ldnsutils emits wrong sha256 hashes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ldns (Ubuntu) | Fix Released | High | Christian Ehrhardt |
Impish | Won't Fix | Medium | Christian Ehrhardt |
Jammy | Fix Released | High | Christian Ehrhardt |
Bug Description
[Impact]
* When ldns is compiled with gcc11 without a fix for
strict-aliasing it will silently emit wrong sha256 hashes
* This affected Jammy where it was built with GCC11 already
and a fix was uploaded there.
* If rebuilt as-is today in Impish it would expose that bad
behavior. But the build of today is still from hirsute with GCC10.
Therefore we want to avoid this from ever becoming a problem,
but at the same time have no reason to push an update all
the way through.
The intention is to get this into impish-proposed and stay there
in case any later fix/security-update comes by it will not
trigger this problem.
[Test Plan]
$ cat > root.key << EOF
. 86400 IN DNSKEY 257 3 8 AwEAAaz/
EOF
$ ldns-key2ds -n -2 root.key
. 86400 IN DS 20326 8 2
wrong result:   0ae721f59a19244
correct result: e06d44b80b8f1d3
Note: To avoid confusion - once more to be clear - the ldns in impish as of today is ok as it was built with older GCC, to see the bad-behavior you'd need to rebuild it as-is.
[Where problems could occur]
* If there is another - not yet discovered - issue with GCC11 it would
pick this one up; But it would do so as well without this fix and
with it we prevent at least one issue.
* If there was someone building ldns from package source relying on
strict-aliasing for anything this will now be disabled - but
intentionally, so IMHO ok.
[Other Info]
* As I mentioned above, this is not meant to migrate to -release,
we want it in -proposed to avoid a later issue.
---- original bug report ----
Hi,
originally this started by a finding of an FTBFS issue of dns-root-data [1] as reported in the most recent archive rebuild [2]
But comparing those I've found that it is actually ldns that is broken, as it seems most likely due to the openssl3.0 changes.
Separating this from dns-root-data, you can:
$ cat > root.key << EOF
. 86400 IN DNSKEY 257 3 8 AwEAAaz/
EOF
$ ldns-key2ds -n -2 root.key
. 86400 IN DS 20326 8 2 0ae721f59a19244
The problem here is that this is the wrong hash.
The very same file used to emit:
. 86400 IN DS 20326 8 2 e06d44b80b8f1d3
And on Impish it still does:
ldnsutils | 1.7.1-2build1 | impish/universe | amd64, arm64, armhf, ppc64el, riscv64, s390x
ldnsutils | 1.7.1-2ubuntu3 | jammy/universe | amd64, arm64, armhf, ppc64el, riscv64, s390x
The difference between the two builds related to this seems to be the openssl3.0 changes.
I say it is sha256 explicitly as that is what "-2" selects.
If I run with any of the other hashes jammy/impish still agree which tells me that the rest of the process is still good.
-1 Use SHA1 as the hash function.
-2 Use SHA256 as the hash function
-4 Use SHA384 as the hash function
root@j:~# /usr/bin/
. 86400 IN DS 20326 8 1 ae1ea5b974d4c85
root@j:~# /usr/bin/
. 86400 IN DS 20326 8 4 538f47ba9bb8890
root@i:~# /usr/bin/
. 86400 IN DS 20326 8 1 ae1ea5b974d4c85
root@i:~# /usr/bin/
. 86400 IN DS 20326 8 4 538f47ba9bb8890
The build compares this to a root-anchors.xml from http://
[1]: https:/
[2]: https:/
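To decide which of two disagreeing ldns-key2ds outputs is the right one, an independent DS computation is the natural cross-check. The following is an added example and not ldns code or part of the bug report: it implements the DS digest input from RFC 4034 section 5.1.4 (canonical wire form of the owner name followed by the DNSKEY RDATA) and the key-tag algorithm from RFC 4034 appendix B, for the three digest types ldns-key2ds selects with -1, -2 and -4. Because the DNSKEY line on this page is truncated, the sample key embedded below is a constructed two-byte placeholder; fed the complete root DNSKEY, ds_record(".", 86400, 257, 3, 8, key_b64, 2) yields the digest to compare with the -2 output above.

```python
"""Independent DS digest computation (RFC 4034 section 5.1.4 and appendix B).

Added example for cross-checking ldns-key2ds output; this is not ldns code.
The embedded DNSKEY is a constructed placeholder so the script runs offline.
"""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
# These are the numbers ldns-key2ds exposes as -1, -2 and -4.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"  # the root "." is a single empty label
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """digest = H(canonical owner name || DNSKEY RDATA), lowercase hex."""
    return DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, ttl: int, flags: int, protocol: int, algorithm: int,
              key_b64: str, digest_type: int) -> str:
    """Presentation-format DS RR in the same layout ldns-key2ds prints."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (f"{owner} {ttl} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


# Constructed sample: a two-byte "public key" 0xAB 0xCD, not a real DNSKEY.
SAMPLE_KEY_B64 = base64.b64encode(b"\xab\xcd").decode()

if __name__ == "__main__":
    # Mirrors running ldns-key2ds -n -1 / -2 / -4 over the same record.
    for dt in (1, 2, 4):
        print(ds_record(".", 86400, 257, 3, 8, SAMPLE_KEY_B64, dt))
```

Replace SAMPLE_KEY_B64 with the base64 public key from a real root.key and compare the printed DS line with the ldns-key2ds output for the same digest type; the key tag and algorithm fields must also match, which localises a mismatch to the hash itself rather than to record parsing.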
Related branches
- Lucas Kanashiro (community): Needs Fixing
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu import: Pending requested
Diff: 98 lines (+67/-1), 4 files modified:
debian/changelog (+7/-0)
debian/control (+2/-1)
debian/patches/lp-1966237-Fix-131-Compile-with-fno-strict-aliasing.patch (+57/-0)
debian/patches/series (+1/-0)
- Paride Legovini (community): Approve
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
Diff: 87 lines (+65/-0), 3 files modified:
debian/changelog (+7/-0)
debian/patches/lp-1966237-Fix-131-Compile-with-fno-strict-aliasing.patch (+57/-0)
debian/patches/series (+1/-0)
tags: added: transition-openssl3-jj
description: updated
Changed in ldns (Ubuntu Impish):
status: Confirmed → In Progress
assignee: nobody → Christian Ehrhardt (paelzer)
description: updated
tags: added: block-proposed
tags: removed: server-todo
Subscribed Simon who added the openssl3 delta, he might have more context from having worked on so many of these changes.