Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-2-0]: src/dist/bind/bin/named Apply patch (requested by adrianp i...
details: https://anonhg.NetBSD.org/src/rev/daf5365cd14c
branches: netbsd-2-0
changeset: 565060:daf5365cd14c
user: bouyer <bouyer%NetBSD.org@localhost>
date: Wed Sep 12 20:54:20 2007 +0000
description:
Apply patch (requested by adrianp in ticket #11365):
dist/bind/bin/named/ns_forw.c: patch
dist/bind/bin/named/ns_func.h: patch
dist/bind/bin/named/ns_main.c: patch
dist/bind/bin/named/ns_resp.c: patch
Address security issue in named(8) documented in CVE-2007-2930 and
VU#927905: use arc4 rather than LC NSID for QID RNG.
diffstat:
dist/bind/bin/named/ns_forw.c | 4 +-
dist/bind/bin/named/ns_func.h | 3 +-
dist/bind/bin/named/ns_main.c | 426 ++---------------------------------------
dist/bind/bin/named/ns_resp.c | 6 +-
4 files changed, 28 insertions(+), 411 deletions(-)
diffs (truncated from 539 to 300 lines):
diff -r a8846f66bb30 -r daf5365cd14c dist/bind/bin/named/ns_forw.c
--- a/dist/bind/bin/named/ns_forw.c Sun Aug 12 19:54:53 2007 +0000
+++ b/dist/bind/bin/named/ns_forw.c Wed Sep 12 20:54:20 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ns_forw.c,v 1.7 2003/08/07 09:20:44 agc Exp $ */
+/* $NetBSD: ns_forw.c,v 1.7.2.1 2007/09/12 20:54:20 bouyer Exp $ */
#if !defined(lint) && !defined(SABER)
static const char sccsid[] = "@(#)ns_forw.c 4.32 (Berkeley) 3/3/91";
@@ -190,7 +190,7 @@
in_tsig->siglen);
if (use_tcp)
qp->q_flags |= Q_USEVC;
- hp->id = qp->q_nsid = htons(nsid_next());
+ hp->id = qp->q_nsid = nsid_next();
hp->ancount = htons(0);
hp->nscount = htons(0);
hp->arcount = htons(0);
diff -r a8846f66bb30 -r daf5365cd14c dist/bind/bin/named/ns_func.h
--- a/dist/bind/bin/named/ns_func.h Sun Aug 12 19:54:53 2007 +0000
+++ b/dist/bind/bin/named/ns_func.h Wed Sep 12 20:54:20 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ns_func.h,v 1.9 2003/08/07 09:20:44 agc Exp $ */
+/* $NetBSD: ns_func.h,v 1.9.2.1 2007/09/12 20:54:20 bouyer Exp $ */
/*
* Copyright (c) 1985, 1990
@@ -278,7 +278,6 @@
void sq_done(struct qstream *);
void ns_setproctitle(char *, int);
void getnetconf(int);
-void nsid_init(void);
void ns_setoption(int option);
void writestream(struct qstream *, const u_char *, int);
void ns_need_unsafe(enum need);
diff -r a8846f66bb30 -r daf5365cd14c dist/bind/bin/named/ns_main.c
--- a/dist/bind/bin/named/ns_main.c Sun Aug 12 19:54:53 2007 +0000
+++ b/dist/bind/bin/named/ns_main.c Wed Sep 12 20:54:20 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ns_main.c,v 1.16 2003/08/07 09:20:45 agc Exp $ */
+/* $NetBSD: ns_main.c,v 1.16.2.1 2007/09/12 20:54:20 bouyer Exp $ */
#if !defined(lint) && !defined(SABER)
static const char sccsid[] = "@(#)ns_main.c 4.55 (Berkeley) 7/1/91";
@@ -169,15 +169,6 @@
#endif
listenmax = 50;
-static u_int16_t nsid_state;
-static u_int16_t *nsid_pool; /* optional query id pool */
-static u_int16_t *nsid_vtable; /* optional shuffle table */
-static u_int32_t nsid_hash_state;
-static u_int16_t nsid_a1, nsid_a2, nsid_a3;
-static u_int16_t nsid_c1, nsid_c2, nsid_c3;
-static u_int16_t nsid_state2;
-static int nsid_algorithm;
-
static int needs = 0, needs_exit = 0, needs_restart = 0;
static handler handlers[main_need_num];
static void savedg_waitfunc(evContext, void*, const void*);
@@ -486,6 +477,9 @@
init_signals();
ns_notice(ns_log_default, "starting (%s). %s", conffile, Version);
+ ns_notice(ns_log_default, "Note: BIND8 is in END OF LIFE as of"
+ " August 2007. You should be running BIND9."
