meta-openembedded/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch - openbmc/openbmc - Gitiles

 From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001
 From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Wed, 25 Nov 2020 17:18:55 +0100
 Subject: [PATCH] Support hash function from nettle (only)

 Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from
 nettle, but keep DNSSEC disabled at build time. Skips use of internal
 hash implementation without support for validation built-in.

 Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
 ---
  Makefile             |  8 +++++---
  bld/pkg-wrapper      | 41 ++++++++++++++++++++++-------------------
  src/config.h         |  8 ++++++++
  src/crypto.c         |  7 +++++++
  src/dnsmasq.h        |  2 +-
  src/hash_questions.c |  2 +-
  6 files changed, 44 insertions(+), 24 deletions(-)

 CVE: CVE-2020-25685
 Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b]
 Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile

 Index: dnsmasq-2.81/Makefile
 ===================================================================
 --- dnsmasq-2.81.orig/Makefile
 +++ dnsmasq-2.81/Makefile
 @@ -53,7 +53,7 @@ top?=$(CURDIR)

  dbus_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1`
  dbus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1`
 -ubus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus`
 +ubus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'`
  idn_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn`
  idn_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn`
  idn2_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
 @@ -62,8 +62,10 @@ ct_cflags =     `echo $(COPTS) | $(top)/
  ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
  lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua`
  lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua`
 -nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
 -nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
 +nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed' \
 +                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
 +nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed' \
 +                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
  gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
  sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
  version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
 Index: dnsmasq-2.81/bld/pkg-wrapper
 ===================================================================
 --- dnsmasq-2.81.orig/bld/pkg-wrapper
 +++ dnsmasq-2.81/bld/pkg-wrapper
 @@ -1,35 +1,37 @@
  #!/bin/sh

 -search=$1
 -shift
 -pkg=$1
 -shift
 -op=$1
 -shift
 -
  in=`cat`

 -if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
 -    echo $in | grep $search >/dev/null 2>&1; then
 +search()
 +{
 +    grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \
 +    echo $in | grep $1 >/dev/null 2>&1
 +}
 +
 +while [ "$#" -gt 0 ]; do
 +    search=$1
 +    pkg=$2
 +    op=$3
 +    lib=$4
 +    shift 4
 +if search "$search"; then
 +
  # Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP
      if [ $op = "--copy" ]; then
  	if [ -z "$pkg" ]; then
 -	    pkg="$*"
 -	elif grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
 -		 echo $in | grep $pkg >/dev/null 2>&1; then
 +	    pkg="$lib"
 +	elif search "$pkg"; then
  	    pkg=""
  	else
 -	    pkg="$*"
 +	    pkg="$lib"
  	fi
 -    elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
 -	     echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
 -	pkg=`$pkg  --static $op $*`
 +    elif search "${search}_STATIC"; then
 +	pkg=`$pkg  --static $op $lib`
      else
 -	pkg=`$pkg $op $*`
 +	pkg=`$pkg $op $lib`
      fi

 -    if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
 -	   echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
 +    if search "${search}_STATIC"; then
  	if [ $op = "--libs" ] || [ $op = "--copy" ]; then
  	    echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
  	else
 @@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:]
      fi
  fi

 +done
 Index: dnsmasq-2.81/src/config.h
 ===================================================================
 --- dnsmasq-2.81.orig/src/config.h
 +++ dnsmasq-2.81/src/config.h
 @@ -118,6 +118,9 @@ HAVE_AUTH
     define this to include the facility to act as an authoritative DNS
     server for one or more zones.

 +HAVE_NETTLEHASH
 +   include just hash function from nettle, but no DNSSEC.
 +
  HAVE_DNSSEC
     include DNSSEC validator.

 @@ -185,6 +188,7 @@ RESOLVFILE
  /* #define HAVE_IDN */
  /* #define HAVE_LIBIDN2 */
  /* #define HAVE_CONNTRACK */
 +/* #define HAVE_NETTLEHASH */
  /* #define HAVE_DNSSEC */


 @@ -418,6 +422,10 @@ static char *compile_opts =
  "no-"
  #endif
  "auth "
 +#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
 +"no-"
 +#endif
 +"nettlehash "
  #ifndef HAVE_DNSSEC
  "no-"
  #endif
 Index: dnsmasq-2.81/src/dnsmasq.h
 ===================================================================
 --- dnsmasq-2.81.orig/src/dnsmasq.h
 +++ dnsmasq-2.81/src/dnsmasq.h
 @@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head
  #  include <nettle/nettle-meta.h>
  #endif

 +#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
 +#  include <nettle/nettle-meta.h>
 +#endif
  /* daemon is function in the C library.... */
  #define daemon dnsmasq_daemon

 Index: dnsmasq-2.81/src/hash_questions.c
 ===================================================================
 --- dnsmasq-2.81.orig/src/hash_questions.c
 +++ dnsmasq-2.81/src/hash_questions.c
 @@ -28,7 +28,7 @@

  #include "dnsmasq.h"

 -#ifdef HAVE_DNSSEC
 +#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
  unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
  {
    int q;
	From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001
	From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
	Date: Wed, 25 Nov 2020 17:18:55 +0100
	Subject: [PATCH] Support hash function from nettle (only)

	Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from
	nettle, but keep DNSSEC disabled at build time. Skips use of internal
	hash implementation without support for validation built-in.

	Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
	---
	Makefile \| 8 +++++---
	bld/pkg-wrapper \| 41 ++++++++++++++++++++++-------------------
	src/config.h \| 8 ++++++++
	src/crypto.c \| 7 +++++++
	src/dnsmasq.h \| 2 +-
	src/hash_questions.c \| 2 +-
	6 files changed, 44 insertions(+), 24 deletions(-)

	CVE: CVE-2020-25685
	Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b]
	Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile

	Index: dnsmasq-2.81/Makefile
	===================================================================
	--- dnsmasq-2.81.orig/Makefile
	+++ dnsmasq-2.81/Makefile
	@@ -53,7 +53,7 @@ top?=$(CURDIR)

	dbus_cflags = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1`
	dbus_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1`
	-ubus_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus`
	+ubus_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'`
	idn_cflags = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn`
	idn_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn`
	idn2_cflags = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
	@@ -62,8 +62,10 @@ ct_cflags = `echo $(COPTS) \| $(top)/
	ct_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
	lua_cflags = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua`
	lua_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua`
	-nettle_cflags = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
	-nettle_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
	+nettle_cflags = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \
	+ HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
	+nettle_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \
	+ HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
	gmp_libs = `echo $(COPTS) \| $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
	sunos_libs = `if uname \| grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
	version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
	Index: dnsmasq-2.81/bld/pkg-wrapper
	===================================================================
	--- dnsmasq-2.81.orig/bld/pkg-wrapper
	+++ dnsmasq-2.81/bld/pkg-wrapper
	@@ -1,35 +1,37 @@
	#!/bin/sh

	-search=$1
	-shift
	-pkg=$1
	-shift
	-op=$1
	-shift
	-
	in=`cat`

	-if grep "^\#[[:space:]]define[[:space:]]$search" config.h >/dev/null 2>&1 \|\| \
	- echo $in \| grep $search >/dev/null 2>&1; then
	+search()
	+{
	+ grep "^\#[[:space:]]define[[:space:]]$1" config.h >/dev/null 2>&1 \|\| \
	+ echo $in \| grep $1 >/dev/null 2>&1
	+}
	+
	+while [ "$#" -gt 0 ]; do
	+ search=$1
	+ pkg=$2
	+ op=$3
	+ lib=$4
	+ shift 4
	+if search "$search"; then
	+
	# Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP
	if [ $op = "--copy" ]; then
	if [ -z "$pkg" ]; then
	- pkg="$*"
	- elif grep "^\#[[:space:]]define[[:space:]]$pkg" config.h >/dev/null 2>&1 \|\| \
	- echo $in \| grep $pkg >/dev/null 2>&1; then
	+ pkg="$lib"
	+ elif search "$pkg"; then
	pkg=""
	else
	- pkg="$*"
	+ pkg="$lib"
	fi
	- elif grep "^\#[[:space:]]define[[:space:]]${search}_STATIC" config.h >/dev/null 2>&1 \|\| \
	- echo $in \| grep ${search}_STATIC >/dev/null 2>&1; then
	- pkg=`$pkg --static $op $*`
	+ elif search "${search}_STATIC"; then
	+ pkg=`$pkg --static $op $lib`
	else
	- pkg=`$pkg $op $*`
	+ pkg=`$pkg $op $lib`
	fi

	- if grep "^\#[[:space:]]define[[:space:]]${search}_STATIC" config.h >/dev/null 2>&1 \|\| \
	- echo $in \| grep ${search}_STATIC >/dev/null 2>&1; then
	+ if search "${search}_STATIC"; then
	if [ $op = "--libs" ] \|\| [ $op = "--copy" ]; then
	echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
	else
	@@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:]
	fi
	fi

	+done
	Index: dnsmasq-2.81/src/config.h
	===================================================================
	--- dnsmasq-2.81.orig/src/config.h
	+++ dnsmasq-2.81/src/config.h
	@@ -118,6 +118,9 @@ HAVE_AUTH
	define this to include the facility to act as an authoritative DNS
	server for one or more zones.

	+HAVE_NETTLEHASH
	+ include just hash function from nettle, but no DNSSEC.
	+
	HAVE_DNSSEC
	include DNSSEC validator.

	@@ -185,6 +188,7 @@ RESOLVFILE
	/* #define HAVE_IDN */
	/* #define HAVE_LIBIDN2 */
	/* #define HAVE_CONNTRACK */
	+/* #define HAVE_NETTLEHASH */
	/* #define HAVE_DNSSEC */


	@@ -418,6 +422,10 @@ static char *compile_opts =
	"no-"
	#endif
	"auth "
	+#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
	+"no-"
	+#endif
	+"nettlehash "
	#ifndef HAVE_DNSSEC
	"no-"
	#endif
	Index: dnsmasq-2.81/src/dnsmasq.h
	===================================================================
	--- dnsmasq-2.81.orig/src/dnsmasq.h
	+++ dnsmasq-2.81/src/dnsmasq.h
	@@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head
	# include <nettle/nettle-meta.h>
	#endif

	+#if defined(HAVE_DNSSEC) \|\| defined(HAVE_NETTLEHASH)
	+# include <nettle/nettle-meta.h>
	+#endif
	/* daemon is function in the C library.... */
	#define daemon dnsmasq_daemon

	Index: dnsmasq-2.81/src/hash_questions.c
	===================================================================
	--- dnsmasq-2.81.orig/src/hash_questions.c
	+++ dnsmasq-2.81/src/hash_questions.c
	@@ -28,7 +28,7 @@

	#include "dnsmasq.h"

	-#ifdef HAVE_DNSSEC
	+#if defined(HAVE_DNSSEC) \|\| defined(HAVE_NETTLEHASH)
	unsigned char hash_questions(struct dns_header header, size_t plen, char *name)
	{
	int q;