Remove obsolete DNSSEC support [BZ #20591]
The removed function declarations have never been implemented in libresolv.
This commit is contained in:
parent
f4a36548d8
commit
3a2a1d2cc2
16
ChangeLog
16
ChangeLog
@ -1,3 +1,19 @@
|
||||
2016-09-21 Florian Weimer <fweimer@redhat.com>
|
||||
|
||||
[BZ #20591]
|
||||
Remove obsolete DNSSEC support.
|
||||
* resolv/arpa/nameser.h (ns_key_types, NS_KEY_*, NS_ALG_*)
|
||||
(NS_MD5_RSA_*, NS_DSA_*, NS_NXT_*, ns_sign, ns_sign2, ns_sign_tcp)
|
||||
(ns_sign_tcp2, ns_sign_tcp_init, ns_find_tsig, ns_verify)
|
||||
(ns_verify_tcp, ns_verify_tcp_init): Remove.
|
||||
(ns_cert_types): Add comment.
|
||||
* resolv/ns_print.c (ns_sprintrrf): Do not handle DNSSEC records
|
||||
separately.
|
||||
(KEY_RSA, KEY_HMAC_MD5, dst_s_id_calc, dst_s_get_int16)
|
||||
(dst_s_dns_key_id): Remove.
|
||||
* resolv/res_debug.c (__p_key_syms, __p_cert_syms): Remove unused
|
||||
variables.
|
||||
|
||||
2016-09-21 Florian Weimer <fweimer@redhat.com>
|
||||
|
||||
[BZ #20524]
|
||||
|
6
NEWS
6
NEWS
@ -44,6 +44,12 @@ Version 2.25
|
||||
for the Linux quota interface which predates kernel version 2.4.22 has
|
||||
been removed.
|
||||
|
||||
* DNSSEC-related declarations and definitions have been removed from the
|
||||
<arpa/nameser.h> header file, and libresolv will no longer attempt to
|
||||
decode the data part of DNSSEC record types. Previous versions of glibc
|
||||
only implemented minimal support for the previous version of DNSSEC, which
|
||||
is incompatible with the currently deployed version.
|
||||
|
||||
Security related changes:
|
||||
|
||||
On ARM EABI (32-bit), generating a backtrace for execution contexts which
|
||||
|
@ -326,15 +326,7 @@ typedef enum __ns_class {
|
||||
ns_c_max = 65536
|
||||
} ns_class;
|
||||
|
||||
/* DNSSEC constants. */
|
||||
|
||||
typedef enum __ns_key_types {
|
||||
ns_kt_rsa = 1, /*%< key type RSA/MD5 */
|
||||
ns_kt_dh = 2, /*%< Diffie Hellman */
|
||||
ns_kt_dsa = 3, /*%< Digital Signature Standard (MANDATORY) */
|
||||
ns_kt_private = 254 /*%< Private key type starts with OID */
|
||||
} ns_key_types;
|
||||
|
||||
/* Certificate type values in CERT resource records. */
|
||||
typedef enum __ns_cert_types {
|
||||
cert_t_pkix = 1, /*%< PKIX (X.509v3) */
|
||||
cert_t_spki = 2, /*%< SPKI */
|
||||
@ -343,82 +335,6 @@ typedef enum __ns_cert_types {
|
||||
cert_t_oid = 254 /*%< OID private type */
|
||||
} ns_cert_types;
|
||||
|
||||
/* Flags field of the KEY RR rdata. */
|
||||
#define NS_KEY_TYPEMASK 0xC000 /*%< Mask for "type" bits */
|
||||
#define NS_KEY_TYPE_AUTH_CONF 0x0000 /*%< Key usable for both */
|
||||
#define NS_KEY_TYPE_CONF_ONLY 0x8000 /*%< Key usable for confidentiality */
|
||||
#define NS_KEY_TYPE_AUTH_ONLY 0x4000 /*%< Key usable for authentication */
|
||||
#define NS_KEY_TYPE_NO_KEY 0xC000 /*%< No key usable for either; no key */
|
||||
/* The type bits can also be interpreted independently, as single bits: */
|
||||
#define NS_KEY_NO_AUTH 0x8000 /*%< Key unusable for authentication */
|
||||
#define NS_KEY_NO_CONF 0x4000 /*%< Key unusable for confidentiality */
|
||||
#define NS_KEY_RESERVED2 0x2000 /* Security is *mandatory* if bit=0 */
|
||||
#define NS_KEY_EXTENDED_FLAGS 0x1000 /*%< reserved - must be zero */
|
||||
#define NS_KEY_RESERVED4 0x0800 /*%< reserved - must be zero */
