From 886cd55aa720deb7e75eeede1292cfd54f7d995a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 8 Aug 2002 06:39:32 +0000 Subject: [PATCH] 1356. [security] Support patches OpenSSL libraries. http://www.cert.org/advisories/CA-2002-23.html --- CHANGES | 3 +++ configure.in | 39 ++++++++++++++++++++++++++++++++------- 2 files changed, 35 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index d70d4aabcb..3837a90dad 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ 1357. [bug] --enable-libbind would fail when not built in the source tree for certain OS's. +1356. [security] Support patches OpenSSL libraries. + http://www.cert.org/advisories/CA-2002-23.html + 1355. [bug] It was possible to trigger a INSIST when debugging large dynamic updates. [RT #3390] diff --git a/configure.in b/configure.in index d4f5ce73e5..bb56f52868 100644 --- a/configure.in +++ b/configure.in @@ -13,7 +13,7 @@ # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.294.2.14 $) +AC_REVISION($Revision: 1.294.2.15 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.13) 
@@ -350,26 +350,51 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)], [AC_MSG_RESULT(assuming it does work on target platform)] ) - - - +# +# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may +# have a patched library otherwise check that we are greater than +# the fixed versions +# + AC_CHECK_FUNC(OpenSSLDie, AC_MSG_CHECKING(OpenSSL library version) AC_TRY_RUN([ #include #include int main() { - if (OPENSSL_VERSION_NUMBER >= 0x0090605fL) + if (OPENSSL_VERSION_NUMBER >= 0x0090581fL) return (0); printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", OPENSSL_VERSION_NUMBER); - printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater\n\n"); + printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n"); return (1); } ], [AC_MSG_RESULT(ok)], [AC_MSG_RESULT(not compatible) - AC_MSG_ERROR(you need OpenSSL 0.9.6e or newer)], + AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)], [AC_MSG_RESULT(assuming target platform has compatible version)]) + , + AC_MSG_RESULT(did not find fixes for CERT CA-2002-23) + AC_MSG_CHECKING(OpenSSL library version) + AC_TRY_RUN([ +#include +#include +int main() { + if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL && + OPENSSL_VERSION_NUMBER < 0x009070000L) || + OPENSSL_VERSION_NUMBER >= 0x00907003L) + return (0); + printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", + OPENSSL_VERSION_NUMBER); + printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n" + "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n"); + return (1); +} +], + [AC_MSG_RESULT(ok)], + [AC_MSG_RESULT(not compatible) + AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)], + [AC_MSG_RESULT(assuming target platform has compatible version)])) CFLAGS="$saved_cflags" LIBS="$saved_libs" ;;
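Review bot: In the fallback test that runs when `OpenSSLDie` is not found, the upper bound `0x009070000L` has nine hex digits, so it is 0x9070000 rather than the start of the 0.9.7 range. The first clause therefore accepts every value from 0x0090605f upward, including 0.9.7 pre-releases numbered below 0x00907003, and the third comparison never excludes anything. A 0.9.7 library older than the fixed one named in the error message would pass the CA-2002-23 gate; the line should read `OPENSSL_VERSION_NUMBER < 0x00907000L) ||`. The new comment also says "CERT CS-2002-23" and "we have may have", where `# OpenSSLDie is new with CERT CA-2002-23. If we see it we may have a patched library;` matches the advisory cited in the messages. The cross-compile branch still only prints "assuming target platform has compatible version", so the advisory check is not enforced there.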