Remove obsolete DNSSEC support [BZ #20591]

The removed function declarations have never been implemented in libresolv.
This commit is contained in:
Florian Weimer 2016-09-21 16:08:31 +02:00
parent f4a36548d8
commit 3a2a1d2cc2
5 changed files with 23 additions and 320 deletions


@ -1,3 +1,19 @@
2016-09-21 Florian Weimer <fweimer@redhat.com>
[BZ #20591]
Remove obsolete DNSSEC support.
* resolv/arpa/nameser.h (ns_key_types, NS_KEY_*, NS_ALG_*)
(NS_MD5_RSA_*, NS_DSA_*, NS_NXT_*, ns_sign, ns_sign2, ns_sign_tcp)
(ns_sign_tcp2, ns_sign_tcp_init, ns_find_tsig, ns_verify)
(ns_verify_tcp, ns_verify_tcp_init): Remove.
(ns_cert_types): Add comment.
* resolv/ns_print.c (ns_sprintrrf): Do not handle DNSSEC records
separately.
(KEY_RSA, KEY_HMAC_MD5, dst_s_id_calc, dst_s_get_int16)
(dst_s_dns_key_id): Remove.
* resolv/res_debug.c (__p_key_syms, __p_cert_syms): Remove unused
variables.
2016-09-21 Florian Weimer <fweimer@redhat.com>
[BZ #20524]

6
NEWS

@ -44,6 +44,12 @@ Version 2.25
for the Linux quota interface which predates kernel version 2.4.22 has
been removed.
* DNSSEC-related declarations and definitions have been removed from the
<arpa/nameser.h> header file, and libresolv will no longer attempt to
decode the data part of DNSSEC record types. Previous versions of glibc
only implemented minimal support for the previous version of DNSSEC, which
is incompatible with the currently deployed version.
Security related changes:
On ARM EABI (32-bit), generating a backtrace for execution contexts which


@ -326,15 +326,7 @@ typedef enum __ns_class {
ns_c_max = 65536
} ns_class;
/* DNSSEC constants. */
typedef enum __ns_key_types {
ns_kt_rsa = 1, /*%< key type RSA/MD5 */
ns_kt_dh = 2, /*%< Diffie Hellman */
ns_kt_dsa = 3, /*%< Digital Signature Standard (MANDATORY) */
ns_kt_private = 254 /*%< Private key type starts with OID */
} ns_key_types;
/* Certificate type values in CERT resource records. */
typedef enum __ns_cert_types {
cert_t_pkix = 1, /*%< PKIX (X.509v3) */
cert_t_spki = 2, /*%< SPKI */
@ -343,82 +335,6 @@ typedef enum __ns_cert_types {
cert_t_oid = 254 /*%< OID private type */
} ns_cert_types;
/* Flags field of the KEY RR rdata. */
#define NS_KEY_TYPEMASK 0xC000 /*%< Mask for "type" bits */
#define NS_KEY_TYPE_AUTH_CONF 0x0000 /*%< Key usable for both */
#define NS_KEY_TYPE_CONF_ONLY 0x8000 /*%< Key usable for confidentiality */
#define NS_KEY_TYPE_AUTH_ONLY 0x4000 /*%< Key usable for authentication */
#define NS_KEY_TYPE_NO_KEY 0xC000 /*%< No key usable for either; no key */
/* The type bits can also be interpreted independently, as single bits: */
#define NS_KEY_NO_AUTH 0x8000 /*%< Key unusable for authentication */
#define NS_KEY_NO_CONF 0x4000 /*%< Key unusable for confidentiality */
#define NS_KEY_RESERVED2 0x2000 /* Security is *mandatory* if bit=0 */
#define NS_KEY_EXTENDED_FLAGS 0x1000 /*%< reserved - must be zero */
#define NS_KEY_RESERVED4 0x0800 /*%< reserved - must be zero */
#define NS_KEY_RESERVED5 0x0400 /*%< reserved - must be zero */
#define NS_KEY_NAME_TYPE 0x0300 /*%< these bits determine the type */
#define NS_KEY_NAME_USER 0x0000 /*%< key is assoc. with user */
#define NS_KEY_NAME_ENTITY 0x0200 /*%< key is assoc. with entity eg host */
#define NS_KEY_NAME_ZONE 0x0100 /*%< key is zone key */
#define NS_KEY_NAME_RESERVED 0x0300 /*%< reserved meaning */
#define NS_KEY_RESERVED8 0x0080 /*%< reserved - must be zero */
#define NS_KEY_RESERVED9 0x0040 /*%< reserved - must be zero */
#define NS_KEY_RESERVED10 0x0020 /*%< reserved - must be zero */
#define NS_KEY_RESERVED11 0x0010 /*%< reserved - must be zero */
#define NS_KEY_SIGNATORYMASK 0x000F /*%< key can sign RR's of same name */
#define NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \
NS_KEY_RESERVED4 | \
NS_KEY_RESERVED5 | \
NS_KEY_RESERVED8 | \
NS_KEY_RESERVED9 | \
NS_KEY_RESERVED10 | \
NS_KEY_RESERVED11 )
#define NS_KEY_RESERVED_BITMASK2 0xFFFF /*%< no bits defined here */
/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
#define NS_ALG_MD5RSA 1 /*%< MD5 with RSA */
#define NS_ALG_DH 2 /*%< Diffie Hellman KEY */
#define NS_ALG_DSA 3 /*%< DSA KEY */
#define NS_ALG_DSS NS_ALG_DSA
#define NS_ALG_EXPIRE_ONLY 253 /*%< No alg, no security */
#define NS_ALG_PRIVATE_OID 254 /*%< Key begins with OID giving alg */
/* Protocol values */
/* value 0 is reserved */
#define NS_KEY_PROT_TLS 1
#define NS_KEY_PROT_EMAIL 2
#define NS_KEY_PROT_DNSSEC 3
#define NS_KEY_PROT_IPSEC 4
#define NS_KEY_PROT_ANY 255
/* Signatures */
#define NS_MD5RSA_MIN_BITS 512 /*%< Size of a mod or exp in bits */
#define NS_MD5RSA_MAX_BITS 4096
/* Total of binary mod and exp */
#define NS_MD5RSA_MAX_BYTES ((NS_MD5RSA_MAX_BITS+7/8)*2+3)
/* Max length of text sig block */
#define NS_MD5RSA_MAX_BASE64 (((NS_MD5RSA_MAX_BYTES+2)/3)*4)
#define NS_MD5RSA_MIN_SIZE ((NS_MD5RSA_MIN_BITS+7)/8)
#define NS_MD5RSA_MAX_SIZE ((NS_MD5RSA_MAX_BITS+7)/8)
#define NS_DSA_SIG_SIZE 41
#define NS_DSA_MIN_SIZE 213
#define NS_DSA_MAX_BYTES 405
/* Offsets into SIG record rdata to find various values */
#define NS_SIG_TYPE 0 /*%< Type flags */
#define NS_SIG_ALG 2 /*%< Algorithm */
#define NS_SIG_LABELS 3 /*%< How many labels in name */
#define NS_SIG_OTTL 4 /*%< Original TTL */
#define NS_SIG_EXPIR 8 /*%< Expiration time */
#define NS_SIG_SIGNED 12 /*%< Signature time */
#define NS_SIG_FOOT 16 /*%< Key footprint */
#define NS_SIG_SIGNER 18 /*%< Domain name of who signed it */
/* How RR types are represented as bit-flags in NXT records */
#define NS_NXT_BITS 8
#define NS_NXT_BIT_SET( n,p) (p[(n)/NS_NXT_BITS] |= (0x80>>((n)%NS_NXT_BITS)))
#define NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS)))
#define NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] & (0x80>>((n)%NS_NXT_BITS)))
#define NS_NXT_MAX 127
/*%
* EDNS0 extended flags and option codes, host order.
*/
@ -498,25 +414,6 @@ int ns_name_compress (const char *, u_char *, size_t,
int ns_name_skip (const u_char **, const u_char *) __THROW;
void ns_name_rollback (const u_char *, const u_char **,
const u_char **) __THROW;
int ns_sign (u_char *, int *, int, int, void *,
const u_char *, int, u_char *, int *, time_t) __THROW;
int ns_sign2 (u_char *, int *, int, int, void *,
const u_char *, int, u_char *, int *, time_t,
u_char **, u_char **) __THROW;
int ns_sign_tcp (u_char *, int *, int, int,
ns_tcp_tsig_state *, int) __THROW;
int ns_sign_tcp2 (u_char *, int *, int, int,
ns_tcp_tsig_state *, int,
u_char **, u_char **) __THROW;
int ns_sign_tcp_init (void *, const u_char *, int,
ns_tcp_tsig_state *) __THROW;
u_char *ns_find_tsig (u_char *, u_char *) __THROW;
int ns_verify (u_char *, int *, void *, const u_char *, int,
u_char *, int *, time_t *, int) __THROW;
int ns_verify_tcp (u_char *, int *, ns_tcp_tsig_state *, int)
__THROW;
int ns_verify_tcp_init (void *, const u_char *, int,
ns_tcp_tsig_state *) __THROW;
int ns_samedomain (const char *, const char *) __THROW;
int ns_subdomain (const char *, const char *) __THROW;
int ns_makecanon (const char *, char *, size_t) __THROW;
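Review bot: The removed `ns_sign*`/`ns_verify*` prototypes were the only visible users of `ns_tcp_tsig_state`, and nothing in this section touches that type; if its definition stays in the header, a one-line comment next to it saying it is retained only for source compatibility with code that named the type would stop the next reader from hunting for its (now non-existent) users. That is an inference from the hunk — the type's definition is outside the shown lines, so please confirm it still exists before adding the comment. The added comment `/* Certificate type values in CERT resource records. */` is a good counterpart for `ns_cert_types`, which is kept while its DNSSEC neighbour `ns_key_types` goes.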


@ -47,8 +47,6 @@ static int addstr(const char *src, size_t len,
static int addtab(size_t len, size_t target, int spaced,
char **buf, size_t *buflen);
static u_int16_t dst_s_dns_key_id(const u_char *, const int);
/* Macros. */
#define T(x) \
@ -436,124 +434,6 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
break;
}
case ns_t_key: {
char base64_key[NS_MD5RSA_MAX_BASE64];
u_int keyflags, protocol, algorithm, key_id;
const char *leader;
int n;
if (rdlen < 0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ)
goto formerr;
/* Key flags, Protocol, Algorithm. */
key_id = dst_s_dns_key_id(rdata, edata-rdata);
keyflags = ns_get16(rdata); rdata += NS_INT16SZ;
protocol = *rdata++;
algorithm = *rdata++;
len = SPRINTF((tmp, "0x%04x %u %u",
keyflags, protocol, algorithm));
T(addstr(tmp, len, &buf, &buflen));
/* Public key data. */
len = b64_ntop(rdata, edata - rdata,
base64_key, sizeof base64_key);
if (len < 0)
goto formerr;
if (len > 15) {
T(addstr(" (", 2, &buf, &buflen));
leader = "\n\t\t";
spaced = 0;
} else
leader = " ";
for (n = 0; n < len; n += 48) {
T(addstr(leader, strlen(leader), &buf, &buflen));
T(addstr(base64_key + n, MIN(len - n, 48),
&buf, &buflen));
}
if (len > 15)
T(addstr(" )", 2, &buf, &buflen));
n = SPRINTF((tmp, " ; key_tag= %u", key_id));
T(addstr(tmp, n, &buf, &buflen));
break;
}
case ns_t_sig: {
char base64_key[NS_MD5RSA_MAX_BASE64];
u_int type, algorithm, labels, footprint;
const char *leader;
u_long t;
int n;
if (rdlen < 22U)
goto formerr;
/* Type covered, Algorithm, Label count, Original TTL. */
type = ns_get16(rdata); rdata += NS_INT16SZ;
algorithm = *rdata++;
labels = *rdata++;
t = ns_get32(rdata); rdata += NS_INT32SZ;
len = SPRINTF((tmp, "%s %d %d %lu ",
p_type(type), algorithm, labels, t));
T(addstr(tmp, len, &buf, &buflen));
if (labels > (u_int)dn_count_labels(name))
goto formerr;
/* Signature expiry. */
t = ns_get32(rdata); rdata += NS_INT32SZ;
len = SPRINTF((tmp, "%s ", p_secstodate(t)));
T(addstr(tmp, len, &buf, &buflen));
/* Time signed. */
t = ns_get32(rdata); rdata += NS_INT32SZ;
len = SPRINTF((tmp, "%s ", p_secstodate(t)));
T(addstr(tmp, len, &buf, &buflen));
/* Signature Footprint. */
footprint = ns_get16(rdata); rdata += NS_INT16SZ;
len = SPRINTF((tmp, "%u ", footprint));
T(addstr(tmp, len, &buf, &buflen));
/* Signer's name. */
T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
/* Signature. */
len = b64_ntop(rdata, edata - rdata,
base64_key, sizeof base64_key);
if (len > 15) {
T(addstr(" (", 2, &buf, &buflen));
leader = "\n\t\t";
spaced = 0;
} else
leader = " ";
if (len < 0)
goto formerr;
for (n = 0; n < len; n += 48) {
T(addstr(leader, strlen(leader), &buf, &buflen));
T(addstr(base64_key + n, MIN(len - n, 48),
&buf, &buflen));
}
if (len > 15)
T(addstr(" )", 2, &buf, &buflen));
break;
}
case ns_t_nxt: {
int n, c;
/* Next domain name. */
T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
/* Type bit map. */
n = edata - rdata;
for (c = 0; c < n*8; c++)
if (NS_NXT_BIT_ISSET(c, rdata)) {
len = SPRINTF((tmp, " %s", p_type(c)));
T(addstr(tmp, len, &buf, &buflen));
}
break;
}
case ns_t_cert: {
u_int c_type, key_tag, alg;
int n;
@ -887,81 +767,3 @@ addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen) {
}
return (spaced);
}
/* DST algorithm codes */
#define KEY_RSA 1
#define KEY_HMAC_MD5 157
/*%
* calculates a checksum used in dst for an id.
* takes an array of bytes and a length.
* returns a 16 bit checksum.
*/
static u_int16_t
dst_s_id_calc(const u_char *key, const int keysize)
{
u_int32_t ac;
const u_char *kp = key;
int size = keysize;
if (!key || (keysize <= 0))
return (0xffffU);
for (ac = 0; size > 1; size -= 2, kp += 2)
ac += ((*kp) << 8) + *(kp + 1);
if (size > 0)
ac += ((*kp) << 8);
ac += (ac >> 16) & 0xffff;
return (ac & 0xffff);
}
/*%
* dst_s_get_int16
* This routine extracts a 16 bit integer from a two byte character
* string. The character string is assumed to be in network byte
* order and may be unaligned. The number returned is in host order.
* Parameter
* buf A two byte character string.
* Return
* The converted integer value.
*/
static u_int16_t
dst_s_get_int16(const u_char *buf)
{
u_int16_t a = 0;
a = ((u_int16_t)(buf[0] << 8)) | ((u_int16_t)(buf[1]));
return (a);
}
/*%
* dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
* rdata
* Input:
* dns_key_rdata: the raw data in wire format
* rdata_len: the size of the input data
* Output:
* the key footprint/id calculated from the key data
*/
static u_int16_t
dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
{
if (!dns_key_rdata)
return 0;
/* compute id */
if (dns_key_rdata[3] == KEY_RSA) /*%< Algorithm RSA */
return dst_s_get_int16((const u_char *)
&dns_key_rdata[rdata_len - 3]);
else if (dns_key_rdata[3] == KEY_HMAC_MD5)
/* compatibility */
return 0;
else
/* compute a checksum on the key part of the key rr */
return dst_s_id_calc(dns_key_rdata, rdata_len);
}
/*! \file */
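Review bot: After the `case ns_t_key`, `case ns_t_sig` and `case ns_t_nxt` arms are dropped from the `switch` in ns_sprintrrf, those record types silently reach whichever arm follows, and nothing in the new code records that this is deliberate; a comment ahead of `case ns_t_cert` such as `/* KEY, SIG and NXT (obsolete DNSSEC) are intentionally not decoded here; they fall through to the generic rdata handling.  */` would make the intent explicit. The `default` arm of the switch is outside the hunk, so I cannot confirm from here that it prints unknown rdata in the generic form rather than reporting a format error — worth checking, since NEWS promises the former. A small test feeding ns_sprintrrf a KEY or SIG record and checking the generic output would pin that behaviour. ns_sprintrrf begins and ends outside the hunk; the final hunk's removal of `dst_s_id_calc`, `dst_s_get_int16` and `dst_s_dns_key_id` is consistent with the dropped forward declaration in the first hunk.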


@ -371,24 +371,6 @@ const struct res_sym __p_update_section_syms[] attribute_hidden = {
{0, (char *)0}
};
const struct res_sym __p_key_syms[] attribute_hidden = {
{NS_ALG_MD5RSA, "RSA", "RSA KEY with MD5 hash"},
{NS_ALG_DH, "DH", "Diffie Hellman"},
{NS_ALG_DSA, "DSA", "Digital Signature Algorithm"},
{NS_ALG_EXPIRE_ONLY, "EXPIREONLY", "No algorithm"},
{NS_ALG_PRIVATE_OID, "PRIVATE", "Algorithm obtained from OID"},
{0, NULL, NULL}
};
const struct res_sym __p_cert_syms[] attribute_hidden = {
{cert_t_pkix, "PKIX", "PKIX (X.509v3) Certificate"},
{cert_t_spki, "SPKI", "SPKI certificate"},
{cert_t_pgp, "PGP", "PGP certificate"},
{cert_t_url, "URL", "URL Private"},
{cert_t_oid, "OID", "OID Private"},
{0, NULL, NULL}
};
/*
* Names of RR types and qtypes. Types and qtypes are the same, except
* that T_ANY is a qtype but not a type. (You can ask for records of type