Fault in openssl-blacklist - version 0.1 -- false negatives.

To: debian-security@lists.debian.org
Subject: Fault in openssl-blacklist - version 0.1 -- false negatives.
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Date: Fri, 16 May 2008 12:48:14 +0200
Message-id: <[🔎] 750D25FB-7547-49DD-9682-39F3543D81F1@webweaving.org>
In-reply-to: <[🔎] E263B77B-95C5-4E8F-B394-68BE4601F554@webweaving.org>
References: <[🔎] E263B77B-95C5-4E8F-B394-68BE4601F554@webweaving.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just FYI - there seems a minor fault in the openssl-blackist tool[1],I strongly suspect that the line:

#print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits,modulus, key, key[20:])

   if key[20:] in db_lines:

needs to be

   key = sha.sha(modulus).hexdigest()

#print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits,modulus, key, key[20:])

   if key in db_lines:

for the tool to be functional. As it stands - it seems to give falsenegatives -- lulling one in a potentially false sense of security.


Thanks,

Dw.

1: https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iQCVAwUBSC1mVjGmPZbsFAuBAQJWTAP+LtUInmamxTl02h5AFSE98D5qpCRe13Mt
t2PfrRYYhWuFK0rfptxWcACxXOTbFqMMALccI7KAiKAPt1YSJ/oEB27j0TGll9o6
YqGlwTzJzZWqRg++dTN2OnziMLzTrOMol7E3Qq6EhFt3ent8yoL8KkmKrXU2RUF6
6NOELC8050o=
=NzLj
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Fault in openssl-blacklist - version 0.1 -- false negatives.
  - From: Dirk-Willem van Gulik <dirkx@webweaving.org>

References:
- Fault in openssl-blacklist - version 0.1 -- false negatives.
  - From: Dirk-Willem van Gulik <dirkx@webweaving.org>

Prev by Date: Minor improvement to openssl-blacklist
Next by Date: SASL AUTH only check 8 first characters of the password
Previous by thread: Fault in openssl-blacklist - version 0.1 -- false negatives.
Next by thread: Re: Fault in openssl-blacklist - version 0.1 -- false negatives.
Index(es):
- Date
- Thread