[Pkg-openssl-changes] r315 - in openssl-blacklist/trunk: . debian examples
keescook-guest at alioth.debian.org
keescook-guest at alioth.debian.org
Thu May 29 22:42:55 UTC 2008
Author: keescook-guest
Date: 2008-05-29 22:42:54 +0000 (Thu, 29 May 2008)
New Revision: 315
Modified:
openssl-blacklist/trunk/debian/changelog
openssl-blacklist/trunk/debian/control
openssl-blacklist/trunk/debian/dirs
openssl-blacklist/trunk/debian/openssl-blacklist.install
openssl-blacklist/trunk/debian/rules
openssl-blacklist/trunk/examples/gen_certs.sh
openssl-blacklist/trunk/openssl-vulnkey
openssl-blacklist/trunk/openssl-vulnkey.1
Log:
* debian/{rules,dirs,openssl-blacklist.install}: move openssl-vulnkey to
/usr/bin (Closes: #482435).
* examples/gen_certs.sh:
- test for fixed libssl versions (Closes: #483310).
- correctly skip pre-existing PEM files, thanks to Michel Meyers
(Closes: #483542).
- skip invalid pid 32768.
* openssl-vulnkey: allow reading from stdin, based on patch from
Daniel Kahn Gillmor (Closes: #482427).
* debian/control: swap maintainer so Ubuntu syncs do not get confused.
Modified: openssl-blacklist/trunk/debian/changelog
===================================================================
--- openssl-blacklist/trunk/debian/changelog 2008-05-29 01:04:24 UTC (rev 314)
+++ openssl-blacklist/trunk/debian/changelog 2008-05-29 22:42:54 UTC (rev 315)
@@ -1,3 +1,18 @@
+openssl-blacklist (0.3.2) unstable; urgency=low
+
+ * debian/{rules,dirs,openssl-blacklist.install}: move openssl-vulnkey to
+ /usr/bin (Closes: #482435).
+ * examples/gen_certs.sh:
+ - test for fixed libssl versions (Closes: #483310).
+ - correctly skip pre-existing PEM files, thanks to Michel Meyers
+ (Closes: #483542).
+ - skip invalid pid 32768.
+ * openssl-vulnkey: allow reading from stding, based on patch from
+ Daniel Kahn Gillmor (Closes: #482427).
+ * debian/control: swap maintainer so Ubuntu syncs do not get confused.
+
+ -- Kees Cook <kees at outflux.net> Thu, 29 May 2008 15:19:16 -0700
+
openssl-blacklist (0.3.1) unstable; urgency=low
* openssl-vulnkey: fix typo in manpage.
Modified: openssl-blacklist/trunk/debian/control
===================================================================
--- openssl-blacklist/trunk/debian/control 2008-05-29 01:04:24 UTC (rev 314)
+++ openssl-blacklist/trunk/debian/control 2008-05-29 22:42:54 UTC (rev 315)
@@ -2,8 +2,8 @@
Section: net
XS-Python-Version: all
Priority: optional
-Maintainer: Jamie Strandboge <jamie at ubuntu.com>
-Uploaders: Kees Cook <kees at outflux.net>, Christoph Martin <christoph.martin at uni-mainz.de>
+Maintainer: Kees Cook <kees at outflux.net>
+Uploaders: Jamie Strandboge <jamie at ubuntu.com>, Christoph Martin <christoph.martin at uni-mainz.de>
Build-Depends: debhelper (>= 5.0.38), python-central (>= 0.5.6)
Standards-Version: 3.7.3
Vcs-Browser: http://svn.debian.org/wsvn/pkg-openssl/openssl-blacklist
Modified: openssl-blacklist/trunk/debian/dirs
===================================================================
--- openssl-blacklist/trunk/debian/dirs 2008-05-29 01:04:24 UTC (rev 314)
+++ openssl-blacklist/trunk/debian/dirs 2008-05-29 22:42:54 UTC (rev 315)
@@ -1,3 +1,3 @@
-usr/sbin
+usr/bin
usr/share/doc/openssl-blacklist/examples
usr/share/openssl-blacklist
Modified: openssl-blacklist/trunk/debian/openssl-blacklist.install
===================================================================
--- openssl-blacklist/trunk/debian/openssl-blacklist.install 2008-05-29 01:04:24 UTC (rev 314)
+++ openssl-blacklist/trunk/debian/openssl-blacklist.install 2008-05-29 22:42:54 UTC (rev 315)
@@ -1,2 +1,2 @@
usr/share/openssl-blacklist/blacklist.*
-usr/sbin/openssl-vulnkey
+usr/bin/openssl-vulnkey
Modified: openssl-blacklist/trunk/debian/rules
===================================================================
--- openssl-blacklist/trunk/debian/rules 2008-05-29 01:04:24 UTC (rev 314)
+++ openssl-blacklist/trunk/debian/rules 2008-05-29 22:42:54 UTC (rev 315)
@@ -26,11 +26,13 @@
dh_clean -k
dh_installdirs
# Add here commands to install the package into debian/openssl-blacklist.
- cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/openssl-blacklist/usr/sbin/openssl-vulnkey
- cat $(CURDIR)/debian/blacklist.prefix > $(CURDIR)/debian/openssl-blacklist/usr/share/openssl-blacklist/blacklist.RSA-2048
- cat $(CURDIR)/blacklist.RSA-2048 | cut -d ' ' -f 2 | cut -b21- | sort >> $(CURDIR)/debian/openssl-blacklist/usr/share/openssl-blacklist/blacklist.RSA-2048
- cat $(CURDIR)/debian/blacklist.prefix > $(CURDIR)/debian/openssl-blacklist/usr/share/openssl-blacklist/blacklist.RSA-1024
- cat $(CURDIR)/blacklist.RSA-1024 | cut -d ' ' -f 2 | cut -b21- | sort >> $(CURDIR)/debian/openssl-blacklist/usr/share/openssl-blacklist/blacklist.RSA-1024
+ cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/openssl-blacklist/usr/bin/openssl-vulnkey
+ # Trim blacklists to reduce the size of the package without too
+ # drastically creating false positives.
+ for keysize in $$(cd $(CURDIR) && ls blacklist.* | cut -d. -f2); do \
+ cat $(CURDIR)/debian/blacklist.prefix > $(CURDIR)/debian/openssl-blacklist/usr/share/openssl-blacklist/blacklist.$$keysize; \
+ cat $(CURDIR)/blacklist.$$keysize | cut -d ' ' -f 2 | cut -b21- | sort >> $(CURDIR)/debian/openssl-blacklist/usr/share/openssl-blacklist/blacklist.$$keysize; \
+ done
# Build architecture-dependent files here.
binary-arch: build install
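Review bot: A failure inside the new `for` loop does not fail the recipe: each recipe line is a single `sh -c` without `-e`, so the loop's exit status is that of the last command of its last iteration, and within the body the status of the `cat … | cut | cut | sort >>` pipeline is `sort`'s, which succeeds even when the `cat` of the source blacklist fails. Because the prefix is written first and the trimmed hashes are appended afterwards, such a failure ships a `blacklist.<size>` consisting of the prefix alone, and with the membership test openssl-vulnkey performs on the database that means every key of that size is reported as not blacklisted. Iterating over the glob instead of parsing `ls`, running the loop under `set -e`, and checking after the append that the output is longer than the prefix closes that gap. The `install` target this recipe belongs to begins outside the hunk.

```make
	cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/openssl-blacklist/usr/bin/openssl-vulnkey
	# Trim blacklists to reduce the size of the package without too
	# drastically creating false positives.  Fail the build (rather than
	# shipping a prefix-only file) if any blacklist cannot be trimmed.
	set -e; for src in $(CURDIR)/blacklist.*; do \
		keysize=$${src##*.}; \
		dst=$(CURDIR)/debian/openssl-blacklist/usr/share/openssl-blacklist/blacklist.$$keysize; \
		cat $(CURDIR)/debian/blacklist.prefix > $$dst; \
		cut -d ' ' -f 2 "$$src" | cut -b21- | sort >> $$dst; \
		test $$(wc -l < $$dst) -gt $$(wc -l < $(CURDIR)/debian/blacklist.prefix); \
	done
```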
Modified: openssl-blacklist/trunk/examples/gen_certs.sh
===================================================================
--- openssl-blacklist/trunk/examples/gen_certs.sh 2008-05-29 01:04:24 UTC (rev 314)
+++ openssl-blacklist/trunk/examples/gen_certs.sh 2008-05-29 22:42:54 UTC (rev 315)
@@ -1,5 +1,4 @@
#!/bin/sh
-
#
# Author: Jamie Strandboge <jamie at canonical.com>
# Copyright (C) 2008 Canonical Ltd.
@@ -30,6 +29,13 @@
# certs/blacklist-$bits.db
#
+LIBSSL=$(apt-cache policy libssl0.9.8 | grep Installed | awk '{print $NF}')
+dpkg --compare-versions "$LIBSSL" lt 0.9.8g-9 || {
+ echo "Your libssl0.9.8 is newer than the fixed version (0.9.8g-9)." >&2
+ echo "This script is only sensible to run with a broken version. :)" >&2
+ exit 1
+}
+
getpid="./getpid.so"
if [ -z "$1" ]; then
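Review bot: The new version gate does not handle the package being absent: when libssl0.9.8 is not installed, `apt-cache policy` prints `Installed: (none)`, so `LIBSSL` becomes `(none)` and the result depends on how `dpkg --compare-versions` treats that non-version string rather than on an explicit decision, and if `apt-cache` itself fails `LIBSSL` is empty. Add a guard before the comparison, e.g. `[ -n "$LIBSSL" ] && [ "$LIBSSL" != "(none)" ] || { echo "libssl0.9.8 is not installed" >&2; exit 1; }`. The message on the following line also says "newer than" although the `lt` test rejects a version equal to 0.9.8g-9 as well; "is not older than the fixed version (0.9.8g-9)" matches the check as written.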
@@ -64,9 +70,9 @@
ls -l ~/.rnd
fi
- for i in $(seq 1 32768);
+ for i in $(seq 1 32767);
do
- if [ -e "certs/cert-$bits-$i-$type" ]; then
+ if [ -e "certs/cert-$bits-$i-$type.pem" ]; then
continue
fi
FORCE_PID=$i LD_PRELOAD="$getpid" openssl req -newkey rsa:${bits} -x509 -nodes -keyout certs/key-$bits-$i-$type.pem -subj '/C=US/ST=Arizona/O=Testlib/OU=Test/CN=CA' -out certs/cert-$bits-$i-$type.pem
Modified: openssl-blacklist/trunk/openssl-vulnkey
===================================================================
--- openssl-blacklist/trunk/openssl-vulnkey 2008-05-29 01:04:24 UTC (rev 314)
+++ openssl-blacklist/trunk/openssl-vulnkey 2008-05-29 22:42:54 UTC (rev 315)
@@ -24,6 +24,8 @@
import sha
import subprocess
import sys
+import tempfile
+import shutil
version = "0.1.1"
db_prefix = "/usr/share/openssl-blacklist/blacklist.RSA-"
@@ -110,22 +112,31 @@
# Check each file
found = False
for f in args:
+ realname = f
+
+ if f == "-":
+ # dump stdin to tmpfile, operate on tmpfile instead
+ temp = tempfile.NamedTemporaryFile()
+ shutil.copyfileobj(sys.stdin,temp)
+ temp.flush()
+ f = temp.name
+
if not os.path.exists(f):
if not options.quiet:
- print >> sys.stderr, "'%s' could not be opened (skipping)" % (f)
+ print >> sys.stderr, "'%s' could not be opened (skipping)" % (realname)
continue
type = get_type(f)
if type == "":
if not options.quiet:
- print >> sys.stderr, "'%s' is not x509 or rsa (skipping)" % (f)
+ print >> sys.stderr, "'%s' is not x509 or rsa (skipping)" % (realname)
continue
last_bits = ""
bits = get_bits(f, type)
if bits == "":
if not options.quiet:
- print >> sys.stderr, "Key has unknown validity: %s" % (f)
+ print >> sys.stderr, "Key has unknown validity: %s" % (realname)
continue
if last_bits != bits:
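Review bot: The NamedTemporaryFile created for `-` is never closed explicitly, so removal of the on-disk copy of whatever was piped in (plausibly a private key) depends on `temp` being collected when it is rebound on the next iteration or the loop ends; CPython does that promptly, but an explicit close is cheap and documents the intent. Since the loop body continues past this hunk, the simplest form is to initialise a handle to `None` at the top of each iteration and call `close()` at the end of the body and before each `continue`, or to move the per-file work into a helper invoked inside a `try/finally`. A comment on the `tempfile.NamedTemporaryFile()` line would help the next maintainer, e.g. `# stdin may carry a private key: NamedTemporaryFile is created 0600 via mkstemp and unlinked on close`. A second `-` argument presumably reads EOF from the already-consumed stdin and lands in the "is not x509 or rsa" branch, which is probably acceptable but worth a sentence in the manpage.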
@@ -136,7 +147,7 @@
except:
try:
print >> sys.stderr, "WARN: could not open database for %s " \
- "bits (skipping %s)" % (bits, f)
+ "bits (skipping %s)" % (bits, realname)
except IOError:
pass
continue
@@ -148,18 +159,18 @@
modulus = get_modulus(f, type)
if modulus == "":
if not options.quiet:
- print >> sys.stderr, "Problem finding modulus: %s" % (file)
+ print >> sys.stderr, "Problem finding modulus: %s" % (realname)
continue
key = sha.sha(modulus).hexdigest()
#print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:])
if key[20:] in db_lines:
if not options.quiet:
- print "COMPROMISED: %s %s" % (key, f)
+ print "COMPROMISED: %s %s" % (key, realname)
found = True
else:
if not options.quiet:
- print "Not blacklisted: %s %s" % (key, f)
+ print "Not blacklisted: %s %s" % (key, realname)
if found:
sys.exit(1)
Modified: openssl-blacklist/trunk/openssl-vulnkey.1
===================================================================
--- openssl-blacklist/trunk/openssl-vulnkey.1 2008-05-29 01:04:24 UTC (rev 314)
+++ openssl-blacklist/trunk/openssl-vulnkey.1 2008-05-29 22:42:54 UTC (rev 315)
@@ -45,11 +45,25 @@
must be generated using
.Xr openssl 8 .
.Pp
+If
+.Dq -
+is given as an argument,
+.Nm
+will read from standard input.
+This can be used to process certificate output from
+.Xr s_client 1ssl ,
+for example:
+.Pp
+.Dl $ echo | openssl s_client -connect remote.example.org:https | openssl-vulnkey -
+.Pp
+will test the certificate used by remote.example.org for HTTPS.
+.Pp
+The options are as follows:
.Bl -tag -width Ds
.It Fl q
Quiet mode.
Normally,
-.Xr openssl-vulnkey 1
+.Nm
outputs the fingerprint of each file scanned, with a description of its
status.
This option suppresses that output.