From: Florian Weimer
Date: Thu, 22 May 2008 14:46:11 +0000 (+0200)
Subject: Warn about OpenSSL exponents which are not 65537
X-Git-Tag: v0.9.4~1
X-Git-Url: https://repo.or.cz/w/dowkd.git/commitdiff_plain/6c3de852a7696225b25ddeb22c25984fdd2801d6

Warn about OpenSSL exponents which are not 65537
---

diff --git a/dowkd.in b/dowkd.in
index 9b5f79b..761f167 100644
--- a/dowkd.in
+++ b/dowkd.in
@@ -344,23 +344,31 @@ sub from_openvpn_key ($) {
 }
 }
-sub openssl_modulus_check ($$) {
- my ($name, $modulus) = @_;
- chomp $modulus;
- if ($modulus =~ /^Modulus=([A-F0-9]+)$/) {
- $modulus = $1;
- my $length = length($modulus) * 4;
- if ($length == 1024 || $length == 2048) {
- my $mod = substr $modulus, length($modulus) - 32;
- $mod =~ y/A-F/a-f/;
- my @mod = $mod =~ /(..)/g;
- $mod = join('', map { chr(hex($_)) } reverse @mod);
- check_hash $name, $mod, "OpenSSL/RSA/$length";
- } else {
- warn "$name: warning: no blacklist for OpenSSL/RSA/$length key\n";
- }
+sub openssl_output_check ($$) {
+ my ($name, $output) = @_;
+ my ($length) =
+ $output =~ /^(?:\s+RSA Public |Private-)Key: \((\d+) bit\)/m;
+ $length or die "internal error: could not parse OpenSSL output\n";
+ my ($modulus) =
+ $output =~ /(?:modulus|\s+Modulus\ \(\d+\ bit\)):$ \s+
+ ( (?:^\s+ (?:[0-9a-f]{2}:)+$ \s+)+
+ ^\s+ (?:[0-9a-f]{2}:)*(?:[0-9a-f]{2})$ )/xm;
+ $modulus or die "internal error: could not parse modulus\n";
+ $modulus =~ y/0-9a-f//cd;
+ my ($exponent) = $output =~ /^(?:\s+|public)Exponent: (\d+) \(0x/m;
+ $exponent or die "internal error: could not parse exponent\n";
+
+ if ($length == 1024 || $length == 2048) {
+ my $mod = substr $modulus, length($modulus) - 32;
+ $mod =~ y/A-F/a-f/;
+ my @mod = $mod =~ /(..)/g;
+ $mod = join('', map { chr(hex($_)) } reverse @mod);
+ length($mod) == 16 or die;
+ return if check_hash $name, $mod, "OpenSSL/RSA/$length";
+ warn "$name: warning: no blacklist for OpenSSL/RSA/$length key (e=$exponent)\n"
+ if $exponent != 65537;
 } else {
- die "internal error: $modulus\n";
+ warn "$name: warning: no blacklist for OpenSSL/RSA/$length key\n";
 }
 }
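Review bot: The three `or die "internal error: ..."` checks in openssl_output_check abort the whole run whenever the `-text` output does not match the expected RSA layout, which presumably includes any non-RSA certificate or an OpenSSL release that formats its dump differently. Unless a caller traps the exception (not visible in this diff), every key after that point goes unscanned, so for a blacklist scanner a per-item `warn "$name: warning: could not parse OpenSSL output\n"; return;` would be safer. The guard `length($mod) == 16 or die;` dies with no message and no `$name`; something like `die "$name: internal error: short modulus tail\n"` would make a failure traceable. The `$mod =~ y/A-F/a-f/;` line is now a no-op, because the modulus regex only admits lowercase hex and `y/0-9a-f//cd` has already stripped everything else.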
@@ -386,9 +394,9 @@ sub from_pem ($) {
 } while ($line = <$src>);
 LAST:
 $tmp->flush or die "flush: $!";
- my $mod = safe_backtick qw/openssl x509 -noout -modulus -in/, $tmp;
- if ($mod) {
- openssl_modulus_check "$name:$lineno", $mod;
+ my $out = safe_backtick qw/openssl x509 -noout -text -in/, $tmp;
+ if ($out) {
+ openssl_output_check "$name:$lineno", $out;
 $found = 1;
 } else {
 warn "$name:$lineno: failed to parse certificate\n";
@@ -404,9 +412,9 @@ sub from_pem ($) {
 } while ($line = <$src>);
 LAST_RSA:
 $tmp->flush or die "flush: $!";
- my $mod = safe_backtick qw/openssl rsa -noout -modulus -in/, $tmp;
- if ($mod) {
- openssl_modulus_check "$name:$lineno", $mod;
+ my $out = safe_backtick qw/openssl rsa -noout -text -in/, $tmp;
+ if ($out) {
+ openssl_output_check "$name:$lineno", $out;
 $found = 1;
 } else {
 warn "$name:$lineno: failed to parse RSA private key\n";
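Review bot: Switching the `openssl x509` call to `-text` hands the entire certificate dump to openssl_output_check, including issuer, subject and extension strings that come from the certificate being scanned, and that function's `/m` regexes take the first match anywhere in the text. I have not confirmed that any such string can line up with those patterns, but narrowing the dump to the key section, for example `qw/openssl x509 -noout -text -certopt no_issuer,no_subject,no_extensions,no_sigdump -in/`, would keep certificate-controlled text away from the parser; this needs checking against the OpenSSL versions the tool supports. The parallel change after `LAST_RSA:` makes `openssl rsa -text` return the private exponent and primes in `$out` although only the modulus and `publicExponent` are read, which deserves at least a comment such as `# $out holds private key components; do not log or print it`. Both edits sit inside from_pem, whose body begins and ends outside these hunks.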