about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog16
-rw-r--r--NEWS6
-rw-r--r--resolv/arpa/nameser.h105
-rw-r--r--resolv/ns_print.c198
-rw-r--r--resolv/res_debug.c18
5 files changed, 23 insertions, 320 deletions
diff --git a/ChangeLog b/ChangeLog
index b1a6692dc6..efa0af514e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,21 @@
 2016-09-21  Florian Weimer  <fweimer@redhat.com>
 
+	[BZ #20591]
+	Remove obsolete DNSSEC support.
+	* resolv/arpa/nameser.h (ns_key_types, NS_KEY_*, NS_ALG_*)
+	(NS_MD5_RSA_*, NS_DSA_*, NS_NXT_*, ns_sign, ns_sign2, ns_sign_tcp)
+	(ns_sign_tcp2, ns_sign_tcp_init, ns_find_tsig, ns_verify)
+	(ns_verify_tcp, ns_verify_tcp_init): Remove.
+	(ns_cert_types): Add comment.
+	* resolv/ns_print.c (ns_sprintrrf): Do not handle DNSSEC records
+	separately.
+	(KEY_RSA, KEY_HMAC_MD5, dst_s_id_calc, dst_s_get_int16)
+	(dst_s_dns_key_id): Remove.
+	* resolv/res_debug.c (__p_key_syms, __p_cert_syms): Remove unused
+	variables.
+
+2016-09-21  Florian Weimer  <fweimer@redhat.com>
+
 	[BZ #20524]
 	* manual/string.texi (String/Array Comparison): Clarify the
 	strverscmp behavior.
diff --git a/NEWS b/NEWS
index 0ea6bfa925..5f7fc07c94 100644
--- a/NEWS
+++ b/NEWS
@@ -44,6 +44,12 @@ Version 2.25
   for the Linux quota interface which predates kernel version 2.4.22 has
   been removed.
 
+* DNSSEC-related declarations and definitions have been removed from the
+  <arpa/nameser.h> header file, and libresolv will no longer attempt to
+  decode the data part of DNSSEC record types.  Previous versions of glibc
+  only implemented minimal support for the previous version of DNSSEC, which
+  is incompatible with the currently deployed version.
+
 Security related changes:
 
   On ARM EABI (32-bit), generating a backtrace for execution contexts which
diff --git a/resolv/arpa/nameser.h b/resolv/arpa/nameser.h
index 04f884441b..cdbec23ce3 100644
--- a/resolv/arpa/nameser.h
+++ b/resolv/arpa/nameser.h
@@ -326,15 +326,7 @@ typedef enum __ns_class {
 	ns_c_max = 65536
 } ns_class;
 
-/* DNSSEC constants. */
-
-typedef enum __ns_key_types {
-	ns_kt_rsa = 1,		/*%< key type RSA/MD5 */
-	ns_kt_dh  = 2,		/*%< Diffie Hellman */
-	ns_kt_dsa = 3,		/*%< Digital Signature Standard (MANDATORY) */
-	ns_kt_private = 254	/*%< Private key type starts with OID */
-} ns_key_types;
-
+/* Certificate type values in CERT resource records.  */
 typedef enum __ns_cert_types {
 	cert_t_pkix = 1,	/*%< PKIX (X.509v3) */
 	cert_t_spki = 2,	/*%< SPKI */
@@ -343,82 +335,6 @@ typedef enum __ns_cert_types {
 	cert_t_oid  = 254	/*%< OID private type */
 } ns_cert_types;
 
