[Pkg-openssl-changes] r346 - in openssl-blacklist/trunk: . debian
Kees Cook
kees at alioth.debian.org
Wed Apr 8 16:54:30 UTC 2009
Author: kees
Date: 2009-04-08 16:54:29 +0000 (Wed, 08 Apr 2009)
New Revision: 346
Modified:
openssl-blacklist/trunk/debian/changelog
openssl-blacklist/trunk/debian/control
openssl-blacklist/trunk/debian/rules
openssl-blacklist/trunk/openssl-vulnkey
openssl-blacklist/trunk/test.sh
Log:
* openssl-vulnkey:
- replace sha with hashlib Python module to silence Python 2.6 warnings.
- adjust skip/error handling, reporting more details (Closes: #498326).
- pull version when building instead of being hard-coded.
* debian/rules: use an orig.tar.gz since the blacklist files themselves
are static, to save space in the archive.
* test.sh: added mixed good/bad testing.
Modified: openssl-blacklist/trunk/debian/changelog
===================================================================
--- openssl-blacklist/trunk/debian/changelog 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/debian/changelog 2009-04-08 16:54:29 UTC (rev 346)
@@ -1,10 +1,20 @@
-openssl-blacklist (0.4.2) UNRELEASED; urgency=low
+openssl-blacklist (0.5-1) jaunty; urgency=low
+ [ Jamie Strandboge ]
* update openssl-vulnkey to use GPL version 3 as specified in
- debian/copyright
+ debian/copyright.
- -- Jamie Strandboge <jamie at ubuntu.com> Thu, 19 Jun 2008 12:17:06 -0400
+ [ Kees Cook ]
+ * openssl-vulnkey:
+ - replace sha with hashlib Python module to silence Python 2.6 warnings.
+ - adjust skip/error handling, reporting more details (Closes: #498326).
+ - pull version when building instead of being hard-coded.
+ * debian/rules: use an orig.tar.gz since the blacklist files themselves
+ are static, to save space in the archive.
+ * test.sh: added mixed good/bad testing.
+ -- Kees Cook <kees at debian.org> Wed, 08 Apr 2009 08:12:11 -0700
+
openssl-blacklist (0.4.2) unstable; urgency=low
* Add openssl to the Build-Deps, since it is required for the tests.
Modified: openssl-blacklist/trunk/debian/control
===================================================================
--- openssl-blacklist/trunk/debian/control 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/debian/control 2009-04-08 16:54:29 UTC (rev 346)
@@ -2,7 +2,7 @@
Section: net
XS-Python-Version: all
Priority: optional
-Maintainer: Kees Cook <kees at outflux.net>
+Maintainer: Kees Cook <kees at debian.org>
Uploaders: Jamie Strandboge <jamie at ubuntu.com>, Christoph Martin <christoph.martin at uni-mainz.de>
Build-Depends: debhelper (>= 5.0.38), python-central (>= 0.5.6), openssl (>= 0.9.8g-9)
Standards-Version: 3.8.0.0
Modified: openssl-blacklist/trunk/debian/rules
===================================================================
--- openssl-blacklist/trunk/debian/rules 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/debian/rules 2009-04-08 16:54:29 UTC (rev 346)
@@ -1,4 +1,5 @@
#!/usr/bin/make -f
+VERSION=$(shell dpkg-parsechangelog | grep ^Version: | cut -d" " -f2)
configure: configure-stamp
configure-stamp:
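Review bot: `VERSION=$(shell dpkg-parsechangelog | grep ^Version: | cut -d" " -f2)` is recursively expanded, so the dpkg-parsechangelog pipeline is re-run every time $(VERSION) — and the $(ORIG_VERSION) derived from it further down — is referenced; simple expansion, `VERSION := $(shell dpkg-parsechangelog | grep ^Version: | cut -d" " -f2)`, runs it once at parse time. If the pipeline fails the variable is silently empty and the build carries on; a guard right after it, `$(if $(strip $(VERSION)),,$(error could not determine package version from debian/changelog))`, turns that into a hard stop.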
@@ -8,7 +9,7 @@
build: build-stamp
-build-stamp: configure-stamp
+build-stamp: configure-stamp
dh_testdir
# Add here commands to compile the package.
sh ./test.sh
@@ -19,17 +20,18 @@
dh_testroot
rm -f build-stamp configure-stamp
# Add here commands to clean up after the build process.
- dh_clean
+ dh_clean
install: build
dh_testdir
dh_testroot
- dh_clean -k
+ dh_clean -k
dh_installdirs
mkdir -p $(CURDIR)/debian/tmp/usr/bin
mkdir -p $(CURDIR)/debian/tmp/usr/share/openssl-blacklist
# Add here commands to install the package into debian/openssl-blacklist.
cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
+ sed -i -e 's/@VERSION@/$(VERSION)/' $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
# Trim blacklists to reduce the size of the package without too
# drastically creating false positives.
for keysize in 512 1024 2048 4096; do \
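Review bot: The new `sed -i -e 's/@VERSION@/$(VERSION)/'` line replaces the placeholder with whatever $(VERSION) expanded to and nothing checks the result, so an empty or wrong value ships an installed openssl-vulnkey reporting `version = ""` without the build noticing. Add `test -n "$(VERSION)"` before the sed and `! grep -q '@VERSION@' $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey` after it so a failed substitution fails the install step. The for-loop that starts on the last line of this hunk continues outside it.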
@@ -45,12 +47,12 @@
binary-indep: build install
dh_testdir
dh_testroot
- dh_installchangelogs
+ dh_installchangelogs
dh_installdocs
dh_installexamples examples/*.pem examples/*.csr examples/*.key examples/gen_certs.sh examples/getpid.c
dh_install --sourcedir=debian/tmp
# dh_installmenu
-# dh_installdebconf
+# dh_installdebconf
# dh_installlogrotate
# dh_installemacsen
# dh_installpam
@@ -73,5 +75,17 @@
dh_md5sums
dh_builddeb -- -Zbzip2
+get-orig-source:
+
binary: binary-indep binary-arch
-.PHONY: build clean binary-indep binary-arch binary install configure
+.PHONY: build clean binary-indep binary-arch binary install configure get-orig-source
+
+ORIG_VERSION=$(shell echo "$(VERSION)" | cut -d- -f1)
+ORIG_FILE=$(CURDIR)/../openssl-blacklist_$(ORIG_VERSION).orig.tar.gz
+SVN_CO_DIR=$(CURDIR)/openssl-blacklist-$(ORIG_VERSION)
+get-orig-source:
+ test ! -e $(ORIG_FILE)
+ test ! -e $(SVN_CO_DIR)
+ svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/trunk $(SVN_CO_DIR)
+ tar czf $(ORIG_FILE) -C `dirname $(SVN_CO_DIR)` --exclude .svn `basename $(SVN_CO_DIR)`/blacklists
+ rm -rf $(SVN_CO_DIR)
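Review bot: `svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/trunk` fetches trunk HEAD over the plain svn:// transport with no revision pinned, so the contents of openssl-blacklist_$(ORIG_VERSION).orig.tar.gz depend on when get-orig-source is run rather than on the version being packaged, and the tarball cannot be reproduced or verified later; pin it to a revision or tag, e.g. `svn export -r $(SVN_REV) svn://… $(SVN_CO_DIR)`, which also drops the `.svn` directories and makes `--exclude .svn` unnecessary. Given the blacklists are static, recording the tarball's checksum alongside the revision in debian/ would let a later upload confirm it got the same bytes. The empty `get-orig-source:` rule inserted before `binary:` duplicates the real one below it and should be removed, and `ORIG_VERSION=` has the same recursive-expansion issue as VERSION and should use `:=`.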
Modified: openssl-blacklist/trunk/openssl-vulnkey
===================================================================
--- openssl-blacklist/trunk/openssl-vulnkey 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/openssl-vulnkey 2009-04-08 16:54:29 UTC (rev 346)
@@ -2,7 +2,7 @@
#
# openssl-vulnkey: check a database of sha1'd static key hashes for
# known vulnerable keys
-# Copyright (C) 2008 Canonical Ltd.
+# Copyright (C) 2008-2009 Canonical Ltd.
# Author: Jamie Strandboge <jamie at canonical.com>
#
# This program is free software: you can redistribute it and/or modify
@@ -21,13 +21,13 @@
from optparse import OptionParser
import os
import re
-import sha
+import hashlib
import subprocess
import sys
import tempfile
import shutil
-version = "0.3.3"
+version = "@VERSION@"
db_prefix = "/usr/share/openssl-blacklist/blacklist.RSA-"
db_lines = []
@@ -84,7 +84,7 @@
leading = "Private-Key: "
if type == "x509" or type == "req":
leading = "RSA Public Key: "
-
+
# TODO: don't hardcode these
if leading + "(512" in contents:
return "512"
@@ -133,7 +133,7 @@
db_lines = fh.read().split('\n')
fh.close()
- key = sha.sha(modulus).hexdigest()
+ key = hashlib.sha1(modulus).hexdigest()
#print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:])
if key[20:] in db_lines:
if not options.quiet:
@@ -163,42 +163,47 @@
temp.flush()
f = temp.name
- if not os.path.exists(f):
+ try:
+ file(f).read()
+ except IOError, e:
if not options.quiet:
- print >> sys.stderr, "'%s' could not be opened (skipping)" % \
- (realname)
+ print >> sys.stderr, "ERROR: %s: %s" % (realname, e.strerror)
+ found = True
continue
(type, contents) = get_contents(f)
if type == "":
if not options.quiet:
- print >> sys.stderr, "'%s' is not x509, req or rsa (skipping)" \
+ print >> sys.stderr, "Skipped: %s: is not x509, req or rsa" \
% (realname)
continue
exp = get_exponent(contents)
if exp == "":
if not options.quiet:
- print >> sys.stderr, "Unsupported exponent '%s' (skipping)" % \
+ print >> sys.stderr, "ERROR: %s: unsupported exponent" % \
(realname)
+ found = True
continue
bits = get_bits(contents, type)
if bits == "":
if not options.quiet:
- print >> sys.stderr, "Key has unknown validity: %s" % \
+ print >> sys.stderr, "Skipped: %s: unsupported bit size" % \
(realname)
continue
modulus = get_modulus(contents)
if modulus == "":
if not options.quiet:
- print >> sys.stderr, "Problem finding modulus: %s" % (realname)
+ print >> sys.stderr, "ERROR: %s: problem finding modulus" % \
+ (realname)
+ found = True
continue
- found = check_db(bits, last_bits, modulus, realname)
+ if check_db(bits, last_bits, modulus, realname):
+ found = True
last_bits = bits
if found:
sys.exit(1)
-
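Review bot: A key whose type or bit size is not supported is skipped with `continue` and leaves `found` untouched, so the process exits 0 exactly as it does for a key that was looked up and is clean; a caller gating on the exit status (the only machine-readable result when the quiet option is set) will therefore accept a key that was never checked against the blacklist. Track skips in a separate flag and exit with a distinct status (for example 2) when nothing was blacklisted but something was skipped, or at least spell the fail-open behaviour out in the usage text. The probe `file(f).read()` reads the whole file into memory only to discard it and never closes the handle; `open(f).close()` raises the same IOError, and since get_contents() opens the file again anyway the check could equally live there. The enclosing for-loop starts before this hunk.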
Modified: openssl-blacklist/trunk/test.sh
===================================================================
--- openssl-blacklist/trunk/test.sh 2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/test.sh 2009-04-08 16:54:29 UTC (rev 346)
@@ -133,6 +133,15 @@
fi
echo ""
+echo "some bad files, some good files ($bad_files $good_files): "
+if ./openssl-vulnkey $bad_files $good_files ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+echo ""
echo "good modulus: "
if ./openssl-vulnkey -b 2048 -m $good_mod ; then
echo "PASS"
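Review bot: The new mixed check counts any non-zero exit as PASS, and after this revision openssl-vulnkey also exits 1 on an I/O error or a modulus it cannot parse, so an unreadable file or a missing blacklist would satisfy the test without any key having been matched; capture the output and assert the per-key report for each of `$bad_files` as well as the status. The reversed order, `./openssl-vulnkey $good_files $bad_files`, is the one where a per-file reset of `found` (the old `found = check_db(...)` assignment) would have masked the result, and is worth a second invocation. The `if` block on the last line closes outside the hunk.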