79 lines
1.6 KiB
Diff
79 lines
1.6 KiB
Diff
|
|
Security Fixes (BIND 9.3.2-P2):
|
|
|
|
Change the default RSA exponent from 3 to 65537 which is
|
|
not vulnerable to the attacks described in CVE-2006-4339.
|
|
|
|
Index: lib/dns/opensslrsa_link.c
|
|
--- lib/dns/opensslrsa_link.c.orig 2004-12-09 05:07:18 +0100
|
|
+++ lib/dns/opensslrsa_link.c 2006-11-04 09:58:32 +0100
|
|
@@ -39,6 +39,9 @@
|
|
#include <openssl/err.h>
|
|
#include <openssl/objects.h>
|
|
#include <openssl/rsa.h>
|
|
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
|
|
+#include <openssl/bn.h>
|
|
+#endif
|
|
|
|
/*
|
|
* XXXMPA Temporarially disable RSA_BLINDING as it requires
|
|
@@ -260,13 +263,47 @@
|
|
|
|
static isc_result_t
|
|
opensslrsa_generate(dst_key_t *key, int exp) {
|
|
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
|
|
+ BN_GENCB cb;
|
|
+ RSA *rsa = RSA_new();
|
|
+ BIGNUM *e = BN_new();
|
|
+
|
|
+ if (rsa == NULL || e == NULL)
|
|
+ goto err;
|
|
+
|
|
+ if (exp == 0) {
|
|
+ /* RSA_F4 0x10001 */
|
|
+ BN_set_bit(e, 0);
|
|
+ BN_set_bit(e, 16);
|
|
+ } else {
|
|
+ /* F5 0x100000001 */
|
|
+ BN_set_bit(e, 0);
|
|
+ BN_set_bit(e, 32);
|
|
+ }
|
|
+
|
|
+ BN_GENCB_set_old(&cb, NULL, NULL);
|
|
+
|
|
+ if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
|
|
+ BN_free(e);
|
|
+ SET_FLAGS(rsa);
|
|
+ key->opaque = rsa;
|
|
+ return (ISC_R_SUCCESS);
|
|
+ }
|
|
+
|
|
+ err:
|
|
+ if (e != NULL)
|
|
+ BN_free(e);
|
|
+ if (rsa != NULL)
|
|
+ RSA_free(rsa);
|
|
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
+#else
|
|
RSA *rsa;
|
|
unsigned long e;
|
|
|
|
if (exp == 0)
|
|
- e = RSA_3;
|
|
- else
|
|
e = RSA_F4;
|
|
+ else
|
|
+ e = 0x40000003;
|
|
rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
|
|
if (rsa == NULL)
|
|
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
@@ -274,6 +311,7 @@
|
|
key->opaque = rsa;
|
|
|
|
return (ISC_R_SUCCESS);
|
|
+#endif
|
|
}
|
|
|
|
static isc_boolean_t
|
|
|