-/* Flags field of the KEY RR rdata. */
-#define	NS_KEY_TYPEMASK		0xC000	/*%< Mask for "type" bits */
-#define	NS_KEY_TYPE_AUTH_CONF	0x0000	/*%< Key usable for both */
-#define	NS_KEY_TYPE_CONF_ONLY	0x8000	/*%< Key usable for confidentiality */
-#define	NS_KEY_TYPE_AUTH_ONLY	0x4000	/*%< Key usable for authentication */
-#define	NS_KEY_TYPE_NO_KEY	0xC000	/*%< No key usable for either; no key */
-/* The type bits can also be interpreted independently, as single bits: */
-#define	NS_KEY_NO_AUTH		0x8000	/*%< Key unusable for authentication */
-#define	NS_KEY_NO_CONF		0x4000	/*%< Key unusable for confidentiality */
-#define	NS_KEY_RESERVED2	0x2000	/* Security is *mandatory* if bit=0 */
-#define	NS_KEY_EXTENDED_FLAGS	0x1000	/*%< reserved - must be zero */
-#define	NS_KEY_RESERVED4	0x0800  /*%< reserved - must be zero */
-#define	NS_KEY_RESERVED5	0x0400  /*%< reserved - must be zero */
-#define	NS_KEY_NAME_TYPE	0x0300	/*%< these bits determine the type */
-#define	NS_KEY_NAME_USER	0x0000	/*%< key is assoc. with user */
-#define	NS_KEY_NAME_ENTITY	0x0200	/*%< key is assoc. with entity eg host */
-#define	NS_KEY_NAME_ZONE	0x0100	/*%< key is zone key */
-#define	NS_KEY_NAME_RESERVED	0x0300	/*%< reserved meaning */
-#define	NS_KEY_RESERVED8	0x0080  /*%< reserved - must be zero */
-#define	NS_KEY_RESERVED9	0x0040  /*%< reserved - must be zero */
-#define	NS_KEY_RESERVED10	0x0020  /*%< reserved - must be zero */
-#define	NS_KEY_RESERVED11	0x0010  /*%< reserved - must be zero */
-#define	NS_KEY_SIGNATORYMASK	0x000F	/*%< key can sign RR's of same name */
-#define	NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \
-				  NS_KEY_RESERVED4 | \
-				  NS_KEY_RESERVED5 | \
-				  NS_KEY_RESERVED8 | \
-				  NS_KEY_RESERVED9 | \
-				  NS_KEY_RESERVED10 | \
-				  NS_KEY_RESERVED11 )
-#define NS_KEY_RESERVED_BITMASK2 0xFFFF /*%< no bits defined here */
-/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define	NS_ALG_MD5RSA		1	/*%< MD5 with RSA */
-#define	NS_ALG_DH               2	/*%< Diffie Hellman KEY */
-#define	NS_ALG_DSA              3	/*%< DSA KEY */
-#define	NS_ALG_DSS              NS_ALG_DSA
-#define	NS_ALG_EXPIRE_ONLY	253	/*%< No alg, no security */
-#define	NS_ALG_PRIVATE_OID	254	/*%< Key begins with OID giving alg */
-/* Protocol values  */
-/* value 0 is reserved */
-#define NS_KEY_PROT_TLS         1
-#define NS_KEY_PROT_EMAIL       2
-#define NS_KEY_PROT_DNSSEC      3
-#define NS_KEY_PROT_IPSEC       4
-#define NS_KEY_PROT_ANY		255
-
-/* Signatures */
-#define	NS_MD5RSA_MIN_BITS	 512	/*%< Size of a mod or exp in bits */
-#define	NS_MD5RSA_MAX_BITS	4096
-	/* Total of binary mod and exp */
-#define	NS_MD5RSA_MAX_BYTES	((NS_MD5RSA_MAX_BITS+7/8)*2+3)
-	/* Max length of text sig block */
