = (b1 << 2) | (b2 >> 4); - + if (c3 != FILLERCHAR) *(outbytes++) = ((b2 & 0xf) << 4) | (b3 >> 2); if (c4 != FILLERCHAR) 
@@ -130,8 +134,8 @@ pem64_decode_12bits(const char *intext) { int - b1 = pem64_dict_offset(intext[0]), - b2 = pem64_dict_offset(intext[1]); + b1 = inverse_dictionary[(int) intext[0]], + b2 = inverse_dictionary[(int) intext[1]]; if ((b1 == -1) || (b2 == -1)) return 0;
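
Review bot: in daemon/connection.c, hunk @@ -28,13 +28,15 @@, the comment added above "#define MAX_REKEYS_BEFORE_RESET 50" has no closing "*/" in the lines shown, so as posted the define sits inside the comment. If the terminator was only lost to line truncation in the mail, the line is still overlong; wrap it as a "/** ... */" block like the one above MAX_PACKETS_BEFORE_RESET. The comment also counts "rekey requests" while the ChangeLog entry says "every 50 recived packets"; please say which of the two the counter measures.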
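
Review bot: in daemon/connection.c, hunk @@ -100,6 +87,58 @@, the doc comment on the re-added badkey_pkt_handler still reads "@return The unstrusted state machine state." although the function now returns ESTATE_KEYED_BAD. Update the @return line to name the new state and fix the "unstrusted" spelling while there; the description of badkey_count_pkt_handler also ends in a double full stop.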
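
Review bot: in daemon/connection.c, hunk @@ -519,7 +561,7 @@, "state->key_badness = 0; /* efm_ok, see control.lua */" stores integer zero, but the removed failmodes.h defined efm_ok as the character '0' and the new failmodes table in control.lua is keyed by the string "0". lstate.c formats this field with lua_pushfstring(L, "%c", key_stats->key_badness), so until the device reports a badness token the KeyRawBadness value will not be "0" and will not match any table key. Initialise the field with '0' to keep the old value.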
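
Review bot: in daemon/control.lua, hunk @@ -194,6 +207,9 @@, failmodes[ekey.stats["KeyRawBadness"]][1] indexes the result of the lookup without checking it. The failmodes table added in the previous hunk has no entry for "6" or for anything other than the listed tokens, so an unexpected value makes the lookup nil and the index raises an error inside update_ekey_stat. Fetch the entry once into a local and fall back to an explicit "unknown" pair when it is nil, so a stats query cannot fail on an unrecognised token.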
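
Review bot: in daemon/egd-linux.c, hunk @@ -324,8 +324,8 @@, the new loop condition "(ret != -1) || (errno == EINTR)" lets the loop body run after an interrupted poll(), and also on the first pass, where ret is initialised to 0 before poll() has been called at all. In both cases the revents test that follows acts on values poll() did not fill in for that pass. Keeping the while form and issuing "continue" when poll() returns -1 with errno == EINTR would give the same EINTR resilience while only running the body after a successful poll().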
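
Review bot: in debian/changelog, hunk @@ -1,28 +1,11 @@ replaces the 1.1.2-1 entry with the 1.1.3-1 entry instead of adding the new entry above it, and hunk @@ -38,7 +21,7 @@ changes the trailer date of an older entry from 17 Nov 2009 to 29 Aug 2010. Entries for versions already uploaded should stay byte-for-byte as they were, so the 1.1.3-1 stanza should appear here as a pure addition. The new entry also does not mention the init script, defaults file, Standards-Version or debian/source/format changes carried in this diff.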
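
Review bot: in debian/ekeyd-egd-linux.init, hunk @@ -4,7 +4,6 @@, the "# Should-Start: ekeyd" header is dropped with no explanation in debian/changelog. On a host running both daemons this removes the ordering hint between them, so please document why it is no longer wanted. In the status) branches of both init scripts, a short comment next to "exit 4" saying that it stands for "status unknown" would record the intent in the script itself.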
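
Review bot: in device/frames/pem.c, the decode loop (hunk @@ -91,22 +95,22 @@) and pem64_decode_12bits (hunk @@ -130,8 +134,8 @@) index the 128-entry inverse_dictionary with a value taken straight from intext, with no range check. "int c1 = intext[0]" followed by "inverse_dictionary[c1]" reads before the start of the table when char is signed and the byte is 0x80 or above, and past its end when char is unsigned, whereas the removed pem64_dict_offset() returned -1 for every such byte. Since this decodes data arriving from the device, reject any index outside 0..127 before the lookup (treating it as -1), or make the table 256 entries and index it through unsigned char. The table is never written, so it can also be declared const.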