diff --git a/Makefile b/Makefile index a9bcab9..253ebb9 100644 --- a/Makefile +++ b/Makefile @@ -63,12 +63,8 @@ ct_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CON ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack` lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags $(LUA)` lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs $(LUA)` -nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \ - HAVE_CRYPTOHASH $(PKG_CONFIG) --cflags nettle \ - HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle` -nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \ - HAVE_CRYPTOHASH $(PKG_CONFIG) --libs nettle \ - HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle` +nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed'` +nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed'` gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp` sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi` nft_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --cflags libnftables` @@ -85,7 +81,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ - metrics.o hash-questions.o domain-match.o nftset.o + metrics.o domain-match.o nftset.o hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ dns-protocol.h radv-protocol.h ip6addr.h metrics.h diff --git a/bld/Android.mk b/bld/Android.mk index 917f8dc..3c4649d 100644 --- a/bld/Android.mk +++ b/bld/Android.mk @@ -11,14 +11,14 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c dhcp.c dnsmasq.c \ radv.c slaac.c auth.c ipset.c domain.c \ dnssec.c dnssec-openssl.c blockdata.c tables.c \ loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \ - crypto.c dump.c ubus.c metrics.c hash-questions.c \ - domain-match.c + crypto.c dump.c ubus.c metrics.c \ + domain-match.c nftset.c LOCAL_MODULE := dnsmasq LOCAL_C_INCLUDES := external/dnsmasq/src -LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_IPV6 -DNO_TFTP -DNO_SCRIPT +LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_TFTP -DNO_SCRIPT LOCAL_SYSTEM_SHARED_LIBRARIES := libc libcutils LOCAL_LDLIBS := -L$(SYSROOT)/usr/lib -llog diff --git a/src/config.h b/src/config.h index e722e98..a1684a2 100644 --- a/src/config.h +++ b/src/config.h @@ -129,9 +129,6 @@ HAVE_AUTH define this to include the facility to act as an authoritative DNS server for one or more zones. -HAVE_CRYPTOHASH - include just hash function from crypto library, but no DNSSEC. - HAVE_DNSSEC include DNSSEC validator. @@ -200,7 +197,6 @@ RESOLVFILE /* #define HAVE_IDN */ /* #define HAVE_LIBIDN2 */ /* #define HAVE_CONNTRACK */ -/* #define HAVE_CRYPTOHASH */ /* #define HAVE_DNSSEC */ /* #define HAVE_NFTSET */ @@ -438,10 +434,6 @@ static char *compile_opts = "no-" #endif "auth " -#if !defined(HAVE_CRYPTOHASH) && !defined(HAVE_DNSSEC) -"no-" -#endif -"cryptohash " #ifndef HAVE_DNSSEC "no-" #endif diff --git a/src/crypto.c b/src/crypto.c index abc744a..8a67f73 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -16,7 +16,7 @@ #include "dnsmasq.h" -#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) +#if defined(HAVE_DNSSEC) /* Minimal version of nettle */ @@ -30,9 +30,6 @@ #define MIN_VERSION(major, minor) ((NETTLE_VERSION_MAJOR == (major) && NETTLE_VERSION_MINOR >= (minor)) || \ (NETTLE_VERSION_MAJOR > (major))) -#endif /* defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) */ - -#if defined(HAVE_DNSSEC) #include #include #include @@ -476,9 +473,6 @@ char *nsec3_digest_name(int digest) } } -#endif /* defined(HAVE_DNSSEC) */ - -#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) /* Find pointer to correct hash function in nettle library */ const struct nettle_hash *hash_find(char *name) { @@ -509,4 +503,4 @@ const struct nettle_hash *hash_find(char *name) #endif } -#endif /* defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) */ +#endif /* defined(HAVE_DNSSEC) */ diff --git a/src/dnsmasq.c b/src/dnsmasq.c index 0f2955b..0c0e082 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -410,7 +410,6 @@ int main (int argc, char **argv) { cache_init(); blockdata_init(); - hash_questions_init(); /* Scale random socket pool by ftabsize, but limit it based on available fds. */ diff --git a/src/dnsmasq.h b/src/dnsmasq.h index e2db15b..68a48bd 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -155,11 +155,7 @@ extern int capget(cap_user_header_t