-#define	NS_MD5RSA_MAX_BASE64	(((NS_MD5RSA_MAX_BYTES+2)/3)*4)
-#define NS_MD5RSA_MIN_SIZE	((NS_MD5RSA_MIN_BITS+7)/8)
-#define NS_MD5RSA_MAX_SIZE	((NS_MD5RSA_MAX_BITS+7)/8)
-
-#define NS_DSA_SIG_SIZE         41
-#define NS_DSA_MIN_SIZE         213
-#define NS_DSA_MAX_BYTES        405
-
-/* Offsets into SIG record rdata to find various values */
-#define	NS_SIG_TYPE	0	/*%< Type flags */
-#define	NS_SIG_ALG	2	/*%< Algorithm */
-#define	NS_SIG_LABELS	3	/*%< How many labels in name */
-#define	NS_SIG_OTTL	4	/*%< Original TTL */
-#define	NS_SIG_EXPIR	8	/*%< Expiration time */
-#define	NS_SIG_SIGNED	12	/*%< Signature time */
-#define	NS_SIG_FOOT	16	/*%< Key footprint */
-#define	NS_SIG_SIGNER	18	/*%< Domain name of who signed it */
-/* How RR types are represented as bit-flags in NXT records */
-#define	NS_NXT_BITS 8
-#define	NS_NXT_BIT_SET(  n,p) (p[(n)/NS_NXT_BITS] |=  (0x80>>((n)%NS_NXT_BITS)))
-#define	NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS)))
-#define	NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] &   (0x80>>((n)%NS_NXT_BITS)))
-#define NS_NXT_MAX 127
-
 /*%
  * EDNS0 extended flags and option codes, host order.
  */
@@ -498,25 +414,6 @@ int		ns_name_compress (const char *, u_char *, size_t,
 int		ns_name_skip (const u_char **, const u_char *) __THROW;
 void		ns_name_rollback (const u_char *, const u_char **,
 				  const u_char **) __THROW;
-int		ns_sign (u_char *, int *, int, int, void *,
-			 const u_char *, int, u_char *, int *, time_t) __THROW;
-int		ns_sign2 (u_char *, int *, int, int, void *,
-			  const u_char *, int, u_char *, int *, time_t,
-			  u_char **, u_char **) __THROW;
-int		ns_sign_tcp (u_char *, int *, int, int,
-			     ns_tcp_tsig_state *, int) __THROW;
-int		ns_sign_tcp2 (u_char *, int *, int, int,
-			      ns_tcp_tsig_state *, int,
-			      u_char **, u_char **) __THROW;
-int		ns_sign_tcp_init (void *, const u_char *, int,
-				  ns_tcp_tsig_state *) __THROW;
-u_char		*ns_find_tsig (u_char *, u_char *) __THROW;
-int		ns_verify (u_char *, int *, void *, const u_char *, int,
-			   u_char *, int *, time_t *, int) __THROW;
-int		ns_verify_tcp (u_char *, int *, ns_tcp_tsig_state *, int)
-     __THROW;
-int		ns_verify_tcp_init (void *, const u_char *, int,
-				    ns_tcp_tsig_state *) __THROW;
 int		ns_samedomain (const char *, const char *) __THROW;
 int		ns_subdomain (const char *, const char *) __THROW;
 int		ns_makecanon (const char *, char *, size_t) __THROW;
diff --git a/resolv/ns_print.c b/resolv/ns_print.c
index 7a0e7d5e71..f55680c311 100644
--- a/resolv/ns_print.c
+++ b/resolv/ns_print.c
@@ -47,8 +47,6 @@ static int	addstr(const char *src, size_t len,
 static int	addtab(size_t len, size_t target, int spaced,
 		       char **buf, size_t *buflen);
 
