esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.412 $)
+AC_REVISION($Revision: 1.413 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
AC_CHECK_FUNC(DSA_generate_parameters,
AC_DEFINE(HAVE_DSA_GENERATE_PARAMETERS, 1,
[Define if libcrypto has DSA_generate_parameters]))
-#
-# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may
-# have a patched library otherwise check that we are greater than
-# the fixed versions
-#
- AC_CHECK_FUNC(OpenSSLDie,
+
+AC_ARG_ENABLE(openssl-version-check,
+[AC_HELP_STRING([--enable-openssl-version-check],
+ [Check OpenSSL Version @<:@default=yes@:>@])])
+case "$enable_openssl_version_check" in
+yes|'')
AC_MSG_CHECKING(OpenSSL library version)
AC_TRY_RUN([
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
- if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+ OPENSSL_VERSION_NUMBER < 0x009080000L) ||
+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
+ printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+ "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
return (1);
}
],
[AC_MSG_RESULT(ok)],
[AC_MSG_RESULT(not compatible)
- AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],
- [AC_MSG_RESULT(assuming target platform has compatible version)])
- ,
- AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)
- AC_MSG_CHECKING(OpenSSL library version)
- AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
- OPENSSL_VERSION_NUMBER < 0x009070000L) ||
- OPENSSL_VERSION_NUMBER >= 0x00907003L)
- return (0);
- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
- "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
- return (1);
-}
+ AC_MSG_ERROR(
+[you need OpenSSL 0.9.7k/0.9.8c (or newer) for:
+CAN-2002-0659 and CAN-2006-4339
+to skip this test specify: --disable-openssl-version-check]
+)
],
- [AC_MSG_RESULT(ok)],
- [AC_MSG_RESULT(not compatible)
- AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],
- [AC_MSG_RESULT(assuming target platform has compatible version)]))
+ [AC_MSG_RESULT(assuming target platform has compatible version)])
+;;
+no)
+ AC_MSG_RESULT(Skipped OpenSSL version check)
+;;
+esac
+
AC_MSG_CHECKING(for OpenSSL DSA support)
if test -f $use_openssl/include/openssl/dsa.h
then
/*
* Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.7 2006/03/02 00:37:23 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.8 2006/10/02 01:44:27 marka Exp $
*/
#ifdef OPENSSL
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+#include <openssl/bn.h>
+#endif
/*
* XXXMPA Temporarially disable RSA_BLINDING as it requires
return (ISC_TRUE);
}
-#ifndef HAVE_RSA_GENERATE_KEY
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-static RSA *
-RSA_generate_key(int bits, unsigned long e_value,
- void (*callback)(int,int,void *), void *cb_arg)
-{
+static isc_result_t
+opensslrsa_generate(dst_key_t *key, int exp) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
BN_GENCB cb;
- size_t i;
RSA *rsa = RSA_new();
BIGNUM *e = BN_new();
if (rsa == NULL || e == NULL)
goto err;
- /* The problem is when building with 8, 16, or 32 BN_ULONG,
- * unsigned long can be larger */
- for (i = 0; i < sizeof(unsigned long) * 8; i++) {
- if ((e_value & (1UL<<i)) != 0)
- BN_set_bit(e, i);
+ if (exp == 0) {
+ /* RSA_F4 0x10001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 16);
+ } else {
+ /* 0x40000003 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 1);
+ BN_set_bit(e, 30);
}
- BN_GENCB_set_old(&cb, callback, cb_arg);
+ BN_GENCB_set_old(&cb, NULL, NULL);
- if (RSA_generate_key_ex(rsa, bits, e, &cb)) {
+ if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
BN_free(e);
- return (rsa);
+ SET_FLAGS(rsa);
+ key->opaque = rsa;
+ return (ISC_R_SUCCESS);
}
+
err:
if (e != NULL)
BN_free(e);
if (rsa != NULL)
RSA_free(rsa);
- return (NULL);
-}
-#endif
-
-static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp) {
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
RSA *rsa;
unsigned long e;
if (exp == 0)
- e = RSA_3;
+ e = RSA_F4;
else
- e = RSA_F4;
+ e = 0x40000003;
rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
if (rsa == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
SET_FLAGS(rsa);
key->opaque = rsa;
return (ISC_R_SUCCESS);
+#endif
}
static isc_boolean_t
projects / thirdparty / bind9.git / commitdiff
