From a02f92e875d0d48c46103eef0fbea835048a278b Mon Sep 17 00:00:00 2001 From: Doug Barton Date: Sat, 4 Nov 2006 07:53:25 +0000 Subject: [PATCH] Update to version 9.3.2-P2, which addresses the vulnerability announced by ISC dated 31 October (delivered via e-mail to the bind-announce@isc.org list on 2 November): Description: Because of OpenSSL's recently announced vulnerabilities (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named, we are announcing this workaround and releasing patches. A proof of concept attack on OpenSSL has been demonstrated for CAN-2006-4339. OpenSSL is required to use DNSSEC with BIND. Fix for version 9.3.2-P1 and lower: Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and RSAMD5 keys for all old keys using the old default exponent and perform a key rollover to these new keys. These versions also change the default RSA exponent to be 65537 which is not vulnerable to the attacks described in CAN-2006-4339. --- contrib/bind9/CHANGES | 15 +++++ contrib/bind9/bin/named/query.c | 4 +- contrib/bind9/configure.in | 80 ++++++++++++++----------- contrib/bind9/lib/dns/opensslrsa_link.c | 59 ++++++++++++++++-- contrib/bind9/lib/dns/resolver.c | 4 +- contrib/bind9/version | 4 +- 6 files changed, 122 insertions(+), 44 deletions(-) diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES index 0cfafd20aba1..b45cec78ac6e 100644 --- a/contrib/bind9/CHANGES +++ b/contrib/bind9/CHANGES @@ -1,4 +1,19 @@ + --- 9.3.2-P2 released --- + +2090. [port] win32: Visual C++ 2005 command line manifest support. + [RT #16417] + +2089. [security] Raise the minimum safe OpenSSL versions to + OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions + prior to these have known security flaws which + are (potentially) exploitable in named. [RT #16391] + +2088. [security] Change the default RSA exponent from 3 to 65537. + [RT #16391] + +2083. [port] win32: Visual C++ 2005 support. + --- 9.3.2-P1 released --- 2066. [security] Handle SIG queries gracefully. [RT #16300] diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index b20324b3fd61..6533ce49360b 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.198.2.13.4.36.6.1 2006/08/17 07:12:31 marka Exp $ */ +/* $Id: query.c,v 1.198.2.13.4.36.6.2 2006/10/04 07:06:01 marka Exp $ */ #include diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in index b14b489bb2b7..cf7517b0b5d3 100644 --- a/contrib/bind9/configure.in +++ b/contrib/bind9/configure.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2003 Internet Software Consortium. # # Permission to use, copy, modify, and distribute this software for any @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.294.2.23.2.51 $) +AC_REVISION($Revision: 1.294.2.23.2.51.4.3 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.13) @@ -357,6 +357,7 @@ AC_C_BIGENDIAN # # was --with-openssl specified? # +OPENSSL_WARNING= AC_MSG_CHECKING(for OpenSSL library) AC_ARG_WITH(openssl, [ --with-openssl[=PATH] Build with OpenSSL [yes|no|path]. @@ -462,51 +463,38 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)], [AC_MSG_RESULT(assuming it does work on target platform)] ) -# -# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may -# have a patched library otherwise check that we are greater than -# the fixed versions -# - AC_CHECK_FUNC(OpenSSLDie, +AC_ARG_ENABLE(openssl-version-check, +[AC_HELP_STRING([--enable-openssl-version-check], + [Check OpenSSL Version @<:@default=yes@:>@])]) +case "$enable_openssl_version_check" in +yes|'') AC_MSG_CHECKING(OpenSSL library version) AC_TRY_RUN([ #include #include int main() { - if (OPENSSL_VERSION_NUMBER >= 0x0090581fL) + if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL && + OPENSSL_VERSION_NUMBER < 0x009080000L) || + OPENSSL_VERSION_NUMBER >= 0x0090804fL) return (0); printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", OPENSSL_VERSION_NUMBER); - printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n"); + printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n" + "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n"); return (1); } -], + ], [AC_MSG_RESULT(ok)], [AC_MSG_RESULT(not compatible) - AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)], + OPENSSL_WARNING=yes + ], [AC_MSG_RESULT(assuming target platform has compatible version)]) - , - AC_MSG_RESULT(did not find fixes for CERT CA-2002-23) - AC_MSG_CHECKING(OpenSSL library version) - AC_TRY_RUN([ -#include -#include -int main() { - if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL && - OPENSSL_VERSION_NUMBER < 0x009070000L) || - OPENSSL_VERSION_NUMBER >= 0x00907003L) - return (0); - printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", - OPENSSL_VERSION_NUMBER); - printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n" - "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n"); - return (1); -} -], - [AC_MSG_RESULT(ok)], - [AC_MSG_RESULT(not compatible) - AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)], - [AC_MSG_RESULT(assuming target platform has compatible version)])) +;; +no) + AC_MSG_RESULT(Skipped OpenSSL version check) +;; +esac + AC_MSG_CHECKING(for OpenSSL DSA support) if test -f $use_openssl/include/openssl/dsa.h then @@ -2116,6 +2104,30 @@ AC_OUTPUT( ) chmod a+x isc-config.sh +if test "X$OPENSSL_WARNING" != "X"; then +cat << \EOF +WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING +WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING +WARNING WARNING +WARNING Your OpenSSL crypto library may be vulnerable to WARNING +WARNING one or more of the the following known security WARNING +WARNING flaws: WARNING +WARNING WARNING +WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and WARNING +WARNING CVE-2006-2940. WARNING +WARNING WARNING +WARNING It is recommended that you upgrade to OpenSSL WARNING +WARNING version 0.9.8d/0.9.7l (or greater). WARNING +WARNING WARNING +WARNING You can disable this warning by specifying: WARNING +WARNING WARNING +WARNING --disable-openssl-version-check WARNING +WARNING WARNING +WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING +WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING +EOF +fi + # Tell Emacs to edit this file in shell mode. # Local Variables: # mode: sh diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c index 0d4426bfabef..f5530971dff1 100644 --- a/contrib/bind9/lib/dns/opensslrsa_link.c +++ b/contrib/bind9/lib/dns/opensslrsa_link.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -17,7 +17,7 @@ /* * Principal Author: Brian Wellington - * $Id: opensslrsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $ + * $Id: opensslrsa_link.c,v 1.1.4.1.10.5 2006/10/11 03:58:50 marka Exp $ */ #ifdef OPENSSL @@ -39,6 +39,22 @@ #include #include #include +#if OPENSSL_VERSION_NUMBER > 0x00908000L +#include +#endif + +/* + * We don't use configure for windows so enforce the OpenSSL version + * here. Unlike with configure we don't support overriding this test. + */ +#ifdef WIN32 +#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \ + OPENSSL_VERSION_NUMBER < 0x009080000L) || \ + OPENSSL_VERSION_NUMBER >= 0x0090804fL) +#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater. +#endif +#endif + /* * XXXMPA Temporarially disable RSA_BLINDING as it requires @@ -260,13 +276,47 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { static isc_result_t opensslrsa_generate(dst_key_t *key, int exp) { +#if OPENSSL_VERSION_NUMBER > 0x00908000L + BN_GENCB cb; + RSA *rsa = RSA_new(); + BIGNUM *e = BN_new(); + + if (rsa == NULL || e == NULL) + goto err; + + if (exp == 0) { + /* RSA_F4 0x10001 */ + BN_set_bit(e, 0); + BN_set_bit(e, 16); + } else { + /* F5 0x100000001 */ + BN_set_bit(e, 0); + BN_set_bit(e, 32); + } + + BN_GENCB_set_old(&cb, NULL, NULL); + + if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) { + BN_free(e); + SET_FLAGS(rsa); + key->opaque = rsa; + return (ISC_R_SUCCESS); + } + + err: + if (e != NULL) + BN_free(e); + if (rsa != NULL) + RSA_free(rsa); + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +#else RSA *rsa; unsigned long e; if (exp == 0) - e = RSA_3; - else e = RSA_F4; + else + e = 0x40000003; rsa = RSA_generate_key(key->key_size, e, NULL, NULL); if (rsa == NULL) return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -274,6 +324,7 @@ opensslrsa_generate(dst_key_t *key, int exp) { key->opaque = rsa; return (ISC_R_SUCCESS); +#endif } static isc_boolean_t diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c index 28779645a560..a5474f1ae020 100644 --- a/contrib/bind9/lib/dns/resolver.c +++ b/contrib/bind9/lib/dns/resolver.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.218.2.18.4.56.4.1 2006/08/17 07:12:31 marka Exp $ */ +/* $Id: resolver.c,v 1.218.2.18.4.56.4.2 2006/10/04 07:06:02 marka Exp $ */ #include diff --git a/contrib/bind9/version b/contrib/bind9/version index fe47241d0a83..a9b6ee535613 100644 --- a/contrib/bind9/version +++ b/contrib/bind9/version @@ -1,4 +1,4 @@ -# $Id: version,v 1.26.2.17.2.21.4.1 2006/08/17 07:12:31 marka Exp $ +# $Id: version,v 1.26.2.17.2.21.4.2 2006/10/04 07:00:13 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=3 PATCHVER=2 RELEASETYPE=-P -RELEASEVER=1 +RELEASEVER=2