
2089.   [security]      Raise the minimum safe OpenSSL versions to
                        OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
                        prior to these have known security flaws which
                        are (potentially) exploitable in named. [RT #16391]

2088.   [security]      Change the default RSA exponent from 3 to 65537.
                        [RT #16391]
This commit is contained in:
Mark Andrews 2006-10-02 02:07:29 +00:00
parent fda0a03881
commit 3ab8af6cd7

246
configure vendored

@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# $Id: configure,v 1.400 2006/08/10 01:57:41 marka Exp $
# $Id: configure,v 1.401 2006/10/02 02:07:29 marka Exp $
#
# Portions Copyright (C) 1996-2001 Nominum, Inc.
#
@ -29,7 +29,7 @@
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# From configure.in Revision: 1.412 .
# From configure.in Revision: 1.413 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.59.
#
@ -1050,6 +1050,8 @@ if test -n "$ac_init_help"; then
Optional Features:
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-openssl-version-check
Check OpenSSL Version [default=yes]
--enable-threads enable multithreading
--enable-largefile 64-bit file support
--enable-shared[=PKGS]
@ -5383,158 +5385,14 @@ _ACEOF
fi
#
# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may
# have a patched library otherwise check that we are greater than
# the fixed versions
#
echo "$as_me:$LINENO: checking for OpenSSLDie" >&5
echo $ECHO_N "checking for OpenSSLDie... $ECHO_C" >&6
if test "${ac_cv_func_OpenSSLDie+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
/* Define OpenSSLDie to an innocuous variant, in case <limits.h> declares OpenSSLDie.
For example, HP-UX 11i <limits.h> declares gettimeofday. */
#define OpenSSLDie innocuous_OpenSSLDie
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char OpenSSLDie (); below.
Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
<limits.h> exists even on freestanding compilers. */
# Check whether --enable-openssl-version-check or --disable-openssl-version-check was given.
if test "${enable_openssl_version_check+set}" = set; then
enableval="$enable_openssl_version_check"
#ifdef __STDC__
# include <limits.h>
#else
# include <assert.h>
#endif
#undef OpenSSLDie
/* Override any gcc2 internal prototype to avoid an error. */
#ifdef __cplusplus
extern "C"
{
#endif
/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char OpenSSLDie ();
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
#if defined (__stub_OpenSSLDie) || defined (__stub___OpenSSLDie)
choke me
#else
char (*f) () = OpenSSLDie;
#endif
#ifdef __cplusplus
}
#endif
int
main ()
{
return f != OpenSSLDie;
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
(eval $ac_link) 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } &&
{ ac_try='test -z "$ac_c_werror_flag"
|| test ! -s conftest.err'
{ (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
(eval $ac_try) 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; } &&
{ ac_try='test -s conftest$ac_exeext'
{ (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
(eval $ac_try) 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
ac_cv_func_OpenSSLDie=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_cv_func_OpenSSLDie=no
fi
rm -f conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
fi
echo "$as_me:$LINENO: result: $ac_cv_func_OpenSSLDie" >&5
echo "${ECHO_T}$ac_cv_func_OpenSSLDie" >&6
if test $ac_cv_func_OpenSSLDie = yes; then
echo "$as_me:$LINENO: checking OpenSSL library version" >&5
echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6
if test "$cross_compiling" = yes; then
echo "$as_me:$LINENO: result: assuming target platform has compatible version" >&5
echo "${ECHO_T}assuming target platform has compatible version" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
return (1);
}
_ACEOF
rm -f conftest$ac_exeext
if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
(eval $ac_link) 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && { ac_try='./conftest$ac_exeext'
{ (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
(eval $ac_try) 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
echo "$as_me:$LINENO: result: ok" >&5
echo "${ECHO_T}ok" >&6
else
echo "$as_me: program exited with status $ac_status" >&5
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
( exit $ac_status )
echo "$as_me:$LINENO: result: not compatible" >&5
echo "${ECHO_T}not compatible" >&6
{ { echo "$as_me:$LINENO: error: you need OpenSSL 0.9.5a or newer" >&5
echo "$as_me: error: you need OpenSSL 0.9.5a or newer" >&2;}
{ (exit 1); exit 1; }; }
fi
rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
else
echo "$as_me:$LINENO: result: did not find fixes for CERT CA-2002-23" >&5
echo "${ECHO_T}did not find fixes for CERT CA-2002-23" >&6
fi;
case "$enable_openssl_version_check" in
yes|'')
echo "$as_me:$LINENO: checking OpenSSL library version" >&5
echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6
if test "$cross_compiling" = yes; then
@ -5551,14 +5409,14 @@ cat >>conftest.$ac_ext <<_ACEOF
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
OPENSSL_VERSION_NUMBER < 0x009070000L) ||
OPENSSL_VERSION_NUMBER >= 0x00907003L)
if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
OPENSSL_VERSION_NUMBER < 0x009080000L) ||
OPENSSL_VERSION_NUMBER >= 0x0090804fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
"Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
"Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
return (1);
}
@ -5584,13 +5442,25 @@ sed 's/^/| /' conftest.$ac_ext >&5
( exit $ac_status )
echo "$as_me:$LINENO: result: not compatible" >&5
echo "${ECHO_T}not compatible" >&6
{ { echo "$as_me:$LINENO: error: you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23" >&5
echo "$as_me: error: you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23" >&2;}
{ { echo "$as_me:$LINENO: error: you need OpenSSL 0.9.7k/0.9.8c (or newer) for:
CAN-2002-0659 and CAN-2006-4339
to skip this test specify: --disable-openssl-version-check
" >&5
echo "$as_me: error: you need OpenSSL 0.9.7k/0.9.8c (or newer) for:
CAN-2002-0659 and CAN-2006-4339
to skip this test specify: --disable-openssl-version-check
" >&2;}
{ (exit 1); exit 1; }; }
fi
rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
fi
;;
no)
echo "$as_me:$LINENO: result: Skipped OpenSSL version check" >&5
echo "${ECHO_T}Skipped OpenSSL version check" >&6
;;
esac
echo "$as_me:$LINENO: checking for OpenSSL DSA support" >&5
echo $ECHO_N "checking for OpenSSL DSA support... $ECHO_C" >&6
@ -8988,7 +8858,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
echo '#line 8991 "configure"' > conftest.$ac_ext
echo '#line 8861 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@ -9985,7 +9855,7 @@ fi
# Provide some information about the compiler.
echo "$as_me:9988:" \
echo "$as_me:9858:" \
"checking for Fortran 77 compiler version" >&5
ac_compiler=`set X $ac_compile; echo $2`
{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
@ -11046,11 +10916,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:11049: $lt_compile\"" >&5)
(eval echo "\"\$as_me:10919: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:11053: \$? = $ac_status" >&5
echo "$as_me:10923: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@ -11289,11 +11159,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:11292: $lt_compile\"" >&5)
(eval echo "\"\$as_me:11162: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:11296: \$? = $ac_status" >&5
echo "$as_me:11166: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@ -11349,11 +11219,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:11352: $lt_compile\"" >&5)
(eval echo "\"\$as_me:11222: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:11356: \$? = $ac_status" >&5
echo "$as_me:11226: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@ -13534,7 +13404,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 13537 "configure"
#line 13407 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@ -13632,7 +13502,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 13635 "configure"
#line 13505 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@ -15829,11 +15699,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:15832: $lt_compile\"" >&5)
(eval echo "\"\$as_me:15702: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:15836: \$? = $ac_status" >&5
echo "$as_me:15706: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@ -15889,11 +15759,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:15892: $lt_compile\"" >&5)
(eval echo "\"\$as_me:15762: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:15896: \$? = $ac_status" >&5
echo "$as_me:15766: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@ -17250,7 +17120,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 17253 "configure"
#line 17123 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@ -17348,7 +17218,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 17351 "configure"
#line 17221 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@ -18185,11 +18055,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:18188: $lt_compile\"" >&5)
(eval echo "\"\$as_me:18058: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:18192: \$? = $ac_status" >&5
echo "$as_me:18062: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@ -18245,11 +18115,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:18248: $lt_compile\"" >&5)
(eval echo "\"\$as_me:18118: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:18252: \$? = $ac_status" >&5
echo "$as_me:18122: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@ -20284,11 +20154,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:20287: $lt_compile\"" >&5)
(eval echo "\"\$as_me:20157: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:20291: \$? = $ac_status" >&5
echo "$as_me:20161: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@ -20527,11 +20397,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:20530: $lt_compile\"" >&5)
(eval echo "\"\$as_me:20400: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:20534: \$? = $ac_status" >&5
echo "$as_me:20404: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@ -20587,11 +20457,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:20590: $lt_compile\"" >&5)
(eval echo "\"\$as_me:20460: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:20594: \$? = $ac_status" >&5
echo "$as_me:20464: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@ -22772,7 +22642,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 22775 "configure"
#line 22645 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@ -22870,7 +22740,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 22873 "configure"
#line 22743 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H