-static u_int16_t dst_s_dns_key_id(const u_char *, const int);
-
 /* Macros. */
 
 #define	T(x) \
@@ -436,124 +434,6 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 		break;
 	    }
 
-	case ns_t_key: {
-		char base64_key[NS_MD5RSA_MAX_BASE64];
-		u_int keyflags, protocol, algorithm, key_id;
-		const char *leader;
-		int n;
-
-		if (rdlen < 0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ)
-			goto formerr;
-
-		/* Key flags, Protocol, Algorithm. */
-		key_id = dst_s_dns_key_id(rdata, edata-rdata);
-		keyflags = ns_get16(rdata);  rdata += NS_INT16SZ;
-		protocol = *rdata++;
-		algorithm = *rdata++;
-		len = SPRINTF((tmp, "0x%04x %u %u",
-			       keyflags, protocol, algorithm));
-		T(addstr(tmp, len, &buf, &buflen));
-
-		/* Public key data. */
-		len = b64_ntop(rdata, edata - rdata,
-			       base64_key, sizeof base64_key);
-		if (len < 0)
-			goto formerr;
-		if (len > 15) {
-			T(addstr(" (", 2, &buf, &buflen));
-			leader = "\n\t\t";
-			spaced = 0;
-		} else
-			leader = " ";
-		for (n = 0; n < len; n += 48) {
-			T(addstr(leader, strlen(leader), &buf, &buflen));
-			T(addstr(base64_key + n, MIN(len - n, 48),
-				 &buf, &buflen));
-		}
-		if (len > 15)
-			T(addstr(" )", 2, &buf, &buflen));
-		n = SPRINTF((tmp, " ; key_tag= %u", key_id));
-		T(addstr(tmp, n, &buf, &buflen));
-
-		break;
-	    }
-
-	case ns_t_sig: {
-		char base64_key[NS_MD5RSA_MAX_BASE64];
-		u_int type, algorithm, labels, footprint;
-		const char *leader;
-		u_long t;
-		int n;
-
-		if (rdlen < 22U)
-			goto formerr;
-
-		/* Type covered, Algorithm, Label count, Original TTL. */
-	        type = ns_get16(rdata);  rdata += NS_INT16SZ;
-		algorithm = *rdata++;
-		labels = *rdata++;
-		t = ns_get32(rdata);  rdata += NS_INT32SZ;
-		len = SPRINTF((tmp, "%s %d %d %lu ",
-			       p_type(type), algorithm, labels, t));
-		T(addstr(tmp, len, &buf, &buflen));
-		if (labels > (u_int)dn_count_labels(name))
-			goto formerr;
-
-		/* Signature expiry. */
-		t = ns_get32(rdata);  rdata += NS_INT32SZ;
-		len = SPRINTF((tmp, "%s ", p_secstodate(t)));
-		T(addstr(tmp, len, &buf, &buflen));
-
-		/* Time signed. */
-		t = ns_get32(rdata);  rdata += NS_INT32SZ;
-		len = SPRINTF((tmp, "%s ", p_secstodate(t)));
-		T(addstr(tmp, len, &buf, &buflen));
-
-		/* Signature Footprint. */
-		footprint = ns_get16(rdata);  rdata += NS_INT16SZ;
-		len = SPRINTF((tmp, "%u ", footprint));
-		T(addstr(tmp, len, &buf, &buflen));
-
-		/* Signer's name. */
-		T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
-		/* Signature. */
-		len = b64_ntop(rdata, edata - rdata,
-			       base64_key, sizeof base64_key);
-		if (len > 15) {
-			T(addstr(" (", 2, &buf, &buflen));
-			leader = "\n\t\t";
-			spaced = 0;
-		} else
-			leader = " ";
-		if (len < 0)
-			goto formerr;
-		for (n = 0; n < len; n += 48) {
-			T(addstr(leader, strlen(leader), &buf, &buflen));
-			T(addstr(base64_key + n, MIN(len - n, 48),
-				 &buf, &buflen));
-		}
-		if (len > 15)
-			T(addstr(" )", 2, &buf, &buflen));
-		break;
-	    }
-
-	case ns_t_nxt: {
-		int n, c;
-
-		/* Next domain name. */
-		T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
-		/* Type bit map. */
-		n = edata - rdata;
-		for (c = 0; c < n*8; c++)
-			if (NS_NXT_BIT_ISSET(c, rdata)) {
