-rw-r--r-- | ChangeLog | 16 | ||||
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | resolv/arpa/nameser.h | 105 | ||||
-rw-r--r-- | resolv/ns_print.c | 198 | ||||
-rw-r--r-- | resolv/res_debug.c | 18 |
5 files changed, 23 insertions, 320 deletions
@@ -1,5 +1,21 @@ 2016-09-21 Florian Weimer <fweimer@redhat.com> + [BZ #20591] + Remove obsolete DNSSEC support. + * resolv/arpa/nameser.h (ns_key_types, NS_KEY_*, NS_ALG_*) + (NS_MD5_RSA_*, NS_DSA_*, NS_NXT_*, ns_sign, ns_sign2, ns_sign_tcp) + (ns_sign_tcp2, ns_sign_tcp_init, ns_find_tsig, ns_verify) + (ns_verify_tcp, ns_verify_tcp_init): Remove. + (ns_cert_types): Add comment. + * resolv/ns_print.c (ns_sprintrrf): Do not handle DNSSEC records + separately. + (KEY_RSA, KEY_HMAC_MD5, dst_s_id_calc, dst_s_get_int16) + (dst_s_dns_key_id): Remove. + * resolv/res_debug.c (__p_key_syms, __p_cert_syms): Remove unused + variables. + +2016-09-21 Florian Weimer <fweimer@redhat.com> + [BZ #20524] * manual/string.texi (String/Array Comparison): Clarify the strverscmp behavior. @@ -44,6 +44,12 @@ Version 2.25 for the Linux quota interface which predates kernel version 2.4.22 has been removed. +* DNSSEC-related declarations and definitions have been removed from the + <arpa/nameser.h> header file, and libresolv will no longer attempt to + decode the data part of DNSSEC record types. Previous versions of glibc + only implemented minimal support for the previous version of DNSSEC, which + is incompatible with the currently deployed version. + Security related changes: On ARM EABI (32-bit), generating a backtrace for execution contexts which diff --git a/resolv/arpa/nameser.h b/resolv/arpa/nameser.h index 04f8844..cdbec23 100644 --- a/resolv/arpa/nameser.h +++ b/resolv/arpa/nameser.h 
@@ -326,15 +326,7 @@ typedef enum __ns_class {
 ns_c_max = 65536
 } ns_class;
 
-/* DNSSEC constants. */
-
-typedef enum __ns_key_types {
- ns_kt_rsa = 1, /*%< key type RSA/MD5 */
- ns_kt_dh = 2, /*%< Diffie Hellman */
- ns_kt_dsa = 3, /*%< Digital Signature Standard (MANDATORY) */
- ns_kt_private = 254 /*%< Private key type starts with OID */
-} ns_key_types;
-
+/* Certificate type values in CERT resource records. */
 typedef enum __ns_cert_types {
 cert_t_pkix = 1, /*%< PKIX (X.509v3) */
 cert_t_spki = 2, /*%< SPKI */
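Review bot: The new comment on ns_cert_types should state why this enum survives a change that deletes every other key/signature definition in the header and where its values come from, otherwise a reader will assume it was simply missed by the DNSSEC purge. Suggested wording: `/* Certificate type values in CERT resource records (RFC 4398).  CERT is not a DNSSEC record type, so this enum is kept and ns_sprintrrf still decodes it. */`. The values shown here (1, 2, and 254 further down) match the PKIX, SPKI and OID assignments in that RFC, and the retained `case ns_t_cert:` in ns_print.c is visible later in this diff. The enum definition continues past the end of this hunk.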
@@ -343,82 +335,6 @@ typedef enum __ns_cert_types { cert_t_oid = 254 /*%< OID private type */ } ns_cert_types; -/* Flags field of the KEY RR rdata. */ -#define NS_KEY_TYPEMASK 0xC000 /*%< Mask for "type" bits */ -#define NS_KEY_TYPE_AUTH_CONF 0x0000 /*%< Key usable for both */ -#define NS_KEY_TYPE_CONF_ONLY 0x8000 /*%< Key usable for confidentiality */ -#define NS_KEY_TYPE_AUTH_ONLY 0x4000 /*%< Key usable for authentication */ -#define NS_KEY_TYPE_NO_KEY 0xC000 /*%< No key usable for either; no key */ -/* The type bits can also be interpreted independently, as single bits: */ -#define NS_KEY_NO_AUTH 0x8000 /*%< Key unusable for authentication */ -#define NS_KEY_NO_CONF 0x4000 /*%< Key unusable for confidentiality */ -#define NS_KEY_RESERVED2 0x2000 /* Security is *mandatory* if bit=0 */ -#define NS_KEY_EXTENDED_FLAGS 0x1000 /*%< reserved - must be zero */ -#define NS_KEY_RESERVED4 0x0800 /*%< reserved - must be zero */ -#define NS_KEY_RESERVED5 0x0400 /*%< reserved - must be zero */ -#define NS_KEY_NAME_TYPE 0x0300 /*%< these bits determine the type */ -#define NS_KEY_NAME_USER 0x0000 /*%< key is assoc. with user */ -#define NS_KEY_NAME_ENTITY 0x0200 /*%< key is assoc. 
with entity eg host */ -#define NS_KEY_NAME_ZONE 0x0100 /*%< key is zone key */ -#define NS_KEY_NAME_RESERVED 0x0300 /*%< reserved meaning */ -#define NS_KEY_RESERVED8 0x0080 /*%< reserved - must be zero */ -#define NS_KEY_RESERVED9 0x0040 /*%< reserved - must be zero */ -#define NS_KEY_RESERVED10 0x0020 /*%< reserved - must be zero */ -#define NS_KEY_RESERVED11 0x0010 /*%< reserved - must be zero */ -#define NS_KEY_SIGNATORYMASK 0x000F /*%< key can sign RR's of same name */ -#define NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \ - NS_KEY_RESERVED4 | \ - NS_KEY_RESERVED5 | \ - NS_KEY_RESERVED8 | \ - NS_KEY_RESERVED9 | \ - NS_KEY_RESERVED10 | \ - NS_KEY_RESERVED11 ) -#define NS_KEY_RESERVED_BITMASK2 0xFFFF /*%< no bits defined here */ -/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */ -#define NS_ALG_MD5RSA 1 /*%< MD5 with RSA */ -#define NS_ALG_DH 2 /*%< Diffie Hellman KEY */ -#define NS_ALG_DSA 3 /*%< DSA KEY */ -#define NS_ALG_DSS NS_ALG_DSA -#define NS_ALG_EXPIRE_ONLY 253 /*%< No alg, no security */ -#define NS_ALG_PRIVATE_OID 254 /*%< Key begins with OID giving alg */ -/* Protocol values */ -/* value 0 is reserved */ -#define NS_KEY_PROT_TLS 1 -#define NS_KEY_PROT_EMAIL 2 -#define NS_KEY_PROT_DNSSEC 3 -#define NS_KEY_PROT_IPSEC 4 -#define NS_KEY_PROT_ANY 255 - -/* Signatures */ -#define NS_MD5RSA_MIN_BITS 512 /*%< Size of a mod or exp in bits */ -#define NS_MD5RSA_MAX_BITS 4096 - /* Total of binary mod and exp */ -#define NS_MD5RSA_MAX_BYTES ((NS_MD5RSA_MAX_BITS+7/8)*2+3) - /* Max length of text sig block */ -#define NS_MD5RSA_MAX_BASE64 (((NS_MD5RSA_MAX_BYTES+2)/3)*4) -#define NS_MD5RSA_MIN_SIZE ((NS_MD5RSA_MIN_BITS+7)/8) -#define NS_MD5RSA_MAX_SIZE ((NS_MD5RSA_MAX_BITS+7)/8) - -#define NS_DSA_SIG_SIZE 41 -#define NS_DSA_MIN_SIZE 213 -#define NS_DSA_MAX_BYTES 405 - -/* Offsets into SIG record rdata to find various values */ -#define NS_SIG_TYPE 0 /*%< Type flags */ -#define NS_SIG_ALG 2 /*%< Algorithm */ -#define NS_SIG_LABELS 3 /*%< 
How many labels in name */ -#define NS_SIG_OTTL 4 /*%< Original TTL */ -#define NS_SIG_EXPIR 8 /*%< Expiration time */ -#define NS_SIG_SIGNED 12 /*%< Signature time */ -#define NS_SIG_FOOT 16 /*%< Key footprint */ -#define NS_SIG_SIGNER 18 /*%< Domain name of who signed it */ -/* How RR types are represented as bit-flags in NXT records */ -#define NS_NXT_BITS 8 -#define NS_NXT_BIT_SET( n,p) (p[(n)/NS_NXT_BITS] |= (0x80>>((n)%NS_NXT_BITS))) -#define NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS))) -#define NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] & (0x80>>((n)%NS_NXT_BITS))) -#define NS_NXT_MAX 127 - /*% * EDNS0 extended flags and option codes, host order. */ @@ -498,25 +414,6 @@ int ns_name_compress (const char *, u_char *, size_t, int ns_name_skip (const u_char **, const u_char *) __THROW; void ns_name_rollback (const u_char *, const u_char **, const u_char **) __THROW; -int ns_sign (u_char *, int *, int, int, void *, - const u_char *, int, u_char *, int *, time_t) __THROW; -int ns_sign2 (u_char *, int *, int, int, void *, - const u_char *, int, u_char *, int *, time_t, - u_char **, u_char **) __THROW; -int ns_sign_tcp (u_char *, int *, int, int, - ns_tcp_tsig_state *, int) __THROW; -int ns_sign_tcp2 (u_char *, int *, int, int, - ns_tcp_tsig_state *, int, - u_char **, u_char **) __THROW; -int ns_sign_tcp_init (void *, const u_char *, int, - ns_tcp_tsig_state *) __THROW; -u_char *ns_find_tsig (u_char *, u_char *) __THROW; -int ns_verify (u_char *, int *, void *, const u_char *, int, - u_char *, int *, time_t *, int) __THROW; -int ns_verify_tcp (u_char *, int *, ns_tcp_tsig_state *, int) - __THROW; -int ns_verify_tcp_init (void *, const u_char *, int, - ns_tcp_tsig_state *) __THROW; int ns_samedomain (const char *, const char *) __THROW; int ns_subdomain (const char *, const char *) __THROW; int ns_makecanon (const char *, char *, size_t) __THROW; diff --git a/resolv/ns_print.c b/resolv/ns_print.c index 7a0e7d5..f55680c 100644 
--- a/resolv/ns_print.c +++ b/resolv/ns_print.c @@ -47,8 +47,6 @@ static int addstr(const char *src, size_t len, static int addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen); -static u_int16_t dst_s_dns_key_id(const u_char *, const int); - /* Macros. */ #define T(x) \ 
@@ -436,124 +434,6 @@ ns_sprintrrf(const u_char *msg, size_t msglen, break; } - case ns_t_key: { - char base64_key[NS_MD5RSA_MAX_BASE64]; - u_int keyflags, protocol, algorithm, key_id; - const char *leader; - int n; - - if (rdlen < 0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ) - goto formerr; - - /* Key flags, Protocol, Algorithm. */ - key_id = dst_s_dns_key_id(rdata, edata-rdata); - keyflags = ns_get16(rdata); rdata += NS_INT16SZ; - protocol = *rdata++; - algorithm = *rdata++; - len = SPRINTF((tmp, "0x%04x %u %u", - keyflags, protocol, algorithm)); - T(addstr(tmp, len, &buf, &buflen)); - - /* Public key data. */ - len = b64_ntop(rdata, edata - rdata, - base64_key, sizeof base64_key); - if (len < 0) - goto formerr; - if (len > 15) { - T(addstr(" (", 2, &buf, &buflen)); - leader = "\n\t\t"; - spaced = 0; - } else - leader = " "; - for (n = 0; n < len; n += 48) { - T(addstr(leader, strlen(leader), &buf, &buflen)); - T(addstr(base64_key + n, MIN(len - n, 48), - &buf, &buflen)); - } - if (len > 15) - T(addstr(" )", 2, &buf, &buflen)); - n = SPRINTF((tmp, " ; key_tag= %u", key_id)); - T(addstr(tmp, n, &buf, &buflen)); - - break; - } - - case ns_t_sig: { - char base64_key[NS_MD5RSA_MAX_BASE64]; - u_int type, algorithm, labels, footprint; - const char *leader; - u_long t; - int n; - - if (rdlen < 22U) - goto formerr; - - /* Type covered, Algorithm, Label count, Original TTL. */ - type = ns_get16(rdata); rdata += NS_INT16SZ; - algorithm = *rdata++; - labels = *rdata++; - t = ns_get32(rdata); rdata += NS_INT32SZ; - len = SPRINTF((tmp, "%s %d %d %lu ", - p_type(type), algorithm, labels, t)); - T(addstr(tmp, len, &buf, &buflen)); - if (labels > (u_int)dn_count_labels(name)) - goto formerr; - - /* Signature expiry. */ - t = ns_get32(rdata); rdata += NS_INT32SZ; - len = SPRINTF((tmp, "%s ", p_secstodate(t))); - T(addstr(tmp, len, &buf, &buflen)); - - /* Time signed. 
*/ - t = ns_get32(rdata); rdata += NS_INT32SZ; - len = SPRINTF((tmp, "%s ", p_secstodate(t))); - T(addstr(tmp, len, &buf, &buflen)); - - /* Signature Footprint. */ - footprint = ns_get16(rdata); rdata += NS_INT16SZ; - len = SPRINTF((tmp, "%u ", footprint)); - T(addstr(tmp, len, &buf, &buflen)); - - /* Signer's name. */ - T(addname(msg, msglen, &rdata, origin, &buf, &buflen)); - - /* Signature. */ - len = b64_ntop(rdata, edata - rdata, - base64_key, sizeof base64_key); - if (len > 15) { - T(addstr(" (", 2, &buf, &buflen)); - leader = "\n\t\t"; - spaced = 0; - } else - leader = " "; - if (len < 0) - goto formerr; - for (n = 0; n < len; n += 48) { - T(addstr(leader, strlen(leader), &buf, &buflen)); - T(addstr(base64_key + n, MIN(len - n, 48), - &buf, &buflen)); - } - if (len > 15) - T(addstr(" )", 2, &buf, &buflen)); - break; - } - - case ns_t_nxt: { - int n, c; - - /* Next domain name. */ - T(addname(msg, msglen, &rdata, origin, &buf, &buflen)); - - /* Type bit map. */ - n = edata - rdata; - for (c = 0; c < n*8; c++) - if (NS_NXT_BIT_ISSET(c, rdata)) { - len = SPRINTF((tmp, " %s", p_type(c))); - T(addstr(tmp, len, &buf, &buflen)); - } - break; - } - case ns_t_cert: { u_int c_type, key_tag, alg; int n; 
@@ -887,81 +767,3 @@ addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen) { } return (spaced); } - -/* DST algorithm codes */ -#define KEY_RSA 1 -#define KEY_HMAC_MD5 157 - -/*% - * calculates a checksum used in dst for an id. - * takes an array of bytes and a length. - * returns a 16 bit checksum. - */ -static u_int16_t -dst_s_id_calc(const u_char *key, const int keysize) -{ - u_int32_t ac; - const u_char *kp = key; - int size = keysize; - - if (!key || (keysize <= 0)) - return (0xffffU); - - for (ac = 0; size > 1; size -= 2, kp += 2) - ac += ((*kp) << 8) + *(kp + 1); - - if (size > 0) - ac += ((*kp) << 8); - ac += (ac >> 16) & 0xffff; - - return (ac & 0xffff); -} - -/*% - * dst_s_get_int16 - * This routine extracts a 16 bit integer from a two byte character - * string. The character string is assumed to be in network byte - * order and may be unaligned. The number returned is in host order. - * Parameter - * buf A two byte character string. - * Return - * The converted integer value. - */ - -static u_int16_t -dst_s_get_int16(const u_char *buf) -{ - u_int16_t a = 0; - a = ((u_int16_t)(buf[0] << 8)) | ((u_int16_t)(buf[1])); - return (a); -} - -/*% - * dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record - * rdata - * Input: - * dns_key_rdata: the raw data in wire format - * rdata_len: the size of the input data - * Output: - * the key footprint/id calculated from the key data - */ -static u_int16_t -dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len) -{ - if (!dns_key_rdata) - return 0; - - /* compute id */ - if (dns_key_rdata[3] == KEY_RSA) /*%< Algorithm RSA */ - return dst_s_get_int16((const u_char *) - &dns_key_rdata[rdata_len - 3]); - else if (dns_key_rdata[3] == KEY_HMAC_MD5) - /* compatibility */ - return 0; - else - /* compute a checksum on the key part of the key rr */ - return dst_s_id_calc(dns_key_rdata, rdata_len); -} - - -/*! \file */ 
diff --git a/resolv/res_debug.c b/resolv/res_debug.c
index bd95590..9b33e19 100644
--- a/resolv/res_debug.c
+++ b/resolv/res_debug.c
@@ -371,24 +371,6 @@ const struct res_sym __p_update_section_syms[] attribute_hidden = {
 {0, (char *)0}
 };
 
-const struct res_sym __p_key_syms[] attribute_hidden = {
-{NS_ALG_MD5RSA, "RSA", "RSA KEY with MD5 hash"},
-{NS_ALG_DH, "DH", "Diffie Hellman"},
-{NS_ALG_DSA, "DSA", "Digital Signature Algorithm"},
-{NS_ALG_EXPIRE_ONLY, "EXPIREONLY", "No algorithm"},
-{NS_ALG_PRIVATE_OID, "PRIVATE", "Algorithm obtained from OID"},
-{0, NULL, NULL}
-};
-
-const struct res_sym __p_cert_syms[] attribute_hidden = {
-{cert_t_pkix, "PKIX", "PKIX (X.509v3) Certificate"},
-{cert_t_spki, "SPKI", "SPKI certificate"},
-{cert_t_pgp, "PGP", "PGP certificate"},
-{cert_t_url, "URL", "URL Private"},
-{cert_t_oid, "OID", "OID Private"},
-{0, NULL, NULL}
-};
-
 /*
 * Names of RR types and qtypes. Types and qtypes are the same, except
 * that T_ANY is a qtype but not a type. (You can ask for records of type |