--- openssl-blacklist-0.5.orig/openssl-vulnkey +++ openssl-blacklist-0.5/openssl-vulnkey 
@@ -0,0 +1,214 @@ +#!/usr/bin/python +# +# openssl-vulnkey: check a database of sha1'd static key hashes for +# known vulnerable keys +# Copyright (C) 2008-2011 Canonical Ltd. +# Author: Jamie Strandboge +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 3, +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from optparse import OptionParser +import os +import re +import hashlib +import subprocess +import sys +import tempfile +import shutil + +version = "@VERSION@" +db_prefix = "/usr/share/openssl-blacklist/blacklist.RSA-" +db_lines = [] + +parser = OptionParser(usage="%prog FILE [FILE]", \ + version="%prog: " + version, \ + description="This program checks if FILEs are known " + \ + "vulnerable static keys") +parser.add_option("-q", "--quiet", action="store_true", dest="quiet", \ + help="be quiet") +parser.add_option("-b", "--bits", dest="bits", \ + help="number of bits (requires -m)") +parser.add_option("-m", "--modulus", dest="modulus", \ + help="modulus to check (requires -b)") +(options, args) = parser.parse_args() + +if not ((options.modulus and options.bits) or args): + parser.print_help() + sys.exit(1) + +def cmd(command, input = None, stderr = subprocess.PIPE, stdout = subprocess.PIPE, stdin = None): + '''Try to execute given command (array) and return its stdout, or return + a textual error if it failed.''' + + try: + sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True) + except OSError, e: + return [127, str(e)] + + out = sp.communicate(input)[0] + return 
[sp.returncode,out] + +def get_contents(file): + '''Determine the type of certificate it is. Returns empty string if + unsupported.''' + args = ['-modulus', '-text', '-in', file] + + rc, report = cmd(['openssl', 'rsa'] + args) + if rc == 0: + return ("rsa", report) + + rc, report = cmd(['openssl', 'x509'] + args) + if rc == 0: + return ("x509", report) + + rc, report = cmd(['openssl', 'req'] + args) + if rc == 0: + return ("req", report) + + return ("", report) + +def get_bits(contents, type): + '''Find bit length of file. Returns empty string if unsupported.''' + for line in contents: + leading = "Private-Key: " + if type == "x509" or type == "req": + leading = "RSA Public Key: " + if leading not in contents: + # OpenSSL 1.0.0 + leading = "Public-Key: " + + # TODO: don't hardcode these + if leading + "(512" in contents: + return "512" + elif leading + "(1024" in contents: + return "1024" + elif leading + "(2048" in contents: + return "2048" + elif leading + "(4096" in contents: + return "4096" + elif leading + "(8192" in contents: + return "8192" + + return "" + +def get_modulus(contents): + '''Find modulus of file''' + for line in contents.split('\n'): + if re.match(r'^Modulus=', line): + return line + '\n' + + return "" + +def get_exponent(contents): + '''Find exponent of file. Returns empty string if unsupported.''' + if "Exponent: 65537 " in contents: + return "65537" + + return "" + +def check_db(bits, last, modulus, name=""): + '''Check modulus against database''' + global db_lines + if last != bits: + db = db_prefix + bits + # Read in the database + try: + fh = open(db, 'r') + except: + try: + print >> sys.stderr, "WARN: could not open database for %s " \ + "bits. 
Skipped %s" % (bits, name) + except IOError: + pass + return False + + db_lines = fh.read().split('\n') + fh.close() + + key = hashlib.sha1(modulus).hexdigest() + #print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:]) + if key[20:] in db_lines: + if not options.quiet: + print "COMPROMISED: %s %s" % (key, name) + return True + else: + if not options.quiet: + print "Not blacklisted: %s %s" % (key, name) + return False + + +last_bits = "" +found = False +error = False + +if options.bits and options.modulus: + found = check_db(options.bits, last_bits, \ + "Modulus=%s\n" % (options.modulus)) +else: + # Check each file + for f in args: + realname = f + + if f == "-": + # dump stdin to tmpfile, operate on tmpfile instead + temp = tempfile.NamedTemporaryFile() + shutil.copyfileobj(sys.stdin,temp) + temp.flush() + f = temp.name + + try: + file(f).read() + except IOError, e: + if not options.quiet: + print >> sys.stderr, "ERROR: %s: %s" % (realname, e.strerror) + error = True + continue + + (type, contents) = get_contents(f) + if type == "": + if not options.quiet: + print >> sys.stderr, "Skipped: '%s' is unsupported type " + \ + "(not x509, req or rsa)" % (realname) + continue + + exp = get_exponent(contents) + if exp == "": + if not options.quiet: + print >> sys.stderr, "Skipped: '%s' has unsupported exponent" % \ + (realname) + continue + + bits = get_bits(contents, type) + if bits == "": + if not options.quiet: + print >> sys.stderr, "Skipped: '%s' has unsupported bit size" % \ + (realname) + continue + + modulus = get_modulus(contents) + if modulus == "": + if not options.quiet: + print >> sys.stderr, "ERROR: %s: problem finding modulus" % \ + (realname) + error = True + continue + + if check_db(bits, last_bits, modulus, realname): + found = True + last_bits = bits + +if found: + sys.exit(1) +elif error: + sys.exit(2) --- openssl-blacklist-0.5.orig/openssl-vulnkey.1 +++ openssl-blacklist-0.5/openssl-vulnkey.1 
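Review bot: A missing blacklist database is reported as a clean result: in check_db() the bare `except:` around `open(db, 'r')` prints a WARN and returns False, `error` is never set so the process exits 0, and `db_lines` keeps whatever the previously loaded key size contained. If the caller's `last_bits = bits` runs unconditionally (indentation is lost in this rendering, so I cannot be sure), every later file of that size is compared against that stale list and printed as "Not blacklisted" with no warning at all, which a wrapper such as the openvpn use mentioned in the changelog would read as a verified-safe key. I would have check_db() return None when the database cannot be read, turn None into `error = True` (exit status 2) at both call sites, never advance `last_bits` on that path, and narrow the bare `except:` to `except IOError`. The 80-bit suffix lookup against a list is correct but O(n) per key; `db_lines` could be a `set` once the larger lists are installed.
```python
# … unchanged: check_db() header, global db_lines, db = db_prefix + bits …
        try:
            fh = open(db, 'r')
        except IOError:
            # … unchanged: WARN message …
            return None   # database unavailable: not a verdict either way
# … unchanged: read db_lines, hash the modulus, COMPROMISED / Not blacklisted …

if options.bits and options.modulus:
    found = check_db(options.bits, last_bits, \
                     "Modulus=%s\n" % (options.modulus))
    if found is None:
        found, error = False, True
else:
    # … unchanged: per-file parsing up to the modulus lookup …
        rc = check_db(bits, last_bits, modulus, realname)
        if rc is None:
            error = True
            continue      # leave last_bits alone so the next file retries the open
        if rc:
            found = True
        last_bits = bits
```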
@@ -0,0 +1,108 @@
+.\" Copyright (c) 2008 Canonical Ltd. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: May 12 2008 $
+.Dt OPENSSL-VULNKEY 1
+.Os
+.Sh NAME
+.Nm openssl-vulnkey
+.Nd check blacklist of compromised certificates, requests and keys
+.Sh SYNOPSIS
+.Nm
+.Op Fl q
+.Ar file ...
+.Nm
+.Op Fl q
+.Fl b
+.Ar BITS
+.Fl m
+.Ar MODULUS
+.Sh DESCRIPTION
+.Nm
+checks a certificate, request or key against a blacklist of compromised moduli.
+.Pp
+A substantial number of certificates, requests and keys are known to have been
+generated using a broken version of OpenSSL distributed by Debian which failed
+to seed its random number generator correctly.
x509 certificates, certificate
+requests and RSA keys generated using these OpenSSL versions should be assumed
+to be compromised. This tool may be useful in checking for such OpenSSL x509
+certificates, certificate requests and RSA keys.
+.Pp
+Certificates, requests and keys that are compromised cannot be repaired;
+replacements must be generated using
+.Xr openssl 8 .
+.Pp
+If
+.Dq -
+is given as an argument,
+.Nm
+will read from standard input.
+This can be used to process certificate output from
+.Xr s_client 1ssl ,
+for example:
+.Pp
+.Dl $ echo | openssl s_client -connect remote.example.org:https | openssl-vulnkey -
+.Pp
+will test the certificate used by remote.example.org for HTTPS.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl q
+Quiet mode.
+Normally,
+.Nm
+outputs the fingerprint of each file scanned, with a description of its
+status.
+This option suppresses that output.
+.It Fl b
+Number of bits for the modulus specified. Requires \-m.
+.It Fl m
+Check modulus. Requires \-b.
+.El
+.Sh BLACKLIST SHA1SUM FORMAT
+The blacklist file may start with comments, on lines starting with
+.Dq # .
+After these initial comments, it must follow a strict format:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+Each line must consist of the lower-case hexadecimal SHA1 fingerprint of the
+certificate or key's modulus, and with the first 20 characters removed (that
+is, the least significant 80 bits of the fingerprint).
+.El
+.Pp
+The fingerprint of the modulus may be generated using
+.Pp
+.Dl $ openssl x509 -noout -modulus -in file | sha1sum | cut -d ' ' -f 1
+.Dl $ openssl rsa -noout -modulus -in file | sha1sum | cut -d ' ' -f 1
+.Dl $ openssl req -noout -modulus -in file | sha1sum | cut -d ' ' -f 1
+.Pp
+This strict format is necessary to allow the blacklist file to be checked
+quickly.
+.Sh SEE ALSO
+.Xr openssl 1
+.Sh AUTHORS
+.An -nosplit
+.An Jamie Strandboge Aq jamie@ubuntu.com
+.Pp
+Much of this manpage is based on Colin Watson's
+.Xr ssh-vulnkey 1
--- openssl-blacklist-0.5.orig/test.sh
+++ openssl-blacklist-0.5/test.sh
@@ -0,0 +1,193 @@ +#!/bin/sh -e +# +# test.sh: check openssl-vulnkey script +# Copyright (C) 2008 Canonical Ltd. +# Author: Jamie Strandboge +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2, +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +good_mod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good_files="examples/good_req.csr examples/good_x509.pem examples/good_rsa.key" +bad_mod="BDDF1E2F255A193DF3FE272DD9F63CC24975D6FC33F785912B76460ED99735CAFA939EBEB8FB06EBCFD6B3923E9C953F360BCA604EE181CD83930F20FEC7087D4E500897CF218FDF96EB33F46455105D77CD0A43AC80559A92A83DD8218634F7649FD02DDB045E0D57D00F7116E354B73091A762292BEC7483B47E07BC31FF01" +bad_files="examples/bad_req.csr examples/bad_x509.pem examples/bad_rsa.key examples/bad_rsa_4096.pem examples/bad_x509_4096.pem" +error= + +tmpdir=`mktemp -d` +trap "rm -rf $tmpdir" EXIT HUP INT QUIT TERM +chmod a+x ./openssl-vulnkey + +# setup files +cp -a ./openssl-vulnkey ./examples $tmpdir +for b in 512 1024 2048 4096 +do + cat blacklists/*/*${b}* | cut -d ' ' -f 5 | cut -b21- | sort >> $tmpdir/blacklist.RSA-${b} +done +cd $tmpdir +sed -i "s#^db_prefix .*#db_prefix = '$tmpdir/blacklist.RSA-'#" $tmpdir/openssl-vulnkey + +# bad args +echo -n "no args: " +if ./openssl-vulnkey >/dev/null ; then + echo "FAIL" + error="yes" +else + echo "PASS" +fi + +echo -n "no modulus: " +if ./openssl-vulnkey -b 1024 >/dev/null ; then + echo "FAIL" + error="yes" +else + echo "PASS" +fi + +echo -n "no bits: " +if ./openssl-vulnkey -m $bad_mod >/dev/null ; then + echo "FAIL" + error="yes" +else 
+ echo "PASS"
+fi
+
+# expect bad
+for i in $bad_files
+do
+ f=`basename $i`
+ echo ""
+ echo "$f: "
+ if ./openssl-vulnkey $i ; then
+ echo "FAIL"
+ error="yes"
+ else
+ echo "PASS"
+ fi
+
+ echo ""
+ echo "$f (stdin): "
+ if cat $i | ./openssl-vulnkey - ; then
+ echo "FAIL"
+ error="yes"
+ else
+ echo "PASS"
+ fi
+done
+
+echo ""
+echo "all bad files ($bad_files): "
+if ./openssl-vulnkey $bad_files ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+echo ""
+echo "bad modulus: "
+if ./openssl-vulnkey -b 1024 -m $bad_mod ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+# expect good
+for i in $good_files
+do
+ f=`basename $i`
+ echo ""
+ echo "$f: "
+ if ./openssl-vulnkey $i ; then
+ echo "PASS"
+ else
+ echo "FAIL"
+ error="yes"
+ fi
+
+ echo ""
+ echo "$f (stdin): "
+ if cat $i | ./openssl-vulnkey - ; then
+ echo "PASS"
+ else
+ echo "FAIL"
+ error="yes"
+ fi
+done
+
+echo ""
+echo "all good files ($good_files): "
+if ./openssl-vulnkey $good_files ; then
+ echo "PASS"
+else
+ echo "FAIL"
+ error="yes"
+fi
+
+echo ""
+echo "some bad files, some good files ($bad_files $good_files): "
+if ./openssl-vulnkey $bad_files $good_files ; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+echo ""
+echo "good modulus: "
+if ./openssl-vulnkey -b 2048 -m $good_mod ; then
+ echo "PASS"
+else
+ echo "FAIL"
+ error="yes"
+fi
+
+echo ""
+echo "Non-existent file:"
+if ./openssl-vulnkey ./nonexistent 2>/dev/null || [ "$?" != "2" ]; then
+ echo "FAIL"
+ error="yes"
+else
+ echo "PASS"
+fi
+
+
+echo ""
+if [ `id -u` = "0" ]; then
+ echo "Skipping permission test, since run as root"
+else
+ echo "Permission denied:"
+ noperms="$tmpdir/unreadable"
+ touch "$noperms"
+ chmod 0 "$noperms"
+ if ./openssl-vulnkey "$noperms" 2>/dev/null || [ "$?" != "2" ]; then
+ echo "FAIL"
+ error="yes"
+ else
+ echo "PASS"
+ fi
+fi
+
+# cleanup and report
+cd - >/dev/null
+
+echo ""
+echo "----------------------"
+if [ "$error" = "yes" ]; then
+ echo "FAILED"
+ exit 1
+else
+ echo "PASSED"
+fi
+
+exit 0
--- openssl-blacklist-0.5.orig/debian/copyright
+++ openssl-blacklist-0.5/debian/copyright
@@ -0,0 +1,24 @@
+Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat?action=recall&rev=178
+Upstream-Name: openssl-blacklist
+Upstream-Maintainer: Jamie Strandboge
+ Kees Cook
+Upstream-Source: svn://svn.debian.org/pkg-openssl/openssl-blacklist
+
+Files: *
+Copyright: Copyright 2008-2011, Canonical Ltd.
+License: GPL-3
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+ On Debian systems the full text of the GNU General Public License can be found
+ in the `/usr/share/common-licenses/GPL-3' file.
--- openssl-blacklist-0.5.orig/debian/watch
+++ openssl-blacklist-0.5/debian/watch
@@ -0,0 +1 @@
+# See http://anonscm.debian.org/viewvc/pkg-openssl/openssl-blacklist/
--- openssl-blacklist-0.5.orig/debian/compat
+++ openssl-blacklist-0.5/debian/compat
@@ -0,0 +1 @@
+5
--- openssl-blacklist-0.5.orig/debian/openssl-blacklist.install
+++ openssl-blacklist-0.5/debian/openssl-blacklist.install
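Review bot: The suite never exercises a key size for which no blacklist file exists, although openssl-vulnkey accepts 8192-bit keys and the `for b in 512 1024 2048 4096` loop only assembles those four databases into $tmpdir. A missing database (openssl-blacklist-extra not installed, or a truncated package) is the path most likely to yield a false "not vulnerable" answer in production, so the suite should pin the intended exit status for it, for example after the good-modulus test: `if ./openssl-vulnkey -b 8192 -m $good_mod 2>/dev/null; then echo "FAIL"; error="yes"; else echo "PASS"; fi`. As the tool stands that case exits 0, so the assertion documents the intended contract rather than the current behaviour; if a missing database is meant to be only a warning, the test should assert that explicitly instead. The `good_mod` assignment is obscured in this rendering, so I could not confirm its size beyond the `-b 2048` used later.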
@@ -0,0 +1,3 @@
+usr/share/openssl-blacklist/blacklist.RSA-1024
+usr/share/openssl-blacklist/blacklist.RSA-2048
+usr/bin/openssl-vulnkey
--- openssl-blacklist-0.5.orig/debian/rules
+++ openssl-blacklist-0.5/debian/rules
@@ -0,0 +1,90 @@
+#!/usr/bin/make -f
+VERSION=$(shell dpkg-parsechangelog | grep ^Version: | cut -d" " -f2)
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+ touch $@
+
+
+build: build-stamp
+build-stamp: configure-stamp
+ dh_testdir
+ # Add here commands to compile the package.
+ sh ./test.sh
+ touch $@
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ # Add here commands to clean up after the build process.
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ mkdir -p $(CURDIR)/debian/tmp/usr/bin
+ mkdir -p $(CURDIR)/debian/tmp/usr/share/openssl-blacklist
+ # Add here commands to install the package into debian/openssl-blacklist.
+ cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
+ sed -i -e 's/@VERSION@/$(VERSION)/' $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
+ # Trim blacklists to reduce the size of the package without too
+ # drastically creating false positives.
+ for keysize in 512 1024 2048 4096; do \
+ cat $(CURDIR)/debian/blacklist.prefix > $(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
+ cat $(CURDIR)/blacklists/be32/blacklist-$$keysize.db $(CURDIR)/blacklists/le32/blacklist-$$keysize.db $(CURDIR)/blacklists/le64/blacklist-$$keysize.db | cut -d ' ' -f 5 | cut -b21- | sort >> $(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
+ done
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples examples/*.pem examples/*.csr examples/*.key examples/gen_certs.sh examples/getpid.c
+ dh_install --sourcedir=debian/tmp
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_python2
+ dh_installman $(CURDIR)/openssl-vulnkey.1
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb -- -Zbzip2
+
+get-orig-source:
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure get-orig-source
+
+ORIG_VERSION=$(shell echo "$(VERSION)" | cut -d- -f1)
+ORIG_FILE=$(CURDIR)/../openssl-blacklist_$(ORIG_VERSION).orig.tar.gz
+SVN_CO_DIR=$(CURDIR)/openssl-blacklist-$(ORIG_VERSION)
+get-orig-source:
+ test ! -e $(ORIG_FILE)
+ test ! -e $(SVN_CO_DIR)
+ svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/trunk $(SVN_CO_DIR)
+ tar czf $(ORIG_FILE) -C `dirname $(SVN_CO_DIR)` --exclude .svn `basename $(SVN_CO_DIR)`/blacklists
+ rm -rf $(SVN_CO_DIR)
--- openssl-blacklist-0.5.orig/debian/openssl-blacklist.dirs
+++ openssl-blacklist-0.5/debian/openssl-blacklist.dirs
@@ -0,0 +1,3 @@
+usr/bin
+usr/share/doc/openssl-blacklist/examples
+usr/share/openssl-blacklist
--- openssl-blacklist-0.5.orig/debian/control
+++ openssl-blacklist-0.5/debian/control
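Review bot: The `install` recipe assembles each shipped blacklist with `cat be32/... le32/... le64/... | cut -d ' ' -f 5 | cut -b21- | sort >> ...`, and the status of that pipeline is `sort`'s, so if one architecture's `blacklist-$$keysize.db` is missing or unreadable the build still succeeds and ships a silently incomplete blacklist (the changelog records the 4096 list having been partial for exactly that reason). An incomplete list makes openssl-vulnkey print "Not blacklisted" for affected keys, so the build should fail instead: add `for arch in be32 le32 le64; do test -r $(CURDIR)/blacklists/$$arch/blacklist-$$keysize.db || exit 1; done; \` at the top of the loop body, or at least fail when the resulting file has no more lines than `blacklist.prefix`. `sh ./test.sh` in build-stamp does not cover this either, since it builds its own lists from a `blacklists/*/*$b*` glob rather than from the files this recipe installs.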
@@ -0,0 +1,31 @@
+Source: openssl-blacklist
+Section: net
+X-Python-Version: >= 2.5
+Priority: optional
+Maintainer: Kees Cook
+Uploaders: Jamie Strandboge , Christoph Martin
+Build-Depends: debhelper (>= 5.0.38), python (>= 2.6.6-3~), openssl (>= 0.9.8g-9)
+Standards-Version: 3.9.2
+Vcs-Browser: http://svn.debian.org/wsvn/pkg-openssl/openssl-blacklist
+Vcs-Svn: svn://svn.debian.org/pkg-openssl/openssl-blacklist/
+
+Package: openssl-blacklist
+Architecture: all
+Pre-Depends: dpkg (>= 1.10.24)
+Depends: ${misc:Depends}, ${python:Depends}, openssl (>= 0.9.8g-9)
+Description: Blacklists for OpenSSL RSA keys and tools
+ This package contains the openssl-vulnkey tool and the common lists of
+ known-bad OpenSSL keys to use when examining suspect keys with
+ openssl-vulnkey.
+ .
+ RSA-1024, RSA-2048
+
+Package: openssl-blacklist-extra
+Architecture: all
+Pre-Depends: dpkg (>= 1.10.24)
+Depends: ${misc:Depends}, ${python:Depends}, openssl-blacklist
+Description: Non-default blacklists of OpenSSL RSA keys
+ This package contains the uncommon lists of known-bad OpenSSL keys to use when
+ examining suspect keys with openssl-vulnkey.
+ .
+ RSA-512, RSA-4096
--- openssl-blacklist-0.5.orig/debian/openssl-blacklist-extra.dirs
+++ openssl-blacklist-0.5/debian/openssl-blacklist-extra.dirs
@@ -0,0 +1 @@
+usr/share/openssl-blacklist
--- openssl-blacklist-0.5.orig/debian/blacklist.prefix
+++ openssl-blacklist-0.5/debian/blacklist.prefix
@@ -0,0 +1,6 @@
+# After these initial comments, each line must consist of the lower-case key
+# modulus checksum:
+# openssl rsa -noout -modulus -in /tmp/key.pem | sha1sum | cut -d ' ' -f 1)
+# with the first 20 characters removed (that is, the lower 80 bits of the
+# fingerprint). Unless these rules are followed, the blacklist will not work
+# properly. See openssl-vulnkey(1).
--- openssl-blacklist-0.5.orig/debian/changelog
+++ openssl-blacklist-0.5/debian/changelog
@@ -0,0 +1,156 @@ +openssl-blacklist (0.5-3) unstable; urgency=low + + * openssl-vulnkey: adjust for new openssl 1.0.0 output (Closes: #628332) + * fix test suite when run as root. Patch from Moritz Muehlenhoff. + (Closes: #612461) + * convert to dh_python2. Patch from Colin Watson (Closes: #616927) + * make lintian -Ivi clean + - debian/control: update Standards-Version to 3.9.2 + - debian/control: add ${misc:Depends} to binaries + - debian/control: make Description more verbose + - debian/copyright: convert to DEP-5 + - openssl-vulnkey.1: fix some hyphens as minuses + - add debian/source/format + - add comments only debian/watch file + + -- Jamie Strandboge Wed, 22 Jun 2011 11:14:53 -0500 + +openssl-blacklist (0.5-2) unstable; urgency=low + + * test.sh: fix executable state of openssl-vulnkey (Closes: #525042). + + -- Kees Cook Wed, 06 May 2009 12:12:09 -0700 + +openssl-blacklist (0.5-1) unstable; urgency=low + + [ Kees Cook ] + * openssl-vulnkey: + - replace sha with hashlib Python module to silence Python 2.6 warnings. + - adjust skip/error handling, reporting more details (Closes: #498326). + - pull version when building instead of being hard-coded. + * debian/rules: use an orig.tar.gz since the blacklist files themselves + are static, to save space in the archive. + * test.sh: added mixed good/bad testing. + + [ Jamie Strandboge ] + * update openssl-vulnkey to use GPL version 3 as specified in + debian/copyright. + * test.sh: add non-existent file and permission denied tests, as well + as small cleanups + * openssl-vulnkey: + - exit with status '2' when errors are encountered (ie leave '1' for when + a bad modulus is found) + - be consistent with error reporting + + -- Kees Cook Wed, 08 Apr 2009 11:49:49 -0700 + +openssl-blacklist (0.4.2) unstable; urgency=low + + * Add openssl to the Build-Deps, since it is required for the tests. 
+ + -- Kees Cook Tue, 17 Jun 2008 15:27:38 -0700 + +openssl-blacklist (0.4.1) unstable; urgency=low + + [ Jamie Strandboge ] + * add RSA-4096 blacklist for le64 + * install RSA-4096 blacklist + * don't send STDERR to STDOUT as this may interfere with obtaining the + modulus with long bits + + [ Kees Cook ] + * debian/rules: + - add new examples (using wildcards) + - include run of internal tests during build + * debian/control: bump to standards version 3.8.0 (no changes needed) + + -- Kees Cook Mon, 16 Jun 2008 11:48:09 -0700 + +openssl-blacklist (0.4) unstable; urgency=low + + * allow checking of certificate requests + * only check moduli with an exponent of 65537 (the default on Debian/Ubuntu) + * update gen_certs.sh for when ~/.rnd does not exist when openssl is run + which can happen with openssl 0.9.8g and higher + * update gen_certs.sh to use '0' (in case of PID randomization) + * added more examples + * only prompt once for password (Closes: #483500) + * properly cache database reads when bits are same + * added '-m' and '-b' arguments. This is helpful for applications calling + openssl-vulnkey when the modulus and bits are known, such as openvpn. + * man page updates + * added test.sh + * added blacklists for when ~/.rnd does not exist when openssl is run + (LP: #232104) + * added 512 bit and partial 4096 blacklists (need le64) (LP: #231014) + * reorganized source databases, and ship the new gen_certs.sh format + * debian/rules: updated to use new blacklist format and organization + * create openssl-blacklist-extra package (but don't ship 4096 yet) + + -- Jamie Strandboge Tue, 10 Jun 2008 09:09:48 -0400 + +openssl-blacklist (0.3.2) unstable; urgency=low + + * debian/{rules,dirs,openssl-blacklist.install}: move openssl-vulnkey to + /usr/bin (Closes: #482435). + * examples/gen_certs.sh: + - test for fixed libssl versions (Closes: #483310). + - correctly skip pre-existing PEM files, thanks to Michel Meyers + (Closes: #483542). + - skip invalid pid 32768. 
+ * openssl-vulnkey: allow reading from stding, based on patch from + Daniel Kahn Gillmor (Closes: #482427). + * debian/control: swap maintainer so Ubuntu syncs do not get confused. + + -- Kees Cook Thu, 29 May 2008 15:19:16 -0700 + +openssl-blacklist (0.3.1) unstable; urgency=low + + * openssl-vulnkey: fix typo in manpage. + * debian/control: add Vcs details, adjust uploaders line. + * debian/rules: switch to using dh_installexamples. + + -- Kees Cook Wed, 28 May 2008 13:25:46 -0700 + +openssl-blacklist (0.3) unstable; urgency=low + + * Initial Debian release (keeping changelog for clarity), Closes: #482047. + + -- Kees Cook Wed, 21 May 2008 03:58:17 -0700 + +openssl-blacklist (0.2) intrepid; urgency=low + + * update openssl-vulnkey to also check x509 certificates, with corresponding + manpage update + * support 512, 4096 and 8192 databases + * don't exit if can't open the database (this way databases can optionally be + added + * publish complete RSA-1024 and RSA-2048 blacklist for all available + architectures on Ubuntu + * fix manpage typos + * debian/control: use net/optional + * use python-central and follow DebianPython/NewPolicy + * added get_certs.sh and getpid.c + + -- Jamie Strandboge Fri, 16 May 2008 08:32:13 -0400 + +openssl-blacklist (0.1-0ubuntu0.8.04.2) hardy-security; urgency=low + + * openssl-vulnkey: + - Don't exit if the key cannot be parsed. + - Don't fail if stderr is not available. (LP: #230193) + + -- Mathias Gug Wed, 14 May 2008 14:24:07 +0200 + +openssl-blacklist (0.1-0ubuntu0.8.04.1) hardy-security; urgency=low + + * no change rebuild for -security + + -- Jamie Strandboge Tue, 13 May 2008 04:02:50 -0400 + +openssl-blacklist (0.1) unstable; urgency=low + + * Initial release. + + -- Jamie Strandboge Fri, 12 May 2008 15:44:32 -0400 + --- openssl-blacklist-0.5.orig/debian/README.Debian +++ openssl-blacklist-0.5/debian/README.Debian 
@@ -0,0 +1,13 @@
+openssl-blacklist for Debian
+----------------------------
+
+This package contains a set of default OpenSSL keys that were known to
+have been generated during the time when the Debian OpenSSL package had a
+broken Random Number Generator.
+
+The source package contains the full fingerprint of the moduli of the
+vulnerable keys in the blacklists/ directory. The installed package uses a
+partial fingerprint for identifying the keys by stripping off the first 20
+bytes of the checksum.
+
+ -- Jamie Strandboge Fri, 12 May 2008 15:44:32 -0400
--- openssl-blacklist-0.5.orig/debian/openssl-blacklist-extra.install
+++ openssl-blacklist-0.5/debian/openssl-blacklist-extra.install
@@ -0,0 +1,2 @@
+usr/share/openssl-blacklist/blacklist.RSA-512
+usr/share/openssl-blacklist/blacklist.RSA-4096
--- openssl-blacklist-0.5.orig/debian/source/format
+++ openssl-blacklist-0.5/debian/source/format
@@ -0,0 +1 @@
+1.0
--- openssl-blacklist-0.5.orig/examples/good_rsa.key
+++ openssl-blacklist-0.5/examples/good_rsa.key
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAs5ByT/fh3klXUEiV7A7VQ00sTQC0YQ0FoZFYFfYbjB/zfYwu +YgXLBz4xI9tLEqiAQ7xKTuiTywVyodj+U0heZD9IfgLJbi6H3ZEQGpnpItf3Dvsc +OXWryYPW7YC3Ur6NSgiZ5KD227Nflo7y12hTgAMDvMgd+817wceGlOmklCUVY0Pa +8L00gIachzBn3CaB7aBuqpw/3tip6CXhj1MBAgVgkGidspBZ+aD9oSUFH7ucSIz3 +wXLqM9V/9Y34AAql8UzCDvxzTE7ber0SElXq3Dk/dsV0FPE0vmDbxncrHjEkFHym ++XzIISWP8URs0aHKcNmqCkpbJ/Q28CVWCWowxQIDAQABAoIBAFAnz8+AwNPge1h8 +Pmh0qqBzZ64r/VlBXd0kq2SKSvu/G4tUszPQkDP4gCkYcCexDiiueaFF0wuSr/wt +iEIXEQPA+BRAHDjSDpZKdhzZzadfLosCbzP7Iic/cgbtKWiHZTzCIChd7jRemvHz +d9XOXU/MiLORxUitDmyPK7V3op76OwktokW4lghXC3CjRNRAXo1qGQhNThFUIQ+z +25vxa3geVVfa4HMw0mliGganXXbdfMVa9Oiyo34gW7TXN30iub6OsGzJ8sgOvMU0 +rHontrFOx10JC1ImlcyAknDE/NhymBDnQRS3Y4vS+OmZVfAfDOlpu2tFwR2yDDkE +o01bBKECgYEA5FNYlxdCXcTsKMtdaByVBJK7gUoWV2Jkmb+RkAhi8ao/KxASkqnP +T3AUiH3sHpi+UrTXvWwA9pe6oeMt2lu4LfQkcCL1xmUuepFDl3NpmIQXw+NOmBn/ +xzEx9QZXPtwbx6oK54wTKQjvVxPvDCcHAj6vQkTZcyL4nJk9MsvZhmkCgYEAyVQZ +H4o+eGSPXfBJb1K8H9+0rln3RPvO+Fl4S9LL+jkNb2cUb9dLBlXPdShAHmXr0MjV +38s90EkWw88yjF6RpACMiFIOJvcpb94K1HTUtHuF4/SOzoLk09QGcFwuDL7WZUjb +R9dlb7U/C4o+drbLW0XOIZ4JDx9EsF9+DQOQI/0CgYEAzobVS1WuokLNmtjY1KOF +520SThBFxSUq+idd83qihRYJrVoMcr1G2AP5jrzYJ5TiEs2hl6Vp+aOlHWnwv+LW +5jo/+26kAaDkOdnL2eJ7UYmqNXYWUV6zDeph1dC2ehV+y0v0MR1y91stowZU5Bkp +Lc6lmLvONWccmgnCYYAicoECgYEAvHjmLAiXAs3hCOfxVy30v0IFO1MtkH7K+uOH +IjRskAro8Olm0GyT55JdbCgKHmr7n7Djx2XUsDA8B4Lop0/At+9roBJw/TlUqU0M +hmf42Bzq8sP3DIys+0D55iXlVjkxLBBQd6jFZRYftwXsA+aL6R4oIoB3qphzDUnY +DwbO4WECgYEArwqyiQtaU/wTt4KvIpNn3snXk7lVCskoeUEQBi1i4IKIowrn75zw +JH1y2feFJPk+q5/nvbTo5Pb/TjNKxCEi1vuqlJaTRzMbtX6a598/kAtCLve6JBdJ +oJGZVYxC5QLwUkZCzFp7KOwYKzdO/R/d7+v/Y5m+efMmJEsR2TOQMTY= +-----END RSA PRIVATE KEY----- --- openssl-blacklist-0.5.orig/examples/good_req.csr +++ openssl-blacklist-0.5/examples/good_req.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICkjCCAXoCAQAwTTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEDAO +BgNVBAoTB1Rlc3RsaWIxDTALBgNVBAsTBFRlc3QxCzAJBgNVBAMTAkNBMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArkZMsfKeBpMQeIiAwBVPMrQMcba7 +wHs35bMjuQcSF6Kx80UCKuhs9TKc2Ouv1+BG7dsGu2iTlxFSIsZGxEmHKtv6/RMC +G9a1pjqzi0AWs6qGJeDzRIiSX4YyGDweWX5J+pohpkecvM5dsvtDXupCNllcrt+w +evyw56g7gm2Lg1xzIoL7eVq63wXeiGB6yU7SVUWy4H0ADwrEKsqf5wI6rQiF9c0c +jM6ZYh+8WIWhFbn4iBq0119leFjhxWbGX/OFM2X4MeYD/ZREimJxe0oFEyPLUqQB +qntU0lKJoquvkJKxwpPe9T1P30yEhCYzVSJojXf5wJnIICJ1q0oreTeSKQIDAQAB +oAAwDQYJKoZIhvcNAQEFBQADggEBADrDCH82pUSUbTQSmazBh2r8VFwQTJOvkSUH +cx6q1fU7DYgqFldl6QnxW5vO5hEr9yASlxzs1qa8z7GaL4JahJjwef/lpou/HWQt +iYnXaJN6kJLR1OyPXnfAuZt23ZvioPuv1sPr1TOW9+groGKg1dRh3S+jclNOjsfB +azhbHd37ffO6cvzSQfmWUA8JNqyZ0siym69+xBErrk+2+jupU7FhFPmmCAqgZ2K/ +no8azQPakIetcFIb+bpIBewlMMYxAV9K9D7emWMWDrIEoqt7PPlYoaO/AUtmYmeA +ZEGO43oeWNXSHhrv4obUZe/pnJPNslOr8GWq1NYHOUS6JHhrmis= +-----END CERTIFICATE REQUEST----- --- openssl-blacklist-0.5.orig/examples/good_x509.pem +++ openssl-blacklist-0.5/examples/good_x509.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDzTCCArWgAwIBAgIJAMdp4sZLfd5gMA0GCSqGSIb3DQEBBQUAME0xCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRAwDgYDVQQKEwdUZXN0bGliMQ0wCwYD +VQQLEwRUZXN0MQswCQYDVQQDEwJDQTAeFw0wODA2MTExMzU0NTJaFw0wODA3MTEx +MzU0NTJaME0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRAwDgYDVQQK +EwdUZXN0bGliMQ0wCwYDVQQLEwRUZXN0MQswCQYDVQQDEwJDQTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALOQck/34d5JV1BIlewO1UNNLE0AtGENBaGR +WBX2G4wf832MLmIFywc+MSPbSxKogEO8Sk7ok8sFcqHY/lNIXmQ/SH4CyW4uh92R +EBqZ6SLX9w77HDl1q8mD1u2At1K+jUoImeSg9tuzX5aO8tdoU4ADA7zIHfvNe8HH +hpTppJQlFWND2vC9NICGnIcwZ9wmge2gbqqcP97Yqegl4Y9TAQIFYJBonbKQWfmg +/aElBR+7nEiM98Fy6jPVf/WN+AAKpfFMwg78c0xO23q9EhJV6tw5P3bFdBTxNL5g +28Z3Kx4xJBR8pvl8yCElj/FEbNGhynDZqgpKWyf0NvAlVglqMMUCAwEAAaOBrzCB +rDAdBgNVHQ4EFgQUxRNrQMQDPUYIr6Iuxk5FY/QFr2kwfQYDVR0jBHYwdIAUxRNr +QMQDPUYIr6Iuxk5FY/QFr2mhUaRPME0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdB +cml6b25hMRAwDgYDVQQKEwdUZXN0bGliMQ0wCwYDVQQLEwRUZXN0MQswCQYDVQQD +EwJDQYIJAMdp4sZLfd5gMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +AFeAK9+ts70yLCOqOFpMdFSFaKuuEpxk1sJ8IHH1EaOWIRuHANhhMEzkTktD3ac+ +G++xvNwITBzsILPqvJS7v3FJUHkUgUcq1yB5ltyIy0zd1sA1tLOMIVzxUgwb98Xj +XD8uM9Ggw49kbHzP+2mq287Qyp+BZ4PuR3p+nVM7pTtGQfoguog5O7iYnoAnhaRP +Ntw06pmhrOpQ0vW/fne7ybL2DDBgLomTkl4OKkigkszH1TyjMB2tCr7iYZz6hxG1 +OI2rQ+6fOCHN1TZAhKC3h/pQxqJdoDDmTnpz5giu8Kz0EB4jhTT8+H+71mywPizD +iDMH2ZhksUphiW7FrXj51/M= +-----END CERTIFICATE----- --- openssl-blacklist-0.5.orig/examples/bad_rsa.key +++ openssl-blacklist-0.5/examples/bad_rsa.key 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDl/LnqaBR7lirE3HDMt1GuJyN9XCBz2lEZthyxX65KBFGkZUiY +PwAPjlq9PDTB0gIYNMCIEDFJAJl+xl92njZhK47L8t4+PaxMpCRrM6kz1KY5/gTs +49Z33g70m/zT13sTNmHjK7720QNWCIM2GpmtodiXecDAEI7DaW0KTFSfBQIDAQAB +AoGBAKhAiJ61P+7eADH+90K9BjN7DJqkcFVxLQ27TihxUCd0G2pCcqZ2yIuY4Ec6 +qXn2MnQU+5lPB09Z8fFuHN7BhhOS80roJUeezXwYRMBi00KQx0DVbp3RWYoe9pBo +DF/29Y2DYbOuwT70qoCRWRFL1V/nyHe+6wnvv9e6vY8ah4cNAkEA/3JZzJVRBv7V +0fez/e61F4E0AIeYOE95PLygs6+bF8LyR69y5LQuy2leymVwqyBObYlq437asHCE +DzE+J1dQgwJBAOZ8Qf2eXUsnYWELDr9CNg7a72wJAQ3tGTUPgKdzKI10y67eOiIO +XZtpztsXwA8kOD8xxbcK9C10CgpPpn1+K9cCQApzKhtFbHglyqd5Q6K6tivM/Eyd +P2vmTGZgrQ5Mu8KAFhs6oS+b82Ic4GTVO4O0oaC3g2jlEpsvLyfT8t/3IXMCQCJ/ +PJ1KI6qI9WFB924W6eJlUGp6GodMEnbHoDjv2oT5kzbUGh1YyxfkyUovjtZ1VFnZ +CD+ySwO2l34dl8y2orcCQHfliqv+FruVH7jqC8WfXYjNEPW8eMPbODBA1RMIahCn +yOP/meskyOYERsh9INI3T+1/QrG/a6p3KKgKonNPvPk= +-----END RSA PRIVATE KEY----- --- openssl-blacklist-0.5.orig/examples/bad_req.csr +++ openssl-blacklist-0.5/examples/bad_req.csr @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBjDCB9gIBADBNMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTEQMA4G +A1UEChMHVGVzdGxpYjENMAsGA1UECxMEVGVzdDELMAkGA1UEAxMCQ0EwgZ8wDQYJ +KoZIhvcNAQEBBQADgY0AMIGJAoGBAL3fHi8lWhk98/4nLdn2PMJJddb8M/eFkSt2 +Rg7ZlzXK+pOevrj7BuvP1rOSPpyVPzYLymBO4YHNg5MPIP7HCH1OUAiXzyGP35br +M/RkVRBdd80KQ6yAVZqSqD3YIYY092Sf0C3bBF4NV9APcRbjVLcwkadiKSvsdIO0 +fge8Mf8BAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQA6DdINP3ZkXZld0nKTKUR2 +85yOODOteOeqxsXa3O6uDXZmzLWyJYVGRuNvcBnZeedEHhC6RcNMAVfx1QLDmnB8 +EvYZGbpcgP0KQZeIhv8mTcjjVnTYntWCmNJdvd3UepNUQJn6AKki5JdepJNakoY4 +hwa/eEzc8imLlJAk38kOQw== +-----END CERTIFICATE REQUEST----- --- openssl-blacklist-0.5.orig/examples/gen_certs.sh +++ openssl-blacklist-0.5/examples/gen_certs.sh 
@@ -0,0 +1,151 @@
+#!/bin/sh
+
+#
+# Author: Jamie Strandboge
+# Copyright (C) 2008 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# http://www.gnu.org/copyleft/gpl.html
+#
+
+#
+# USAGE:
+# gen_certs.sh 512 1024 2048 ...
+#
+# Results:
+# certs/${bits}/cert-${bits}-${type}-${i}-${machine}.pem
+# certs/${bits}/key-${bits}-${type}-${i}-${machine}.pem
+# certs/${bits}/blacklist-$bits.db
+#
+# There are 3 types of vulnerable moduli:
+# 1. ~/.rnd does not exist when openssl is run
+# 2. ~/.rnd existed, but was not readable when openssl is run
+# 3. ~/.rnd is readable and writable when openssl is run
+#
+# Note that on 0.9.8e and lower, 1 and 2 are the same
+#
+
+getpid="./getpid.so"
+if [ ! -e "$getpid" ]; then
+ WORKDIR=$(mktemp -d -t blacklist-XXXXXX)
+ cd "$WORKDIR"
+
+cat >getpid.c <
+#include
+#include
+#include
+
+pid_t getpid(void)
+{
+ return atoi(getenv("FORCE_PID"));
+}
+EOM
+
+ gcc -fPIC -c getpid.c -o getpid.o
+ gcc -shared -o getpid.so getpid.o
+
+ cd - >/dev/null
+ mv $WORKDIR/getpid.so ./
+ rm -rf $WORKDIR
+fi
+
+machine=`uname -m`
+rand="$HOME/.rnd"
+
+if [ -z "$1" ]; then
+ echo "Must supply a bit length"
+ exit 1
+fi
+
+if [ ! -f "$getpid" ]; then
+ echo "$getpid does not exist, exiting"
+ exit 1
+fi
+
+for bits in $@
+do
+ dir="certs/${bits}"
+ mkdir -p $dir 2> /dev/null || true
+ for type in rnd nornd noreadrnd
+ do
+ if [ "$type" = "noreadrnd" ]; then
+ # make $rand unreadable for when people used 'sudo openssl ...' and
+ # rand is unreadble
+ echo "Zeroing $rand"
+ rm -f $rand
+ cat /dev/null > $rand
+ chmod 0 $rand
+ ls -l $rand
+ elif [ "$type" = "rnd" ]; then
+ # seed $rand and make it writable for PID updates
+ echo "Enabling $rand"
+ rm -f $rand
+ openssl req -newkey rsa:$bits -x509 -nodes -keyout $dir/foo.pem -subj '/C=US/ST=Arizona/O=Testlib/OU=Test/CN=CA' -out $dir/bar.pem
+ rm -f $dir/foo.pem $dir/bar.pem
+ ls -l $rand
+ else
+ # take $rand out of the picture to simulate first runs
+ echo "Removing $rand"
+ rm -f $rand
+ fi
+
+ for i in $(seq 0 32767);
+ do
+ if [ "$type" = "nornd" ]; then
+ # take $rand out of the picture to simulate first runs
+ rm -f $rand
+ fi
+ n="${bits}-${type}-${i}-${machine}"
+ if [ -e "${dir}/cert-${n}.pem" ]; then
+ continue
+ fi
+ FORCE_PID=$i LD_PRELOAD="$getpid" openssl req -newkey rsa:${bits} -x509 -nodes -keyout $dir/key-$n.pem -subj '/C=US/ST=Arizona/O=Testlib/OU=Test/CN=CA' -out $dir/cert-$n.pem
+ echo -n "${bits} ${i} ${type} ${machine} " >> $dir/blacklist-${bits}.db
+ openssl rsa -noout -modulus -in $dir/key-$n.pem | sha1sum | cut -d ' ' -f 1 >> $dir/blacklist-${bits}.db
+ done
+ done
+done
+
--- openssl-blacklist-0.5.orig/examples/bad_rsa_4096.pem
+++ openssl-blacklist-0.5/examples/bad_rsa_4096.pem
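Review bot: The type loop operates on the real seed file of whoever runs the script — `rand="$HOME/.rnd"` is removed with `rm -f $rand`, truncated, and left at `chmod 0 $rand` in the `noreadrnd` branch — so a run from a normal account destroys the user's own ~/.rnd and, if interrupted, leaves it unreadable for every later OpenSSL invocation. Give OpenSSL a throwaway home instead, e.g. `HOME=$(mktemp -d -t blacklist-home-XXXXXX); export HOME` placed before `rand="$HOME/.rnd"` and cleaned up at the end, or state in the header comment that the script must run in a disposable account. The `noreadrnd` series also depends on `chmod 0` actually denying reads, which it does not for root, so either a comment or a guard such as `[ "$(id -u)" -ne 0 ] || { echo "do not run as root"; exit 1; }` would keep that series from silently degenerating into the readable case. Separately, `for bits in $@` and the unquoted `$dir`, `$rand` and `$WORKDIR` expansions should be quoted (`for bits in "$@"`), and `$bits` is passed straight to `rsa:$bits` without being checked as a number. The `cat >getpid.c <` heredoc looks truncated in this rendering (the hunk header declares 151 lines but far fewer are visible, and the `#include` lines have lost their header names), so the embedded source should be checked in the actual file.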
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAqVl47121hhc1HK5ThPiL71pGrHpciAHFfmui9kqZObpeIS1m +mTqquxbsL756x5kLxWbiDYzL10NgdzcyQlZXJMVx9XpSjIi1A5uys+ZiEWc848ld +F8OPAwD1TVj4k3zTVMQpz+E35IfHeupDvnVTKX/5pig9PWLvb0WvKjA+pZ0ZT1pw +oIZT/KHO3uYa9uYhKfpFqpqfVHVj3uveeyHtmhmc7ytpMdufrrhfV9/S/jZxL7T7 +PUd9dxJRbHTSNF4oo0WSj2pejEFmZ81z+uBFETpr+sUDoqDLODA+kt8aP1gh2dPq +kAd0PWcigkPAliAD8J5OUimujAaOaJZr4B7Ct7tZQVT5CxEA6M8MJgYgTA9Ev3R6 +CH6jT0gl8Qo57NnTH/DSf0lAFkkNb34LgkNqsODHnJiwBCDshmxfvAclNkzRtiuV +P4yrmvQy3Dg2/Q7sgsb6FTsj8KrE5zfP1FIoTDy53TllMMdawPlLiWXe7rqWoCdO +6HyqRs45lJ0iIfKQMMTh+VjwF0n1qmV4WTKR55vN3rMuuqQOkY4N3vIAQKelkyPy +tQmMjc3fTt4AEXzxbcEXYHxaTTS9p6oxzSplZ0DRTAD8KLpeD/b4+owXcZcKgIRf +F9k8RyTamJ+7sS7O/mPboW1Yhd5faqkgdJwp+PUqSp/iZSP0qimC02U1GvUCAwEA +AQKCAgEAjbKjkgViwZPhiOIEWBpvXBK5V8/6ZIK28RS3AkVg+ACMik4mrsd725dO +gJRsv127j6yKMLRCSxfBO38fuonr2ISs2a1ELPqmGyLH3+dA3zb2p9Hw5tVmcCj5 +F4L+WsnzOdX49kuILNu/eYVSsaYRs4O1K+Y3d4m0tfIkorRDdueAKfmOi4JZ++SX +58G5hiUAUtNqP1mpP04KBphtS7IT0QDlYul714/giJ0Uib5qGPMMudJA9gE/ZcYa +AxmsWM0AS70G6KEkA08llG1AQgYtREER4H3AkO7hm14ivVmX6LChglXiyiiyhj4p +jb2LAxI+ubJ77huaROeneLOEB781RJIFB3TdjMXS3ShoCgA900iCi6aNUYhceE19 +l1qSAAIOVaJaFWk4cILZy7uMX4deqGVMflne+0iHB+KymoGjELa4/DDabJNdQLRQ +yGvwKmVF8MSm/+qvrfuRormZoST6HbSbKs0fSffeqZ6MvsirYZbVlExZKzrzXurZ +QtDsUPEIfw2NQ3H6aeeWIWRdk1L2d2yzqC4N8enQN6rVLVk3xFmcBnk9V/hL8Nqg +UJru/M+CS/jJSuhart0VwBuW3s2ciLlyVu/EovvAQoxUw2JXfUYtrj9Qelu7lAHo +EKsJXm/+pX6wwBrfFuRCxLpXSqonJ1wbN++0y8Gru3jbHeknyAECggEBANd6/ry1 +7C840c+ph1NrJ5QwhuuCg6I6fT1dE23/LfkhqCDoIGsVjRSO07A5dwzO0sP2+ixS +d1rvm9oE+QdQ/4bLd0KkhFMEIh/Mb2lGDdwMOizD6N/hIku0piYSsSwoiXqyWV3B +IlahGkKhWoCcP0oAmEORQruJZnkhyZN4Xjr++rV/Kn5Ev2Uo9D80YpcOrCCc8t6G +PGQh2E6CzO87TG34z2m5pOgh5oWp7VUfQj88sSx4YSdbv2iISaU1M4zur0haMT8Q +rJpfQsFMgkVIIxxT6W4jYma0LaYBj0oTZxnhhW0eqNSKozqfKXlHlNgmNjjAHO2X +a235H8ysoxvkkIECggEBAMkxyAxMAHJM4mpX8iZ3ufRDiidCvKaQOB98L9SeQ+j5 +NuYLnHUd9dpYVXQJOriICX39V2F0I89VL4t9VxAy15Wh6ohnJ4GwfbvMt451ImoX 
+2PU6pv+hVIJb32PPDSg5hnKDEGov9xoYHYeYeWEFT/zBhrtvjisz1xjecBrA96lU +vqskqCDMts28vaUMEuofCTJGIW90X+MbC+v+ECtqyg2j4BsVyE2eOaxVEvospTHL +1rDeZYbAta+nPCOKu/3OKE2kIBtoMdtydO+AI7AsSRfu8ieWU0Jc2iWWHbF8Zh+f +aKfBg7NE1GA38xGmxHUvDu3Gw2jretRBW1IH9dE3EHUCggEADLiRI1jmGZ+UG1tZ +xt3zlzcKMAsjdEdZr264P+0prKSFBXROvaOnEYihDK1HzvTC0pjZChbQPwkYPVW/ +0ePBQhbu8ns96Jy82v25shBVryD1qkDilZz35lpC2MqPtRirjRfMWNGXEmAuabKW +4jLXNao1Uv/XXbTt3MbW3KLlhTwaVu6r9opedj1ltfmEvIA8Pyyk1eg81nh9CZ2F +NbZde7yNmiNAjge6UTfH8BeJVKxjlUmCCs3KzgQFvQAYDADnTjEs6Rk152MqULkQ +k8B/eiOmCz+BhqiqbTt4VxowIwICW3/M3cdVfZd53lQQgHY5Cz6kNo6S5AoqC25B +rtregQKCAQEAieq7JFrRD4lOx/FDiEUYTq4hvSoNYeyI3GRn8UsQaFq13FpnRQ1l +o+hbo7BT9X0jbJ9G0AIqLg1KC0e/b9Y6XFNjD2AO/+L5Pcxmo5v+HFX+npQ3OBLi +eH38E1IyxbkxRbw8e14n+FZBn9rQkcZvf2c2MbSV812U/HI2zNAstYHnNjBppBpQ +0ZWpNsOhD6Z4ymKyttFCjc7TjFFbyjdpDJKipE55QWPOSykCWkZSc2E06Yd6dzYR +FbkBC6glmCVDEX4JmGADlVfPewIO9MxWyrY8fxCYQGygCZXvAuSwqMrAlgacfj4X +i2GvGRGFqIK6rBpNh9WsHGY08HWOd31UpQKCAQA6xHhUp/OdyTb2mgkQrVYJTgLs +NcvwOCP/YZDgCtsK2/JY3s7EJqifNGlP2gu68OiXKUFzZvo/YsbEP63A3gO0a5VG +fjidvH8Ya6ApIJzByzAukZKPqYwXom7R4IMuu1yDwsuo78g6yBY9zkhzBbSB3BI1 +6zXaeJN1S4pxGzcfitegzBus71yAc3VgIfiLkaO1QB9JZ162DqCt4iuqEqkQv2Yo +gX8rwMh9/Iex+HeExWlupNlLz5Z77yg8uWmp4dEEeDrNhwT8lzAv90s7kpLqnj20 +5ywrLYlNH2FPM2u2GuX34bVEVEQsXFXZC5eAJvFAkWe+/5aPBdNU7j5rQ8dc +-----END RSA PRIVATE KEY----- --- openssl-blacklist-0.5.orig/examples/bad_rsa_password_is_pass.key +++ openssl-blacklist-0.5/examples/bad_rsa_password_is_pass.key 
@@ -0,0 +1,18 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,34D71851EA39C61224A535A75F1054F0 + +diK6oPnDvqS4TVvqbV65zp/S8RxAzMx89v6QvhTvAC7GPvosY0OQgNIcqNzfyQYA +oOF/9g3KU4zGZ0i51mfq5OwiixrEG2dsDMR9MZZo01Izz3D0AQRhOd4/mN4GcAmY +Y1gBXkd905dxULAG/7DypqhGPr0Vjv7th50tptSVLRTogXtfe+gjFv3EH/YTPL+A +L1KlrlrXGIXLfOiUN7v4Nisp8JyGajbrp3XpimAH3L28L7iwNSkH/AJlNfgPKB0h +NBYoiv2nk9RYQF8V84V3XKQIrVjWAvevUyE48zAAd4PVlNYEbS0abbbbHv6yFVFL +tTnusfnGVLZjmnCJ6IT2TuQQJVxcd0eCVTX7op2AoXZu8JaJgSc3Pk8oqgk6NvR2 +0KOSTi/HRLwc7M2G8GHpzwRd1n7fI93DR16pacfl6ZIfX0hphmz2zzVEfD+gKgQT +hQfnPDlVUvJpIFDpgweVWDlgfLNCnC/IaVDY5ZpvroWeWSuR0KMDaJTzL1t0AxoY +pCk93m4XCTn2O6lPB+nqoc/pmTrn2CGSRZbByrYInSwEcJj7bRaEzjl4D3zjCBHh +rWUmS385A4Cwjsf6ZM9lsLUMtaJYHr6Tzn17U7UDzmFjX8++M4BjeJeu84CSa6XI +YWQwJtWY51Nzezse8H+ZguJEhq0ZdS/FKtsZPay0m6sNctjvSZfeRPcFQwh/gs9J +Eo7lAoDvQeNh/pxuAj2hUy7tE+jh4Agru1PWYr0F47FHowJ4hJ3xdfGQcJRYcTw2 +5fQ+snpa5v6RmhVUw2k+KRSDi7XIJOYHwnifVaXKJWZRVqNMKKhuZaBq/juh8a+v +-----END RSA PRIVATE KEY----- --- openssl-blacklist-0.5.orig/examples/bad_x509.pem +++ openssl-blacklist-0.5/examples/bad_x509.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDzTCCArWgAwIBAgIJAJs7Mrs4MdflMA0GCSqGSIb3DQEBBQUAME0xCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRAwDgYDVQQKEwdUZXN0bGliMQ0wCwYD +VQQLEwRUZXN0MQswCQYDVQQDEwJDQTAeFw0wODA1MTIxNzM2NTZaFw0wODA2MTEx +NzM2NTZaME0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRAwDgYDVQQK +EwdUZXN0bGliMQ0wCwYDVQQLEwRUZXN0MQswCQYDVQQDEwJDQTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANM8XW6YsOpOq3amDWoKe5xZg8WMCqHTw3lp +WBafJwJ7rIElP6V5xILohKLhzvDKgT7INZ6WENKUc8o21jwegaAQGkgaPP9YYQ6O +pyoqFYJn1m9NooZpKKI9RuAhxUQv355K3WvFNn0/dyJhCSlRExCDbnp31gi38ZH4 +JBm+EYfsoYTwZlHESOqQR4gT623JvlP8ZmnTHKtjij8wY9E8ytpbSvojHc75VIbt +XS1xjDDgzkraL/3hgWAD8J0YOiXMsodKVwOVAOS2UAurfNQ13DAdGfLCVq5Pg33S +3mMOiKZSqHwfKkRCJFA9qX3D7rvHk+blvuxjHB7SeI/LHaEOCvcCAwEAAaOBrzCB +rDAdBgNVHQ4EFgQUC//QSRcOIUe7DnKguOpX+kBmqVcwfQYDVR0jBHYwdIAUC//Q +SRcOIUe7DnKguOpX+kBmqVehUaRPME0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdB +cml6b25hMRAwDgYDVQQKEwdUZXN0bGliMQ0wCwYDVQQLEwRUZXN0MQswCQYDVQQD +EwJDQYIJAJs7Mrs4MdflMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +ALRkK4uZ60YHeL6LYLJyhz1p/FJXNWb2TqO7kZQl3ZfkmFJF1524N/K8KrZLwIGJ +KJXUPcGTkBm/3tmvIuAMxn/MRvlEPW1nwQG81QXltObHRF5123Tl1px30Y8B00/V +VBqeKw7sMLF0b4PmnegPz77UhsGikffPJwLt6VUO0j52RW/XvpletgqcxWMHqVLK +z0V73UyaJT3wEm6zEjJINPfPwcw46IeOXcnEekon3JbDxtvm8Q706YOziPStGcel +hh+5myPwDwMgc/mH+jDBK8vyaYGb+xViHK9Fa70jkcSX/AOmYYRKfKZbaR8ba/Ee +xosT4eW/v04AyK9nfcPNbhg= +-----END CERTIFICATE----- --- openssl-blacklist-0.5.orig/examples/getpid.c +++ openssl-blacklist-0.5/examples/getpid.c 
@@ -0,0 +1,39 @@
+/*
+ * Compile:
+
+gcc -fPIC -c getpid.c -o getpid.o
+gcc -shared -o getpid.so getpid.o
+
+ * Use:
+
+FORCE_PID=1234 LD_PRELOAD=./getpid.so bash
+
+#
+# Copyright (C) 2001-2008 Kees Cook
+# kees@outflux.net, http://outflux.net/
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# http://www.gnu.org/copyleft/gpl.html
+
+*/
+
+#include
+#include
+#include
+
+pid_t getpid(void)
+{
+ return atoi(getenv("FORCE_PID"));
+}
--- openssl-blacklist-0.5.orig/examples/bad_x509_4096.pem
+++ openssl-blacklist-0.5/examples/bad_x509_4096.pem
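Review bot: `return atoi(getenv("FORCE_PID"));` in the `getpid` override passes a NULL pointer to `atoi` whenever `FORCE_PID` is not set, which is undefined behaviour and in practice a segfault in any preloaded process that calls getpid() — including the `bash` from the Use: example and everything that shell spawns without the variable. Fall back to the real PID instead: `const char *forced = getenv("FORCE_PID");` followed by `return forced ? (pid_t)atoi(forced) : (pid_t)syscall(SYS_getpid);`, which needs `<sys/syscall.h>` next to the existing includes (calling the libc `getpid` here would recurse into this override, hence the raw syscall). The three `#include` lines appear without header names in this rendering, presumably stripped with the angle brackets by the page's extraction, so the actual include set should be confirmed in the file. A one-line comment above the function saying it exists to make OpenSSL's PID-only seeding reproducible, as gen_certs.sh uses it, would also help the next reader.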
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIFzTCCA7WgAwIBAgIJANoL5xsesSBxMA0GCSqGSIb3DQEBBQUAME0xCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRAwDgYDVQQKEwdUZXN0bGliMQ0wCwYD +VQQLEwRUZXN0MQswCQYDVQQDEwJDQTAeFw0wODA2MTYxNjU1MjFaFw0wODA3MTYx +NjU1MjFaME0xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRAwDgYDVQQK +EwdUZXN0bGliMQ0wCwYDVQQLEwRUZXN0MQswCQYDVQQDEwJDQTCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAKlZeO9dtYYXNRyuU4T4i+9aRqx6XIgBxX5r +ovZKmTm6XiEtZpk6qrsW7C++eseZC8Vm4g2My9dDYHc3MkJWVyTFcfV6UoyItQOb +srPmYhFnPOPJXRfDjwMA9U1Y+JN801TEKc/hN+SHx3rqQ751Uyl/+aYoPT1i729F +ryowPqWdGU9acKCGU/yhzt7mGvbmISn6Raqan1R1Y97r3nsh7ZoZnO8raTHbn664 +X1ff0v42cS+0+z1HfXcSUWx00jReKKNFko9qXoxBZmfNc/rgRRE6a/rFA6Kgyzgw +PpLfGj9YIdnT6pAHdD1nIoJDwJYgA/CeTlIprowGjmiWa+Aewre7WUFU+QsRAOjP +DCYGIEwPRL90egh+o09IJfEKOezZ0x/w0n9JQBZJDW9+C4JDarDgx5yYsAQg7IZs +X7wHJTZM0bYrlT+Mq5r0Mtw4Nv0O7ILG+hU7I/CqxOc3z9RSKEw8ud05ZTDHWsD5 +S4ll3u66lqAnTuh8qkbOOZSdIiHykDDE4flY8BdJ9apleFkykeebzd6zLrqkDpGO +Dd7yAECnpZMj8rUJjI3N307eABF88W3BF2B8Wk00vaeqMc0qZWdA0UwA/Ci6Xg/2 ++PqMF3GXCoCEXxfZPEck2pifu7Euzv5j26FtWIXeX2qpIHScKfj1Kkqf4mUj9Kop +gtNlNRr1AgMBAAGjga8wgawwHQYDVR0OBBYEFLUCV6yO725sQK9MAIPXzpf0gxke +MH0GA1UdIwR2MHSAFLUCV6yO725sQK9MAIPXzpf0gxkeoVGkTzBNMQswCQYDVQQG +EwJVUzEQMA4GA1UECBMHQXJpem9uYTEQMA4GA1UEChMHVGVzdGxpYjENMAsGA1UE +CxMEVGVzdDELMAkGA1UEAxMCQ0GCCQDaC+cbHrEgcTAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBBQUAA4ICAQAA1c5VugNjX9MMtR6B8iUnY55zGOfN6Qgh5L3NPj6Y +EpY0HDdeyWT/BNvyLbsgfM12wzWBPj17q/7JBAq/f2bTyGRwsTGPeRXr8r9wrxPC +8OfLMdrDOOhshIbGz9Evror2pTJEgIHXuJKpKOAN3qXA5h5DuDoKojynKV5hep4G +o8E60GMpOev0d17krV8rFcmtFiGs2ZpQPHeTfkm1h/nhkwh38PLD5wAqYOa4STkO +BEHRa9C6KCIN1fYXmauc5m36QXqoXkVw1+DNQGapVmn6eae4hOaA/ZiSzPjyo3Kl +HSHWdy+hqz1WBx3S9Cly2VnE6RTSMTYBwECNnvJbLMFuozG+3vYL+p8gJgJoaetg +vtGPi1Au9xKmmYN6VZKOWASU45Yrgkckifymc86clR5wV3ddVejqalIvI6G60WVR +/zNXkJLs4fj8CRwGEVWWK6+KvAebJjnTFRXDj45di+1upmfC5p5qb+XyKLMSdWFw +O5w2i1Z/6cXKFho/I7rHCl3klFMSA/kyTIbjG4YH0oLQ48b9lGuSIg6XVVhAtTB4 
+x+IS7SqneBT3O1YAnkkuf5jUWbju6RGokVAEJUyFStvXCEV9sTuaojWwelGvJlKk +7xmi+dI4MRP2gDpwGMfTDp0BA7UnxMyAtpYTLjP4/OB/bivokf3m1AEZb63HOq0X +QA== +-----END CERTIFICATE-----