From ca1e22ee7d4e36204ec665305962e895ad63081e Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>

Date: Wed, 25 Nov 2020 17:18:55 +0100

Subject: [PATCH] Support hash function from nettle (only)

Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from

nettle, but keep DNSSEC disabled at build time. Skips use of internal

hash implementation without support for validation built-in.

---

 Makefile             |  6 ++++--

 bld/pkg-wrapper      | 39 +++++++++++++++++++++------------------

 src/config.h         |  8 ++++++++

 src/dnssec.c         | 17 +++++++++++++++--

 src/hash_questions.c |  7 ++++++-

 5 files changed, 54 insertions(+), 23 deletions(-)

diff --git a/Makefile b/Makefile

index 8a3f2e2..9890ae1 100644

--- a/Makefile

+++ b/Makefile

@@ -59,8 +59,10 @@ ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CON

 ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`

 lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.1` 

 lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1` 

-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`

-nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`

+nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed' \

+                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`

+nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed' \

+                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`

 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`

 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`

 version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'

diff --git a/bld/pkg-wrapper b/bld/pkg-wrapper

index 0ddb678..3478962 100755

--- a/bld/pkg-wrapper

+++ b/bld/pkg-wrapper

@@ -1,33 +1,35 @@

 #!/bin/sh

-search=$1

-shift

-pkg=$1

-shift

-op=$1

-shift

-

 in=`cat`

-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \

-    echo $in | grep $search >/dev/null 2>&1; then

+search()

+{

+    grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \

+    echo $in | grep $1 >/dev/null 2>&1

+}

+

+while [ "$#" -gt 0 ]; do

+    search=$1

+    pkg=$2

+    op=$3

+    lib=$4

+    shift 4

+if search "$search"; then

+

 # Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP

     if [ $op = "--copy" ]; then

-	if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \

-            echo $in | grep $pkg >/dev/null 2>&1; then

+	if search "$pkg"; then

 	    pkg=""

 	else 

-	    pkg="$*"

+	    pkg="$lib"

 	fi

-    elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \

-	      echo $in | grep ${search}_STATIC >/dev/null 2>&1; then

-	pkg=`$pkg  --static $op $*`

+    elif search "${search}_STATIC"; then

+	pkg=`$pkg  --static $op $lib`

     else

-	pkg=`$pkg $op $*`

+	pkg=`$pkg $op $lib`

     fi

-    if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \

-	echo $in | grep ${search}_STATIC >/dev/null 2>&1; then

+    if search "${search}_STATIC"; then

 	if [ $op = "--libs" ] || [ $op = "--copy" ]; then

 	    echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"

 	else

@@ -38,3 +40,4 @@ if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \

     fi

 fi

+done

diff --git a/src/config.h b/src/config.h

index 80a50e1..077147a 100644

--- a/src/config.h

+++ b/src/config.h

@@ -111,6 +111,9 @@ HAVE_AUTH

    define this to include the facility to act as an authoritative DNS

    server for one or more zones.

+HAVE_NETTLEHASH

+   include just hash function from nettle, but no DNSSEC.

+

 HAVE_DNSSEC

    include DNSSEC validator.

@@ -174,6 +177,7 @@ RESOLVFILE

 /* #define HAVE_DBUS */

 /* #define HAVE_IDN */

 /* #define HAVE_CONNTRACK */

+/* #define HAVE_NETTLEHASH */

 /* #define HAVE_DNSSEC */

@@ -430,6 +434,10 @@ static char *compile_opts =

 "no-"

 #endif

 "auth "

+#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)

+"no-"

+#endif

+"nettlehash "

 #ifndef HAVE_DNSSEC

 "no-"

 #endif

diff --git a/src/dnssec.c b/src/dnssec.c

index f22faa1..d07cee9 100644

--- a/src/dnssec.c

+++ b/src/dnssec.c

@@ -25,8 +25,14 @@

 #  include <nettle/ecdsa.h>

 #  include <nettle/ecc-curve.h>

 #endif

+#endif

+

+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)

 #include <nettle/nettle-meta.h>

 #include <nettle/bignum.h>

+#endif

+

+#ifdef HAVE_DNSSEC

 /* Nettle-3.0 moved to a new API for DSA. We use a name that's defined in the new API

    to detect Nettle-3, and invoke the backwards compatibility mode. */

@@ -80,9 +86,12 @@ static char *nsec3_digest_name(int digest)

     default: return NULL;

     }

 }

+#endif

+

+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)

 /* Find pointer to correct hash function in nettle library */

-static const struct nettle_hash *hash_find(char *name)

+const struct nettle_hash *hash_find(char *name)

 {

   int i;

@@ -99,7 +108,7 @@ static const struct nettle_hash *hash_find(char *name)

 }

 /* expand ctx and digest memory allocations if necessary and init hash function */

-static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp)

+int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp)

 {

   static void *ctx = NULL;

   static unsigned char *digest = NULL;

@@ -135,6 +144,10 @@ static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char

   return 1;

 }

+

+#endif

+

+#ifdef HAVE_DNSSEC

 static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,

 			      unsigned char *digest, size_t digest_len, int algo)

diff --git a/src/hash_questions.c b/src/hash_questions.c

index ae112ac..0d25359 100644

--- a/src/hash_questions.c

+++ b/src/hash_questions.c

@@ -28,7 +28,12 @@

 #include "dnsmasq.h"

-#ifdef HAVE_DNSSEC

+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)

+#include <nettle/nettle-meta.h>

+

+const struct nettle_hash *hash_find(char *name);

+int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);

+

 unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)

 {

   int q;

-- 

2.26.2