header, cap_user_data_t data); #include #endif -/* Backwards compat with 2.83 */ -#if defined(HAVE_NETTLEHASH) -# define HAVE_CRYPTOHASH -#endif -#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) +#if defined(HAVE_DNSSEC) # include #endif @@ -777,8 +773,6 @@ struct dyndir { #define FREC_HAS_PHEADER 512 #define FREC_GONE_TO_TCP 1024 -#define HASH_SIZE 32 /* SHA-256 digest size */ - struct frec { struct frec_src { union mysockaddr source; @@ -1438,10 +1432,6 @@ int setup_timestamp(void); int errflags_to_ede(int status); #endif -/* hash_questions.c */ -void hash_questions_init(void); -unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name); - /* crypto.c */ const struct nettle_hash *hash_find(char *name); int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp); diff --git a/src/hash-questions.c b/src/hash-questions.c deleted file mode 100644 index e6304ac..0000000 --- a/src/hash-questions.c +++ /dev/null @@ -1,284 +0,0 @@ -/* Copyright (c) 2012-2023 Simon Kelley - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; version 2 dated June, 1991, or - (at your option) version 3 dated 29 June, 2007. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - - -/* Hash the question section. This is used to safely detect query - retransmission and to detect answers to questions we didn't ask, which - might be poisoning attacks. Note that we decode the name rather - than CRC the raw bytes, since replies might be compressed differently. - We ignore case in the names for the same reason. - - The hash used is SHA-256. If we're building with DNSSEC support, - we use the Nettle cypto library. If not, we prefer not to - add a dependency on Nettle, and use a stand-alone implementation. -*/ - -#include "dnsmasq.h" - -#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) - -static const struct nettle_hash *hash; -static void *ctx; -static unsigned char *digest; - -void hash_questions_init(void) -{ - if (!(hash = hash_find("sha256"))) - die(_("Failed to create SHA-256 hash object"), NULL, EC_MISC); - - ctx = safe_malloc(hash->context_size); - digest = safe_malloc(hash->digest_size); -} - -unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) -{ - int q; - unsigned char *p = (unsigned char *)(header+1); - - hash->init(ctx); - - for (q = ntohs(header->qdcount); q != 0; q--) - { - char *cp, c; - - if (!extract_name(header, plen, &p, name, 1, 4)) - return NULL; /* bad packet */ - - for (cp = name; (c = *cp); cp++) - if (c >= 'A' && c <= 'Z') - *cp += 'a' - 'A'; - - hash->update(ctx, cp - name, (unsigned char *)name); - /* CRC the class and type as well */ - hash->update(ctx, 4, p); - - p += 4; - if (!CHECK_LEN(header, p, plen, 0)) - return NULL; /* bad packet */ - } - - hash->digest(ctx, hash->digest_size, digest); - return digest; -} - -#else /* HAVE_DNSSEC || HAVE_CRYPTOHASH */ - -#define SHA256_BLOCK_SIZE 32 /* SHA256 outputs a 32 byte digest */ -typedef unsigned char BYTE; /* 8-bit byte */ -typedef unsigned int WORD; /* 32-bit word, change to "long" for 16-bit machines */ - -typedef struct { - BYTE data[64]; - WORD datalen; - unsigned long long bitlen; - WORD state[8]; -} SHA256_CTX; - -static void sha256_init(SHA256_CTX *ctx); -static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len); -static void sha256_final(SHA256_CTX *ctx, BYTE hash[]); - -void hash_questions_init(void) -{ -} - -unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) -{ - int q; - unsigned char *p = (unsigned char *)(header+1); - SHA256_CTX ctx; - static BYTE digest[SHA256_BLOCK_SIZE]; - - sha256_init(&ctx); - - for (q = ntohs(header->qdcount); q != 0; q--) - { - char *cp, c; - - if (!extract_name(header, plen, &p, name, 1, 4)) - return NULL; /* bad packet */ - - for (cp = name; (c = *cp); cp++) - if (c >= 'A' && c <= 'Z') - *cp += 'a' - 'A'; - - sha256_update(&ctx, (BYTE *)name, cp - name); - /* CRC the class and type as well */ - sha256_update(&ctx, (BYTE *)p, 4); - - p += 4; - if (!CHECK_LEN(header, p, plen, 0)) - return NULL; /* bad packet */ - } - - sha256_final(&ctx, digest); - return (unsigned char *)digest; -} - -/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms - and was written by Brad Conte (brad@bradconte.com), to whom all credit is given. - - This code is in the public domain, and the copyright notice at the head of this - file does not apply to it. -*/ - - -/****************************** MACROS ******************************/ -#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b)))) -#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b)))) - -#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z))) -#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) -#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22)) -#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25)) -#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3)) -#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10)) - -/**************************** VARIABLES *****************************/ -static const WORD k[64] = { - 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5, - 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174, - 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da, - 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967, - 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85, - 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070, - 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3, - 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 -}; - -/*********************** FUNCTION DEFINITIONS ***********************/ -static void sha256_transform(SHA256_CTX *ctx, const BYTE data[]) -{ - WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64]; - - for (i = 0, j = 0; i < 16; ++i, j += 4) - m[i] = (((WORD)data[j]) << 24) | (((WORD)data[j + 1]) << 16) | (((WORD)data[j + 2]) << 8) | (((WORD)data[j + 3])); - for ( ; i < 64; ++i) - m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16]; - - a = ctx->state[0]; - b = ctx->state[1]; - c = ctx->state[2]; - d = ctx->state[3]; - e = ctx->state[4]; - f = ctx->state[5]; - g = ctx->state[6]; - h = ctx->state[7]; - - for (i = 0; i < 64; ++i) - { - t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i]; - t2 = EP0(a) + MAJ(a,b,c); - h = g; - g = f; - f = e; - e = d + t1; - d = c; - c = b; - b = a; - a = t1 + t2; - } - - ctx->state[0] += a; - ctx->state[1] += b; - ctx->state[2] += c; - ctx->state[3] += d; - ctx->state[4] += e; - ctx->state[5] += f; - ctx->state[6] += g; - ctx->state[7] += h; -} - -static void sha256_init(SHA256_CTX *ctx) -{ - ctx->datalen = 0; - ctx->bitlen = 0; - ctx->state[0] = 0x6a09e667; - ctx->state[1] = 0xbb67ae85; - ctx->state[2] = 0x3c6ef372; - ctx->state[3] = 0xa54ff53a; - ctx->state[4] = 0x510e527f; - ctx->state[5] = 0x9b05688c; - ctx->state[6] = 0x1f83d9ab; - ctx->state[7] = 0x5be0cd19; -} - -static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len) -{ - WORD i; - - for (i = 0; i < len; ++i) - { - ctx->data[ctx->datalen] = data[i]; - ctx->datalen++; - if (ctx->datalen == 64) { - sha256_transform(ctx, ctx->data); - ctx->bitlen += 512; - ctx->datalen = 0; - } - } -} - -static void sha256_final(SHA256_CTX *ctx, BYTE hash[]) -{ - WORD i; - - i = ctx->datalen; - - /* Pad whatever data is left in the buffer. */ - if (ctx->datalen < 56) - { - ctx->data[i++] = 0x80; - while (i < 56) - ctx->data[i++] = 0x00; - } - else - { - ctx->data[i++] = 0x80; - while (i < 64) - ctx->data[i++] = 0x00; - sha256_transform(ctx, ctx->data); - memset(ctx->data, 0, 56); - } - - /* Append to the padding the total message's length in bits and transform. */ - ctx->bitlen += ctx->datalen * 8; - ctx->data[63] = ctx->bitlen; - ctx->data[62] = ctx->bitlen >> 8; - ctx->data[61] = ctx->bitlen >> 16; - ctx->data[60] = ctx->bitlen >> 24; - ctx->data[59] = ctx->bitlen >> 32; - ctx->data[58] = ctx->bitlen >> 40; - ctx->data[57] = ctx->bitlen >> 48; - ctx->data[56] = ctx->bitlen >> 56; - sha256_transform(ctx, ctx->data); - - /* Since this implementation uses little endian byte ordering and SHA uses big endian, - reverse all the bytes when copying the final state to the output hash. */ - for (i = 0; i < 4; ++i) - { - hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff; - hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff; - hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff; - hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff; - hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff; - hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff; - hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff; - hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff; - } -} - -#endif