|
||||
#define NS_KEY_RESERVED5 0x0400 /*%< reserved - must be zero */
|
||||
#define NS_KEY_NAME_TYPE 0x0300 /*%< these bits determine the type */
|
||||
#define NS_KEY_NAME_USER 0x0000 /*%< key is assoc. with user */
|
||||
#define NS_KEY_NAME_ENTITY 0x0200 /*%< key is assoc. with entity eg host */
|
||||
#define NS_KEY_NAME_ZONE 0x0100 /*%< key is zone key */
|
||||
#define NS_KEY_NAME_RESERVED 0x0300 /*%< reserved meaning */
|
||||
#define NS_KEY_RESERVED8 0x0080 /*%< reserved - must be zero */
|
||||
#define NS_KEY_RESERVED9 0x0040 /*%< reserved - must be zero */
|
||||
#define NS_KEY_RESERVED10 0x0020 /*%< reserved - must be zero */
|
||||
#define NS_KEY_RESERVED11 0x0010 /*%< reserved - must be zero */
|
||||
#define NS_KEY_SIGNATORYMASK 0x000F /*%< key can sign RR's of same name */
|
||||
#define NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \
|
||||
NS_KEY_RESERVED4 | \
|
||||
NS_KEY_RESERVED5 | \
|
||||
NS_KEY_RESERVED8 | \
|
||||
NS_KEY_RESERVED9 | \
|
||||
NS_KEY_RESERVED10 | \
|
||||
NS_KEY_RESERVED11 )
|
||||
#define NS_KEY_RESERVED_BITMASK2 0xFFFF /*%< no bits defined here */
|
||||
/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
|
||||
#define NS_ALG_MD5RSA 1 /*%< MD5 with RSA */
|
||||
#define NS_ALG_DH 2 /*%< Diffie Hellman KEY */
|
||||
#define NS_ALG_DSA 3 /*%< DSA KEY */
|
||||
#define NS_ALG_DSS NS_ALG_DSA
|
||||
#define NS_ALG_EXPIRE_ONLY 253 /*%< No alg, no security */
|
||||
#define NS_ALG_PRIVATE_OID 254 /*%< Key begins with OID giving alg */
|
||||
/* Protocol values */
|
||||
/* value 0 is reserved */
|
||||
#define NS_KEY_PROT_TLS 1
|
||||
#define NS_KEY_PROT_EMAIL 2
|
||||
#define NS_KEY_PROT_DNSSEC 3
|
||||
#define NS_KEY_PROT_IPSEC 4
|
||||
#define NS_KEY_PROT_ANY 255
|
||||
|
||||
/* Signatures */
|
||||
#define NS_MD5RSA_MIN_BITS 512 /*%< Size of a mod or exp in bits */
|
||||
#define NS_MD5RSA_MAX_BITS 4096
|
||||
/* Total of binary mod and exp */
|
||||
#define NS_MD5RSA_MAX_BYTES ((NS_MD5RSA_MAX_BITS+7/8)*2+3)
|
||||
/* Max length of text sig block */
|
||||
#define NS_MD5RSA_MAX_BASE64 (((NS_MD5RSA_MAX_BYTES+2)/3)*4)
|
||||
#define NS_MD5RSA_MIN_SIZE ((NS_MD5RSA_MIN_BITS+7)/8)
|
||||
#define NS_MD5RSA_MAX_SIZE ((NS_MD5RSA_MAX_BITS+7)/8)
|
||||
|
||||
#define NS_DSA_SIG_SIZE 41
|
||||
#define NS_DSA_MIN_SIZE 213
|
||||
#define NS_DSA_MAX_BYTES 405
|
||||
|
||||
/* Offsets into SIG record rdata to find various values */
|
||||
#define NS_SIG_TYPE 0 /*%< Type flags */
|
||||
#define NS_SIG_ALG 2 /*%< Algorithm */
|
||||
#define NS_SIG_LABELS 3 /*%< How many labels in name */
|
||||
#define NS_SIG_OTTL 4 /*%< Original TTL */
|
||||
#define NS_SIG_EXPIR 8 /*%< Expiration time */
|
||||
#define NS_SIG_SIGNED 12 /*%< Signature time */
|
||||
#define NS_SIG_FOOT 16 /*%< Key footprint */
|
||||
#define NS_SIG_SIGNER 18 /*%< Domain name of who signed it */
|
||||
/* How RR types are represented as bit-flags in NXT records */
|
||||
#define NS_NXT_BITS 8
|
||||
#define NS_NXT_BIT_SET( n,p) (p[(n)/NS_NXT_BITS] |= (0x80>>((n)%NS_NXT_BITS)))
|
||||
#define NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS)))
|
||||
#define NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] & (0x80>>((n)%NS_NXT_BITS)))
|
||||
#define NS_NXT_MAX 127
|
||||
|
||||
/*%
|
||||
* EDNS0 extended flags and option codes, host order.
