-rw-r--r--CHANGELOG3
-rw-r--r--src/config.h3
-rw-r--r--src/crypto.c48
3 files changed, 22 insertions, 32 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 4cc1858..b32d95d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -60,6 +60,9 @@ version 2.79
internal-20.thekelleys.org.uk being 192.168.0.70
Thanks to Andy Hawkins for the suggestion.
+ Tidy up Crypto code, removing workarounds for ancient
+ versions of libnettle. We now require libnettle 3.
+
version 2.78
Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
diff --git a/src/config.h b/src/config.h
index b317071..ecefb87 100644
--- a/src/config.h
+++ b/src/config.h
@@ -137,9 +137,6 @@ NO_INOTIFY
otherwise be enabled automatically (HAVE_IPV6, >2Gb file sizes) or
which are enabled by default in the distributed source tree. Building dnsmasq
with something like "make COPTS=-DNO_SCRIPT" will do the trick.
-
-NO_NETTLE_ECC
- Don't include the ECDSA cypher in DNSSEC validation. Needed for older Nettle versions.
NO_GMP
Don't use and link against libgmp, Useful if nettle is built with --enable-mini-gmp.
diff --git a/src/crypto.c b/src/crypto.c
index 9e0e562..ebb871e 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -20,20 +20,12 @@
#include <nettle/rsa.h>
#include <nettle/dsa.h>
-#ifndef NO_NETTLE_ECC
-# include <nettle/ecdsa.h>
-# include <nettle/ecc-curve.h>
-# include <nettle/eddsa.h>
-#endif
+#include <nettle/ecdsa.h>
+#include <nettle/ecc-curve.h>
+#include <nettle/eddsa.h>
#include <nettle/nettle-meta.h>
#include <nettle/bignum.h>
-/* Nettle-3.0 moved to a new API for DSA. We use a name that's defined in the new API
- to detect Nettle-3, and invoke the backwards compatibility mode. */
-#ifdef dsa_params_init
-#include <nettle/dsa-compat.h>
-#endif
-
/* Implement a "hash-function" to the nettle API, which simply returns
the input data, concatenated into a single, statically maintained, buffer.
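Review bot: The new unconditional includes and the dropped `dsa-compat.h` block make libnettle 3 a hard requirement (as the CHANGELOG says), but nothing in this hunk states it, so an older Nettle now fails on a missing `struct dsa_params` or `nettle/eddsa.h` rather than with a clear message. `NETTLE_VERSION_MAJOR` was used by the old `hash_find` check in the next hunk, so it appears to be in scope here; if so, a guard after the includes such as `#if NETTLE_VERSION_MAJOR < 3` / `#error "dnsmasq requires libnettle 3 or later"` / `#endif` would make the requirement explicit. Please confirm the header that defines that macro is included before relying on it.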
@@ -118,9 +110,10 @@ const struct nettle_hash *hash_find(char *name)
/* libnettle >= 3.4 provides nettle_lookup_hash() which avoids nasty ABI
incompatibilities if sizeof(nettle_hashes) changes between library
- versions. */
+ versions. It also #defines nettle_hashes, so use that to tell
+ if we have the new facilities. */
-#if (NETTLE_VERSION_MAJOR>3) || ((NETTLE_VERSION_MAJOR==3) && (NETTLE_VERSION_MINOR >=4))
+#ifdef nettle_hashes
return nettle_lookup_hash(name);
#else
{
@@ -232,19 +225,21 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len,
{
unsigned char *p;
unsigned int t;
-
- static struct dsa_public_key *key = NULL;
+
+ static mpz_t y;
+ static struct dsa_params *params = NULL;
static struct dsa_signature *sig_struct;
(void)digest_len;
- if (key == NULL)
+ if (params == NULL)
{
if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) ||
- !(key = whine_malloc(sizeof(struct dsa_public_key))))
+ !(params = whine_malloc(sizeof(struct dsa_params))))
return 0;
- nettle_dsa_public_key_init(key);
+ mpz_init(y);
+ nettle_dsa_params_init(params);
nettle_dsa_signature_init(sig_struct);
}
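Review bot: `(void)digest_len;` just after the new static declarations is now a stale leftover: the rewritten call in the next hunk, `return nettle_dsa_verify(params, y, digest_len, digest, sig_struct);`, reads `digest_len`, so the cast no longer marks an unused parameter and should be removed. The one-time initialisation block also keeps the old failure shape: when `whine_malloc` succeeds for `sig_struct` but fails for `params`, the function returns 0 with `params` still NULL, so the next call allocates a fresh `sig_struct` and the previous one leaks; allocating `params` first, or freeing `sig_struct` on that path, would close this (pre-existing, but carried into the new code). The body of dnsmasq_dsa_verify continues beyond this hunk.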
@@ -256,20 +251,19 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len,
if (key_len < (213 + (t * 24)))
return 0;
- mpz_import(key->q, 20, 1, 1, 0, 0, p); p += 20;
- mpz_import(key->p, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
- mpz_import(key->g, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
- mpz_import(key->y, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
+ mpz_import(params->q, 20, 1, 1, 0, 0, p); p += 20;
+ mpz_import(params->p, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
+ mpz_import(params->g, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
+ mpz_import(y, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
mpz_import(sig_struct->r, 20, 1, 1, 0, 0, sig+1);
mpz_import(sig_struct->s, 20, 1, 1, 0, 0, sig+21);
(void)algo;
- return nettle_dsa_sha1_verify_digest(key, digest, sig_struct);
+ return nettle_dsa_verify(params, y, digest_len, digest, sig_struct);
}
-#ifndef NO_NETTLE_ECC
static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len,
unsigned char *sig, size_t sig_len,
unsigned char *digest, size_t digest_len, int algo)
@@ -371,8 +365,6 @@ static int dnsmasq_eddsa_verify(struct blockdata *key_data, unsigned int key_len
return 0;
}
-#endif
-
static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
unsigned char *digest, size_t digest_len, int algo)
{
@@ -389,14 +381,12 @@ static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key
case 3: case 6:
return dnsmasq_dsa_verify;
-
-#ifndef NO_NETTLE_ECC
+
case 13: case 14:
return dnsmasq_ecdsa_verify;
case 15: case 16:
return dnsmasq_eddsa_verify;
-#endif
}
return NULL;