From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001 From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Nov 2020 17:18:55 +0100 Subject: [PATCH] Support hash function from nettle (only) Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from nettle, but keep DNSSEC disabled at build time. Skips use of internal hash implementation without support for validation built-in. Signed-off-by: Sana Kazi --- Makefile | 8 +++++--- bld/pkg-wrapper | 41 ++++++++++++++++++++++------------------- src/config.h | 8 ++++++++ src/crypto.c | 7 +++++++ src/dnsmasq.h | 2 +- src/hash_questions.c | 2 +- 6 files changed, 44 insertions(+), 24 deletions(-) CVE: CVE-2020-25685 Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b] Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile Index: dnsmasq-2.81/Makefile =================================================================== --- dnsmasq-2.81.orig/Makefile +++ dnsmasq-2.81/Makefile @@ -53,7 +53,7 @@ top?=$(CURDIR) dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` -ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus` +ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'` idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2` @@ -62,8 +62,10 @@ ct_cflags = `echo $(COPTS) | $(top)/ ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack` lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua` lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua` -nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed` -nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed` +nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \ + HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle` +nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \ + HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle` gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp` sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi` version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"' Index: dnsmasq-2.81/bld/pkg-wrapper =================================================================== --- dnsmasq-2.81.orig/bld/pkg-wrapper +++ dnsmasq-2.81/bld/pkg-wrapper @@ -1,35 +1,37 @@ #!/bin/sh -search=$1 -shift -pkg=$1 -shift -op=$1 -shift - in=`cat` -if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \ - echo $in | grep $search >/dev/null 2>&1; then +search() +{ + grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \ + echo $in | grep $1 >/dev/null 2>&1 +} + +while [ "$#" -gt 0 ]; do + search=$1 + pkg=$2 + op=$3 + lib=$4 + shift 4 +if search "$search"; then + # Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP if [ $op = "--copy" ]; then if [ -z "$pkg" ]; then - pkg="$*" - elif grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \ - echo $in | grep $pkg >/dev/null 2>&1; then + pkg="$lib" + elif search "$pkg"; then pkg="" else - pkg="$*" + pkg="$lib" fi - elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ - echo $in | grep ${search}_STATIC >/dev/null 2>&1; then - pkg=`$pkg --static $op $*` + elif search "${search}_STATIC"; then + pkg=`$pkg --static $op $lib` else - pkg=`$pkg $op $*` + pkg=`$pkg $op $lib` fi - if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ - echo $in | grep ${search}_STATIC >/dev/null 2>&1; then + if search "${search}_STATIC"; then if [ $op = "--libs" ] || [ $op = "--copy" ]; then echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic" else @@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:] fi fi +done Index: dnsmasq-2.81/src/config.h =================================================================== --- dnsmasq-2.81.orig/src/config.h +++ dnsmasq-2.81/src/config.h @@ -118,6 +118,9 @@ HAVE_AUTH define this to include the facility to act as an authoritative DNS server for one or more zones. +HAVE_NETTLEHASH + include just hash function from nettle, but no DNSSEC. + HAVE_DNSSEC include DNSSEC validator. @@ -185,6 +188,7 @@ RESOLVFILE /* #define HAVE_IDN */ /* #define HAVE_LIBIDN2 */ /* #define HAVE_CONNTRACK */ +/* #define HAVE_NETTLEHASH */ /* #define HAVE_DNSSEC */ @@ -418,6 +422,10 @@ static char *compile_opts = "no-" #endif "auth " +#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC) +"no-" +#endif +"nettlehash " #ifndef HAVE_DNSSEC "no-" #endif Index: dnsmasq-2.81/src/dnsmasq.h =================================================================== --- dnsmasq-2.81.orig/src/dnsmasq.h +++ dnsmasq-2.81/src/dnsmasq.h @@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head # include #endif +#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH) +# include +#endif /* daemon is function in the C library.... */ #define daemon dnsmasq_daemon Index: dnsmasq-2.81/src/hash_questions.c =================================================================== --- dnsmasq-2.81.orig/src/hash_questions.c +++ dnsmasq-2.81/src/hash_questions.c @@ -28,7 +28,7 @@ #include "dnsmasq.h" -#ifdef HAVE_DNSSEC +#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH) unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) { int q;