From 3ab8af6cd765999dbf5f0abcc24d7cd3f90a808d Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 2 Oct 2006 02:07:29 +0000
Subject: [PATCH] 2089. [security] Raise the minimum safe OpenSSL versions to OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions prior to these have known security flaws which are (potentially) exploitable in named. [RT #16391]
2088. [security] Change the default RSA exponent from 3 to 65537. [RT #16391]
---
configure | 246 +++++++++++++-----------------------------------------
1 file changed, 58 insertions(+), 188 deletions(-)
diff --git a/configure b/configure
index be9c2a2a2e..be4c0022a5 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
-# $Id: configure,v 1.400 2006/08/10 01:57:41 marka Exp $
+# $Id: configure,v 1.401 2006/10/02 02:07:29 marka Exp $
#
# Portions Copyright (C) 1996-2001 Nominum, Inc.
#
@@ -29,7 +29,7 @@
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.412 .
+# From configure.in Revision: 1.413 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.59.
#
@@ -1050,6 +1050,8 @@ if test -n "$ac_init_help"; then
Optional Features:
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
+ --enable-openssl-version-check
+ Check OpenSSL Version [default=yes]
--enable-threads enable multithreading
--enable-largefile 64-bit file support
--enable-shared[=PKGS] 
@@ -5383,158 +5385,14 @@ _ACEOF fi -# -# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may -# have a patched library otherwise check that we are greater than -# the fixed versions -# - echo "$as_me:$LINENO: checking for OpenSSLDie" >&5 -echo $ECHO_N "checking for OpenSSLDie... $ECHO_C" >&6 -if test "${ac_cv_func_OpenSSLDie+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Define OpenSSLDie to an innocuous variant, in case declares OpenSSLDie. - For example, HP-UX 11i declares gettimeofday. */ -#define OpenSSLDie innocuous_OpenSSLDie -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char OpenSSLDie (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ +# Check whether --enable-openssl-version-check or --disable-openssl-version-check was given. +if test "${enable_openssl_version_check+set}" = set; then + enableval="$enable_openssl_version_check" -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef OpenSSLDie - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -{ -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char OpenSSLDie (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_OpenSSLDie) || defined (__stub___OpenSSLDie) -choke me -#else -char (*f) () = OpenSSLDie; -#endif -#ifdef __cplusplus -} -#endif - -int -main () -{ -return f != OpenSSLDie; - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_func_OpenSSLDie=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -ac_cv_func_OpenSSLDie=no -fi -rm -f conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:$LINENO: result: $ac_cv_func_OpenSSLDie" >&5 -echo "${ECHO_T}$ac_cv_func_OpenSSLDie" >&6 -if test $ac_cv_func_OpenSSLDie = yes; then - echo "$as_me:$LINENO: checking OpenSSL library version" >&5 -echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6 - if test "$cross_compiling" = yes; then - echo "$as_me:$LINENO: result: assuming target platform has compatible version" >&5 -echo "${ECHO_T}assuming target platform has compatible version" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ - -#include -#include -int main() { - if (OPENSSL_VERSION_NUMBER >= 0x0090581fL) - return (0); - printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", - OPENSSL_VERSION_NUMBER); - printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n"); - return (1); -} - -_ACEOF -rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - echo "$as_me:$LINENO: result: ok" >&5 -echo "${ECHO_T}ok" >&6 -else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -( exit $ac_status ) -echo "$as_me:$LINENO: result: not compatible" >&5 -echo "${ECHO_T}not compatible" >&6 - { { echo "$as_me:$LINENO: error: you need OpenSSL 0.9.5a or newer" >&5 -echo "$as_me: error: you need OpenSSL 0.9.5a or newer" >&2;} - { (exit 1); exit 1; }; } -fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - -else - echo "$as_me:$LINENO: result: did not find fixes for CERT CA-2002-23" >&5 -echo "${ECHO_T}did not find fixes for CERT CA-2002-23" >&6 +fi; +case "$enable_openssl_version_check" in +yes|'') echo "$as_me:$LINENO: checking OpenSSL library version" >&5 echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6 if test "$cross_compiling" = yes; then 
@@ -5551,14 +5409,14 @@ cat >>conftest.$ac_ext <<_ACEOF
#include
#include
int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
- OPENSSL_VERSION_NUMBER < 0x009070000L) ||
- OPENSSL_VERSION_NUMBER >= 0x00907003L)
+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+ OPENSSL_VERSION_NUMBER < 0x009080000L) ||
+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
- "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
+ printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+ "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
return (1);
}
@@ -5584,13 +5442,25 @@ sed 's/^/| /' conftest.$ac_ext >&5
( exit $ac_status )
echo "$as_me:$LINENO: result: not compatible" >&5
echo "${ECHO_T}not compatible" >&6
- { { echo "$as_me:$LINENO: error: you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23" >&5
-echo "$as_me: error: you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23" >&2;}
+ { { echo "$as_me:$LINENO: error: you need OpenSSL 0.9.7k/0.9.8c (or newer) for:
+CAN-2002-0659 and CAN-2006-4339
+to skip this test specify: --disable-openssl-version-check
+" >&5
+echo "$as_me: error: you need OpenSSL 0.9.7k/0.9.8c (or newer) for:
+CAN-2002-0659 and CAN-2006-4339
+to skip this test specify: --disable-openssl-version-check
+" >&2;}
{ (exit 1); exit 1; }; }
+
fi
rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
-fi
+;;
+no)
+ echo "$as_me:$LINENO: result: Skipped OpenSSL version check" >&5
+echo "${ECHO_T}Skipped OpenSSL version check" >&6
+;;
+esac
echo "$as_me:$LINENO: checking for OpenSSL DSA support" >&5
echo $ECHO_N "checking for OpenSSL DSA support... $ECHO_C" >&6 
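Review bot: The upper bound of the 0.9.7 branch, `OPENSSL_VERSION_NUMBER < 0x009080000L`, has nine hex digits (0x9080000), far above any 0.9.x version number, so the first disjunct accepts every library from 0.9.7l upward — including 0.9.8 through 0.9.8c (0x0090800f–0x0090803f), which the `>= 0x0090804fL` term was meant to exclude. The removed line carried the same extra zero (`0x009070000L`), so the slip predates this commit, but the commit tightens the policy and depends on this constant being right: it should read `OPENSSL_VERSION_NUMBER < 0x00908000L) ||`. A one-line comment above the `if` naming the two accepted ranges (0.9.7l up to but excluding 0.9.8, and 0.9.8d or later) would let the constants be checked by eye next time they are bumped. The `if test "$cross_compiling"` block that wraps this test program starts and ends outside the hunk.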
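Review bot: The new error text says `you need OpenSSL 0.9.7k/0.9.8c (or newer)`, but the test it explains (previous hunk) rejects everything below 0x009070cf (0.9.7l) and 0x0090804f (0.9.8d), and the commit title gives 0.9.7l/0.9.8d; a user on 0.9.7k or 0.9.8c will follow the message and fail again. Both `echo` lines should read `error: you need OpenSSL 0.9.7l/0.9.8d (or newer) for:`. Separately, the `case` has only `yes|'')` and `no)` arms, so any other value passed to --enable-openssl-version-check skips the check without even the "Skipped OpenSSL version check" result line; a `*)` arm that either runs the check or rejects the value would keep skipping a security check an explicit, logged decision. The `case` statement itself begins in the previous hunk.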
@@ -8988,7 +8858,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8991 "configure"' > conftest.$ac_ext + echo '#line 8861 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9985,7 +9855,7 @@ fi # Provide some information about the compiler. -echo "$as_me:9988:" \ +echo "$as_me:9858:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 @@ -11046,11 +10916,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11049: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10919: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:11053: \$? = $ac_status" >&5 + echo "$as_me:10923: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -11289,11 +11159,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11292: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11162: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:11296: \$? = $ac_status" >&5 + echo "$as_me:11166: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -11349,11 +11219,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11352: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11222: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:11356: \$? = $ac_status" >&5 + echo "$as_me:11226: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13534,7 +13404,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:15702: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15836: \$? = $ac_status" >&5 + echo "$as_me:15706: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -15889,11 +15759,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15892: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15762: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15896: \$? = $ac_status" >&5 + echo "$as_me:15766: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -17250,7 +17120,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:18058: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:18192: \$? = $ac_status" >&5 + echo "$as_me:18062: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -18245,11 +18115,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:18248: $lt_compile\"" >&5) + (eval echo "\"\$as_me:18118: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:18252: \$? = $ac_status" >&5 + echo "$as_me:18122: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -20284,11 +20154,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20287: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20157: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:20291: \$? = $ac_status" >&5 + echo "$as_me:20161: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -20527,11 +20397,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20530: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20400: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:20534: \$? = $ac_status" >&5 + echo "$as_me:20404: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -20587,11 +20457,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:20590: $lt_compile\"" >&5) + (eval echo "\"\$as_me:20460: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:20594: \$? = $ac_status" >&5 + echo "$as_me:20464: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -22772,7 +22642,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <