Commit afa81ee4 authored by Witold Kręcicki's avatar Witold Kręcicki Committed by Ondřej Surý

Remove all cookie algorithms but AES, which was used as a default, for legacy purposes.

parent 4e339427
......@@ -222,7 +222,7 @@ options {
check-srv-cname ( fail | warn | ignore );
check-wildcard <replaceable>boolean</replaceable>;
clients-per-query <replaceable>integer</replaceable>;
cookie-algorithm ( aes | sha1 | sha256 );
cookie-algorithm ( aes );
cookie-secret <replaceable>string</replaceable>;
coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
datasize ( default | unlimited | <replaceable>sizeval</replaceable> );
......
......@@ -9131,10 +9131,6 @@ load_configuration(const char *filename, named_server_t *server,
INSIST(result == ISC_R_SUCCESS);
if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) {
server->sctx->cookiealg = ns_cookiealg_aes;
} else if (strcasecmp(cfg_obj_asstring(obj), "sha1") == 0) {
server->sctx->cookiealg = ns_cookiealg_sha1;
} else if (strcasecmp(cfg_obj_asstring(obj), "sha256") == 0) {
server->sctx->cookiealg = ns_cookiealg_sha256;
} else {
INSIST(0);
ISC_UNREACHABLE();
......@@ -9200,24 +9196,6 @@ load_configuration(const char *filename, named_server_t *server,
"128 bits");
}
break;
case ns_cookiealg_sha1:
expectedlength =
isc_md_type_get_size(ISC_MD_SHA1);
if (usedlength != expectedlength) {
CHECKM(ISC_R_RANGE,
"SHA1 cookie-secret must be "
"160 bits");
}
break;
case ns_cookiealg_sha256:
expectedlength =
isc_md_type_get_size(ISC_MD_SHA256);
if (usedlength != expectedlength) {
CHECKM(ISC_R_RANGE,
"SHA256 cookie-secret must be "
"256 bits");
}
break;
}
}
} else {
......
......@@ -3,9 +3,6 @@
/* Define if building universal (internal helper macro) */
#undef AC_APPLE_UNIVERSAL_BUILD
/* Use AES for Client Cookie generation */
#undef AES_CC
/* Define if you cannot bind() before connect() for TCP sockets. */
#undef BROKEN_TCP_BIND_BEFORE_CONNECT
......@@ -468,12 +465,6 @@
/* Define if __thread keyword is available */
#undef HAVE___THREAD
/* Use HMAC-SHA1 for Client Cookie generation */
#undef HMAC_SHA1_CC
/* Use HMAC-SHA256 for Client Cookie generation */
#undef HMAC_SHA256_CC
/* Define if you want to use inline buffers */
#undef ISC_BUFFER_USEINLINE
......
......@@ -298,15 +298,6 @@ typedef __int64 off_t;
/* HMAC_*() return ints */
@HMAC_RETURN_INT@
/* Use AES for Client Cookie generation */
@AES_CC@
/* Use HMAC-SHA1 for Client Cookie generation */
@HMAC_SHA1_CC@
/* Use HMAC-SHA256 for Client Cookie generation */
@HMAC_SHA256_CC@
/* Define to 1 if you have the `readline' function. */
@HAVE_READLINE@
......
......@@ -850,6 +850,7 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
......@@ -911,7 +912,6 @@ with_libtool
enable_pthread_rwlock
with_openssl
enable_fips_mode
with_cc_alg
enable_native_pkcs11
with_pkcs11
with_gssapi
......@@ -1019,6 +1019,7 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
......@@ -1271,6 +1272,15 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
......@@ -1408,7 +1418,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir
libdir localedir mandir runstatedir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
......@@ -1561,6 +1571,7 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
......@@ -1661,8 +1672,6 @@ Optional Packages:
--with-locktype=ARG Specify mutex lock type (adaptive or standard)
--with-libtool use GNU libtool
--with-openssl=DIR root of the OpenSSL directory
--with-cc-alg=ALG choose the algorithm for Client Cookie
[aes|sha1|sha256] (default is aes)
--with-pkcs11=PATH Build with PKCS11 support [no|path] (PATH is for the
PKCS11 provider)
--with-gssapi=PATH|/path/krb5-config
......@@ -4001,7 +4010,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......@@ -4047,7 +4056,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......@@ -4071,7 +4080,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......@@ -4116,7 +4125,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......@@ -4140,7 +4149,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
......@@ -16804,44 +16813,6 @@ esac
#
# Client Cookie algorithm choice
#
# Check whether --with-cc-alg was given.
if test "${with_cc_alg+set}" = set; then :
withval=$with_cc_alg; :
else
with_cc_alg="aes"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the algorithm for Client Cookie" >&5
$as_echo_n "checking for the algorithm for Client Cookie... " >&6; }
case $with_cc_alg in #(
sha1|SHA1) :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: sha1" >&5
$as_echo "sha1" >&6; }
$as_echo "#define HMAC_SHA1_CC 1" >>confdefs.h
;; #(
sha256|SHA256) :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: sha256" >&5
$as_echo "sha256" >&6; }
$as_echo "#define HMAC_SHA256_CC 1" >>confdefs.h
;; #(
aes|AES|auto) :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: aes" >&5
$as_echo "aes" >&6; }
$as_echo "#define AES_CC 1" >>confdefs.h
;; #(
*) :
as_fn_error $? "Invalid $with_cc_alg algorithm for Client Cookie" "$LINENO" 5 ;;
esac
PKCS11_TOOLS=
PKCS11_TEST=
#
......
......@@ -825,26 +825,6 @@ AX_RESTORE_FLAGS([openssl])
AC_SUBST([OPENSSL_CFLAGS])
AC_SUBST([OPENSSL_LIBS])
#
# Client Cookie algorithm choice
#
AC_ARG_WITH([cc-alg],
[AS_HELP_STRING([--with-cc-alg=ALG],
[choose the algorithm for Client Cookie
[aes|sha1|sha256] (default is aes)])],
[:], [with_cc_alg="aes"])
AC_MSG_CHECKING([for the algorithm for Client Cookie])
AS_CASE([$with_cc_alg],
[sha1|SHA1],[AC_MSG_RESULT([sha1])
AC_DEFINE([HMAC_SHA1_CC], [1], [Use HMAC-SHA1 for Client Cookie generation])],
[sha256|SHA256],[AC_MSG_RESULT([sha256])
AC_DEFINE([HMAC_SHA256_CC], [1], [Use HMAC-SHA256 for Client Cookie generation])],
[aes|AES|auto],[AC_MSG_RESULT([aes])
AC_DEFINE([AES_CC], [1], [Use AES for Client Cookie generation])],
[AC_MSG_ERROR([Invalid $with_cc_alg algorithm for Client Cookie])])
PKCS11_TOOLS=
PKCS11_TEST=
#
......
......@@ -113,7 +113,7 @@ options {
check-wildcard <boolean>;
cleaning-interval <integer>; // obsolete
clients-per-query <integer>;
cookie-algorithm ( aes | sha1 | sha256 );
cookie-algorithm ( aes );
cookie-secret <string>; // may occur multiple times
coresize ( default | unlimited | <sizeval> );
datasize ( default | unlimited | <sizeval> );
......
......@@ -1355,22 +1355,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (result == ISC_R_SUCCESS)
result = ISC_R_RANGE;
}
if (strcasecmp(ccalg, "sha1") == 0 &&
usedlength != ISC_SHA1_DIGESTLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"SHA1 cookie-secret must be "
"160 bits");
if (result == ISC_R_SUCCESS)
result = ISC_R_RANGE;
}
if (strcasecmp(ccalg, "sha256") == 0 &&
usedlength != ISC_SHA256_DIGESTLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"SHA256 cookie-secret must be "
"256 bits");
if (result == ISC_R_SUCCESS)
result = ISC_R_RANGE;
}
}
}
......
......@@ -27,11 +27,7 @@
#include <isc/timer.h>
#include <isc/util.h>
#ifdef AES_CC
#include <isc/aes.h>
#else
#include <isc/hmac.h>
#endif
#include <dns/acl.h>
#include <dns/adb.h>
......@@ -2277,7 +2273,6 @@ add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
static void
compute_cc(resquery_t *query, unsigned char *cookie, size_t len) {
#ifdef AES_CC
unsigned char digest[ISC_AES_BLOCK_LENGTH];
unsigned char input[16];
isc_netaddr_t netaddr;
......@@ -2299,40 +2294,6 @@ compute_cc(resquery_t *query, unsigned char *cookie, size_t len) {
for (i = 0; i < 8; i++)
digest[i] ^= digest[i + 8];
memmove(cookie, digest, 8);
#endif
#if defined(HMAC_SHA1_CC) || defined(HMAC_SHA256_CC)
unsigned char digest[ISC_MAX_MD_SIZE];
unsigned char *input = NULL;
unsigned int length = 0;
isc_netaddr_t netaddr;
#if defined(HMAC_SHA1_CC)
isc_md_type_t type = ISC_MD_SHA1;
unsigned int secret_len = ISC_SHA1_DIGESTLENGTH;
#elif defined(HMAC_SHA256_CC)
isc_md_type_t type = ISC_MD_SHA256;
unsigned int secret_len = ISC_SHA256_DIGESTLENGTH;
#endif
INSIST(len >= 8U);
isc_netaddr_fromsockaddr(&netaddr, &query->addrinfo->sockaddr);
switch (netaddr.family) {
case AF_INET:
input = (unsigned char *)&netaddr.type.in;
length = 4;
break;
case AF_INET6:
input = (unsigned char *)&netaddr.type.in6;
length = 16;
break;
}
RUNTIME_CHECK(isc_hmac(type,
query->fctx->res->view->secret, secret_len,
input, length,
digest, NULL) == ISC_R_SUCCESS);
memmove(cookie, digest, 8);
#endif
}
static isc_result_t
......
