Remove all cookie algorithms but AES, which was used as a default, for legacy purposes.

bin/named/named.conf.docbook

@@ -222,7 +222,7 @@ options {
 	check-srv-cname ( fail | warn | ignore );
 	check-wildcard <replaceable>boolean</replaceable>;
 	clients-per-query <replaceable>integer</replaceable>;
-	cookie-algorithm ( aes | sha1 | sha256 );
+	cookie-algorithm ( aes );
 	cookie-secret <replaceable>string</replaceable>;
 	coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
 	datasize ( default | unlimited | <replaceable>sizeval</replaceable> );

bin/named/server.c

@@ -9131,10 +9131,6 @@ load_configuration(const char *filename, named_server_t *server,
 	INSIST(result == ISC_R_SUCCESS);
 	if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) {
 		server->sctx->cookiealg = ns_cookiealg_aes;
-	} else if (strcasecmp(cfg_obj_asstring(obj), "sha1") == 0) {
-		server->sctx->cookiealg = ns_cookiealg_sha1;
-	} else if (strcasecmp(cfg_obj_asstring(obj), "sha256") == 0) {
-		server->sctx->cookiealg = ns_cookiealg_sha256;
 	} else {
 		INSIST(0);
 		ISC_UNREACHABLE();
@@ -9200,24 +9196,6 @@ load_configuration(const char *filename, named_server_t *server,
 					       "128 bits");
 				}
 				break;
-			case ns_cookiealg_sha1:
-				expectedlength =
-					isc_md_type_get_size(ISC_MD_SHA1);
-				if (usedlength != expectedlength) {
-					CHECKM(ISC_R_RANGE,
-					       "SHA1 cookie-secret must be "
-					       "160 bits");
-				}
-				break;
-			case ns_cookiealg_sha256:
-				expectedlength =
-					isc_md_type_get_size(ISC_MD_SHA256);
-				if (usedlength != expectedlength) {
-					CHECKM(ISC_R_RANGE,
-					       "SHA256 cookie-secret must be "
-					       "256 bits");
-				}
-				break;
 			}
 		}
 	} else {

config.h.in

@@ -3,9 +3,6 @@
 /* Define if building universal (internal helper macro) */
 #undef AC_APPLE_UNIVERSAL_BUILD
 
-/* Use AES for Client Cookie generation */
-#undef AES_CC
-
 /* Define if you cannot bind() before connect() for TCP sockets. */
 #undef BROKEN_TCP_BIND_BEFORE_CONNECT
 
@@ -468,12 +465,6 @@
 /* Define if __thread keyword is available */
 #undef HAVE___THREAD
 
-/* Use HMAC-SHA1 for Client Cookie generation */
-#undef HMAC_SHA1_CC
-
-/* Use HMAC-SHA256 for Client Cookie generation */
-#undef HMAC_SHA256_CC
-
 /* Define if you want to use inline buffers */
 #undef ISC_BUFFER_USEINLINE
 

config.h.win32

@@ -298,15 +298,6 @@ typedef __int64 off_t;
 /* HMAC_*() return ints */
 @HMAC_RETURN_INT@
 
-/* Use AES for Client Cookie generation */
-@AES_CC@
-
-/* Use HMAC-SHA1 for Client Cookie generation */
-@HMAC_SHA1_CC@
-
-/* Use HMAC-SHA256 for Client Cookie generation */
-@HMAC_SHA256_CC@
-
 /* Define to 1 if you have the `readline' function. */
 @HAVE_READLINE@
 

configure

@@ -850,6 +850,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -911,7 +912,6 @@ with_libtool
 enable_pthread_rwlock
 with_openssl
 enable_fips_mode
-with_cc_alg
 enable_native_pkcs11
 with_pkcs11
 with_gssapi
@@ -1019,6 +1019,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1271,6 +1272,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1408,7 +1418,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1561,6 +1571,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -1661,8 +1672,6 @@ Optional Packages:
   --with-locktype=ARG     Specify mutex lock type (adaptive or standard)
   --with-libtool          use GNU libtool
   --with-openssl=DIR      root of the OpenSSL directory
-  --with-cc-alg=ALG       choose the algorithm for Client Cookie
-                          [aes|sha1|sha256] (default is aes)
   --with-pkcs11=PATH      Build with PKCS11 support [no|path] (PATH is for the
                           PKCS11 provider)
   --with-gssapi=PATH|/path/krb5-config
@@ -4001,7 +4010,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -4047,7 +4056,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -4071,7 +4080,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -4116,7 +4125,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -4140,7 +4149,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -16804,44 +16813,6 @@ esac
 
 
 
-#
-# Client Cookie algorithm choice
-#
-
-# Check whether --with-cc-alg was given.
-if test "${with_cc_alg+set}" = set; then :
-  withval=$with_cc_alg; :
-else
-  with_cc_alg="aes"
-fi
-
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the algorithm for Client Cookie" >&5
-$as_echo_n "checking for the algorithm for Client Cookie... " >&6; }
-case $with_cc_alg in #(
-  sha1|SHA1) :
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha1" >&5
-$as_echo "sha1" >&6; }
-
-$as_echo "#define HMAC_SHA1_CC 1" >>confdefs.h
- ;; #(
-  sha256|SHA256) :
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha256" >&5
-$as_echo "sha256" >&6; }
-
-$as_echo "#define HMAC_SHA256_CC 1" >>confdefs.h
- ;; #(
-  aes|AES|auto) :
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: aes" >&5
-$as_echo "aes" >&6; }
-
-$as_echo "#define AES_CC 1" >>confdefs.h
- ;; #(
-  *) :
-    as_fn_error $? "Invalid $with_cc_alg algorithm for Client Cookie" "$LINENO" 5 ;;
-esac
-
-
 PKCS11_TOOLS=
 PKCS11_TEST=
 #

configure.ac

@@ -825,26 +825,6 @@ AX_RESTORE_FLAGS([openssl])
 AC_SUBST([OPENSSL_CFLAGS])
 AC_SUBST([OPENSSL_LIBS])
 
-#
-# Client Cookie algorithm choice
-#
-AC_ARG_WITH([cc-alg],
-	    [AS_HELP_STRING([--with-cc-alg=ALG],
-			   [choose the algorithm for Client Cookie
-			    [aes|sha1|sha256] (default is aes)])],
-	    [:], [with_cc_alg="aes"])
-
-AC_MSG_CHECKING([for the algorithm for Client Cookie])
-AS_CASE([$with_cc_alg],
-	[sha1|SHA1],[AC_MSG_RESULT([sha1])
-		     AC_DEFINE([HMAC_SHA1_CC], [1], [Use HMAC-SHA1 for Client Cookie generation])],
-	[sha256|SHA256],[AC_MSG_RESULT([sha256])
-			 AC_DEFINE([HMAC_SHA256_CC], [1], [Use HMAC-SHA256 for Client Cookie generation])],
-	[aes|AES|auto],[AC_MSG_RESULT([aes])
-		       AC_DEFINE([AES_CC], [1], [Use AES for Client Cookie generation])],
-	[AC_MSG_ERROR([Invalid $with_cc_alg algorithm for Client Cookie])])
-
-
 PKCS11_TOOLS=
 PKCS11_TEST=
 #

doc/misc/options

@@ -113,7 +113,7 @@ options {
         check-wildcard <boolean>;
         cleaning-interval <integer>; // obsolete
         clients-per-query <integer>;
-        cookie-algorithm ( aes | sha1 | sha256 );
+        cookie-algorithm ( aes );
         cookie-secret <string>; // may occur multiple times
         coresize ( default | unlimited | <sizeval> );
         datasize ( default | unlimited | <sizeval> );

lib/bind9/check.c

@@ -1355,22 +1355,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 				if (result == ISC_R_SUCCESS)
 					result = ISC_R_RANGE;
 			}
-			if (strcasecmp(ccalg, "sha1") == 0 &&
-			    usedlength != ISC_SHA1_DIGESTLENGTH) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "SHA1 cookie-secret must be "
-					    "160 bits");
-				if (result == ISC_R_SUCCESS)
-					result = ISC_R_RANGE;
-			}
-			if (strcasecmp(ccalg, "sha256") == 0 &&
-			    usedlength != ISC_SHA256_DIGESTLENGTH) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "SHA256 cookie-secret must be "
-					    "256 bits");
-				if (result == ISC_R_SUCCESS)
-					result = ISC_R_RANGE;
-			}
 		}
 	}
 

lib/dns/resolver.c

@@ -27,11 +27,7 @@
 #include <isc/timer.h>
 #include <isc/util.h>
 
-#ifdef AES_CC
 #include <isc/aes.h>
-#else
-#include <isc/hmac.h>
-#endif
 
 #include <dns/acl.h>
 #include <dns/adb.h>
@@ -2277,7 +2273,6 @@ add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
 
 static void
 compute_cc(resquery_t *query, unsigned char *cookie, size_t len) {
-#ifdef AES_CC
 	unsigned char digest[ISC_AES_BLOCK_LENGTH];
 	unsigned char input[16];
 	isc_netaddr_t netaddr;
@@ -2299,40 +2294,6 @@ compute_cc(resquery_t *query, unsigned char *cookie, size_t len) {
 	for (i = 0; i < 8; i++)
 		digest[i] ^= digest[i + 8];
 	memmove(cookie, digest, 8);
-#endif
-#if defined(HMAC_SHA1_CC) || defined(HMAC_SHA256_CC)
-	unsigned char digest[ISC_MAX_MD_SIZE];
-	unsigned char *input = NULL;
-	unsigned int length = 0;
-	isc_netaddr_t netaddr;
-#if defined(HMAC_SHA1_CC)
-	isc_md_type_t type = ISC_MD_SHA1;
-	unsigned int secret_len = ISC_SHA1_DIGESTLENGTH;
-#elif defined(HMAC_SHA256_CC)
-	isc_md_type_t type = ISC_MD_SHA256;
-	unsigned int secret_len = ISC_SHA256_DIGESTLENGTH;
-#endif
-
-	INSIST(len >= 8U);
-
-	isc_netaddr_fromsockaddr(&netaddr, &query->addrinfo->sockaddr);
-	switch (netaddr.family) {
-	case AF_INET:
-		input = (unsigned char *)&netaddr.type.in;
-		length = 4;
-		break;
-	case AF_INET6:
-		input = (unsigned char *)&netaddr.type.in6;
-		length = 16;
-		break;
-	}
-
-	RUNTIME_CHECK(isc_hmac(type,
-			       query->fctx->res->view->secret, secret_len,
-			       input, length,
-			       digest, NULL) == ISC_R_SUCCESS);
-	memmove(cookie, digest, 8);
-#endif
 }
 
 static isc_result_t

lib/isccfg/namedconf.c

@@ -899,7 +899,7 @@ static cfg_type_t cfg_type_bracketed_portlist = {
 	&cfg_rep_list, &cfg_type_portrange
 };
 
-static const char *cookiealg_enums[] = { "aes", "sha1", "sha256", NULL };
+static const char *cookiealg_enums[] = { "aes", NULL };
 static cfg_type_t cfg_type_cookiealg = {
 	"cookiealg", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
 	&cfg_rep_string, &cookiealg_enums

lib/ns/client.c

@@ -1960,53 +1960,6 @@ compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce,
 		break;
 	}
 
-	case ns_cookiealg_sha1:
-	case ns_cookiealg_sha256: {
-		unsigned char digest[ISC_MAX_MD_SIZE];
-		unsigned char input[8 + 4 + 4 + 16];
-		isc_netaddr_t netaddr;
-		unsigned char *cp;
-		unsigned int length = 0;
-		isc_md_type_t md_type =
-			(client->sctx->cookiealg == ns_cookiealg_sha1)
-			? ISC_MD_SHA1
-			: ISC_MD_SHA256;
-		unsigned int secret_len = isc_md_type_get_size(md_type);
-
-		cp = isc_buffer_used(buf);
-		isc_buffer_putmem(buf, client->cookie, 8);
-		isc_buffer_putuint32(buf, nonce);
-		isc_buffer_putuint32(buf, when);
-		memmove(input, cp, 16);
-
-		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-		switch (netaddr.family) {
-		case AF_INET:
-			memmove(input + 16,
-				(unsigned char *)&netaddr.type.in, 4);
-			length = 16 + 4;
-			break;
-		case AF_INET6:
-			memmove(input + 16,
-				(unsigned char *)&netaddr.type.in6, 16);
-			length = 16 + 16;
-			break;
-		default:
-			INSIST(0);
-			ISC_UNREACHABLE();
-		}
-
-		/*
-		 * XXXOND: Feels wrong to assert on cookie calculation failure
-		 */
-		RUNTIME_CHECK(isc_hmac(md_type, secret, secret_len,
-				       input, length,
-				       digest, NULL) == ISC_R_SUCCESS);
-
-		isc_buffer_putmem(buf, digest, 8);
-		break;
-	}
-
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();

lib/ns/include/ns/types.h

@@ -27,9 +27,7 @@ typedef struct ns_server		ns_server_t;
 typedef struct ns_stats			ns_stats_t;
 
 typedef enum {
-	ns_cookiealg_aes,
-	ns_cookiealg_sha1,
-	ns_cookiealg_sha256
+	ns_cookiealg_aes
 } ns_cookiealg_t;
 
 #endif /* NS_TYPES_H */

win32utils/Configure

@@ -192,8 +192,7 @@ my @projectlist = ("..\\bin\\check\\win32\\checkconf.vcxproj",
 
 my %configdefh;
 
-my @substdefh = ("AES_CC",
-                 "CONFIGARGS",
+my @substdefh = ("CONFIGARGS",
                  "DNS_RDATASET_FIXED",
                  "HAVE_GEOIP2",
                  "HAVE_LIBXML2",
@@ -209,8 +208,6 @@ my @substdefh = ("AES_CC",
                  "HAVE_PKCS11_ED448",
                  "HAVE_READLINE",
                  "HAVE_ZLIB",
-                 "HMAC_SHA1_CC",
-                 "HMAC_SHA256_CC",
                  "ISC_LIST_CHECKINIT",
                  "TUNE_LARGE",
                  "WANT_QUERYTRACE",
@@ -1599,18 +1596,6 @@ if ($use_openssl eq "no") {
     }
 }
 
-# with-cc-alg
-if ($cookie_algorithm eq "aes") {
-    $configdefh{"AES_CC"} = 1;
-}
-if ($cookie_algorithm eq "sha1") {
-    $configdefh{"HMAC_SHA1_CC"} = 1;
-} elsif ($cookie_algorithm eq "sha256") {
-    $configdefh{"HMAC_SHA256_CC"} = 1;
-} elsif ($cookie_algorithm ne "aes") {
-    die "Unrecognized cookie algorithm: $cookie_algorithm\n";
-}
-
 if ($cryptolib ne "") {
     print "Cryptographic library for DNSSEC: $cryptolib\n";
 } else {