+ " See http://www.isc.org/ for details.");
/*
* Initialize and load database.
@@ -497,8 +491,6 @@
time(&boottime);
resettime = boottime;
- nsid_init();
-
/*
* Fork and go into background now that
* we've done any slow initialization
@@ -2377,400 +2369,33 @@
return (ifp);
}
-/*
- * These are here in case we ever want to get more clever, like perhaps
- * using a bitmap to keep track of outstanding queries and a random
- * allocation scheme to make it a little harder to predict them. Note
- * that the resolver will need the same protection so the cleverness
- * should be put there rather than here; this is just an interface layer.
- *
- * This is true but ... most clients only send out a few queries, they
- * use varying port numbers, and the queries aren't sent to the outside
- * world which we know is full of spoofers. Doing a good job of randomizing
- * ids may also be to expensive for each client. Queries forwarded by the
- * server always come from the same port (unless you let 8.x pick a port
- * and restart it periodically - maybe it should open several and use
- * them randomly). The server sends out lots more queries, and if it's
- * cache is corrupted, it has the potential to affect more clients.
- * NOTE: - randomizing the ID or source port doesn't help a bit if the
- * queries can be sniffed.
- * -- DL
- */
-
-/*
- * Allow the user to pick one of two ID randomization algorithms.
- *
- * The first algorithm is an adaptation of the sequence shuffling
- * algorithm discovered by Carter Bays and S. D. Durham [ACM Trans. Math.
- * Software 2 (1976), 59-64], as documented as Algorithm B in Chapter
- * 3.2.2 in Volume 2 of Knuth's "The Art of Computer Programming". We use
- * a randomly selected linear congruential random number generator with a
- * modulus of 2^16, whose increment is a randomly picked odd number, and
- * whose multiplier is picked from a set which meets the following
- * criteria:
- * Is of the form 8*n+5, which ensures "high potency" according to
- * principle iii in the summary chapter 3.6. This form also has a
- * gcd(a-1,m) of 4 which is good according to principle iv.
- *
- * Is between 0.01 and 0.99 times the modulus as specified by
- * principle iv.
- *
- * Passes the spectral test "with flying colors" (ut >= 1) in
- * dimensions 2 through 6 as calculated by Algorithm S in Chapter
- * 3.3.4 and the ratings calculated by formula 35 in section E.
- *
- * Of the multipliers that pass this test, pick the set that is
- * best according to the theoretical bounds of the serial
- * correlation test. This was calculated using a simplified
- * version of Knuth's Theorem K in Chapter 3.3.3.
+/* void
+ * nsid_hash(buf, len)
+ * mix this entropy into the random number generator.
*
- * These criteria may not be important for this use, but we might as well
- * pick from the best generators since there are so many possible ones and
- * we don't have that many random bits to do the picking.
- *
- * We use a modulus of 2^16 instead of something bigger so that we will
- * tend to cycle through all the possible IDs before repeating any,
- * however the shuffling will perturb this somewhat. Theoretically there
- * is no minimimum interval between two uses of the same ID, but in
- * practice it seems to be >64000.
- *
- * Our adaptatation of Algorithm B mixes the hash state which has
- * captured various random events into the shuffler to perturb the
- * sequence.
- *
- * One disadvantage of this algorithm is that if the generator parameters
- * were to be guessed, it would be possible to mount a limited brute force
- * attack on the ID space since the IDs are only shuffled within a limited
- * range.
- *
- * The second algorithm uses the same random number generator to populate
- * a pool of 65536 IDs. The hash state is used to pick an ID from a window
- * of 4096 IDs in this pool, then the chosen ID is swapped with the ID
- * at the beginning of the window and the window position is advanced.
- * This means that the interval between uses of the ID will be no less
- * than 65536-4096. The ID sequence in the pool will become more random
- * over time.
- *
- * For both algorithms, two more linear congruential random number generators
- * are selected. The ID from the first part of algorithm is used to seed
- * the first of these generators, and its output is used to seed the second.
- * The strategy is use these generators as 1 to 1 hashes to obfuscate the
- * properties of the generator used in the first part of either algorithm.
