[Pkg-openssl-changes] r347 - in openssl-blacklist/tags: . 0.5-1 0.5-1/debian
Kees Cook
kees at alioth.debian.org
Wed Apr 8 17:05:10 UTC 2009
Author: kees
Date: 2009-04-08 17:05:10 +0000 (Wed, 08 Apr 2009)
New Revision: 347
Added:
openssl-blacklist/tags/0.5-1/
openssl-blacklist/tags/0.5-1/debian/changelog
openssl-blacklist/tags/0.5-1/debian/control
openssl-blacklist/tags/0.5-1/debian/rules
openssl-blacklist/tags/0.5-1/openssl-vulnkey
openssl-blacklist/tags/0.5-1/test.sh
Removed:
openssl-blacklist/tags/0.5-1/debian/changelog
openssl-blacklist/tags/0.5-1/debian/control
openssl-blacklist/tags/0.5-1/debian/rules
openssl-blacklist/tags/0.5-1/openssl-vulnkey
openssl-blacklist/tags/0.5-1/test.sh
Log:
releasing 0.5-1
Property changes on: openssl-blacklist/tags/0.5-1
___________________________________________________________________
Added: bzr:revision-info
+ timestamp: 2008-06-19 12:18:24.163000107 -0400
committer: Jamie Strandboge <jamie at canonical.com>
properties:
branch-nick: trunk
Added: bzr:file-ids
+
Added: bzr:ancestry:v3-trunk1
+ svn-v3-trunk1:e5c9a478-d7fa-0310-a32d-da2538be928f:openssl-blacklist%2Ftrunk:323
svn-v3-trunk1:e5c9a478-d7fa-0310-a32d-da2538be928f:openssl-blacklist%2Ftrunk:330
Added: bzr:revision-id:v3-trunk1
+ 7 jamie at canonical.com-20080611181628-1jidf2vvbj6fhrej
8 jamie at canonical.com-20080611182038-0jvtotmqzgpztqmy
9 jamie at canonical.com-20080611203303-ntv6xbllqf4nke36
10 jamie at canonical.com-20080616173025-h90sab8mvwv9gnqm
11 jamie at canonical.com-20080619161608-sczbwyhmt8vtbf9m
12 jamie at canonical.com-20080619161824-s2aj7rsnbilf4gbz
Added: svn:mergeinfo
+
Added: svk:merge
+ e5c9a478-d7fa-0310-a32d-da2538be928f:/openssl-blacklist/trunk:323
e5c9a478-d7fa-0310-a32d-da2538be928f:/openssl-blacklist/trunk:330
Deleted: openssl-blacklist/tags/0.5-1/debian/changelog
===================================================================
--- openssl-blacklist/trunk/debian/changelog 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/tags/0.5-1/debian/changelog 2009-04-08 17:05:10 UTC (rev 347)
@@ -1,117 +0,0 @@
-openssl-blacklist (0.4.2) UNRELEASED; urgency=low
-
- * update openssl-vulnkey to use GPL version 3 as specified in
- debian/copyright
-
- -- Jamie Strandboge <jamie at ubuntu.com> Thu, 19 Jun 2008 12:17:06 -0400
-
-openssl-blacklist (0.4.2) unstable; urgency=low
-
- * Add openssl to the Build-Deps, since it is required for the tests.
-
- -- Kees Cook <kees at outflux.net> Tue, 17 Jun 2008 15:27:38 -0700
-
-openssl-blacklist (0.4.1) unstable; urgency=low
-
- [ Jamie Strandboge ]
- * add RSA-4096 blacklist for le64
- * install RSA-4096 blacklist
- * don't send STDERR to STDOUT as this may interfere with obtaining the
- modulus with long bits
-
- [ Kees Cook ]
- * debian/rules:
- - add new examples (using wildcards)
- - include run of internal tests during build
- * debian/control: bump to standards version 3.8.0 (no changes needed)
-
- -- Kees Cook <kees at outflux.net> Mon, 16 Jun 2008 11:48:09 -0700
-
-openssl-blacklist (0.4) unstable; urgency=low
-
- * allow checking of certificate requests
- * only check moduli with an exponent of 65537 (the default on Debian/Ubuntu)
- * update gen_certs.sh for when ~/.rnd does not exist when openssl is run
- which can happen with openssl 0.9.8g and higher
- * update gen_certs.sh to use '0' (in case of PID randomization)
- * added more examples
- * only prompt once for password (Closes: #483500)
- * properly cache database reads when bits are same
- * added '-m' and '-b' arguments. This is helpful for applications calling
- openssl-vulnkey when the modulus and bits are known, such as openvpn.
- * man page updates
- * added test.sh
- * added blacklists for when ~/.rnd does not exist when openssl is run
- (LP: #232104)
- * added 512 bit and partial 4096 blacklists (need le64) (LP: #231014)
- * reorganized source databases, and ship the new gen_certs.sh format
- * debian/rules: updated to use new blacklist format and organization
- * create openssl-blacklist-extra package (but don't ship 4096 yet)
-
- -- Jamie Strandboge <jamie at ubuntu.com> Tue, 10 Jun 2008 09:09:48 -0400
-
-openssl-blacklist (0.3.2) unstable; urgency=low
-
- * debian/{rules,dirs,openssl-blacklist.install}: move openssl-vulnkey to
- /usr/bin (Closes: #482435).
- * examples/gen_certs.sh:
- - test for fixed libssl versions (Closes: #483310).
- - correctly skip pre-existing PEM files, thanks to Michel Meyers
- (Closes: #483542).
- - skip invalid pid 32768.
- * openssl-vulnkey: allow reading from stding, based on patch from
- Daniel Kahn Gillmor (Closes: #482427).
- * debian/control: swap maintainer so Ubuntu syncs do not get confused.
-
- -- Kees Cook <kees at outflux.net> Thu, 29 May 2008 15:19:16 -0700
-
-openssl-blacklist (0.3.1) unstable; urgency=low
-
- * openssl-vulnkey: fix typo in manpage.
- * debian/control: add Vcs details, adjust uploaders line.
- * debian/rules: switch to using dh_installexamples.
-
- -- Kees Cook <kees at outflux.net> Wed, 28 May 2008 13:25:46 -0700
-
-openssl-blacklist (0.3) unstable; urgency=low
-
- * Initial Debian release (keeping changelog for clarity), Closes: #482047.
-
- -- Kees Cook <kees at outflux.net> Wed, 21 May 2008 03:58:17 -0700
-
-openssl-blacklist (0.2) intrepid; urgency=low
-
- * update openssl-vulnkey to also check x509 certificates, with corresponding
- manpage update
- * support 512, 4096 and 8192 databases
- * don't exit if can't open the database (this way databases can optionally be
- added
- * publish complete RSA-1024 and RSA-2048 blacklist for all available
- architectures on Ubuntu
- * fix manpage typos
- * debian/control: use net/optional
- * use python-central and follow DebianPython/NewPolicy
- * added get_certs.sh and getpid.c
-
- -- Jamie Strandboge <jamie at ubuntu.com> Fri, 16 May 2008 08:32:13 -0400
-
-openssl-blacklist (0.1-0ubuntu0.8.04.2) hardy-security; urgency=low
-
- * openssl-vulnkey:
- - Don't exit if the key cannot be parsed.
- - Don't fail if stderr is not available. (LP: #230193)
-
- -- Mathias Gug <mathiaz at ubuntu.com> Wed, 14 May 2008 14:24:07 +0200
-
-openssl-blacklist (0.1-0ubuntu0.8.04.1) hardy-security; urgency=low
-
- * no change rebuild for -security
-
- -- Jamie Strandboge <jamie at ubuntu.com> Tue, 13 May 2008 04:02:50 -0400
-
-openssl-blacklist (0.1) unstable; urgency=low
-
- * Initial release.
-
- -- Jamie Strandboge <jamie at ubuntu.com> Fri, 12 May 2008 15:44:32 -0400
-
Copied: openssl-blacklist/tags/0.5-1/debian/changelog (from rev 346, openssl-blacklist/trunk/debian/changelog)
===================================================================
--- openssl-blacklist/tags/0.5-1/debian/changelog (rev 0)
+++ openssl-blacklist/tags/0.5-1/debian/changelog 2009-04-08 17:05:10 UTC (rev 347)
@@ -0,0 +1,127 @@
+openssl-blacklist (0.5-1) jaunty; urgency=low
+
+ [ Jamie Strandboge ]
+ * update openssl-vulnkey to use GPL version 3 as specified in
+ debian/copyright.
+
+ [ Kees Cook ]
+ * openssl-vulnkey:
+ - replace sha with hashlib Python module to silence Python 2.6 warnings.
+ - adjust skip/error handling, reporting more details (Closes: #498326).
+ - pull version when building instead of being hard-coded.
+ * debian/rules: use an orig.tar.gz since the blacklist files themselves
+ are static, to save space in the archive.
+ * test.sh: added mixed good/bad testing.
+
+ -- Kees Cook <kees at debian.org> Wed, 08 Apr 2009 08:12:11 -0700
+
+openssl-blacklist (0.4.2) unstable; urgency=low
+
+ * Add openssl to the Build-Deps, since it is required for the tests.
+
+ -- Kees Cook <kees at outflux.net> Tue, 17 Jun 2008 15:27:38 -0700
+
+openssl-blacklist (0.4.1) unstable; urgency=low
+
+ [ Jamie Strandboge ]
+ * add RSA-4096 blacklist for le64
+ * install RSA-4096 blacklist
+ * don't send STDERR to STDOUT as this may interfere with obtaining the
+ modulus with long bits
+
+ [ Kees Cook ]
+ * debian/rules:
+ - add new examples (using wildcards)
+ - include run of internal tests during build
+ * debian/control: bump to standards version 3.8.0 (no changes needed)
+
+ -- Kees Cook <kees at outflux.net> Mon, 16 Jun 2008 11:48:09 -0700
+
+openssl-blacklist (0.4) unstable; urgency=low
+
+ * allow checking of certificate requests
+ * only check moduli with an exponent of 65537 (the default on Debian/Ubuntu)
+ * update gen_certs.sh for when ~/.rnd does not exist when openssl is run
+ which can happen with openssl 0.9.8g and higher
+ * update gen_certs.sh to use '0' (in case of PID randomization)
+ * added more examples
+ * only prompt once for password (Closes: #483500)
+ * properly cache database reads when bits are same
+ * added '-m' and '-b' arguments. This is helpful for applications calling
+ openssl-vulnkey when the modulus and bits are known, such as openvpn.
+ * man page updates
+ * added test.sh
+ * added blacklists for when ~/.rnd does not exist when openssl is run
+ (LP: #232104)
+ * added 512 bit and partial 4096 blacklists (need le64) (LP: #231014)
+ * reorganized source databases, and ship the new gen_certs.sh format
+ * debian/rules: updated to use new blacklist format and organization
+ * create openssl-blacklist-extra package (but don't ship 4096 yet)
+
+ -- Jamie Strandboge <jamie at ubuntu.com> Tue, 10 Jun 2008 09:09:48 -0400
+
+openssl-blacklist (0.3.2) unstable; urgency=low
+
+ * debian/{rules,dirs,openssl-blacklist.install}: move openssl-vulnkey to
+ /usr/bin (Closes: #482435).
+ * examples/gen_certs.sh:
+ - test for fixed libssl versions (Closes: #483310).
+ - correctly skip pre-existing PEM files, thanks to Michel Meyers
+ (Closes: #483542).
+ - skip invalid pid 32768.
+ * openssl-vulnkey: allow reading from stding, based on patch from
+ Daniel Kahn Gillmor (Closes: #482427).
+ * debian/control: swap maintainer so Ubuntu syncs do not get confused.
+
+ -- Kees Cook <kees at outflux.net> Thu, 29 May 2008 15:19:16 -0700
+
+openssl-blacklist (0.3.1) unstable; urgency=low
+
+ * openssl-vulnkey: fix typo in manpage.
+ * debian/control: add Vcs details, adjust uploaders line.
+ * debian/rules: switch to using dh_installexamples.
+
+ -- Kees Cook <kees at outflux.net> Wed, 28 May 2008 13:25:46 -0700
+
+openssl-blacklist (0.3) unstable; urgency=low
+
+ * Initial Debian release (keeping changelog for clarity), Closes: #482047.
+
+ -- Kees Cook <kees at outflux.net> Wed, 21 May 2008 03:58:17 -0700
+
+openssl-blacklist (0.2) intrepid; urgency=low
+
+ * update openssl-vulnkey to also check x509 certificates, with corresponding
+ manpage update
+ * support 512, 4096 and 8192 databases
+ * don't exit if can't open the database (this way databases can optionally be
+ added
+ * publish complete RSA-1024 and RSA-2048 blacklist for all available
+ architectures on Ubuntu
+ * fix manpage typos
+ * debian/control: use net/optional
+ * use python-central and follow DebianPython/NewPolicy
+ * added get_certs.sh and getpid.c
+
+ -- Jamie Strandboge <jamie at ubuntu.com> Fri, 16 May 2008 08:32:13 -0400
+
+openssl-blacklist (0.1-0ubuntu0.8.04.2) hardy-security; urgency=low
+
+ * openssl-vulnkey:
+ - Don't exit if the key cannot be parsed.
+ - Don't fail if stderr is not available. (LP: #230193)
+
+ -- Mathias Gug <mathiaz at ubuntu.com> Wed, 14 May 2008 14:24:07 +0200
+
+openssl-blacklist (0.1-0ubuntu0.8.04.1) hardy-security; urgency=low
+
+ * no change rebuild for -security
+
+ -- Jamie Strandboge <jamie at ubuntu.com> Tue, 13 May 2008 04:02:50 -0400
+
+openssl-blacklist (0.1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Jamie Strandboge <jamie at ubuntu.com> Fri, 12 May 2008 15:44:32 -0400
+
Deleted: openssl-blacklist/tags/0.5-1/debian/control
===================================================================
--- openssl-blacklist/trunk/debian/control 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/tags/0.5-1/debian/control 2009-04-08 17:05:10 UTC (rev 347)
@@ -1,28 +0,0 @@
-Source: openssl-blacklist
-Section: net
-XS-Python-Version: all
-Priority: optional
-Maintainer: Kees Cook <kees at outflux.net>
-Uploaders: Jamie Strandboge <jamie at ubuntu.com>, Christoph Martin <christoph.martin at uni-mainz.de>
-Build-Depends: debhelper (>= 5.0.38), python-central (>= 0.5.6), openssl (>= 0.9.8g-9)
-Standards-Version: 3.8.0.0
-Vcs-Browser: http://svn.debian.org/wsvn/pkg-openssl/openssl-blacklist
-Vcs-Svn: svn://svn.debian.org/pkg-openssl/openssl-blacklist/
-
-Package: openssl-blacklist
-Architecture: all
-Pre-Depends: dpkg (>= 1.10.24)
-Depends: ${python:Depends}, openssl (>= 0.9.8g-9)
-XB-Python-Version: ${python:Versions}
-Description: list of blacklisted OpenSSL RSA keys
- Contains the list of known-bad OpenSSL keys for openssl-vulnkey to use when
- examining suspect keys: RSA-1024, RSA-2048
-
-Package: openssl-blacklist-extra
-Architecture: all
-Pre-Depends: dpkg (>= 1.10.24)
-Depends: ${python:Depends}, openssl-blacklist
-XB-Python-Version: ${python:Versions}
-Description: list of non-default blacklisted OpenSSL RSA keys
- Contains the list of known-bad non-default OpenSSL keys for openssl-vulnkey to
- use when examining suspect keys: RSA-512, RSA-4096
Copied: openssl-blacklist/tags/0.5-1/debian/control (from rev 346, openssl-blacklist/trunk/debian/control)
===================================================================
--- openssl-blacklist/tags/0.5-1/debian/control (rev 0)
+++ openssl-blacklist/tags/0.5-1/debian/control 2009-04-08 17:05:10 UTC (rev 347)
@@ -0,0 +1,28 @@
+Source: openssl-blacklist
+Section: net
+XS-Python-Version: all
+Priority: optional
+Maintainer: Kees Cook <kees at debian.org>
+Uploaders: Jamie Strandboge <jamie at ubuntu.com>, Christoph Martin <christoph.martin at uni-mainz.de>
+Build-Depends: debhelper (>= 5.0.38), python-central (>= 0.5.6), openssl (>= 0.9.8g-9)
+Standards-Version: 3.8.0.0
+Vcs-Browser: http://svn.debian.org/wsvn/pkg-openssl/openssl-blacklist
+Vcs-Svn: svn://svn.debian.org/pkg-openssl/openssl-blacklist/
+
+Package: openssl-blacklist
+Architecture: all
+Pre-Depends: dpkg (>= 1.10.24)
+Depends: ${python:Depends}, openssl (>= 0.9.8g-9)
+XB-Python-Version: ${python:Versions}
+Description: list of blacklisted OpenSSL RSA keys
+ Contains the list of known-bad OpenSSL keys for openssl-vulnkey to use when
+ examining suspect keys: RSA-1024, RSA-2048
+
+Package: openssl-blacklist-extra
+Architecture: all
+Pre-Depends: dpkg (>= 1.10.24)
+Depends: ${python:Depends}, openssl-blacklist
+XB-Python-Version: ${python:Versions}
+Description: list of non-default blacklisted OpenSSL RSA keys
+ Contains the list of known-bad non-default OpenSSL keys for openssl-vulnkey to
+ use when examining suspect keys: RSA-512, RSA-4096
Deleted: openssl-blacklist/tags/0.5-1/debian/rules
===================================================================
--- openssl-blacklist/trunk/debian/rules 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/tags/0.5-1/debian/rules 2009-04-08 17:05:10 UTC (rev 347)
@@ -1,77 +0,0 @@
-#!/usr/bin/make -f
-
-configure: configure-stamp
-configure-stamp:
- dh_testdir
- # Add here commands to configure the package.
- touch $@
-
-
-build: build-stamp
-build-stamp: configure-stamp
- dh_testdir
- # Add here commands to compile the package.
- sh ./test.sh
- touch $@
-
-clean:
- dh_testdir
- dh_testroot
- rm -f build-stamp configure-stamp
- # Add here commands to clean up after the build process.
- dh_clean
-
-install: build
- dh_testdir
- dh_testroot
- dh_clean -k
- dh_installdirs
- mkdir -p $(CURDIR)/debian/tmp/usr/bin
- mkdir -p $(CURDIR)/debian/tmp/usr/share/openssl-blacklist
- # Add here commands to install the package into debian/openssl-blacklist.
- cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
- # Trim blacklists to reduce the size of the package without too
- # drastically creating false positives.
- for keysize in 512 1024 2048 4096; do \
- cat $(CURDIR)/debian/blacklist.prefix > $(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
- cat $(CURDIR)/blacklists/be32/blacklist-$$keysize.db $(CURDIR)/blacklists/le32/blacklist-$$keysize.db $(CURDIR)/blacklists/le64/blacklist-$$keysize.db | cut -d ' ' -f 5 | cut -b21- | sort >> $(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
- done
-
-# Build architecture-dependent files here.
-binary-arch: build install
-# We have nothing to do by default.
-
-# Build architecture-independent files here.
-binary-indep: build install
- dh_testdir
- dh_testroot
- dh_installchangelogs
- dh_installdocs
- dh_installexamples examples/*.pem examples/*.csr examples/*.key examples/gen_certs.sh examples/getpid.c
- dh_install --sourcedir=debian/tmp
-# dh_installmenu
-# dh_installdebconf
-# dh_installlogrotate
-# dh_installemacsen
-# dh_installpam
-# dh_installmime
-# dh_python
-# dh_installinit
-# dh_installcron
-# dh_installinfo
- dh_pycentral
- dh_installman $(CURDIR)/openssl-vulnkey.1
- dh_link
- dh_strip
- dh_compress
- dh_fixperms
-# dh_perl
-# dh_makeshlibs
- dh_installdeb
- dh_shlibdeps
- dh_gencontrol
- dh_md5sums
- dh_builddeb -- -Zbzip2
-
-binary: binary-indep binary-arch
-.PHONY: build clean binary-indep binary-arch binary install configure
Copied: openssl-blacklist/tags/0.5-1/debian/rules (from rev 346, openssl-blacklist/trunk/debian/rules)
===================================================================
--- openssl-blacklist/tags/0.5-1/debian/rules (rev 0)
+++ openssl-blacklist/tags/0.5-1/debian/rules 2009-04-08 17:05:10 UTC (rev 347)
@@ -0,0 +1,91 @@
+#!/usr/bin/make -f
+VERSION=$(shell dpkg-parsechangelog | grep ^Version: | cut -d" " -f2)
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+ touch $@
+
+
+build: build-stamp
+build-stamp: configure-stamp
+ dh_testdir
+ # Add here commands to compile the package.
+ sh ./test.sh
+ touch $@
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ # Add here commands to clean up after the build process.
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ mkdir -p $(CURDIR)/debian/tmp/usr/bin
+ mkdir -p $(CURDIR)/debian/tmp/usr/share/openssl-blacklist
+ # Add here commands to install the package into debian/openssl-blacklist.
+ cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
+ sed -i -e 's/@VERSION@/$(VERSION)/' $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
+ # Trim blacklists to reduce the size of the package without too
+ # drastically creating false positives.
+ for keysize in 512 1024 2048 4096; do \
+ cat $(CURDIR)/debian/blacklist.prefix > $(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
+ cat $(CURDIR)/blacklists/be32/blacklist-$$keysize.db $(CURDIR)/blacklists/le32/blacklist-$$keysize.db $(CURDIR)/blacklists/le64/blacklist-$$keysize.db | cut -d ' ' -f 5 | cut -b21- | sort >> $(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
+ done
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples examples/*.pem examples/*.csr examples/*.key examples/gen_certs.sh examples/getpid.c
+ dh_install --sourcedir=debian/tmp
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_python
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_pycentral
+ dh_installman $(CURDIR)/openssl-vulnkey.1
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb -- -Zbzip2
+
+get-orig-source:
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure get-orig-source
+
+ORIG_VERSION=$(shell echo "$(VERSION)" | cut -d- -f1)
+ORIG_FILE=$(CURDIR)/../openssl-blacklist_$(ORIG_VERSION).orig.tar.gz
+SVN_CO_DIR=$(CURDIR)/openssl-blacklist-$(ORIG_VERSION)
+get-orig-source:
+ test ! -e $(ORIG_FILE)
+ test ! -e $(SVN_CO_DIR)
+ svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/trunk $(SVN_CO_DIR)
+ tar czf $(ORIG_FILE) -C `dirname $(SVN_CO_DIR)` --exclude .svn `basename $(SVN_CO_DIR)`/blacklists
+ rm -rf $(SVN_CO_DIR)
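Review bot: get-orig-source (L539–L544) builds the orig tarball from an anonymous `svn co` of trunk HEAD over plain `svn://`, so the blacklist data that ends up in the shipped tarball depends on whatever the server returns at build time, with no revision pinned and nothing to compare the result against; for the package's security-critical data, pin the checkout (`svn co -r $(ORIG_REV) svn://svn.debian.org/pkg-openssl/openssl-blacklist/trunk $(SVN_CO_DIR)` with `ORIG_REV` declared next to `ORIG_VERSION`) and record the expected tarball digest in the packaging so a re-run can be verified. The empty `get-orig-source:` at L531 is redundant with the real rule at L539 and can be dropped. L543 spawns two backtick subshells and leaves `$(SVN_CO_DIR)` unquoted, which breaks on a CURDIR containing spaces; the make functions do the same job without a shell: `tar czf $(ORIG_FILE) -C $(dir $(SVN_CO_DIR)) --exclude .svn $(notdir $(SVN_CO_DIR))/blacklists`.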
Deleted: openssl-blacklist/tags/0.5-1/openssl-vulnkey
===================================================================
--- openssl-blacklist/trunk/openssl-vulnkey 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/tags/0.5-1/openssl-vulnkey 2009-04-08 17:05:10 UTC (rev 347)
@@ -1,204 +0,0 @@
-#!/usr/bin/python
-#
-# openssl-vulnkey: check a database of sha1'd static key hashes for
-# known vulnerable keys
-# Copyright (C) 2008 Canonical Ltd.
-# Author: Jamie Strandboge <jamie at canonical.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 3,
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-from optparse import OptionParser
-import os
-import re
-import sha
-import subprocess
-import sys
-import tempfile
-import shutil
-
-version = "0.3.3"
-db_prefix = "/usr/share/openssl-blacklist/blacklist.RSA-"
-db_lines = []
-
-parser = OptionParser(usage="%prog FILE [FILE]", \
- version="%prog: " + version, \
- description="This program checks if FILEs are known " + \
- "vulnerable static keys")
-parser.add_option("-q", "--quiet", action="store_true", dest="quiet", \
- help="be quiet")
-parser.add_option("-b", "--bits", dest="bits", \
- help="number of bits (requires -m)")
-parser.add_option("-m", "--modulus", dest="modulus", \
- help="modulus to check (requires -b)")
-(options, args) = parser.parse_args()
-
-if not ((options.modulus and options.bits) or args):
- parser.print_help()
- sys.exit(1)
-
-def cmd(command, input = None, stderr = subprocess.PIPE, stdout = subprocess.PIPE, stdin = None):
- '''Try to execute given command (array) and return its stdout, or return
- a textual error if it failed.'''
-
- try:
- sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
- except OSError, e:
- return [127, str(e)]
-
- out = sp.communicate(input)[0]
- return [sp.returncode,out]
-
-def get_contents(file):
- '''Determine the type of certificate it is. Returns empty string if
- unsupported.'''
- args = ['-modulus', '-text', '-in', file]
-
- rc, report = cmd(['openssl', 'rsa'] + args)
- if rc == 0:
- return ("rsa", report)
-
- rc, report = cmd(['openssl', 'x509'] + args)
- if rc == 0:
- return ("x509", report)
-
- rc, report = cmd(['openssl', 'req'] + args)
- if rc == 0:
- return ("req", report)
-
- return ("", report)
-
-def get_bits(contents, type):
- '''Find bit length of file. Returns empty string if unsupported.'''
- for line in contents:
- leading = "Private-Key: "
- if type == "x509" or type == "req":
- leading = "RSA Public Key: "
-
- # TODO: don't hardcode these
- if leading + "(512" in contents:
- return "512"
- elif leading + "(1024" in contents:
- return "1024"
- elif leading + "(2048" in contents:
- return "2048"
- elif leading + "(4096" in contents:
- return "4096"
- elif leading + "(8192" in contents:
- return "8192"
-
- return ""
-
-def get_modulus(contents):
- '''Find modulus of file'''
- for line in contents.split('\n'):
- if re.match(r'^Modulus=', line):
- return line + '\n'
-
- return ""
-
-def get_exponent(contents):
- '''Find exponent of file. Returns empty string if unsupported.'''
- if "Exponent: 65537 " in contents:
- return "65537"
-
- return ""
-
-def check_db(bits, last, modulus, name=""):
- '''Check modulus against database'''
- global db_lines
- if last != bits:
- db = db_prefix + bits
- # Read in the database
- try:
- fh = open(db, 'r')
- except:
- try:
- print >> sys.stderr, "WARN: could not open database for %s " \
- "bits. Skipped %s" % (bits, name)
- except IOError:
- pass
- return False
-
- db_lines = fh.read().split('\n')
- fh.close()
-
- key = sha.sha(modulus).hexdigest()
- #print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:])
- if key[20:] in db_lines:
- if not options.quiet:
- print "COMPROMISED: %s %s" % (key, name)
- return True
- else:
- if not options.quiet:
- print "Not blacklisted: %s %s" % (key, name)
- return False
-
-
-last_bits = ""
-found = False
-
-if options.bits and options.modulus:
- found = check_db(options.bits, last_bits, "Modulus=" + options.modulus + \
- "\n")
-else:
- # Check each file
- for f in args:
- realname = f
-
- if f == "-":
- # dump stdin to tmpfile, operate on tmpfile instead
- temp = tempfile.NamedTemporaryFile()
- shutil.copyfileobj(sys.stdin,temp)
- temp.flush()
- f = temp.name
-
- if not os.path.exists(f):
- if not options.quiet:
- print >> sys.stderr, "'%s' could not be opened (skipping)" % \
- (realname)
- continue
-
- (type, contents) = get_contents(f)
- if type == "":
- if not options.quiet:
- print >> sys.stderr, "'%s' is not x509, req or rsa (skipping)" \
- % (realname)
- continue
-
- exp = get_exponent(contents)
- if exp == "":
- if not options.quiet:
- print >> sys.stderr, "Unsupported exponent '%s' (skipping)" % \
- (realname)
- continue
-
- bits = get_bits(contents, type)
- if bits == "":
- if not options.quiet:
- print >> sys.stderr, "Key has unknown validity: %s" % \
- (realname)
- continue
-
- modulus = get_modulus(contents)
- if modulus == "":
- if not options.quiet:
- print >> sys.stderr, "Problem finding modulus: %s" % (realname)
- continue
-
- found = check_db(bits, last_bits, modulus, realname)
- last_bits = bits
-
-if found:
- sys.exit(1)
-
Copied: openssl-blacklist/tags/0.5-1/openssl-vulnkey (from rev 346, openssl-blacklist/trunk/openssl-vulnkey)
===================================================================
--- openssl-blacklist/tags/0.5-1/openssl-vulnkey (rev 0)
+++ openssl-blacklist/tags/0.5-1/openssl-vulnkey 2009-04-08 17:05:10 UTC (rev 347)
@@ -0,0 +1,209 @@
+#!/usr/bin/python
+#
+# openssl-vulnkey: check a database of sha1'd static key hashes for
+# known vulnerable keys
+# Copyright (C) 2008-2009 Canonical Ltd.
+# Author: Jamie Strandboge <jamie at canonical.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from optparse import OptionParser
+import os
+import re
+import hashlib
+import subprocess
+import sys
+import tempfile
+import shutil
+
+version = "@VERSION@"
+db_prefix = "/usr/share/openssl-blacklist/blacklist.RSA-"
+db_lines = []
+
+parser = OptionParser(usage="%prog FILE [FILE]", \
+ version="%prog: " + version, \
+ description="This program checks if FILEs are known " + \
+ "vulnerable static keys")
+parser.add_option("-q", "--quiet", action="store_true", dest="quiet", \
+ help="be quiet")
+parser.add_option("-b", "--bits", dest="bits", \
+ help="number of bits (requires -m)")
+parser.add_option("-m", "--modulus", dest="modulus", \
+ help="modulus to check (requires -b)")
+(options, args) = parser.parse_args()
+
+if not ((options.modulus and options.bits) or args):
+ parser.print_help()
+ sys.exit(1)
+
+def cmd(command, input = None, stderr = subprocess.PIPE, stdout = subprocess.PIPE, stdin = None):
+ '''Try to execute given command (array) and return its stdout, or return
+ a textual error if it failed.'''
+
+ try:
+ sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
+ except OSError, e:
+ return [127, str(e)]
+
+ out = sp.communicate(input)[0]
+ return [sp.returncode,out]
+
+def get_contents(file):
+ '''Determine the type of certificate it is. Returns empty string if
+ unsupported.'''
+ args = ['-modulus', '-text', '-in', file]
+
+ rc, report = cmd(['openssl', 'rsa'] + args)
+ if rc == 0:
+ return ("rsa", report)
+
+ rc, report = cmd(['openssl', 'x509'] + args)
+ if rc == 0:
+ return ("x509", report)
+
+ rc, report = cmd(['openssl', 'req'] + args)
+ if rc == 0:
+ return ("req", report)
+
+ return ("", report)
+
+def get_bits(contents, type):
+ '''Find bit length of file. Returns empty string if unsupported.'''
+ for line in contents:
+ leading = "Private-Key: "
+ if type == "x509" or type == "req":
+ leading = "RSA Public Key: "
+
+ # TODO: don't hardcode these
+ if leading + "(512" in contents:
+ return "512"
+ elif leading + "(1024" in contents:
+ return "1024"
+ elif leading + "(2048" in contents:
+ return "2048"
+ elif leading + "(4096" in contents:
+ return "4096"
+ elif leading + "(8192" in contents:
+ return "8192"
+
+ return ""
+
+def get_modulus(contents):
+ '''Find modulus of file'''
+ for line in contents.split('\n'):
+ if re.match(r'^Modulus=', line):
+ return line + '\n'
+
+ return ""
+
+def get_exponent(contents):
+ '''Find exponent of file. Returns empty string if unsupported.'''
+ if "Exponent: 65537 " in contents:
+ return "65537"
+
+ return ""
+
+def check_db(bits, last, modulus, name=""):
+ '''Check modulus against database'''
+ global db_lines
+ if last != bits:
+ db = db_prefix + bits
+ # Read in the database
+ try:
+ fh = open(db, 'r')
+ except:
+ try:
+ print >> sys.stderr, "WARN: could not open database for %s " \
+ "bits. Skipped %s" % (bits, name)
+ except IOError:
+ pass
+ return False
+
+ db_lines = fh.read().split('\n')
+ fh.close()
+
+ key = hashlib.sha1(modulus).hexdigest()
+ #print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:])
+ if key[20:] in db_lines:
+ if not options.quiet:
+ print "COMPROMISED: %s %s" % (key, name)
+ return True
+ else:
+ if not options.quiet:
+ print "Not blacklisted: %s %s" % (key, name)
+ return False
+
+
+last_bits = ""
+found = False
+
+if options.bits and options.modulus:
+ found = check_db(options.bits, last_bits, "Modulus=" + options.modulus + \
+ "\n")
+else:
+ # Check each file
+ for f in args:
+ realname = f
+
+ if f == "-":
+ # dump stdin to tmpfile, operate on tmpfile instead
+ temp = tempfile.NamedTemporaryFile()
+ shutil.copyfileobj(sys.stdin,temp)
+ temp.flush()
+ f = temp.name
+
+ try:
+ file(f).read()
+ except IOError, e:
+ if not options.quiet:
+ print >> sys.stderr, "ERROR: %s: %s" % (realname, e.strerror)
+ found = True
+ continue
+
+ (type, contents) = get_contents(f)
+ if type == "":
+ if not options.quiet:
+ print >> sys.stderr, "Skipped: %s: is not x509, req or rsa" \
+ % (realname)
+ continue
+
+ exp = get_exponent(contents)
+ if exp == "":
+ if not options.quiet:
+ print >> sys.stderr, "ERROR: %s: unsupported exponent" % \
+ (realname)
+ found = True
+ continue
+
+ bits = get_bits(contents, type)
+ if bits == "":
+ if not options.quiet:
+ print >> sys.stderr, "Skipped: %s: unsupported bit size" % \
+ (realname)
+ continue
+
+ modulus = get_modulus(contents)
+ if modulus == "":
+ if not options.quiet:
+ print >> sys.stderr, "ERROR: %s: problem finding modulus" % \
+ (realname)
+ found = True
+ continue
+
+ if check_db(bits, last_bits, modulus, realname):
+ found = True
+ last_bits = bits
+
+if found:
+ sys.exit(1)
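Review bot: check_db() can report "Not blacklisted" for a key it never compared against the right list: when the database for a new bit size fails to open (the bare `except:` at L883 returns False at L889 before `db_lines` is refreshed), the caller at L964 still records `last_bits = bits`, so the next key of that same size takes the `last == bits` shortcut at L878 and is matched against the `db_lines` left over from the previous size. The fix below has check_db track which size is actually loaded instead of trusting the caller's `last` argument (kept for interface compatibility), clears the stale list on failure, and narrows the bare `except:` to `IOError` so an interrupt is not swallowed as a missing database. Separately, `file(f).read()` at L925 slurps the whole input only to test readability and never closes the handle; `open(f).close()` is sufficient.
```python
db_bits = ""   # bit size whose blacklist is currently held in db_lines

def check_db(bits, last, modulus, name=""):
    '''Check modulus against database. `last` is accepted for callers but
    the loaded size is tracked here, so a failed open is never skipped.'''
    global db_lines, db_bits
    if db_bits != bits:
        db_lines = []
        db_bits = ""
        db = db_prefix + bits
        # Read in the database
        try:
            fh = open(db, 'r')
        except IOError:
            try:
                print >> sys.stderr, "WARN: could not open database for %s " \
                                     "bits. Skipped %s" % (bits, name)
            except IOError:
                pass
            return False

        db_lines = fh.read().split('\n')
        fh.close()
        db_bits = bits

    # … unchanged: sha1 of modulus, lookup of key[20:] in db_lines, reporting …
```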
Deleted: openssl-blacklist/tags/0.5-1/test.sh
===================================================================
--- openssl-blacklist/trunk/test.sh 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/tags/0.5-1/test.sh 2009-04-08 17:05:10 UTC (rev 347)
@@ -1,157 +0,0 @@
-#!/bin/sh -e
-#
-# test.sh: check openssl-vulnkey script
-# Copyright (C) 2008 Canonical Ltd.
-# Author: Jamie Strandboge <jamie at canonical.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2,
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-good_mod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
-good_files="examples/good_req.csr examples/good_x509.pem examples/good_rsa.key"
-bad_mod="BDDF1E2F255A193DF3FE272DD9F63CC24975D6FC33F785912B76460ED99735CAFA939EBEB8FB06EBCFD6B3923E9C953F360BCA604EE181CD83930F20FEC7087D4E500897CF218FDF96EB33F46455105D77CD0A43AC80559A92A83DD8218634F7649FD02DDB045E0D57D00F7116E354B73091A762292BEC7483B47E07BC31FF01"
-bad_files="examples/bad_req.csr examples/bad_x509.pem examples/bad_rsa.key examples/bad_rsa_4096.pem examples/bad_x509_4096.pem"
-error=
-
-tmpdir=`mktemp -d`
-
-# setup files
-cp -a ./openssl-vulnkey ./examples $tmpdir
-for b in 512 1024 2048 4096
-do
- cat blacklists/*/*${b}* | cut -d ' ' -f 5 | cut -b21- | sort >> $tmpdir/blacklist.RSA-${b}
-done
-cd $tmpdir
-sed -i "s#^db_prefix .*#db_prefix = '$tmpdir/blacklist.RSA-'#" $tmpdir/openssl-vulnkey
-
-# bad args
-echo -n "no args: "
-if ./openssl-vulnkey >/dev/null ; then
- echo "FAIL"
- error="yes"
-else
- echo "PASS"
-fi
-
-echo -n "no modulus: "
-if ./openssl-vulnkey -b 1024 >/dev/null ; then
- echo "FAIL"
- error="yes"
-else
- echo "PASS"
-fi
-
-echo -n "no bits: "
-if ./openssl-vulnkey -m $bad_mod >/dev/null ; then
- echo "FAIL"
- error="yes"
-else
- echo "PASS"
-fi
-
-# expect bad
-for i in $bad_files
-do
- f=`basename $i`
- echo ""
- echo "$f: "
- if ./openssl-vulnkey $i ; then
- echo "FAIL"
- error="yes"
- else
- echo "PASS"
- fi
-
- echo ""
- echo "$f (stdin): "
- if cat $i | ./openssl-vulnkey - ; then
- echo "FAIL"
- error="yes"
- else
- echo "PASS"
- fi
-done
-
-echo ""
-echo "all bad files ($bad_files): "
-if ./openssl-vulnkey $bad_files ; then
- echo "FAIL"
- error="yes"
-else
- echo "PASS"
-fi
-
-echo ""
-echo "bad modulus: "
-if ./openssl-vulnkey -b 1024 -m $bad_mod ; then
- echo "FAIL"
- error="yes"
-else
- echo "PASS"
-fi
-
-# expect good
-for i in $good_files
-do
- f=`basename $i`
- echo ""
- echo "$f: "
- if ./openssl-vulnkey $i ; then
- echo "PASS"
- else
- echo "FAIL"
- error="yes"
- fi
-
- echo ""
- echo "$f (stdin): "
- if cat $i | ./openssl-vulnkey - ; then
- echo "PASS"
- else
- echo "FAIL"
- error="yes"
- fi
-done
-
-echo ""
-echo "all good files ($good_files): "
-if ./openssl-vulnkey $good_files ; then
- echo "PASS"
-else
- echo "FAIL"
- error="yes"
-fi
-
-echo ""
-echo "good modulus: "
-if ./openssl-vulnkey -b 2048 -m $good_mod ; then
- echo "PASS"
-else
- echo "FAIL"
- error="yes"
-fi
-
-# cleanup and report
-cd - >/dev/null
-rm -rf $tmpdir
-
-echo ""
-echo "----------------------"
-if [ "$error" = "yes" ]; then
- echo "FAILED"
- exit 1
-else
- echo "PASSED"
-fi
-
-exit 0
Copied: openssl-blacklist/tags/0.5-1/test.sh (from rev 346, openssl-blacklist/trunk/test.sh)
===================================================================
--- openssl-blacklist/tags/0.5-1/test.sh (rev 0)
+++ openssl-blacklist/tags/0.5-1/test.sh 2009-04-08 17:05:10 UTC (rev 347)
@@ -0,0 +1,166 @@
+#!/bin/sh -e
+#
+# test.sh: check openssl-vulnkey script
+# Copyright (C) 2008 Canonical Ltd.
+# Author: Jamie Strandboge <jamie at canonical.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+good_mod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
+good_files="examples/good_req.csr examples/good_x509.pem examples/good_rsa.key"
+bad_mod="BDDF1E2F255A193DF3FE272DD9F63CC24975D6FC33F785912B76460ED99735CAFA939EBEB8FB06EBCFD6B3923E9C953F360BCA604EE181CD83930F20FEC7087D4E500897CF218FDF96EB33F46455105D77CD0A43AC80559A92A83DD8218634F7649FD02DDB045E0D57D00F7116E354B73091A762292BEC7483B47E07BC31FF01"
+bad_files="examples/bad_req.csr examples/bad_x509.pem examples/bad_rsa.key examples/bad_rsa_4096.pem examples/bad_x509_4096.pem"
+error=
+
+tmpdir=`mktemp -d`
+
+# setup files
+cp -a ./openssl-vulnkey ./examples $tmpdir
+for b in 512 1024 2048 4096
+do
+ cat blacklists/*/*${b}* | cut -d ' ' -f 5 | cut -b21- | sort >> $tmpdir/blacklist.RSA-${b}
+done
+cd $tmpdir
+sed -i "s#^db_prefix .*#db_prefix = '$tmpdir/blacklist.RSA-'#" $tmpdir/openssl-vulnkey
+
+# bad args
+echo -n "no args: "
+if ./openssl-vulnkey >/dev/null ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+echo -n "no modulus: "
+if ./openssl-vulnkey -b 1024 >/dev/null ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+echo -n "no bits: "
+if ./openssl-vulnkey -m $bad_mod >/dev/null ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+# expect bad
+for i in $bad_files
+do
+ f=`basename $i`
+ echo ""
+ echo "$f: "
+ if ./openssl-vulnkey $i ; then
+ echo "FAIL"
+ error="yes"
+ else
+ echo "PASS"
+ fi
+
+ echo ""
+ echo "$f (stdin): "
+ if cat $i | ./openssl-vulnkey - ; then
+ echo "FAIL"
+ error="yes"
+ else
+ echo "PASS"
+ fi
+done
+
+echo ""
+echo "all bad files ($bad_files): "
+if ./openssl-vulnkey $bad_files ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+echo ""
+echo "bad modulus: "
+if ./openssl-vulnkey -b 1024 -m $bad_mod ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+# expect good
+for i in $good_files
+do
+ f=`basename $i`
+ echo ""
+ echo "$f: "
+ if ./openssl-vulnkey $i ; then
+ echo "PASS"
+ else
+ echo "FAIL"
+ error="yes"
+ fi
+
+ echo ""
+ echo "$f (stdin): "
+ if cat $i | ./openssl-vulnkey - ; then
+ echo "PASS"
+ else
+ echo "FAIL"
+ error="yes"
+ fi
+done
+
+echo ""
+echo "all good files ($good_files): "
+if ./openssl-vulnkey $good_files ; then
+ echo "PASS"
+else
+ echo "FAIL"
+ error="yes"
+fi
+
+echo ""
+echo "some bad files, some good files ($bad_files $good_files): "
+if ./openssl-vulnkey $bad_files $good_files ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+echo ""
+echo "good modulus: "
+if ./openssl-vulnkey -b 2048 -m $good_mod ; then
+ echo "PASS"
+else
+ echo "FAIL"
+ error="yes"
+fi
+
+# cleanup and report
+cd - >/dev/null
+rm -rf $tmpdir
+
+echo ""
+echo "----------------------"
+if [ "$error" = "yes" ]; then
+ echo "FAILED"
+ exit 1
+else
+ echo "PASSED"
+fi
+
+exit 0
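Review bot: The temporary directory created by `tmpdir=\`mktemp -d\`` is only removed on the happy path at the end of the script; because the script runs under `sh -e`, any failing command before the explicit `rm -rf $tmpdir` (the `cp -a`, the blacklist build loop, `cd`, or `sed -i`) aborts the script and leaves `$tmpdir` behind, including the copied example keys and the patched `openssl-vulnkey`. Installing the cleanup right after `mktemp -d` covers every exit path, e.g. `trap 'cd / && rm -rf -- "${tmpdir:?}"' EXIT`, after which the trailing `cd - >/dev/null` and `rm -rf $tmpdir` become redundant. The `${tmpdir:?}` guard also prevents an empty variable from turning the cleanup into `rm -rf /`, which the unquoted form at the end does not rule out.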