[Pkg-openssl-changes] r346 - in openssl-blacklist/trunk: . debian

Kees Cook kees at alioth.debian.org
Wed Apr 8 16:54:30 UTC 2009


Author: kees
Date: 2009-04-08 16:54:29 +0000 (Wed, 08 Apr 2009)
New Revision: 346

Modified:
   openssl-blacklist/trunk/debian/changelog
   openssl-blacklist/trunk/debian/control
   openssl-blacklist/trunk/debian/rules
   openssl-blacklist/trunk/openssl-vulnkey
   openssl-blacklist/trunk/test.sh
Log:
* openssl-vulnkey:
  - replace sha with hashlib Python module to silence Python 2.6 warnings.
  - adjust skip/error handling, reporting more details (Closes: #498326).
  - pull version when building instead of being hard-coded.
* debian/rules: use an orig.tar.gz since the blacklist files themselves
  are static, to save space in the archive.
* test.sh: added mixed good/bad testing.


Modified: openssl-blacklist/trunk/debian/changelog
===================================================================
--- openssl-blacklist/trunk/debian/changelog	2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/debian/changelog	2009-04-08 16:54:29 UTC (rev 346)
@@ -1,10 +1,20 @@
-openssl-blacklist (0.4.2) UNRELEASED; urgency=low
+openssl-blacklist (0.5-1) jaunty; urgency=low
 
+  [ Jamie Strandboge ]
   * update openssl-vulnkey to use GPL version 3 as specified in
-    debian/copyright
+    debian/copyright.
 
- -- Jamie Strandboge <jamie at ubuntu.com>  Thu, 19 Jun 2008 12:17:06 -0400
+  [ Kees Cook ]
+  * openssl-vulnkey:
+    - replace sha with hashlib Python module to silence Python 2.6 warnings.
+    - adjust skip/error handling, reporting more details (Closes: #498326).
+    - pull version when building instead of being hard-coded.
+  * debian/rules: use an orig.tar.gz since the blacklist files themselves
+    are static, to save space in the archive.
+  * test.sh: added mixed good/bad testing.
 
+ -- Kees Cook <kees at debian.org>  Wed, 08 Apr 2009 08:12:11 -0700
+
 openssl-blacklist (0.4.2) unstable; urgency=low
 
   * Add openssl to the Build-Deps, since it is required for the tests.

Modified: openssl-blacklist/trunk/debian/control
===================================================================
--- openssl-blacklist/trunk/debian/control	2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/debian/control	2009-04-08 16:54:29 UTC (rev 346)
@@ -2,7 +2,7 @@
 Section: net
 XS-Python-Version: all
 Priority: optional
-Maintainer: Kees Cook <kees at outflux.net>
+Maintainer: Kees Cook <kees at debian.org>
 Uploaders: Jamie Strandboge <jamie at ubuntu.com>, Christoph Martin <christoph.martin at uni-mainz.de>
 Build-Depends: debhelper (>= 5.0.38), python-central (>= 0.5.6), openssl (>= 0.9.8g-9)
 Standards-Version: 3.8.0.0

Modified: openssl-blacklist/trunk/debian/rules
===================================================================
--- openssl-blacklist/trunk/debian/rules	2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/debian/rules	2009-04-08 16:54:29 UTC (rev 346)
@@ -1,4 +1,5 @@
 #!/usr/bin/make -f
+VERSION=$(shell  dpkg-parsechangelog | grep ^Version: | cut -d" " -f2)
 
 configure: configure-stamp
 configure-stamp:
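Review bot: `VERSION` on the added line is assigned with `=`, so the `dpkg-parsechangelog | grep | cut` pipeline is forked again on every reference (the install recipe and the `ORIG_VERSION` assignment further down the file both expand it), and an empty result — dpkg-parsechangelog failing or its output format changing — is never noticed, so the later `sed` would quietly replace the placeholder with nothing. Use simple assignment and fail at parse time when it is empty: `VERSION := $(shell dpkg-parsechangelog | grep ^Version: | cut -d" " -f2)` followed by `$(if $(strip $(VERSION)),,$(error could not read Version from debian/changelog))`.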
@@ -8,7 +9,7 @@
 
 
 build: build-stamp
-build-stamp: configure-stamp 
+build-stamp: configure-stamp
 	dh_testdir
 	# Add here commands to compile the package.
 	sh ./test.sh
@@ -19,17 +20,18 @@
 	dh_testroot
 	rm -f build-stamp configure-stamp
 	# Add here commands to clean up after the build process.
-	dh_clean 
+	dh_clean
 
 install: build
 	dh_testdir
 	dh_testroot
-	dh_clean -k 
+	dh_clean -k
 	dh_installdirs
 	mkdir -p $(CURDIR)/debian/tmp/usr/bin
 	mkdir -p $(CURDIR)/debian/tmp/usr/share/openssl-blacklist
 	# Add here commands to install the package into debian/openssl-blacklist.
 	cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
+	sed -i -e 's/@VERSION@/$(VERSION)/' $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
 	# Trim blacklists to reduce the size of the package without too
 	# drastically creating false positives.
 	for keysize in 512 1024 2048 4096; do \
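Review bot: The added `sed -i -e 's/@VERSION@/$(VERSION)/'` never verifies that the placeholder was actually present in the copied script, so a later edit to openssl-vulnkey that drops or renames `@VERSION@` would install a script reporting a bogus version without any build failure. A cheap guard is a recipe line before the substitution, `grep -q '@VERSION@' $(CURDIR)/openssl-vulnkey`, and one after it, `! grep -q '@VERSION@' $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey`. The install recipe continues past the end of the hunk.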
@@ -45,12 +47,12 @@
 binary-indep: build install
 	dh_testdir
 	dh_testroot
-	dh_installchangelogs 
+	dh_installchangelogs
 	dh_installdocs
 	dh_installexamples examples/*.pem examples/*.csr examples/*.key examples/gen_certs.sh examples/getpid.c
 	dh_install --sourcedir=debian/tmp
 #	dh_installmenu
-#	dh_installdebconf	
+#	dh_installdebconf
 #	dh_installlogrotate
 #	dh_installemacsen
 #	dh_installpam
@@ -73,5 +75,17 @@
 	dh_md5sums
 	dh_builddeb -- -Zbzip2
 
+get-orig-source:
+
 binary: binary-indep binary-arch
-.PHONY: build clean binary-indep binary-arch binary install configure
+.PHONY: build clean binary-indep binary-arch binary install configure get-orig-source
+
+ORIG_VERSION=$(shell echo "$(VERSION)" | cut -d- -f1)
+ORIG_FILE=$(CURDIR)/../openssl-blacklist_$(ORIG_VERSION).orig.tar.gz
+SVN_CO_DIR=$(CURDIR)/openssl-blacklist-$(ORIG_VERSION)
+get-orig-source:
+	test ! -e $(ORIG_FILE)
+	test ! -e $(SVN_CO_DIR)
+	svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/trunk $(SVN_CO_DIR)
+	tar czf $(ORIG_FILE) -C `dirname $(SVN_CO_DIR)` --exclude .svn `basename $(SVN_CO_DIR)`/blacklists
+	rm -rf $(SVN_CO_DIR)
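Review bot: `get-orig-source` checks out `svn://…/trunk` at whatever revision HEAD happens to be, so the tarball named after `$(ORIG_VERSION)` is not reproducible and, over the unauthenticated svn:// transport, nothing ties its contents to the revision that was actually reviewed; pin the checkout, e.g. `svn co -r $(ORIG_REV) …` with `$(if $(ORIG_REV),,$(error ORIG_REV must be set))` above the rule, and record that revision in the changelog entry. The target is also declared twice in this hunk — an empty `get-orig-source:` rule right after the `dh_builddeb` line and the real one below `.PHONY` — and the first is noise that should be dropped. The three `ORIG_*`/`SVN_CO_DIR` assignments use `=`, so `ORIG_VERSION` re-runs `$(shell echo … | cut)` on every reference; `ORIG_VERSION := $(firstword $(subst -, ,$(VERSION)))` gives the same value without a fork.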

Modified: openssl-blacklist/trunk/openssl-vulnkey
===================================================================
--- openssl-blacklist/trunk/openssl-vulnkey	2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/openssl-vulnkey	2009-04-08 16:54:29 UTC (rev 346)
@@ -2,7 +2,7 @@
 #
 #    openssl-vulnkey: check a database of sha1'd static key hashes for
 #      known vulnerable keys
-#    Copyright (C) 2008 Canonical Ltd.
+#    Copyright (C) 2008-2009 Canonical Ltd.
 #    Author: Jamie Strandboge <jamie at canonical.com>
 #
 #    This program is free software: you can redistribute it and/or modify
@@ -21,13 +21,13 @@
 from optparse import OptionParser
 import os
 import re
-import sha
+import hashlib
 import subprocess
 import sys
 import tempfile
 import shutil
 
-version = "0.3.3"
+version = "@VERSION@"
 db_prefix = "/usr/share/openssl-blacklist/blacklist.RSA-"
 db_lines = []
 
@@ -84,7 +84,7 @@
         leading = "Private-Key: "
         if type == "x509" or type == "req":
             leading = "RSA Public Key: "
-             
+
         # TODO: don't hardcode these
         if leading + "(512" in contents:
             return "512"
@@ -133,7 +133,7 @@
         db_lines = fh.read().split('\n')
         fh.close()
 
-    key = sha.sha(modulus).hexdigest()
+    key = hashlib.sha1(modulus).hexdigest()
     #print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:])
     if key[20:] in db_lines:
         if not options.quiet:
@@ -163,42 +163,47 @@
             temp.flush()
             f = temp.name
 
-        if not os.path.exists(f):
+        try:
+            file(f).read()
+        except IOError, e:
             if not options.quiet:
-                print >> sys.stderr, "'%s' could not be opened (skipping)" % \
-                                      (realname)
+                print >> sys.stderr, "ERROR: %s: %s" % (realname, e.strerror)
+            found = True
             continue
 
         (type, contents) = get_contents(f)
         if type == "":
             if not options.quiet:
-                print >> sys.stderr, "'%s' is not x509, req or rsa (skipping)" \
+                print >> sys.stderr, "Skipped: %s: is not x509, req or rsa" \
                                        % (realname)
             continue
 
         exp = get_exponent(contents)
         if exp == "":
             if not options.quiet:
-                print >> sys.stderr, "Unsupported exponent '%s' (skipping)" % \
+                print >> sys.stderr, "ERROR: %s: unsupported exponent" % \
                                       (realname)
+            found = True
             continue
 
         bits = get_bits(contents, type)
         if bits == "":
             if not options.quiet:
-                print >> sys.stderr, "Key has unknown validity: %s" % \
+                print >> sys.stderr, "Skipped: %s: unsupported bit size" % \
                                       (realname)
             continue
 
         modulus = get_modulus(contents)
         if modulus == "":
             if not options.quiet:
-                print >> sys.stderr, "Problem finding modulus: %s" % (realname)
+                print >> sys.stderr, "ERROR: %s: problem finding modulus" % \
+                                      (realname)
+            found = True
             continue
 
-        found = check_db(bits, last_bits, modulus, realname)
+        if check_db(bits, last_bits, modulus, realname):
+            found = True
         last_bits = bits
 
 if found:
     sys.exit(1)
-
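Review bot: The readability probe `file(f).read()` added at the top of the loop body reads the entire key file into memory only to discard it, and `get_contents(f)` then opens the file a second time, so the new `ERROR:` path only covers the first open and the file object is never explicitly closed. Opening and closing is enough to raise `IOError` for a missing or permission-denied path: `open(f).close()` (presumably also for a directory, since Python 2's `open()` raises EISDIR itself — confirm in the target interpreter). Note also that setting `found = True` on the three error branches means exit status 1 now covers I/O and parse errors as well as a blacklisted key, so callers can no longer tell the two apart from the status alone; that is worth stating in the script's usage text. The enclosing `for` loop begins before the hunk.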

Modified: openssl-blacklist/trunk/test.sh
===================================================================
--- openssl-blacklist/trunk/test.sh	2008-10-31 22:56:24 UTC (rev 345)
+++ openssl-blacklist/trunk/test.sh	2009-04-08 16:54:29 UTC (rev 346)
@@ -133,6 +133,15 @@
 fi
 
 echo ""
+echo "some bad files, some good files ($bad_files $good_files): "
+if ./openssl-vulnkey $bad_files $good_files ; then
+    echo "FAIL"
+    error="yes"
+else
+    echo "PASS"
+fi
+
+echo ""
 echo "good modulus: "
 if ./openssl-vulnkey -b 2048 -m $good_mod ; then
     echo "PASS"
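Review bot: The new mixed-files case only checks that `./openssl-vulnkey $bad_files $good_files` exits non-zero, and after this commit the script also exits 1 when a file cannot be opened or parsed, so a mistyped path in `$bad_files` would make the case PASS without any blacklisted key having been detected. Capture stderr in the test and additionally grep it for the vulnerable-key report, or count the reported matches against the number of entries in `$bad_files`. `$bad_files` and `$good_files` are defined earlier in the script, outside the hunk.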
