src - FreeBSD source tree

diff options


context:
space:
mode:

author	Doug Barton <dougb@FreeBSD.org>	2006-11-04 07:53:25 +0000
committer	Doug Barton <dougb@FreeBSD.org>	2006-11-04 07:53:25 +0000
commit	a02f92e875d0d48c46103eef0fbea835048a278b (patch)
tree	3043007b955457643a8aaf7cdf24ff1224d3f8e4
parent	42b74b2549a0891d22d649ac2404abee2d26ccda (diff)
download	src-a02f92e875d0d48c46103eef0fbea835048a278b.tar.gz src-a02f92e875d0d48c46103eef0fbea835048a278b.zip

Update to version 9.3.2-P2, which addresses the vulnerability

announced by ISC dated 31 October (delivered via e-mail to the bind-announce@isc.org list on 2 November): Description: Because of OpenSSL's recently announced vulnerabilities (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named, we are announcing this workaround and releasing patches. A proof of concept attack on OpenSSL has been demonstrated for CAN-2006-4339. OpenSSL is required to use DNSSEC with BIND. Fix for version 9.3.2-P1 and lower: Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and RSAMD5 keys for all old keys using the old default exponent and perform a key rollover to these new keys. These versions also change the default RSA exponent to be 65537 which is not vulnerable to the attacks described in CAN-2006-4339.

Notes

Notes: svn path=/vendor/bind9/dist/; revision=163976

Diffstat

-rw-r--r--

contrib/bind9/CHANGES

-rw-r--r--

contrib/bind9/bin/named/query.c

-rw-r--r--

contrib/bind9/configure.in

-rw-r--r--

contrib/bind9/lib/dns/opensslrsa_link.c

-rw-r--r--

contrib/bind9/lib/dns/resolver.c

-rw-r--r--

contrib/bind9/version

6 files changed, 122 insertions, 44 deletions

diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index 0cfafd20aba1..b45cec78ac6e 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES

@@ -1,4 +1,19 @@

+ --- 9.3.2-P2 released ---

+2090. [port] win32: Visual C++ 2005 command line manifest support.

+ [RT #16417]

+2089. [security] Raise the minimum safe OpenSSL versions to

+ OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions

+ prior to these have known security flaws which

+ are (potentially) exploitable in named. [RT #16391]

+2088. [security] Change the default RSA exponent from 3 to 65537.

+ [RT #16391]

+2083. [port] win32: Visual C++ 2005 support.

--- 9.3.2-P1 released ---

2066. [security] Handle SIG queries gracefully. [RT #16300]

diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index b20324b3fd61..6533ce49360b 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c

@@ -1,5 +1,5 @@

* Permission to use, copy, modify, and distribute this software for any

@@ -15,7 +15,7 @@

* PERFORMANCE OF THIS SOFTWARE.

-/* $Id: query.c,v 1.198.2.13.4.36.6.1 2006/08/17 07:12:31 marka Exp $ */

+/* $Id: query.c,v 1.198.2.13.4.36.6.2 2006/10/04 07:06:01 marka Exp $ */

#include <config.h>

diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in
index b14b489bb2b7..cf7517b0b5d3 100644
--- a/contrib/bind9/configure.in
+++ b/contrib/bind9/configure.in

@@ -1,4 +1,4 @@

# Permission to use, copy, modify, and distribute this software for any

@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl

esyscmd([sed "s/^/# /" COPYRIGHT])dnl

AC_DIVERT_POP()dnl

-AC_REVISION($Revision: 1.294.2.23.2.51 $)

+AC_REVISION($Revision: 1.294.2.23.2.51.4.3 $)

AC_INIT(lib/dns/name.c)

AC_PREREQ(2.13)

@@ -357,6 +357,7 @@ AC_C_BIGENDIAN

# was --with-openssl specified?

+OPENSSL_WARNING=

AC_MSG_CHECKING(for OpenSSL library)

AC_ARG_WITH(openssl,

[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path].

@@ -462,51 +463,38 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],

[AC_MSG_RESULT(assuming it does work on target platform)]

)

-# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may

-# have a patched library otherwise check that we are greater than

-# the fixed versions

- AC_CHECK_FUNC(OpenSSLDie,

+AC_ARG_ENABLE(openssl-version-check,

+[AC_HELP_STRING([--enable-openssl-version-check],

+ [Check OpenSSL Version @<:@default=yes@:>@])])

+case "$enable_openssl_version_check" in

+yes|'')

AC_MSG_CHECKING(OpenSSL library version)

AC_TRY_RUN([

#include <stdio.h>

#include <openssl/opensslv.h>

int main() {

- if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)

+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&

+ OPENSSL_VERSION_NUMBER < 0x009080000L) ||

+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)

return (0);

printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",

OPENSSL_VERSION_NUMBER);

- printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");

+ printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"

+ "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");

return (1);

}

-],

+ ],

[AC_MSG_RESULT(ok)],

[AC_MSG_RESULT(not compatible)

- AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],

+ OPENSSL_WARNING=yes

+ ],

[AC_MSG_RESULT(assuming target platform has compatible version)])

- ,

- AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)

- AC_MSG_CHECKING(OpenSSL library version)

- AC_TRY_RUN([

-#include <stdio.h>

-#include <openssl/opensslv.h>

-int main() {

- if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&

- OPENSSL_VERSION_NUMBER < 0x009070000L) ||

- OPENSSL_VERSION_NUMBER >= 0x00907003L)

- return (0);

- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",

- OPENSSL_VERSION_NUMBER);

- printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"

- "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");

