aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDoug Barton <dougb@FreeBSD.org>2006-11-04 07:53:25 +0000
committerDoug Barton <dougb@FreeBSD.org>2006-11-04 07:53:25 +0000
commita02f92e875d0d48c46103eef0fbea835048a278b (patch)
tree3043007b955457643a8aaf7cdf24ff1224d3f8e4
parent42b74b2549a0891d22d649ac2404abee2d26ccda (diff)
downloadsrc-a02f92e875d0d48c46103eef0fbea835048a278b.tar.gz
src-a02f92e875d0d48c46103eef0fbea835048a278b.zip
Update to version 9.3.2-P2, which addresses the vulnerability
announced by ISC dated 31 October (delivered via e-mail to the bind-announce@isc.org list on 2 November): Description: Because of OpenSSL's recently announced vulnerabilities (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named, we are announcing this workaround and releasing patches. A proof of concept attack on OpenSSL has been demonstrated for CAN-2006-4339. OpenSSL is required to use DNSSEC with BIND. Fix for version 9.3.2-P1 and lower: Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and RSAMD5 keys for all old keys using the old default exponent and perform a key rollover to these new keys. These versions also change the default RSA exponent to be 65537 which is not vulnerable to the attacks described in CAN-2006-4339.
Notes
Notes: svn path=/vendor/bind9/dist/; revision=163976
-rw-r--r--contrib/bind9/CHANGES15
-rw-r--r--contrib/bind9/bin/named/query.c4
-rw-r--r--contrib/bind9/configure.in80
-rw-r--r--contrib/bind9/lib/dns/opensslrsa_link.c59
-rw-r--r--contrib/bind9/lib/dns/resolver.c4
-rw-r--r--contrib/bind9/version4
6 files changed, 122 insertions, 44 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index 0cfafd20aba1..b45cec78ac6e 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,4 +1,19 @@
+ --- 9.3.2-P2 released ---
+
+2090. [port] win32: Visual C++ 2005 command line manifest support.
+ [RT #16417]
+
+2089. [security] Raise the minimum safe OpenSSL versions to
+ OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
+ prior to these have known security flaws which
+ are (potentially) exploitable in named. [RT #16391]
+
+2088. [security] Change the default RSA exponent from 3 to 65537.
+ [RT #16391]
+
+2083. [port] win32: Visual C++ 2005 support.
+
--- 9.3.2-P1 released ---
2066. [security] Handle SIG queries gracefully. [RT #16300]
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index b20324b3fd61..6533ce49360b 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.198.2.13.4.36.6.1 2006/08/17 07:12:31 marka Exp $ */
+/* $Id: query.c,v 1.198.2.13.4.36.6.2 2006/10/04 07:06:01 marka Exp $ */
#include <config.h>
diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in
index b14b489bb2b7..cf7517b0b5d3 100644
--- a/contrib/bind9/configure.in
+++ b/contrib/bind9/configure.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.294.2.23.2.51 $)
+AC_REVISION($Revision: 1.294.2.23.2.51.4.3 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.13)
@@ -357,6 +357,7 @@ AC_C_BIGENDIAN
#
# was --with-openssl specified?
#
+OPENSSL_WARNING=
AC_MSG_CHECKING(for OpenSSL library)
AC_ARG_WITH(openssl,
[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path].
@@ -462,51 +463,38 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
[AC_MSG_RESULT(assuming it does work on target platform)]
)
-#
-# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may
-# have a patched library otherwise check that we are greater than
-# the fixed versions
-#
- AC_CHECK_FUNC(OpenSSLDie,
+AC_ARG_ENABLE(openssl-version-check,
+[AC_HELP_STRING([--enable-openssl-version-check],
+ [Check OpenSSL Version @<:@default=yes@:>@])])
+case "$enable_openssl_version_check" in
+yes|'')
AC_MSG_CHECKING(OpenSSL library version)
AC_TRY_RUN([
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
- if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+ OPENSSL_VERSION_NUMBER < 0x009080000L) ||
+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
+ printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+ "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
return (1);
}
-],
+ ],
[AC_MSG_RESULT(ok)],
[AC_MSG_RESULT(not compatible)
- AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],
+ OPENSSL_WARNING=yes
+ ],
[AC_MSG_RESULT(assuming target platform has compatible version)])
- ,
- AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)
- AC_MSG_CHECKING(OpenSSL library version)
- AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
- OPENSSL_VERSION_NUMBER < 0x009070000L) ||
- OPENSSL_VERSION_NUMBER >= 0x00907003L)
- return (0);
- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
- "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
- return (1);
-}
-],
- [AC_MSG_RESULT(ok)],
- [AC_MSG_RESULT(not compatible)
- AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],
- [AC_MSG_RESULT(assuming target platform has compatible version)]))
+;;
+no)
+ AC_MSG_RESULT(Skipped OpenSSL version check)
+;;
+esac
+
AC_MSG_CHECKING(for OpenSSL DSA support)
if test -f $use_openssl/include/openssl/dsa.h
then
@@ -2116,6 +2104,30 @@ AC_OUTPUT(
)
chmod a+x isc-config.sh
+if test "X$OPENSSL_WARNING" != "X"; then
+cat << \EOF
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING WARNING
+WARNING Your OpenSSL crypto library may be vulnerable to WARNING
+WARNING one or more of the the following known security WARNING
+WARNING flaws: WARNING
+WARNING WARNING
+WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and WARNING
+WARNING CVE-2006-2940. WARNING
+WARNING WARNING
+WARNING It is recommended that you upgrade to OpenSSL WARNING
+WARNING version 0.9.8d/0.9.7l (or greater). WARNING
+WARNING WARNING
+WARNING You can disable this warning by specifying: WARNING
+WARNING WARNING
+WARNING --disable-openssl-version-check WARNING
+WARNING WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+EOF
+fi
+
# Tell Emacs to edit this file in shell mode.
# Local Variables:
# mode: sh
diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c
index 0d4426bfabef..f5530971dff1 100644
--- a/contrib/bind9/lib/dns/opensslrsa_link.c
+++ b/contrib/bind9/lib/dns/opensslrsa_link.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.1.4.1.10.5 2006/10/11 03:58:50 marka Exp $
*/
#ifdef OPENSSL
@@ -39,6 +39,22 @@
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+#include <openssl/bn.h>
+#endif
+
+/*
+ * We don't use configure for windows so enforce the OpenSSL version
+ * here. Unlike with configure we don't support overriding this test.
+ */
+#ifdef WIN32
+#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
+ OPENSSL_VERSION_NUMBER < 0x009080000L) || \
+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
+#endif
+#endif
+
/*
* XXXMPA Temporarially disable RSA_BLINDING as it requires
@@ -260,13 +276,47 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
static isc_result_t
opensslrsa_generate(dst_key_t *key, int exp) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+ BN_GENCB cb;
+ RSA *rsa = RSA_new();
+ BIGNUM *e = BN_new();
+
+ if (rsa == NULL || e == NULL)
+ goto err;
+
+ if (exp == 0) {
+ /* RSA_F4 0x10001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 16);
+ } else {
+ /* F5 0x100000001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 32);
+ }
+
+ BN_GENCB_set_old(&cb, NULL, NULL);
+
+ if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
+ BN_free(e);
+ SET_FLAGS(rsa);
+ key->opaque = rsa;
+ return (ISC_R_SUCCESS);
+ }
+
+ err:
+ if (e != NULL)
+ BN_free(e);
+ if (rsa != NULL)
+ RSA_free(rsa);
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
RSA *rsa;
unsigned long e;
if (exp == 0)
- e = RSA_3;
- else
e = RSA_F4;
+ else
+ e = 0x40000003;
rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
if (rsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -274,6 +324,7 @@ opensslrsa_generate(dst_key_t *key, int exp) {
key->opaque = rsa;
return (ISC_R_SUCCESS);
+#endif
}
static isc_boolean_t
diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
index 28779645a560..a5474f1ae020 100644
--- a/contrib/bind9/lib/dns/resolver.c
+++ b/contrib/bind9/lib/dns/resolver.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.218.2.18.4.56.4.1 2006/08/17 07:12:31 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.18.4.56.4.2 2006/10/04 07:06:02 marka Exp $ */
#include <config.h>
diff --git a/contrib/bind9/version b/contrib/bind9/version
index fe47241d0a83..a9b6ee535613 100644
--- a/contrib/bind9/version
+++ b/contrib/bind9/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.26.2.17.2.21.4.1 2006/08/17 07:12:31 marka Exp $
+# $Id: version,v 1.26.2.17.2.21.4.2 2006/10/04 07:00:13 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=3
PATCHVER=2
RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2