......@@ -899,7 +899,7 @@ static cfg_type_t cfg_type_bracketed_portlist = {
&cfg_rep_list, &cfg_type_portrange
};
static const char *cookiealg_enums[] = { "aes", "sha1", "sha256", NULL };
static const char *cookiealg_enums[] = { "aes", NULL };
static cfg_type_t cfg_type_cookiealg = {
"cookiealg", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
&cfg_rep_string, &cookiealg_enums
......
......@@ -1960,53 +1960,6 @@ compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce,
break;
}
case ns_cookiealg_sha1:
case ns_cookiealg_sha256: {
unsigned char digest[ISC_MAX_MD_SIZE];
unsigned char input[8 + 4 + 4 + 16];
isc_netaddr_t netaddr;
unsigned char *cp;
unsigned int length = 0;
isc_md_type_t md_type =
(client->sctx->cookiealg == ns_cookiealg_sha1)
? ISC_MD_SHA1
: ISC_MD_SHA256;
unsigned int secret_len = isc_md_type_get_size(md_type);
cp = isc_buffer_used(buf);
isc_buffer_putmem(buf, client->cookie, 8);
isc_buffer_putuint32(buf, nonce);
isc_buffer_putuint32(buf, when);
memmove(input, cp, 16);
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
switch (netaddr.family) {
case AF_INET:
memmove(input + 16,
(unsigned char *)&netaddr.type.in, 4);
length = 16 + 4;
break;
case AF_INET6:
memmove(input + 16,
(unsigned char *)&netaddr.type.in6, 16);
length = 16 + 16;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
/*
* XXXOND: Feels wrong to assert on cookie calculation failure
*/
RUNTIME_CHECK(isc_hmac(md_type, secret, secret_len,
input, length,
digest, NULL) == ISC_R_SUCCESS);
isc_buffer_putmem(buf, digest, 8);
break;
}
default:
INSIST(0);
ISC_UNREACHABLE();
......
......@@ -27,9 +27,7 @@ typedef struct ns_server ns_server_t;
typedef struct ns_stats ns_stats_t;
typedef enum {
ns_cookiealg_aes,
ns_cookiealg_sha1,
ns_cookiealg_sha256
ns_cookiealg_aes
} ns_cookiealg_t;
#endif /* NS_TYPES_H */
......@@ -192,8 +192,7 @@ my @projectlist = ("..\\bin\\check\\win32\\checkconf.vcxproj",
my %configdefh;
my @substdefh = ("AES_CC",
"CONFIGARGS",
my @substdefh = ("CONFIGARGS",
"DNS_RDATASET_FIXED",
"HAVE_GEOIP2",
"HAVE_LIBXML2",
......@@ -209,8 +208,6 @@ my @substdefh = ("AES_CC",
"HAVE_PKCS11_ED448",
"HAVE_READLINE",
"HAVE_ZLIB",
"HMAC_SHA1_CC",
"HMAC_SHA256_CC",
"ISC_LIST_CHECKINIT",
"TUNE_LARGE",
"WANT_QUERYTRACE",
......@@ -1599,18 +1596,6 @@ if ($use_openssl eq "no") {
}
}
# with-cc-alg
if ($cookie_algorithm eq "aes") {
$configdefh{"AES_CC"} = 1;
}
if ($cookie_algorithm eq "sha1") {
$configdefh{"HMAC_SHA1_CC"} = 1;
} elsif ($cookie_algorithm eq "sha256") {
$configdefh{"HMAC_SHA256_CC"} = 1;
} elsif ($cookie_algorithm ne "aes") {
die "Unrecognized cookie algorithm: $cookie_algorithm\n";
}
if ($cryptolib ne "") {
print "Cryptographic library for DNSSEC: $cryptolib\n";
} else {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment