diff options
author | dougb <dougb@FreeBSD.org> | 2006-11-04 07:53:25 +0000 |
---|---|---|
committer | dougb <dougb@FreeBSD.org> | 2006-11-04 07:53:25 +0000 |
commit | 4a3a088a0b6ffaf0dd6b740dbe537d5a082825d5 (patch) | |
tree | 3043007b955457643a8aaf7cdf24ff1224d3f8e4 /contrib/bind9/lib | |
parent | f79340e225254aa582cac2fa090d84f8f8958755 (diff) | |
download | FreeBSD-src-4a3a088a0b6ffaf0dd6b740dbe537d5a082825d5.zip FreeBSD-src-4a3a088a0b6ffaf0dd6b740dbe537d5a082825d5.tar.gz |
Update to version 9.3.2-P2, which addresses the vulnerability
announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list on 2 November):
Description:
Because of OpenSSL's recently announced vulnerabilities
(CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
we are announcing this workaround and releasing patches. A proof of
concept attack on OpenSSL has been demonstrated for CAN-2006-4339.
OpenSSL is required to use DNSSEC with BIND.
Fix for version 9.3.2-P1 and lower:
Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and
RSAMD5 keys for all old keys using the old default exponent
and perform a key rollover to these new keys.
These versions also change the default RSA exponent to be
65537 which is not vulnerable to the attacks described in
CAN-2006-4339.
Diffstat (limited to 'contrib/bind9/lib')
-rw-r--r-- | contrib/bind9/lib/dns/opensslrsa_link.c | 59 | ||||
-rw-r--r-- | contrib/bind9/lib/dns/resolver.c | 4 |
2 files changed, 57 insertions, 6 deletions
diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c index 0d4426b..f553097 100644 --- a/contrib/bind9/lib/dns/opensslrsa_link.c +++ b/contrib/bind9/lib/dns/opensslrsa_link.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -17,7 +17,7 @@ /* * Principal Author: Brian Wellington - * $Id: opensslrsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $ + * $Id: opensslrsa_link.c,v 1.1.4.1.10.5 2006/10/11 03:58:50 marka Exp $ */ #ifdef OPENSSL @@ -39,6 +39,22 @@ #include <openssl/err.h> #include <openssl/objects.h> #include <openssl/rsa.h> +#if OPENSSL_VERSION_NUMBER > 0x00908000L +#include <openssl/bn.h> +#endif + +/* + * We don't use configure for windows so enforce the OpenSSL version + * here. Unlike with configure we don't support overriding this test. + */ +#ifdef WIN32 +#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \ + OPENSSL_VERSION_NUMBER < 0x009080000L) || \ + OPENSSL_VERSION_NUMBER >= 0x0090804fL) +#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater. +#endif +#endif + /* * XXXMPA Temporarially disable RSA_BLINDING as it requires @@ -260,13 +276,47 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { static isc_result_t opensslrsa_generate(dst_key_t *key, int exp) { +#if OPENSSL_VERSION_NUMBER > 0x00908000L + BN_GENCB cb; + RSA *rsa = RSA_new(); + BIGNUM *e = BN_new(); + + if (rsa == NULL || e == NULL) + goto err; + + if (exp == 0) { + /* RSA_F4 0x10001 */ + BN_set_bit(e, 0); + BN_set_bit(e, 16); + } else { + /* F5 0x100000001 */ + BN_set_bit(e, 0); + BN_set_bit(e, 32); + } + + BN_GENCB_set_old(&cb, NULL, NULL); + + if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) { + BN_free(e); + SET_FLAGS(rsa); + key->opaque = rsa; + return (ISC_R_SUCCESS); + } + + err: + if (e != NULL) + BN_free(e); + if (rsa != NULL) + RSA_free(rsa); + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +#else RSA *rsa; unsigned long e; if (exp == 0) - e = RSA_3; - else e = RSA_F4; + else + e = 0x40000003; rsa = RSA_generate_key(key->key_size, e, NULL, NULL); if (rsa == NULL) return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -274,6 +324,7 @@ opensslrsa_generate(dst_key_t *key, int exp) { key->opaque = rsa; return (ISC_R_SUCCESS); +#endif } static isc_boolean_t diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c index 2877964..a5474f1 100644 --- a/contrib/bind9/lib/dns/resolver.c +++ b/contrib/bind9/lib/dns/resolver.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.218.2.18.4.56.4.1 2006/08/17 07:12:31 marka Exp $ */ +/* $Id: resolver.c,v 1.218.2.18.4.56.4.2 2006/10/04 07:06:02 marka Exp $ */ #include <config.h> |