- return (1);

-],

- [AC_MSG_RESULT(ok)],

- [AC_MSG_RESULT(not compatible)

- AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],

- [AC_MSG_RESULT(assuming target platform has compatible version)]))

+;;

+no)

+ AC_MSG_RESULT(Skipped OpenSSL version check)

+;;

+esac

AC_MSG_CHECKING(for OpenSSL DSA support)

if test -f $use_openssl/include/openssl/dsa.h

then

@@ -2116,6 +2104,30 @@ AC_OUTPUT(

)

chmod a+x isc-config.sh

+if test "X$OPENSSL_WARNING" != "X"; then

+cat << \EOF

+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

+WARNING WARNING

+WARNING Your OpenSSL crypto library may be vulnerable to WARNING

+WARNING one or more of the the following known security WARNING

+WARNING flaws: WARNING

+WARNING WARNING

+WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and WARNING

+WARNING CVE-2006-2940. WARNING

+WARNING WARNING

+WARNING It is recommended that you upgrade to OpenSSL WARNING

+WARNING version 0.9.8d/0.9.7l (or greater). WARNING

+WARNING WARNING

+WARNING You can disable this warning by specifying: WARNING

+WARNING WARNING

+WARNING --disable-openssl-version-check WARNING

+WARNING WARNING

+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

+EOF

+fi

# Tell Emacs to edit this file in shell mode.

# Local Variables:

# mode: sh

diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c
index 0d4426bfabef..f5530971dff1 100644
--- a/contrib/bind9/lib/dns/opensslrsa_link.c
+++ b/contrib/bind9/lib/dns/opensslrsa_link.c

@@ -1,5 +1,5 @@

* Permission to use, copy, modify, and distribute this software for any

@@ -17,7 +17,7 @@

* Principal Author: Brian Wellington

- * $Id: opensslrsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $

+ * $Id: opensslrsa_link.c,v 1.1.4.1.10.5 2006/10/11 03:58:50 marka Exp $

#ifdef OPENSSL

@@ -39,6 +39,22 @@

#include <openssl/err.h>

#include <openssl/objects.h>

#include <openssl/rsa.h>

+#if OPENSSL_VERSION_NUMBER > 0x00908000L

+#include <openssl/bn.h>

+#endif

+/*

+ * We don't use configure for windows so enforce the OpenSSL version

+ * here. Unlike with configure we don't support overriding this test.

+ */

+#ifdef WIN32

+#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \

+ OPENSSL_VERSION_NUMBER < 0x009080000L) || \

+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)

+#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.

+#endif

* XXXMPA Temporarially disable RSA_BLINDING as it requires

@@ -260,13 +276,47 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {

static isc_result_t

opensslrsa_generate(dst_key_t *key, int exp) {

+#if OPENSSL_VERSION_NUMBER > 0x00908000L

+ BN_GENCB cb;

+ RSA *rsa = RSA_new();

+ BIGNUM *e = BN_new();

+ if (rsa == NULL || e == NULL)

+ goto err;

+ if (exp == 0) {

+ /* RSA_F4 0x10001 */

+ BN_set_bit(e, 0);

+ BN_set_bit(e, 16);

+ } else {

+ /* F5 0x100000001 */

+ BN_set_bit(e, 0);

+ BN_set_bit(e, 32);

+ }

+ BN_GENCB_set_old(&cb, NULL, NULL);

+ if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {

+ BN_free(e);

+ SET_FLAGS(rsa);

+ key->opaque = rsa;

+ return (ISC_R_SUCCESS);

+ }

+ err:

+ if (e != NULL)

+ BN_free(e);

+ if (rsa != NULL)

+ RSA_free(rsa);

+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));

+#else

RSA *rsa;

unsigned long e;

if (exp == 0)

- e = RSA_3;

- else

e = RSA_F4;

+ else

+ e = 0x40000003;

rsa = RSA_generate_key(key->key_size, e, NULL, NULL);

if (rsa == NULL)

return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));

@@ -274,6 +324,7 @@ opensslrsa_generate(dst_key_t *key, int exp) {

key->opaque = rsa;

return (ISC_R_SUCCESS);

+#endif

}

static isc_boolean_t

diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
index 28779645a560..a5474f1ae020 100644
--- a/contrib/bind9/lib/dns/resolver.c
+++ b/contrib/bind9/lib/dns/resolver.c

@@ -1,5 +1,5 @@

* Permission to use, copy, modify, and distribute this software for any

@@ -15,7 +15,7 @@

* PERFORMANCE OF THIS SOFTWARE.

-/* $Id: resolver.c,v 1.218.2.18.4.56.4.1 2006/08/17 07:12:31 marka Exp $ */

+/* $Id: resolver.c,v 1.218.2.18.4.56.4.2 2006/10/04 07:06:02 marka Exp $ */

#include <config.h>

diff --git a/contrib/bind9/version b/contrib/bind9/version
index fe47241d0a83..a9b6ee535613 100644
--- a/contrib/bind9/version
+++ b/contrib/bind9/version

@@ -1,4 +1,4 @@

-# $Id: version,v 1.26.2.17.2.21.4.1 2006/08/17 07:12:31 marka Exp $

+# $Id: version,v 1.26.2.17.2.21.4.2 2006/10/04 07:00:13 marka Exp $

# This file must follow /bin/sh rules. It is imported directly via

# configure.

@@ -7,4 +7,4 @@ MAJORVER=9

MINORVER=3

PATCHVER=2

RELEASETYPE=-P

-RELEASEVER=1

+RELEASEVER=2