-				len = SPRINTF((tmp, " %s", p_type(c)));
-				T(addstr(tmp, len, &buf, &buflen));
-			}
-		break;
-	    }
-
 	case ns_t_cert: {
 		u_int c_type, key_tag, alg;
 		int n;
@@ -887,81 +767,3 @@ addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen) {
 	}
 	return (spaced);
 }
-
-/* DST algorithm codes */
-#define KEY_RSA			1
-#define KEY_HMAC_MD5		157
-
-/*%
- * calculates a checksum used in dst for an id.
- * takes an array of bytes and a length.
- * returns a 16  bit checksum.
- */
-static u_int16_t
-dst_s_id_calc(const u_char *key, const int keysize)
-{
-	u_int32_t ac;
-	const u_char *kp = key;
-	int size = keysize;
-
-	if (!key || (keysize <= 0))
-		return (0xffffU);
-
-	for (ac = 0; size > 1; size -= 2, kp += 2)
-		ac += ((*kp) << 8) + *(kp + 1);
-
-	if (size > 0)
-		ac += ((*kp) << 8);
-	ac += (ac >> 16) & 0xffff;
-
-	return (ac & 0xffff);
-}
-
-/*%
- * dst_s_get_int16
- *     This routine extracts a 16 bit integer from a two byte character
- *     string.  The character string is assumed to be in network byte
- *     order and may be unaligned.  The number returned is in host order.
- * Parameter
- *     buf     A two byte character string.
- * Return
- *     The converted integer value.
- */
-
-static u_int16_t
-dst_s_get_int16(const u_char *buf)
-{
-	u_int16_t a = 0;
-	a = ((u_int16_t)(buf[0] << 8)) | ((u_int16_t)(buf[1]));
-	return (a);
-}
-
-/*%
- * dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
- *   rdata
- * Input:
- *	dns_key_rdata: the raw data in wire format
- *      rdata_len: the size of the input data
- * Output:
- *      the key footprint/id calculated from the key data
- */
-static u_int16_t
-dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
-{
-	if (!dns_key_rdata)
-		return 0;
-
-	/* compute id */
-	if (dns_key_rdata[3] == KEY_RSA)	/*%< Algorithm RSA */
-		return dst_s_get_int16((const u_char *)
-				       &dns_key_rdata[rdata_len - 3]);
-	else if (dns_key_rdata[3] == KEY_HMAC_MD5)
-		/* compatibility */
-		return 0;
-	else
-		/* compute a checksum on the key part of the key rr */
-		return dst_s_id_calc(dns_key_rdata, rdata_len);
-}
-
-
-/*! \file */
diff --git a/resolv/res_debug.c b/resolv/res_debug.c
index bd95590ccc..9b33e19497 100644
--- a/resolv/res_debug.c
+++ b/resolv/res_debug.c
@@ -371,24 +371,6 @@ const struct res_sym __p_update_section_syms[] attribute_hidden = {
 	{0,             (char *)0}
 };
 
-const struct res_sym __p_key_syms[] attribute_hidden = {
-	{NS_ALG_MD5RSA,		"RSA",		"RSA KEY with MD5 hash"},
-	{NS_ALG_DH,		"DH",		"Diffie Hellman"},
-	{NS_ALG_DSA,		"DSA",		"Digital Signature Algorithm"},
-	{NS_ALG_EXPIRE_ONLY,	"EXPIREONLY",	"No algorithm"},
-	{NS_ALG_PRIVATE_OID,	"PRIVATE",	"Algorithm obtained from OID"},
-	{0,			NULL,		NULL}
-};
-
-const struct res_sym __p_cert_syms[] attribute_hidden = {
-	{cert_t_pkix,	"PKIX",		"PKIX (X.509v3) Certificate"},
-	{cert_t_spki,	"SPKI",		"SPKI certificate"},
-	{cert_t_pgp,	"PGP",		"PGP certificate"},
-	{cert_t_url,	"URL",		"URL Private"},
-	{cert_t_oid,	"OID",		"OID Private"},
-	{0,		NULL,		NULL}
-};
-
 /*
  * Names of RR types and qtypes.  Types and qtypes are the same, except
  * that T_ANY is a qtype but not a type.  (You can ask for records of type