Generate two keys with the PID forced to the same value and test that

they differ, to defend against recurrences of the recent Debian OpenSSL vulnerability.
author: Colin Watson <cjwatson@debian.org> 2008-05-20 19:59:07 +0000
committer: Colin Watson <cjwatson@debian.org> 2008-05-20 19:59:07 +0000
commit: 2231f4c3038aefc1f77cf456b188b53fb6da4a13 (patch)
tree: a7bac02b6fa3cd8c2f22f9fd76c45b7f47d4ac60 /debian/tests
parent: 15177d9485f496337dabadb0364c08be971c1239 (diff)
4 files changed, 66 insertions, 0 deletions
diff --git a/debian/tests/.cvsignore b/debian/tests/.cvsignore
new file mode 100644
index 000000000..d0383c1d3
--- /dev/null
+++ b/debian/tests/.cvsignore
@@ -0,0 +1,4 @@
+key1
+key1.pub
+key2
+key2.pub
diff --git a/debian/tests/Makefile b/debian/tests/Makefile
new file mode 100644
index 000000000..16d9840ac
--- /dev/null
+++ b/debian/tests/Makefile
@@ -0,0 +1,11 @@
+test: getpid.so
+        ./keygen-test
+getpid.o: getpid.c
+        gcc -fPIC -c $< -o $@
+getpid.so: getpid.o
+        gcc -shared -o $@ $<
+clean:
+        rm -f getpid.o getpid.so key1 key1.pub key2 key2.pub
diff --git a/debian/tests/getpid.c b/debian/tests/getpid.c
new file mode 100644
index 000000000..c9e35b87e
--- /dev/null
+++ b/debian/tests/getpid.c
@@ -0,0 +1,39 @@
+/*
+ * Compile:
+gcc -fPIC -c getpid.c -o getpid.o
+gcc -shared -o getpid.so getpid.o
+ * Use:
+ 
+FORCE_PID=1234 LD_PRELOAD=./getpid.so bash
+#
+# Copyright (C) 2001-2008 Kees Cook
+# kees@outflux.net, http://outflux.net/
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+# http://www.gnu.org/copyleft/gpl.html
+*/
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdlib.h>
+pid_t getpid(void)
+{
+    return atoi(getenv("FORCE_PID"));
+}
diff --git a/debian/tests/keygen-test b/debian/tests/keygen-test
new file mode 100755
index 000000000..02b7c761a
--- /dev/null
+++ b/debian/tests/keygen-test
@@ -0,0 +1,12 @@
+#! /bin/sh
+rm -f key1 key1.pub key2 key2.pub
+LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \
+        ../../build-deb/ssh-keygen -N '' -f key1 >/dev/null
+LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \
+        ../../build-deb/ssh-keygen -N '' -f key2 >/dev/null
+if cmp -s key1 key2; then
+        echo "Generated two identical keys!" >&2
+        exit 1
+fi
+exit 0
author	Colin Watson <cjwatson@debian.org>	2008-05-20 19:59:07 +0000
committer	Colin Watson <cjwatson@debian.org>	2008-05-20 19:59:07 +0000
commit	2231f4c3038aefc1f77cf456b188b53fb6da4a13 (patch)
tree	a7bac02b6fa3cd8c2f22f9fd76c45b7f47d4ac60 /debian/tests
parent	15177d9485f496337dabadb0364c08be971c1239 (diff)

diff --git a/debian/tests/.cvsignore b/debian/tests/.cvsignore new file mode 100644 index 000000000..d0383c1d3 --- /dev/null +++ b/debian/tests/.cvsignore
@@ -0,0 +1,4 @@
	1	key1
	2	key1.pub
	3	key2
	4	key2.pub


diff --git a/debian/tests/Makefile b/debian/tests/Makefile new file mode 100644 index 000000000..16d9840ac --- /dev/null +++ b/debian/tests/Makefile
@@ -0,0 +1,11 @@
	1	test: getpid.so
	2	./keygen-test
	3
	4	getpid.o: getpid.c
	5	gcc -fPIC -c $< -o $@
	6
	7	getpid.so: getpid.o
	8	gcc -shared -o $@ $<
	9
	10	clean:
	11	rm -f getpid.o getpid.so key1 key1.pub key2 key2.pub


diff --git a/debian/tests/getpid.c b/debian/tests/getpid.c new file mode 100644 index 000000000..c9e35b87e --- /dev/null +++ b/debian/tests/getpid.c
@@ -0,0 +1,39 @@
	1	/*
	2	* Compile:
	3
	4	gcc -fPIC -c getpid.c -o getpid.o
	5	gcc -shared -o getpid.so getpid.o
	6
	7	* Use:
	8
	9	FORCE_PID=1234 LD_PRELOAD=./getpid.so bash
	10
	11	#
	12	# Copyright (C) 2001-2008 Kees Cook
	13	# kees@outflux.net, http://outflux.net/
	14	#
	15	# This program is free software; you can redistribute it and/or
	16	# modify it under the terms of the GNU General Public License
	17	# as published by the Free Software Foundation; either version 2
	18	# of the License, or (at your option) any later version.
	19	#
	20	# This program is distributed in the hope that it will be useful,
	21	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	22	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	23	# GNU General Public License for more details.
	24	#
	25	# You should have received a copy of the GNU General Public License
	26	# along with this program; if not, write to the Free Software
	27	# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	28	# http://www.gnu.org/copyleft/gpl.html
	29
	30	*/
	31
	32	#include <sys/types.h>
	33	#include <unistd.h>
	34	#include <stdlib.h>
	35
	36	pid_t getpid(void)
	37	{
	38	return atoi(getenv("FORCE_PID"));
	39	}


diff --git a/debian/tests/keygen-test b/debian/tests/keygen-test new file mode 100755 index 000000000..02b7c761a --- /dev/null +++ b/debian/tests/keygen-test
@@ -0,0 +1,12 @@
	1	#! /bin/sh
	2
	3	rm -f key1 key1.pub key2 key2.pub
	4	LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \
	5	../../build-deb/ssh-keygen -N '' -f key1 >/dev/null
	6	LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \
	7	../../build-deb/ssh-keygen -N '' -f key2 >/dev/null
	8	if cmp -s key1 key2; then
	9	echo "Generated two identical keys!" >&2
	10	exit 1
	11	fi
	12	exit 0