From 2d765867c597db18be9d876c9c17e2c0fe1953cd Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Thu, 12 Nov 2020 22:06:07 +0000
Subject: Use SHA-256 to provide security against DNS cache poisoning.
Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
---
 bld/Android.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'bld')
diff --git a/bld/Android.mk b/bld/Android.mk
index 080a615..f924be9 100644
--- a/bld/Android.mk
+++ b/bld/Android.mk
@@ -11,7 +11,7 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 radv.c slaac.c auth.c ipset.c domain.c \
 dnssec.c dnssec-openssl.c blockdata.c tables.c \
 loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
- crypto.c dump.c ubus.c
+ crypto.c dump.c ubus.c metrics.c hash_questions.c
 LOCAL_MODULE := dnsmasq
--
cgit v1.2.1
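Review bot: The new `LOCAL_SRC_FILES` line adds `metrics.c` alongside `hash_questions.c`, but the commit message only describes the SHA-256 question hashing, so the `metrics.c` addition is undocumented. It was presumably missing from the Android build before this commit; if so, it would be worth a line in the description such as `Also add metrics.c, previously missing from the Android source list.`, or a separate commit so the security fix stays minimal to backport. This view is limited to `bld`, so I cannot see whether the other build files list `hash_questions.c` as well. Since this source list is maintained by hand, a comment above it such as `# Keep in sync with the objs list in the top-level Makefile` would help ensure future security-relevant sources reach the Android build.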