Commit fda0a038 authored by Mark Andrews's avatar Mark Andrews
Browse files

2089. [security] Raise the minimum safe OpenSSL versions to

                        OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
                        prior to these have known security flaws which
                        are (potentially) exploitable in named. [RT #16391]

2088.   [security]      Change the default RSA exponent from 3 to 65537.
                        [RT #16391]
parent 53d36799
2089. [security] Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
prior to these have known security flaws which
are (potentially) exploitable in named. [RT #16391]
2088. [security] Change the default RSA exponent from 3 to 65537.
[RT #16391]
2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
[RT #16382]
......
......@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
AC_REVISION($Revision: 1.412 $)
AC_REVISION($Revision: 1.413 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
......@@ -483,51 +483,43 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
AC_CHECK_FUNC(DSA_generate_parameters,
AC_DEFINE(HAVE_DSA_GENERATE_PARAMETERS, 1,
[Define if libcrypto has DSA_generate_parameters]))
#
# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may
# have a patched library otherwise check that we are greater than
# the fixed versions
#
AC_CHECK_FUNC(OpenSSLDie,
AC_ARG_ENABLE(openssl-version-check,
[AC_HELP_STRING([--enable-openssl-version-check],
[Check OpenSSL Version @<:@default=yes@:>@])])
case "$enable_openssl_version_check" in
yes|'')
AC_MSG_CHECKING(OpenSSL library version)
AC_TRY_RUN([
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
OPENSSL_VERSION_NUMBER < 0x009080000L) ||
OPENSSL_VERSION_NUMBER >= 0x0090804fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
"Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
return (1);
}
],
[AC_MSG_RESULT(ok)],
[AC_MSG_RESULT(not compatible)
AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],
[AC_MSG_RESULT(assuming target platform has compatible version)])
,
AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)
AC_MSG_CHECKING(OpenSSL library version)
AC_TRY_RUN([
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
OPENSSL_VERSION_NUMBER < 0x009070000L) ||
OPENSSL_VERSION_NUMBER >= 0x00907003L)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
"Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
return (1);
}
AC_MSG_ERROR(
[you need OpenSSL 0.9.7k/0.9.8c (or newer) for:
CAN-2002-0659 and CAN-2006-4339
to skip this test specify: --disable-openssl-version-check]
)
],
[AC_MSG_RESULT(ok)],
[AC_MSG_RESULT(not compatible)
AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],
[AC_MSG_RESULT(assuming target platform has compatible version)]))
[AC_MSG_RESULT(assuming target platform has compatible version)])
;;
no)
AC_MSG_RESULT(Skipped OpenSSL version check)
;;
esac
AC_MSG_CHECKING(for OpenSSL DSA support)
if test -f $use_openssl/include/openssl/dsa.h
then
......
......@@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
* $Id: opensslrsa_link.c,v 1.7 2006/03/02 00:37:23 marka Exp $
* $Id: opensslrsa_link.c,v 1.8 2006/10/02 01:44:27 marka Exp $
*/
#ifdef OPENSSL
......@@ -39,6 +39,9 @@
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#if OPENSSL_VERSION_NUMBER > 0x00908000L
#include <openssl/bn.h>
#endif
/*
* XXXMPA Temporarially disable RSA_BLINDING as it requires
......@@ -268,103 +271,50 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
return (ISC_TRUE);
}
#ifndef HAVE_RSA_GENERATE_KEY
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
static RSA *
RSA_generate_key(int bits, unsigned long e_value,
void (*callback)(int,int,void *), void *cb_arg)
{
static isc_result_t
opensslrsa_generate(dst_key_t *key, int exp) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
BN_GENCB cb;
size_t i;
RSA *rsa = RSA_new();
BIGNUM *e = BN_new();
if (rsa == NULL || e == NULL)
goto err;
/* The problem is when building with 8, 16, or 32 BN_ULONG,
* unsigned long can be larger */
for (i = 0; i < sizeof(unsigned long) * 8; i++) {
if ((e_value & (1UL<<i)) != 0)
BN_set_bit(e, i);
if (exp == 0) {
/* RSA_F4 0x10001 */
BN_set_bit(e, 0);
BN_set_bit(e, 16);
} else {
/* 0x40000003 */
BN_set_bit(e, 0);
BN_set_bit(e, 1);
BN_set_bit(e, 30);
}
BN_GENCB_set_old(&cb, callback, cb_arg);
BN_GENCB_set_old(&cb, NULL, NULL);
if (RSA_generate_key_ex(rsa, bits, e, &cb)) {
if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
BN_free(e);
return (rsa);
SET_FLAGS(rsa);
key->opaque = rsa;
return (ISC_R_SUCCESS);
}
err:
if (e != NULL)
BN_free(e);
if (rsa != NULL)
RSA_free(rsa);
return (NULL);
}
#endif
static isc_result_t
opensslrsa_generate(dst_key_t *key, int exp) {
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
#else
RSA *rsa;
unsigned long e;
if (exp == 0)
e = RSA_3;
else
e = RSA_F4;
else
e = 0x40000003;
rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
if (rsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
......@@ -372,6 +322,7 @@ opensslrsa_generate(dst_key_t *key, int exp) {
key->opaque = rsa;
return (ISC_R_SUCCESS);
#endif
}
static isc_boolean_t
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment