


GNU C Library master sources branch master updated. glibc-2.24-169-g3a2a1d2


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  3a2a1d2cc2e3c9fad9d93eaecf5874f04a679606 (commit)
      from  f4a36548d86453792e3db05898f6f2b732c32581 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3a2a1d2cc2e3c9fad9d93eaecf5874f04a679606

commit 3a2a1d2cc2e3c9fad9d93eaecf5874f04a679606
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Sep 21 16:08:31 2016 +0200

    Remove obsolete DNSSEC support [BZ #20591]
    
    The removed function declarations have never been implemented in libresolv.

diff --git a/ChangeLog b/ChangeLog
index b1a6692..efa0af5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,21 @@
 2016-09-21  Florian Weimer  <fweimer@redhat.com>
 
+	[BZ #20591]
+	Remove obsolete DNSSEC support.
+	* resolv/arpa/nameser.h (ns_key_types, NS_KEY_*, NS_ALG_*)
+	(NS_MD5_RSA_*, NS_DSA_*, NS_NXT_*, ns_sign, ns_sign2, ns_sign_tcp)
+	(ns_sign_tcp2, ns_sign_tcp_init, ns_find_tsig, ns_verify)
+	(ns_verify_tcp, ns_verify_tcp_init): Remove.
+	(ns_cert_types): Add comment.
+	* resolv/ns_print.c (ns_sprintrrf): Do not handle DNSSEC records
+	separately.
+	(KEY_RSA, KEY_HMAC_MD5, dst_s_id_calc, dst_s_get_int16)
+	(dst_s_dns_key_id): Remove.
+	* resolv/res_debug.c (__p_key_syms, __p_cert_syms): Remove unused
+	variables.
+
+2016-09-21  Florian Weimer  <fweimer@redhat.com>
+
 	[BZ #20524]
 	* manual/string.texi (String/Array Comparison): Clarify the
 	strverscmp behavior.
diff --git a/NEWS b/NEWS
index 0ea6bfa..5f7fc07 100644
--- a/NEWS
+++ b/NEWS
@@ -44,6 +44,12 @@ Version 2.25
   for the Linux quota interface which predates kernel version 2.4.22 has
   been removed.
 
+* DNSSEC-related declarations and definitions have been removed from the
+  <arpa/nameser.h> header file, and libresolv will no longer attempt to
+  decode the data part of DNSSEC record types.  Previous versions of glibc
+  only implemented minimal support for the previous version of DNSSEC, which
+  is incompatible with the currently deployed version.
+
 Security related changes:
 
   On ARM EABI (32-bit), generating a backtrace for execution contexts which
diff --git a/resolv/arpa/nameser.h b/resolv/arpa/nameser.h
index 04f8844..cdbec23 100644
--- a/resolv/arpa/nameser.h
+++ b/resolv/arpa/nameser.h
@@ -326,15 +326,7 @@ typedef enum __ns_class {
 	ns_c_max = 65536
 } ns_class;
 
-/* DNSSEC constants. */
-
-typedef enum __ns_key_types {
-	ns_kt_rsa = 1,		/*%< key type RSA/MD5 */
-	ns_kt_dh  = 2,		/*%< Diffie Hellman */
-	ns_kt_dsa = 3,		/*%< Digital Signature Standard (MANDATORY) */
-	ns_kt_private = 254	/*%< Private key type starts with OID */
-} ns_key_types;
-
+/* Certificate type values in CERT resource records.  */
 typedef enum __ns_cert_types {
 	cert_t_pkix = 1,	/*%< PKIX (X.509v3) */
 	cert_t_spki = 2,	/*%< SPKI */
@@ -343,82 +335,6 @@ typedef enum __ns_cert_types {
 	cert_t_oid  = 254	/*%< OID private type */
 } ns_cert_types;
 
-/* Flags field of the KEY RR rdata. */
-#define	NS_KEY_TYPEMASK		0xC000	/*%< Mask for "type" bits */
-#define	NS_KEY_TYPE_AUTH_CONF	0x0000	/*%< Key usable for both */
-#define	NS_KEY_TYPE_CONF_ONLY	0x8000	/*%< Key usable for confidentiality */
-#define	NS_KEY_TYPE_AUTH_ONLY	0x4000	/*%< Key usable for authentication */
-#define	NS_KEY_TYPE_NO_KEY	0xC000	/*%< No key usable for either; no key */
-/* The type bits can also be interpreted independently, as single bits: */
-#define	NS_KEY_NO_AUTH		0x8000	/*%< Key unusable for authentication */
-#define	NS_KEY_NO_CONF		0x4000	/*%< Key unusable for confidentiality */
-#define	NS_KEY_RESERVED2	0x2000	/* Security is *mandatory* if bit=0 */
-#define	NS_KEY_EXTENDED_FLAGS	0x1000	/*%< reserved - must be zero */
-#define	NS_KEY_RESERVED4	0x0800  /*%< reserved - must be zero */
-#define	NS_KEY_RESERVED5	0x0400  /*%< reserved - must be zero */
-#define	NS_KEY_NAME_TYPE	0x0300	/*%< these bits determine the type */
-#define	NS_KEY_NAME_USER	0x0000	/*%< key is assoc. with user */
-#define	NS_KEY_NAME_ENTITY	0x0200	/*%< key is assoc. with entity eg host */
-#define	NS_KEY_NAME_ZONE	0x0100	/*%< key is zone key */
-#define	NS_KEY_NAME_RESERVED	0x0300	/*%< reserved meaning */
-#define	NS_KEY_RESERVED8	0x0080  /*%< reserved - must be zero */
-#define	NS_KEY_RESERVED9	0x0040  /*%< reserved - must be zero */
-#define	NS_KEY_RESERVED10	0x0020  /*%< reserved - must be zero */
-#define	NS_KEY_RESERVED11	0x0010  /*%< reserved - must be zero */
-#define	NS_KEY_SIGNATORYMASK	0x000F	/*%< key can sign RR's of same name */
-#define	NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \
-				  NS_KEY_RESERVED4 | \
-				  NS_KEY_RESERVED5 | \
-				  NS_KEY_RESERVED8 | \
-				  NS_KEY_RESERVED9 | \
-				  NS_KEY_RESERVED10 | \
-				  NS_KEY_RESERVED11 )
-#define NS_KEY_RESERVED_BITMASK2 0xFFFF /*%< no bits defined here */
-/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define	NS_ALG_MD5RSA		1	/*%< MD5 with RSA */
-#define	NS_ALG_DH               2	/*%< Diffie Hellman KEY */
-#define	NS_ALG_DSA              3	/*%< DSA KEY */
-#define	NS_ALG_DSS              NS_ALG_DSA
-#define	NS_ALG_EXPIRE_ONLY	253	/*%< No alg, no security */
-#define	NS_ALG_PRIVATE_OID	254	/*%< Key begins with OID giving alg */
-/* Protocol values  */
-/* value 0 is reserved */
-#define NS_KEY_PROT_TLS         1
-#define NS_KEY_PROT_EMAIL       2
-#define NS_KEY_PROT_DNSSEC      3
-#define NS_KEY_PROT_IPSEC       4
-#define NS_KEY_PROT_ANY		255
-
-/* Signatures */
-#define	NS_MD5RSA_MIN_BITS	 512	/*%< Size of a mod or exp in bits */
-#define	NS_MD5RSA_MAX_BITS	4096
-	/* Total of binary mod and exp */
-#define	NS_MD5RSA_MAX_BYTES	((NS_MD5RSA_MAX_BITS+7/8)*2+3)
-	/* Max length of text sig block */
-#define	NS_MD5RSA_MAX_BASE64	(((NS_MD5RSA_MAX_BYTES+2)/3)*4)
-#define NS_MD5RSA_MIN_SIZE	((NS_MD5RSA_MIN_BITS+7)/8)
-#define NS_MD5RSA_MAX_SIZE	((NS_MD5RSA_MAX_BITS+7)/8)
-
-#define NS_DSA_SIG_SIZE         41
-#define NS_DSA_MIN_SIZE         213
-#define NS_DSA_MAX_BYTES        405
-
-/* Offsets into SIG record rdata to find various values */
-#define	NS_SIG_TYPE	0	/*%< Type flags */
-#define	NS_SIG_ALG	2	/*%< Algorithm */
-#define	NS_SIG_LABELS	3	/*%< How many labels in name */
-#define	NS_SIG_OTTL	4	/*%< Original TTL */
-#define	NS_SIG_EXPIR	8	/*%< Expiration time */
-#define	NS_SIG_SIGNED	12	/*%< Signature time */
-#define	NS_SIG_FOOT	16	/*%< Key footprint */
-#define	NS_SIG_SIGNER	18	/*%< Domain name of who signed it */
-/* How RR types are represented as bit-flags in NXT records */
-#define	NS_NXT_BITS 8
-#define	NS_NXT_BIT_SET(  n,p) (p[(n)/NS_NXT_BITS] |=  (0x80>>((n)%NS_NXT_BITS)))
-#define	NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS)))
-#define	NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] &   (0x80>>((n)%NS_NXT_BITS)))
-#define NS_NXT_MAX 127
-
 /*%
  * EDNS0 extended flags and option codes, host order.
  */
@@ -498,25 +414,6 @@ int		ns_name_compress (const char *, u_char *, size_t,
 int		ns_name_skip (const u_char **, const u_char *) __THROW;
 void		ns_name_rollback (const u_char *, const u_char **,
 				  const u_char **) __THROW;
-int		ns_sign (u_char *, int *, int, int, void *,
-			 const u_char *, int, u_char *, int *, time_t) __THROW;
-int		ns_sign2 (u_char *, int *, int, int, void *,
-			  const u_char *, int, u_char *, int *, time_t,
-			  u_char **, u_char **) __THROW;
-int		ns_sign_tcp (u_char *, int *, int, int,
-			     ns_tcp_tsig_state *, int) __THROW;
-int		ns_sign_tcp2 (u_char *, int *, int, int,
-			      ns_tcp_tsig_state *, int,
-			      u_char **, u_char **) __THROW;
-int		ns_sign_tcp_init (void *, const u_char *, int,
-				  ns_tcp_tsig_state *) __THROW;
-u_char		*ns_find_tsig (u_char *, u_char *) __THROW;
-int		ns_verify (u_char *, int *, void *, const u_char *, int,
-			   u_char *, int *, time_t *, int) __THROW;
-int		ns_verify_tcp (u_char *, int *, ns_tcp_tsig_state *, int)
-     __THROW;
-int		ns_verify_tcp_init (void *, const u_char *, int,
-				    ns_tcp_tsig_state *) __THROW;
 int		ns_samedomain (const char *, const char *) __THROW;
 int		ns_subdomain (const char *, const char *) __THROW;
 int		ns_makecanon (const char *, char *, size_t) __THROW;
diff --git a/resolv/ns_print.c b/resolv/ns_print.c
index 7a0e7d5..f55680c 100644
--- a/resolv/ns_print.c
+++ b/resolv/ns_print.c
@@ -47,8 +47,6 @@ static int	addstr(const char *src, size_t len,
 static int	addtab(size_t len, size_t target, int spaced,
 		       char **buf, size_t *buflen);
 
-static u_int16_t dst_s_dns_key_id(const u_char *, const int);
-
 /* Macros. */
 
 #define	T(x) \
@@ -436,124 +434,6 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 		break;
 	    }
 
-	case ns_t_key: {
-		char base64_key[NS_MD5RSA_MAX_BASE64];
-		u_int keyflags, protocol, algorithm, key_id;
-		const char *leader;
-		int n;
-
-		if (rdlen < 0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ)
-			goto formerr;
-
-		/* Key flags, Protocol, Algorithm. */
-		key_id = dst_s_dns_key_id(rdata, edata-rdata);
-		keyflags = ns_get16(rdata);  rdata += NS_INT16SZ;
-		protocol = *rdata++;
-		algorithm = *rdata++;
-		len = SPRINTF((tmp, "0x%04x %u %u",
-			       keyflags, protocol, algorithm));
-		T(addstr(tmp, len, &buf, &buflen));
-
-		/* Public key data. */
-		len = b64_ntop(rdata, edata - rdata,
-			       base64_key, sizeof base64_key);
-		if (len < 0)
-			goto formerr;
-		if (len > 15) {
-			T(addstr(" (", 2, &buf, &buflen));
-			leader = "\n\t\t";
-			spaced = 0;
-		} else
-			leader = " ";
-		for (n = 0; n < len; n += 48) {
-			T(addstr(leader, strlen(leader), &buf, &buflen));
-			T(addstr(base64_key + n, MIN(len - n, 48),
-				 &buf, &buflen));
-		}
-		if (len > 15)
-			T(addstr(" )", 2, &buf, &buflen));
-		n = SPRINTF((tmp, " ; key_tag= %u", key_id));
-		T(addstr(tmp, n, &buf, &buflen));
-
-		break;
-	    }
-
-	case ns_t_sig: {
-		char base64_key[NS_MD5RSA_MAX_BASE64];
-		u_int type, algorithm, labels, footprint;
-		const char *leader;
-		u_long t;
-		int n;
-
-		if (rdlen < 22U)
-			goto formerr;
-
-		/* Type covered, Algorithm, Label count, Original TTL. */
-	        type = ns_get16(rdata);  rdata += NS_INT16SZ;
-		algorithm = *rdata++;
-		labels = *rdata++;
-		t = ns_get32(rdata);  rdata += NS_INT32SZ;
-		len = SPRINTF((tmp, "%s %d %d %lu ",
-			       p_type(type), algorithm, labels, t));
-		T(addstr(tmp, len, &buf, &buflen));
-		if (labels > (u_int)dn_count_labels(name))
-			goto formerr;
-
-		/* Signature expiry. */
-		t = ns_get32(rdata);  rdata += NS_INT32SZ;
-		len = SPRINTF((tmp, "%s ", p_secstodate(t)));
-		T(addstr(tmp, len, &buf, &buflen));
-
-		/* Time signed. */
-		t = ns_get32(rdata);  rdata += NS_INT32SZ;
-		len = SPRINTF((tmp, "%s ", p_secstodate(t)));
-		T(addstr(tmp, len, &buf, &buflen));
-
-		/* Signature Footprint. */
-		footprint = ns_get16(rdata);  rdata += NS_INT16SZ;
-		len = SPRINTF((tmp, "%u ", footprint));
-		T(addstr(tmp, len, &buf, &buflen));
-
-		/* Signer's name. */
-		T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
-		/* Signature. */
-		len = b64_ntop(rdata, edata - rdata,
-			       base64_key, sizeof base64_key);
-		if (len > 15) {
-			T(addstr(" (", 2, &buf, &buflen));
-			leader = "\n\t\t";
-			spaced = 0;
-		} else
-			leader = " ";
-		if (len < 0)
-			goto formerr;
-		for (n = 0; n < len; n += 48) {
-			T(addstr(leader, strlen(leader), &buf, &buflen));
-			T(addstr(base64_key + n, MIN(len - n, 48),
-				 &buf, &buflen));
-		}
-		if (len > 15)
-			T(addstr(" )", 2, &buf, &buflen));
-		break;
-	    }
-
-	case ns_t_nxt: {
-		int n, c;
-
-		/* Next domain name. */
-		T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
-		/* Type bit map. */
-		n = edata - rdata;
-		for (c = 0; c < n*8; c++)
-			if (NS_NXT_BIT_ISSET(c, rdata)) {
-				len = SPRINTF((tmp, " %s", p_type(c)));
-				T(addstr(tmp, len, &buf, &buflen));
-			}
-		break;
-	    }
-
 	case ns_t_cert: {
 		u_int c_type, key_tag, alg;
 		int n;
@@ -887,81 +767,3 @@ addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen) {
 	}
 	return (spaced);
 }
-
-/* DST algorithm codes */
-#define KEY_RSA			1
-#define KEY_HMAC_MD5		157
-
-/*%
- * calculates a checksum used in dst for an id.
- * takes an array of bytes and a length.
- * returns a 16  bit checksum.
- */
-static u_int16_t
-dst_s_id_calc(const u_char *key, const int keysize)
-{
-	u_int32_t ac;
-	const u_char *kp = key;
-	int size = keysize;
-
-	if (!key || (keysize <= 0))
-		return (0xffffU);
-
-	for (ac = 0; size > 1; size -= 2, kp += 2)
-		ac += ((*kp) << 8) + *(kp + 1);
-
-	if (size > 0)
-		ac += ((*kp) << 8);
-	ac += (ac >> 16) & 0xffff;
-
-	return (ac & 0xffff);
-}
-
-/*%
- * dst_s_get_int16
- *     This routine extracts a 16 bit integer from a two byte character
- *     string.  The character string is assumed to be in network byte
- *     order and may be unaligned.  The number returned is in host order.
- * Parameter
- *     buf     A two byte character string.
- * Return
- *     The converted integer value.
- */
-
-static u_int16_t
-dst_s_get_int16(const u_char *buf)
-{
-	u_int16_t a = 0;
-	a = ((u_int16_t)(buf[0] << 8)) | ((u_int16_t)(buf[1]));
-	return (a);
-}
-
-/*%
- * dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
- *   rdata
- * Input:
- *	dns_key_rdata: the raw data in wire format
- *      rdata_len: the size of the input data
- * Output:
- *      the key footprint/id calculated from the key data
- */
-static u_int16_t
-dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
-{
-	if (!dns_key_rdata)
-		return 0;
-
-	/* compute id */
-	if (dns_key_rdata[3] == KEY_RSA)	/*%< Algorithm RSA */
-		return dst_s_get_int16((const u_char *)
-				       &dns_key_rdata[rdata_len - 3]);
-	else if (dns_key_rdata[3] == KEY_HMAC_MD5)
-		/* compatibility */
-		return 0;
-	else
-		/* compute a checksum on the key part of the key rr */
-		return dst_s_id_calc(dns_key_rdata, rdata_len);
-}
-
-
-/*! \file */
diff --git a/resolv/res_debug.c b/resolv/res_debug.c
index bd95590..9b33e19 100644
--- a/resolv/res_debug.c
+++ b/resolv/res_debug.c
@@ -371,24 +371,6 @@ const struct res_sym __p_update_section_syms[] attribute_hidden = {
 	{0,             (char *)0}
 };
 
-const struct res_sym __p_key_syms[] attribute_hidden = {
-	{NS_ALG_MD5RSA,		"RSA",		"RSA KEY with MD5 hash"},
-	{NS_ALG_DH,		"DH",		"Diffie Hellman"},
-	{NS_ALG_DSA,		"DSA",		"Digital Signature Algorithm"},
-	{NS_ALG_EXPIRE_ONLY,	"EXPIREONLY",	"No algorithm"},
-	{NS_ALG_PRIVATE_OID,	"PRIVATE",	"Algorithm obtained from OID"},
-	{0,			NULL,		NULL}
-};
-
-const struct res_sym __p_cert_syms[] attribute_hidden = {
-	{cert_t_pkix,	"PKIX",		"PKIX (X.509v3) Certificate"},
-	{cert_t_spki,	"SPKI",		"SPKI certificate"},
-	{cert_t_pgp,	"PGP",		"PGP certificate"},
-	{cert_t_url,	"URL",		"URL Private"},
-	{cert_t_oid,	"OID",		"OID Private"},
-	{0,		NULL,		NULL}
-};
-
 /*
  * Names of RR types and qtypes.  Types and qtypes are the same, except
  * that T_ANY is a qtype but not a type.  (You can ask for records of type

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog             |   16 ++++
 NEWS                  |    6 ++
 resolv/arpa/nameser.h |  105 +--------------------------
 resolv/ns_print.c     |  198 -------------------------------------------------
 resolv/res_debug.c    |   18 -----
 5 files changed, 23 insertions(+), 320 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

