From ca1e22ee7d4e36204ec665305962e895ad63081e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 25 Nov 2020 17:18:55 +0100
Subject: [PATCH] Support hash function from nettle (only) Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from nettle, but keep DNSSEC disabled at build time. Skips use of internal hash implementation without support for validation built-in.
---
 Makefile | 6 ++++--
 bld/pkg-wrapper | 39 +++++++++++++++++++++------------------
 src/config.h | 8 ++++++++
 src/dnssec.c | 17 +++++++++++++++--
 src/hash_questions.c | 7 ++++++-
 5 files changed, 54 insertions(+), 23 deletions(-)
diff --git a/Makefile b/Makefile
index 8a3f2e2..9890ae1 100644
--- a/Makefile
+++ b/Makefile
@@ -59,8 +59,10 @@ ct_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CON
 ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
 lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.1`
 lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1`
-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
-nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
+nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \
+ HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
+nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \
+ HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
 gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
 version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
diff --git a/bld/pkg-wrapper b/bld/pkg-wrapper
index 0ddb678..3478962 100755
--- a/bld/pkg-wrapper
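Review bot: The new nettle_cflags and nettle_libs lines depend on an undocumented convention of the rewritten pkg-wrapper: arguments are consumed in groups of exactly four (macro, pkg-config, op, libs), which is why `'nettle hogweed'` must now be one quoted word where the old lines passed two. Nothing in the Makefile says so, and an unquoted multi-package list in any future line would silently shift the following group out of alignment. I would add a comment above the first pkg-wrapper use, e.g. `# pkg-wrapper consumes args in groups of four: MACRO PKG_CONFIG OP LIBS; quote a multi-word LIBS`. It is also worth noting in that comment that with both HAVE_DNSSEC and HAVE_NETTLEHASH defined, the nettle flags are emitted twice (once via the hogweed group, once via its own), which should be harmless to the linker but looks odd in the build log.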
+++ b/bld/pkg-wrapper
@@ -1,33 +1,35 @@
 #!/bin/sh
 
-search=$1
-shift
-pkg=$1
-shift
-op=$1
-shift
-
 in=`cat`
 
-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
- echo $in | grep $search >/dev/null 2>&1; then
+search()
+{
+ grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \
+ echo $in | grep $1 >/dev/null 2>&1
+}
+
+while [ "$#" -gt 0 ]; do
+ search=$1
+ pkg=$2
+ op=$3
+ lib=$4
+ shift 4
+if search "$search"; then
+ # Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP
 if [ $op = "--copy" ]; then
- if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
- echo $in | grep $pkg >/dev/null 2>&1; then
+ if search "$pkg"; then
 pkg=""
 else
- pkg="$*"
+ pkg="$lib"
 fi
- elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
- pkg=`$pkg --static $op $*`
+ elif search "${search}_STATIC"; then
+ pkg=`$pkg --static $op $lib`
 else
- pkg=`$pkg $op $*`
+ pkg=`$pkg $op $lib`
 fi
- if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+ if search "${search}_STATIC"; then
 if [ $op = "--libs" ] || [ $op = "--copy" ]; then
 echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
 else
@@ -38,3 +40,4 @@ if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
 fi
 fi
+done
diff --git a/src/config.h b/src/config.h
index 80a50e1..077147a 100644
--- a/src/config.h
+++ b/src/config.h
@@ -111,6 +111,9 @@ HAVE_AUTH
    define this to include the facility to act as an authoritative DNS
    server for one or more zones.
 
+HAVE_NETTLEHASH
+   include just hash function from nettle, but no DNSSEC.
+
 HAVE_DNSSEC
    include DNSSEC validator.
 
@@ -174,6 +177,7 @@ RESOLVFILE
 /* #define HAVE_DBUS */
 /* #define HAVE_IDN */
 /* #define HAVE_CONNTRACK */
+/* #define HAVE_NETTLEHASH */
 /* #define HAVE_DNSSEC */
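Review bot: The `shift 4` in the new while loop is unguarded; when fewer than four arguments remain (a stray or missing word in a Makefile invocation) POSIX sh reports an error, and in shells where a failed shift leaves the positional parameters untouched `$#` never decreases and the loop spins forever. Since the old script accepted any trailing `$*`, a caller not updated to the four-argument convention would hit exactly this. Add a check at the top of the loop body, `if [ "$#" -lt 4 ]; then echo "pkg-wrapper: arguments must come in groups of four" >&2; exit 1; fi`. As a point of style, the function `search` and the variable `search=$1` live in separate namespaces in sh, but sharing the name is confusing; naming the function `is_defined` would read better.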
@@ -430,6 +434,10 @@ static char *compile_opts =
 "no-"
 #endif
 "auth "
+#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
+"no-"
+#endif
+"nettlehash "
 #ifndef HAVE_DNSSEC
 "no-"
 #endif
diff --git a/src/dnssec.c b/src/dnssec.c
index f22faa1..d07cee9 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -25,8 +25,14 @@
 # include
 # include
 #endif
+#endif
+
+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
 #include
 #include
+#endif
+
+#ifdef HAVE_DNSSEC
 /* Nettle-3.0 moved to a new API for DSA. We use a name that's defined in the new API to detect Nettle-3, and invoke the backwards compatibility mode. */
@@ -80,9 +86,12 @@ static char *nsec3_digest_name(int digest)
     default: return NULL;
     }
 }
+#endif
+
+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
 
 /* Find pointer to correct hash function in nettle library */
-static const struct nettle_hash *hash_find(char *name)
+const struct nettle_hash *hash_find(char *name)
 {
   int i;
 
@@ -99,7 +108,7 @@ static const struct nettle_hash *hash_find(char *name)
 }
 
 /* expand ctx and digest memory allocations if necessary and init hash function */
-static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp)
+int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp)
 {
   static void *ctx = NULL;
   static unsigned char *digest = NULL;
@@ -135,6 +144,10 @@ static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char
   return 1;
 }
 
+
+#endif
+
+#ifdef HAVE_DNSSEC
 static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len,
                               unsigned char *sig, size_t sig_len,
                               unsigned char *digest, size_t digest_len, int algo)
diff --git a/src/hash_questions.c b/src/hash_questions.c
index ae112ac..0d25359 100644
--- a/src/hash_questions.c
+++ b/src/hash_questions.c
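Review bot: hash_init becomes an externally linked function in the @@ -99 hunk (the `static` is dropped) but its contract is left undocumented: the `ctx` and `digest` it manages are function-static buffers, visible in the hunk, that are presumably what `*ctxp` and `*digestp` are set to, so each call from any translation unit reuses and overwrites the storage handed to the previous caller. With hash_questions.c becoming a second user this deserves a comment above the definition, e.g. `/* ctxp/digestp are set to shared static storage reused by every call: consume the digest before the next hash_init; not reentrant. */`. hash_find is exported by the same change and now takes part in a cross-file API, so its `char *name` parameter should become `const char *name`, which is backward-compatible for callers. hash_init's body continues outside the hunk.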
@@ -28,7 +28,12 @@
 #include "dnsmasq.h"
 
-#ifdef HAVE_DNSSEC
+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+#include
+
+const struct nettle_hash *hash_find(char *name);
+int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);
+
 unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
 {
   int q;
-- 
2.26.2
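Review bot: The two prototypes added here for `hash_find` and `hash_init` are hand-written in a second translation unit rather than placed in a shared header, so the compiler never checks them against the definitions in dnssec.c; a later change to either signature would compile cleanly in both files and fail only at runtime. Move the declarations under the same `#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)` guard into dnsmasq.h, which this file already includes, and drop them here. The `#include` added after the guard has lost its header name in this rendering; confirm it names the same nettle header dnssec.c pulls in under the matching guard. hash_questions' body continues outside the hunk.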