This commit was generated by cvs2svn to compensate for changes in r163976,

which included commits to RCS files with non-trunk default branches.
2006-11-04 07:53:25 +00:00 · 2006-11-04 07:53:25 +00:00 · ace7f68b50
commit ace7f68b50
parent 8e6c8e8c0c a02f92e875
6 changed files with 122 additions and 44 deletions
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@ -1,4 +1,19 @@

+	--- 9.3.2-P2 released ---
+
+2090.	[port]		win32: Visual C++ 2005 command line manifest support.
+			[RT #16417]
+
+2089.	[security]	Raise the minimum safe OpenSSL versions to
+			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
+			prior to these have known security flaws which
+			are (potentially) exploitable in named. [RT #16391]
+
+2088.	[security]	Change the default RSA exponent from 3 to 65537.
+			[RT #16391]
+
+2083.	[port]		win32: Visual C++ 2005 support.
+
 	--- 9.3.2-P1 released ---

 2066.	[security]	Handle SIG queries gracefully. [RT #16300]
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: query.c,v 1.198.2.13.4.36.6.1 2006/08/17 07:12:31 marka Exp $ */
+/* $Id: query.c,v 1.198.2.13.4.36.6.2 2006/10/04 07:06:01 marka Exp $ */

 #include <config.h>

--- a/contrib/bind9/configure.in
+++ b/contrib/bind9/configure.in
@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl

-AC_REVISION($Revision: 1.294.2.23.2.51 $)
+AC_REVISION($Revision: 1.294.2.23.2.51.4.3 $)

 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.13)
@ -357,6 +357,7 @@ AC_C_BIGENDIAN
 #
 # was --with-openssl specified?
 #
+OPENSSL_WARNING=
 AC_MSG_CHECKING(for OpenSSL library)
 AC_ARG_WITH(openssl,
 [  --with-openssl[=PATH]   Build with OpenSSL [yes|no|path].
@ -462,51 +463,38 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
 		[AC_MSG_RESULT(assuming it does work on target platform)]
 		)
 		 
-#
-#	OpenSSLDie is new with CERT CS-2002-23.  If we see it we have may
-#	have a patched library otherwise check that we are greater than
-#	the fixed versions
-#
-		AC_CHECK_FUNC(OpenSSLDie,
+AC_ARG_ENABLE(openssl-version-check,
+[AC_HELP_STRING([--enable-openssl-version-check],
+	[Check OpenSSL Version @<:@default=yes@:>@])])
+case "$enable_openssl_version_check" in
+yes|'')
 		AC_MSG_CHECKING(OpenSSL library version)
 		AC_TRY_RUN([
 #include <stdio.h>
 #include <openssl/opensslv.h>
 int main() {
-        if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
+	if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+	     OPENSSL_VERSION_NUMBER < 0x009080000L) ||
+	    OPENSSL_VERSION_NUMBER >= 0x0090804fL)
                return (0);
 	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
 		OPENSSL_VERSION_NUMBER);
-	printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
+	printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
        return (1);
 }
-],
+		],
 	        [AC_MSG_RESULT(ok)],
 		[AC_MSG_RESULT(not compatible)
-		 AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],
+                 OPENSSL_WARNING=yes
+		],
 		[AC_MSG_RESULT(assuming target platform has compatible version)])
-		,
-	        AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)
-		AC_MSG_CHECKING(OpenSSL library version)
-		AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
-        if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
-	     OPENSSL_VERSION_NUMBER < 0x009070000L) ||
-	     OPENSSL_VERSION_NUMBER >= 0x00907003L)
-                return (0);
-	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
-		OPENSSL_VERSION_NUMBER);
-	printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
-        return (1);
-}
-],
-	        [AC_MSG_RESULT(ok)],
-		[AC_MSG_RESULT(not compatible)
-		 AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],
-		[AC_MSG_RESULT(assuming target platform has compatible version)]))
+;;
+no)
+	AC_MSG_RESULT(Skipped OpenSSL version check)
+;;
+esac
+
 		AC_MSG_CHECKING(for OpenSSL DSA support)
 		if test -f $use_openssl/include/openssl/dsa.h
 		then
@ -2116,6 +2104,30 @@ AC_OUTPUT(
 )
 chmod a+x isc-config.sh

+if test "X$OPENSSL_WARNING" != "X"; then
+cat << \EOF
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING                                                                 WARNING
+WARNING         Your OpenSSL crypto library may be vulnerable to        WARNING
+WARNING         one or more of the the following known security         WARNING
+WARNING         flaws:                                                  WARNING
+WARNING                                                                 WARNING
+WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and         WARNING
+WARNING         CVE-2006-2940.                                          WARNING
+WARNING                                                                 WARNING
+WARNING         It is recommended that you upgrade to OpenSSL           WARNING
+WARNING         version 0.9.8d/0.9.7l (or greater).                     WARNING
+WARNING                                                                 WARNING
+WARNING         You can disable this warning by specifying:             WARNING
+WARNING                                                                 WARNING
+WARNING               --disable-openssl-version-check          	        WARNING
+WARNING                                                                 WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+EOF
+fi
+
 # Tell Emacs to edit this file in shell mode.
 # Local Variables:
 # mode: sh
--- a/contrib/bind9/lib/dns/opensslrsa_link.c
+++ b/contrib/bind9/lib/dns/opensslrsa_link.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
@ -17,7 +17,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.1.4.1.10.5 2006/10/11 03:58:50 marka Exp $
 */
 #ifdef OPENSSL

@ -39,6 +39,22 @@
 #include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+#include <openssl/bn.h>
+#endif
+
+/*
+ * We don't use configure for windows so enforce the OpenSSL version
+ * here.  Unlike with configure we don't support overriding this test.
+ */
+#ifdef WIN32
+#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
+       OPENSSL_VERSION_NUMBER < 0x009080000L) || \
+      OPENSSL_VERSION_NUMBER >= 0x0090804fL) 
+#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
+#endif
+#endif
+

 	/*
 	 * XXXMPA  Temporarially disable RSA_BLINDING as it requires
@ -260,13 +276,47 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {

 static isc_result_t
 opensslrsa_generate(dst_key_t *key, int exp) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+	BN_GENCB cb;
+	RSA *rsa = RSA_new();
+	BIGNUM *e = BN_new();
+
+	if (rsa == NULL || e == NULL)
+		goto err;
+
+	if (exp == 0) {
+		/* RSA_F4 0x10001 */
+		BN_set_bit(e, 0);
+		BN_set_bit(e, 16);
+	 } else {
+		/* F5 0x100000001 */
+		BN_set_bit(e, 0);
+		BN_set_bit(e, 32);
+	}
+
+	BN_GENCB_set_old(&cb, NULL, NULL);
+
+	if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
+		BN_free(e);
+		SET_FLAGS(rsa);
+		key->opaque = rsa;
+		return (ISC_R_SUCCESS);
+	}
+
+ err:
+	if (e != NULL)
+		BN_free(e);
+	if (rsa != NULL)
+		RSA_free(rsa);
+	return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
 	RSA *rsa;
 	unsigned long e;

 	if (exp == 0)
-		e = RSA_3;
-	else
 		e = RSA_F4;
+	else
+		e = 0x40000003;
 	rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
 	if (rsa == NULL)
 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@ -274,6 +324,7 @@ opensslrsa_generate(dst_key_t *key, int exp) {
 	key->opaque = rsa;

 	return (ISC_R_SUCCESS);
+#endif
 }

 static isc_boolean_t
--- a/contrib/bind9/lib/dns/resolver.c
+++ b/contrib/bind9/lib/dns/resolver.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: resolver.c,v 1.218.2.18.4.56.4.1 2006/08/17 07:12:31 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.18.4.56.4.2 2006/10/04 07:06:02 marka Exp $ */

 #include <config.h>

--- a/contrib/bind9/version
+++ b/contrib/bind9/version
@ -1,4 +1,4 @@
-# $Id: version,v 1.26.2.17.2.21.4.1 2006/08/17 07:12:31 marka Exp $
+# $Id: version,v 1.26.2.17.2.21.4.2 2006/10/04 07:00:13 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=3
 PATCHVER=2
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2