- *
- * The first algorithm may be suitable for use in a client resolver since
- * its memory requirements are fairly low and it's pretty random out of
- * the box. It is somewhat succeptible to a limited brute force attack,
- * so the second algorithm is probably preferable for a longer running
- * program that issues a large number of queries and has time to randomize
- * the pool.
- */
-
-#define NSID_SHUFFLE_TABLE_SIZE 100 /* Suggested by Knuth */
-/*
- * Pick one of the next 4096 IDs in the pool.
- * There is a tradeoff here between randomness and how often and ID is reused.
- */
-#define NSID_LOOKAHEAD 4096 /* Must be a power of 2 */
-#define NSID_SHUFFLE_ONLY 1 /* algorithm 1 */
-#define NSID_USE_POOL 2 /* algorithm 2 */
-
-/*
- * Keep a running hash of various bits of data that we'll use to
- * stir the ID pool or perturb the ID generator
+ * Note: if you don't have arc4random_addrandom(),
+ * you should upgrade to BIND9.
*/
void
-nsid_hash(u_char *data, size_t len) {
- /*
- * Hash function similar to the one we use for hashing names.
- * We don't fold case or toss the upper bit here, though.
- * This hash doesn't do much interesting when fed binary zeros,
- * so there may be a better hash function.
- * This function doesn't need to be very strong since we're
- * only using it to stir the pool, but it should be reasonably
- * fast.
- */
- while (len-- > 0) {
- nsid_hash_state = HASHROTATE(nsid_hash_state);
- nsid_hash_state += *data++;
- }
+nsid_hash(u_char *buf, size_t len) {
+ arc4random_addrandom(buf, len);
}
-/*
- * Table of good linear congruential multipliers for modulus 2^16
- * in order of increasing serial correlation bounds (so trim from
- * the end).
+/* u_int16_t
+ * nsid_next()
+ * return a random 16-bit integer suitable for use as a query ID.
+ *
+ * Note: if you don't have arc4random(), you should upgrade to BIND9.
*/
-static const u_int16_t nsid_multiplier_table[] = {
- 17565, 25013, 11733, 19877, 23989, 23997, 24997, 25421,
- 26781, 27413, 35901, 35917, 35973, 36229, 38317, 38437,
- 39941, 40493, 41853, 46317, 50581, 51429, 53453, 53805,
- 11317, 11789, 12045, 12413, 14277, 14821, 14917, 18989,
- 19821, 23005, 23533, 23573, 23693, 27549, 27709, 28461,
- 29365, 35605, 37693, 37757, 38309, 41285, 45261, 47061,
- 47269, 48133, 48597, 50277, 50717, 50757, 50805, 51341,
- 51413, 51581, 51597, 53445, 11493, 14229, 20365, 20653,
- 23485, 25541, 27429, 29421, 30173, 35445, 35653, 36789,
- 36797, 37109, 37157, 37669, 38661, 39773, 40397, 41837,
- 41877, 45293, 47277, 47845, 49853, 51085, 51349, 54085,
- 56933, 8877, 8973, 9885, 11365, 11813, 13581, 13589,
- 13613, 14109, 14317, 15765, 15789, 16925, 17069, 17205,
- 17621, 17941, 19077, 19381, 20245, 22845, 23733, 24869,
- 25453, 27213, 28381, 28965, 29245, 29997, 30733, 30901,
- 34877, 35485, 35613, 36133, 36661, 36917, 38597, 40285,
- 40693, 41413, 41541, 41637, 42053, 42349, 45245, 45469,
- 46493, 48205, 48613, 50861, 51861, 52877, 53933, 54397,
- 55669, 56453, 56965, 58021, 7757, 7781, 8333, 9661,
- 12229, 14373, 14453, 17549, 18141, 19085, 20773, 23701,
- 24205, 24333, 25261, 25317, 27181, 30117, 30477, 34757,
- 34885, 35565, 35885, 36541, 37957, 39733, 39813, 41157,
- 41893, 42317, 46621, 48117, 48181, 49525, 55261, 55389,
- 56845, 7045, 7749, 7965, 8469, 9133, 9549, 9789,