|
||||
*/
|
||||
@ -498,25 +414,6 @@ int ns_name_compress (const char *, u_char *, size_t,
|
||||
int ns_name_skip (const u_char **, const u_char *) __THROW;
|
||||
void ns_name_rollback (const u_char *, const u_char **,
|
||||
const u_char **) __THROW;
|
||||
int ns_sign (u_char *, int *, int, int, void *,
|
||||
const u_char *, int, u_char *, int *, time_t) __THROW;
|
||||
int ns_sign2 (u_char *, int *, int, int, void *,
|
||||
const u_char *, int, u_char *, int *, time_t,
|
||||
u_char **, u_char **) __THROW;
|
||||
int ns_sign_tcp (u_char *, int *, int, int,
|
||||
ns_tcp_tsig_state *, int) __THROW;
|
||||
int ns_sign_tcp2 (u_char *, int *, int, int,
|
||||
ns_tcp_tsig_state *, int,
|
||||
u_char **, u_char **) __THROW;
|
||||
int ns_sign_tcp_init (void *, const u_char *, int,
|
||||
ns_tcp_tsig_state *) __THROW;
|
||||
u_char *ns_find_tsig (u_char *, u_char *) __THROW;
|
||||
int ns_verify (u_char *, int *, void *, const u_char *, int,
|
||||
u_char *, int *, time_t *, int) __THROW;
|
||||
int ns_verify_tcp (u_char *, int *, ns_tcp_tsig_state *, int)
|
||||
__THROW;
|
||||
int ns_verify_tcp_init (void *, const u_char *, int,
|
||||
ns_tcp_tsig_state *) __THROW;
|
||||
int ns_samedomain (const char *, const char *) __THROW;
|
||||
int ns_subdomain (const char *, const char *) __THROW;
|
||||
int ns_makecanon (const char *, char *, size_t) __THROW;
|
||||
|
@ -47,8 +47,6 @@ static int addstr(const char *src, size_t len,
|
||||
static int addtab(size_t len, size_t target, int spaced,
|
||||
char **buf, size_t *buflen);
|
||||
|
||||
static u_int16_t dst_s_dns_key_id(const u_char *, const int);
|
||||
|
||||
/* Macros. */
|
||||
|
||||
#define T(x) \
|
||||
@ -436,124 +434,6 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
|
||||
break;
|
||||
}
|
||||
|
||||
case ns_t_key: {
|
||||
char base64_key[NS_MD5RSA_MAX_BASE64];
|
||||
u_int keyflags, protocol, algorithm, key_id;
|
||||
const char *leader;
|
||||
int n;
|
||||
|
||||
if (rdlen < 0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ)
|
||||
goto formerr;
|
||||
|
||||
/* Key flags, Protocol, Algorithm. */
|
||||
key_id = dst_s_dns_key_id(rdata, edata-rdata);
|
||||
keyflags = ns_get16(rdata); rdata += NS_INT16SZ;
|
||||
protocol = *rdata++;
|
||||
algorithm = *rdata++;
|
||||
len = SPRINTF((tmp, "0x%04x %u %u",
|
||||
keyflags, protocol, algorithm));
|
||||
T(addstr(tmp, len, &buf, &buflen));
|
||||
|
||||
/* Public key data. */
|
||||
len = b64_ntop(rdata, edata - rdata,
|
||||
base64_key, sizeof base64_key);
|
||||
if (len < 0)
|
||||
goto formerr;
|
||||
if (len > 15) {
|
||||
T(addstr(" (", 2, &buf, &buflen));
|
||||
leader = "\n\t\t";
|
||||
spaced = 0;
|
||||
} else
|
||||
leader = " ";
|
||||
for (n = 0; n < len; n += 48) {
|
||||
T(addstr(leader, strlen(leader), &buf, &buflen));
|
||||
T(addstr(base64_key + n, MIN(len - n, 48),
|
||||
&buf, &buflen));
|
||||
}
|
||||
if (len > 15)
|
||||
T(addstr(" )", 2, &buf, &buflen));
|
||||
n = SPRINTF((tmp, " ; key_tag= %u", key_id));
|
||||
T(addstr(tmp, n, &buf, &buflen));
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
case ns_t_sig: {
|
||||
char base64_key[NS_MD5RSA_MAX_BASE64];
|
||||
u_int type, algorithm, labels, footprint;
|
||||
const char *leader;
|
||||
u_long t;
|
||||
int n;
|
||||
|
||||
if (rdlen < 22U)
|
||||
goto formerr;
|
||||
|
||||
/* Type covered, Algorithm, Label count, Original TTL. */
|
||||
type = ns_get16(rdata); rdata += NS_INT16SZ;
|
||||
algorithm = *rdata++;
|
||||
labels = *rdata++;
|
||||
t = ns_get32(rdata); rdata += NS_INT32SZ;
|
||||
len = SPRINTF((tmp, "%s %d %d %lu ",
|
||||
p_type(type), algorithm, labels, t));
|
||||
T(addstr(tmp, len, &buf, &buflen));
|
||||
if (labels > (u_int)dn_count_labels(name))
|
||||
goto formerr;
|
||||
|
||||
/* Signature expiry. */
|
||||
t = ns_get32(rdata); rdata += NS_INT32SZ;
|
||||
len = SPRINTF((tmp, "%s ", p_secstodate(t)));
|
||||
T(addstr(tmp, len, &buf, &buflen));
|
||||
|
||||
/* Time signed. */
|
||||
t = ns_get32(rdata); rdata += NS_INT32SZ;
|
||||
len = SPRINTF((tmp, "%s ", p_secstodate(t)));
|
||||
T(addstr(tmp, len, &buf, &buflen));
|
||||
|
||||
/* Signature Footprint. */
|
||||
footprint = ns_get16(rdata); rdata += NS_INT16SZ;
|
||||
len = SPRINTF((tmp, "%u ", footprint));
|
||||
T(addstr(tmp, len, &buf, &buflen));
|
||||
|
||||
/* Signer's name. */
|
||||
T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
|
||||
|
||||
/* Signature. */
|
||||
len = b64_ntop(rdata, edata - rdata,
|
||||
base64_key, sizeof base64_key);
|
||||
if (len > 15) {
|
||||
T(addstr(" (", 2, &buf, &buflen));
|
||||
leader = "\n\t\t";
|
||||
spaced = 0;
|
||||
} else
|
||||
leader = " ";
|
||||
if (len < 0)
|
||||
goto formerr;
|
||||
for (n = 0; n < len; n += 48) {
|
||||
T(addstr(leader, strlen(leader), &buf, &buflen));
|
||||
T(addstr(base64_key + n, MIN(len - n, 48),
|
||||
&buf, &buflen));
|
||||
}
|
||||
if (len > 15)
|
||||
T(addstr(" )", 2, &buf, &buflen));
|
||||
break;
|
||||
}
|
||||
|
||||
case ns_t_nxt: {
|
||||
int n, c;
|
||||
|
||||
/* Next domain name. */
|
||||
T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
|
||||
|
||||
/* Type bit map. */
|
||||
n = edata - rdata;
|
||||
for (c = 0; c < n*8; c++)
|
||||
if (NS_NXT_BIT_ISSET(c, rdata)) {
|
||||
len = SPRINTF((tmp, " %s", p_type(c)));
|
||||
T(addstr(tmp, len, &buf, &buflen));
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
case ns_t_cert: {
|
||||
u_int c_type, key_tag, alg;
|
||||
int n;
|
||||
@ -887,81 +767,3 @@ addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen) {
|
||||
}
|
||||
return (spaced);
|
||||
}
|
||||
|
||||
/* DST algorithm codes */
|
||||
#define KEY_RSA 1
|
||||
#define KEY_HMAC_MD5 157
|
||||
|
||||
/*%
|
||||
* calculates a checksum used in dst for an id.
|
||||
* takes an array of bytes and a length.
|
||||
* returns a 16 bit checksum.
|
||||
*/
|
||||
static u_int16_t
|
||||
dst_s_id_calc(const u_char *key, const int keysize)
|
||||
{
|
||||
u_int32_t ac;
|
||||
const u_char *kp = key;
|
||||
int size = keysize;
|
||||
|
||||
if (!key || (keysize <= 0))
|
||||
return (0xffffU);
|
||||
|
||||
for (ac = 0; size > 1; size -= 2, kp += 2)
|
||||
ac += ((*kp) << 8) + *(kp + 1);
|
||||
|
||||
if (size > 0)
|
||||
ac += ((*kp) << 8);
|
||||
ac += (ac >> 16) & 0xffff;
|
||||
|
||||
return (ac & 0xffff);
|
||||
}
|
||||
|
||||
/*%
|
||||
* dst_s_get_int16
|
||||
* This routine extracts a 16 bit integer from a two byte character
|
||||
* string. The character string is assumed to be in network byte
|
||||
* order and may be unaligned. The number returned is in host order.
|
||||
* Parameter
|
||||
* buf A two byte character string.
|
||||
* Return
|
||||
* The converted integer value.
|
||||
*/
|
||||
|
||||
static u_int16_t
|
||||
dst_s_get_int16(const u_char *buf)
|
||||
{
|
||||
u_int16_t a = 0;
|
||||
a = ((u_int16_t)(buf[0] << 8)) | ((u_int16_t)(buf[1]));
|
||||
return (a);
|
||||
}
|
||||
|
||||
/*%
|
||||
* dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
|
||||
* rdata
|
||||
* Input:
|
||||
* dns_key_rdata: the raw data in wire format
|
||||
* rdata_len: the size of the input data
|
||||
* Output:
|
||||
* the key footprint/id calculated from the key data
|
||||
*/
|
||||
static u_int16_t
|
||||
dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
|
||||
{
|
||||
if (!dns_key_rdata)
|
||||
return 0;
|
||||
|
||||
/* compute id */
|
||||
if (dns_key_rdata[3] == KEY_RSA) /*%< Algorithm RSA */
|
||||
return dst_s_get_int16((const u_char *)
|
||||
&dns_key_rdata[rdata_len - 3]);
|
||||
else if (dns_key_rdata[3] == KEY_HMAC_MD5)
|
||||
/* compatibility */
|
||||
return 0;
|
||||
else
|
||||
/* compute a checksum on the key part of the key rr */
|
||||
return dst_s_id_calc(dns_key_rdata, rdata_len);
|
||||
}
|
||||
|
||||
|
||||
/*! \file */
|
||||
|
@ -371,24 +371,6 @@ const struct res_sym __p_update_section_syms[] attribute_hidden = {
|
||||
{0, (char *)0}
|
||||
};
|
||||
|
||||
const struct res_sym __p_key_syms[] attribute_hidden = {
|
||||
{NS_ALG_MD5RSA, "RSA", "RSA KEY with MD5 hash"},
|
||||
{NS_ALG_DH, "DH", "Diffie Hellman"},
|
||||
{NS_ALG_DSA, "DSA", "Digital Signature Algorithm"},
|
||||
{NS_ALG_EXPIRE_ONLY, "EXPIREONLY", "No algorithm"},
|
||||
{NS_ALG_PRIVATE_OID, "PRIVATE", "Algorithm obtained from OID"},
|
||||
{0, NULL, NULL}
|
||||
};
|
||||
|
||||
const struct res_sym __p_cert_syms[] attribute_hidden = {
|
||||
{cert_t_pkix, "PKIX", "PKIX (X.509v3) Certificate"},
|
||||
{cert_t_spki, "SPKI", "SPKI certificate"},
|
||||
{cert_t_pgp, "PGP", "PGP certificate"},
|
||||
{cert_t_url, "URL", "URL Private"},
|
||||
{cert_t_oid, "OID", "OID Private"},
|
||||
{0, NULL, NULL}
|
||||
};
|
||||
|
||||
/*
|
||||
* Names of RR types and qtypes. Types and qtypes are the same, except
|
||||
* that T_ANY is a qtype but not a type. (You can ask for records of type
|
||||
|