- 10173, 11181, 11285, 12253, 13453, 13533, 13757, 14477,
- 15053, 16901, 17213, 17269, 17525, 17629, 18605, 19013,
- 19829, 19933, 20069, 20093, 23261, 23333, 24949, 25309,
- 27613, 28453, 28709, 29301, 29541, 34165, 34413, 37301,
- 37773, 38045, 38405, 41077, 41781, 41925, 42717, 44437,
- 44525, 44613, 45933, 45941, 47077, 50077, 50893, 52117,
- 5293, 55069, 55989, 58125, 59205, 6869, 14685, 15453,
- 16821, 17045, 17613, 18437, 21029, 22773, 22909, 25445,
- 25757, 26541, 30709, 30909, 31093, 31149, 37069, 37725,
- 37925, 38949, 39637, 39701, 40765, 40861, 42965, 44813,
- 45077, 45733, 47045, 50093, 52861, 52957, 54181, 56325,
- 56365, 56381, 56877, 57013, 5741, 58101, 58669, 8613,
- 10045, 10261, 10653, 10733, 11461, 12261, 14069, 15877,
- 17757, 21165, 23885, 24701, 26429, 26645, 27925, 28765,
- 29197, 30189, 31293, 39781, 39909, 40365, 41229, 41453,
- 41653, 42165, 42365, 47421, 48029, 48085, 52773, 5573,
- 57037, 57637, 58341, 58357, 58901, 6357, 7789, 9093,
- 10125, 10709, 10765, 11957, 12469, 13437, 13509, 14773,
- 15437, 15773, 17813, 18829, 19565, 20237, 23461, 23685,
- 23725, 23941, 24877, 25461, 26405, 29509, 30285, 35181,
- 37229, 37893, 38565, 40293, 44189, 44581, 45701, 47381,
- 47589, 48557, 4941, 51069, 5165, 52797, 53149, 5341,
- 56301, 56765, 58581, 59493, 59677, 6085, 6349, 8293,
- 8501, 8517, 11597, 11709, 12589, 12693, 13517, 14909,
- 17397, 18085, 21101, 21269, 22717, 25237, 25661, 29189,
- 30101, 31397, 33933, 34213, 34661, 35533, 36493, 37309,
- 40037, 4189, 42909, 44309, 44357, 44389, 4541, 45461,
- 46445, 48237, 54149, 55301, 55853, 56621, 56717, 56901,
- 5813, 58437, 12493, 15365, 15989, 17829, 18229, 19341,
- 21013, 21357, 22925, 24885, 26053, 27581, 28221, 28485,
- 30605, 30613, 30789, 35437, 36285, 37189, 3941, 41797,
- 4269, 42901, 43293, 44645, 45221, 46893, 4893, 50301,
- 50325, 5189, 52109, 53517, 54053, 54485, 5525, 55949,
- 56973, 59069, 59421, 60733, 61253, 6421, 6701, 6709,
- 7101, 8669, 15797, 19221, 19837, 20133, 20957, 21293,
- 21461, 22461, 29085, 29861, 30869, 34973, 36469, 37565,
- 38125, 38829, 39469, 40061, 40117, 44093, 47429, 48341,
- 50597, 51757, 5541, 57629, 58405, 59621, 59693, 59701,
- 61837, 7061, 10421, 11949, 15405, 20861, 25397, 25509,
- 25893, 26037, 28629, 28869, 29605, 30213, 34205, 35637,
- 36365, 37285, 3773, 39117, 4021, 41061, 42653, 44509,
- 4461, 44829, 4725, 5125, 52269, 56469, 59085, 5917,
- 60973, 8349, 17725, 18637, 19773, 20293, 21453, 22533,
- 24285, 26333, 26997, 31501, 34541, 34805, 37509, 38477,
- 41333, 44125, 46285, 46997, 47637, 48173, 4925, 50253,
- 50381, 50917, 51205, 51325, 52165, 52229, 5253, 5269,
- 53509, 56253, 56341, 5821, 58373, 60301, 61653, 61973,
- 62373, 8397, 11981, 14341, 14509, 15077, 22261, 22429,
- 24261, 28165, 28685, 30661, 34021, 34445, 39149, 3917,
- 43013, 43317, 44053, 44101, 4533, 49541, 49981, 5277,
- 54477, 56357, 57261, 57765, 58573, 59061, 60197, 61197,
- 62189, 7725, 8477, 9565, 10229, 11437, 14613, 14709,
- 16813, 20029, 20677, 31445, 3165, 31957, 3229, 33541,
- 36645, 3805, 38973, 3965, 4029, 44293, 44557, 46245,
- 48917, 4909, 51749, 53709, 55733, 56445, 5925, 6093,
- 61053, 62637, 8661, 9109, 10821, 11389, 13813, 14325,
- 15501, 16149, 18845, 22669, 26437, 29869, 31837, 33709,
Home |
Main Index |
Thread Index |
Old Index